IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

drop fix-dnssec-services.diff fix-pkcs11-helper.diff, refresh others

Browse Source
This commit is contained in:
Timo Aaltonen
2017-07-03 23:54:29 +03:00
parent 1ec9149391
commit e28a378351
10 changed files with 29 additions and 524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
debian/changelog vendored
View File

@@ -1,15 +1,21 @@
freeipa (4.5.2-1) UNRELEASED; urgency=medium
* New upstream release.
- Remove upstreamed patches: add-debian-platform.diff,
- Remove upstreamed patches:
add-debian-platform.diff,
ipa-kdb-support-dal-version-5-and-6.diff,
purge-firefox-extension.diff, fix-ipa-otpd-install.diff,
fix-ipa-otpd-service.diff, purge-firefox-extension.diff,
prefix.patch, fix-kdcproxy-path.diff, fix-is-running.diff
purge-firefox-extension.diff,
fix-ipa-otpd-install.diff,
fix-ipa-otpd-service.diff,
purge-firefox-extension.diff,
prefix.patch,
fix-kdcproxy-path.diff,
fix-is-running.diff,
fix-pkcs11-helper.diff,
fix-dnssec-services.diff
- Remove obsolete patches: fix-memcached.diff,
fix-oddjobs.diff
- Refresh patches: fix-dnssec-services.diff,
fix-ipa-conf.diff, fix-replicainstall.diff
- Refresh rest of the patches
* control et al: Memcached is not used anymore.
* control, server.install: Depend on gssproxy.
* control: Build-depend on python-jinja2, add CSR files to python-

2
debian/patches/create-sysconfig-ods.diff vendored
View File

@@ -1,6 +1,6 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -206,6 +206,9 @@ class OpenDNSSECInstance(service.Service
@@ -195,6 +195,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)

6
debian/patches/enable-mod-nss-during-setup.diff vendored
View File

@@ -1,14 +1,14 @@
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -183,6 +183,7 @@ class HTTPInstance(service.Service):
self.step("create KDC proxy user", create_kdcproxy_user)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("starting httpd", self.start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
@@ -508,6 +509,8 @@ class HTTPInstance(service.Service):
@@ -529,6 +530,8 @@ class HTTPInstance(service.Service):
except Exception:
pass

100
debian/patches/fix-dnssec-services.diff vendored
View File

@@ -1,100 +0,0 @@
From 40026185382efaed65b6ad604b21d8790f38aa33 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaalton@debian.org>
Date: Wed, 15 Mar 2017 16:41:50 +0200
Subject: [PATCH] configure: Use ODS_USER and NAMED_GROUP in
daemons/dnssec/*.service.in
These are platform specific, add values for Debian and default values
for Fedora/RHEL.
Also, use prettier output when checking the extra python install options.
---
configure.ac | 20 +++++++++++++++++++-
daemons/dnssec/Makefile.am | 2 ++
daemons/dnssec/ipa-dnskeysyncd.service.in | 6 +++---
daemons/dnssec/ipa-ods-exporter.service.in | 2 +-
4 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index 81f74f1..a590e3e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -291,13 +291,31 @@ AC_SUBST([IPAPLATFORM])
AC_MSG_RESULT([${IPAPLATFORM}])
if test "x${IPAPLATFORM}" == "xdebian"; then
+ NAMED_GROUP="bind"
+ ODS_USER="opendnssec"
# see https://www.debian.org/doc/packaging-manuals/python-policy/ap-packaging_tools.html
PYTHON_INSTALL_EXTRA_OPTIONS="--install-layout=deb"
else
+ NAMED_GROUP="named"
+ ODS_USER="ods"
PYTHON_INSTALL_EXTRA_OPTIONS=""
fi
+
+AC_MSG_CHECKING([NAMED_GROUP])
+AC_SUBST([NAMED_GROUP])
+AC_MSG_RESULT([${NAMED_GROUP}])
+
+AC_MSG_CHECKING([ODS_USER])
+AC_SUBST([ODS_USER])
+AC_MSG_RESULT([${ODS_USER}])
+
+AC_MSG_CHECKING([python setup.py install extra options])
AC_SUBST([PYTHON_INSTALL_EXTRA_OPTIONS])
-AC_MSG_RESULT([python setup.py install extra options ${PYTHON_INSTALL_EXTRA_OPTIONS}])
+if test "x${PYTHON_INSTALL_EXTRA_OPTIONS}" == "x"; then
+ AC_MSG_RESULT([none])
+else
+ AC_MSG_RESULT([${PYTHON_INSTALL_EXTRA_OPTIONS}])
+fi
dnl ---------------------------------------------------------------------------
dnl Version information from VERSION.m4 and command line
diff --git a/daemons/dnssec/Makefile.am b/daemons/dnssec/Makefile.am
index 37a0dcf..b0db4e1 100644
--- a/daemons/dnssec/Makefile.am
+++ b/daemons/dnssec/Makefile.am
@@ -25,6 +25,8 @@ CLEANFILES = $(systemdsystemunit_DATA)
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
+ -e 's|@ODS_USER[@]|$(ODS_USER)|g' \
+ -e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
'$(srcdir)/$@.in' >$@
dnssecconfdir = $(IPA_SYSCONF_DIR)/dnssec
diff --git a/daemons/dnssec/ipa-dnskeysyncd.service.in b/daemons/dnssec/ipa-dnskeysyncd.service.in
index f39c3ce..38c6f92 100644
--- a/daemons/dnssec/ipa-dnskeysyncd.service.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.service.in
@@ -4,9 +4,9 @@ Description=IPA key daemon
[Service]
EnvironmentFile=@sysconfenvdir@/ipa-dnskeysyncd
ExecStart=@libexecdir@/ipa/ipa-dnskeysyncd
-User=ods
-Group=named
-SupplementaryGroups=ods
+User=@ODS_USER@
+Group=@NAMED_GROUP@
+SupplementaryGroups=@ODS_USER@
PrivateTmp=yes
Restart=on-failure
RestartSec=60s
diff --git a/daemons/dnssec/ipa-ods-exporter.service.in b/daemons/dnssec/ipa-ods-exporter.service.in
index 5ec7317..ef74287 100644
--- a/daemons/dnssec/ipa-ods-exporter.service.in
+++ b/daemons/dnssec/ipa-ods-exporter.service.in
@@ -6,7 +6,7 @@ After=ipa-ods-exporter.socket
[Service]
EnvironmentFile=@sysconfenvdir@/ipa-ods-exporter
ExecStart=@libexecdir@/ipa/ipa-ods-exporter
-User=ods
+User=@ODS_USER@
PrivateTmp=yes
Restart=on-failure
RestartSec=60s
--
2.7.4

12
debian/patches/fix-ipa-conf.diff vendored
View File

@@ -1,7 +1,7 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -37,7 +37,7 @@ FileETag None
@@ -47,7 +47,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
@@ -10,16 +10,16 @@ Description: Fix paths
# Configure mod_wsgi handler for /ipa
@@ -68,7 +68,7 @@ WSGIScriptReloading Off
@@ -129,7 +129,7 @@ Alias /ipa/session/cookie "/usr/share/ip
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
SessionMaxAge 1800
- GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiSessionKey file:/etc/apache2/ipasession.key
GssapiDelegCcacheDir /var/run/ipa/ccaches
GssapiDelegCcachePerms mode:0660 gid:ipaapi
@@ -112,7 +112,7 @@ Alias /ipa/session/cookie "/usr/share/ip
Header unset Set-Cookie
</Location>
@@ -149,7 +149,7 @@ Alias /ipa/session/cookie "/usr/share/ip
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
@@ -28,7 +28,7 @@ Description: Fix paths
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
@@ -146,8 +146,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
@@ -183,8 +183,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve

10
debian/patches/fix-opendnssec-setup.diff vendored
View File

@@ -11,7 +11,7 @@ Description: Fix ODS setup with 2.0.x
</RepositoryList>
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -304,7 +304,7 @@ class OpenDNSSECInstance(service.Service
@@ -293,7 +293,7 @@ class OpenDNSSECInstance(service.Service
else:
# initialize new kasp.db
command = [
@@ -22,7 +22,7 @@ Description: Fix ODS setup with 2.0.x
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -171,7 +171,7 @@ class BasePathNamespace(object):
@@ -168,7 +168,7 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
@@ -31,9 +31,9 @@ Description: Fix ODS setup with 2.0.x
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
--- a/ipapython/dnssec/odsmgr.py
+++ b/ipapython/dnssec/odsmgr.py
@@ -125,7 +125,7 @@ class ODSMgr(object):
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -133,7 +133,7 @@ class ODSMgr(object):
Raises CalledProcessError if returncode != 0.
"""

399
debian/patches/fix-pkcs11-helper.diff vendored
View File

@@ -1,399 +0,0 @@
commit 07df61b7814db08d81e1ff92f58b24e5d852fdf8
Author: Martin Basti <mbasti@redhat.com>
Date: Wed Mar 29 18:53:11 2017 +0200
Fix PKCS11 helper
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 69a3a68..3714163 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -15,6 +15,7 @@ import os
import sys
import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython import ipaldap
@@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
ipalib.api.env.basedn))
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
open(paths.DNSSEC_SOFTHSM_PIN).read())
ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 385764a..77f8c4d 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -32,6 +32,7 @@ import sqlite3
import traceback
import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipapython.dn import DN
from ipapython import ipaldap
from ipapython import ipautil
@@ -645,7 +646,7 @@ log.debug('Connected')
ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
ipalib.api.env.container_dns,
ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
open(paths.DNSSEC_SOFTHSM_PIN).read())
ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c423117..43f1f3c 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,3 +279,5 @@ RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
# regexp definitions
PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py
index 8f18a45..73511e9 100755
--- a/ipapython/dnssec/localhsm.py
+++ b/ipapython/dnssec/localhsm.py
@@ -89,10 +89,11 @@ class Key(collections.MutableMapping):
def __repr__(self):
return self.__str__()
+
class LocalHSM(AbstractHSM):
- def __init__(self, library, slot, pin):
+ def __init__(self, library, label, pin):
self.cache_replica_pubkeys = None
- self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
+ self.p11 = _ipap11helper.P11_Helper(label, pin, library)
self.log = logging.getLogger()
def __del__(self):
diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
index 5ff9ccc..f193ea7 100644
--- a/ipapython/p11helper.py
+++ b/ipapython/p11helper.py
@@ -30,6 +30,7 @@ struct _CK_VERSION
};
typedef unsigned long CK_SLOT_ID;
+typedef CK_SLOT_ID *CK_SLOT_ID_PTR;
typedef unsigned long CK_SESSION_HANDLE;
@@ -43,6 +44,13 @@ typedef unsigned long CK_KEY_TYPE;
typedef unsigned long CK_ATTRIBUTE_TYPE;
+typedef unsigned long ck_flags_t;
+
+typedef unsigned char CK_BBOOL;
+
+typedef unsigned long int CK_ULONG;
+typedef CK_ULONG *CK_ULONG_PTR;
+
struct _CK_ATTRIBUTE
{
CK_ATTRIBUTE_TYPE type;
@@ -59,6 +67,31 @@ struct _CK_MECHANISM
unsigned long ulParameterLen;
};
+struct _CK_TOKEN_INFO
+{
+ unsigned char label[32];
+ unsigned char manufacturer_id[32];
+ unsigned char model[16];
+ unsigned char serial_number[16];
+ ck_flags_t flags;
+ unsigned long max_session_count;
+ unsigned long session_count;
+ unsigned long max_rw_session_count;
+ unsigned long rw_session_count;
+ unsigned long max_pin_len;
+ unsigned long min_pin_len;
+ unsigned long total_public_memory;
+ unsigned long free_public_memory;
+ unsigned long total_private_memory;
+ unsigned long free_private_memory;
+ struct _CK_VERSION hardware_version;
+ struct _CK_VERSION firmware_version;
+ unsigned char utc_time[16];
+};
+
+typedef struct _CK_TOKEN_INFO CK_TOKEN_INFO;
+typedef CK_TOKEN_INFO *CK_TOKEN_INFO_PTR;
+
typedef unsigned long CK_RV;
typedef ... *CK_NOTIFY;
@@ -70,9 +103,12 @@ typedef CK_RV (*CK_C_Finalize) (void *pReserved);
typedef ... *CK_C_GetInfo;
typedef ... *CK_C_GetFunctionList;
CK_RV C_GetFunctionList (struct _CK_FUNCTION_LIST **function_list);
-typedef ... *CK_C_GetSlotList;
+typedef CK_RV (*CK_C_GetSlotList) (CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount);
typedef ... *CK_C_GetSlotInfo;
-typedef ... *CK_C_GetTokenInfo;
+typedef CK_RV (*CK_C_GetTokenInfo) (CK_SLOT_ID slotID,
+ CK_TOKEN_INFO_PTR pInfo);
typedef ... *CK_C_WaitForSlotEvent;
typedef ... *CK_C_GetMechanismList;
