Commit Graph

135 Commits

Author SHA1 Message Date
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Fraser Tweedale
4cf2bfcaa6 Add profile_id parameter to 'request_certificate'
Add the profile_id parameter to the 'request_certificate' function
and update call sites.

Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Tomas Babej
faec4ef9de certs: Fix incorrect flag handling in load_cacert
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make it a required
argument.

https://fedorahosted.org/freeipa/ticket/4779

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-02 14:44:42 +00:00
Jan Cholasta
86c534df7d Move NSSDatabase from ipaserver.certs to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
83cbfa8eae Do stricter validation of CA certificates
Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.

https://fedorahosted.org/freeipa/ticket/4477

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
60ecba77cd Add NSSDatabase.import_files method for importing files in various formats
The files are accepted in PEM and DER certificate, PKCS#7 certificate chain,
PKCS#8 and raw private key and PKCS#12 formats.

https://fedorahosted.org/freeipa/ticket/4480
https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Jan Cholasta
6bb240fa2c Fix parsing of long nicknames in certutil -L output.
https://fedorahosted.org/freeipa/ticket/4453

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-07 15:07:39 +02:00
Jan Cholasta
f39c6ee544 Add new NSSDatabase method get_cert for getting certs from NSS databases.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
987bf3fbf0 Allow multiple CA certificates in replica info files.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
feecdb4cdc Rename CertDB method add_cert to import_cert.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d2bf0b8b54 Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9d4eeeda55 Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
52f72ec058 Do not treat the IPA RA cert as CA cert in DS NSS database.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031b281921 Add method for verifying CA certificates to NSSDatabase.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c ipaplatform: Remove redundant imports of ipaservices
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Jan Cholasta
c123264ac7 Read passwords from stdin when importing PKCS#12 files with pk12util.
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.

https://fedorahosted.org/freeipa/ticket/3897
2013-10-04 10:27:23 +02:00
Jan Cholasta
f2c3ae36f9 Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.
https://fedorahosted.org/freeipa/ticket/3641
2013-08-20 16:18:59 +02:00
Jan Cholasta
59c4aba883 Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.
https://fedorahosted.org/freeipa/ticket/3641
2013-08-20 16:18:59 +02:00
Martin Kosek
b9ec4d1a67 Prevent *.pyo and *.pyc multilib problems
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.

This patch:
 1) Ensures that timestamps of generated *.pyo and *.pyc files match
 2) Python integer literals greater or equal 2^32 and lower than 2^64
    are converted to long right away to prevent different type of
    the integer on architectures with different size of int

https://fedorahosted.org/freeipa/ticket/3858
2013-08-13 15:31:46 +02:00
Ana Krivokapic
f637d05a18 Properly handle non-existent cert files
https://fedorahosted.org/freeipa/ticket/3785
2013-07-18 13:37:40 +02:00
Jan Cholasta
2ccadf4726 Skip empty lines when parsing pk12util output. 2013-06-12 12:59:54 +02:00
Jan Cholasta
1e772b1845 Handle exceptions gracefully when verifying PKCS#12 files.
https://fedorahosted.org/freeipa/ticket/3667
2013-06-12 12:59:54 +02:00
Petr Viktorin
e736e75ce9 Drop --selfsign server functionality
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
2013-04-15 16:56:12 -04:00
Petr Viktorin
1bc892c02d Load the CA cert into server NSS databases
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
2013-04-02 15:28:50 +02:00
Petr Viktorin
03a2c66eda Support installing with custom SSL certs, without a CA
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
2013-04-02 15:28:50 +02:00
Petr Viktorin
ac06a28cf9 Trust CAs from PKCS#12 files even if they don't have Friendly Names
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
2013-04-02 15:28:50 +02:00
Petr Viktorin
1e86378d49 ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
The CertDB class was meant to be a wrapper around NSS databases,
certutil, pk12util, etc. Unfortunately, over time it grew too
dependent on the particular scenarios it is used in.
Introduce a new class that has no knowledge about IPA configuration,
and move generic code to it.

