certdb, certs: make trust flags argument mandatory

Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta 2017-04-27 09:57:45 +02:00 committed by Martin Basti
parent 235265a5f5
commit f0442a2d0e
6 changed files with 16 additions and 16 deletions


@ -468,14 +468,12 @@ class NSSDatabase(object):
self.import_pkcs12(out_file.name, out_password)
def trust_root_cert(self, root_nickname, trust_flags=None):
def trust_root_cert(self, root_nickname, trust_flags):
if root_nickname[:7] == "Builtin":
root_logger.debug(
"No need to add trust for built-in root CAs, skipping %s" %
root_nickname)
else:
if trust_flags is None:
trust_flags = EXTERNAL_CA_TRUST_FLAGS
try:
self.run_certutil(["-M", "-n", root_nickname,
"-t", trust_flags])
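Review bot: The new signature drops the `None` default but the visible body adds no check, so a caller that still passes `trust_flags=None` reaches `run_certutil(["-M", "-n", root_nickname, "-t", trust_flags])` before anything complains; the failure then surfaces from the subprocess argument handling, presumably as a TypeError that says nothing about trust flags. A guard at the top of the method, `if trust_flags is None: raise ValueError("trust_flags is required")`, would name the actual mistake at the API boundary. The method also has no docstring; one sentence stating that the caller must now choose between the `IPA_CA_TRUST_FLAGS` and `EXTERNAL_CA_TRUST_FLAGS` constants — the defaulting that used to happen here — would document the contract this commit changes. The `try:` block and the rest of trust_root_cert continue past the end of the hunk.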


@ -550,7 +550,7 @@ class CertDB(object):
return root_nicknames
def trust_root_cert(self, root_nickname, trust_flags=None):
def trust_root_cert(self, root_nickname, trust_flags):
if root_nickname is None:
root_logger.debug("Unable to identify root certificate to trust. Continuing but things are likely to fail.")
return
@ -600,14 +600,13 @@ class CertDB(object):
self.create_certdbs()
self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
ca_file=None, trust_flags=None):
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
ca_file, trust_flags):
"""Create a new NSS database using the certificates in a PKCS#12 file.
pkcs12_fname: the filename of the PKCS#12 file
pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
nickname: the nickname/friendly-name of the cert we are loading
passwd: The password to use for the new NSS database we are creating
The global CA may be added as well in case it wasn't included in the
PKCS#12 file. Extra certs won't hurt in any case.
@ -615,7 +614,7 @@ class CertDB(object):
The global CA may be specified in ca_file, as a PEM filename.
"""
self.create_noise_file()
self.create_passwd_file(passwd)
self.create_passwd_file()
self.create_certdbs()
self.init_from_pkcs12(
pkcs12_fname,
@ -624,7 +623,7 @@ class CertDB(object):
trust_flags=trust_flags)
def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
ca_file=None, trust_flags=None):
ca_file, trust_flags):
self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
server_certs = self.find_server_certs()
if len(server_certs) == 0:
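Review bot: The docstring of `create_from_pkcs12` is now out of step with its signature: it still lists `pkcs12_pwd_fname`, `nickname` and `passwd`, none of which are parameters — `passwd` is removed in this very hunk, and the body now calls `create_passwd_file()` with no argument — while the two arguments the commit makes mandatory, `ca_file` and `trust_flags`, are not described at all. The parameter list should be rewritten to name `pkcs12_fname`, `pkcs12_passwd`, `ca_file` (the global CA as a PEM filename, as the later sentence already says; presumably still allowed to be None — confirm against the callers) and `trust_flags` (the trust string applied to that CA, which the caller must now pick explicitly). `init_from_pkcs12` and `CertDB.trust_root_cert` lose their defaults in the same change and have no docstring; a one-line summary on each stating that `trust_flags` is required would complete the contract. All three method bodies run past the edges of their hunks.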


@ -769,7 +769,7 @@ class DsInstance(service.Service):
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
trust_flags = EXTERNAL_CA_TRUST_FLAGS
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
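Review bot: The selection `trust_flags = IPA_CA_TRUST_FLAGS if self.ca_is_configured else EXTERNAL_CA_TRUST_FLAGS` that this hunk writes out is repeated verbatim in HTTPInstance (before the `db.init_from_pkcs12` call) and in `install_check` (before the `tmp_db.create_from_pkcs12` call), so the policy "an IPA-issued CA gets IPA_CA_TRUST_FLAGS, anything else gets EXTERNAL_CA_TRUST_FLAGS" now lives in three installers. Since this commit moves that decision out of `certdb` into its callers, a single helper next to the constants, e.g. `def ca_trust_flags(ca_is_configured): return IPA_CA_TRUST_FLAGS if ca_is_configured else EXTERNAL_CA_TRUST_FLAGS`, would keep the three sites from drifting if the flag sets are ever revised. The enclosing DsInstance method starts and ends outside the hunk. The same remark applies to the HTTPInstance and install_check sections and is not repeated there.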


@ -32,7 +32,9 @@ import six
from augeas import Augeas
from ipalib.install import certmonger
from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
EXTERNAL_CA_TRUST_FLAGS,
TRUSTED_PEER_TRUST_FLAGS)
from ipaserver.install import service
from ipaserver.install import certs
from ipaserver.install import installutils
@ -384,7 +386,7 @@ class HTTPInstance(service.Service):
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
trust_flags = EXTERNAL_CA_TRUST_FLAGS
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)


@ -49,6 +49,7 @@ from ipalib.install.kinit import kinit_password
import ipaplatform
from ipapython import ipautil, admintool, version
from ipapython.admintool import ScriptError
from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS
from ipapython.ipa_log_manager import root_logger
from ipapython.ipaldap import DIRMAN_DN, LDAPClient
from ipalib.util import validate_hostname
@ -1036,7 +1037,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
if 'u' in trust_flags:
key_nickname = nickname
continue
nssdb.trust_root_cert(nickname)
nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
# Check we have the whole cert chain & the CA is in it
trust_chain = list(reversed(nssdb.get_trust_chain(key_nickname)))
@ -1176,7 +1177,7 @@ def load_external_cert(files, ca_subject):
cache[nickname] = (cert, subject, issuer)
if subject == ca_subject:
ca_nickname = nickname
nssdb.trust_root_cert(nickname)
nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
if ca_nickname is None:
raise ScriptError(
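Review bot: Spelling out `EXTERNAL_CA_TRUST_FLAGS` at the two `trust_root_cert` call sites makes visible that `load_pkcs12` marks every certificate in the bundle that is not the key's own as a trusted root, and `load_external_cert` does the same for every certificate it reads, not only the one whose subject matches `ca_subject`; both appear to be the pre-existing behaviour via the old default, but the intent is nowhere stated. A comment above each call would record it, e.g. `# Every non-key cert in the bundle is a chain CA; trust it as an external CA`, assuming that scope is intended — confirm. If it is not, limiting the call in `load_external_cert` to the entry whose subject is `ca_subject` would narrow what ends up marked trusted in the database. Both enclosing loops begin before their hunks.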


@ -23,7 +23,7 @@ import ipaclient.install.ntpconf
from ipalib.install import certstore, sysrestore
from ipalib.install.kinit import kinit_keytab
from ipapython import ipaldap, ipautil
from ipapython.certdb import IPA_CA_TRUST_FLAGS
from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipapython.admintool import ScriptError
@ -740,7 +740,7 @@ def install_check(installer):
if ca_enabled:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = None
trust_flags = EXTERNAL_CA_TRUST_FLAGS
tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
ca_file=cafile,
trust_flags=trust_flags)