Commit Graph

31 Commits

Author SHA1 Message Date
Fraser Tweedale
3d01ec14c6 Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
db6674096c installutils: remove hardcoded subject DN assumption
`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Jan Cholasta
a2c5888973 ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
38e8719f72 Python3 pylint fixes
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Tomas Krizek
922062eb55 install tools: ldap conn management
* ipca-ca-install: Use a single ldap connection for the entire
    script. Connecting with ccache in promote is not needed.
* ipa-cacert-manage: Always connect to ldap, since renew and install
    are the only options and renew seems to need ldap connection even
    for self signed certificates.
* ipa-compat-manage: Use one ldap connection for the entire script.
    Replaced try-finally with proper disconnect, code block reindented.
* ipa-csreplica-manage: Properly establish and close the ldap connection.
* ipa-dns-install: Proper connect, disconnect to ldap.
* ipa-kra-install: Proper connect/disconnect for install and uninstall.
* ipa-ldap-update: Proper connect and disconnect to ldap.
* ipa-nis-manage: Proper connect/disconnect for ldap. Try-finally removed
    and code block reindented.
* ipa-replica-manage: Proper connect/disconnect to ldap.
* ipa-replica-prepare: Connect added to validate_options(), where api is
    initialized and disconnected added at the end of run. Reconnect in
    ask_for_options() to validate directory manager password.
* ipa-server-certinstall: Use api.Backend.ldap2 for ldap connections.
* ipa-server-upgrade: Connect to and disconnect from api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Stanislav Laznicka
bf6adfe69d Improvements for the ipa-cacert-manage man and help
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.

Also fixed a few missing articles.

https://fedorahosted.org/freeipa/ticket/6013

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-08-09 16:09:08 +02:00
Jan Cholasta
ef91346407 cacert install: fix trust chain validation
https://fedorahosted.org/freeipa/ticket/5612

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-02-24 09:22:59 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Jan Cholasta
aeffe2da42 install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-25 09:12:25 +01:00
David Kupka
5f2cfb5aa2 ipa-cacert-renew: Fix connection to ldap.
https://fedorahosted.org/freeipa/ticket/5468

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-23 15:50:16 +01:00
Petr Viktorin
eab334dde8 Handle binascii.Error from base64.b64decode()
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.

Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).

In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
  handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError

In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate

Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-22 18:34:46 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Jan Cholasta
e39fe4ed31 plugable: Pass API to plugins on initialization rather than using set_api
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Jan Cholasta
8f9c5988e2 Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
https://fedorahosted.org/freeipa/ticket/4781

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 17:08:49 +00:00
Jan Cholasta
f7f3c83748 Check subject name encoding in ipa-cacert-manage renew
https://fedorahosted.org/freeipa/ticket/4781

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-10 17:07:05 +00:00
Jan Cholasta
2cf0f0a658 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
Jan Cholasta
da24d8a6e7 Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
The search criteria did not include the CA agent name.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
83cbfa8eae Do stricter validation of CA certificates
Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.

https://fedorahosted.org/freeipa/ticket/4477

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3aa0731fc6 External CA installer options usability fixes
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.

https://fedorahosted.org/freeipa/ticket/4480

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Jan Cholasta
8bbdfff102 Allow adding CA certificates to certificate store in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
18aa3216e0 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
6870eb909e Add function for writing list of certificates to a PEM file to ipalib.x509.
Also rename load_certificate_chain_from_file to
load_certificate_list_from_file.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
ba3c7b4a89 Add CA certificate management tool ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00