author | Rob Crittenden <rcritten@redhat.com> | 2011-06-08 10:54:41 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-06-21 19:09:50 -0400 |
commit | dd69c7dbe68e8f8674994a54ea913f2dd2e52c32 (patch) | |
tree | 5fdc303354eb26a1d2cd206c81babdc73e8d51b9 /ipaserver | |
parent | 3a36eced53e540fe8f2b23eadf7dffda080324de (diff) | |
Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 17 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 2 | ||||
-rw-r--r-- | ipaserver/install/service.py | 14 |
5 files changed, 23 insertions, 28 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 30aa9f525..001e6eb09 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -38,7 +38,7 @@ import stat
 import socket
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
-from ipalib import pkcs10
+from ipalib import pkcs10, x509
 import subprocess
 from nss.error import NSPRError
@@ -322,7 +322,7 @@ class CADSInstance(service.Service):
 # We only handle one server cert
 self.nickname = server_certs[0][0]
- self.dercert = dsdb.get_cert_from_db(self.nickname)
+ self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
 dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname)
 def create_certdb(self):
@@ -721,13 +721,6 @@ class CAInstance(service.Service):
 # TODO: roll back here?
 logging.critical("Failed to restart the certificate server. See the installation log for details.")
- def __get_agent_cert(self, nickname):
- args = ["/usr/bin/certutil", "-L", "-d", self.ca_agent_db, "-n", nickname, "-a"]
- (out, err, returncode) = ipautil.run(args)
- out = out.replace('-----BEGIN CERTIFICATE-----', '')
- out = out.replace('-----END CERTIFICATE-----', '')
- return out
-
 def __issue_ra_cert(self):
 # The CA certificate is in the agent DB but isn't trusted
 (admin_fd, admin_name) = tempfile.mkstemp()
@@ -801,8 +794,7 @@ class CAInstance(service.Service):
 self.ra_cert = outputList['b64_cert']
 self.ra_cert = self.ra_cert.replace('\\n','')
- self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','')
- self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','')
+ self.ra_cert = x509.strip_header(self.ra_cert)
 # Add the new RA cert to the database in /etc/httpd/alias
 (agent_fd, agent_name) = tempfile.mkstemp()
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index da89370af..07dda2cc0 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
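Review bot: The `self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)` line in the -322 hunk still accepts the `''` that get_cert_from_db returns when certutil fails (its `except ipautil.CalledProcessError: return ''` is visible in the certs.py hunk), so a missing or mis-named server cert leaves an empty DER blob in self.dercert and the install carries on, with the failure surfacing only later when that value is written to the directory. A check at the call site, `if not self.dercert: raise RuntimeError("certificate %s not found in NSS database" % self.nickname)`, turns this into an error where the cause is still obvious. The same pattern is in the dsinstance -517 hunk and the httpinstance -185 hunk. The enclosing method starts before this hunk.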
@@ -432,11 +432,22 @@ class CertDB(object):
 except RuntimeError:
 break
- def get_cert_from_db(self, nickname):
+ def get_cert_from_db(self, nickname, pem=True):
+ """
+ Retrieve a certificate from the current NSS database for nickname.
+
+ pem controls whether the value returned PEM or DER-encoded. The
+ default is the data straight from certutil -a.
+ """
 try:
 args = ["-L", "-n", nickname, "-a"]
 (cert, err, returncode) = self.run_certutil(args)
- return cert
+ if pem:
+ return cert
+ else:
+ (cert, start) = find_cert_from_txt(cert, start=0)
+ dercert = base64.b64decode(cert)
+ return dercert
 except ipautil.CalledProcessError:
 return ''
@@ -501,6 +512,8 @@ class CertDB(object):
 that will issue our cert. You can override the certificate Subject by specifying a subject.
+
+ Returns a certificate in DER format.
 """
 cdb = other_certdb
 if not cdb:
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 845e1e253..574a5afd8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -379,7 +379,7 @@ class DsInstance(service.Service):
 logging.debug("completed creating ds instance")
 except ipautil.CalledProcessError, e:
 logging.critical("failed to restart ds instance %s" % e)
-
+
 # check for open port 389 from now on
 self.open_ports.append(389)
@@ -517,7 +517,7 @@ class DsInstance(service.Service):
 # We only handle one server cert
 nickname = server_certs[0][0]
- self.dercert = dsdb.get_cert_from_db(nickname)
+ self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
 dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname)
 else:
 nickname = "Server-Cert"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e53c01e1c..26fde51f9 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
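Review bot: In the new `pem=False` branch of get_cert_from_db, `find_cert_from_txt(cert, start=0)` runs inside a `try` that only catches ipautil.CalledProcessError; the `except RuntimeError: break` context at the top of the hunk suggests find_cert_from_txt reports "no certificate in this text" with RuntimeError, so empty or headerless certutil output would now escape as an unhandled exception rather than the `''` the except clause returns, and the docstring should say which it is (or the branch should catch it). `start` is bound but never used; `(cert, _) = find_cert_from_txt(cert, start=0)` makes the discard explicit. The docstring also drops a verb; suggest `pem controls whether the value returned is PEM- or DER-encoded.` Note that `base64` has to be imported at the top of certs.py, which this hunk does not show.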
@@ -185,7 +185,7 @@ class HTTPInstance(service.Service):
 db.create_password_conf()
 # We only handle one server cert
 nickname = server_certs[0][0]
- self.dercert = db.get_cert_from_db(nickname)
+ self.dercert = db.get_cert_from_db(nickname, pem=False)
 db.track_server_cert(nickname, self.principal, db.passwd_fname)
 self.__set_mod_nss_nickname(nickname)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index d8d04e73a..efbb2c933 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -94,6 +94,7 @@ class Service(object):
 self.realm = None
 self.suffix = None
 self.principal = None
+ self.dercert = None
 def ldap_connect(self):
 self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
@@ -192,23 +193,12 @@ class Service(object):
 """
 Add a certificate to a service
- This should be passed in DER format but we'll be nice and convert
- a base64-encoded cert if needed (like when we add certs that come
- from PKCS#12 files.)
+ This server cert should be in DER format.
 """
 if not self.admin_conn:
 self.ldap_connect()
- try:
- s = self.dercert.find('-----BEGIN CERTIFICATE-----')
- if s > -1:
- e = self.dercert.find('-----END CERTIFICATE-----')
- s = s + 27
- self.dercert = self.dercert[s:e]
- self.dercert = base64.b64decode(self.dercert)
- except Exception:
- pass
 dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
 mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)]
 try:
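Review bot: With the PEM-detection block gone, the -192 hunk of service.py hands `self.dercert` to `ldap.MOD_ADD` with no check at all, and the -94 hunk in the same file now initialises that attribute to `None`; a subclass that never set a certificate, or one that stored the `''` returned by get_cert_from_db on failure, would push a None or empty userCertificate value to the directory and fail with an opaque LDAP or type error. A guard before `mod` is built, `if not self.dercert: raise RuntimeError("no DER certificate set for %s" % self.principal)`, gives a clear failure at the point where the cause is known. The shortened docstring could also state the expected type: `self.dercert must already hold the DER-encoded certificate as a byte string; no conversion is done here.` The method body continues past the end of the hunk.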