Re: [Freeipa-devel] [PATCH] 983 add subject key identifier

2012-03-15 Thread Martin Kosek
On Wed, 2012-03-14 at 17:31 -0400, Rob Crittenden wrote:
 Martin Kosek wrote:
  On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
  Add subject key identifier to the dogtag server cert profile.
 
  This will add it on upgrades too and any new certs issued will have a
  subject key identifier set.
 
  If the user has customized the profile themselves then this won't be
  applied.
 
  rob
 
  NACK
 
  I found a few issues with the patch:
  
  1) There is an extraneous pdb statement:
  +import pdb; pdb.set_trace()
  
  2) The name of the config file should be put in a variable once and not
  created every time again in enable_subject_key_identifier. It would be
  much more readable and less error prone:
  +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
  +installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
  ...
 
  3) We do not handle a missing config file gracefully. This is what happens
  when a replica without CA is upgraded:
  # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
  Preparing...### [100%]
     1:freeipa-python ### [ 17%]
     2:freeipa-client ### [ 33%]
     3:freeipa-admintools ### [ 50%]
     4:freeipa-server ### [ 67%]
  Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
  Traceback (most recent call last):
    File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-upgradeconfig", line 297, in main
      upgrade_ipa_profile(krbctx.default_realm)
    File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
      if ca.enable_subject_key_identifier():
    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
      setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
    File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
      fd = open(filename, "r")
  IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
     5:freeipa-server-selinux ### [ 83%]
     6:freeipa-debuginfo  ### [100%]
 
  Martin
 
 
 I think this should do it.
 
 rob

Yup, it's much better. ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 983 add subject key identifier

2012-03-14 Thread Rob Crittenden

Martin Kosek wrote:

On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:

Add subject key identifier to the dogtag server cert profile.

This will add it on upgrades too and any new certs issued will have a
subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

rob


NACK

I found a few issues with the patch:

1) There is an extraneous pdb statement:
+import pdb; pdb.set_trace()

2) The name of the config file should be put in a variable once and not
created every time again in enable_subject_key_identifier. It would be
much more readable and less error prone:
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
...

3) We do not handle a missing config file gracefully. This is what happens
when a replica without CA is upgraded:
# rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
Preparing...### [100%]
   1:freeipa-python ### [ 17%]
   2:freeipa-client ### [ 33%]
   3:freeipa-admintools ### [ 50%]
   4:freeipa-server ### [ 67%]
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
Traceback (most recent call last):
  File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-upgradeconfig", line 297, in main
    upgrade_ipa_profile(krbctx.default_realm)
  File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
    if ca.enable_subject_key_identifier():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
    setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
    fd = open(filename, "r")
IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
   5:freeipa-server-selinux ### [ 83%]
   6:freeipa-debuginfo  ### [100%]

Martin



I think this should do it.

rob
From e24088093029c1d8b55f487f009547d214bce568 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 17:46:33 -0500
Subject: [PATCH] Add subject key identifier to the dogtag server cert
 profile.

This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
---
 install/tools/ipa-upgradeconfig |   13 ++
 ipaserver/install/cainstance.py |   47 +-
 2 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f406f29db4b8f33c153cccb1121675eb61..40a2b68ce89b58b98077428783a98e3060674665 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
 from ipaserver.install import httpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import service
+from ipaserver.install import cainstance
+from ipaserver.install import certs
 import ldap
 import krbV
 import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
 if fstore.has_file(filename):
 fstore.untrack_file(filename)
 
+def upgrade_ipa_profile(realm):
+
+Update the IPA Profile provided by dogtag
+
+ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+if ca.is_configured():
+if ca.enable_subject_key_identifier():
+ca.restart()
+
 def main():
 
 Get some basics about the system. If getting those basics fail then
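Review bot: the `if ca.is_configured():` guard in upgrade_ipa_profile() covers the CA-less replica traceback from the review, and tying ca.restart() to the return value of enable_subject_key_identifier() means an unchanged profile no longer bounces the CA during an rpm upgrade. One gap remains: a host where is_configured() is true but the profile file is missing or unreadable would still propagate IOError out of get_directive() and abort ipa-upgradeconfig; catching that around the call (and logging the skip) would keep the upgrade script idempotent.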
@@ -284,6 +295,8 @@ def main():
 pass
 
 cleanup_kdc()
+upgrade_ipa_profile(krbctx.default_realm)
+
 try:
 if __name__ == __main__:
 sys.exit(main())
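Review bot: upgrade_ipa_profile(krbctx.default_realm) is appended after cleanup_kdc() with no try/except of its own, while the step just above it ends in an except/`pass`; with the is_configured() guard now inside the callee this is tolerable, but a failure from ca.restart() would still turn into an uncaught traceback for the whole upgrade, so consider giving this call the same treatment as the surrounding steps.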
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3afc705ddc677c035d63c804d4a28737c03d8352..f953100be9d8e99abf402ae8453ca39a26758da1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -72,6 +72,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
 
+IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
 
 # We need to reset the 
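Review bot: IPA_SERVICE_PROFILE is the single constant the review asked for and removes the repeated '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME expressions; since it is evaluated at import time, PKI_INSTANCE_NAME must be defined earlier in cainstance.py than line 75 (the earlier hunks already use it, so that appears to hold). A short comment saying this is the Dogtag profile IPA issues service certificates from would help the next reader.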

Re: [Freeipa-devel] [PATCH] 983 add subject key identifier

2012-03-09 Thread Martin Kosek
On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
 Add subject key identifier to the dogtag server cert profile.
 
 This will add it on upgrades too and any new certs issued will have a 
 subject key identifier set.
 
 If the user has customized the profile themselves then this won't be 
 applied.
 
 rob

NACK

I found a few issues with the patch:

1) There is an extraneous pdb statement:
+import pdb; pdb.set_trace()

2) The name of the config file should be put in a variable once and not
created every time again in enable_subject_key_identifier. It would be
much more readable and less error prone:
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
...

3) We do not handle a missing config file gracefully. This is what happens
when a replica without CA is upgraded:
# rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
Preparing...### [100%]
   1:freeipa-python ### [ 17%]
   2:freeipa-client ### [ 33%]
   3:freeipa-admintools ### [ 50%]
   4:freeipa-server ### [ 67%]
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
Traceback (most recent call last):
  File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-upgradeconfig", line 297, in main
    upgrade_ipa_profile(krbctx.default_realm)
  File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
    if ca.enable_subject_key_identifier():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
    setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
    fd = open(filename, "r")
IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
   5:freeipa-server-selinux ### [ 83%]
   6:freeipa-debuginfo  ### [100%]

Martin

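A worked version of what review points 2) and 3) ask for, added here as an example that is not FreeIPA or Dogtag code: one path constant instead of seven copies of the format string, a missing-profile check that skips instead of aborting the upgrade, and a line-preserving rewrite that only fires when the policy list is still the stock one. The directive names and values are the ones the patch sets; PKI_INSTANCE_NAME = "pki-ca", the sample profile text and the demo() helper are assumptions constructed for the example.

```python
"""Idempotent Subject Key Identifier enablement for a Dogtag profile.

Added example for this thread, not FreeIPA or Dogtag code. It reworks the
logic of enable_subject_key_identifier() from the patch with a single path
constant, a missing-file check and line-preserving edits. The directive
names are the ones used in the patch; PKI_INSTANCE_NAME = "pki-ca" and the
sample profile text below are assumptions constructed for the example.
"""
import logging
import os
import tempfile

PKI_INSTANCE_NAME = "pki-ca"  # assumption: the instance name seen in the traceback
IPA_SERVICE_PROFILE = "/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME

LIST_KEY = "policyset.serverCertSet.list"
DEFAULT_SET_LIST = "1,2,3,4,5,6,7,8"  # stock pki-ca value; anything else means "customized"
SKI_POLICY_ID = "10"
SKI_DIRECTIVES = (
    ("constraint.class_id", "noConstraintImpl"),
    ("constraint.name", "No Constraint"),
    ("default.class_id", "subjectKeyIdentifierExtDefaultImpl"),
    ("default.name", "Subject Key Identifier Extension Default"),
    ("default.params.critical", "false"),  # RFC 5280 4.2.1.2: SKI MUST be non-critical
)

# Constructed stand-in for the stock profile; a real one carries many more directives.
SAMPLE_PROFILE = """# constructed sample of caIPAserviceCert.cfg
desc=IPA-RA Agent-Authenticated Server Certificate Enrollment
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.8.default.class_id=extendedKeyUsageExtDefaultImpl
"""


def parse_directives(lines):
    """Map key -> value for 'key=value' lines, skipping comments and blanks."""
    directives = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip()] = value.strip()
    return directives


def enable_subject_key_identifier(profile=IPA_SERVICE_PROFILE):
    """Add policy 10 (SKI) to the profile; return True only if the file changed."""
    try:
        with open(profile) as fd:
            lines = fd.read().splitlines()
    except OSError as err:
        # A replica without a CA has no profile: skip instead of aborting the upgrade.
        logging.warning("cannot read %s (%s); leaving profile untouched", profile, err)
        return False

    if parse_directives(lines).get(LIST_KEY) != DEFAULT_SET_LIST:
        # Already updated, or locally customized: do not override admin changes.
        return False

    prefix = "policyset.serverCertSet.%s." % SKI_POLICY_ID
    updated = []
    for line in lines:
        if "=" in line and line.split("=", 1)[0].strip() == LIST_KEY:
            line = "%s=%s,%s" % (LIST_KEY, DEFAULT_SET_LIST, SKI_POLICY_ID)
        updated.append(line)  # every other line, comments included, is kept as-is
    updated.extend("%s%s=%s" % (prefix, suffix, value) for suffix, value in SKI_DIRECTIVES)

    # Write a sibling temp file and rename it into place so the CA never reads a half-written profile.
    tmp = profile + ".tmp"
    with open(tmp, "w") as fd:
        fd.write("\n".join(updated) + "\n")
    os.rename(tmp, profile)
    return True


def demo():
    """Exercise the upgrade paths in a temp dir and report the outcomes."""
    workdir = tempfile.mkdtemp()
    stock = os.path.join(workdir, "caIPAserviceCert.cfg")
    with open(stock, "w") as fd:
        fd.write(SAMPLE_PROFILE)
    custom = os.path.join(workdir, "custom.cfg")
    with open(custom, "w") as fd:
        fd.write(SAMPLE_PROFILE.replace("1,2,3,4,5,6,7,8", "1,2,3,4,5,6,7,8,9"))

    results = {"first_run": enable_subject_key_identifier(stock)}
    results["second_run"] = enable_subject_key_identifier(stock)   # idempotent
    results["customized"] = enable_subject_key_identifier(custom)  # admin edits respected
    results["missing"] = enable_subject_key_identifier(os.path.join(workdir, "nope.cfg"))
    with open(stock) as fd:
        text = fd.read()
    results["comment_kept"] = text.startswith("# constructed sample")
    results["directives"] = parse_directives(text.splitlines())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the four outcomes: only the first pass over the stock profile returns True; a second pass, a profile whose list was already customized, and a missing file all return False without raising, which is the behaviour the upgrade script needs on a replica without a CA.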


[Freeipa-devel] [PATCH] 983 add subject key identifier

2012-03-07 Thread Rob Crittenden

Add subject key identifier to the dogtag server cert profile.

This will add it on upgrades too and any new certs issued will have a 
subject key identifier set.


If the user has customized the profile themselves then this won't be 
applied.


rob
From 830740ea18e92fa7ea2bf6d8db16a2aadc43e76f Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 17:46:33 -0500
Subject: [PATCH] Add subject key identifier to the dogtag server cert
 profile.

This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
---
 install/tools/ipa-upgradeconfig |   13 +
 ipaserver/install/cainstance.py |   20 
 2 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index a23489f406f29db4b8f33c153cccb1121675eb61..f158eab98972aaa10115b5be04efcfed8698e8f5 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,8 @@ try:
 from ipaserver.install import httpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import service
+from ipaserver.install import cainstance
+from ipaserver.install import certs
 import ldap
 import krbV
 import re
@@ -233,6 +235,15 @@ def cleanup_kdc():
 if fstore.has_file(filename):
 fstore.untrack_file(filename)
 
+def upgrade_ipa_profile(realm):
+
+Update the IPA Profile provided by dogtag
+
+import pdb; pdb.set_trace()
+ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+if ca.enable_subject_key_identifier():
+ca.restart()
+
 def main():
 
 Get some basics about the system. If getting those basics fail then
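Review bot: upgrade_ipa_profile() builds a CAInstance and calls enable_subject_key_identifier() without checking that a CA is actually installed on this host, so on a replica without a CA the open() of the profile raises IOError and ipa-upgradeconfig aborts mid-run; guard the call with `if ca.is_configured():` or catch the IOError and log the skip. The `import pdb; pdb.set_trace()` line is leftover debugging and must not ship: it drops the upgrade into an interactive prompt, which in an unattended rpm %post run simply hangs.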
@@ -284,6 +295,8 @@ def main():
 pass
 
 cleanup_kdc()
+upgrade_ipa_profile(krbctx.default_realm)
+
 try:
 if __name__ == __main__:
 sys.exit(main())
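Review bot: upgrade_ipa_profile(krbctx.default_realm) is called unconditionally after cleanup_kdc() and outside any try/except, while the step just above it ends in an except/`pass`; as written, any exception from the CA code (including the missing-profile case on a CA-less replica) becomes a traceback for the whole upgrade rather than a logged skip, so either wrap the call like the neighbouring steps or make the callee check is_configured() first.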
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 345a8c2da3567fce5bfc107e4e7a4b7a4918017f..6012ae1c7a00a87522fc0778f2cb355a3924d805 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -520,6 +520,7 @@ class CAInstance(service.Service):
 self.step(setting up signing cert profile, self.__setup_sign_profile)
 self.step(set up CRL publishing, self.__enable_crl_publish)
 self.step(set certificate subject base, self.__set_subject_in_config)
+self.step(enabling Subject Key Identifier, self.enable_subject_key_identifier)
 self.step(configuring certificate server to start on boot, self.__enable)
 if not self.clone:
 self.step(restarting certificate server, self.__restart_instance)
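Review bot: the new 'enabling Subject Key Identifier' step runs enable_subject_key_identifier() on a freshly written profile, so on a new install it will always match the stock list and fire; note that the 'restarting certificate server' step two lines below is skipped for clones (`if not self.clone:`), so please confirm that a clone's CA picks up the edited profile through whatever restart the clone path performs later, otherwise the first certificates it issues will still lack the SKI.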
@@ -1071,6 +1072,25 @@ class CAInstance(service.Service):
 shutil.copy(ipautil.SHARE_DIR + ipa-pki-proxy.conf,
 HTTPD_CONFD + ipa-pki-proxy.conf)
 
+def enable_subject_key_identifier(self):
+
+See if Subject Key Identifier is set in the profile and if not, add it.
+
+setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
+
+# this is the default setting from pki-ca. Don't touch it if a user
+# has manually modified it.
+if setlist == '1,2,3,4,5,6,7,8':
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.name', 'No Constraint', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.class_id', 'subjectKeyIdentifierExtDefaultImpl', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.name', 'Subject Key Identifier Extension Default', quotes=False, separator='=')
+installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.default.params.critical', 'false', quotes=False, separator='=')
+return True
+
+# No update was done
+return False
 
 def install_replica_ca(config, postinstall=False):
 
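Review bot: the profile path '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME is spelled out seven times in enable_subject_key_identifier(); hoist it into one module-level constant so a typo in a single copy cannot read or edit a different file than the others. get_directive() is called with no handling for a missing file, which is what aborts ipa-upgradeconfig on a replica without a CA; check for the file or catch IOError and return False. Comparing setlist against the literal '1,2,3,4,5,6,7,8' is a sensible way to leave admin-customized profiles alone, but the silent `return False` means such a profile never gets the SKI and nobody is told; log the skip. Setting default.params.critical to 'false' is correct, since RFC 5280 section 4.2.1.2 requires the Subject Key Identifier extension to be non-critical.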
-- 
1.7.6
