Martin Kosek wrote:
On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
Use John's new DN class to verify that the subject base passed into
ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob

Works fine for basic errors. But what if the DN is syntactically valid,
but makes no sense for the CA? For example:

# ipa-server-install --subject="FOO=BAR"
...
Configuring certificate server: Estimated time 6 minutes
   [1/16]: creating certificate server user
   [2/16]: creating pki-ca instance
   [3/16]: restarting certificate server
   [4/16]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-099.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX'
-preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host
vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory
Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
-backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR"
-ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR"
-ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR"
-ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external
false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
  Configuration of CA failed


Could we also cover these cases in the callback?

Martin
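
A stand-alone validator for the subject base, added here as an illustration and not part of Martin's mail or of the FreeIPA patch in this thread. It parses the DN string itself with a minimal RFC 4514-style split that honours backslash escapes (rather than using ipalib.dn.DN), reuses the allow-list of attribute types from the patch in this thread, and rejects every attribute type outside it, including each component of a multi-valued RDN such as `CN=a+FOO=b`. The function names, the SubjectBaseError class and the sample inputs are assumptions constructed for this example.

```python
import re

# Attribute types the CA accepts in a subject base: the same allow-list the
# patch in this thread adds to ipa-server-install as VALID_SUBJECT_ATTRS,
# kept lowercase because attribute types are compared case-insensitively.
VALID_SUBJECT_ATTRS = frozenset([
    'cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title',
    'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid',
    'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e',
    'street', 'pseudonym', 'incorporationlocality', 'incorporationstate',
    'incorporationcountry', 'businesscategory',
])

# Descriptor form of an attribute type: letters, digits and hyphens, starting
# with a letter (numeric OID types are rejected; the CA allow-list has none).
_ATTR_TYPE_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


class SubjectBaseError(ValueError):
    """Subject base is malformed or uses an attribute the CA does not accept."""


def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators (e.g. '\\,') intact."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            # Keep the escape and the escaped character together, unsplit.
            current.append(ch)
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current))
    return parts


def parse_subject_base(subject):
    """Parse 'CN=a+FOO=b,O=x' into [[('cn', 'a'), ('foo', 'b')], [('o', 'x')]].

    RDNs are separated by ',' and the AVAs inside one RDN by '+'; attribute
    types are lowercased so callers can compare them against the allow-list.
    """
    if not subject.strip():
        raise SubjectBaseError('empty subject base')
    rdns = []
    for rdn in split_unescaped(subject, ','):
        avas = []
        for ava in split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise SubjectBaseError('missing "=" in %r' % ava)
            attr, value = ava.split('=', 1)
            attr = attr.strip()
            if not _ATTR_TYPE_RE.fullmatch(attr):
                raise SubjectBaseError('bad attribute type %r' % attr)
            if not value.strip():
                raise SubjectBaseError('empty value for %s' % attr)
            avas.append((attr.lower(), value.strip()))
        rdns.append(avas)
    return rdns


def check_subject_base(subject):
    """Return the attribute types used, in order, or raise SubjectBaseError.

    Every AVA of every RDN is checked, so a multi-valued RDN such as
    'CN=a+FOO=b' is rejected even though its first component is acceptable.
    """
    used = []
    for rdn in parse_subject_base(subject):
        for attr, _value in rdn:
            if attr not in VALID_SUBJECT_ATTRS:
                raise SubjectBaseError('invalid attribute: %s' % attr)
            used.append(attr)
    return used


def is_valid_subject_base(subject):
    """Boolean wrapper around check_subject_base."""
    try:
        check_subject_base(subject)
        return True
    except SubjectBaseError:
        return False


if __name__ == '__main__':
    # Constructed inputs: a sane base, Martin's failing case, a multi-valued
    # RDN, an escaped comma inside a value and a trailing empty RDN.
    for candidate in ('O=EXAMPLE.COM', 'CN=ipa-ca-agent,FOO=BAR',
                      'CN=a+FOO=b,O=x', 'O=Acme\\, Inc.,C=US', 'O=x,'):
        try:
            print('%-28s ok  %s' % (candidate, check_subject_base(candidate)))
        except SubjectBaseError as exc:
            print('%-28s BAD %s' % (candidate, exc))
```

Rejecting early, at option-parsing time, is the point: the install run in Martin's mail only fails at step 4 of 16, after users and the pki-ca instance have already been created, whereas this check costs nothing and needs no cleanup.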


Added list of allowed attributes.

rob
From fcb39d9ab06242916381a63e922f4b93cb048971 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 7 Jul 2011 11:55:20 -0400
Subject: [PATCH] Validate that the certificate subject base is in valid DN format.

https://fedorahosted.org/freeipa/ticket/1176
---
 install/tools/ipa-server-install |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 35b16dae8c069d510ed0293930a2d026265aa990..8c51154699f84a7e071e3c69883c58eaf2163626 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,10 +58,13 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipalib.parameters import IA5Str
 from ipapython.config import IPAOptionParser
+from ipalib.dn import DN
 
 pw_name = None
 uninstalling = False
 
+VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title', 'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid', 'postaladdress', 'postalcode', 'postofficebox', 'houseidentifier', 'e', 'street', 'pseudonym', 'incorporationlocality', 'incorporationstate', 'incorporationcountry', 'businesscategory']
+
 def zonemgr_callback(option, opt_str, value, parser):
     """
     Make sure the zonemgr is an IA5String.
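Review bot: VALID_SUBJECT_ATTRS is declared as a list on one very long line and is searched with `in` for every RDN; a frozenset wrapped across several lines (a handful of attribute types per line) would keep the file's line length in check and make the membership test O(1). Since subject_callback lowercases the attribute type before comparing, a short comment stating that every entry must stay lowercase would prevent a future mixed-case entry from silently never matching.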
@@ -72,6 +75,21 @@ def zonemgr_callback(option, opt_str, value, parser):
     ia._convert_scalar(v)
     parser.values.zonemgr = value
 
+def subject_callback(option, opt_str, value, parser):
+    """
+    Make sure the certificate subject base is a valid DN
+    """
+    name = opt_str.replace('--','')
+    v = unicode(value, 'utf-8')
+    try:
+        dn = DN(v)
+        for x in xrange(len(dn)):
+            if dn[x][0].attr.lower() not in VALID_SUBJECT_ATTRS:
+                raise ValueError('invalid attribute: %s' % dn[x][0].attr.lower())
+    except ValueError, e:
+        raise ValueError('Invalid subject base format: %s' % str(e))
+    parser.values.subject = value
+
 def parse_options():
     # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
     namespace = random.randint(1, 10000) * 200000
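Review bot: the loop only inspects `dn[x][0]`, the first attribute/value pair of each RDN, so a multi-valued RDN such as `CN=a+FOO=BAR` would pass the allow-list check with `FOO` never examined; iterate over every AVA of each RDN (for example `for ava in dn[x]:`) instead of indexing `[0]`. Two smaller points in the same function: `name = opt_str.replace('--','')` is assigned and never used and can go, and raising a plain ValueError out of an optparse callback propagates as a traceback unless the caller catches it, whereas optparse turns `OptionValueError` into a clean usage message; consider `raise OptionValueError('Invalid subject base format: %s' % str(e))` in the except block. Note also that the `except ValueError` only produces the friendly message if DN() reports malformed input as a ValueError; any other exception type from the parser bypasses it.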
@@ -142,7 +160,8 @@ def parse_options():
                       help="The starting value for the IDs range (default random)")
     parser.add_option("--idmax", dest="idmax", default=0, type=int,
                       help="The max value value for the IDs range (default: idstart+199999)")
-    parser.add_option("--subject", dest="subject",
+    parser.add_option("--subject", action="callback", callback=subject_callback,
+                      type="string",
                       help="The certificate subject base (default O=<realm-name>)")
     parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
                       action="store_true",
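Review bot: dropping `dest="subject"` makes the option depend on optparse deriving the destination name from `--subject`, while `subject_callback` assigns `parser.values.subject` by that exact name; keeping `dest="subject"` explicit ties the two together for the reader and guards against a later rename of the flag. The callback only runs when the flag is given, so the documented default (O=<realm-name>) is unaffected, which is correct.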
-- 
1.7.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel