| author | Stanislav Laznicka <slaznick@redhat.com> | 2016-12-06 09:14:54 +0100 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2017-02-17 10:14:23 +0100 |
| commit | ca457eb5ce12291f555f1bf771114d6d7d191987 (patch) | |
| tree | 0bb991ae4d78e70f8766f84c12cd66ff8a0178c7 /ipapython | |
| parent | 79b3fbf97d66adb1f5c960e5473b90f85cbe145a (diff) | |
Add password to certutil calls in NSSDatabase
NSSDatabase should pass its password file to every certutil call. The
`password_filename` argument was also removed from `.create_db()`, which now always uses `self.pwd_file`.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipapython')
| -rw-r--r-- | ipapython/certdb.py | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a6bfcbc3e..73387cf58 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -17,7 +17,6 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
-import binascii
 import os
 import io
 import pwd
@@ -112,13 +111,12 @@ class NSSDatabase(object):
     def run_certutil(self, args, stdin=None, **kwargs):
         new_args = [CERTUTIL, "-d", self.secdir]
         new_args = new_args + args
+        new_args.extend(['-f', self.pwd_file])
         return ipautil.run(new_args, stdin, **kwargs)
 
-    def create_db(self, password_filename=None, user=None, group=None,
-                  mode=None, backup=False):
+    def create_db(self, user=None, group=None, mode=None, backup=False):
         """Create cert DB
 
-        :param password_filename: Name of file containing the database password
         :param user: User owner the secdir
         :param group: Group owner of the secdir
         :param mode: Mode of the secdir
@@ -145,19 +143,15 @@ class NSSDatabase(object):
         if not os.path.exists(self.secdir):
             os.makedirs(self.secdir, dirmode)
 
-        if password_filename is None:
-            password_filename = self.pwd_file
-
-        if not os.path.exists(password_filename):
+        if not os.path.exists(self.pwd_file):
             # Create the password file for this db
-            hex_str = binascii.hexlify(os.urandom(10))
-            with io.open(os.open(password_filename,
+            with io.open(os.open(self.pwd_file,
                                  os.O_CREAT | os.O_WRONLY,
-                                 filemode), 'wb', closefd=True) as f:
-                f.write(hex_str)
+                                 filemode), 'w', closefd=True) as f:
+                f.write(ipautil.ipa_generate_password())
                 f.flush()
 
-            self.run_certutil(["-N", "-f", password_filename])
+            self.run_certutil(["-N", "-f", self.pwd_file])
 
             # Finally fix up perms
             os.chown(self.secdir, uid, gid)
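Review bot: `run_certutil` now appends `-f self.pwd_file` to every invocation unconditionally, so a caller that runs before the password file exists, or against a database that was never given one, now fails inside certutil instead of at a point where the missing file is visible; and within this same hunk `create_db` still passes `["-N", "-f", self.pwd_file]`, so the `-N` call carries `-f` twice. Append the option only when the caller has not already supplied it, `if '-f' not in args: new_args.extend(['-f', self.pwd_file])`, which keeps the explicit `-N` call correct as well. Whether any other callers reach `run_certutil` without a password file present cannot be seen from this hunk and should be checked. `create_db` continues past the end of this hunk.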
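Review bot: The password file is created with `os.O_CREAT | os.O_WRONLY` after a separate `os.path.exists` check, so a path that appears between the check and the open (including a symlink planted there) is silently followed and, with no `O_TRUNC` given, partially overwritten with the new password. Adding `os.O_EXCL` to the flags, `os.O_CREAT | os.O_EXCL | os.O_WRONLY`, turns that race into an `OSError` with `EEXIST` rather than writing the secret into a file the caller did not create; the preceding exists-check keeps the normal path unchanged. The file is also opened in text mode `'w'` with no explicit encoding, and `ipa_generate_password()` is defined outside this hunk — on a Python 2 build `io.open` in text mode rejects a byte `str`, so confirm the helper returns unicode there. `create_db` begins in the previous hunk and ends after this one.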
