Commit Graph

55 Commits

Author SHA1 Message Date
Stanislav Laznicka
1521296297 x509,certdb: handle certificates as bytes
Certificates, both in PEM and DER format, should be handled as bytes
in Python 3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Stanislav Laznicka
bee3c1eccd More verbose error message on kdc cert validation
KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Fraser Tweedale
bc6d499514 Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction.  Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.

When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.

Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:39:15 +02:00
Jan Cholasta
3b5dbf7cdb server install: fix KDC certificate validation in CA-less
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
52730c786f certdb: use custom object for trust flags
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Stanislav Laznicka
aae9a918b6 Remove publish_ca_cert() method from NSSDatabase
NSSDatabase.publish_ca_cert() is not used anymore, remove it.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:06:29 +00:00
Jan Cholasta
720034f1b4 certdb: fix AttributeError in verify_ca_cert_validity
`NSSDatabase.verify_ca_cert_validity` tries to access a property of basic
constraints extension on the extension object itself rather than its value.

Access the attribute on the correct object to fix the issue.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-03 12:40:55 +00:00
Jan Cholasta
9183cf2a75 certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Jan Cholasta
e263cb46cb httpinstance: clean up /etc/httpd/alias on uninstall
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Christian Heimes
a163ad77b3 certdb: Don't restore_context() of new NSSDB
It's not necesary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 13:42:01 +01:00
Jan Cholasta
b4fa354f50 client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-20 13:00:50 +00:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Simo Sorce
f648c5631a Simplify NSSDatabase password file handling
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Fraser Tweedale
cc5b88e5d4 certdb: accumulate extracted certs as list of PEMs
certdb.NSSDatabase.import_files currently accumulates certificates
extracted from input files as a string, which is ugly.  Accumulate a
list of PEMs instead, and join() them just in time for PKCS #12
creation.

Part of: https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Fraser Tweedale
c7ea56c049 Add function for extracting PEM certs from PKCS #7
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Jan Cholasta
a35f5181c0 certdb: fix PKCS#12 import with empty password
Since commit f919ab4ee0, a temporary file is
used to give passwords to pk12util. When a password is empty, the temporary
will be empty as well, which pk12util does not like.

Add new line after the password in the temporary file to please pk12util.

https://fedorahosted.org/freeipa/ticket/6541

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-12-12 07:29:16 +01:00
Christian Heimes
fb307ba582 Add pylint guard to import of ipaplatform in ipapython.certdb
ipaplatform is not available in PyPI wheel packages. The guard silences
a pylint error in wheel pylint tests.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Jan Cholasta
528012fe8a ipapython: remove hard dependency on ipaplatform
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.

Hard-coded the path to setpasswd in ipautil.run() doc string.

Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
f919ab4ee0 certdb: use a temporary file to pass password to pk12util
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.

Use a temporary file instead.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
fba6c21da3 certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.

Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Martin Basti
4628522c53 Pylint: fix the rest of unused local variables
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Jan Cholasta
54a59475f3 certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:35:44 +01:00
Jan Cholasta
11592dde1b client: stop using /etc/pki/nssdb
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.

https://fedorahosted.org/freeipa/ticket/5592

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-02-24 10:53:28 +01:00
Petr Viktorin
099cf98307 Refactor ipautil.run
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.

The stdout and stderr of all commands are logged (unless skip_output is given).

The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.

The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.

All calls are changed to reflect this.

A use of Popen in cainstance is changed to ipautil.run.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-14 10:54:23 +01:00
Niranjan MR
0152d16820 enable pem=True in export_pem_cert function
export_pem_cert should export the certificate
in pem format but instead exports the cert in der
format as it doesn't enable pem=True.
This patch specifies pem=True for export_pem_cert function

Signed-off-by: Niranjan MR <mrniranjan@fedoraproject.org>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-11 15:02:56 +01:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Jan Cholasta
fdc70e89e9 Fix CA cert validity check for CA-less and external CA installer options
https://fedorahosted.org/freeipa/ticket/4612

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-16 18:09:49 +02:00
Jan Cholasta
98c5788c37 Add missing imports to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-30 10:18:08 +02:00
Jan Cholasta
bbf962299d Use NSSDatabase instead of direct certutil calls in client code
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
b764e9d3e6 Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
86c534df7d Move NSSDatabase from ipaserver.certs to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
231f57cedb Introduce NSS database /etc/ipa/nssdb
This is the new default NSS database for IPA.

/etc/pki/nssdb is still maintained for backward compatibility.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Petr Viktorin
5fd68e3f9d Remove unused ipapython.certdb.CertDB class 2013-04-02 15:28:50 +02:00
Jan Cholasta
c1735e1c80 Drop ipapython.compat. 2013-02-01 09:16:06 -05:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00