diff options
| author | Simo Sorce <ssorce@redhat.com> | 2010-11-01 13:51:14 -0400 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2010-11-18 15:09:31 -0500 |
| commit | 74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (patch) | |
| tree | 13165adebe5ee440606b76e735e49787fb94657a /ipaserver | |
| parent | 775fc23738d8a882bdd9cff9064b50594901e518 (diff) | |
| download | freeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.tar.gz freeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.tar.xz freeipa-74ba0cc7c1bdb9c560324a68c16593755bcda5d8.zip | |
Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/install/cainstance.py | 16 | ||||
| -rw-r--r-- | ipaserver/install/certs.py | 15 | ||||
| -rw-r--r-- | ipaserver/install/dsinstance.py | 8 | ||||
| -rw-r--r-- | ipaserver/install/httpinstance.py | 14 | ||||
| -rw-r--r-- | ipaserver/plugins/selfsign.py | 5 |
5 files changed, 34 insertions, 24 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1998928a3..5f13b721f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -36,7 +36,7 @@ import urllib import xml.dom.minidom import stat from ipapython import dogtag -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname from ipalib import pkcs10 import subprocess @@ -365,8 +365,9 @@ class CAInstance(service.Service): 2 = have signed cert, continue installation """ - def __init__(self): + def __init__(self, realm): service.Service.__init__(self, "pki-cad") + self.realm = realm self.pki_user = "pkiuser" self.dm_password = None self.admin_password = None @@ -382,7 +383,7 @@ class CAInstance(service.Service): # The same database is used for mod_nss because the NSS context # will already have been initialized by Apache by the time # mod_python wants to do things. - self.canickname = CA_NICKNAME + self.canickname = get_ca_nickname(realm) self.basedn = "o=ipaca" self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-") self.ra_agent_db = "/etc/httpd/alias" @@ -400,7 +401,7 @@ class CAInstance(service.Service): admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, - subject_base="O=IPA"): + subject_base=None): """Create a CA instance. This may involve creating the pki-ca instance dogtag instance. @@ -420,7 +421,10 @@ class CAInstance(service.Service): if self.pkcs12_info is not None: self.clone = True self.master_host = master_host - self.subject_base = subject_base + if subject_base is None: + self.subject_base = "O=%s" % self.realm + else: + self.subject_base = subject_base # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -1000,5 +1004,5 @@ if __name__ == "__main__": installutils.standard_logging_setup("install.log", False) cs = CADSInstance() cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password") - ca = CAInstance() + ca = CAInstance("EXAMPLE.COM") ca.configure_instance("pkiuser", "catest.example.com", "password", "password") diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 4f8b4e708..d4728b80e 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -33,7 +33,7 @@ from ipapython import dogtag from ipapython import sysrestore from ipapython import ipautil from ipapython import certmonger -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname from ipalib import pkcs10 from ConfigParser import RawConfigParser, MissingSectionHeaderError import service @@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO): return str(serial) class CertDB(object): - def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None): + def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None): self.secdir = nssdir + self.realm = realm self.noise_fname = self.secdir + "/noise.txt" self.passwd_fname = self.secdir + "/pwdfile.txt" @@ -191,7 +192,7 @@ class CertDB(object): else: self.subject_format = "CN=%s,O=IPA" - self.cacert_name = CA_NICKNAME + self.cacert_name = get_ca_nickname(self.realm) self.valid_months = "120" self.keysize = "1024" @@ -345,10 +346,11 @@ class CertDB(object): def create_ca_cert(self): os.chdir(self.secdir) + subject = "cn=%s Certificate Authority" % self.realm p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, "-S", "-n", self.cacert_name, - "-s", "cn=IPA Test Certificate Authority", + "-s", subject, "-x", "-t", "CT,,C", "-1", @@ -853,7 +855,10 @@ class CertDB(object): else: raise RuntimeError("unknown error import pkcs#12 file") - def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME): + def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None): + if nickname is None: + nickname = get_ca_nickname(api.env.realm) + ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, "-o", pkcs12_fname, "-n", nickname, diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 89613bc31..48b6f551e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -404,7 +404,7 @@ class DsInstance(service.Service): def __enable_ssl(self): dirname = config_dirname(self.serverid) - dsdb = certs.CertDB(dirname, subject_base=self.subject_base) + dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) if self.pkcs12_info: dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) server_certs = dsdb.find_server_certs() @@ -416,7 +416,7 @@ class DsInstance(service.Service): self.dercert = dsdb.get_cert_from_db(nickname) else: nickname = "Server-Cert" - cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base) + cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) if self.self_signed_ca: cadb.create_self_signed() dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) @@ -529,7 +529,7 @@ class DsInstance(service.Service): # drop the trailing / off the config_dirname so the directory # will match what is in certmonger dirname = config_dirname(serverid)[:-1] - dsdb = certs.CertDB(dirname) + dsdb = certs.CertDB(dirname, self.realm_name) dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) @@ -571,7 +571,7 @@ class DsInstance(service.Service): self.stop() dirname = config_dirname(realm_to_serverid(self.realm_name)) - certdb = certs.CertDB(dirname, subject_base=self.subject_base) + certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) if not cacert_name or len(cacert_name) == 0: cacert_name = "Imported CA" # we can't pass in the nickname, so we set the instance variable diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 13d7a6601..f55995b19 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -30,7 +30,7 @@ import dsinstance import installutils from ipapython import sysrestore from ipapython import ipautil -from ipalib import util +from ipalib import util, api HTTPD_DIR = "/etc/httpd" SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" @@ -164,10 +164,10 @@ class HTTPInstance(service.Service): def __setup_ssl(self): if self.self_signed_ca: - ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) else: - ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base) - db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base) + db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) if self.pkcs12_info: db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="") server_certs = db.find_server_certs() @@ -223,7 +223,7 @@ class HTTPInstance(service.Service): prefs_fd.close() # The signing cert is generated in __setup_ssl - db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) pwdfile = open(db.passwd_fname) pwd = pwdfile.read() @@ -238,7 +238,7 @@ class HTTPInstance(service.Service): shutil.rmtree(tmpdir) def __publish_ca_cert(self): - ca_db = certs.CertDB(NSS_DIR) + ca_db = certs.CertDB(NSS_DIR, self.realm) shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt") os.chmod("/usr/share/ipa/html/ca.crt", 0444) @@ -252,7 +252,7 @@ class HTTPInstance(service.Service): if not running is None: self.stop() - db = certs.CertDB(NSS_DIR) + db = certs.CertDB(NSS_DIR, api.env.realm) db.untrack_server_cert("Server-Cert") if not enabled is None and not enabled: self.chkconfig_off() diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py index 9943f73d2..741fb0dc4 100644 --- a/ipaserver/plugins/selfsign.py +++ b/ipaserver/plugins/selfsign.py @@ -39,7 +39,7 @@ from ipalib import Backend from ipalib import errors from ipalib import x509 from ipalib import pkcs10 -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname import subprocess import os import re @@ -47,6 +47,7 @@ from ipaserver.plugins import rabase from ipaserver.install import certs import tempfile from ipalib import _ +from ipalib import api from ipalib.plugins.cert import get_csr_hostname from nss.error import NSPRError @@ -157,7 +158,7 @@ class ra(rabase.rabase): "/usr/bin/certutil", "-C", "-d", self.sec_dir, - "-c", CA_NICKNAME, + "-c", get_ca_nickname(api.env.realm), "-i", csr_name, "-o", cert_name, "-m", str(serialno), |