typedef ... *CK_C_GetMechanismInfo;
@@ -255,10 +291,7 @@ struct _CK_FUNCTION_LIST
typedef unsigned char CK_BYTE;
typedef unsigned char CK_UTF8CHAR;
-typedef unsigned char CK_BBOOL;
-typedef unsigned long int CK_ULONG;
typedef CK_BYTE *CK_BYTE_PTR;
-typedef CK_ULONG *CK_ULONG_PTR;
typedef CK_OBJECT_HANDLE *CK_OBJECT_HANDLE_PTR;
@@ -387,6 +420,7 @@ CKM_AES_KEY_GEN = 0x1080
CKR_OK = 0
CKR_ATTRIBUTE_TYPE_INVALID = 0x12
CKR_USER_NOT_LOGGED_IN = 0x101
+CKR_BUFFER_TOO_SMALL = 0x150
CK_BYTE = _ffi.typeof('CK_BYTE')
CK_BBOOL = _ffi.typeof('CK_BBOOL')
@@ -403,6 +437,10 @@ CK_MECHANISM = _ffi.typeof('CK_MECHANISM')
CK_FUNCTION_LIST_PTR = _ffi.typeof('CK_FUNCTION_LIST_PTR')
+CK_SLOT_ID = _ffi.typeof('CK_SLOT_ID')
+
+CK_TOKEN_INFO = _ffi.typeof('CK_TOKEN_INFO')
+
NULL_PTR = NULL
@@ -796,11 +834,10 @@ class P11_Helper(object):
# Object not found
return False
- def __init__(self, slot, user_pin, library_path):
+ def __init__(self, token_label, user_pin, library_path):
self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
self.session_ptr = new_ptr(CK_SESSION_HANDLE)
- self.slot = 0
self.session_ptr[0] = 0
self.p11_ptr[0] = NULL
self.module_handle = None
@@ -808,7 +845,7 @@ class P11_Helper(object):
# Parse method args
if isinstance(user_pin, unicode):
user_pin = user_pin.encode()
- self.slot = slot
+ self.token_label = token_label
try:
pGetFunctionList, module_handle = loadLibrary(library_path)
@@ -829,9 +866,16 @@ class P11_Helper(object):
check_return_value(rv, "initialize")
#
+ # Get Slot
+ #
+ slot = self.get_slot()
+ if slot is None:
+ raise Error("No slot for label {} found".format(self.token_label))
+
+ #
# Start session
#
- rv = self.p11.C_OpenSession(self.slot,
+ rv = self.p11.C_OpenSession(slot,
CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL,
NULL, self.session_ptr)
check_return_value(rv, "open session")
@@ -842,6 +886,49 @@ class P11_Helper(object):
rv = self.p11.C_Login(self.session, CKU_USER, user_pin, len(user_pin))
check_return_value(rv, "log in")
+ def get_slot(self):
+ """Get slot where then token is located
+ :return: slot number or None when slot not found
+ """
+ object_count_ptr = new_ptr(CK_ULONG)
+
+ # get slots ID
+ slots = None
+ for _i in range(0, 10):
+ # try max N times, then die to avoid infinite iteration
+ rv = self.p11.C_GetSlotList(CK_TRUE, NULL, object_count_ptr)
+ check_return_value(rv, "get slots IDs - prepare")
+
+ result_ids_ptr = new_array(CK_SLOT_ID, object_count_ptr[0])
+
+ rv = self.p11.C_GetSlotList(
+ CK_TRUE, result_ids_ptr, object_count_ptr)
+ if rv == CKR_BUFFER_TOO_SMALL:
+ continue
+ check_return_value(rv, "get slots IDs")
+ slots = result_ids_ptr
+ break # we have slots !!!
+
+ if slots is None:
+ raise Error("Failed to get slots")
+
+ for slot in slots:
+ token_info_ptr = new_ptr(CK_TOKEN_INFO)
+ rv = self.p11.C_GetTokenInfo(slot, token_info_ptr)
+ check_return_value(rv, 'get token info')
+
+ # softhsm always returns label 32 bytes long with padding made of
+ # white spaces (#32), so we have to rstrip() padding and compare
+ # Label was created by softhsm-util so it is not our fault that
+ # there are #32 as padding (cffi initializes structures with
+ # zeroes)
+ # In case that this is not valid anymore, keep in mind backward
+ # compatibility
+
+ if self.token_label == char_array_to_unicode(
+ token_info_ptr[0].label, 32).rstrip():
+ return slot
+
def finalize(self):
"""
Finalize operations with pkcs11 library
@@ -868,7 +955,6 @@ class P11_Helper(object):
self.p11_ptr[0] = NULL
self.session_ptr[0] = 0
- self.slot = 0
self.module_handle = None
#################################################################
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index fadaf21..d9dfda9 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -26,10 +26,9 @@ from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipalib import errors, api
from ipalib.constants import CACERT
