Simplify NSSDatabase password file handling

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipapython/certdb.py

@@ -97,6 +97,7 @@ class NSSDatabase(object):
         else:
             self.secdir = nssdir
             self._is_temporary = False
+        self.pwd_file = os.path.join(self.secdir, 'pwdfile.txt')
 
     def close(self):
         if self._is_temporary:
@@ -145,7 +146,7 @@ class NSSDatabase(object):
             os.makedirs(self.secdir, dirmode)
 
         if password_filename is None:
-            password_filename = os.path.join(self.secdir, 'pwdfile.txt')
+            password_filename = self.pwd_file
 
         if not os.path.exists(password_filename):
             # Create the password file for this db
@@ -218,12 +219,11 @@ class NSSDatabase(object):
 
         return root_nicknames
 
-    def export_pkcs12(self, nickname, pkcs12_filename, db_password_filename,
-                      pkcs12_passwd=None):
+    def export_pkcs12(self, nickname, pkcs12_filename, pkcs12_passwd=None):
         args = [PK12UTIL, "-d", self.secdir,
                 "-o", pkcs12_filename,
                 "-n", nickname,
-                "-k", db_password_filename]
+                "-k", self.pwd_file]
         pkcs12_password_file = None
         if pkcs12_passwd is not None:
             pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd + '\n')
@@ -243,11 +243,10 @@ class NSSDatabase(object):
             if pkcs12_password_file is not None:
                 pkcs12_password_file.close()
 
-    def import_pkcs12(self, pkcs12_filename, db_password_filename,
-                      pkcs12_passwd=None):
+    def import_pkcs12(self, pkcs12_filename, pkcs12_passwd=None):
         args = [PK12UTIL, "-d", self.secdir,
                 "-i", pkcs12_filename,
-                "-k", db_password_filename, '-v']
+                "-k", self.pwd_file, '-v']
         pkcs12_password_file = None
         if pkcs12_passwd is not None:
             pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd + '\n')
@@ -267,8 +266,8 @@ class NSSDatabase(object):
             if pkcs12_password_file is not None:
                 pkcs12_password_file.close()
 
-    def import_files(self, files, db_password_filename, import_keys=False,
-                     key_password=None, key_nickname=None):
+    def import_files(self, files, import_keys=False, key_password=None,
+                     key_nickname=None):
         """
         Import certificates and a single private key from multiple files
 
@@ -276,8 +275,6 @@ class NSSDatabase(object):
         PKCS#8 and raw private key and PKCS#12 formats.
 
         :param files: Names of files to import
-        :param db_password_filename: Name of file containing the database
-            password
         :param import_keys: Whether to import private keys
         :param key_password: Password to decrypt private keys
         :param key_nickname: Nickname of the private key to import from PKCS#12
@@ -352,7 +349,7 @@ class NSSDatabase(object):
                         args = [
                             OPENSSL, 'pkcs8',
                             '-topk8',
-                            '-passout', 'file:' + db_password_filename,
+                            '-passout', 'file:' + self.pwd_file,
                         ]
                         if ((label != 'PRIVATE KEY' and key_password) or
                             label == 'ENCRYPTED PRIVATE KEY'):
@@ -390,8 +387,7 @@ class NSSDatabase(object):
             # Try to import the file as PKCS#12 file
             if import_keys:
                 try:
-                    self.import_pkcs12(
-                        filename, db_password_filename, key_password)
+                    self.import_pkcs12(filename, key_password)
                 except RuntimeError:
                     pass
                 else:
@@ -442,7 +438,7 @@ class NSSDatabase(object):
                 '-export',
                 '-in', in_file.name,
                 '-out', out_file.name,
-                '-passin', 'file:' + db_password_filename,
+                '-passin', 'file:' + self.pwd_file,
                 '-passout', 'file:' + out_pwdfile.name,
             ]
             try:
@@ -452,8 +448,7 @@ class NSSDatabase(object):
                     "No matching certificate found for private key from %s" %
                     key_file)
 
-            self.import_pkcs12(out_file.name, db_password_filename,
-                               out_password)
+            self.import_pkcs12(out_file.name, out_password)
 
     def trust_root_cert(self, root_nickname, trust_flags=None):
         if root_nickname[:7] == "Builtin":

ipaserver/install/certs.py

@@ -83,7 +83,6 @@ class CertDB(object):
         self.realm = realm
 
         self.noise_fname = self.secdir + "/noise.txt"
-        self.passwd_fname = self.secdir + "/pwdfile.txt"
         self.certdb_fname = self.secdir + "/cert8.db"
         self.keydb_fname = self.secdir + "/key3.db"
         self.secmod_fname = self.secdir + "/secmod.db"
@@ -119,6 +118,10 @@ class CertDB(object):
     ca_subject = ipautil.dn_attribute_property('_ca_subject')
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
+    @property
+    def passwd_fname(self):
+        return self.nssdb.pwd_file
+
     def __del__(self):
         if self.reqdir is not None:
             shutil.rmtree(self.reqdir, ignore_errors=True)
@@ -189,7 +192,7 @@ class CertDB(object):
         ipautil.backup_file(self.certdb_fname)
         ipautil.backup_file(self.keydb_fname)
         ipautil.backup_file(self.secmod_fname)
-        self.nssdb.create_db(self.passwd_fname)
+        self.nssdb.create_db()
         self.set_perms(self.passwd_fname, write=True)
 
