Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

2010-11-18 Thread Simo Sorce
On Tue, 9 Nov 2010 15:12:25 -0500
Simo Sorce sso...@redhat.com wrote:

 On Mon, 8 Nov 2010 19:34:12 -0500
 Simo Sorce sso...@redhat.com wrote:
 
  Patch 0004: Add basic certificate creation for selfsigned CA and
  KDC configuration. openssl had to be used because the NSS tools
  cannot deal with the special subjectaltName needed for the KDC
  certificate.
 
 Rebased this one on top of master (there was a conflict after latest
 pushes).
 
 Simo.
 

This is a rebase of all the patches in this thread on top of current
master.

-- 
Simo Sorce * Red Hat, Inc * New York
From b70eca77b31c4f6e5c7b2fce93f6badca230838c Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 1 Nov 2010 13:51:14 -0400
Subject: [PATCH 01/12] Use Realm as certs subject base name

Also use the realm name as nickname for the CA certificate
---
 install/tools/ipa-replica-install |2 +-
 install/tools/ipa-replica-prepare |6 +++---
 install/tools/ipa-server-certinstall  |2 +-
 install/tools/ipa-server-install  |   14 --
 install/tools/man/ipa-server-install.1|2 +-
 ipa-client/ipa-install/ipa-client-install |4 ++--
 ipapython/certdb.py   |4 +++-
 ipaserver/install/cainstance.py   |   16 ++--
 ipaserver/install/certs.py|   15 ++-
 ipaserver/install/dsinstance.py   |8 
 ipaserver/install/httpinstance.py |   14 +++---
 ipaserver/plugins/selfsign.py |5 +++--
 12 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e4aae4aa3c34e283b3da71c8fcd3193ab901ca83..2beadae812dbe87927855dab42e2a44802e38a02 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -48,7 +48,7 @@ class ReplicaConfig:
 self.host_name = 
 self.repl_password = 
 self.dir = 
-self.subject_base = O=IPA
+self.subject_base = 
 
 def parse_options():
 usage = %prog [options] REPLICA_FILE
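Review bot: The replacement default for `self.subject_base` is an empty string, and nothing in this hunk checks that it is populated before the replica's certificates are generated; presumably the value is read from the replica info file later in the script, so a file written by an older ipa-replica-prepare that did not record a subject base would leave it empty and the certificate subjects would silently lack the base DN — worth confirming against the code that parses the replica file, which is outside this hunk. A guard at that point that exits with a clear message while the field is still empty would turn the silent case into an explicit failure. The same hunk appears again in the [PATCH 1/6] copy of this patch further down the page.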
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6e9d649ae6146c850ce6780efa7cccbe1f6100f4..059b011f9f60128ceba171cf5129e8c769e1eaf3 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
 try:
 self_signed = certs.ipa_self_signed()
 
-db = certs.CertDB(dir, subject_base=subject_base)
+db = certs.CertDB(dir, realm_name, subject_base=subject_base)
 db.create_passwd_file()
 #if self_signed:
 #ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
 #db.create_from_cacert(ca_db.cacert_fname)
 #else:
 #ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
-ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
 db.create_from_cacert(ca_db.cacert_fname)
 db.create_server_cert(Server-Cert, hostname, ca_db)
 except Exception, e:
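Review bot: `self_signed` is assigned on the second line of the hunk, but the only code that consumed it is the commented-out `#if self_signed:` block sitting directly above the changed `ca_db = certs.CertDB(...)` line, so within this hunk the variable is dead and the five commented lines are stale. Carrying commented-out calls next to a constructor whose signature has just changed (a positional `realm_name` now sits between `dir` and the `subject_base` keyword) invites resurrecting them later with the old signature; either delete the block or restore the branch with the new signature. export_certdb's signature and the `except` handler continue outside the hunk, so I cannot tell whether `self_signed` is used further down. The same applies to the identical hunk in the [PATCH 1/6] copy of this patch below.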
@@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):
 
 try:
 try:
-db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
 
 if db.has_nickname(ipaCert):
 pkcs12_fname = %s/ra.p12 % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d853f71889e42d5f9570d153c2b978ef9965..9d69853e51308234cb3330b18e9d5665de62f5ca 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
 return server_certs[num - 1]
 
 def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
-cdb = certs.CertDB(dirname)
+cdb = certs.CertDB(dirname, api.env.realm)
 cdb.create_passwd_file(db_password)
 cdb.create_certdbs()
 [pw_fd, pw_name] = tempfile.mkstemp()
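Review bot: The changed line references `api.env.realm`, but the diffstat lists ipa-server-certinstall with a single-line change, so this patch adds no import of `api` to that script; unless the name is already imported there (not visible in this hunk), import_cert would raise NameError at run time rather than at load, because the name is only resolved when the function is called. Worth confirming that `api` is in scope at the top of ipa-server-certinstall before merging.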
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c8a17c99d8eee92759d309874e7159095e1d5ca7..569079d5a60cd3b0af09965c952c05fdaca0a1b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -122,8 +122,8 @@ def parse_options():
   help=The starting uid value (default random))
 parser.add_option(--gidstart, dest=gidstart, default=namespace, type=int,
   help=The starting gid value (default random))
-parser.add_option(--subject, dest=subject, default=O=IPA,
-  help=The certificate subject base (default O=IPA))
+parser.add_option(--subject, dest=subject,
+ 

Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

2010-11-18 Thread Simo Sorce
On Thu, 18 Nov 2010 12:27:57 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Simo Sorce wrote:
  On Tue, 9 Nov 2010 15:12:25 -0500
  Simo Sorcesso...@redhat.com  wrote:
 
  On Mon, 8 Nov 2010 19:34:12 -0500
  Simo Sorcesso...@redhat.com  wrote:
 
  Patch 0004: Add basic certificate creation for selfsigned CA and
  KDC configuration. openssl had to be used because the NSS tools
  cannot deal with the special subjectaltName needed for the KDC
  certificate.
 
  Rebased this one on top of master (there was a conflict after
  latest pushes).
 
  Simo.
 
 
  This is a rebase of all the patches in this thread on top of current
  master.
 
 acks all around

Pushed all to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

2010-11-09 Thread Simo Sorce
On Mon, 8 Nov 2010 19:34:12 -0500
Simo Sorce sso...@redhat.com wrote:

 
 This set of patches implements the first part of ticket #55
 The patchset only adds the ability to install pkinit with the
 selfsigned CA (or with externally provided certs).
 
 If you need to use/test dogtag you can pass the --no-pkinit option for
 the time being, as setting up pkinit is performed by default.
 
 Patch 0003: change the install tools to use a subject base based on
 the realm name and not O=IPA for all installs.

I realized this patch ^^ should probably have been posted separately,
although it is a dependency for all others. It fixes #427

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

2010-11-09 Thread Simo Sorce
On Mon, 8 Nov 2010 19:34:12 -0500
Simo Sorce sso...@redhat.com wrote:

 Patch 0004: Add basic certificate creation for selfsigned CA and KDC
 configuration. openssl had to be used because the NSS tools cannot
 deal with the special subjectaltName needed for the KDC certificate.

Rebased this one on top of master (there was a conflict after latest
pushes).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From d3ab2c9a543a431a0c3accc160e96a41ce143bd0 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Fri, 29 Oct 2010 16:23:21 -0400
Subject: [PATCH] Add support for configuring KDC certs for PKINIT

This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
---
 install/share/Makefile.am |2 +
 install/share/kdc.conf.template   |2 +
 install/share/kdc_extensions.template |   32 
 install/share/kdc_req.conf.template   |   14 +
 install/tools/ipa-server-install  |   36 +-
 ipaserver/install/certs.py|   88 +++--
 ipaserver/install/krbinstance.py  |   46 +-
 7 files changed, 214 insertions(+), 6 deletions(-)
 create mode 100644 install/share/kdc_extensions.template
 create mode 100644 install/share/kdc_req.conf.template

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e4b6ca385529e118a1a486eb8687b19e78f5f133..3423ce2874021e3380832c190ff10848d2e2c216 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -24,6 +24,8 @@ app_DATA =\
 	bind.zone.db.template		\
 	certmap.conf.template		\
 	kdc.conf.template		\
+	kdc_extensions.template		\
+	kdc_req.conf.template		\
 	krb5.conf.template		\
 	krb5.ini.template		\
 	krb.con.template		\
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 4a2cca412c7a5a1b8a45f6d114ec844aa02822ea..f8e07c77bdbffe3d73baf016aae1b9733adb7390 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,4 +12,6 @@
   dict_file = /usr/share/dict/words
   default_principal_flags = +preauth
 ;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
+  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  }
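Review bot: `pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem` names no separate key file, so krb5 reads the KDC's private key from kdc.pem itself, which makes the file's ownership and mode security-relevant; the template cannot enforce that, and the code that writes kdc.pem (certs.py / krbinstance.py per the diffstat, outside this view) should create it readable by the KDC user only — worth confirming. A comment above the two new lines would record the expectation for anyone editing the template: `; kdc.pem holds the KDC certificate and its private key; keep it readable by the KDC only`. `pkinit_anchors` separately defines the CA certificates the KDC will accept for client certificates, so cacert.pem should contain only the IPA CA.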
diff --git a/install/share/kdc_extensions.template b/install/share/kdc_extensions.template
new file mode 100644
index ..df992babd406b0f7cffbfca1539d38a862b29f8c
--- /dev/null
+++ b/install/share/kdc_extensions.template
@@ -0,0 +1,32 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+# Also add the KDC fqdn, for good measure.
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::HOST_FQDN}
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:${ENV::REALM}
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM}
+
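Review bot: The comment `# Here are some examples of the usage of nsCertType. If it is omitted` is a truncated fragment carried over from OpenSSL's sample configuration and does not describe the `keyUsage` line under it; likewise `# Copy subject details` sits above `issuerAltName=issuer:copy`, which copies issuer data, not subject details. Replace the first with `# Key usage for a PKINIT KDC certificate (RFC 4556 requires digitalSignature)` and the second with `# Copy the issuer name into issuerAltName`. The usage list `nonRepudiation, digitalSignature, keyEncipherment, keyAgreement` is also broader than PKINIT needs, since the KDC certificate is only used to sign; unless another consumer of this certificate relies on the extra bits, trimming it to `keyUsage = digitalSignature` keeps the key usage to the minimum required.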
diff --git a/install/share/kdc_req.conf.template b/install/share/kdc_req.conf.template
new file mode 100644
index ..872852079c09584d3db41d63788d95630029aab2
--- /dev/null
+++ b/install/share/kdc_req.conf.template
@@ -0,0 +1,14 @@
+[ req ]
+default_bits   = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password= $PASSWORD
+
+[ req_distinguished_name ]
+$SUBJBASE
+$CERTNAME
+
+[ req_attributes ]
+challengePassword = A challenge password
+
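Review bot: `output_password = $PASSWORD` means the rendered request configuration carries the private key password in clear text, and the `$SUBJBASE`/`$CERTNAME` placeholders show it is expanded by the installer at run time; the code that renders it (certs.py per the diffstat, outside this view) should write it to a temporary file created with mode 0600 and remove it once openssl has run — worth confirming. The `[ req_attributes ]` section with the literal `challengePassword = A challenge password` is OpenSSL sample boilerplate that embeds a meaningless attribute in every request; since it is only reached through `attributes = req_attributes`, dropping that line and the section together is cleaner.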
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b58675fb2dc7e938186e0da4e85e994d36e8fa57..464ebe640c5f78b5b4e93c7ac9dc4bc20171fbd3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -106,14 +106,20 @@ def parse_options():
   default=False, help=uninstall an existing installation)
 parser.add_option(-N, --no-ntp, dest=conf_ntp, action=store_false,
   help=do not configure ntp, default=True)
+parser.add_option(--no-pkinit, dest=setup_pkinit, action=store_false,
+  default=True, help=disables pkinit setup steps)
 parser.add_option(--dirsrv_pkcs12, dest=dirsrv_pkcs12,
   help=PKCS#12 file containing the Directory Server SSL certificate)
 parser.add_option(--http_pkcs12, dest=http_pkcs12,
   help=PKCS#12 file containing the Apache Server SSL certificate)
+parser.add_option(--pkinit_pkcs12, dest=pkinit_pkcs12,
+  

[Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

2010-11-08 Thread Simo Sorce

This set of patches implements the first part of ticket #55
The patchset only adds the ability to install pkinit with the
selfsigned CA (or with externally provided certs).

If you need to use/test dogtag you can pass the --no-pkinit option for
the time being, as setting up pkinit is performed by default.

Patch 0003: change the install tools to use a subject base based on the
realm name and not O=IPA for all installs.

Patch 0004: Add basic certificate creation for selfsigned CA and KDC
configuration. openssl had to be used because the NSS tools cannot deal
with the special subjectaltName needed for the KDC certificate.

Patch 0005: Always set pkinit_anchors so that all clients are
preconfigured to do anonymous pkinit including master. Even if the
client does not support pkinit adding the option does not cause any
harm so it is a safe default.

Patch 0006: Add the well-known principal needed to perform anonymous
pkinit AS requests. This principal is *DISABLED* by default.

Patch 0007: Add a new plugin that allows enabling the well-known
account, effectively allowing anonymous pkinit tickets to be obtained.
(As a bonus it implements disable too :)

Patch 0008: Add support for configuring pkinit certs on replicas too.


What is still missing is dogtag integration and certmonger tracking.
Couldn't work on the dogtag part yet because it won't work on f14 which
is the only fedora version that has a kerberos version recent enough to
support asking for anonymous pkinit tickets.
Certmonger will need some thinking too as the KDC ticket requires a
different code path to be renewed (different commands in selfsign CA and
different profile with dogtag).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 9787b05a29eb7f0c80b60bf47d8d5acf213ceb8b Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 1 Nov 2010 13:51:14 -0400
Subject: [PATCH 1/6] Use Realm as certs subject base name

Also use the realm name as nickname for the CA certificate
---
 install/tools/ipa-replica-install |2 +-
 install/tools/ipa-replica-prepare |6 +++---
 install/tools/ipa-server-certinstall  |2 +-
 install/tools/ipa-server-install  |   14 --
 install/tools/man/ipa-server-install.1|2 +-
 ipa-client/ipa-install/ipa-client-install |4 ++--
 ipapython/certdb.py   |4 +++-
 ipaserver/install/cainstance.py   |   16 ++--
 ipaserver/install/certs.py|   15 ++-
 ipaserver/install/dsinstance.py   |8 
 ipaserver/install/httpinstance.py |   14 +++---
 ipaserver/plugins/selfsign.py |5 +++--
 12 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e54101202553395fab2515a4c67e1e5f0424b0ab..8cf8d84597588f86110958bc95ff4ad9015709da 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -47,7 +47,7 @@ class ReplicaConfig:
 self.host_name = 
 self.repl_password = 
 self.dir = 
-self.subject_base = O=IPA
+self.subject_base = 
 
 def parse_options():
 from optparse import OptionParser
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6e9d649ae6146c850ce6780efa7cccbe1f6100f4..059b011f9f60128ceba171cf5129e8c769e1eaf3 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
 try:
 self_signed = certs.ipa_self_signed()
 
-db = certs.CertDB(dir, subject_base=subject_base)
+db = certs.CertDB(dir, realm_name, subject_base=subject_base)
 db.create_passwd_file()
 #if self_signed:
 #ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
 #db.create_from_cacert(ca_db.cacert_fname)
 #else:
 #ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
-ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
 db.create_from_cacert(ca_db.cacert_fname)
 db.create_server_cert(Server-Cert, hostname, ca_db)
 except Exception, e:
@@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):
 
 try:
 try:
-db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
 
 if db.has_nickname(ipaCert):
 pkcs12_fname = %s/ra.p12 % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d853f71889e42d5f9570d153c2b978ef9965..9d69853e51308234cb3330b18e9d5665de62f5ca 100755
---