From 74ba0cc7c1bdb9c560324a68c16593755bcda5d8 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 1 Nov 2010 13:51:14 -0400 Subject: Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate --- install/tools/ipa-replica-install | 2 +- install/tools/ipa-replica-prepare | 6 +++--- install/tools/ipa-server-certinstall | 2 +- install/tools/ipa-server-install | 14 ++++++++------ install/tools/man/ipa-server-install.1 | 2 +- ipa-client/ipa-install/ipa-client-install | 4 ++-- ipapython/certdb.py | 4 +++- ipaserver/install/cainstance.py | 16 ++++++++++------ ipaserver/install/certs.py | 15 ++++++++++----- ipaserver/install/dsinstance.py | 8 ++++---- ipaserver/install/httpinstance.py | 14 +++++++------- ipaserver/plugins/selfsign.py | 5 +++-- 12 files changed, 53 insertions(+), 39 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e4aae4aa3..2beadae81 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -48,7 +48,7 @@ class ReplicaConfig: self.host_name = "" self.repl_password = "" self.dir = "" - self.subject_base = "O=IPA" + self.subject_base = "" def parse_options(): usage = "%prog [options] REPLICA_FILE" diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6e9d649ae..059b011f9 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare 
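Review bot: The replaced default `self.subject_base = ""` in ReplicaConfig uses the empty string as the not-set marker, whereas the rest of this commit uses `None` for the same purpose (`subject_base=None` in CAInstance.configure_instance, `subject_base = None` in ipa-client-install). If the subject_base check in CertDB.__init__ is `is not None` rather than truthiness, an empty string would be accepted and yield a dangling subject base; I would use `self.subject_base = None` here to match the other files. That check is outside the visible hunks, so this is inferred.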
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() - db = certs.CertDB(dir, subject_base=subject_base) + db = certs.CertDB(dir, realm_name, subject_base=subject_base) db.create_passwd_file() # if self_signed: # ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) # db.create_from_cacert(ca_db.cacert_fname) # else: # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) - ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base) + ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert("Server-Cert", hostname, ca_db) except Exception, e: @@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: - db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) + db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) if db.has_nickname("ipaCert"): pkcs12_fname = "%s/ra.p12" % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index d853f7188..9d69853e5 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -89,7 +89,7 @@ def choose_server_cert(server_certs): return server_certs[num - 1] def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): - cdb = certs.CertDB(dirname) + cdb = certs.CertDB(dirname, api.env.realm) cdb.create_passwd_file(db_password) cdb.create_certdbs() [pw_fd, pw_name] = tempfile.mkstemp() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c8a17c99d..569079d5a 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -122,8 +122,8 @@ def parse_options(): help="The starting uid value (default random)") parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int, help="The starting gid value (default random)") - parser.add_option("--subject", dest="subject", default="O=IPA", - help="The certificate subject base (default O=IPA)") + parser.add_option("--subject", dest="subject", + help="The certificate subject base (default O=)") parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False, action="store_true", help="Don't install allow_all HBAC rule") @@ -402,8 +402,8 @@ def uninstall(): ntpinstance.NTPInstance(fstore).uninstall() if cainstance.CADSInstance().is_configured(): cainstance.CADSInstance().uninstall() - if cainstance.CAInstance().is_configured(): - cainstance.CAInstance().uninstall() + if cainstance.CAInstance(api.env.realm).is_configured(): + cainstance.CAInstance(api.env.realm).uninstall() bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -465,7 +465,6 @@ def main(): global fstore fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( @@ -610,6 +609,9 @@ def main(): else: realm_name = options.realm_name.upper() + if not options.subject: + options.subject = "O=%s" % realm_name + if not options.dm_password: dm_password = read_dm_password() else: @@ -689,7 +691,7 @@ def main(): if options.external_cert_file is None: cs = cainstance.CADSInstance() cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password) - ca = cainstance.CAInstance() + ca = cainstance.CAInstance(realm_name) if external == 0: ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject) elif external == 1: 
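Review bot: The new help string `help="The certificate subject base (default O=)"` is truncated and reads as a literal default of `O=`, while the man page updated in this same commit says `O=REALM.NAME`. Since the default is filled in later from `realm_name`, make the option text say so: `help="The certificate subject base (default O=<REALM>)"`.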
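Review bot: `cainstance.CAInstance(api.env.realm).is_configured()` followed by `cainstance.CAInstance(api.env.realm).uninstall()` constructs the CA instance twice, and CAInstance.__init__ calls `tempfile.mkdtemp(prefix = "tmp-")` (visible in the cainstance.py hunk), so each construction leaves a temporary directory behind. Bind it once: `ca = cainstance.CAInstance(api.env.realm)` / `if ca.is_configured():` / `ca.uninstall()`. The double construction pre-dates this commit, but the hunk rewrites both lines anyway.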
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 943a42014..0d4d8c523 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -102,7 +102,7 @@ The starting user id number (default random) The starting group id number (default random) .TP \fB\-\-subject\fR=\fISUBJECT\fR - The certificate subject base (default O=IPA) + The certificate subject base (default O=REALM.NAME) .TP \fB\-\-no_hbac_allow\fR Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 8f4b9d2bb..fa9d27566 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -521,8 +521,7 @@ def main(): cli_server = None cli_realm = None cli_basedn = None - - subject_base = "O=IPA" + subject_base = None if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: print "One of password and principal are required." @@ -597,6 +596,7 @@ def main(): cli_realm = ds.getRealmName() cli_basedn = ds.getBaseDN() + subject_base = "O=%s" % ds.getRealmName() print "Realm: "+cli_realm print "DNS Domain: "+cli_domain diff --git a/ipapython/certdb.py b/ipapython/certdb.py index a2fbb0ec3..4e838025c 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -25,7 +25,9 @@ from ipalib.compat import sha1 import shutil import os -CA_NICKNAME = "IPA CA" +CA_NICKNAME_FMT = "%s IPA CA" +def get_ca_nickname(realm, format=CA_NICKNAME_FMT): + return format % realm class CertDB(object): """ diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1998928a3..5f13b721f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
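Review bot: `subject_base = "O=%s" % ds.getRealmName()` queries the discovery object a second time for a value the line just above already stored in `cli_realm`; use `subject_base = "O=%s" % cli_realm` so the printed realm and the subject base cannot diverge. The enclosing `main` function continues outside the hunk.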
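Review bot: The new `get_ca_nickname(realm, format=CA_NICKNAME_FMT)` names its parameter `format`, shadowing the builtin, and carries no docstring although it replaces a public constant imported by three other modules in this commit. I would write `def get_ca_nickname(realm, fmt=CA_NICKNAME_FMT):` with body `return fmt % realm` and the docstring `"""Return the NSS nickname of the IPA CA certificate for *realm*."""`. Removing `CA_NICKNAME` outright breaks any other importer at import time; if that is intended, the commit message should say so.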
@@ -36,7 +36,7 @@ import urllib import xml.dom.minidom import stat from ipapython import dogtag -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname from ipalib import pkcs10 import subprocess @@ -365,8 +365,9 @@ class CAInstance(service.Service): 2 = have signed cert, continue installation """ - def __init__(self): + def __init__(self, realm): service.Service.__init__(self, "pki-cad") + self.realm = realm self.pki_user = "pkiuser" self.dm_password = None self.admin_password = None @@ -382,7 +383,7 @@ class CAInstance(service.Service): # The same database is used for mod_nss because the NSS context # will already have been initialized by Apache by the time # mod_python wants to do things. - self.canickname = CA_NICKNAME + self.canickname = get_ca_nickname(realm) self.basedn = "o=ipaca" self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-") self.ra_agent_db = "/etc/httpd/alias" @@ -400,7 +401,7 @@ class CAInstance(service.Service): admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, - subject_base="O=IPA"): + subject_base=None): """Create a CA instance. This may involve creating the pki-ca instance dogtag instance. @@ -420,7 +421,10 @@ class CAInstance(service.Service): if self.pkcs12_info is not None: self.clone = True self.master_host = master_host - self.subject_base = subject_base + if subject_base is None: + self.subject_base = "O=%s" % self.realm + else: + self.subject_base = subject_base # Determine if we are installing as an externally-signed CA and # what stage we're in. @@ -1000,5 +1004,5 @@ if __name__ == "__main__": installutils.standard_logging_setup("install.log", False) cs = CADSInstance() cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password") - ca = CAInstance() + ca = CAInstance("EXAMPLE.COM") ca.configure_instance("pkiuser", "catest.example.com", "password", "password") 
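Review bot: The fallback `self.subject_base = "O=%s" % self.realm` is not reflected in configure_instance's docstring, whose visible portion only says "Create a CA instance" and does not mention that `subject_base=None` now derives the base from the realm passed to `__init__`. Add a line to that docstring such as `subject_base: DN suffix for issued certificates; defaults to "O=<realm>" when None.` The docstring and the remainder of configure_instance continue outside the hunk.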
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 4f8b4e708..d4728b80e 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -33,7 +33,7 @@ from ipapython import dogtag from ipapython import sysrestore from ipapython import ipautil from ipapython import certmonger -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname from ipalib import pkcs10 from ConfigParser import RawConfigParser, MissingSectionHeaderError import service @@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO): return str(serial) class CertDB(object): - def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None): + def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None): self.secdir = nssdir + self.realm = realm self.noise_fname = self.secdir + "/noise.txt" self.passwd_fname = self.secdir + "/pwdfile.txt" @@ -191,7 +192,7 @@ class CertDB(object): else: self.subject_format = "CN=%s,O=IPA" - self.cacert_name = CA_NICKNAME + self.cacert_name = get_ca_nickname(self.realm) self.valid_months = "120" self.keysize = "1024" @@ -345,10 +346,11 @@ class CertDB(object): def create_ca_cert(self): os.chdir(self.secdir) + subject = "cn=%s Certificate Authority" % self.realm p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, "-S", "-n", self.cacert_name, - "-s", "cn=IPA Test Certificate Authority", + "-s", subject, "-x", "-t", "CT,,C", "-1", @@ -853,7 +855,10 @@ class CertDB(object): else: raise RuntimeError("unknown error import pkcs#12 file") - def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME): + def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None): + if nickname is None: + nickname = get_ca_nickname(api.env.realm) + ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, "-o", pkcs12_fname, "-n", nickname, diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 89613bc31..48b6f551e 100644 
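Review bot: The `else:` branch just above `self.cacert_name = get_ca_nickname(self.realm)` still hard-codes `self.subject_format = "CN=%s,O=IPA"`, so a CertDB created without an explicit subject_base keeps issuing certificates under `O=IPA` while the CA nickname and every other default in this commit now use the realm. Since the instance now has `self.realm`, the fallback should be `self.subject_format = "CN=%%s,O=%s" % self.realm`. The `if` branch of this conditional is outside the hunk, so I cannot see whether it already handles the None case differently.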
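Review bot: `nickname = get_ca_nickname(api.env.realm)` in export_pkcs12 reads the realm from the global `api` although the CertDB instance now carries `self.realm`, and the import hunk of this file adds no `from ipalib import api` (unlike httpinstance.py and selfsign.py in the same commit). Unless `api` is already imported elsewhere in certs.py, this raises NameError the first time the default is used; either way `nickname = get_ca_nickname(self.realm)` is the consistent choice and keeps CertDB independent of api bootstrap state.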
--- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -404,7 +404,7 @@ class DsInstance(service.Service): def __enable_ssl(self): dirname = config_dirname(self.serverid) - dsdb = certs.CertDB(dirname, subject_base=self.subject_base) + dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) if self.pkcs12_info: dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) server_certs = dsdb.find_server_certs() @@ -416,7 +416,7 @@ class DsInstance(service.Service): self.dercert = dsdb.get_cert_from_db(nickname) else: nickname = "Server-Cert" - cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base) + cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) if self.self_signed_ca: cadb.create_self_signed() dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) @@ -529,7 +529,7 @@ class DsInstance(service.Service): # drop the trailing / off the config_dirname so the directory # will match what is in certmonger dirname = config_dirname(serverid)[:-1] - dsdb = certs.CertDB(dirname) + dsdb = certs.CertDB(dirname, self.realm_name) dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) @@ -571,7 +571,7 @@ class DsInstance(service.Service): self.stop() dirname = config_dirname(realm_to_serverid(self.realm_name)) - certdb = certs.CertDB(dirname, subject_base=self.subject_base) + certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) if not cacert_name or len(cacert_name) == 0: cacert_name = "Imported CA" # we can't pass in the nickname, so we set the instance variable diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 13d7a6601..f55995b19 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
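Review bot: `dsdb = certs.CertDB(dirname, self.realm_name)` sits in what appears to be the uninstall path (it is followed by `erase_ds_instance_data(serverid)`), and the same commit switches HTTPInstance's uninstall to `api.env.realm` instead of the instance attribute, presumably because the instance is constructed without a realm there. If DsInstance is likewise built as `DsInstance(fstore)` during uninstall, `self.realm_name` is unset and the CA nickname computed in CertDB.__init__ becomes `None IPA CA`. Worth confirming how the uninstall constructor is invoked; `certs.CertDB(dirname, api.env.realm)` would match httpinstance.py. The enclosing method starts outside the hunk.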
@@ -30,7 +30,7 @@ import dsinstance import installutils from ipapython import sysrestore from ipapython import ipautil -from ipalib import util +from ipalib import util, api HTTPD_DIR = "/etc/httpd" SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" @@ -164,10 +164,10 @@ class HTTPInstance(service.Service): def __setup_ssl(self): if self.self_signed_ca: - ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) else: - ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base) - db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base) + db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) if self.pkcs12_info: db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="") server_certs = db.find_server_certs() @@ -223,7 +223,7 @@ class HTTPInstance(service.Service): prefs_fd.close() # The signing cert is generated in __setup_ssl - db = certs.CertDB(NSS_DIR, subject_base=self.subject_base) + db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) pwdfile = open(db.passwd_fname) pwd = pwdfile.read() @@ -238,7 +238,7 @@ class HTTPInstance(service.Service): shutil.rmtree(tmpdir) def __publish_ca_cert(self): - ca_db = certs.CertDB(NSS_DIR) + ca_db = certs.CertDB(NSS_DIR, self.realm) shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt") os.chmod("/usr/share/ipa/html/ca.crt", 0444) @@ -252,7 +252,7 @@ class HTTPInstance(service.Service): if not running is None: self.stop() - db = certs.CertDB(NSS_DIR) + db = certs.CertDB(NSS_DIR, api.env.realm) db.untrack_server_cert("Server-Cert") if not enabled is None and not enabled: self.chkconfig_off() diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py index 9943f73d2..741fb0dc4 100644 --- a/ipaserver/plugins/selfsign.py +++ b/ipaserver/plugins/selfsign.py 
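Review bot: `db = certs.CertDB(NSS_DIR, api.env.realm)` in uninstall takes the realm from the global api while the other four CertDB calls in this file use `self.realm`, and nothing in the hunk says why. If the reason is that uninstall runs on an `HTTPInstance(fstore)` whose realm was never set (as the uninstall() hunk in ipa-server-install suggests), record it on the line: `# uninstall() runs on an instance with no realm set; take it from the api env`. Otherwise prefer `self.realm` for consistency with __setup_ssl and __publish_ca_cert.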
@@ -39,7 +39,7 @@ from ipalib import Backend from ipalib import errors from ipalib import x509 from ipalib import pkcs10 -from ipapython.certdb import CA_NICKNAME +from ipapython.certdb import get_ca_nickname import subprocess import os import re @@ -47,6 +47,7 @@ from ipaserver.plugins import rabase from ipaserver.install import certs import tempfile from ipalib import _ +from ipalib import api from ipalib.plugins.cert import get_csr_hostname from nss.error import NSPRError @@ -157,7 +158,7 @@ class ra(rabase.rabase): "/usr/bin/certutil", "-C", "-d", self.sec_dir, - "-c", CA_NICKNAME, + "-c", get_ca_nickname(api.env.realm), "-i", csr_name, "-o", cert_name, "-m", str(serialno), -- cgit