URL: https://github.com/freeipa/freeipa/pull/732 Author: tiran Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt Action: opened
PR body: """ /etc/pki/pki-tomcat/password.conf contains additional passwords like replicadb. ipa-custodia does not need these passwords. /etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's NSSDB. The file also simplifies implementation because it removes another temporary file. pwdfile.txt is created by CAInstance.create_certstore_passwdfile() Related: https://pagure.io/freeipa/issue/6888 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/732/head:pr732 git checkout pr732
From 70296313166b019e040f06f1ce395fc0b0f8199c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 25 Apr 2017 14:52:35 +0200
Subject: [PATCH] ipa-custodia: use Dogtag's alias/pwdfile.txt

/etc/pki/pki-tomcat/password.conf contains additional passwords like replicadb. ipa-custodia does not need these passwords. /etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's NSSDB. The file also simplifies implementation because it removes another temporary file. pwdfile.txt is created by CAInstance.create_certstore_passwdfile()
Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/paths.py | 1 +
 ipaserver/secrets/store.py | 34 +++++++--------------------------
 2 files changed, 8 insertions(+), 27 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 57f185e..7f9297e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -94,6 +94,7 @@ class BasePathNamespace(object):
     NSS_DB_DIR = "/etc/pki/nssdb"
     PKI_TOMCAT = "/etc/pki/pki-tomcat"
     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+    PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
     ETC_REDHAT_RELEASE = "/etc/redhat-release"
     RESOLV_CONF = "/etc/resolv.conf"
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 56cbfbc..43502c2 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -34,17 +34,6 @@ def log_error(error):
     print(error, file=sys.stderr)
 
 
-def PKI_TOMCAT_password_callback():
-    password = None
-    with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f:
-        for line in f.readlines():
-            key, value = line.strip().split('=')
-            if key == 'internal':
-                password = value
-                break
-    return password
-
-
 class NSSWrappedCertDB(DBMAPHandler):
     '''
     Store that extracts private keys from an NSSDB, wrapped with the
@@ -62,20 +51,17 @@ def __init__(self, config, dbmap, nickname):
             raise ValueError(
                 'Configuration does not provide nickname of wrapping key')
         self.nssdb_path = dbmap['path']
-        self.nssdb_password = dbmap['pwcallback']()
+        self.nssdb_pwdfile = dbmap['pwdfile']
         self.wrap_nick = dbmap['wrap_nick']
         self.target_nick = nickname
 
     def export_key(self):
         tdir = tempfile.mkdtemp(dir=paths.TMP)
         try:
-            nsspwfile = os.path.join(tdir, 'nsspwfile')
-            with open(nsspwfile, 'w+') as f:
-                f.write(self.nssdb_password)
             wrapped_key_file = os.path.join(tdir, 'wrapped_key')
             certificate_file = os.path.join(tdir, 'certificate')
             ipautil.run([
-                paths.PKI, '-d', self.nssdb_path, '-C', nsspwfile,
+                paths.PKI, '-d', self.nssdb_path, '-C', self.nssdb_pwdfile,
                 'ca-authority-key-export',
                 '--wrap-nickname', self.wrap_nick,
                 '--target-nickname', self.target_nick,
@@ -106,15 +92,12 @@ def __init__(self, config, dbmap, nickname):
         if 'pwcallback' not in dbmap:
             raise ValueError('Configuration does not provide Password Calback')
         self.nssdb_path = dbmap['path']
+        self.nssdb_pwdfile = dbmap['pwdfile']
         self.nickname = nickname
-        self.nssdb_password = dbmap['pwcallback']()
 
     def export_key(self):
         tdir = tempfile.mkdtemp(dir=paths.TMP)
         try:
-            nsspwfile = os.path.join(tdir, 'nsspwfile')
-            with open(nsspwfile, 'w+') as f:
-                f.write(self.nssdb_password)
             pk12pwfile = os.path.join(tdir, 'pk12pwfile')
             password = ipautil.ipa_generate_password()
             with open(pk12pwfile, 'w+') as f:
@@ -124,7 +107,7 @@ def export_key(self):
                 "-d", self.nssdb_path,
                 "-o", pk12file,
                 "-n", self.nickname,
-                "-k", nsspwfile,
+                "-k", self.nssdb_pwdfile,
                 "-w", pk12pwfile])
             with open(pk12file, 'r') as f:
                 data = f.read()
@@ -137,9 +120,6 @@ def import_key(self, value):
         v = json_decode(value)
         tdir = tempfile.mkdtemp(dir=paths.TMP)
         try:
-            nsspwfile = os.path.join(tdir, 'nsspwfile')
-            with open(nsspwfile, 'w+') as f:
-                f.write(self.nssdb_password)
             pk12pwfile = os.path.join(tdir, 'pk12pwfile')
             with open(pk12pwfile, 'w+') as f:
                 f.write(v['export password'])
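Review bot: NSSCertDB.__init__ in the hunk at -106 still validates the old key (`if 'pwcallback' not in dbmap:`), yet the `ca` entry rewritten in the hunk at -251 now carries `pwdfile` and no `pwcallback`, so as far as the visible lines show every NSSCertDB construction would raise 'Configuration does not provide Password Calback' before reaching the new `self.nssdb_pwdfile = dbmap['pwdfile']`. The check should guard the key the code actually reads: `if 'pwdfile' not in dbmap:` / `raise ValueError('Configuration does not provide NSSDB password file')`. The hunk at -62 has the related gap: `self.nssdb_pwdfile = dbmap['pwdfile']` is read unguarded there and would surface as a bare KeyError, while the validation lines above it and the start of that __init__ are outside the hunk. Since the path is now handed straight to the `pki`/`pk12util` subprocesses as `-C`/`-k` instead of a temp file this process wrote itself, a short comment on the new attribute noting that pwdfile.txt must be readable by the ipa-custodia service account would save the next reader a debugging round.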
@@ -150,7 +130,7 @@ def import_key(self, value):
                 "-d", self.nssdb_path,
                 "-i", pk12file,
                 "-n", self.nickname,
-                "-k", nsspwfile,
+                "-k", self.nssdb_pwdfile,
                 "-w", pk12pwfile])
         finally:
             shutil.rmtree(tdir)
@@ -251,12 +231,12 @@ def import_key(self, value):
         'type': 'NSSDB',
         'path': paths.PKI_TOMCAT_ALIAS_DIR,
         'handler': NSSCertDB,
-        'pwcallback': PKI_TOMCAT_password_callback,
+        'pwdfile': paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
     },
     'ca_wrapped': {
         'handler': NSSWrappedCertDB,
         'path': paths.PKI_TOMCAT_ALIAS_DIR,
-        'pwcallback': PKI_TOMCAT_password_callback,
+        'pwdfile': paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
         'wrap_nick': 'caSigningCert cert-pki-ca',
     },
     'ra': {