The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.
Create the directory with mode 644 to fix the issue.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
certdb.NSSDatabase.import_files currently accumulates certificates
extracted from input files as a string, which is ugly. Accumulate a
list of PEMs instead, and join() them just in time for PKCS #12
creation.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to
use the new function.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since commit f919ab4ee0, a temporary file is
used to give passwords to pk12util. When a password is empty, the temporary
will be empty as well, which pk12util does not like.
Add new line after the password in the temporary file to please pk12util.
https://fedorahosted.org/freeipa/ticket/6541
Reviewed-By: David Kupka <dkupka@redhat.com>
ipaplatform is not available in PyPI wheel packages. The guard silences
a pylint error in wheel pylint tests.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.
Hard-coded the path to setpasswd in ipautil.run() doc string.
Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.
Use a temporary file instead.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.
Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.
Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka <dkupka@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
export_pem_cert should export the certificate
in pem format but instead exports the cert in der
format as it doesn't enable pem=True.
This patch specifies pem=True for export_pem_cert function
Signed-off-by: Niranjan MR <mrniranjan@fedoraproject.org>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239