In the future, generic code should be moved to NSSDatabase, code
for the self-signed CA should be removed, and IPA-specific code may
stay in CertDB (which calls NSSDatabase).
2013-04-02 15:28:50 +02:00
Petr Viktorin
334ba2e79f Remove unused imports from ipaserver/install
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:44 +01:00
Jan Cholasta
c1735e1c80 Drop ipapython.compat. 2013-02-01 09:16:06 -05:00
John Dennis
a1991aeac1 Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2013-01-23 14:26:42 -05:00
Petr Viktorin
4bb4535101 Use correct Dogtag port in ipaserver.install.certs
On an instance upgraded from Dogtag 9 to Dogtag 10,
ipa-replica-prepare used the wrong port number. Fix that.
2012-09-20 13:58:53 +02:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Rob Crittenden
717bbcd2bf Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
2012-04-10 01:08:41 -04:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Rob Crittenden
a41457ec3a Detect CA installation type in ipa-replica-prepare and ipa-ca-install.
ipa-ca-install can only add a dogtag CA to an IPA install.

ipa-replica-prepare can only be run on the initial master with a
selfsign backend.

https://fedorahosted.org/freeipa/ticket/1756
https://fedorahosted.org/freeipa/ticket/1757
2011-09-27 17:50:46 +02:00
Alexander Bokovoy
a02e0514f6 Convert server install code to platform-independent access to system services
https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:14:18 +02:00
Rob Crittenden
f8d0688178 Use the IPA server cert profile in the installer.
We were still using the caRAserverCert profile during installation.

https://fedorahosted.org/freeipa/ticket/1744
2011-08-30 20:17:57 -04:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Jan Cholasta
1ec531469e Make sure messagebus is running prior to starting certmonger.
ticket 1580
2011-08-18 20:15:48 -04:00
John Dennis
442973edc5 Clean up existing DN object usage 2011-07-29 13:13:55 +02:00
Rob Crittenden
d43ba5316a Generate a database password by default in all cases.
If the password passed in when creating a NSS certificate database is None
then a random password is generated. If it is empty ('') then an empty
password is set.

Because of this the HTTP instance on replicas were created with an empty
password.

https://fedorahosted.org/freeipa/ticket/1407
2011-07-17 22:26:01 -04:00
Rob Crittenden
2f650b60a4 Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.

We can instead pull the subject from the certificate and use that as
the nickname.

https://fedorahosted.org/freeipa/ticket/1141
2011-07-17 22:14:24 -04:00
Rob Crittenden
8a32bb3746 Make dogtag an optional (and default un-) installed component in a replica.
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.

https://fedorahosted.org/freeipa/ticket/1251
2011-06-23 19:04:33 -04:00
Rob Crittenden
dd69c7dbe6 Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the certificate
is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32
2011-06-21 19:09:50 -04:00
Jakub Hrozek
ab2ca8022e Fix assorted bugs found by pylint 2011-01-25 14:01:36 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Simo Sorce
bfaea1dd78 Move Selfsigned CA creation out of dsinstance
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.

Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-10 12:28:38 -05:00
Simo Sorce
345fc79f03 pkinit-replica: create certificates for replicas too
altough the kdc certificate name is not tied to the fqdn we create separate
certs for each KDC so that renewal of each of them is done separately.
2010-11-18 15:09:57 -05:00
Simo Sorce
52a46d121b Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
2010-11-18 15:09:36 -05:00
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00
Rob Crittenden
3703062ab2 Use consistent, specific nickname for the IPA CA certificate.
Also fix some imports for sha. We have a compat module for it, use it.

ticket 181
2010-10-01 13:37:34 -04:00
Rob Crittenden
a67b524510 Automatically convert a v1-style ca_serialno to the v2 config style.
This has been annoying for developers who switch back and forth. It will
still break v1 but at least going from v1 to v2 will work seemlessly.

ticket 240
2010-09-24 15:31:23 -04:00
Rob Crittenden
2951901d1e Properly handle CertificateOperationErrors in replication prepration.
The problem here was two-fold: the certs manager was raising an
error it didn't know about and ipa-replica-prepare wasn't catching it.

ticket 249
2010-09-24 15:30:41 -04:00
Rob Crittenden
f87bd57c1d Fix certmonger errors when doing a client or server uninstall.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.

This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.

I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.

ticket 142
2010-09-09 16:38:52 -04:00
Rob Crittenden
2e8bae590e Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.

This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.

