-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 10 | ||||
-rw-r--r-- | ipalib/x509.py | 33 |
2 files changed, 30 insertions, 13 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index bd299f9ba..f068c9d34 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -48,6 +48,7 @@ try:
 from ipapython.dn import DN
 from ipapython.ssh import SSHPublicKey
 from ipalib.rpc import delete_persistent_client_session_data
+ import nss.nss as nss
 import SSSDConfig
 from ConfigParser import RawConfigParser
 from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
@@ -77,10 +78,15 @@ def parse_options():
 if not os.path.isabs(value):
 raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
+ initialized = nss.nss_is_initialized()
 try:
 cert = x509.load_certificate_from_file(value)
 except Exception, e:
 raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
+ else:
+ del(cert)
+ if not initialized:
+ nss.nss_shutdown()
 parser.values.ca_cert_file = value
@@ -1372,6 +1378,8 @@ def get_ca_cert_from_file(url):
 except Exception, e:
 raise errors.FileError(reason = u"cannot write certificate file '%s': %s" % (CACERT, e))
+ else:
+ del(cert)
 def get_ca_cert_from_http(url, ca_file, warn=True):
 '''
@@ -1478,6 +1486,8 @@ def validate_new_ca_cert(existing_ca_cert, ca_file, ask, override=False):
 root_logger.debug(
 "Existing CA cert and Retrieved CA cert are identical")
 os.remove(ca_file)
+ del(existing_ca_cert)
+ del(new_ca_cert)
 def get_ca_cert(fstore, options, server, basedn):
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f8a13577b..4f81fb59a 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
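Review bot: The `del(cert)` in the new `else:` branch of the CA-cert option check reads as dead code without a note, because the only thing that depends on it is the `nss.nss_shutdown()` two lines below: presumably the local reference has to be gone first because NSS will not shut down while an NSS-backed object is still alive, and that release is immediate only under CPython's reference counting. I would put `# drop the last NSS object first: nss_shutdown() fails while NSS objects are still alive` above `del(cert)`. The `except` path leaves NSS initialised if `load_certificate_from_file` failed after initialising it; that is harmless here only because the `OptionValueError` ends option parsing, so if this check is ever made non-fatal the conditional shutdown belongs in a `finally:`. The enclosing function starts before the hunk.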
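Review bot: `del(existing_ca_cert)` at the end of validate_new_ca_cert only unbinds the callee's parameter name; the caller that passed `existing_ca_cert` still holds its own reference, so this line cannot release the NSS object or make a later `nss.nss_shutdown()` safe — that release has to happen in the caller's frame (get_ca_cert, whose signature follows, is the likely one, but its body is outside the hunk). `del(new_ca_cert)` is fine if `new_ca_cert` is a local of this function, which the hunk does not show. Both `del`s also run only on the fall-through path after `os.remove(ca_file)`; any earlier `return` in the function, which I cannot see, skips them. The enclosing function starts before the hunk.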
@@ -91,18 +91,18 @@ def load_certificate(data, datatype=PEM, dbdir=None):
 data = strip_header(data)
 data = base64.b64decode(data)
- if dbdir is None:
- if 'in_tree' in api.env:
- if api.env.in_tree:
- dbdir = api.env.dot_ipa + os.sep + 'alias'
+ if not nss.nss_is_initialized():
+ if dbdir is None:
+ if 'in_tree' in api.env:
+ if api.env.in_tree:
+ dbdir = api.env.dot_ipa + os.sep + 'alias'
+ else:
+ dbdir = "/etc/httpd/alias"
+ nss.nss_init(dbdir)
 else:
- dbdir = "/etc/httpd/alias"
- nss.nss_init(dbdir)
+ nss.nss_init_nodb()
 else:
- nss.nss_init_nodb()
- else:
- nss.nss_init(dbdir)
-
+ nss.nss_init(dbdir)
 return nss.Certificate(buffer(data))
@@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None):
 """
 nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.subject
+ subject = nsscert.subject
+ del(nsscert)
+ return subject
 def get_issuer(certificate, datatype=PEM, dbdir=None):
 """
@@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None):
 """
 nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.issuer
+ issuer = nsscert.issuer
+ del(nsscert)
+ return issuer
 def get_serial_number(certificate, datatype=PEM, dbdir=None):
 """
 Return the decimal value of the serial number.
 """
 nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.serial_number
+ serial_number = nsscert.serial_number
+ del(nsscert)
+ return serial_number
 def make_pem(data):
 """
@@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert):
 nsscert = load_certificate(dercert, datatype=DER)
 subject = str(nsscert.subject)
 issuer = str(nsscert.issuer)
+ del(nsscert)
 # Handle both supported forms of issuer, from selfsign and dogtag.
 if (not valid_issuer(issuer)):
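Review bot: The new `if not nss.nss_is_initialized():` guard in load_certificate silently ignores an explicit `dbdir` whenever NSS was already initialised earlier in the process — including by `nss_init_nodb()` — so a caller asking for a specific certificate database gets no error and its certificate is handled against whatever database, or no database, the first initialiser chose. NSS initialisation is process-global, so this cannot be fixed inside the function, but it should not be silent: I would add `# NSS init is process-global: if NSS is already up, dbdir is ignored and the earlier database (possibly none) stays in effect` above the guard, and consider logging or raising when `dbdir is not None` and NSS is already initialised. Whether `nss.Certificate(buffer(data))` or its callers depend on a database being present I cannot tell from the hunk. The enclosing function starts before the hunk.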
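Review bot: Dropping `nsscert` before `return subject` in get_subject releases the certificate, but the value handed back is whatever `nsscert.subject` is; if that is itself an NSS-backed object (python-nss returns a DN object rather than a str, as far as I recall — not visible here) the caller now holds the reference that keeps NSS busy, and an `nss_shutdown()` there will still fail until it is released. A one-line comment would stop the next reader assuming the helper leaves nothing behind: `# nsscert is released here, but the returned subject may still be an NSS object the caller must drop before nss_shutdown()`. The same applies to get_issuer in the following hunk; get_serial_number, whose docstring says it returns a decimal value, is presumably unaffected.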