Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Martin Kosek]

On 07/15/2013 10:57 AM, Jan Cholasta wrote:
 On 12.7.2013 10:19, Tomas Babej wrote:
 Just a nitpick:

 + # If any of the PKCS#12 options are selected, all are required.

 + pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)

 + pkcs12_opt = (options.pkinit_pkcs12,)

 + if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):

 parser.error(All PKCS#12 options are required if any are used.)

 This error message is somewhat misleading, since --pkinit-pkcs12 options
 is not required.
 
 Fixed.
 
 Updated patches attached.
 
 Honza
 

The updated error message looks OK.

ACK, pushed all 3 patches to master, ipa-3-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Jan Cholasta]

On 12.7.2013 10:19, Tomas Babej wrote:

Just a nitpick:

+ # If any of the PKCS#12 options are selected, all are required.

+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)

+ pkcs12_opt = (options.pkinit_pkcs12,)

+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):

parser.error(All PKCS#12 options are required if any are used.)

This error message is somewhat misleading, since --pkinit-pkcs12 options
is not required.


Fixed.

Updated patches attached.

Honza

--
Jan Cholasta
From 6b21db9dc6c2cc3b7fb5a13877cbe8cb3aec1213 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 9 Jul 2013 10:23:47 +
Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in
 ipa-server-install.

https://fedorahosted.org/freeipa/ticket/3717
---
 install/tools/ipa-server-install | 76 ++--
 1 file changed, 50 insertions(+), 26 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc88a0b..4ba6f0e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -276,13 +276,20 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt  0 and cnt  4:
-parser.error(All PKCS#12 options are required if any are used.)
+# If any of the PKCS#12 options are selected, all are required.
+pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+pkcs12_opt = (options.pkinit_pkcs12,)
+if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
+parser.error(--dirsrv_pkcs12 and --http_pkcs12 are required if any 
+ PKCS#12 options are used.)
+
+if options.unattended:
+if options.dirsrv_pkcs12 and not options.dirsrv_pin:
+parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12)
+if options.http_pkcs12 and not options.http_pin:
+parser.error(You must specify --http_pin with --http_pkcs12)
+if options.pkinit_pkcs12 and not options.pkinit_pin:
+parser.error(You must specify --pkinit_pin with --pkinit_pkcs12)
 
 if options.dirsrv_pkcs12 and not options.root_ca_file:
 parser.error(
@@ -704,18 +711,6 @@ def main():
 sys.exit(1)
 cert = certdict[certissuer]
 
-if options.http_pkcs12:
-http_pin_file = ipautil.write_tmp_file(options.http_pin)
-http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
-
-if options.dirsrv_pkcs12:
-dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
-dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
-
-if options.pkinit_pkcs12:
-pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
-pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
-
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
@@ -834,13 +829,6 @@ def main():
 else:
 domain_name = options.domain_name
 
-if options.http_pkcs12:
-# Check the given PKCS#12 files
-ca_file = options.root_ca_file
-check_pkcs12 = installutils.check_pkcs12
-http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
-dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name)
-
 domain_name = domain_name.lower()
 
 ip = get_server_ip_address(host_name, fstore, options.unattended, options)
@@ -858,6 +846,42 @@ def main():
 if not options.subject:
 options.subject = DN(('O', realm_name))
 
+ca_file = options.root_ca_file
+
+if options.http_pkcs12:
+if not options.http_pin:
+options.http_pin = installutils.read_password(
+Enter %s unlock % options.http_pkcs12,
+confirm=False, validate=False)
+if options.http_pin is None:
+sys.exit(%s unlock password required % options.http_pkcs12)
+http_pin_file = ipautil.write_tmp_file(options.http_pin)
+http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+http_cert_name = installutils.check_pkcs12(
+http_pkcs12_info, ca_file, host_name)
+
+if options.dirsrv_pkcs12:
+if not options.dirsrv_pin:
+options.dirsrv_pin = installutils.read_password(
+Enter %s unlock % options.dirsrv_pkcs12,
+confirm=False, validate=False)
+if options.dirsrv_pin is None:
+sys.exit(%s unlock password required % 

Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Jan Cholasta]

On 11.7.2013 20:51, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3717.

Also added a small patch to fix a formatting issue with
installutils.read_password.

Honza


Functionally ok but I found it very jarring the way the passwords were
prompted for. I think they should be moved after the realm question and
the text should be more than just the path to the filename.

rob



Moved the prompt and changed the text to Enter file unlock password.

Updated patches attached.

Honza

--
Jan Cholasta
From 992080e556036afe35c39092a5326c3267d8edf1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 9 Jul 2013 10:23:47 +
Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in
 ipa-server-install.

https://fedorahosted.org/freeipa/ticket/3717
---
 install/tools/ipa-server-install | 73 ++--
 1 file changed, 48 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc88a0b..fed2004 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -276,14 +276,20 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt  0 and cnt  4:
+# If any of the PKCS#12 options are selected, all are required.
+pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+pkcs12_opt = (options.pkinit_pkcs12,)
+if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
 parser.error(All PKCS#12 options are required if any are used.)
 