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipaserver.install.bindinstance import dns_container_exists
-softhsm_token_label = u'ipaDNSSEC'
-softhsm_slot = 0
replica_keylabel_template = u"dnssec-replica:%s"
@@ -289,8 +288,8 @@ class DNSKeySyncInstance(service.Service):
command = [
paths.SOFTHSM2_UTIL,
'--init-token',
- '--slot', str(softhsm_slot),
- '--label', softhsm_token_label,
+ '--free', # use random free slot
+ '--label', SOFTHSM_DNSSEC_TOKEN_LABEL,
'--pin', pin,
'--so-pin', pin_so,
]
@@ -309,7 +308,8 @@ class DNSKeySyncInstance(service.Service):
pin = f.read()
os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
- p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+ p11 = _ipap11helper.P11_Helper(
+ SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
try:
# generate replica keypair
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index f0c512b..1aac24a 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -18,10 +18,9 @@ from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipalib import errors, api
-from ipaserver.install import dnskeysyncinstance
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
KEYMASTER = u'dnssecKeyMaster'
-softhsm_slot = 0
def get_dnssec_key_masters(conn):
@@ -72,7 +71,7 @@ class OpenDNSSECInstance(service.Service):
self.ods_gid = None
self.conf_file_dict = {
'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
- 'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
+ 'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL,
'KASP_DB': paths.OPENDNSSEC_KASP_DB,
'ODS_USER': constants.ODS_USER,
'ODS_GROUP': constants.ODS_GROUP,
@@ -247,7 +246,8 @@ class OpenDNSSECInstance(service.Service):
pin = f.read()
os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
- p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+ p11 = p11helper.P11_Helper(
+ SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
try:
# generate master key
root_logger.debug("Creating master key")
diff --git a/ipatests/test_ipapython/test_ipap11helper.py b/ipatests/test_ipapython/test_ipap11helper.py
index 2c8fd28..5659d60 100644
--- a/ipatests/test_ipapython/test_ipap11helper.py
+++ b/ipatests/test_ipapython/test_ipap11helper.py
@@ -55,12 +55,12 @@ def p11(request):
with open('softhsm2.conf', 'w') as cfg:
cfg.write(CONFIG_DATA % token_path)
os.environ['SOFTHSM2_CONF'] = os.path.join(token_path, 'softhsm2.conf')
- subprocess.check_call([SOFTHSM2_UTIL, '--init-token', '--slot', '0',
+ subprocess.check_call([SOFTHSM2_UTIL, '--init-token', '--free',
'--label', 'test', '--pin', '1234', '--so-pin',
'1234'])
try:
- p11 = _ipap11helper.P11_Helper(0, "1234", LIBSOFTHSM)
+ p11 = _ipap11helper.P11_Helper('test', "1234", LIBSOFTHSM)
except _ipap11helper.Error:
pytest.fail('Failed to initialize the helper object.', pytrace=False)
@@ -70,6 +70,8 @@ def p11(request):
except _ipap11helper.Error:
pytest.fail('Failed to finalize the helper object.', pytrace=False)
finally:
+ subprocess.call(
+ [SOFTHSM2_UTIL, '--delete-token', '--label', 'test'])
del os.environ['SOFTHSM2_CONF']
request.addfinalizer(fin)

2
debian/patches/fix-replicainstall.diff vendored
View File

@@ -1,6 +1,6 @@
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -768,7 +768,7 @@ def install_check(installer):
@@ -760,7 +760,7 @@ def install_check(installer):
finally:
shutil.rmtree(tmp_db_dir)

2
debian/patches/hack-libarch.diff vendored
View File

@@ -1,6 +1,6 @@
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -334,9 +334,9 @@ class LDAPUpdate:
@@ -329,9 +329,9 @@ class LDAPUpdate(object):
bits = platform.architecture()[0]
if bits == "64bit":

2
debian/patches/series vendored
View File

@@ -1,5 +1,4 @@
# upstreamed
fix-pkcs11-helper.diff
# not upstreamable
hack-libarch.diff
@@ -9,7 +8,6 @@ enable-mod-nss-during-setup.diff
fix-ipa-conf.diff
fix-kdcproxy-paths.diff
fix-replicainstall.diff
fix-dnssec-services.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-opendnssec-setup.diff