KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction. Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.
When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.
Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
httplib.HTTPConnection supports timeout option so _httplib_request can
be updated to allow passing connection keyword arguments to
connection_factory.
We need connection timeout for cases when reply from server is not
received on time to ask again and not to wait for infinity.
https://pagure.io/freeipa/issue/6766
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
`NSSDatabase.verify_ca_cert_validity` tries to access a property of basic
constraints extension on the extension object itself rather than its value.
Access the attribute on the correct object to fix the issue.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fixes TypeError: bytes or integer address expected instead of str instance
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Unfortunately the MIT krb5 library has a severe limitation with FILE
ccaches when retrieving config data. It will always only search until
the first entry is found and return that one.
For FILE caches MIT krb5 does not support removing old entries when a
new one is stored, and storage happens only in append mode, so the end
result is that even if an update is stored it is never returned with the
standard krb5_cc_get_config() call.
To work around this issue we simply implement what krb5_cc_get_config()
does under the hood with the difference that we do not stop at the first
match but keep going until all ccache entries have been checked.
Related https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.
Files modified by IPA are kept with .ipasave suffix.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX'
three (once for plain value, once for http quoted value and last time for shell
quoted value) times before every character (including terminating '\0') in the string.
https://pagure.io/freeipa/issue/6738
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.
Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace the placeholder with the actual value during build.
This fixes the client incorrectly assuming that the default version of all
plugins is 1.
https://pagure.io/freeipa/issue/6597
Reviewed-By: Martin Basti <mbasti@redhat.com>
GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips
therefore use it when possible.
We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.
Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so peformance improvements there are not as important.
Ticket: https://pagure.io/freeipa/issue/6656
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails
https://pagure.io/freeipa/issue/6718
Reviewed-By: Simo Sorce <ssorce@redhat.com>
It's not necesary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.
A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.
Create the directory with mode 644 to fix the issue.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There are several excerptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exception should be logged on debug level until timeout is reached.
https://fedorahosted.org/freeipa/ticket/6674
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.
Also, we don't allow tls_version_min/max to be set to a random
string anymore.
https://fedorahosted.org/freeipa/ticket/6607
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
