mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 17:01:14 -06:00
beffa7bcda
Implement the import and export handlers for Custodia keys as external scripts. It's a prerequisite to drop DAC override permission and proper SELinux rules for ipa-custodia. Except for DMLDAP, handlers no longer run as root but as handler specific users with reduced privileges. The Dogtag-related handlers run as pkiuser, which also help with HSM support. The export and import handles are designed to be executed by sudo, too. In the future, ipa-custodia could be executed as an unprivileged process that runs the minimal helper scripts with higher privileges. Fixes: https://pagure.io/freeipa/issue/6888 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
119 lines
2.9 KiB
Python
119 lines
2.9 KiB
Python
#
|
|
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
|
#
|
|
"""Export / import PEM cert and key file as PKCS#12 data
|
|
"""
|
|
import base64
|
|
import json
|
|
import os
|
|
|
|
from ipaplatform.paths import paths
|
|
from ipapython import ipautil
|
|
from . import common
|
|
|
|
|
|
def export_key(args, tmpdir):
|
|
"""Export cert and private from PEM files as PKCS#12 file.
|
|
|
|
The PKCS#12 file is encrypted with a password.
|
|
"""
|
|
pk12file = os.path.join(tmpdir, 'export.p12')
|
|
|
|
password = ipautil.ipa_generate_password()
|
|
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
|
with open(pk12pwfile, 'w') as f:
|
|
f.write(password)
|
|
|
|
# OpenSSL does not support pkcs12 export of a cert without key
|
|
ipautil.run([
|
|
paths.OPENSSL, 'pkcs12', '-export',
|
|
'-in', args.certfile,
|
|
'-out', pk12file,
|
|
'-inkey', args.keyfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
])
|
|
|
|
with open(pk12file, 'rb') as f:
|
|
p12data = f.read()
|
|
|
|
data = {
|
|
'export password': password,
|
|
'pkcs12 data': p12data,
|
|
}
|
|
common.json_dump(data, args.exportfile)
|
|
|
|
|
|
def import_key(args, tmpdir):
|
|
"""Export key and certificate from a PKCS#12 file to key and cert files.
|
|
"""
|
|
data = json.load(args.importfile)
|
|
password = data['export password']
|
|
p12data = base64.b64decode(data['pkcs12 data'])
|
|
|
|
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
|
with open(pk12pwfile, 'w') as f:
|
|
f.write(password)
|
|
|
|
pk12file = os.path.join(tmpdir, 'import.p12')
|
|
with open(pk12file, 'wb') as f:
|
|
f.write(p12data)
|
|
|
|
# get the certificate from the file
|
|
cmd = [
|
|
paths.OPENSSL, 'pkcs12',
|
|
'-in', pk12file,
|
|
'-clcerts', '-nokeys',
|
|
'-out', args.certfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
]
|
|
ipautil.run(cmd, umask=0o027)
|
|
|
|
# get the private key from the file
|
|
cmd = [
|
|
paths.OPENSSL, 'pkcs12',
|
|
'-in', pk12file,
|
|
'-nocerts', '-nodes',
|
|
'-out', args.keyfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
]
|
|
ipautil.run(cmd, umask=0o027)
|
|
|
|
|
|
def default_parser():
|
|
parser = common.mkparser(
|
|
description='ipa-custodia PEM file handler'
|
|
)
|
|
parser.add_argument(
|
|
'--certfile',
|
|
help='path to PEM encoded cert file',
|
|
required=True
|
|
)
|
|
parser.add_argument(
|
|
'keyfile',
|
|
help='path to PEM encoded key file',
|
|
required=True
|
|
)
|
|
return parser
|
|
|
|
|
|
def ra_agent_parser():
|
|
parser = common.mkparser(
|
|
description='ipa-custodia RA agent cert handler'
|
|
)
|
|
parser.set_defaults(
|
|
certfile=paths.RA_AGENT_PEM,
|
|
keyfile=paths.RA_AGENT_KEY
|
|
)
|
|
return parser
|
|
|
|
|
|
def main(parser=None):
|
|
if parser is None:
|
|
parser = default_parser()
|
|
|
|
common.main(parser, export_key, import_key)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|