From a2a3782efb386f18689faf35a069c4da1085e87d Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 26 Apr 2011 16:45:19 -0400 Subject: Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134 --- ipalib/plugins/host.py | 7 +++++++ ipalib/plugins/service.py | 27 +++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) (limited to 'ipalib/plugins') diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 29f659f9c..5d6a23f42 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -85,6 +85,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate +from ipalib.plugins.service import verify_cert_subject from ipalib.plugins.dns import dns_container_exists, _record_types from ipalib.plugins.dns import add_forward_record from ipalib import _, ngettext @@ -400,6 +401,11 @@ class host_add(LDAPCreate): # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) del entry_attrs['random'] + cert = options.get('usercertificate') + if cert: + cert = normalize_certificate(cert) + verify_cert_subject(ldap, keys[-1], cert) + entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn return dn @@ -600,6 +606,7 @@ class host_mod(LDAPUpdate): entry_attrs['objectclass'] = obj_classes cert = normalize_certificate(entry_attrs.get('usercertificate')) if cert: + verify_cert_subject(ldap, keys[-1], cert) (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) if 'usercertificate' in entry_attrs_old: oldcert = normalize_certificate(entry_attrs_old.get('usercertificate')[0]) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 2f47e065d..85956272b 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -206,6 +206,25 @@ def normalize_certificate(cert): return cert +def verify_cert_subject(ldap, hostname, cert): + """ + Verify that the certificate issuer we're adding matches the issuer + base of our installation. + + This assumes the certificate has already been normalized. + + This raises an exception on errors and returns nothing otherwise. + """ + cert = x509.load_certificate(cert, datatype=x509.DER) + subject = str(cert.subject) + issuer = str(cert.issuer) + + # Handle both supported forms of issuer, from selfsign and dogtag. + if ((issuer != 'CN=%s Certificate Authority' % api.env.realm) and + (issuer != 'CN=Certificate Authority,O=%s' % api.env.realm)): + raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ + {'issuer' : issuer}) + def set_certificate_attrs(entry_attrs): """ Set individual attributes from some values from a certificate. @@ -342,7 +361,9 @@ class service_add(LDAPCreate): cert = options.get('usercertificate') if cert: - entry_attrs['usercertificate'] = normalize_certificate(cert) + cert = normalize_certificate(cert) + verify_cert_subject(ldap, hostname, cert) + entry_attrs['usercertificate'] = cert if not options.get('force', False): # We know the host exists if we've gotten this far but we @@ -406,9 +427,11 @@ class service_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'usercertificate' in options: + (service, hostname, realm) = split_principal(keys[-1]) cert = options.get('usercertificate') - cert = normalize_certificate(cert) if cert: + cert = normalize_certificate(cert) + verify_cert_subject(ldap, hostname, cert) (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) if 'usercertificate' in entry_attrs_old: # FIXME: what to do here? do we revoke the old cert? -- cgit