Re: [Freeipa-devel] [PATCH] 983 add subject key identifier
On Wed, 2012-03-14 at 17:31 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
>>> Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set.
>>>
>>> If the user has customized the profile themselves then this won't be applied.
>>>
>>> rob
>>
>> NACK
>>
>> I found a few issues with the patch:
>>
>> 1) There is an extraneous pdb statement:
>>
>> +import pdb; pdb.set_trace()
>>
>> 2) The name of the config file should be put in a variable once and not created every time again in enable_subject_key_identifier. It would be much more readable and less error prone:
>>
>> +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
>> +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
>> ...
>>
>> 3) We do not handle a missing config file gracefully. This is what happens when a replica without a CA is upgraded:
>>
>> # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
>> Preparing...                ### [100%]
>>    1:freeipa-python         ### [ 17%]
>>    2:freeipa-client         ### [ 33%]
>>    3:freeipa-admintools     ### [ 50%]
>>    4:freeipa-server         ### [ 67%]
>> Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-upgradeconfig", line 297, in main
>>     upgrade_ipa_profile(krbctx.default_realm)
>>   File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
>>     if ca.enable_subject_key_identifier():
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
>>     setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
>>     fd = open(filename, "r")
>> IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
>>    5:freeipa-server-selinux ### [ 83%]
>>    6:freeipa-debuginfo      ### [100%]
>>
>> Martin
>
> I think this should do it.
>
> rob

Yup, it's much better. ACK.

Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 983 add subject key identifier
Martin Kosek wrote:
> On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
>> Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set.
>>
>> If the user has customized the profile themselves then this won't be applied.
>>
>> rob
>
> NACK
>
> I found a few issues with the patch:
>
> 1) There is an extraneous pdb statement:
>
> +import pdb; pdb.set_trace()
>
> 2) The name of the config file should be put in a variable once and not created every time again in enable_subject_key_identifier. It would be much more readable and less error prone:
>
> +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
> +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
> ...
>
> 3) We do not handle a missing config file gracefully. This is what happens when a replica without a CA is upgraded:
>
> # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
> Preparing...                ### [100%]
>    1:freeipa-python         ### [ 17%]
>    2:freeipa-client         ### [ 33%]
>    3:freeipa-admintools     ### [ 50%]
>    4:freeipa-server         ### [ 67%]
> Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-upgradeconfig", line 297, in main
>     upgrade_ipa_profile(krbctx.default_realm)
>   File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
>     if ca.enable_subject_key_identifier():
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
>     setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
>     fd = open(filename, "r")
> IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
>    5:freeipa-server-selinux ### [ 83%]
>    6:freeipa-debuginfo      ### [100%]
>
> Martin

I think this should do it.

rob

From e24088093029c1d8b55f487f009547d214bce568 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 7 Mar 2012 17:46:33 -0500 Subject: [PATCH] Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. https://fedorahosted.org/freeipa/ticket/2446 --- install/tools/ipa-upgradeconfig | 13 ++ ipaserver/install/cainstance.py | 47 +- 2 files changed, 58 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index a23489f406f29db4b8f33c153cccb1121675eb61..40a2b68ce89b58b98077428783a98e3060674665 100644 
--- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -31,6 +31,8 @@ try: from ipaserver.install import httpinstance from ipaserver.install import memcacheinstance from ipaserver.install import service +from ipaserver.install import cainstance +from ipaserver.install import certs import ldap import krbV import re @@ -233,6 +235,15 @@ def cleanup_kdc(): if fstore.has_file(filename): fstore.untrack_file(filename) +def upgrade_ipa_profile(realm): + +Update the IPA Profile provided by dogtag + +ca = cainstance.CAInstance(realm, certs.NSS_DIR) +if ca.is_configured(): +if ca.enable_subject_key_identifier(): +ca.restart() + def main(): Get some basics about the system. If getting those basics fail then @@ -284,6 +295,8 @@ def main(): pass cleanup_kdc() +upgrade_ipa_profile(krbctx.default_realm) + try: if __name__ == __main__: sys.exit(main()) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3afc705ddc677c035d63c804d4a28737c03d8352..f953100be9d8e99abf402ae8453ca39a26758da1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -72,6 +72,7 @@ EE_CLIENT_AUTH_PORT=9446 UNSECURE_PORT=9180 TOMCAT_SERVER_PORT=9701 +IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME # We need to reset the
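Review bot: in the upgrade_ipa_profile hunk, the new ca.is_configured() guard handles the replica-without-CA traceback from the review, but enable_subject_key_identifier still reads the profile through get_directive, so a configured CA whose caIPAserviceCert.cfg is missing or unreadable would again raise IOError out of main() and abort the rest of ipa-upgradeconfig. Consider wrapping `if ca.enable_subject_key_identifier():` in a try/except IOError that logs the profile path and continues, so one bad profile file does not block the remaining upgrade steps.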
Re: [Freeipa-devel] [PATCH] 983 add subject key identifier
On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
> Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set.
>
> If the user has customized the profile themselves then this won't be applied.
>
> rob

NACK

I found a few issues with the patch:

1) There is an extraneous pdb statement:

+import pdb; pdb.set_trace()

2) The name of the config file should be put in a variable once and not created every time again in enable_subject_key_identifier. It would be much more readable and less error prone:

+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
...

3) We do not handle a missing config file gracefully. This is what happens when a replica without a CA is upgraded:

# rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
Preparing...                ### [100%]
   1:freeipa-python         ### [ 17%]
   2:freeipa-client         ### [ 33%]
   3:freeipa-admintools     ### [ 50%]
   4:freeipa-server         ### [ 67%]
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
Traceback (most recent call last):
  File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-upgradeconfig", line 297, in main
    upgrade_ipa_profile(krbctx.default_realm)
  File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
    if ca.enable_subject_key_identifier():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
    setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
    fd = open(filename, "r")
IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
   5:freeipa-server-selinux ### [ 83%]
   6:freeipa-debuginfo      ### [100%]

Martin
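An added example, not FreeIPA code, of the profile update done the way this review asks for: the profile is parsed once, only the untouched pki-ca default `policyset.serverCertSet.list` is modified, and a missing caIPAserviceCert.cfg (the replica-without-CA case) returns False instead of raising IOError. The key=value parser and the temporary file written by demo_roundtrip are constructed for the example; the directive names and values are the ones from the thread.

```python
import errno, os, tempfile
PKI_DEFAULT_LIST = "1,2,3,4,5,6,7,8"  # serverCertSet.list as shipped by pki-ca
SKI_POLICY = {  # directives the patch adds as policy 10 (values from the thread)
    "policyset.serverCertSet.list": "1,2,3,4,5,6,7,8,10",
    "policyset.serverCertSet.10.constraint.class_id": "noConstraintImpl",
    "policyset.serverCertSet.10.constraint.name": "No Constraint",
    "policyset.serverCertSet.10.default.class_id": "subjectKeyIdentifierExtDefaultImpl",
    "policyset.serverCertSet.10.default.name": "Subject Key Identifier Extension Default",
    "policyset.serverCertSet.10.default.params.critical": "false",
}

def parse_profile(text):
    """Parse dogtag's key=value profile format into an ordered list of pairs."""
    entries = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries

def apply_ski_policy(entries):
    """Return (entries, changed); only the untouched pki-ca default list is modified."""
    current = dict(entries)
    if current.get("policyset.serverCertSet.list") != PKI_DEFAULT_LIST:
        return entries, False  # customised by the admin or already upgraded: leave alone
    updated = [(k, SKI_POLICY.get(k, v)) for k, v in entries]
    updated += [(k, v) for k, v in SKI_POLICY.items() if k not in current]
    return updated, True

def enable_subject_key_identifier(path):
    """Rewrite the profile at path; False when unchanged or when no CA profile exists."""
    try:
        with open(path) as fd:
            entries = parse_profile(fd.read())
    except IOError as err:
        if err.errno != errno.ENOENT:
            raise  # permission or I/O problems are real failures, surface them
        return False  # replica without a CA: nothing to upgrade, do not abort
    updated, changed = apply_ski_policy(entries)
    if changed:
        with open(path, "w") as fd:
            fd.write("\n".join("%s=%s" % kv for kv in updated) + "\n")
    return changed

def demo_roundtrip():
    """Constructed profile on disk: first run adds SKI, second run is a no-op."""
    path = os.path.join(tempfile.mkdtemp(), "caIPAserviceCert.cfg")
    with open(path, "w") as fd:
        fd.write("policyset.serverCertSet.list=1,2,3,4,5,6,7,8\n")
    return enable_subject_key_identifier(path), enable_subject_key_identifier(path)
```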
[Freeipa-devel] [PATCH] 983 add subject key identifier
Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. rob From 830740ea18e92fa7ea2bf6d8db16a2aadc43e76f Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 7 Mar 2012 17:46:33 -0500 Subject: [PATCH] Add subject key identifier to the dogtag server cert profile. This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. https://fedorahosted.org/freeipa/ticket/2446 --- install/tools/ipa-upgradeconfig | 13 + ipaserver/install/cainstance.py | 20 2 files changed, 33 insertions(+), 0 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index a23489f406f29db4b8f33c153cccb1121675eb61..f158eab98972aaa10115b5be04efcfed8698e8f5 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -31,6 +31,8 @@ try: from ipaserver.install import httpinstance from ipaserver.install import memcacheinstance from ipaserver.install import service +from ipaserver.install import cainstance +from ipaserver.install import certs import ldap import krbV import re @@ -233,6 +235,15 @@ def cleanup_kdc(): if fstore.has_file(filename): fstore.untrack_file(filename) +def upgrade_ipa_profile(realm): + +Update the IPA Profile provided by dogtag + +import pdb; pdb.set_trace() +ca = cainstance.CAInstance(realm, certs.NSS_DIR) +if ca.enable_subject_key_identifier(): +ca.restart() + def main(): Get some basics about the system. If getting those basics fail then @@ -284,6 +295,8 @@ def main(): pass cleanup_kdc() +upgrade_ipa_profile(krbctx.default_realm) + try: if __name__ == __main__: sys.exit(main()) 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 345a8c2da3567fce5bfc107e4e7a4b7a4918017f..6012ae1c7a00a87522fc0778f2cb355a3924d805 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -520,6 +520,7 @@ class CAInstance(service.Service): self.step(setting up signing cert profile, self.__setup_sign_profile) self.step(set up CRL publishing, self.__enable_crl_publish) self.step(set certificate subject base, self.__set_subject_in_config) +self.step(enabling Subject Key Identifier, self.enable_subject_key_identifier) self.step(configuring certificate server to start on boot, self.__enable) if not self.clone: self.step(restarting certificate server, self.__restart_instance) 
@@ -1071,6 +1072,25 @@ class CAInstance(service.Service): shutil.copy(ipautil.SHARE_DIR + ipa-pki-proxy.conf, HTTPD_CONFD + ipa-pki-proxy.conf) +def enable_subject_key_identifier(self): + +See if Subject Key Identifier is set in the profile and if not, add it. + +setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=') + +# this is the default setting from pki-ca. Don't touch it if a user +# has manually modified it. +if setlist == '1,2,3,4,5,6,7,8': +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=') +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=') +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.name', 'No Constraint', quotes=False, separator='=') +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.class_id', 'subjectKeyIdentifierExtDefaultImpl', quotes=False, separator='=') +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.name', 'Subject Key Identifier Extension Default', quotes=False, separator='=') +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.params.critical', 'false', quotes=False, separator='=') +return True + +# No update was done +return False def install_replica_ca(config, postinstall=False): -- 1.7.6 ___
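Review bot: the `+import pdb; pdb.set_trace()` line in the upgrade_ipa_profile hunk is a leftover debugger breakpoint; since ipa-upgradeconfig runs inside the package upgrade, as the rpm -Uvh output in the thread shows, it would stop the upgrade waiting on an interactive prompt. Drop it. The same hunk calls ca.enable_subject_key_identifier() without first checking that a CA is installed on this host, so on a replica without a CA the profile open fails with IOError and the whole upgrade script aborts; guard the call with a check such as ca.is_configured() before touching the profile.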
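Review bot: in the enable_subject_key_identifier hunk the six set_directive calls are not atomic, and the order matters: policyset.serverCertSet.list is rewritten to '1,2,3,4,5,6,7,8,10' first, so if any later call fails the profile references a policy 10 with no class_id, and a re-run of the upgrade skips the fix because the list no longer equals the pki-ca default '1,2,3,4,5,6,7,8'. Writing the policyset.serverCertSet.10.* entries first and the list last keeps a partially applied update recoverable. The path '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME is also repeated seven times in the hunk; a single module-level constant removes the duplication and the chance of the copies drifting apart.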