Simplify NSSDatabase password file handling

https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-12-22 14:24:21 -05:00
parent d124e307f3
commit f648c5631a
6 changed files with 33 additions and 47 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -83,7 +83,6 @@ class CertDB(object):
        self.realm = realm

        self.noise_fname = self.secdir + "/noise.txt"
-        self.passwd_fname = self.secdir + "/pwdfile.txt"
        self.certdb_fname = self.secdir + "/cert8.db"
        self.keydb_fname = self.secdir + "/key3.db"
        self.secmod_fname = self.secdir + "/secmod.db"
@@ -119,6 +118,10 @@ class CertDB(object):
    ca_subject = ipautil.dn_attribute_property('_ca_subject')
    subject_base = ipautil.dn_attribute_property('_subject_base')

+    @property
+    def passwd_fname(self):
+        return self.nssdb.pwd_file
+
    def __del__(self):
        if self.reqdir is not None:
            shutil.rmtree(self.reqdir, ignore_errors=True)
@@ -189,7 +192,7 @@ class CertDB(object):
        ipautil.backup_file(self.certdb_fname)
        ipautil.backup_file(self.keydb_fname)
        ipautil.backup_file(self.secmod_fname)
-        self.nssdb.create_db(self.passwd_fname)
+        self.nssdb.create_db()
        self.set_perms(self.passwd_fname, write=True)

    def list_certs(self):
@@ -510,7 +513,7 @@ class CertDB(object):
        return self.nssdb.find_server_certs()

    def import_pkcs12(self, pkcs12_fname, pkcs12_passwd=None):
-        return self.nssdb.import_pkcs12(pkcs12_fname, self.passwd_fname,
+        return self.nssdb.import_pkcs12(pkcs12_fname,
                                        pkcs12_passwd=pkcs12_passwd)

    def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1003,19 +1003,16 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
        the CA certificate of the CA that issued the server certificate
    """
    with certs.NSSDatabase() as nssdb:
-        db_password = ipautil.ipa_generate_password()
-        db_pwdfile = ipautil.write_tmp_file(db_password)
-        nssdb.create_db(db_pwdfile.name)
+        nssdb.create_db()

        try:
-            nssdb.import_files(cert_files, db_pwdfile.name,
-                               True, key_password, key_nickname)
+            nssdb.import_files(cert_files, True, key_password, key_nickname)
        except RuntimeError as e:
            raise ScriptError(str(e))

        if ca_cert_files:
            try:
-                nssdb.import_files(ca_cert_files, db_pwdfile.name)
+                nssdb.import_files(ca_cert_files)
            except RuntimeError as e:
                raise ScriptError(str(e))

@@ -1068,7 +1065,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
            '-o', out_file.name,
            '-n', key_nickname,
            '-d', nssdb.secdir,
-            '-k', db_pwdfile.name,
+            '-k', nssdb.pwd_file,
            '-w', out_pwdfile.name,
        ]
        ipautil.run(args)
@@ -1143,12 +1140,10 @@ def load_external_cert(files, ca_subject):
        with the external CA certificate chain
    """
    with certs.NSSDatabase() as nssdb:
-        db_password = ipautil.ipa_generate_password()
-        db_pwdfile = ipautil.write_tmp_file(db_password)
-        nssdb.create_db(db_pwdfile.name)
+        nssdb.create_db()

        try:
-            nssdb.import_files(files, db_pwdfile.name)
+            nssdb.import_files(files)
        except RuntimeError as e:
            raise ScriptError(str(e))

--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -25,7 +25,7 @@ import optparse  # pylint: disable=deprecated-module

 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
-from ipapython import admintool, ipautil
+from ipapython import admintool
 from ipapython.certdb import get_ca_nickname, NSSDatabase
 from ipapython.dn import DN
 from ipalib import api, errors
@@ -164,14 +164,11 @@ class ServerCertInstall(admintool.AdminTool):
    def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
        # create a temp nssdb
        with NSSDatabase() as tempnssdb:
-            db_password = ipautil.ipa_generate_password()
-            db_pwdfile = ipautil.write_tmp_file(db_password)
-            tempnssdb.create_db(db_pwdfile.name)
+            tempnssdb.create_db()

            # import the PKCS12 file, then delete all CA certificates
            # this leaves only the server certs in the temp db
-            tempnssdb.import_pkcs12(
-                pkcs12_filename, db_pwdfile.name, pkcs12_pin)
+            tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)
            for nickname, flags in tempnssdb.list_certs():
                if 'u' not in flags:
                    while tempnssdb.has_nickname(nickname):
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -54,9 +54,8 @@ def install_check(api, replica_config, options):
            return

        with certdb.NSSDatabase() as tmpdb:
-            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-            tmpdb.create_db(pw.name)
-            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+            tmpdb.create_db()
+            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
                                replica_config.dirman_password)
            kra_cert_nicknames = [
                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -37,8 +37,7 @@ class update_ra_cert_store(Updater):
                return False, []
        else:
            # Create the DB
-            newdb.create_db(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
-                            user=constants.HTTPD_USER,
+            newdb.create_db(user=constants.HTTPD_USER,
                            group=constants.HTTPD_GROUP,
                            mode=0o751, backup=True)

@@ -58,18 +57,16 @@ class update_ra_cert_store(Updater):
                                 "chain: {}".format(name, str(e)))

        # As the last step export/import/delete the RA Cert
-        ipa_httpd_pwdfile = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
-        ipa_radb_pwdfile = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')
        pw = binascii.hexlify(os.urandom(10))
        p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
-        olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
-        newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
+        olddb.export_pkcs12('ipaCert', p12file, pw)
+        newdb.import_pkcs12(p12file, pw)

        certmonger.stop_tracking(secdir=olddb.secdir,
                                 nickname='ipaCert')
        certmonger.start_tracking(secdir=newdb.secdir,
                                  nickname='ipaCert',
-                                  password_file=ipa_radb_pwdfile)
+                                  password_file=newdb.pwd_file)

        olddb.delete_cert('ipaCert')