URL: https://github.com/freeipa/freeipa/pull/663
Author: stlaz
 Title: #663: Generate PIN for PKI to help Dogtag in FIPS
Action: opened

PR body:
"""
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.

https://pagure.io/freeipa/issue/6824
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/663/head:pr663
git checkout pr663
From 287954ab65a579f9551ecd5c6d8e403e5f06abc9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 28 Mar 2017 13:54:16 +0200
Subject: [PATCH] Generate PIN for PKI to help Dogtag in FIPS

Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.

https://pagure.io/freeipa/issue/6824
---
 ipaserver/install/cainstance.py  | 6 +++++-
 ipaserver/install/krainstance.py | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0d3c23..92bb760 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,6 +541,10 @@ def __spawn_instance(self):
         # CA key algorithm
         config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
 
+        # generate pin which we know can be used for FIPS NSS database
+        pki_pin = ipautil.ipa_generate_password()
+        config.set("CA", "pki_pin", pki_pin)
+
         if self.clone:
 
             if self.no_db_setup:
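Review bot: The comment on the added `pki_pin` lines asserts that the value is usable for a FIPS NSS database, but `ipautil.ipa_generate_password()` is called with its defaults, so that guarantee lives in another module and is neither visible nor pinned here; the same applies to the identical lines added in krainstance.py. I would have the comment state the actual requirement and mark the value as a secret, e.g. `# Dogtag cannot generate its NSS DB PIN in FIPS mode, so supply one. Secret: it is written to cfg_file and must stay in nolog_list.` It is also worth confirming that the generated character set is safe for the config format: `config` is created outside this hunk and the file is parsed again by the Dogtag installer, so a `%` in the value might be treated as interpolation, which I cannot verify from the lines shown. `__spawn_instance` starts and ends outside the hunk.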
@@ -613,7 +617,7 @@ def __spawn_instance(self):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password)
+                nolog_list=(self.dm_password, self.admin_password, pki_pin)
             )
         finally:
             os.remove(cfg_file)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index b41ccb6..34d6678 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,6 +235,10 @@ def __spawn_instance(self):
             "KRA", "pki_share_dbuser_dn",
             str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
 
+        # generate pin which we know can be used for FIPS NSS database
+        pki_pin = ipautil.ipa_generate_password()
+        config.set("KRA", "pki_pin", pki_pin)
+
         _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
 
         if self.clone:
@@ -275,7 +279,7 @@ def __spawn_instance(self):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password)
+                nolog_list=(self.dm_password, self.admin_password, pki_pin)
             )
         finally:
             os.remove(p12_tmpfile_name)
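Review bot: The `nolog_list` tuple is now extended by hand in both cainstance.py and krainstance.py, so redaction of `pki_pin` depends on each caller remembering to list it. A future subsystem installer that copies the `config.set(..., "pki_pin", pki_pin)` lines but not this one would leave the PIN in the install log. One option is to keep the value on the instance (`self.pki_pin = ipautil.ipa_generate_password()`) and have `DogtagInstance.spawn_instance` add it to the no-log values itself, though that method is not shown here, so I cannot confirm how it builds the list. The `finally:` block continues past the end of this hunk.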
-- 