Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 07/15/2013 10:57 AM, Jan Cholasta wrote: On 12.7.2013 10:19, Tomas Babej wrote: Just a nitpick: + # If any of the PKCS#12 options are selected, all are required. + pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) + pkcs12_opt = (options.pkinit_pkcs12,) + if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) This error message is somewhat misleading, since --pkinit-pkcs12 options is not required. Fixed. Updated patches attached. Honza The updated error message looks OK. ACK, pushed all 3 patches to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 12.7.2013 10:19, Tomas Babej wrote: Just a nitpick: + # If any of the PKCS#12 options are selected, all are required. + pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) + pkcs12_opt = (options.pkinit_pkcs12,) + if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) This error message is somewhat misleading, since --pkinit-pkcs12 options is not required. Fixed. Updated patches attached. Honza -- Jan Cholasta From 6b21db9dc6c2cc3b7fb5a13877cbe8cb3aec1213 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 9 Jul 2013 10:23:47 + Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in ipa-server-install. https://fedorahosted.org/freeipa/ticket/3717 --- install/tools/ipa-server-install | 76 ++-- 1 file changed, 50 insertions(+), 26 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index cc88a0b..4ba6f0e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -276,13 +276,20 @@ def parse_options(): if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) -# If any of the PKCS#12 options are selected, all are required. Create a -# list of the options and count it to enforce that all are required without -# having a huge set of it blocks. -pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] -cnt = pkcs12.count(None) -if cnt 0 and cnt 4: -parser.error(All PKCS#12 options are required if any are used.) +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): +parser.error(--dirsrv_pkcs12 and --http_pkcs12 are required if any + PKCS#12 options are used.) + +if options.unattended: +if options.dirsrv_pkcs12 and not options.dirsrv_pin: +parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12) +if options.http_pkcs12 and not options.http_pin: +parser.error(You must specify --http_pin with --http_pkcs12) +if options.pkinit_pkcs12 and not options.pkinit_pin: +parser.error(You must specify --pkinit_pin with --pkinit_pkcs12) if options.dirsrv_pkcs12 and not options.root_ca_file: parser.error( @@ -704,18 +711,6 @@ def main(): sys.exit(1) cert = certdict[certissuer] -if options.http_pkcs12: -http_pin_file = ipautil.write_tmp_file(options.http_pin) -http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) - -if options.dirsrv_pkcs12: -dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) -dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) - -if options.pkinit_pkcs12: -pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) -pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False @@ -834,13 +829,6 @@ def main(): else: domain_name = options.domain_name -if options.http_pkcs12: -# Check the given PKCS#12 files -ca_file = options.root_ca_file -check_pkcs12 = installutils.check_pkcs12 -http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name) -dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name) - domain_name = domain_name.lower() ip = get_server_ip_address(host_name, fstore, options.unattended, options) @@ -858,6 +846,42 @@ def main(): if not options.subject: options.subject = DN(('O', realm_name)) +ca_file = options.root_ca_file + +if options.http_pkcs12: +if not options.http_pin: +options.http_pin = installutils.read_password( +Enter %s unlock % options.http_pkcs12, +confirm=False, validate=False) +if options.http_pin is None: +sys.exit(%s unlock password required % options.http_pkcs12) +http_pin_file = ipautil.write_tmp_file(options.http_pin) +http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) +http_cert_name = installutils.check_pkcs12( +http_pkcs12_info, ca_file, host_name) + +if options.dirsrv_pkcs12: +if not options.dirsrv_pin: +options.dirsrv_pin = installutils.read_password( +Enter %s unlock % options.dirsrv_pkcs12, +confirm=False, validate=False) +if options.dirsrv_pin is None: +sys.exit(%s unlock password required %
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 11.7.2013 20:51, Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/3717. Also added a small patch to fix a formatting issue with installutils.read_password. Honza Functionally ok but I found it very jarring the way the passwords were prompted for. I think they should be moved after the realm question and the text should be more than just the path to the filename. rob Moved the prompt and changed the text to Enter file unlock password. Updated patches attached. Honza -- Jan Cholasta From 992080e556036afe35c39092a5326c3267d8edf1 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 9 Jul 2013 10:23:47 + Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in ipa-server-install. https://fedorahosted.org/freeipa/ticket/3717 --- install/tools/ipa-server-install | 73 ++-- 1 file changed, 48 insertions(+), 25 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index cc88a0b..fed2004 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -276,14 +276,20 @@ def parse_options(): if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) -# If any of the PKCS#12 options are selected, all are required. Create a -# list of the options and count it to enforce that all are required without -# having a huge set of it blocks. -pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] -cnt = pkcs12.count(None) -if cnt 0 and cnt 4: +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) +if options.unattended: +if options.dirsrv_pkcs12 and not options.dirsrv_pin: +parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12) +if options.http_pkcs12 and not options.http_pin: +parser.error(You must specify --http_pin with --http_pkcs12) +if options.pkinit_pkcs12 and not options.pkinit_pin: +parser.error(You must specify --pkinit_pin with --pkinit_pkcs12) + if options.dirsrv_pkcs12 and not options.root_ca_file: parser.error( --root-ca-file must be given with the PKCS#12 options.) @@ -704,18 +710,6 @@ def main(): sys.exit(1) cert = certdict[certissuer] -if options.http_pkcs12: -http_pin_file = ipautil.write_tmp_file(options.http_pin) -http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) - -if options.dirsrv_pkcs12: -dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) -dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) - -if options.pkinit_pkcs12: -pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) -pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False @@ -834,13 +828,6 @@ def main(): else: domain_name = options.domain_name -if options.http_pkcs12: -# Check the given PKCS#12 files -ca_file = options.root_ca_file -check_pkcs12 = installutils.check_pkcs12 -http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name) -dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name) - domain_name = domain_name.lower() ip = get_server_ip_address(host_name, fstore, options.unattended, options) @@ -858,6 +845,42 @@ def main(): if not options.subject: options.subject = DN(('O', realm_name)) +ca_file = options.root_ca_file + +if options.http_pkcs12: +if not options.http_pin: +options.http_pin = installutils.read_password( +Enter %s unlock % options.http_pkcs12, +confirm=False, validate=False) +if options.http_pin is None: +sys.exit(%s unlock password required % options.http_pkcs12) +http_pin_file = ipautil.write_tmp_file(options.http_pin) +http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) +http_cert_name = installutils.check_pkcs12( +http_pkcs12_info, ca_file, host_name) + +if options.dirsrv_pkcs12: +if not options.dirsrv_pin: +options.dirsrv_pin = installutils.read_password( +Enter %s unlock % options.dirsrv_pkcs12, +confirm=False, validate=False) +if options.dirsrv_pin is None: +sys.exit(%s unlock password
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
Functionally ok but I found it very jarring the way the passwords were prompted for. I think they should be moved after the realm question and the text should be more than just the path to the filename. rob Moved the prompt and changed the text to Enter file unlock password. Updated patches attached. Honza Just a nitpick: +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) This error message is somewhat misleading, since --pkinit-pkcs12 options is not required. Tomas___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/3717. Also added a small patch to fix a formatting issue with installutils.read_password. Honza Functionally ok but I found it very jarring the way the passwords were prompted for. I think they should be moved after the realm question and the text should be more than just the path to the filename. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/3717. Also added a small patch to fix a formatting issue with installutils.read_password. Honza -- Jan Cholasta From 6a1eedeb478dce9acced03cf3ee2a502384428a9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 9 Jul 2013 10:23:47 + Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in ipa-server-install. https://fedorahosted.org/freeipa/ticket/3717 --- install/tools/ipa-server-install | 66 ++-- 1 file changed, 43 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index cc88a0b..e477dee 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -276,14 +276,20 @@ def parse_options(): if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) -# If any of the PKCS#12 options are selected, all are required. Create a -# list of the options and count it to enforce that all are required without -# having a huge set of it blocks. -pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] -cnt = pkcs12.count(None) -if cnt 0 and cnt 4: +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.) +if options.unattended: +if options.dirsrv_pkcs12 and not options.dirsrv_pin: +parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12) +if options.http_pkcs12 and not options.http_pin: +parser.error(You must specify --http_pin with --http_pkcs12) +if options.pkinit_pkcs12 and not options.pkinit_pin: +parser.error(You must specify --pkinit_pin with --pkinit_pkcs12) + if options.dirsrv_pkcs12 and not options.root_ca_file: parser.error( --root-ca-file must be given with the PKCS#12 options.) @@ -704,18 +710,6 @@ def main(): sys.exit(1) cert = certdict[certissuer] -if options.http_pkcs12: -http_pin_file = ipautil.write_tmp_file(options.http_pin) -http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) - -if options.dirsrv_pkcs12: -dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) -dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) - -if options.pkinit_pkcs12: -pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) -pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False @@ -834,12 +828,38 @@ def main(): else: domain_name = options.domain_name +ca_file = options.root_ca_file + if options.http_pkcs12: -# Check the given PKCS#12 files -ca_file = options.root_ca_file -check_pkcs12 = installutils.check_pkcs12 -http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name) -dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name) +if not options.http_pin: +options.http_pin = installutils.read_password( +options.http_pkcs12, confirm=False, validate=False) +if options.http_pin is None: +sys.exit(%s password required % options.http_pkcs12) +http_pin_file = ipautil.write_tmp_file(options.http_pin) +http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) +http_cert_name = installutils.check_pkcs12( +http_pkcs12_info, ca_file, host_name) + +if options.dirsrv_pkcs12: +if not options.dirsrv_pin: +options.dirsrv_pin = installutils.read_password( +options.dirsrv_pkcs12, confirm=False, validate=False) +if options.dirsrv_pin is None: +sys.exit(%s password required % options.dirsrv_pkcs12) +dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) +dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) +dirsrv_cert_name = installutils.check_pkcs12( +dirsrv_pkcs12_info, ca_file, host_name) + +if options.pkinit_pkcs12: +if not options.pkinit_pin: +options.pkinit_pin = installutils.read_password( +options.pkinit_pkcs12, confirm=False, validate=False) +if options.pkinit_pin is None: +sys.exit(%s password required % options.pkinit_pkcs12) +pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) +pkinit_pkcs12_info = (options.pkinit_pkcs12,