From c123264ac77cd533a08978909f837c8f4d3e224e Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 25 Sep 2013 08:33:35 +0000
Subject: Read passwords from stdin when importing PKCS#12 files with pk12util.

This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password.

https://fedorahosted.org/freeipa/ticket/3897
---
 install/tools/ipa-replica-install | 34 ++++++++++++++++++++++------------
 install/tools/ipa-server-install  |  9 +++------
 2 files changed, 25 insertions(+), 18 deletions(-)
(limited to 'install')

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2a88c1021..5e6941402 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -149,16 +149,31 @@ def set_owner(config, dir):
     pw = pwd.getpwnam(dsinstance.DS_USER)
     os.chown(dir, pw.pw_uid, pw.pw_gid)
 
+
+def make_pkcs12_info(directory, cert_name, password_name):
+    """Make pkcs12_info
+
+    :param directory: Base directory (config.dir)
+    :param cert_name: Cert filename (e.g. "dscert.p12")
+    :param password_name: Cert filename (e.g. "dirsrv_pin.txt")
+    :return: a (full cert path, password) tuple, or None if cert is not found
+    """
+    cert_path = os.path.join(directory, cert_name)
+    if ipautil.file_exists(cert_path):
+        password_file = os.path.join(directory, password_name)
+        password = open(password_file).read().strip()
+        return cert_path, password
+    else:
+        return None
+
+
 def install_replica_ds(config):
     dsinstance.check_ports()
 
     # if we have a pkcs12 file, create the cert db from
     # that. Otherwise the ds setup will create the CA
     # cert
-    pkcs12_info = None
-    if ipautil.file_exists(config.dir + "/dscert.p12"):
-        pkcs12_info = (config.dir + "/dscert.p12",
-                       config.dir + "/dirsrv_pin.txt")
+    pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt")
 
     ds = dsinstance.DsInstance()
     ds.create_replica(
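Review bot: In make_pkcs12_info the pin file is opened without a context manager and its content is stripped wholesale, so `password = open(password_file).read().strip()` both relies on refcounting to close the handle and quietly alters any PIN that begins or ends with whitespace; write it as `with open(password_file) as f:` / `password = f.read().strip()` and add a comment stating that only the surrounding whitespace (the trailing newline) is discarded, since that is now the contract every caller inherits. The docstring's `:param password_name:` line is a copy of the cert one and should read `Password filename (e.g. "dirsrv_pin.txt")`. Unlike the removed code, which only handed pk12util a path, this now raises an uncaught IOError when the .p12 exists but its pin file does not; an explicit check with an error naming the missing file would be kinder than a traceback, assuming the callers do not catch it (they are not visible here). The hunk ends inside install_replica_ds, whose body continues past it.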
@@ -178,10 +193,8 @@ def install_krb(config, setup_pkinit=False):
     krb = krbinstance.KrbInstance()
 
     #pkinit files
-    pkcs12_info = None
-    if ipautil.file_exists(config.dir + "/pkinitcert.p12"):
-        pkcs12_info = (config.dir + "/pkinitcert.p12",
-                       config.dir + "/pkinit_pin.txt")
+    pkcs12_info = make_pkcs12_info(config.dir, "pkinitcert.p12",
+                                   "pkinit_pin.txt")
     krb.create_replica(config.realm_name,
                        config.master_host_name, config.host_name,
@@ -206,10 +219,7 @@ def install_http(config, auto_redirect):
     # if we have a pkcs12 file, create the cert db from
     # that. Otherwise the ds setup will create the CA
     # cert
-    pkcs12_info = None
-    if ipautil.file_exists(config.dir + "/httpcert.p12"):
-        pkcs12_info = (config.dir + "/httpcert.p12",
-                       config.dir + "/http_pin.txt")
+    pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
 
     memcache = memcacheinstance.MemcacheInstance()
     memcache.create_instance('MEMCACHE', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name))
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cf8d3d01b..aa424c377 100644
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -882,8 +882,7 @@ def main():
                 confirm=False, validate=False)
             if options.http_pin is None:
                 sys.exit("%s unlock password required" % options.http_pkcs12)
-        http_pin_file = ipautil.write_tmp_file(options.http_pin)
-        http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+        http_pkcs12_info = (options.http_pkcs12, options.http_pin)
         http_cert_name = installutils.check_pkcs12(
             http_pkcs12_info, ca_file, host_name)
 
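Review bot: The second element of the pkcs12_info tuple changes meaning in the ipa-server-install hunk, from the path of a pin file to the pin itself (`http_pkcs12_info = (options.http_pkcs12, options.http_pin)`), but every consumer of that tuple — installutils.check_pkcs12 on the very next line and whatever later receives it — lies outside this view, which cgit limits to install/; confirm they were switched in the same commit, otherwise a stale consumer will try to open the password string as a filename. Dropping write_tmp_file is a genuine improvement because the PIN no longer touches disk, though it now lives as a plain str for the rest of main(), which starts and ends outside the hunk. A one-line comment at the assignment, such as `# (pkcs12 path, pin): the pin is fed to pk12util on stdin, never written to a file`, would stop someone reintroducing the temp file later.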
@@ -894,8 +893,7 @@ def main():
                 confirm=False, validate=False)
             if options.dirsrv_pin is None:
                 sys.exit("%s unlock password required" % options.dirsrv_pkcs12)
-        dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
-        dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+        dirsrv_pkcs12_info = (options.dirsrv_pkcs12, options.dirsrv_pin)
         dirsrv_cert_name = installutils.check_pkcs12(
             dirsrv_pkcs12_info, ca_file, host_name)
 
@@ -906,8 +904,7 @@ def main():
                 confirm=False, validate=False)
             if options.pkinit_pin is None:
                 sys.exit("%s unlock password required" % options.pkinit_pkcs12)
-        pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
-        pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
+        pkinit_pkcs12_info = (options.pkinit_pkcs12, options.pkinit_pin)
 
     if not options.dm_password:
         dm_password = read_dm_password()
-- cgit
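Review bot: The pkinit hunk is the third near-identical copy of the http and dirsrv blocks, and it already diverges from them — `pkinit_pkcs12_info = (options.pkinit_pkcs12, options.pkinit_pin)` is followed by no check_pkcs12 call in the visible context — so the pin handling is drifting apart in three places; a small helper mirroring make_pkcs12_info on the replica side would keep the "exit if no pin, build the (path, pin) tuple" step in one place, sketched below. Note also that a pin given on the command line or prompt is used as-is here while the replica side strips the pin it reads from a file; that is probably harmless for an interactively entered pin, but it is worth confirming pk12util receives the same bytes on both paths. main() starts and ends outside the hunk.
```python
def _pkcs12_info(pkcs12_path, pin):
    """Return the (pkcs12 path, pin) tuple handed to check_pkcs12/pk12util, or exit if no pin was supplied."""
    # the pin is passed to pk12util on stdin; it is never written to a file
    if pin is None:
        sys.exit("%s unlock password required" % pkcs12_path)
    return (pkcs12_path, pin)

# … unchanged: prompting for each pin with confirm=False, validate=False …
        http_pkcs12_info = _pkcs12_info(options.http_pkcs12, options.http_pin)
        dirsrv_pkcs12_info = _pkcs12_info(options.dirsrv_pkcs12, options.dirsrv_pin)
        pkinit_pkcs12_info = _pkcs12_info(options.pkinit_pkcs12, options.pkinit_pin)
```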