URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification Action: opened
PR body: """ Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490
From 7afa1afe7010d0f5b680d9c1608cbad4e698d401 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 2 Jan 2017 13:53:18 +0100 Subject: [PATCH] certdb: use certutil and match_hostname for cert verification Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. --- freeipa.spec.in | 16 +++++------ ipalib/x509.py | 33 ++++++++++++++++++++++ ipapython/certdb.py | 80 ++++++++++++++++++++--------------------------------- ipasetup.py.in | 2 +- 4 files changed, 72 insertions(+), 59 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5c835ca..2cde0da 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -129,8 +129,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python-cryptography >= 1.6 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -165,8 +165,8 @@ BuildRequires: python2-jinja2 # FIXME: this depedency is missing - server will not work #BuildRequires: python3-samba BuildRequires: python3-setuptools -# 1.4: the version where Certificate.serial changed to .serial_number -BuildRequires: python3-cryptography >= 1.4 +# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) +BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -592,7 +592,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.4 +Requires: python-cryptography >= 1.6 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -642,7 +642,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -717,7 +717,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.4 +Requires: python2-cryptography >= 1.6 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -751,7 +751,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.4 +Requires: python3-cryptography >= 1.6 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipalib/x509.py b/ipalib/x509.py index f65cf81..03027c0 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -35,6 +35,7 @@ import binascii import datetime import ipaddress +import ssl import base64 import re @@ -543,3 +544,35 @@ def format_datetime(t): if t.tzinfo is None: t = t.replace(tzinfo=UTC()) return unicode(t.strftime("%a %b %d %H:%M:%S %Y %Z")) + + +def match_hostname(cert, hostname): + match_cert = {} + + match_cert['subject'] = match_subject = [] + for rdn in cert.subject.rdns: + match_rdn = [] + for ava in rdn: + if ava.oid == cryptography.x509.oid.NameOID.COMMON_NAME: + name = 'commonName' + else: + name = ava.dotted_string + match_ava = (name, ava.value) + match_rdn.append(match_ava) + match_subject.append(match_rdn) + + try: + san = cert.extensions.get_extension_for_class( + cryptography.x509.SubjectAlternativeName) + except cryptography.x509.ExtensionNotFound: + pass + else: + match_cert['subjectAltName'] = match_san = [] + for value in san.get_values_for_type(cryptography.x509.DNSName): + match_dnsname = ('DNS', str(value)) + match_san.append(match_dnsname) + + try: + ssl.match_hostname(match_cert, hostname) + except ssl.SSLError as e: + raise ValueError(e) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index b22c3c1..23c4226 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -25,9 +25,9 @@ import tempfile import shutil import base64 + from cryptography.hazmat.primitives import serialization -from nss import nss -from nss.error import NSPRError +import cryptography.x509 from ipaplatform.tasks import tasks from ipapython.dn import DN @@ -532,59 +532,39 @@ def verify_server_cert_validity(self, nickname, hostname): Raises a ValueError if the certificate is invalid. """ - certdb = cert = None - if nss.nss_is_initialized(): - nss.nss_shutdown() - nss.nss_init(self.secdir) + cert = self.get_cert(nickname) + cert = x509.load_certificate(cert, x509.DER) + try: - certdb = nss.get_default_certdb() - cert = nss.find_cert_from_nickname(nickname) - intended_usage = nss.certificateUsageSSLServer - try: - approved_usage = cert.verify_now(certdb, True, intended_usage) - except NSPRError as e: - if e.errno != -8102: - raise ValueError(e.strerror) - approved_usage = 0 - if not approved_usage & intended_usage: - raise ValueError('invalid for a SSL server') - if not cert.verify_hostname(hostname): - raise ValueError('invalid for server %s' % hostname) - finally: - del certdb, cert - nss.nss_shutdown() + self.run_certutil(['-V', '-n', nickname, '-u', 'V']) + except ipautil.CalledProcessError: + raise ValueError('invalid for a SSL server') - return None + try: + x509.match_hostname(cert, hostname) + except ValueError: + raise ValueError('invalid for server %s' % hostname) def verify_ca_cert_validity(self, nickname): - certdb = cert = None - if nss.nss_is_initialized(): - nss.nss_shutdown() - nss.nss_init(self.secdir) + cert = self.get_cert(nickname) + cert = x509.load_certificate(cert, x509.DER) + + if not cert.subject: + raise ValueError("has empty subject") + try: - certdb = nss.get_default_certdb() - cert = nss.find_cert_from_nickname(nickname) - if not cert.subject: - raise ValueError("has empty subject") - try: - bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS) - except KeyError: - raise ValueError("missing basic constraints") - bc = nss.BasicConstraints(bc.value) - if not bc.is_ca: - raise ValueError("not a CA certificate") - intended_usage = nss.certificateUsageSSLCA - try: - approved_usage = cert.verify_now(certdb, True, intended_usage) - except NSPRError as e: - if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE - raise ValueError(e.strerror) - approved_usage = 0 - if approved_usage & intended_usage != intended_usage: - raise ValueError('invalid for a CA') - finally: - del certdb, cert - nss.nss_shutdown() + bc = cert.extensions.get_extension_for_class( + cryptography.x509.BasicConstraints) + except cryptography.x509.ExtensionNotFound: + raise ValueError("missing basic constraints") + + if not bc.ca: + raise ValueError("not a CA certificate") + + try: + self.run_certutil(['-V', '-n', nickname, '-u', 'L']) + except ipautil.CalledProcessError: + raise ValueError('invalid for a CA') def publish_ca_cert(self, canickname, location): args = ["-L", "-n", canickname, "-a"] diff --git a/ipasetup.py.in b/ipasetup.py.in index 915f0ed..d2741cd 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -63,7 +63,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0): PACKAGE_VERSION = { - 'cryptography': 'cryptography >= 1.4', + 'cryptography': 'cryptography >= 1.6', 'dnspython': 'dnspython >= 1.15', 'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == {}'.format(VERSION),
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code