authorAde Lee <alee@redhat.com>2015-07-28 14:58:00 -0400
committerAde Lee <alee@redhat.com>2015-07-28 18:47:21 -0400
commitbecc7fdd56407941d47bfc6281b5c90bfdae5fa9 (patch)
tree642ca9cc88449f8bc21bbbc66ad4ab495017e2ec
parentff0cb61874b26b1e4e4c55623324cb3097a42912 (diff)
Remove noise file generation code
The noise file does not actually need to contain random data, because NSS does not actually use it. Certutil still needs the file, though, so we put dummy data in there. This avoids potential problems with the random() method used and also issues like BZ 1244382
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py71
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py12
2 files changed, 19 insertions, 64 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 5bc4ffab8..b02333d54 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -25,12 +25,10 @@ import errno
import sys
import os
import fileinput
-import random
import re
import requests.exceptions
import shutil
from shutil import Error, WindowsError
-import string
import subprocess
import time
import types
@@ -1811,63 +1809,6 @@ class File:
raise
return
- def generate_noise_file(
- self, name, random_bytes, uid=None, gid=None,
- perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
- acls=None, critical_failure=True):
- try:
- if not os.path.exists(name):
- # generating noise file called <name> and
- # filling it with <random_bytes> random bytes
- config.pki_log.info(
- log.PKIHELPER_NOISE_FILE_2, name, random_bytes,
- extra=config.PKI_INDENTATION_LEVEL_2)
- open(name, "w").close()
- with open(name, "w") as FILE:
- noise = ''.join(random.choice(string.ascii_letters +\
- string.digits) for x in range(random_bytes))
- FILE.write(noise)
- # chmod <perms> <name>
- config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- os.chmod(name, perms)
- # chown <uid>:<gid> <name>
- if uid is None:
- uid = self.identity.get_uid()
- if gid is None:
- gid = self.identity.get_gid()
- config.pki_log.debug(log.PKIHELPER_CHOWN_3,
- uid, gid, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- os.chown(name, uid, gid)
- # Store record in installation manifest
- record = manifest.Record()
- record.name = name
- record.type = manifest.RECORD_TYPE_FILE
- record.user = self.mdict['pki_user']
- record.group = self.mdict['pki_group']
- record.uid = uid
- record.gid = gid
- record.permissions = perms
- record.acls = acls
- self.manifest_db.append(record)
- elif not os.path.isfile(name):
- config.pki_log.error(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise Exception(
- log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 % name)
- except OSError as exc:
- if exc.errno == errno.EEXIST:
- pass
- else:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise
- return
-
class Symlink:
"""PKI Deployment Symbolic Link Class"""
@@ -4417,8 +4358,14 @@ class ConfigClient:
output_file = os.path.join(
self.mdict['pki_client_database_dir'], "admin_pkcs10.bin")
- self.deployer.file.generate_noise_file(
- noise_file, int(self.mdict['pki_admin_keysize']))
+ # note: in the function below, certutil is used to generate
+ # the request for the admin cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file. Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input.
+ with open(noise_file, 'w') as f:
+ f.write("not_so_random_data")
self.deployer.certutil.generate_certificate_request(
self.mdict['pki_admin_subject_dn'],
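Review bot: The replacement at `with open(noise_file, 'w') as f:` drops the chmod/chown and the is-a-regular-file check that generate_noise_file performed, so the file is now created with the process umask and the calling user's ownership, and an existing symlink or directory at that path is followed or fails instead of being rejected. The same pattern appears in security_databases.py at `with open(deployer.mdict['pki_self_signed_noise_file'], 'w')`. Because the content is a constant string this is an ownership and robustness concern rather than a secrecy one, but whether certutil or the later `self.deployer.file.delete(noise_file)` run under the same identity as this writer is not visible here. A slim helper on File that writes the constant and keeps the chmod/chown/manifest handling would avoid duplicating the block in two files; at minimum add `os.chmod(noise_file, config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)` after the write. The enclosing ConfigClient method starts and ends outside the hunk.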
@@ -4429,6 +4376,8 @@ class ConfigClient:
self.mdict['pki_client_database_dir'],
None, None, True)
+ self.deployer.file.delete(noise_file)
+
# convert output to ascii
command = ["BtoA", output_file, output_file + ".asc"]
config.pki_log.info(
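Review bot: `self.deployer.file.delete(noise_file)` runs only on the success path, so if generate_certificate_request raises, the noise file is left behind. Placing the request in a try block and the delete in its finally clause, `finally: self.deployer.file.delete(noise_file)`, cleans up in both cases. Since the file now holds a constant string the leftover is harmless in itself, but it is a deployment artifact that the manifest no longer records. The enclosing method continues outside the hunk.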
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 3f8623af1..c3d4d9e49 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -91,9 +91,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_self_signed_nickname'],
password_file=deployer.mdict['pki_shared_pfile'])
if not rv:
- deployer.file.generate_noise_file(
- deployer.mdict['pki_self_signed_noise_file'],
- deployer.mdict['pki_self_signed_noise_bytes'])
+ # note: in the function below, certutil is used to generate
+ # the request for the self signed cert. The keys are generated
+ # by NSS, which does not actually use the data in the noise
+ # file, so it does not matter what is in this file. Certutil
+ # still requires it though, otherwise it waits for keyboard
+ # input
+ with open(
+ deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+ f.write("not_so_random_data")
deployer.certutil.generate_self_signed_certificate(
deployer.mdict['pki_database_path'],
deployer.mdict['pki_cert_database'],