author | Jan Cholasta <jcholast@redhat.com> | 2013-09-25 08:33:35 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2013-10-04 10:27:23 +0200 |
commit | c123264ac77cd533a08978909f837c8f4d3e224e (patch) | |
tree | 965318ce39f7dcec2ff871b0fed07b810f2145d2 /install/tools/ipa-replica-install | |
parent | 46b358811210ecb83e5ea092d0d0554c923b9823 (diff) | |
Read passwords from stdin when importing PKCS#12 files with pk12util.
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with an empty password.
https://fedorahosted.org/freeipa/ticket/3897
Diffstat (limited to 'install/tools/ipa-replica-install')
-rwxr-xr-x | install/tools/ipa-replica-install | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2a88c1021..5e6941402 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -149,16 +149,31 @@ def set_owner(config, dir):
pw = pwd.getpwnam(dsinstance.DS_USER)
os.chown(dir, pw.pw_uid, pw.pw_gid)
+
+def make_pkcs12_info(directory, cert_name, password_name):
+ """Make pkcs12_info
+
+ :param directory: Base directory (config.dir)
+ :param cert_name: Cert filename (e.g. "dscert.p12")
+ :param password_name: Cert filename (e.g. "dirsrv_pin.txt")
+ :return: a (full cert path, password) tuple, or None if cert is not found
+ """
+ cert_path = os.path.join(directory, cert_name)
+ if ipautil.file_exists(cert_path):
+ password_file = os.path.join(directory, password_name)
+ password = open(password_file).read().strip()
+ return cert_path, password
+ else:
+ return None
+
+
def install_replica_ds(config):
dsinstance.check_ports()
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
- pkcs12_info = None
- if ipautil.file_exists(config.dir + "/dscert.p12"):
- pkcs12_info = (config.dir + "/dscert.p12",
- config.dir + "/dirsrv_pin.txt")
+ pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt")
ds = dsinstance.DsInstance()
ds.create_replica(
@@ -178,10 +193,8 @@ def install_krb(config, setup_pkinit=False):
krb = krbinstance.KrbInstance()
#pkinit files
- pkcs12_info = None
- if ipautil.file_exists(config.dir + "/pkinitcert.p12"):
- pkcs12_info = (config.dir + "/pkinitcert.p12",
- config.dir + "/pkinit_pin.txt")
+ pkcs12_info = make_pkcs12_info(config.dir, "pkinitcert.p12",
+ "pkinit_pin.txt")
krb.create_replica(config.realm_name, config.master_host_name, config.host_name,
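Review bot: In make_pkcs12_info the pin file is read with `open(password_file).read().strip()`, which never closes the handle and leaves the missing-pin-file path undocumented: if the .p12 exists but the pin file does not, `open` raises IOError with a bare traceback partway through replica install, which the docstring's "None if cert is not found" does not cover. Use `with open(password_file) as f:` / `password = f.read().strip()` and either state the IOError under `:return:`/`:raises:` or check `ipautil.file_exists(password_file)` first and raise a clearer error. The `:param password_name:` line is a copy of the cert line and should read `:param password_name: Password filename (e.g. "dirsrv_pin.txt")`. Note also that `.strip()` removes all leading and trailing whitespace from the password itself rather than only the trailing newline, so a pin that previously worked when pk12util read the file directly may no longer match; if that is not intended, `rstrip("\n")` is the narrower choice — worth confirming against how pk12util handled the file before. The install_krb hunk below and the install_http hunk both only swap in the same helper call, so they need no separate change once the helper is fixed.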
@@ -206,10 +219,7 @@ def install_http(config, auto_redirect):
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
- pkcs12_info = None
- if ipautil.file_exists(config.dir + "/httpcert.p12"):
- pkcs12_info = (config.dir + "/httpcert.p12",
- config.dir + "/http_pin.txt")
+ pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) |