flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was 

See the full pull-request at https://github.com/freeipa/freeipa/pull/50
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50
From 087c96fd57666aebe96863284ebfdb4861bf779a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 1 Sep 2016 13:56:24 +0200
Subject: [PATCH] Add cert checks in ipa-server-certinstall

When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert

 ipaserver/install/ipa_server_certinstall.py | 43 +++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 0a8fb21..705d666 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -25,8 +25,8 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
-from ipapython import admintool
-from ipapython.certdb import get_ca_nickname
+from ipapython import admintool, ipautil
+from ipapython.certdb import get_ca_nickname, NSSDatabase
 from ipapython.dn import DN
 from ipalib import api, errors
 from ipalib.constants import CACERT
@@ -157,6 +157,41 @@ def install_http_cert(self):
         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+    def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
+        # create a temp nssdb
+        with NSSDatabase() as tempnssdb:
+            db_password = ipautil.ipa_generate_password()
+            db_pwdfile = ipautil.write_tmp_file(db_password)
+            tempnssdb.create_db(db_pwdfile.name)
+            # import the PKCS12 file, then delete all CA certificates
+            # this leaves only the server certs in the temp db
+            try:
+                tempnssdb.import_pkcs12(pkcs12_filename, db_pwdfile.name,
+                    pkcs12_pin)
+                for nickname, flags in tempnssdb.list_certs():
+                    if 'u' not in flags:
+                        tempnssdb.delete_cert(nickname)
+            except RuntimeError as e:
+                raise admintool.ScriptError(str(e))
+            # import all the CA certs from nssdb into the temp db
+            for nickname, flags in nssdb.list_certs():
+                if 'u' not in flags:
+                    cert = nssdb.get_cert_from_db(nickname)
+                    tempnssdb.add_cert(cert, nickname, flags)
+            # now get the server certs from tempnssdb and check their validity
+            try:
+                for nick, flags in tempnssdb.find_server_certs():
+                    tempnssdb.verify_server_cert_validity(nick, api.env.host)
+            except ValueError as e:
+                raise admintool.ScriptError(
+                    "Peer's certificate issuer is not trusted. "
+                    "Please run ipa-cacert-manage install and ipa-certupdate "
+                    "to install the CA certificate.")
     def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
         pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
@@ -167,6 +202,10 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
         dirname = os.path.normpath(dirname)
         cdb = certs.CertDB(api.env.realm, nssdir=dirname)
+        # Check that the ca_cert is known and trusted
+        self.check_chain(pkcs12_file.name, pin, cdb)
             ca_enabled = api.Command.ca_is_enabled()['result']
             if ca_enabled:
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to