+if options.unattended:
+if options.dirsrv_pkcs12 and not options.dirsrv_pin:
+parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12)
+if options.http_pkcs12 and not options.http_pin:
+parser.error(You must specify --http_pin with --http_pkcs12)
+if options.pkinit_pkcs12 and not options.pkinit_pin:
+parser.error(You must specify --pkinit_pin with --pkinit_pkcs12)
+
 if options.dirsrv_pkcs12 and not options.root_ca_file:
 parser.error(
 --root-ca-file must be given with the PKCS#12 options.)
@@ -704,18 +710,6 @@ def main():
 sys.exit(1)
 cert = certdict[certissuer]
 
-if options.http_pkcs12:
-http_pin_file = ipautil.write_tmp_file(options.http_pin)
-http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
-
-if options.dirsrv_pkcs12:
-dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
-dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
-
-if options.pkinit_pkcs12:
-pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
-pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
-
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
@@ -834,13 +828,6 @@ def main():
 else:
 domain_name = options.domain_name
 
-if options.http_pkcs12:
-# Check the given PKCS#12 files
-ca_file = options.root_ca_file
-check_pkcs12 = installutils.check_pkcs12
-http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
-dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name)
-
 domain_name = domain_name.lower()
 
 ip = get_server_ip_address(host_name, fstore, options.unattended, options)
@@ -858,6 +845,42 @@ def main():
 if not options.subject:
 options.subject = DN(('O', realm_name))
 
+ca_file = options.root_ca_file
+
+if options.http_pkcs12:
+if not options.http_pin:
+options.http_pin = installutils.read_password(
+Enter %s unlock % options.http_pkcs12,
+confirm=False, validate=False)
+if options.http_pin is None:
+sys.exit(%s unlock password required % options.http_pkcs12)
+http_pin_file = ipautil.write_tmp_file(options.http_pin)
+http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+http_cert_name = installutils.check_pkcs12(
+http_pkcs12_info, ca_file, host_name)
+
+if options.dirsrv_pkcs12:
+if not options.dirsrv_pin:
+options.dirsrv_pin = installutils.read_password(
+Enter %s unlock % options.dirsrv_pkcs12,
+confirm=False, validate=False)
+if options.dirsrv_pin is None:
+sys.exit(%s unlock password 

Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Tomas Babej]

 
  Functionally ok but I found it very jarring the way the passwords were
  prompted for. I think they should be moved after the realm question and
  the text should be more than just the path to the filename.
 
  rob
 
 
 Moved the prompt and changed the text to Enter file unlock password.
 
 Updated patches attached.
 
 Honza

Just a nitpick:

+# If any of the PKCS#12 options are selected, all are required.
+pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+pkcs12_opt = (options.pkinit_pkcs12,)
+if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
 parser.error(All PKCS#12 options are required if any are used.)

This error message is somewhat misleading, since --pkinit-pkcs12 options is not 
required.

Tomas___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Rob Crittenden]

Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3717.

Also added a small patch to fix a formatting issue with
installutils.read_password.

Honza


Functionally ok but I found it very jarring the way the passwords were 
prompted for. I think they should be moved after the realm question and 
the text should be more than just the path to the filename.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

[Jan Cholasta]

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3717.

Also added a small patch to fix a formatting issue with 
installutils.read_password.


Honza

--
Jan Cholasta
From 6a1eedeb478dce9acced03cf3ee2a502384428a9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 9 Jul 2013 10:23:47 +
Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in
 ipa-server-install.

https://fedorahosted.org/freeipa/ticket/3717
---
 install/tools/ipa-server-install | 66 ++--
 1 file changed, 43 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc88a0b..e477dee 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -276,14 +276,20 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt  0 and cnt  4:
+# If any of the PKCS#12 options are selected, all are required.
+pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+pkcs12_opt = (options.pkinit_pkcs12,)
+if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
 parser.error(All PKCS#12 options are required if any are used.)
 
+if options.unattended:
+if options.dirsrv_pkcs12 and not options.dirsrv_pin:
+parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12)
+if options.http_pkcs12 and not options.http_pin:
+parser.error(You must specify --http_pin with --http_pkcs12)
+if options.pkinit_pkcs12 and not options.pkinit_pin:
+parser.error(You must specify --pkinit_pin with --pkinit_pkcs12)
+
 if options.dirsrv_pkcs12 and not options.root_ca_file:
 parser.error(
 --root-ca-file must be given with the PKCS#12 options.)
@@ -704,18 +710,6 @@ def main():
 sys.exit(1)
 cert = certdict[certissuer]
 
-if options.http_pkcs12:
-http_pin_file = ipautil.write_tmp_file(options.http_pin)
-http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
-
-if options.dirsrv_pkcs12:
-dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
-dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
-
-if options.pkinit_pkcs12:
-pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
-pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
-
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
@@ -834,12 +828,38 @@ def main():
 else:
 domain_name = options.domain_name
 
+ca_file = options.root_ca_file
+
 if options.http_pkcs12:
-# Check the given PKCS#12 files
-ca_file = options.root_ca_file
-check_pkcs12 = installutils.check_pkcs12
-http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
-dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name)
+if not options.http_pin:
+options.http_pin = installutils.read_password(
+options.http_pkcs12, confirm=False, validate=False)
+if options.http_pin is None:
+sys.exit(%s password required % options.http_pkcs12)
+http_pin_file = ipautil.write_tmp_file(options.http_pin)
+http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+http_cert_name = installutils.check_pkcs12(
+http_pkcs12_info, ca_file, host_name)
+
+if options.dirsrv_pkcs12:
+if not options.dirsrv_pin:
+options.dirsrv_pin = installutils.read_password(
+options.dirsrv_pkcs12, confirm=False, validate=False)
+if options.dirsrv_pin is None:
+sys.exit(%s password required % options.dirsrv_pkcs12)
+dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
+dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+dirsrv_cert_name = installutils.check_pkcs12(
+dirsrv_pkcs12_info, ca_file, host_name)
+
+if options.pkinit_pkcs12:
+if not options.pkinit_pin:
+options.pkinit_pin = installutils.read_password(
+options.pkinit_pkcs12, confirm=False, validate=False)
+if options.pkinit_pin is None:
+sys.exit(%s password required % options.pkinit_pkcs12)
+pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
+pkinit_pkcs12_info = (options.pkinit_pkcs12,