Martin Kosek wrote:
On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
Add subject key identifier to the dogtag server cert profile.

This will add it on upgrades too and any new certs issued will have a
subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

rob

NACK

I found few issues with the patch:

1) There is an extraneous pdb statement:
+    import pdb; pdb.set_trace()

2) The name of the config file should be put into a variable once rather
than built again every time in enable_subject_key_identifier. It would be
much more readable and less error prone:
+            installutils.set_directive('/var/lib/%
s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False,
separator='=')
+            installutils.set_directive('/var/lib/%
s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl',
quotes=False, separator='=')
...

3) We do not handle gracefully missing config file. This is what happens
when replica without CA is upgraded:
# rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
Preparing...                ########################################### [100%]
    1:freeipa-python         ########################################### [ 17%]
    2:freeipa-client         ########################################### [ 33%]
    3:freeipa-admintools     ########################################### [ 50%]
    4:freeipa-server         ########################################### [ 67%]
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
Traceback (most recent call last):
   File "/usr/sbin/ipa-upgradeconfig", line 301, in<module>
     sys.exit(main())
   File "/usr/sbin/ipa-upgradeconfig", line 297, in main
     upgrade_ipa_profile(krbctx.default_realm)
   File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
     if ca.enable_subject_key_identifier():
   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line 1079, in enable_subject_key_identifier
     setlist = 
installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % 
PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 429, in get_directive
     fd = open(filename, "r")
IOError: [Errno 2] No such file or directory: 
'/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
    5:freeipa-server-selinux ########################################### [ 83%]
    6:freeipa-debuginfo      ########################################### [100%]

      1. Martin


I think this should do it.

rob
>From e24088093029c1d8b55f487f009547d214bce568 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 7 Mar 2012 17:46:33 -0500
Subject: [PATCH] Add subject key identifier to the dogtag server cert
 profile.

This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
---
 install/tools/ipa-upgradeconfig |   13 ++++++++++
 ipaserver/install/cainstance.py |   47 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f406f29db4b8f33c153cccb1121675eb61..40a2b68ce89b58b98077428783a98e3060674665 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
     from ipaserver.install import httpinstance
     from ipaserver.install import memcacheinstance
     from ipaserver.install import service
+    from ipaserver.install import cainstance
+    from ipaserver.install import certs
     import ldap
     import krbV
     import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
         if fstore.has_file(filename):
             fstore.untrack_file(filename)
 
+def upgrade_ipa_profile(realm):
+    """
+    Update the IPA Profile provided by dogtag
+    """
+    ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+    if ca.is_configured():
+        if ca.enable_subject_key_identifier():
+            ca.restart()
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
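Review bot: The docstring of upgrade_ipa_profile says only which component is touched, not what is changed or that the CA may be restarted; suggest `Enable the Subject Key Identifier extension in the dogtag IPA service-cert profile. Skipped when no CA is configured on this host; the CA is restarted only if the profile was actually modified.` The two nested ifs can also be collapsed into one guard, `if ca.is_configured() and ca.enable_subject_key_identifier():`, which reads the same as the restart condition it expresses.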
@@ -284,6 +295,8 @@ def main():
         pass
 
     cleanup_kdc()
+    upgrade_ipa_profile(krbctx.default_realm)
+
 try:
     if __name__ == "__main__":
         sys.exit(main())
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3afc705ddc677c035d63c804d4a28737c03d8352..f953100be9d8e99abf402ae8453ca39a26758da1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -72,6 +72,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
 
+IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
 
 # We need to reset the template because the CA uses the regular boot
 # information
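Review bot: IPA_SERVICE_PROFILE is a module-level path constant with no comment saying what the file is or who rewrites it; suggest `# Dogtag profile used for IPA service certificates; CAInstance edits this file in place during install and upgrade.` Its expansion depends on PKI_INSTANCE_NAME being defined earlier in the module, which this hunk does not show.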
@@ -520,6 +521,7 @@ class CAInstance(service.Service):
             self.step("setting up signing cert profile", self.__setup_sign_profile)
             self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("set certificate subject base", self.__set_subject_in_config)
+            self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
             self.step("configuring certificate server to start on boot", self.__enable)
             if not self.clone:
                 self.step("restarting certificate server", self.__restart_instance)
@@ -1027,14 +1029,17 @@ class CAInstance(service.Service):
         installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
 
         # Fix the CRL URI in the profile
-        installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), quotes=False, separator='=')
+        installutils.set_directive(IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
+            'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
+            quotes=False, separator='=')
 
         ipaservices.restore_context(publishdir)
 
     def __set_subject_in_config(self):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject
-        if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
+        if installutils.update_file(IPA_SERVICE_PROFILE, 'OU=pki-ipa, O=IPA', self.subject_base):
             print "Updating subject_base in CA template failed"
 
     def uninstall(self):
@@ -1068,6 +1073,44 @@ class CAInstance(service.Service):
         shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
                     HTTPD_CONFD + "ipa-pki-proxy.conf")
 
+    def enable_subject_key_identifier(self):
+        """
+        See if Subject Key Identifier is set in the profile and if not, add it.
+        """
+        setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
+            'policyset.serverCertSet.list', separator='=')
+
+        # this is the default setting from pki-ca. Don't touch it if a user
+        # has manually modified it.
+        if setlist == '1,2,3,4,5,6,7,8':
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.list',
+                '1,2,3,4,5,6,7,8,10',
+                quotes=False, separator='=')
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.10.constraint.class_id',
+                'noConstraintImpl',
+                quotes=False, separator='=')
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.10.constraint.name',
+                'No Constraint',
+                quotes=False, separator='=')
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.10.default.class_id',
+                'subjectKeyIdentifierExtDefaultImpl',
+                quotes=False, separator='=')
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.10.default.name',
+                'Subject Key Identifier Extension Default',
+                quotes=False, separator='=')
+            installutils.set_directive(IPA_SERVICE_PROFILE,
+                'policyset.serverCertSet.10.default.params.critical',
+                'false',
+                quotes=False, separator='=')
+            return True
+
+        # No update was done
+        return False
 
 def install_replica_ca(config, postinstall=False):
     """
-- 
1.7.6
