Generate PIN for PKI to help Dogtag in FIPS

Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.

https://pagure.io/freeipa/issue/6824

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-03-28 13:54:16 +02:00 committed by Tomas Krizek
parent 2dda1acf44
commit e204d030fc
No known key found for this signature in database
GPG Key ID: 22A2A94B5E49415A
2 changed files with 10 additions and 2 deletions

View File

@ -541,6 +541,10 @@ class CAInstance(DogtagInstance):
# CA key algorithm
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("CA", "pki_pin", pki_pin)
if self.clone:
if self.no_db_setup:
@ -613,7 +617,7 @@ class CAInstance(DogtagInstance):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
nolog_list=(self.dm_password, self.admin_password)
nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(cfg_file)

View File

@ -235,6 +235,10 @@ class KRAInstance(DogtagInstance):
"KRA", "pki_share_dbuser_dn",
str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("KRA", "pki_pin", pki_pin)
_p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
if self.clone:
@ -275,7 +279,7 @@ class KRAInstance(DogtagInstance):
try:
DogtagInstance.spawn_instance(
self, cfg_file,
nolog_list=(self.dm_password, self.admin_password)
nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(p12_tmpfile_name)