path: root/ipaserver/plugins/cert.py
Commit message (Author, Age, Files, Lines)
* cert: defer cert-find result post-processing (Jan Cholasta, 2017-04-19, 1 file, -37/+56)
  Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches when cert-find is executed with the --all option on certificates which won't even be included in the combined result.
  https://pagure.io/freeipa/issue/6808
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Conditionally import pyhbac (Christian Heimes, 2017-04-03, 1 file, -1/+89)
  The pyhbac module is part of SSSD. It's not available as a stand-alone PyPI package. It would take a lot of effort to package it because the code is deeply tied into SSSD. Let's follow the example of other SSSD Python packages and make the import of pyhbac conditional. It's only necessary for the caacl and hbactest plugins.
  I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it does not check for the presence of the pyhbac package itself. The check is performed earlier in execute(). The prefix indicates that it is an internal function and developers have to think twice before using it in another place.
  This makes it much easier to install ipaserver with an instrumented build of Python with a different ABI or in isolated virtual envs to profile and debug the server.
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Hide request_type doc string in cert-request help (Abhijeet Kasurde, 2017-03-31, 1 file, -1/+1)
  The fix hides the description of the request_type argument in the cert-request command help.
  Fixes https://pagure.io/freeipa/issue/6494
  Fixes https://pagure.io/freeipa/issue/5734
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* cert: do not limit internal searches in cert-find (Jan Cholasta, 2017-03-27, 1 file, -18/+10)
  Instead, apply the limits on the combined result. This fixes (absence of) `--sizelimit` leading to strange behavior, such as `cert-find --users user` returning a non-empty result only with `--sizelimit 0`.
  https://pagure.io/freeipa/issue/6716
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* check for replica's KDC entry on master before requesting PKINIT cert (Martin Babinsky, 2017-03-15, 1 file, -3/+3)
  This prevents replication-based race conditions from breaking PKINIT certificate requests on replica installation.
  https://pagure.io/freeipa/issue/6739
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* check that the master requesting PKINIT cert has KDC enabled (Martin Babinsky, 2017-03-15, 1 file, -5/+17)
  https://pagure.io/freeipa/issue/6739
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert: include certificate chain in cert command output (Jan Cholasta, 2017-03-14, 1 file, -7/+46)
  Include the full certificate chain in the output of cert-request, cert-show and cert-find if --chain or --all is specified.
  If an output file is specified in the CLI together with --chain, the full certificate chain is written to the file.
  https://pagure.io/freeipa/issue/6547
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Add SHA256 fingerprints for certs (Tomas Krizek, 2017-03-07, 1 file, -0/+7)
  https://fedorahosted.org/freeipa/ticket/6701
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Extract method to map principal to principal type (Fraser Tweedale, 2017-03-03, 1 file, -15/+14)
  Part of: https://pagure.io/freeipa/issue/5011
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Remove redundant principal_type argument (Fraser Tweedale, 2017-03-03, 1 file, -8/+5)
  Minor refactor to remove the redundant 'principal_type' argument from 'caacl_check' and associated functions.
  Part of: https://pagure.io/freeipa/issue/5011
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Remove md5_fingerprints from IPA (Stanislav Laznicka, 2017-02-23, 1 file, -7/+0)
  MD5 is a grandpa and FIPS does not like it at all.
  https://fedorahosted.org/freeipa/ticket/5695
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* cryptography has deprecated serial in favor of serial_number (Christian Heimes, 2017-02-10, 1 file, -2/+2)
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* py3: base64 encoding/decoding always returns bytes, don't mix it (Martin Basti, 2017-02-08, 1 file, -1/+1)
  Using the unicode(bytes) call causes an undesired side effect: it inserts a `b` character into the result. This obviously causes issues with binary base64 data.
  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: fix CSR encoding inside framework (Martin Basti, 2017-01-31, 1 file, -1/+3)
  csr must be a string because the framework expects only strings, so we have to decode it back.
  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* cert: fix search limit handling in cert-find (Jan Cholasta, 2017-01-24, 1 file, -4/+17)
  If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well.
  Detect and report if size limit was exceeded in the certificate search in the CA.
  Do not apply limits to the internal ca-find call.
  https://fedorahosted.org/freeipa/ticket/6564
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix coverity issue (Tomas Krizek, 2017-01-16, 1 file, -1/+2)
  A code path exists where principal_obj is None. Add a check that principal_obj is not None to avoid dereferencing it.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Reuse self.api when executing ca_enabled_check (Fraser Tweedale, 2017-01-11, 1 file, -8/+8)
  The ca_enabled_check function is a wrapper around api.Command.ca_is_enabled. When using remote_api (e.g. during installer), ca_enabled_check invokes the *global* api instead of the remote_api.
  Update ca_enabled_check to explicitly receive an api object from the caller and invoke Command.ca_is_enabled through it.