This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.

ticket 67
2010-09-09 16:38:45 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
70049496e3 Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
2010-04-19 10:04:25 -04:00
Rob Crittenden
4bf70406d3 Don't let failure to trust the CA abort the server installation.
This error could result in things not working properly but it should be
relatively easy to fix from the command-line. There is no point in
not installing at all due to this.
2010-04-07 08:59:22 -04:00
Rob Crittenden
33a30fef12 Don't assume local directory is valid or writable.
certutil writes to the local directory when issuing a certificate.
Change to the security database directory when issuing the self-signed CA.

Also handle the case where a user is in a non-existent directory when doing
the install.
2010-02-19 14:37:27 -05:00
Rob Crittenden
8a4ab2a0e5 Move the HTTP/S request code to a common library
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.

These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
2010-02-09 03:26:01 -07:00
Rob Crittenden
dc55240fe8 Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
2010-02-02 14:02:46 -05:00
Rob Crittenden
b7cda86697 Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required but will attempt to re-do the
handshake to make this happen which will fail with newer versions of NSS.
2010-01-27 17:01:26 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Rob Crittenden
7c2c2d6130 Add option to have ipautil.run() not raise an exception
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.

This also lets the caller get the contents of stdout and stderr.
2009-11-30 15:28:41 -05:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Rob Crittenden
38ae093c7b Add the CA constraint to the self-signed CA we generate
514027
2009-08-27 16:49:09 -04:00
Jason Gerard DeRose
03a80f512c Fixed whitespace indentation error in certs.py 2009-07-27 19:23:31 -06:00
Rob Crittenden
5bbe1108d5 Identify CAs to trust from an imported PKCS#12 file
We used to use certutil -O to determine the cert chain to trust. This
behavior changed in F-11 such that untrusted CAs are not displayed.
This is only used when we import PKCS#12 files so use pk12util -l to
display the list of certs and keys in the file to determine the nickname(s)
of the CAs to trust.

509111
2009-07-27 16:04:53 -06:00
Rob Crittenden
5767c6b37d Fix deprecation warning for the sha library on Python 2.6
sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so
this will use hashlib if available but fall back onto sha if not.
Fortunately they use the same API for the function we need.

509042

Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 20:03:01 -06:00
Rob Crittenden
b382755fee No need to trust NSS built-in CA's, more specific regex for finding CA nickname
- Add some logging so we have a better idea of what happened if things fail
- Default to self-signed CA to trust if one is not found. This will fix
  the self-signed CA case where certutil doesn't return untrusted CA's in
  -O output.
- Remove unused httplib import

Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 13:45:45 -06:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Rob Crittenden
dfe9db5548 Add signing profile to CA installation so we can sign the firefox jar file.
Use the requestId we get back from the CA when requesting the RA agent cert
and use that to issue the certificate rather than hardcoding 7.

This also adds some clean-up of file permissions and leaking fds
2009-05-04 16:54:42 -04:00
Rob Crittenden
9182c10b03 Issue DS and Apache server certs during CA installation.
Notes:
- will create a CA instance (pki-ca) if it doesn't exist
- maintains support for a self-signed CA
- A signing cert is still not created so Firefox autoconfig still won't work
2009-04-20 14:01:00 -04:00
Rob Crittenden
262ff2d731 Rename ipa-python directory to ipapython so it is a real python library
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
2009-02-09 14:35:15 -05:00
Rob Crittenden
e30cd6ba42 Mass tree reorganization for IPAv2. To view previous history of files use:
% git log --follow -- <file>

