From 06e65f8859164bc7e12a2c42d64b9f7c381a3219 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce --- ipaserver/secrets/kem.py | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'ipaserver/secrets/kem.py') diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index 28fb4d31b..74ae70d5d 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -24,6 +24,7 @@ import ldap IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc' IPA_KEYS_QUERY = '(&(ipaKeyUsage={usage:s})(memberPrincipal={princ:s}))' +IPA_CHECK_QUERY = '(cn=enc/{host:s})' RFC5280_USAGE_MAP = {KEY_USAGE_SIG: 'digitalSignature', KEY_USAGE_ENC: 'dataEncipherment'} @@ -78,6 +79,16 @@ class KEMLdap(iSecLdap): jwk['use'] = KEY_USAGE_MAP[usage] return json_encode(jwk) + def check_host_keys(self, host): + conn = self.connect() + scope = ldap.SCOPE_SUBTREE + + ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) + r = conn.search_s(self.keysbase, scope, ldap_filter) + if len(r) != 1: + raise ValueError("Incorrect number of results (%d) searching for" + "public key for %s" % (len(r), host)) + def _format_public_key(self, key): if isinstance(key, str): jwkey = json_decode(key) -- cgit