Check ca_wrapped in ipa-custodia-check

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key material. Add checks to custodia to verify that key wrapping works. Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-16 17:01:29 +02:00 · 2020-09-16 17:01:29 +02:00 · fbb6484dbe
commit fbb6484dbe
parent a96b89388d
5 changed files with 20 additions and 0 deletions
--- a/install/tools/ipa-custodia-check.in
+++ b/install/tools/ipa-custodia-check.in
@ -49,6 +49,8 @@ KEYS = [
    'dm/DMHash',
    'ra/ipaCert',
    'ca/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
    'ca/caSigningCert cert-pki-ca',
    'ca/ocspSigningCert cert-pki-ca',
    'ca/subsystemCert cert-pki-ca',
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -395,6 +395,7 @@ class BasePathNamespace:
    IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
    IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
    IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
    IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
    EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
    GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@ -117,6 +117,7 @@ class DebianPathNamespace(BasePathNamespace):
    IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
    IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
    IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/lib/ipa/ipa-custodia-check"
    WSGI_PREFIX_DIR = "/run/apache2/wsgi"

 paths = DebianPathNamespace()
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@ -1013,6 +1013,12 @@ class TestInstallMaster(IntegrationTest):
        )
        assert result.returncode != 0

+    def test_ipa_custodia_check(self):
+        # check local key retrieval
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+

 class TestInstallMasterKRA(IntegrationTest):

--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@ -21,6 +21,7 @@ from __future__ import print_function

 import pytest

+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
@ -94,6 +95,15 @@ class TestSimpleReplication(IntegrationTest):
        assert msg1 not in result.stdout_text
        assert msg2 not in result.stdout_text

+    def test_ipa_custodia_check(self):
+        replica = self.replicas[0]
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, replica.hostname]
+        )
+        replica.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+
    def test_replica_removal(self):
        """Test replica removal"""
        result = self.master.run_command(['ipa-replica-manage', 'list'])