renamed: ipa-server/autogen.sh -> autogen.sh
renamed: ipa-server/ipa-kpasswd/Makefile.am -> daemons/ipa-kpasswd/Makefile.am
renamed: ipa-server/ipa-kpasswd/README -> daemons/ipa-kpasswd/README
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.c -> daemons/ipa-kpasswd/ipa_kpasswd.c
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.init -> daemons/ipa-kpasswd/ipa_kpasswd.init
renamed: ipa-server/ipa-slapi-plugins/Makefile.am -> daemons/ipa-slapi-plugins/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/README -> daemons/ipa-slapi-plugins/README
renamed: ipa-server/ipa-slapi-plugins/dna/Makefile.am -> daemons/ipa-slapi-plugins/dna/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/dna/dna-conf.ldif -> daemons/ipa-slapi-plugins/dna/dna-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/dna/dna.c -> daemons/ipa-slapi-plugins/dna/dna.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am -> daemons/ipa-slapi-plugins/ipa-memberof/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif -> daemons/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am -> daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/README -> daemons/ipa-slapi-plugins/ipa-pwd-extop/README
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif -> daemons/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/Makefile.am -> daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/README -> daemons/ipa-slapi-plugins/ipa-winsync/README
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
renamed: ipa-server/xmlrpc-server/ipa-rewrite.conf -> install/conf/ipa-rewrite.conf
renamed: ipa-server/xmlrpc-server/ipa.conf -> install/conf/ipa.conf
renamed: ipa-server/xmlrpc-server/ssbrowser.html -> install/html/ssbrowser.html
renamed: ipa-server/xmlrpc-server/unauthorized.html -> install/html/unauthorized.html
renamed: ipa-server/ipa-install/share/60ipaconfig.ldif -> install/share/60ipaconfig.ldif
renamed: ipa-server/ipa-install/share/60kerberos.ldif -> install/share/60kerberos.ldif
renamed: ipa-server/ipa-install/share/60radius.ldif -> install/share/60radius.ldif
renamed: ipa-server/ipa-install/share/60samba.ldif -> install/share/60samba.ldif
renamed: ipa-server/ipa-install/share/Makefile.am -> install/share/Makefile.am
renamed: ipa-server/ipa-install/share/bind.named.conf.template -> install/share/bind.named.conf.template
renamed: ipa-server/ipa-install/share/bind.zone.db.template -> install/share/bind.zone.db.template
renamed: ipa-server/ipa-install/share/bootstrap-template.ldif -> install/share/bootstrap-template.ldif
renamed: ipa-server/ipa-install/share/certmap.conf.template -> install/share/certmap.conf.template
renamed: ipa-server/ipa-install/share/default-aci.ldif -> install/share/default-aci.ldif
renamed: ipa-server/ipa-install/share/default-keytypes.ldif -> install/share/default-keytypes.ldif
renamed: ipa-server/ipa-install/share/dna-posix.ldif -> install/share/dna-posix.ldif
renamed: ipa-server/ipa-install/share/encrypted_attribute.ldif -> install/share/encrypted_attribute.ldif
renamed: ipa-server/ipa-install/share/fedora-ds.init.patch -> install/share/fedora-ds.init.patch
renamed: ipa-server/ipa-install/share/indices.ldif -> install/share/indices.ldif
renamed: ipa-server/ipa-install/share/kdc.conf.template -> install/share/kdc.conf.template
renamed: ipa-server/ipa-install/share/kerberos.ldif -> install/share/kerberos.ldif
renamed: ipa-server/ipa-install/share/krb.con.template -> install/share/krb.con.template
renamed: ipa-server/ipa-install/share/krb5.conf.template -> install/share/krb5.conf.template
renamed: ipa-server/ipa-install/share/krb5.ini.template -> install/share/krb5.ini.template
renamed: ipa-server/ipa-install/share/krbrealm.con.template -> install/share/krbrealm.con.template
renamed: ipa-server/ipa-install/share/master-entry.ldif -> install/share/master-entry.ldif
renamed: ipa-server/ipa-install/share/memberof-task.ldif -> install/share/memberof-task.ldif
renamed: ipa-server/ipa-install/share/ntp.conf.server.template -> install/share/ntp.conf.server.template
renamed: ipa-server/ipa-install/share/ntpd.sysconfig.template -> install/share/ntpd.sysconfig.template
renamed: ipa-server/ipa-install/share/preferences.html.template -> install/share/preferences.html.template
renamed: ipa-server/ipa-install/share/referint-conf.ldif -> install/share/referint-conf.ldif
