URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: Certdb passwd Action: opened
PR body: """ With this patchset, ipa-client-install should not ask for NSS database password. Prerequisite: https://github.com/freeipa/freeipa/pull/367 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446
From 78a0a62860d0b2c1733ea9151a75cf085bca177b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase
NSSDatabases should have the ability to run certutil with a password if location of the file containing it is known.
https://fedorahosted.org/freeipa/ticket/5695
---
 ipapython/certdb.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..3531730 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,7 +83,8 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
- def __init__(self, nssdir=None):
+ def __init__(self, nssdir=None, password_filename=None):
+ self.password_filename = password_filename
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
@@ -104,6 +105,8 @@ def __exit__(self, type, value, tb):
 def run_certutil(self, args, stdin=None, **kwargs):
 new_args = [CERTUTIL, "-d", self.secdir]
 new_args = new_args + args
+ if self.password_filename is not None:
+ new_args.extend(['-f', self.password_filename])
 return ipautil.run(new_args, stdin, **kwargs)
 def create_db(self, password_filename):
@@ -111,7 +114,9 @@ def create_db(self, password_filename):
 :param password_filename: Name of file containing the database password
 """
- self.run_certutil(["-N", "-f", password_filename])
+ # run_certutil will use self.password_filename to setup the db
+ self.password_filename = password_filename
+ self.run_certutil(["-N"])
 def list_certs(self):
 """Return nicknames and cert flags for all certs in the database
From 3b278308c1c29ac56b2e2c0c4c55fd0b5ad43553 Mon Sep 17 00:00:00 2001
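Review bot: `create_db` now overwrites `self.password_filename` as a side effect, so a database constructed with one password file and created with another silently switches every later certutil invocation, and neither `__init__` nor `create_db` documents the new attribute; I would add to `__init__` a line such as `:param password_filename: file holding the DB password; when set, every run_certutil call passes it to certutil via -f` and extend the create_db param text with `; also stored as self.password_filename for all later calls`. In `run_certutil` the `-f` pair is appended after the caller's args, so any existing call site that still passes its own `-f` hands certutil the option twice, and which value wins is left to certutil's option parser; `if self.password_filename is not None and '-f' not in args:` keeps such callers unambiguous until they are migrated. The class body continues outside these hunks, so other methods that build certutil argument lists themselves could not be checked here.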
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 6 Jan 2017 14:19:12 +0100
Subject: [PATCH 2/3] custodiainstance: don't use IPA-specific CertDB
Replaced CertDB with NSSDatabase. CertDB expects the password to be stored in nss_dir/passwd.txt but custodia creates its temporary NSS database with a different password file.
---
 ipaserver/install/custodiainstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index a0bb399..314578c 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -2,12 +2,12 @@
 from ipaserver.secrets.kem import IPAKEMKeys
 from ipaserver.secrets.client import CustodiaClient
-from ipaserver.install.certs import CertDB
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
+from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import sysupgrade
@@ -159,7 +159,7 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 '-w', pk12pwfile])
 # Add CA certificates
- tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
+ tmpdb = NSSDatabase(tmpnssdir, password_filename=nsspwfile)
 self.suffix = ipautil.realm_to_suffix(self.realm)
 self.import_ca_certs(tmpdb, True)
From 2ebd4652bb71eda072613f2863e0259006a30399 Mon Sep 17 00:00:00 2001
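Review bot: The second hunk hands `import_ca_certs` an `NSSDatabase` where it previously received a `CertDB`; patch 3 shows CertDB is a realm-aware wrapper that itself holds an `NSSDatabase` in `self.nssdb`, so `import_ca_certs` (defined outside this hunk) must only touch methods both classes provide, which is worth confirming and worth recording at the call site, e.g. `# tmpdb is a plain NSSDatabase, not a CertDB; import_ca_certs must not rely on CertDB-only helpers`. `tmpnssdir` and `nsspwfile` are bound earlier in `__get_keys`, outside the hunk, so whether `nsspwfile` is the same file the temporary database was created with cannot be checked from here. In the import block the new `from ipapython.certdb import NSSDatabase` sits between an `ipapython` import and the `ipaserver.install` group; moving it next to `from ipapython import ipautil` would keep the module grouping the file already follows.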
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 8 Feb 2017 16:03:05 +0100
Subject: [PATCH 3/3] Don't prompt for NSS database psswd during client-install
In FIPS, the client-installation prompts for NSS database password when it tries to add a certificate to this database. Since NSSDatabase now accepts password_filename to grab the password from, use this instead.
https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..bbf94fc 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -83,8 +83,6 @@ class CertDB(object):
 def __init__(
 self, realm, nssdir=NSS_DIR, fstore=None, host_name=None,
 subject_base=None, ca_subject=None):
- self.nssdb = NSSDatabase(nssdir)
-
 self.secdir = nssdir
 self.realm = realm
@@ -97,6 +95,9 @@ def __init__(
 self.pk12_fname = self.secdir + "/cacert.p12"
 self.pin_fname = self.secdir + "/pin.txt"
 self.pwd_conf = paths.HTTPD_PASSWORD_CONF
+ self.nssdb = NSSDatabase(
+ self.secdir, password_filename=self.passwd_fname)
+
 self.reqdir = None
 self.certreq_fname = None
 self.certder_fname = None
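Review bot: The second hunk makes every certutil call issued through `CertDB.nssdb` pass `-f self.passwd_fname` unconditionally, but `self.passwd_fname` is assigned between the two hunks, outside the visible lines, and nothing here shows that the file exists for every database a CertDB is opened on; when `-f` names a missing file certutil fails to read the password rather than prompting, so a pre-existing database that never had a password file would now error instead of asking. Whether that is acceptable depends on the call sites, so the precondition should at least be stated on the new lines, e.g. `# assumes the password file at self.passwd_fname exists; certutil -f fails on a missing file`, and a clearer error than certutil's would help the installer log if the file is indeed mandatory. Both hunks sit inside `__init__`, whose body continues past the second one.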