Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csr must be in string because framework excpects only strings, so we
have to decode it back
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.
Detect and report if size limit was exceeded in the certificate search in
the CA.
Do not apply limits to the internal ca-find call.
https://fedorahosted.org/freeipa/ticket/6564
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled. When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.
Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
- for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
- for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR. Recent commits that switch to using python-cryptography for
cert and CSR handling broke this. Our acceptance tests use such
CSRs, hence the tests are now failing.
To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM. This avoids re-using the
user-supplied data, in case it has extraneous data.
Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints. Add our own helper functions to format the
fingerprints as hex (with colons).
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
cert-show no longer shows validity dates without `--all', but this
is important information that should be shown by default. Make it
so.
Fixes: https://fedorahosted.org/freeipa/ticket/6419
Reviewed-By: Martin Basti <mbasti@redhat.com>
In commit c718ef0588 some param values were
accidentally removed from cert-find output.
In commit 22d5f579bb `serial_number_hex` and
`revoked` were added back.
Add back `revocation_reason` as well. Also, do not include `revoked` with
--raw, as it's a virtual attribute.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Inform the user where to find additional information
about certificate revocation reasons.
https://fedorahosted.org/freeipa/ticket/6327
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.
Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.
https://fedorahosted.org/freeipa/ticket/6304
Reviewed-By: David Kupka <dkupka@redhat.com>
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing code is primarily relevant to X.509. An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command. The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue. Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.
Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.
Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.
Restructure the code to make it (hopefully) easier to follow.
https://fedorahosted.org/freeipa/ticket/6098
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Add the 'cacn' option to the cert-status command. Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA. Raise NotFound if the cert with the given
serial was not issued by the nominated CA.
Also default the --ca option of cert-show to the IPA CA.
Add commentary to cert-status to explain why it does not use the
--ca option.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".
Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.
Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It is hard to translate whole dosctring again and again aftear each
minor change. This split will make life for translators easier. (Just note: dosctring was
changed and that is the reason why I'm sending this, because translators
must translate it again anyway)
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The 'issuer' option of cert-find was recently changed from Str to
DNParam, however, 'ra.find' expects a string and throws when it
receives a DN.
When constructing the dict that gets passed to 'ra.find', turn
DNParams into strings.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow search by certificate data or file in cert-find.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Get owner information from LDAP in cert-show and cert-find. Allow search by
owner in cert-find.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Implement cert as an object with methods rather than a bunch of loosely
related commands.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Use only object params and params defined in has_output_params as output
params. This removes unnecessary duplication of params defined both in
object plugins and as command arguments.
This requires all command output params to be properly defined in either
the object plugins or the command's has_output_params. Fix the plugins
where this wasn't true.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the optional 'ca_id' argument to ra.request_certificate(), for
passing an Authority ID to Dogtag.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