     def list_certs(self):
@@ -510,7 +513,7 @@ class CertDB(object):
         return self.nssdb.find_server_certs()
 
     def import_pkcs12(self, pkcs12_fname, pkcs12_passwd=None):
-        return self.nssdb.import_pkcs12(pkcs12_fname, self.passwd_fname,
+        return self.nssdb.import_pkcs12(pkcs12_fname,
                                         pkcs12_passwd=pkcs12_passwd)
 
     def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):

ipaserver/install/installutils.py

@@ -1003,19 +1003,16 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
         the CA certificate of the CA that issued the server certificate
     """
     with certs.NSSDatabase() as nssdb:
-        db_password = ipautil.ipa_generate_password()
-        db_pwdfile = ipautil.write_tmp_file(db_password)
-        nssdb.create_db(db_pwdfile.name)
+        nssdb.create_db()
 
         try:
-            nssdb.import_files(cert_files, db_pwdfile.name,
-                               True, key_password, key_nickname)
+            nssdb.import_files(cert_files, True, key_password, key_nickname)
         except RuntimeError as e:
             raise ScriptError(str(e))
 
         if ca_cert_files:
             try:
-                nssdb.import_files(ca_cert_files, db_pwdfile.name)
+                nssdb.import_files(ca_cert_files)
             except RuntimeError as e:
                 raise ScriptError(str(e))
 
@@ -1068,7 +1065,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
             '-o', out_file.name,
             '-n', key_nickname,
             '-d', nssdb.secdir,
-            '-k', db_pwdfile.name,
+            '-k', nssdb.pwd_file,
             '-w', out_pwdfile.name,
         ]
         ipautil.run(args)
@@ -1143,12 +1140,10 @@ def load_external_cert(files, ca_subject):
         with the external CA certificate chain
     """
     with certs.NSSDatabase() as nssdb:
-        db_password = ipautil.ipa_generate_password()
-        db_pwdfile = ipautil.write_tmp_file(db_password)
-        nssdb.create_db(db_pwdfile.name)
+        nssdb.create_db()
 
         try:
-            nssdb.import_files(files, db_pwdfile.name)
+            nssdb.import_files(files)
         except RuntimeError as e:
             raise ScriptError(str(e))
 

ipaserver/install/ipa_server_certinstall.py

@@ -25,7 +25,7 @@ import optparse  # pylint: disable=deprecated-module
 
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
-from ipapython import admintool, ipautil
+from ipapython import admintool
 from ipapython.certdb import get_ca_nickname, NSSDatabase
 from ipapython.dn import DN
 from ipalib import api, errors
@@ -164,14 +164,11 @@ class ServerCertInstall(admintool.AdminTool):
     def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
         # create a temp nssdb
         with NSSDatabase() as tempnssdb:
-            db_password = ipautil.ipa_generate_password()
-            db_pwdfile = ipautil.write_tmp_file(db_password)
-            tempnssdb.create_db(db_pwdfile.name)
+            tempnssdb.create_db()
 
             # import the PKCS12 file, then delete all CA certificates
             # this leaves only the server certs in the temp db
-            tempnssdb.import_pkcs12(
-                pkcs12_filename, db_pwdfile.name, pkcs12_pin)
+            tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)
             for nickname, flags in tempnssdb.list_certs():
                 if 'u' not in flags:
                     while tempnssdb.has_nickname(nickname):

ipaserver/install/kra.py

@@ -54,9 +54,8 @@ def install_check(api, replica_config, options):
             return
 
         with certdb.NSSDatabase() as tmpdb:
-            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-            tmpdb.create_db(pw.name)
-            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+            tmpdb.create_db()
+            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
                                 replica_config.dirman_password)
             kra_cert_nicknames = [
                 "storageCert cert-pki-kra", "transportCert cert-pki-kra",

ipaserver/install/plugins/update_ra_cert_store.py

@@ -37,8 +37,7 @@ class update_ra_cert_store(Updater):
                 return False, []
         else:
             # Create the DB
-            newdb.create_db(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
-                            user=constants.HTTPD_USER,
+            newdb.create_db(user=constants.HTTPD_USER,
                             group=constants.HTTPD_GROUP,
                             mode=0o751, backup=True)
 
@@ -58,18 +57,16 @@ class update_ra_cert_store(Updater):
                                  "chain: {}".format(name, str(e)))
 
         # As the last step export/import/delete the RA Cert
-        ipa_httpd_pwdfile = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
-        ipa_radb_pwdfile = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')
         pw = binascii.hexlify(os.urandom(10))
         p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
-        olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
-        newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
+        olddb.export_pkcs12('ipaCert', p12file, pw)
+        newdb.import_pkcs12(p12file, pw)
 
         certmonger.stop_tracking(secdir=olddb.secdir,
                                  nickname='ipaCert')
         certmonger.start_tracking(secdir=newdb.secdir,
                                   nickname='ipaCert',
-                                  password_file=ipa_radb_pwdfile)
+                                  password_file=newdb.pwd_file)
 
         olddb.delete_cert('ipaCert')