authorJan Cholasta <jcholast@redhat.com>2014-09-18 12:00:15 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 10:01:38 +0200
commitbbf962299d23071f238eadbbec4922100cc7c6e8 (patch)
tree585090ef42039643782765c581bc97c7d818d79c
parentb764e9d3e6fcd380c9420c2d442293fdd12ec5dc (diff)
Use NSSDatabase instead of direct certutil calls in client code
https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rwxr-xr-xipa-client/ipa-install/ipa-client-install50
-rw-r--r--ipa-client/ipaclient/ipa_certupdate.py14
-rw-r--r--ipapython/certdb.py20
3 files changed, 26 insertions, 58 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ab40cd827..22085ecfe 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -226,14 +226,6 @@ def logging_setup(options):
def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error))
-def nickname_exists(nickname):
- (sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False)
-
- if returncode == 0:
- return True
- else:
- return False
-
def purge_ipa_certs(additional=[]):
filename = paths.NSSDB_IPA_TXT
if file_exists(filename):
@@ -258,12 +250,11 @@ def purge_ipa_certs(additional=[]):
if nickname:
nicknames.add(nickname)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname in nicknames:
- while nickname_exists(nickname):
+ while sys_db.has_nickname(nickname):
try:
- run([paths.CERTUTIL, "-D",
- "-d", paths.NSS_DB_DIR,
- "-n", nickname])
+ sys_db.delete_cert(nickname)
except Exception, e:
root_logger.error(
"Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
@@ -2533,23 +2524,16 @@ def install(options, env, fstore, statestore):
except ValueError:
pass
- tmp_nss_dir = tempfile.mkdtemp()
- try:
+ with certdb.NSSDatabase() as tmp_db:
# Add CA certs to a temporary NSS database
try:
pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
- run([paths.CERTUTIL, '-N',
- '-d', tmp_nss_dir,
- '-f', pwd_file.name])
+ tmp_db.create_db(pwd_file.name)
ca_certs = x509.load_certificate_list_from_file(CACERT)
ca_certs = [cert.der_data for cert in ca_certs]
for i, cert in enumerate(ca_certs):
- run([paths.CERTUTIL, '-A',
- '-d', tmp_nss_dir,
- '-n', 'CA certificate %d' % (i + 1),
- '-t', 'C,,'],
- stdin=cert)
+ tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
except CalledProcessError, e:
root_logger.info("Failed to add CA to temporary NSS database.")
return CLIENT_INSTALL_ERROR
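Review bot: The `except CalledProcessError, e:` at the end of this hunk logs a fixed message and drops `e`, so a failure in `tmp_db.create_db` or `tmp_db.add_cert` leaves no record of its cause; `root_logger.info("Failed to add CA to temporary NSS database: %s", e)` would preserve it. With the `finally: shutil.rmtree(tmp_nss_dir)` removed later in this file (hunk `@@ -2594,8 +2578,6 @@`), removal of the temporary database directory now rests entirely on `NSSDatabase.__exit__`, which is not part of this diff; it is worth confirming that it deletes `tmp_db.secdir` on the early `return CLIENT_INSTALL_ERROR` paths as well as on exceptions, since the directory holds a freshly created NSS database whose CA entries are used to validate the first RPC connection. The enclosing `with` block and the `install` function both continue beyond this hunk.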
@@ -2557,7 +2541,7 @@ def install(options, env, fstore, statestore):
# Now, let's try to connect to the server's RPC interface
connected = False
try:
- api.Backend.rpcclient.connect(nss_dir=tmp_nss_dir)
+ api.Backend.rpcclient.connect(nss_dir=tmp_db.secdir)
connected = True
root_logger.debug("Try RPC connection")
api.Backend.rpcclient.forward('ping')
@@ -2569,7 +2553,7 @@ def install(options, env, fstore, statestore):
"Trying with delegate=True", e)
try:
api.Backend.rpcclient.connect(delegate=True,
- nss_dir=tmp_nss_dir)
+ nss_dir=tmp_db.secdir)
root_logger.debug("Try RPC connection")
api.Backend.rpcclient.forward('ping')
@@ -2594,8 +2578,6 @@ def install(options, env, fstore, statestore):
root_logger.error(
"Cannot connect to the server due to generic error: %s", e)
return CLIENT_INSTALL_ERROR
- finally:
- shutil.rmtree(tmp_nss_dir)
# Use the RPC directly so older servers are supported
result = api.Backend.rpcclient.forward(
@@ -2622,14 +2604,10 @@ def install(options, env, fstore, statestore):
# Add the CA certificates to the IPA NSS database
root_logger.debug("Adding CA certificates to the IPA NSS database.")
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
for cert, nickname, trust_flags in ca_certs_trust:
try:
- run([paths.CERTUTIL,
- "-A",
- "-d", paths.IPA_NSSDB_DIR,
- "-n", nickname,
- "-t", trust_flags],
- stdin=cert)
+ ipa_db.add_cert(cert, nickname, trust_flags)
except CalledProcessError, e:
root_logger.error(
"Failed to add %s to the IPA NSS database.", nickname)
@@ -2653,14 +2631,10 @@ def install(options, env, fstore, statestore):
root_logger.debug(
"Attempting to add CA certificates to the default NSS database.")
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for cert, nickname, trust_flags in ca_certs_trust:
try:
- run([paths.CERTUTIL,
- "-A",
- "-d", paths.NSS_DB_DIR,
- "-n", nickname,
- "-t", trust_flags],
- stdin=cert)
+ sys_db.add_cert(cert, nickname, trust_flags)
except CalledProcessError, e:
root_logger.error(
"Failed to add %s to the default NSS database.", nickname)
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
index 57dbf200b..f7b0e29ba 100644
--- a/ipa-client/ipaclient/ipa_certupdate.py
+++ b/ipa-client/ipaclient/ipa_certupdate.py
@@ -22,7 +22,7 @@ import tempfile
import shutil
from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
- certmonger)
+ certmonger, certdb)
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@@ -72,11 +72,10 @@ class CertUpdate(admintool.AdminTool):
self.update_file(paths.IPA_CA_CRT, certs)
self.update_db(paths.IPA_NSSDB_DIR, certs)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname in ('IPA CA', 'External CA cert'):
try:
- ipautil.run([paths.CERTUTIL, '-D',
- '-d', paths.NSS_DB_DIR,
- '-n', nickname])
+ sys_db.delete_cert(nickname)
except ipautil.CalledProcessError, e:
pass
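Review bot: The `except ipautil.CalledProcessError, e: pass` after `sys_db.delete_cert(nickname)` swallows every failure, including ones unrelated to the nickname simply being absent, so a real problem with the system database goes unreported. Now that the wrapper offers `has_nickname` (this commit already uses it in `ipa-client-install`), the best-effort intent can be written without masking errors: `if sys_db.has_nickname(nickname): sys_db.delete_cert(nickname)`, with the remaining `except` reduced to `self.log.error("failed to remove %s from %s: %s", nickname, paths.NSS_DB_DIR, e)`. The enclosing method starts before this hunk.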
@@ -165,15 +164,12 @@ class CertUpdate(admintool.AdminTool):
self.log.error("failed to update %s: %s", filename, e)
def update_db(self, path, certs):
+ db = certdb.NSSDatabase(path)
for cert, nickname, trusted, eku in certs:
trust_flags = certstore.key_policy_to_trust_flags(
trusted, True, eku)
try:
- ipautil.run([paths.CERTUTIL, '-A',
- '-d', path,
- '-n', nickname,
- '-t', trust_flags],
- stdin=cert)
+ db.add_cert(cert, nickname, trust_flags)
except ipautil.CalledProcessError, e:
self.log.error(
"failed to update %s in %s: %s", nickname, path, e)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 792cd7529..09c87c7f9 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -36,24 +36,22 @@ def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
def create_ipa_nssdb():
- pwdfile = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+ db = NSSDatabase(paths.IPA_NSSDB_DIR)
+ pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
ipautil.backup_file(pwdfile)
- ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'))
- ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'))
- ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
with open(pwdfile, 'w') as f:
f.write(ipautil.ipa_generate_password(pwd_len=40))
os.chmod(pwdfile, 0600)
- ipautil.run([paths.CERTUTIL,
- "-N",
- "-d", paths.IPA_NSSDB_DIR,
- "-f", pwdfile])
- os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), 0644)
- os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), 0644)
- os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), 0644)
+ db.create_db(pwdfile)
+ os.chmod(os.path.join(db.secdir, 'cert8.db'), 0644)
+ os.chmod(os.path.join(db.secdir, 'key3.db'), 0644)
+ os.chmod(os.path.join(db.secdir, 'secmod.db'), 0644)
def find_cert_from_txt(cert, start=0):
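Review bot: The password file is still created by `open(pwdfile, 'w')` with umask-dependent permissions and only tightened afterwards by `os.chmod(pwdfile, 0600)`, so there is a short window in which the freshly generated database password may be readable by other local users; the refactor preserves this ordering. Creating the file with the restrictive mode from the start closes the window: `fd = os.open(pwdfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `with os.fdopen(fd, 'w') as f:`. The `0644` mode applied to `key3.db` after `db.create_db(pwdfile)` is presumably deliberate so that unprivileged clients can open the database; a comment saying so, and that the private keys in it remain protected by the `pwdfile` password, would help the next reader.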