URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: Certdb passwd
Action: opened

PR body:
"""
With this patchset, ipa-client-install should not ask for NSS database password.

Prerequisite:
https://github.com/freeipa/freeipa/pull/367
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 78a0a62860d0b2c1733ea9151a75cf085bca177b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipapython/certdb.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..3531730 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,7 +83,8 @@ class NSSDatabase(object):
     # got too tied to IPA server details, killing reusability.
     # BaseCertDB is a class that knows nothing about IPA.
     # Generic NSS DB code should be moved here.
-    def __init__(self, nssdir=None):
+    def __init__(self, nssdir=None, password_filename=None):
+        self.password_filename = password_filename
         if nssdir is None:
             self.secdir = tempfile.mkdtemp()
             self._is_temporary = True
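Review bot: The new `password_filename` parameter is stored without any documentation of what it holds or how it is used, and `__init__` has no docstring, so a caller cannot tell from the signature whether this is a path or the password itself. I would add `:param password_filename: path to a file holding the NSS DB password; when set it is passed to every certutil call as -f, so the password never appears on the command line`. The `__init__` body continues past the end of the hunk.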
@@ -104,6 +105,8 @@ def __exit__(self, type, value, tb):
     def run_certutil(self, args, stdin=None, **kwargs):
         new_args = [CERTUTIL, "-d", self.secdir]
         new_args = new_args + args
+        if self.password_filename is not None:
+            new_args.extend(['-f', self.password_filename])
         return ipautil.run(new_args, stdin, **kwargs)
 
     def create_db(self, password_filename):
@@ -111,7 +114,9 @@ def create_db(self, password_filename):
 
         :param password_filename: Name of file containing the database password
         """
-        self.run_certutil(["-N", "-f", password_filename])
+        # run_certutil will use self.password_filename to setup the db
+        self.password_filename = password_filename
+        self.run_certutil(["-N"])
 
     def list_certs(self):
         """Return nicknames and cert flags for all certs in the database
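Review bot: `create_db` now silently rebinds `self.password_filename`, so a database constructed with one password file and created with another uses the create-time file for every later certutil call, and if the file given to `create_db` is a temporary one that the caller removes afterwards, later calls fail on an unreadable password file rather than prompting. Not prompting is exactly what the ticket asks for, but the side effect deserves a sentence in the docstring: `Also records *password_filename* on the instance so that subsequent certutil calls authenticate with it via -f.` The inline comment above the assignment reads as if `run_certutil` sets the DB up; it only passes `-f`, so `# remember the file so run_certutil passes it as -f` is more accurate.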

From 3b278308c1c29ac56b2e2c0c4c55fd0b5ad43553 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 6 Jan 2017 14:19:12 +0100
Subject: [PATCH 2/3] custodiainstance: don't use IPA-specific CertDB

Replaced CertDB with NSSDatabase. CertDB expects the password
to be stored in nss_dir/passwd.txt but custodia creates its
temporary NSS database with a different password file.
---
 ipaserver/install/custodiainstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index a0bb399..314578c 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -2,12 +2,12 @@
 
 from ipaserver.secrets.kem import IPAKEMKeys
 from ipaserver.secrets.client import CustodiaClient
-from ipaserver.install.certs import CertDB
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
+from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import sysupgrade
@@ -159,7 +159,7 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
                              '-w', pk12pwfile])
 
             # Add CA certificates
-            tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
+            tmpdb = NSSDatabase(tmpnssdir, password_filename=nsspwfile)
             self.suffix = ipautil.realm_to_suffix(self.realm)
             self.import_ca_certs(tmpdb, True)
 

From 2ebd4652bb71eda072613f2863e0259006a30399 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 8 Feb 2017 16:03:05 +0100
Subject: [PATCH 3/3] Don't prompt for NSS database psswd during client-install

In FIPS, the client-installation prompts for NSS database password
when it tries to add a certificate to this database. Since
NSSDatabase now accepts password_filename to grab the password from,
use this instead.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..bbf94fc 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -83,8 +83,6 @@ class CertDB(object):
     def __init__(
             self, realm, nssdir=NSS_DIR, fstore=None, host_name=None,
             subject_base=None, ca_subject=None):
-        self.nssdb = NSSDatabase(nssdir)
-
         self.secdir = nssdir
         self.realm = realm
 
@@ -97,6 +95,9 @@ def __init__(
         self.pk12_fname = self.secdir + "/cacert.p12"
         self.pin_fname = self.secdir + "/pin.txt"
         self.pwd_conf = paths.HTTPD_PASSWORD_CONF
+        self.nssdb = NSSDatabase(
+            self.secdir, password_filename=self.passwd_fname)
+
         self.reqdir = None
         self.certreq_fname = None
         self.certder_fname = None
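Review bot: The moved construction now depends on `self.passwd_fname`, which is assigned outside the hunk (between the two hunks; per the patch 2 message it points at `nssdir/passwd.txt`), so `__init__` has become order-sensitive in a way the old `NSSDatabase(nssdir)` line was not; either move the `passwd_fname` assignment directly above or add `# NSSDatabase needs self.passwd_fname, assigned above`. This also changes behaviour for any CertDB whose nssdir has no passwd.txt: certutil is always given `-f`, so operations that need the token password now fail on the missing file instead of prompting, which is the no-prompt behaviour the ticket wants but should be stated in the commit message or a comment. `__init__` continues past the end of the hunk.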
-- 