authorJan Cholasta <jcholast@redhat.com>2014-06-09 16:04:09 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commitd2bf0b8b540e4efdb5ef06a449310f9a04a2eb17 (patch)
treed9d95c32799bc4141f2d8bcda301624be413b51d
parent9d4eeeda55b397237af17392f3acb9542e126145 (diff)
Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r--install/tools/ipa-upgradeconfig31
-rw-r--r--ipaserver/install/cainstance.py4
-rw-r--r--ipaserver/install/certs.py22
-rw-r--r--ipaserver/install/dsinstance.py7
-rw-r--r--ipaserver/install/httpinstance.py7
5 files changed, 54 insertions, 17 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c9ad0a67f..e24a6658c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -37,7 +37,7 @@ import ipalib.util
import ipalib.errors
from ipaplatform import services
from ipaplatform.tasks import tasks
-from ipapython import ipautil, sysrestore, version
+from ipapython import ipautil, sysrestore, version, certdb
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import *
from ipapython import certmonger
@@ -1052,6 +1052,26 @@ def remove_ds_ra_cert(subject_base):
sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
+def fix_trust_flags(service, **kwargs):
+ root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+
+ if not api.env.enable_ra:
+ root_logger.info("CA is not enabled")
+ return
+
+ if sysupgrade.get_upgrade_state(service, 'fix_trust_flags'):
+ root_logger.info("Trust flags already fixed")
+ return
+
+ db = certs.CertDB(api.env.realm, **kwargs)
+ nickname = certdb.get_ca_nickname(api.env.realm)
+ cert = db.get_cert_from_db(nickname)
+ if cert:
+ db.trust_root_cert(nickname, 'CT,C,C')
+
+ sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+
+
def main():
"""
Get some basics about the system. If getting those basics fail then
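Review bot: `fix_trust_flags` records the `fix_trust_flags` upgrade state in its final `sysupgrade.set_upgrade_state(...)` call even when `db.get_cert_from_db(nickname)` returns nothing, so a database that lacks the CA cert at upgrade time is marked fixed and is never revisited on a later run; if that is deliberate a comment should say so, otherwise move the `set_upgrade_state` call under `if cert:`. The function also has no docstring, and the `**kwargs` pass-through hides which `certs.CertDB` options callers may set. A docstring such as `"""Set the IPA CA cert's trust flags to 'CT,C,C' in the given service's NSS database; kwargs are passed to certs.CertDB (e.g. nssdir)."""` would cover both points.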
@@ -1119,7 +1139,7 @@ def main():
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
- certmap_dir = dsinstance.config_dirname(ds_serverid)
+ ds_dirname = dsinstance.config_dirname(ds_serverid)
upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
@@ -1127,7 +1147,7 @@ def main():
if subject_base:
upgrade(
sub_dict,
- os.path.join(certmap_dir, "certmap.conf"),
+ os.path.join(ds_dirname, "certmap.conf"),
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
)
upgrade_pki(ca, fstore)
@@ -1145,12 +1165,17 @@ def main():
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
+ http.stop()
+ fix_trust_flags('http')
+ http.start()
+
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
ds.stop(ds_serverid)
fix_schema_file_syntax()
remove_ds_ra_cert(subject_base)
+ fix_trust_flags('ds', nssdir=ds_dirname)
ds.start(ds_serverid)
uninstall_selfsign(ds, http)
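Review bot: The new `http.stop()` / `fix_trust_flags('http')` / `http.start()` sequence has no `try`/`finally`, so an exception raised by `fix_trust_flags` (a certutil failure or a missing database) aborts the upgrade with httpd left stopped; the new `fix_trust_flags('ds', nssdir=ds_dirname)` inserted between `ds.stop(ds_serverid)` and `ds.start(ds_serverid)` has the same exposure. Wrapping the call as `try: fix_trust_flags('http')` / `finally: http.start()` keeps the service available on failure, assuming nothing outside the hunk already restarts services on error. `main()` continues outside this hunk.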
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 997281f92..a3f692d9d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1043,10 +1043,12 @@ class CAInstance(service.Service):
(rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
if subject_dn == ca_dn:
nick = get_ca_nickname(self.realm)
+ trust_flags = 'CT,C,C'
else:
nick = str(subject_dn)
+ trust_flags = ',,'
self.__run_certutil(
- ['-A', '-t', 'CT,C,C', '-n', nick, '-a',
+ ['-A', '-t', trust_flags, '-n', nick, '-a',
'-i', chain_name]
)
finally:
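Review bot: The `trust_flags = ',,'` branch for chain members other than the IPA CA is unexplained; a reader has to know that NSS still uses untrusted certificates present in the database for path building, so only the CA itself needs explicit trust. A comment above `if subject_dn == ca_dn:` such as `# Only the IPA CA itself is trusted; other chain members are validated through it` would record that. The same pattern appears in the `load_cacert` hunk of ipaserver/install/certs.py (`tf = ',,'`) and could carry the same comment. The enclosing method starts and ends outside this hunk.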
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c9f038f56..d28f7a3c8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -203,7 +203,7 @@ class NSSDatabase(object):
root_nickname)
else:
if trust_flags is None:
- trust_flags = 'CT,CT,'
+ trust_flags = 'C,,'
try:
self.run_certutil(["-M", "-n", root_nickname,
"-t", trust_flags])
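Review bot: The `None` fallback changed here now decides the effective trust for every caller that passes `trust_flags=None` through `create_from_pkcs12` (dsinstance and httpinstance in this commit), but nothing in the hunk documents what `None` means. If the enclosing method has a docstring, add `trust_flags: NSS trust string for the root cert; None selects 'C,,' (trusted CA for SSL only)` so callers can see the default without reading the body. The enclosing method starts and ends outside this hunk.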
@@ -479,7 +479,7 @@ class CertDB(object):
"-k", self.passwd_fname])
self.set_perms(self.pk12_fname)
- def load_cacert(self, cacert_fname):
+ def load_cacert(self, cacert_fname, trust_flags='C,,'):
"""
Load all the certificates from a given file. It is assumed that
this file creates CA certificates.
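Review bot: `load_cacert` gains a `trust_flags` parameter but the docstring that starts on the line after the signature does not mention it; add `trust_flags: NSS trust string applied to the IPA CA cert (default 'C,,'); other certs in the file are stored untrusted.` The same gap applies to `create_from_pkcs12` in the hunk at `@@ -839,10 +841,10 @@`, whose parameter list documents `pkcs12_fname` but not the new `trust_flags=None`. Both docstrings continue outside their hunks.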
@@ -496,9 +496,11 @@ class CertDB(object):
(rdn, subject_dn) = get_cert_nickname(cert)
if subject_dn == ca_dn:
nick = get_ca_nickname(self.realm)
+ tf = trust_flags
else:
nick = str(subject_dn)
- self.nssdb.add_single_pem_cert(nick, "CT,,C", cert)
+ tf = ',,'
+ self.nssdb.add_single_pem_cert(nick, tf, cert)
except RuntimeError:
break
@@ -839,10 +841,10 @@ class CertDB(object):
# a new certificate database.
self.create_passwd_file(passwd)
self.create_certdbs()
- self.load_cacert(cacert_fname)
+ self.load_cacert(cacert_fname, 'CT,C,C')
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
- ca_file=None):
+ ca_file=None, trust_flags=None):
"""Create a new NSS database using the certificates in a PKCS#12 file.
pkcs12_fname: the filename of the PKCS#12 file
@@ -864,19 +866,17 @@ class CertDB(object):
raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
if ca_file:
- self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
+ self.nssdb.import_pem_cert('CA', ',,', ca_file)
# We only handle one server cert
nickname = server_certs[0][0]
- ca_names = [name for name, flags
- in self.nssdb.list_certs() if 'u' not in flags]
+ ca_names = self.find_root_cert(nickname)[:-1]
if len(ca_names) == 0:
raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
- self.cacert_name = ca_names[0]
- for ca in ca_names:
- self.trust_root_cert(ca)
+ self.cacert_name = ca_names[-1]
+ self.trust_root_cert(self.cacert_name, trust_flags)
self.create_pin_file()
self.export_ca_cert(nickname, False)
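Review bot: `self.cacert_name = ca_names[-1]` and the single `trust_root_cert` call depend on the order in which `find_root_cert` (defined outside the hunk) returns the chain: after `[:-1]` removes one end, `[-1]` picks either the root or the issuer nearest the server cert, and only that one cert receives explicit trust, where the removed loop trusted every non-`u` cert the database listed. A comment pinning the assumed order, e.g. `# find_root_cert lists the chain <ORDER — confirm against certutil -O>; drop the server cert, trust the remaining end`, would make the intent reviewable, and if the intent is to trust the root a PKCS#12 with an intermediate CA should be covered by a test. `create_from_pkcs12` continues outside this hunk.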
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2a9f3b618..e503cb220 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -625,8 +625,13 @@ class DsInstance(service.Service):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
+ if self.ca_is_configured:
+ trust_flags = 'CT,C,C'
+ else:
+ trust_flags = None
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
- ca_file=self.ca_file)
+ ca_file=self.ca_file,
+ trust_flags=trust_flags)
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
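Review bot: The CA predicate differs between the two installers: this hunk keys `trust_flags` on `self.ca_is_configured`, while the matching hunk in ipaserver/install/httpinstance.py keys it on `api.env.enable_ra` (as does `fix_trust_flags` in ipa-upgradeconfig). If the two are equivalent at install time a comment saying so would help; if they can diverge, the DS and HTTP databases end up with different trust for the same CA cert. Stylistically, both four-line `if`/`else` blocks reduce to a conditional expression, `trust_flags = 'CT,C,C' if self.ca_is_configured else None`. The enclosing method starts and ends outside this hunk.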
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3ca3bf77f..56f8a8910 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -269,8 +269,13 @@ class HTTPInstance(service.Service):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
+ if api.env.enable_ra:
+ trust_flags = 'CT,C,C'
+ else:
+ trust_flags = None
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
- passwd=None, ca_file=self.ca_file)
+ passwd=None, ca_file=self.ca_file,
+ trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])