  Part of: https://fedorahosted.org/freeipa/ticket/2614
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove "Request Certificate with SubjectAltName" permission (Fraser Tweedale, 2016-12-21, 1 file, -6/+0)
  subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission.
  Furthermore, we already do rigorously validate SAN contents against the subject principal, and the permission is waived for self-service requests or if the operator is a host principal.
  So remove the permission, the associated virtual operation, and the associated code in cert_request.
  Fixes: https://fedorahosted.org/freeipa/ticket/6526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Configure Anonymous PKINIT on server install (Simo Sorce, 2016-12-12, 1 file, -18/+68)
  Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit.
  https://fedorahosted.org/freeipa/ticket/5678
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert-request: match names against principal aliases (Fraser Tweedale, 2016-12-06, 1 file, -28/+85)
  Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios:
  - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal)
  - for all principal types: UPN or KRB5PrincipalName othername match any principal alias.
  Fixes: https://fedorahosted.org/freeipa/ticket/6295
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* cert-request: accept CSRs with extraneous data (Fraser Tweedale, 2016-11-11, 1 file, -2/+5)
  The cert-request command used to accept CSRs that had extra data surrounding the PEM data, e.g. commentary about the contents of the CSR. Recent commits that switch to using python-cryptography for cert and CSR handling broke this. Our acceptance tests use such CSRs, hence the tests are now failing.
  To avoid the issue, freshly encode the python-cryptography CertificateSigningRequest object as PEM. This avoids re-using the user-supplied data, in case it has extraneous data.
  Fixes: https://fedorahosted.org/freeipa/ticket/6472
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* x509: use python-cryptography to process certs (Fraser Tweedale, 2016-11-10, 1 file, -53/+62)
  Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code.
  Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions.
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* x509: avoid use of nss.data_to_hex (Fraser Tweedale, 2016-11-10, 1 file, -4/+4)
  Avoid use of the nss.data_to_hex function for formatting certificate fingerprints. Add our own helper functions to format the fingerprints as hex (with colons).
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pkcs10: use python-cryptography for CSR processing (Fraser Tweedale, 2016-11-10, 1 file, -52/+43)
  Update ``ipalib.pkcs10`` module to use python-cryptography for CSR processing instead of NSS.
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* cert-show: show validity in default output (Fraser Tweedale, 2016-10-26, 1 file, -2/+2)
  cert-show no longer shows validity dates without `--all`, but this is important information that should be shown by default. Make it so.
  Fixes: https://fedorahosted.org/freeipa/ticket/6419
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert: add revocation reason back to cert-find output (Jan Cholasta, 2016-10-13, 1 file, -8/+9)
  In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were accidentally removed from cert-find output. In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and `revoked` were added back. Add back `revocation_reason` as well.
  Also, do not include `revoked` with --raw, as it's a virtual attribute.
  https://fedorahosted.org/freeipa/ticket/6269
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Pylint: remove unused variables in ipaserver package (Martin Basti, 2016-10-06, 1 file, -6/+4)
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable check for unused-variables (Martin Basti, 2016-09-27, 1 file, -0/+2)
  Unused variables may:
  * make code less readable
  * create dead code
  * potentially hide issues/errors
  The enabled check should prevent leaving unused variables in code.
  The check is locally disabled for modules where the fix is not clear or easy, or which have too many occurrences of unused variables.
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add help info about certificate revocation reasons (Tomas Krizek, 2016-09-21, 1 file, -1/+2)
  Inform the user where to find additional information about certificate revocation reasons.
  https://fedorahosted.org/freeipa/ticket/6327
  Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* cert-request: raise CertificateOperationError if CA disabled (Fraser Tweedale, 2016-09-07, 1 file, -2/+10)
  Detect when cert-request returns HTTP 409, which indicates that the target CA is disabled - a valid scenario - and raise CertificateOperationError with a friendly message instead of HTTPRequestError.
  Fixes: https://fedorahosted.org/freeipa/ticket/6260
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert: fix cert-find --certificate when the cert is not in LDAP (Jan Cholasta, 2016-09-07, 1 file, -7/+5)
  Always return the cert specified in --certificate in cert-find result, even when the cert is not found in LDAP.
  https://fedorahosted.org/freeipa/ticket/6304
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix CA ACL Check on SubjectAltNames (Simo Sorce, 2016-08-31, 1 file, -4/+8)
  The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert: include CA name in cert command output (Jan Cholasta, 2016-08-30, 1 file, -9/+24)
  Include the name of the CA that issued a certificate in cert-request, cert-show and cert-find. This allows the caller to call further commands on the cert without having to call ca-find to find the name of the CA.
  https://fedorahosted.org/freeipa/ticket/6151
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert: add missing param values to cert-find output (Jan Cholasta, 2016-08-30, 1 file, -1/+2)
  Add back `serial_number_hex` and `revoked` param values to cert-find output accidentally removed in commit c718ef058847bb39e78236e8af0ad69ac961bbcf.
  https://fedorahosted.org/freeipa/ticket/6269
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-show: show subject alternative names (Fraser Tweedale, 2016-08-26, 1 file, -3/+126)
  Enhance the cert-show command to return subject alternative name values.