renamed: ipa-server/ipa-install/share/schema_compat.uldif -> install/share/schema_compat.uldif
renamed: ipa-server/ipa-install/share/unique-attributes.ldif -> install/share/unique-attributes.ldif
renamed: ipa-server/ipa-install/Makefile.am -> install/tools/Makefile.am
renamed: ipa-server/ipa-install/README -> install/tools/README
renamed: ipa-server/ipa-compat-manage -> install/tools/ipa-compat-manage
renamed: ipa-server/ipa-fix-CVE-2008-3274 -> install/tools/ipa-fix-CVE-2008-3274
renamed: ipa-server/ipa-ldap-updater -> install/tools/ipa-ldap-updater
renamed: ipa-server/ipa-install/ipa-replica-install -> install/tools/ipa-replica-install
renamed: ipa-server/ipa-install/ipa-replica-manage -> install/tools/ipa-replica-manage
renamed: ipa-server/ipa-install/ipa-replica-prepare -> install/tools/ipa-replica-prepare
renamed: ipa-server/ipa-install/ipa-server-certinstall -> install/tools/ipa-server-certinstall
renamed: ipa-server/ipa-install/ipa-server-install -> install/tools/ipa-server-install
renamed: ipa-server/ipa-upgradeconfig -> install/tools/ipa-upgradeconfig
renamed: ipa-server/ipa-install/ipactl -> install/tools/ipactl
renamed: ipa-server/man/Makefile.am -> install/tools/man/Makefile.am
renamed: ipa-server/man/ipa-compat-manage.1 -> install/tools/man/ipa-compat-manage.1
renamed: ipa-server/man/ipa-ldap-updater.1 -> install/tools/man/ipa-ldap-updater.1
renamed: ipa-server/man/ipa-replica-install.1 -> install/tools/man/ipa-replica-install.1
renamed: ipa-server/man/ipa-replica-manage.1 -> install/tools/man/ipa-replica-manage.1
renamed: ipa-server/man/ipa-replica-prepare.1 -> install/tools/man/ipa-replica-prepare.1
renamed: ipa-server/man/ipa-server-certinstall.1 -> install/tools/man/ipa-server-certinstall.1
renamed: ipa-server/man/ipa-server-install.1 -> install/tools/man/ipa-server-install.1
renamed: ipa-server/man/ipa_kpasswd.8 -> install/tools/man/ipa_kpasswd.8
renamed: ipa-server/man/ipa_webgui.8 -> install/tools/man/ipa_webgui.8
renamed: ipa-server/man/ipactl.8 -> install/tools/man/ipactl.8
renamed: ipa-server/ipa-install/updates/Makefile.am -> install/updates/Makefile.am
renamed: ipa-server/ipa-install/updates/RFC2307bis.update -> install/updates/RFC2307bis.update
renamed: ipa-server/ipa-install/updates/RFC4876.update -> install/updates/RFC4876.update
renamed: ipa-server/ipa-install/updates/indices.update -> install/updates/indices.update
renamed: ipa-server/ipa-install/updates/nss_ldap.update -> install/updates/nss_ldap.update
renamed: ipa-server/ipa-install/updates/replication.update -> install/updates/replication.update
renamed: ipa-server/ipa-install/updates/winsync_index.update -> install/updates/winsync_index.update
renamed: ipa-server/ipaserver/Makefile.am -> ipaserver/install/Makefile.am
renamed: ipa-server/ipaserver/__init__.py -> ipaserver/install/__init__.py
renamed: ipa-server/ipaserver/bindinstance.py -> ipaserver/install/bindinstance.py
renamed: ipa-server/ipaserver/certs.py -> ipaserver/install/certs.py
renamed: ipa-server/ipaserver/dsinstance.py -> ipaserver/install/dsinstance.py
renamed: ipa-server/ipaserver/httpinstance.py -> ipaserver/install/httpinstance.py
renamed: ipa-server/ipaserver/installutils.py -> ipaserver/install/installutils.py
renamed: ipa-server/ipaserver/ipaldap.py -> ipaserver/install/ipaldap.py
renamed: ipa-server/ipaserver/krbinstance.py -> ipaserver/install/krbinstance.py
renamed: ipa-server/ipaserver/ldapupdate.py -> ipaserver/install/ldapupdate.py
renamed: ipa-server/ipaserver/ntpinstance.py -> ipaserver/install/ntpinstance.py
renamed: ipa-server/ipaserver/replication.py -> ipaserver/install/replication.py
renamed: ipa-server/ipaserver/service.py -> ipaserver/install/service.py
renamed: ipa-server/selinux/Makefile -> selinux/Makefile
renamed: ipa-server/selinux/ipa-server-selinux.spec.in -> selinux/ipa-server-selinux.spec.in
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc -> selinux/ipa_kpasswd/ipa_kpasswd.fc
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te -> selinux/ipa_kpasswd/ipa_kpasswd.te
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.fc -> selinux/ipa_webgui/ipa_webgui.fc
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.te -> selinux/ipa_webgui/ipa_webgui.te
renamed: ipa-server/version.m4.in -> version.m4.in
2009-02-03 15:27:14 -05:00