authorRob Crittenden <rcritten@redhat.com>2012-03-07 17:46:33 -0500
committerMartin Kosek <mkosek@redhat.com>2012-03-15 09:55:03 +0100
commit1584807e022540af7ca1a89031f18f45194c31ab (patch)
tree9243cd7fe8a14111b14da41b97573f086979dd87
parentd082b64b7b17ceee5fe3e2d7d9140b100ee4ea59 (diff)
Add subject key identifier to the dogtag server cert profile.
This is also applied on upgrade, so any new certificates issued afterwards will have a subject key identifier set. If the user has customized the profile themselves, the change won't be applied. https://fedorahosted.org/freeipa/ticket/2446
-rw-r--r--install/tools/ipa-upgradeconfig13
-rw-r--r--ipaserver/install/cainstance.py47
2 files changed, 58 insertions, 2 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f4..40a2b68c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
from ipaserver.install import httpinstance
from ipaserver.install import memcacheinstance
from ipaserver.install import service
+ from ipaserver.install import cainstance
+ from ipaserver.install import certs
import ldap
import krbV
import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
if fstore.has_file(filename):
fstore.untrack_file(filename)
+def upgrade_ipa_profile(realm):
+ """
+ Update the IPA Profile provided by dogtag
+ """
+ ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ if ca.is_configured():
+ if ca.enable_subject_key_identifier():
+ ca.restart()
+
def main():
"""
Get some basics about the system. If getting those basics fail then
@@ -284,6 +295,8 @@ def main():
pass
cleanup_kdc()
+ upgrade_ipa_profile(krbctx.default_realm)
+
try:
if __name__ == "__main__":
sys.exit(main())
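Review bot: `upgrade_ipa_profile` in the second hunk gives the operator no feedback: when `enable_subject_key_identifier()` returns False (profile already updated, or customized and deliberately left alone) nothing is reported, and if the directive helpers raise because the profile file is missing or unreadable the exception propagates out of a call that, on the third hunk, sits before the later `try:` block, so it would presumably abort the remainder of the upgrade; the rest of `main()` is outside the hunk so I can't see which steps that would skip. Consider logging the outcome in both branches and catching the I/O failure so an unreadable profile is reported rather than fatal for the whole upgrade. The docstring could also state the contract, e.g. `"""Add the Subject Key Identifier to the dogtag IPA profile if the CA is configured, restarting the CA only when the profile was actually changed."""`.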
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 345a8c2d..948bc2d0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -72,6 +72,7 @@ EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
+IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
# We need to reset the template because the CA uses the regular boot
# information
@@ -520,6 +521,7 @@ class CAInstance(service.Service):
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("set certificate subject base", self.__set_subject_in_config)
+ self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
self.step("configuring certificate server to start on boot", self.__enable)
if not self.clone:
self.step("restarting certificate server", self.__restart_instance)
@@ -1030,14 +1032,17 @@ class CAInstance(service.Service):
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
# Fix the CRL URI in the profile
- installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
+ 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
+ quotes=False, separator='=')
ipaservices.restore_context(publishdir)
def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
- if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
+ if installutils.update_file(IPA_SERVICE_PROFILE, 'OU=pki-ipa, O=IPA', self.subject_base):
print "Updating subject_base in CA template failed"
def uninstall(self):
@@ -1071,6 +1076,44 @@ class CAInstance(service.Service):
shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
HTTPD_CONFD + "ipa-pki-proxy.conf")
+ def enable_subject_key_identifier(self):
+ """
+ See if Subject Key Identifier is set in the profile and if not, add it.
+ """
+ setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.list', separator='=')
+
+ # this is the default setting from pki-ca. Don't touch it if a user
+ # has manually modified it.
+ if setlist == '1,2,3,4,5,6,7,8':
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.list',
+ '1,2,3,4,5,6,7,8,10',
+ quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.10.constraint.class_id',
+ 'noConstraintImpl',
+ quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.10.constraint.name',
+ 'No Constraint',
+ quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.10.default.class_id',
+ 'subjectKeyIdentifierExtDefaultImpl',
+ quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.10.default.name',
+ 'Subject Key Identifier Extension Default',
+ quotes=False, separator='=')
+ installutils.set_directive(IPA_SERVICE_PROFILE,
+ 'policyset.serverCertSet.10.default.params.critical',
+ 'false',
+ quotes=False, separator='=')
+ return True
+
+ # No update was done
+ return False
def install_replica_ca(config, postinstall=False):
"""