author | Jan Cholasta <jcholast@redhat.com> | 2016-02-22 15:05:35 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-24 10:53:28 +0100 |
commit | 11592dde1b232a70f318e01f5271b38890090648 (patch) | |
tree | 5aaeafb3a23893af2bc506c06c18404d930bd7f7 /ipapython/certdb.py | |
parent | 775ee77bcc091ba31fdd3e59f8d45d0b646a44a0 (diff) | |
client: stop using /etc/pki/nssdb
Don't put any IPA certificates into /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipapython/certdb.py')
-rw-r--r-- | ipapython/certdb.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 1e6c63a15..aea50a81f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -56,6 +56,35 @@ def create_ipa_nssdb():
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
 
 
+def update_ipa_nssdb():
+ ipa_db = NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = NSSDatabase(paths.NSS_DB_DIR)
+
+ if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+ create_ipa_nssdb()
+
+ for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+ ('External CA cert', 'C,,')):
+ try:
+ cert = sys_db.get_cert(nickname)
+ except RuntimeError:
+ continue
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to add %s to %s: %s" %
+ (nickname, ipa_db.secdir, e))
+
+ # Remove IPA certs from /etc/pki/nssdb
+ for nickname, trust_flags in ipa_db.list_certs():
+ while sys_db.has_nickname(nickname):
+ try:
+ sys_db.delete_cert(nickname)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to remove %s from %s: %s" %
+ (nickname, sys_db.secdir, e))
+
+
 def find_cert_from_txt(cert, start=0):
 """
 Given a cert blob (str) which may or may not contian leading and |
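Review bot: The cleanup loop at the end of update_ipa_nssdb() deletes from the system NSS DB every certificate whose nickname matches one listed in /etc/ipa/nssdb, so an unrelated certificate an administrator stored in /etc/pki/nssdb under the same nickname would be removed along with the genuine leftovers. Comparing the certificate before deleting, e.g. `if sys_db.get_cert(nickname) != ipa_db.get_cert(nickname): break` ahead of `sys_db.delete_cert(nickname)`, would limit the removal to actual IPA copies, assuming get_cert returns the certificate blob for that nickname. The migration loop above also assigns the fixed trust 'CT,C,C' / 'C,,' to whatever is found under those nicknames in the system DB instead of carrying over the trust it had there; if that is intended, a one-line comment saying so would help the next reader. The function has no docstring — something like `"""Create /etc/ipa/nssdb if missing, copy the IPA CA certs into it from the system NSS DB and remove IPA leftovers from /etc/pki/nssdb."""` — and `trust_flags` in the second loop is unused, so `for nickname, _ in ipa_db.list_certs():` reads more honestly.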