authorRob Crittenden <rcritten@redhat.com>2011-06-08 10:54:41 -0400
committerRob Crittenden <rcritten@redhat.com>2011-06-21 19:09:50 -0400
commitdd69c7dbe68e8f8674994a54ea913f2dd2e52c32 (patch)
tree5fdc303354eb26a1d2cd206c81babdc73e8d51b9 /ipaserver
parent3a36eced53e540fe8f2b23eadf7dffda080324de (diff)
Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py14
-rw-r--r--ipaserver/install/certs.py17
-rw-r--r--ipaserver/install/dsinstance.py4
-rw-r--r--ipaserver/install/httpinstance.py2
-rw-r--r--ipaserver/install/service.py14
5 files changed, 23 insertions, 28 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 30aa9f5..001e6eb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -38,7 +38,7 @@ import stat
import socket
from ipapython import dogtag
from ipapython.certdb import get_ca_nickname
-from ipalib import pkcs10
+from ipalib import pkcs10, x509
import subprocess
from nss.error import NSPRError
@@ -322,7 +322,7 @@ class CADSInstance(service.Service):
# We only handle one server cert
self.nickname = server_certs[0][0]
- self.dercert = dsdb.get_cert_from_db(self.nickname)
+ self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname)
def create_certdb(self):
@@ -721,13 +721,6 @@ class CAInstance(service.Service):
# TODO: roll back here?
logging.critical("Failed to restart the certificate server. See the installation log for details.")
- def __get_agent_cert(self, nickname):
- args = ["/usr/bin/certutil", "-L", "-d", self.ca_agent_db, "-n", nickname, "-a"]
- (out, err, returncode) = ipautil.run(args)
- out = out.replace('-----BEGIN CERTIFICATE-----', '')
- out = out.replace('-----END CERTIFICATE-----', '')
- return out
-
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
(admin_fd, admin_name) = tempfile.mkstemp()
@@ -801,8 +794,7 @@ class CAInstance(service.Service):
self.ra_cert = outputList['b64_cert']
self.ra_cert = self.ra_cert.replace('\\n','')
- self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','')
- self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','')
+ self.ra_cert = x509.strip_header(self.ra_cert)
# Add the new RA cert to the database in /etc/httpd/alias
(agent_fd, agent_name) = tempfile.mkstemp()
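Review bot: In the CADSInstance hunk, `self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)` never checks the result, yet the certs.py hunk of this same commit shows get_cert_from_db returning '' when certutil fails, so an empty string would be tracked as the server certificate and later handed straight to the MOD_ADD in Service.add_cert_to_service, which this commit also strips of its old conversion block. A guard before track_server_cert, `if not self.dercert: raise RuntimeError("no certificate found for nickname %s" % self.nickname)`, would turn a silent misconfiguration into an install-time error. The same unchecked assignment appears in the dsinstance.py and httpinstance.py hunks. The enclosing methods start before and end after their hunks.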
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index da89370..07dda2c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -432,11 +432,22 @@ class CertDB(object):
except RuntimeError:
break
- def get_cert_from_db(self, nickname):
+ def get_cert_from_db(self, nickname, pem=True):
+ """
+ Retrieve a certificate from the current NSS database for nickname.
+
+ pem controls whether the value returned PEM or DER-encoded. The
+ default is the data straight from certutil -a.
+ """
try:
args = ["-L", "-n", nickname, "-a"]
(cert, err, returncode) = self.run_certutil(args)
- return cert
+ if pem:
+ return cert
+ else:
+ (cert, start) = find_cert_from_txt(cert, start=0)
+ dercert = base64.b64decode(cert)
+ return dercert
except ipautil.CalledProcessError:
return ''
@@ -501,6 +512,8 @@ class CertDB(object):
that will issue our cert.
You can override the certificate Subject by specifying a subject.
+
+ Returns a certificate in DER format.
"""
cdb = other_certdb
if not cdb:
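Review bot: The new DER branch of get_cert_from_db is only protected by `except ipautil.CalledProcessError`, but `find_cert_from_txt(cert, start=0)` and `base64.b64decode(cert)` can fail on certutil output that carries no PEM block or malformed base64 — the `except RuntimeError` just above the hunk suggests find_cert_from_txt signals a missing block that way — so with pem=False a bad database would now raise out of the method instead of yielding the '' callers are told to expect. Either widen the handler, `except (ipautil.CalledProcessError, RuntimeError):`, or state in the docstring that the DER path can raise. The docstring also drops a word; it should read `pem controls whether the value returned is PEM or DER-encoded.` Whether base64 and find_cert_from_txt are already in scope in certs.py is not visible from this hunk.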
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 845e1e2..574a5af 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -379,7 +379,7 @@ class DsInstance(service.Service):
logging.debug("completed creating ds instance")
except ipautil.CalledProcessError, e:
logging.critical("failed to restart ds instance %s" % e)
-
+
# check for open port 389 from now on
self.open_ports.append(389)
@@ -517,7 +517,7 @@ class DsInstance(service.Service):
# We only handle one server cert
nickname = server_certs[0][0]
- self.dercert = dsdb.get_cert_from_db(nickname)
+ self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname)
else:
nickname = "Server-Cert"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e53c01e..26fde51 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -185,7 +185,7 @@ class HTTPInstance(service.Service):
db.create_password_conf()
# We only handle one server cert
nickname = server_certs[0][0]
- self.dercert = db.get_cert_from_db(nickname)
+ self.dercert = db.get_cert_from_db(nickname, pem=False)
db.track_server_cert(nickname, self.principal, db.passwd_fname)
self.__set_mod_nss_nickname(nickname)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index d8d04e7..efbb2c9 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -94,6 +94,7 @@ class Service(object):
self.realm = None
self.suffix = None
self.principal = None
+ self.dercert = None
def ldap_connect(self):
self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
@@ -192,23 +193,12 @@ class Service(object):
"""
Add a certificate to a service
- This should be passed in DER format but we'll be nice and convert
- a base64-encoded cert if needed (like when we add certs that come
- from PKCS#12 files.)
+ This server cert should be in DER format.
"""
if not self.admin_conn:
self.ldap_connect()
- try:
- s = self.dercert.find('-----BEGIN CERTIFICATE-----')
- if s > -1:
- e = self.dercert.find('-----END CERTIFICATE-----')
- s = s + 27
- self.dercert = self.dercert[s:e]
- self.dercert = base64.b64decode(self.dercert)
- except Exception:
- pass
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)]
try: