Use NSSDatabase instead of direct certutil calls in client code

https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

2 files changed, 17 insertions, 47 deletions

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ab40cd827..22085ecfe 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -226,14 +226,6 @@ def logging_setup(options):
 def log_service_error(name, action, error):
     root_logger.error("%s failed to %s: %s", name, action, str(error))
 
-def nickname_exists(nickname):
-        (sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False)
-
-        if returncode == 0:
-            return True
-        else:
-            return False
-
 def purge_ipa_certs(additional=[]):
     filename = paths.NSSDB_IPA_TXT
     if file_exists(filename):
@@ -258,12 +250,11 @@ def purge_ipa_certs(additional=[]):
         if nickname:
             nicknames.add(nickname)
 
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
     for nickname in nicknames:
-        while nickname_exists(nickname):
+        while sys_db.has_nickname(nickname):
             try:
-                run([paths.CERTUTIL, "-D",
-                     "-d", paths.NSS_DB_DIR,
-                     "-n", nickname])
+                sys_db.delete_cert(nickname)
             except Exception, e:
                 root_logger.error(
                     "Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
@@ -2533,23 +2524,16 @@ def install(options, env, fstore, statestore):
     except ValueError:
         pass
 
-    tmp_nss_dir = tempfile.mkdtemp()
-    try:
+    with certdb.NSSDatabase() as tmp_db:
         # Add CA certs to a temporary NSS database
         try:
             pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-            run([paths.CERTUTIL, '-N',
-                 '-d', tmp_nss_dir,
-                 '-f', pwd_file.name])
+            tmp_db.create_db(pwd_file.name)
 
             ca_certs = x509.load_certificate_list_from_file(CACERT)
             ca_certs = [cert.der_data for cert in ca_certs]
             for i, cert in enumerate(ca_certs):
-                run([paths.CERTUTIL, '-A',
-                     '-d', tmp_nss_dir,
-                     '-n', 'CA certificate %d' % (i + 1),
-                     '-t', 'C,,'],
-                     stdin=cert)
+                tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
         except CalledProcessError, e:
             root_logger.info("Failed to add CA to temporary NSS database.")
             return CLIENT_INSTALL_ERROR
@@ -2557,7 +2541,7 @@ def install(options, env, fstore, statestore):
         # Now, let's try to connect to the server's RPC interface
         connected = False
         try:
-            api.Backend.rpcclient.connect(nss_dir=tmp_nss_dir)
+            api.Backend.rpcclient.connect(nss_dir=tmp_db.secdir)
             connected = True
             root_logger.debug("Try RPC connection")
             api.Backend.rpcclient.forward('ping')
@@ -2569,7 +2553,7 @@ def install(options, env, fstore, statestore):
                 "Trying with delegate=True", e)
             try:
                 api.Backend.rpcclient.connect(delegate=True,
-                                              nss_dir=tmp_nss_dir)
+                                              nss_dir=tmp_db.secdir)
                 root_logger.debug("Try RPC connection")
                 api.Backend.rpcclient.forward('ping')
 
@@ -2594,8 +2578,6 @@ def install(options, env, fstore, statestore):
             root_logger.error(
                 "Cannot connect to the server due to generic error: %s", e)
             return CLIENT_INSTALL_ERROR
-    finally:
-        shutil.rmtree(tmp_nss_dir)
 
     # Use the RPC directly so older servers are supported
     result = api.Backend.rpcclient.forward(
@@ -2622,14 +2604,10 @@ def install(options, env, fstore, statestore):
 
     # Add the CA certificates to the IPA NSS database
     root_logger.debug("Adding CA certificates to the IPA NSS database.")
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
     for cert, nickname, trust_flags in ca_certs_trust:
         try:
-            run([paths.CERTUTIL,
-                 "-A",
-                 "-d", paths.IPA_NSSDB_DIR,
-                 "-n", nickname,
-                 "-t", trust_flags],
-                stdin=cert)
+            ipa_db.add_cert(cert, nickname, trust_flags)
         except CalledProcessError, e:
             root_logger.error(
                 "Failed to add %s to the IPA NSS database.", nickname)
@@ -2653,14 +2631,10 @@ def install(options, env, fstore, statestore):
 
     root_logger.debug(
         "Attempting to add CA certificates to the default NSS database.")
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
     for cert, nickname, trust_flags in ca_certs_trust:
         try:
-            run([paths.CERTUTIL,
-                 "-A",
-                 "-d", paths.NSS_DB_DIR,
-                 "-n", nickname,
-                 "-t", trust_flags],
-                stdin=cert)
+            sys_db.add_cert(cert, nickname, trust_flags)
         except CalledProcessError, e:
             root_logger.error(
                 "Failed to add %s to the default NSS database.", nickname)
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
index 57dbf200b..f7b0e29ba 100644
--- a/ipa-client/ipaclient/ipa_certupdate.py
+++ b/ipa-client/ipaclient/ipa_certupdate.py
@@ -22,7 +22,7 @@ import tempfile
 import shutil
 
 from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
-                       certmonger)
+                       certmonger, certdb)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -72,11 +72,10 @@ class CertUpdate(admintool.AdminTool):
         self.update_file(paths.IPA_CA_CRT, certs)
         self.update_db(paths.IPA_NSSDB_DIR, certs)
 
+        sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
         for nickname in ('IPA CA', 'External CA cert'):
             try:
-                ipautil.run([paths.CERTUTIL, '-D',
-                             '-d', paths.NSS_DB_DIR,
-                             '-n', nickname])
+                sys_db.delete_cert(nickname)
             except ipautil.CalledProcessError, e:
                 pass
 
@@ -165,15 +164,12 @@ class CertUpdate(admintool.AdminTool):
             self.log.error("failed to update %s: %s", filename, e)
 
     def update_db(self, path, certs):
+        db = certdb.NSSDatabase(path)
         for cert, nickname, trusted, eku in certs:
             trust_flags = certstore.key_policy_to_trust_flags(
                 trusted, True, eku)
             try:
-                ipautil.run([paths.CERTUTIL, '-A',
-                             '-d', path,
-                             '-n', nickname,
-                             '-t', trust_flags],
-                             stdin=cert)
+                db.add_cert(cert, nickname, trust_flags)
             except ipautil.CalledProcessError, e:
                 self.log.error(
                     "failed to update %s in %s: %s", nickname, path, e)