URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
Title: #490: [WIP] certdb: use certutil and match_hostname for cert
verification
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/490/head:pr490
git checkout pr490
From b83b5998b2917215d964114b0548cbaa8b89b5d8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 2 Jan 2017 13:53:18 +0100
Subject: [PATCH] certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.
---
freeipa.spec.in | 16 +++++------
ipalib/x509.py | 27 ++++++++++++++++++
ipapython/certdb.py | 80 ++++++++++++++++++++---------------------------------
ipasetup.py.in | 2 +-
4 files changed, 66 insertions(+), 59 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..2cde0da 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -129,8 +129,8 @@ BuildRequires: python-cffi
%if 0%{?with_lint}
BuildRequires: samba-python
BuildRequires: python-setuptools
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python-cryptography >= 1.6
BuildRequires: python-gssapi >= 1.2.0
BuildRequires: pylint >= 1.0
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -165,8 +165,8 @@ BuildRequires: python2-jinja2
# FIXME: this depedency is missing - server will not work
#BuildRequires: python3-samba
BuildRequires: python3-setuptools
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python3-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-gssapi >= 1.2.0
BuildRequires: python3-pylint >= 1.0
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -592,7 +592,7 @@ Requires: gnupg
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss >= 0.16
-Requires: python-cryptography >= 1.4
+Requires: python-cryptography >= 1.6
Requires: python-netaddr
Requires: python-libipa_hbac
Requires: python-qrcode-core >= 5.0.0
@@ -642,7 +642,7 @@ Requires: gnupg
Requires: keyutils
Requires: python3-pyOpenSSL
Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
Requires: python3-netaddr
Requires: python3-libipa_hbac
Requires: python3-qrcode-core >= 5.0.0
@@ -717,7 +717,7 @@ Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Requires: ldns-utils
Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.4
+Requires: python2-cryptography >= 1.6
Provides: %{alt_name}-tests = %{version}
Conflicts: %{alt_name}-tests
@@ -751,7 +751,7 @@ Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: ldns-utils
Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f65cf81..da0b4bc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -35,6 +35,7 @@
import binascii
import datetime
import ipaddress
+import ssl
import base64
import re
@@ -49,6 +50,7 @@
from ipalib import util
from ipalib import errors
from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
@@ -543,3 +545,28 @@ def format_datetime(t):
if t.tzinfo is None:
t = t.replace(tzinfo=UTC())
return unicode(t.strftime("%a %b %d %H:%M:%S %Y %Z"))
+
+
+def match_hostname(cert, hostname):
+ match_cert = {}
+
+ match_cert['subject'] = match_subject = []
+ for rdn in cert.subject.rdns:
+ match_rdn = []
+ for ava in rdn:
+ if ava.oid == cryptography.x509.oid.NameOID.COMMON_NAME:
+ match_rdn.append(('commonName', ava.value))
+ match_subject.append(match_rdn)
+
+ try:
+ san = cert.extensions.get_extension_for_class(
+ cryptography.x509.SubjectAlternativeName)
+ except cryptography.x509.ExtensionNotFound:
+ pass
+ else:
+ match_cert['subjectAltName'] = match_san = []
+ for value in san.value.get_values_for_type(cryptography.x509.DNSName):
+ value = DNSName(value).ToASCII()
+ match_san.append(('DNS', value))
+
+ ssl.match_hostname(match_cert, hostname)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index b22c3c1..23c4226 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -25,9 +25,9 @@
import tempfile
import shutil
import base64
+
from cryptography.hazmat.primitives import serialization
-from nss import nss
-from nss.error import NSPRError
+import cryptography.x509
from ipaplatform.tasks import tasks
from ipapython.dn import DN
@@ -532,59 +532,39 @@ def verify_server_cert_validity(self, nickname, hostname):
Raises a ValueError if the certificate is invalid.
"""
- certdb = cert = None
- if nss.nss_is_initialized():
- nss.nss_shutdown()
- nss.nss_init(self.secdir)
+ cert = self.get_cert(nickname)
+ cert = x509.load_certificate(cert, x509.DER)
+
try:
- certdb = nss.get_default_certdb()
- cert = nss.find_cert_from_nickname(nickname)
- intended_usage = nss.certificateUsageSSLServer
- try:
- approved_usage = cert.verify_now(certdb, True, intended_usage)
- except NSPRError as e:
- if e.errno != -8102:
- raise ValueError(e.strerror)
- approved_usage = 0
- if not approved_usage & intended_usage:
- raise ValueError('invalid for a SSL server')
- if not cert.verify_hostname(hostname):
- raise ValueError('invalid for server %s' % hostname)
- finally:
- del certdb, cert
- nss.nss_shutdown()
+ self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
+ except ipautil.CalledProcessError:
+ raise ValueError('invalid for a SSL server')
- return None
+ try:
+ x509.match_hostname(cert, hostname)
+ except ValueError:
+ raise ValueError('invalid for server %s' % hostname)
def verify_ca_cert_validity(self, nickname):
- certdb = cert = None
- if nss.nss_is_initialized():
- nss.nss_shutdown()
- nss.nss_init(self.secdir)
+ cert = self.get_cert(nickname)
+ cert = x509.load_certificate(cert, x509.DER)
+
+ if not cert.subject:
+ raise ValueError("has empty subject")
+
try:
- certdb = nss.get_default_certdb()
- cert = nss.find_cert_from_nickname(nickname)
- if not cert.subject:
- raise ValueError("has empty subject")
- try:
- bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
- except KeyError:
- raise ValueError("missing basic constraints")
- bc = nss.BasicConstraints(bc.value)
- if not bc.is_ca:
- raise ValueError("not a CA certificate")
- intended_usage = nss.certificateUsageSSLCA
- try:
- approved_usage = cert.verify_now(certdb, True, intended_usage)
- except NSPRError as e:
- if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
- raise ValueError(e.strerror)
- approved_usage = 0
- if approved_usage & intended_usage != intended_usage:
- raise ValueError('invalid for a CA')
- finally:
- del certdb, cert
- nss.nss_shutdown()
+ bc = cert.extensions.get_extension_for_class(
+ cryptography.x509.BasicConstraints)
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing basic constraints")
+
+ if not bc.ca:
+ raise ValueError("not a CA certificate")
+
+ try:
+ self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
+ except ipautil.CalledProcessError:
+ raise ValueError('invalid for a CA')
def publish_ca_cert(self, canickname, location):
args = ["-L", "-n", canickname, "-a"]
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 915f0ed..d2741cd 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -63,7 +63,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
PACKAGE_VERSION = {
- 'cryptography': 'cryptography >= 1.4',
+ 'cryptography': 'cryptography >= 1.6',
'dnspython': 'dnspython >= 1.15',
'gssapi': 'gssapi >= 1.2.0',
'ipaclient': 'ipaclient == {}'.format(VERSION),
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
