diff options
author | Jan Cholasta <jcholast@redhat.com> | 2014-06-09 16:04:09 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17 (patch) | |
tree | d9d95c32799bc4141f2d8bcda301624be413b51d /ipaserver | |
parent | 9d4eeeda55b397237af17392f3acb9542e126145 (diff) | |
download | freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.tar.gz freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.tar.xz freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.zip |
Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 22 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 7 |
4 files changed, 26 insertions, 14 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 997281f92..a3f692d9d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1043,10 +1043,12 @@ class CAInstance(service.Service): (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25]) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) + trust_flags = 'CT,C,C' else: nick = str(subject_dn) + trust_flags = ',,' self.__run_certutil( - ['-A', '-t', 'CT,C,C', '-n', nick, '-a', + ['-A', '-t', trust_flags, '-n', nick, '-a', '-i', chain_name] ) finally: diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index c9f038f56..d28f7a3c8 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -203,7 +203,7 @@ class NSSDatabase(object): root_nickname) else: if trust_flags is None: - trust_flags = 'CT,CT,' + trust_flags = 'C,,' try: self.run_certutil(["-M", "-n", root_nickname, "-t", trust_flags]) @@ -479,7 +479,7 @@ class CertDB(object): "-k", self.passwd_fname]) self.set_perms(self.pk12_fname) - def load_cacert(self, cacert_fname): + def load_cacert(self, cacert_fname, trust_flags='C,,'): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. @@ -496,9 +496,11 @@ class CertDB(object): (rdn, subject_dn) = get_cert_nickname(cert) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) + tf = trust_flags else: nick = str(subject_dn) - self.nssdb.add_single_pem_cert(nick, "CT,,C", cert) + tf = ',,' + self.nssdb.add_single_pem_cert(nick, tf, cert) except RuntimeError: break @@ -839,10 +841,10 @@ class CertDB(object): # a new certificate database. self.create_passwd_file(passwd) self.create_certdbs() - self.load_cacert(cacert_fname) + self.load_cacert(cacert_fname, 'CT,C,C') def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None, - ca_file=None): + ca_file=None, trust_flags=None): """Create a new NSS database using the certificates in a PKCS#12 file. pkcs12_fname: the filename of the PKCS#12 file @@ -864,19 +866,17 @@ class CertDB(object): raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname) if ca_file: - self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file) + self.nssdb.import_pem_cert('CA', ',,', ca_file) # We only handle one server cert nickname = server_certs[0][0] - ca_names = [name for name, flags - in self.nssdb.list_certs() if 'u' not in flags] + ca_names = self.find_root_cert(nickname)[:-1] if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) - self.cacert_name = ca_names[0] - for ca in ca_names: - self.trust_root_cert(ca) + self.cacert_name = ca_names[-1] + self.trust_root_cert(self.cacert_name, trust_flags) self.create_pin_file() self.export_ca_cert(nickname, False) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2a9f3b618..e503cb220 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -625,8 +625,13 @@ class DsInstance(service.Service): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: + if self.ca_is_configured: + trust_flags = 'CT,C,C' + else: + trust_flags = None dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], - ca_file=self.ca_file) + ca_file=self.ca_file, + trust_flags=trust_flags) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 3ca3bf77f..56f8a8910 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -269,8 +269,13 @@ class HTTPInstance(service.Service): db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: + if api.env.enable_ra: + trust_flags = 'CT,C,C' + else: + trust_flags = None db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], - passwd=None, ca_file=self.ca_file) + passwd=None, ca_file=self.ca_file, + trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) |