  Fixes: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: include otherName DER value in GeneralNameInfo (Fraser Tweedale, 2016-08-26, 1 file, -1/+1)
  We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: use NSS enums and OIDs to identify SAN types (Fraser Tweedale, 2016-08-26, 1 file, -9/+10)
  GeneralName parsing currently relies heavily on strings from NSS. Make the code hopefully less brittle by identifying GeneralName types by NSS enums and, for otherName, the name-type OID also.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move GeneralName parsing code to ipalib.x509 (Fraser Tweedale, 2016-08-26, 1 file, -4/+4)
  GeneralName parsing code is primarily relevant to X.509. An upcoming change will add SAN parsing to the cert-show command, so first move the GeneralName parsing code from ipalib.pkcs10 to ipalib.x509.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-revoke: fix permission check bypass (CVE-2016-5404) (Fraser Tweedale, 2016-08-22, 1 file, -28/+32)
  The 'cert_revoke' command checks the 'revoke certificate' permission, however, if an ACIError is raised, it then invokes the 'cert_show' command. The rationale was to re-use a "host manages certificate" check that is part of the 'cert_show' command, however, it is sufficient that 'cert_show' executes successfully for 'cert_revoke' to recover from the ACIError and continue.
  Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate and cause various kinds of DoS.
  Fix the problem by extracting the "host manages certificate" check to its own method and explicitly calling it from 'cert_revoke'.
  Fixes: https://fedorahosted.org/freeipa/ticket/6232
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert: do not crash on invalid data in cert-find (Jan Cholasta, 2016-08-17, 1 file, -4/+24)
  https://fedorahosted.org/freeipa/ticket/6150
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* cert: speed up cert-find (Jan Cholasta, 2016-08-17, 1 file, -182/+216)
  Use issuer+serial rather than raw DER blob to identify certificates in cert-find's intermediate result.
  Restructure the code to make it (hopefully) easier to follow.
  https://fedorahosted.org/freeipa/ticket/6098
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Add --cn option to cert-status (Fraser Tweedale, 2016-07-01, 1 file, -8/+8)
  Add the 'cacn' option to the cert-status command. Right now there is nothing we need to (or can) do with it, but we add it anyway for future use.
  Fixes: https://fedorahosted.org/freeipa/ticket/5999
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migrate management framework plugins to use Principal parameter (Martin Babinsky, 2016-07-01, 1 file, -49/+39)
  All plugins will now use this parameter and common code for all operations on Kerberos principals. Additional semantic validators and normalizers were added to determine or append a correct realm so that the previous behavior is kept intact.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix minor typo (Yuri Chornoivan, 2016-07-01, 1 file, -1/+1)
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add --ca option to cert-revoke and cert-remove-hold (Fraser Tweedale, 2016-07-01, 1 file, -15/+32)
  Implement the --ca option for cert-revoke and cert-remove-hold. Defaults to the IPA CA. Raise NotFound if the cert with the given serial was not issued by the nominated CA.
  Also default the --ca option of cert-show to the IPA CA.
  Add commentary to cert-status to explain why it does not use the --ca option.
  Fixes: https://fedorahosted.org/freeipa/ticket/5999
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert: fix CLI output of cert_remove_hold (Jan Cholasta, 2016-06-30, 1 file, -8/+0)
  cert_remove_hold uses output params instead of exceptions to convey unsuccessful result. Move the output params to the client side before the command is fixed to use exceptions.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* cert-request: better error msg when 'add' not supported (Fraser Tweedale, 2016-06-30, 1 file, -3/+18)
  cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist".
  Add a new error type with better error message to explain that 'add' is not supported for host or user principals.
  Fixes: https://fedorahosted.org/freeipa/ticket/5991
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* cert.py split module docstring to multiple ugettext strings (Martin Basti, 2016-06-30, 1 file, -37/+37)
  It is hard to translate the whole docstring again and again after each minor change. This split will make life for translators easier.
  (Just note: the docstring was changed and that is the reason why I'm sending this, because translators must translate it again anyway.)
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* cert-find: fix 'issuer' option (Fraser Tweedale, 2016-06-29, 1 file, -0/+2)
  The 'issuer' option of cert-find was recently changed from Str to DNParam, however, 'ra.find' expects a string and throws when it receives a DN. When constructing the dict that gets passed to 'ra.find', turn DNParams into strings.
  Part of: https://fedorahosted.org/freeipa/ticket/5381
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert: allow search by certificate (Jan Cholasta, 2016-06-21, 1 file, -8/+40)
  Allow search by certificate data or file in cert-find.
  https://fedorahosted.org/freeipa/ticket/5381
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>