Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

2014-08-14 Thread Petr Viktorin

On 08/13/2014 03:57 PM, Martin Kosek wrote:

On 08/13/2014 03:12 PM, Petr Viktorin wrote:

[...]

This works for me, but I'm not sure if I'm correctly reproducing the specific
scenario this patch fixes. So as always, can you please add tests for code you
write?


+1!


As far as other scenarios, it seems to me that when I do something wrong I get
a very unhelpful error message late in the installation.

I tried signing the request using xca but pkispawn choked on the result; I'll
try to write a reproducer script using command-line tools.

Attached is a script (based on the external ca integration test) that
reproduces the same IndexError as mentioned in the ticket. (If necessary,
adjust the IP addresses, hostnames, etc. to fit your environment.)
The difference from a working script is that extensions aren't added to the IPA
cert when it's signed.


This is a very good finding. If Jan's patch fixes the reported problem, let us
push it.


Pushed to:
master: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-1: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-0: 7c03ef0e727ca44ce1228e9896079a1d02227e14



But the missing validation should be fixed too. Can you please extend
https://fedorahosted.org/freeipa/ticket/4480
that is (will be) planned for 4.1 and attach your script as well so that we can
improve the usability by both accepting more certificate types and validation?


Comment added.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

2014-08-13 Thread Martin Kosek
On 08/13/2014 03:12 PM, Petr Viktorin wrote:
> On 08/08/2014 11:50 AM, Jan Cholasta wrote:
>> Dne 8.8.2014 v 11:20 Martin Kosek napsal(a):
>>> On 08/08/2014 10:55 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes .
>>>>
>>>> Honza
>>>
>>> Thanks! I did not test, I just have a couple of questions/suggestions:
>>>
>>> 1) Are we testing that the certificate is in the proper format, e.g. that it
>>> is not PKCS7 already? We need to error out properly then.
>>
>> Yes, in ipa-server-install.
>>
>>>
>>> 2) Are ipa-server-install --help options as informative as possible?
>>> --external-ca installation is tricky, we need to make sure that there is no
>>> doubt about what the input is.
>>
>> I amended them a little bit.
>>
>>>
>>> 3) We may want to add instructions on how to convert PKCS#7 -> PEM to "man
>>> ipa-server-install" too.
>>
>> Added.
>>
>>>
>>> Martin
>>>
>>
>> Updated patch attached.
>>
> 
> Hello,
> This works for me, but I'm not sure if I'm correctly reproducing the specific
> scenario this patch fixes. So as always, can you please add tests for code you
> write?

+1!

> As far as other scenarios, it seems to me that when I do something wrong I get
> a very unhelpful error message late in the installation.
> 
> I tried signing the request using xca but pkispawn choked on the result; I'll
> try to write a reproducer script using command-line tools.
> 
> Attached is a script (based on the external ca integration test) that
> reproduces the same IndexError as mentioned in the ticket. (If necessary,
> adjust the IP addresses, hostnames, etc. to fit your environment.)
> The difference from a working script is that extensions aren't added to the 
> IPA
> cert when it's signed.

This is a very good finding. If Jan's patch fixes the reported problem, let us
push it.

But the missing validation should be fixed too. Can you please extend
https://fedorahosted.org/freeipa/ticket/4480
that is (will be) planned for 4.1 and attach your script as well so that we can
improve the usability by both accepting more certificate types and validation?

Martin



Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

2014-08-13 Thread Petr Viktorin

On 08/08/2014 11:50 AM, Jan Cholasta wrote:

Dne 8.8.2014 v 11:20 Martin Kosek napsal(a):

On 08/08/2014 10:55 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza


Thanks! I did not test, I just have a couple of questions/suggestions:

1) Are we testing that the certificate is in the proper format, e.g. that it
is not PKCS7 already? We need to error out properly then.


Yes, in ipa-server-install.



2) Are ipa-server-install --help options as informative as possible?
--external-ca installation is tricky, we need to make sure that there is no
doubt about what the input is.


I amended them a little bit.



3) We may want to add instructions on how to convert PKCS#7 -> PEM to "man
ipa-server-install" too.


Added.



Martin



Updated patch attached.



Hello,
This works for me, but I'm not sure if I'm correctly reproducing the 
specific scenario this patch fixes. So as always, can you please add 
tests for code you write?



As far as other scenarios, it seems to me that when I do something wrong 
I get a very unhelpful error message late in the installation.


I tried signing the request using xca but pkispawn choked on the result; 
I'll try to write a reproducer script using command-line tools.


Attached is a script (based on the external ca integration test) that 
reproduces the same IndexError as mentioned in the ticket. (If 
necessary, adjust the IP addresses, hostnames, etc. to fit your 
environment.)
The difference from a working script is that extensions aren't added to 
the IPA cert when it's signed.



--
Petr³



index-error-reproducer.sh
Description: application/shellscript

Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

2014-08-08 Thread Jan Cholasta

Dne 8.8.2014 v 11:20 Martin Kosek napsal(a):

On 08/08/2014 10:55 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza


Thanks! I did not test, I just have a couple of questions/suggestions:

1) Are we testing that the certificate is in the proper format, e.g. that it is
not PKCS7 already? We need to error out properly then.


Yes, in ipa-server-install.



2) Are ipa-server-install --help options as informative as possible?
--external-ca installation is tricky, we need to make sure that there is no
doubt about what the input is.


I amended them a little bit.



3) We may want to add instructions on how to convert PKCS#7 -> PEM to "man
ipa-server-install" too.


Added.



Martin



Updated patch attached.

--
Jan Cholasta
>From f82f8985ecfe1ab408c1db728a8fa9fbcc838276 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 8 Aug 2014 10:15:26 +0200
Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to
 pkispawn.

https://fedorahosted.org/freeipa/ticket/4397
---
 install/tools/ipa-server-install   |  6 +++---
 install/tools/man/ipa-server-install.1 | 10 +++---
 ipaserver/install/cainstance.py| 13 -
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 1f158a4..393c52d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -179,11 +179,11 @@ def parse_options():
 
 cert_group = OptionGroup(parser, "certificate system options")
 cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
-  default=False, help="Generate a CSR to be signed by an external CA")
+  default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
 cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
-  help="PEM file containing a certificate signed by the external CA")
+  help="File containing the IPA CA certificate signed by the external CA in PEM format")
 cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
-  help="PEM file containing the external CA chain")
+  help="File containing the external CA certificate chain in PEM format")
 cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
   default=True, help="disables pkinit setup steps")
 cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
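Review bot: the new help strings for --external_cert_file and --external_ca_file still do not say that the two options must be given together, while the man page text in this same patch does ("Must be given with \-\-external_ca_file" / "\-\-external_cert_file"); since the point of the change is to leave no doubt about the input, consider carrying that sentence into both help= values as well, e.g. `help="File containing the IPA CA certificate signed by the external CA in PEM format; must be given with --external_ca_file"`.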
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 4adf1d0..d713d2d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
 .SS "CERTIFICATE SYSTEM OPTIONS"
 .TP
 \fB\-\-external\-ca\fR
-Generate a CSR to be signed by an external CA
+Generate a CSR for the IPA CA certificate to be signed by an external CA.
 .TP
 \fB\-\-external_cert_file\fR=\fIFILE\fR
-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
+File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
 .TP
 \fB\-\-external_ca_file\fR=\fIFILE\fR
-PEM file containing the external CA chain
+File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
+
+If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
+
+openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
 .TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps
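Review bot: the conversion command added to the man page, `openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE`, only works when the PKCS#7 file is PEM-armored; chains handed over as .p7b files (typical for Windows CA exports) are usually DER and need `-inform DER` on that command line, so a short note to that effect would save users the late, unhelpful failure this thread describes. Also consider wrapping the command in `.nf`/`.fi` so groff does not reflow it into the surrounding paragraph.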
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 03aec95..3d0895a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -583,9 +583,20 @@ class CAInstance(service.Service):
 config.set("CA", "pki_external_csr_path", self.csr_file)
 
 elif self.external == 2:
+cert_chain, stderr, rc = ipautil.run(
+[paths.OPENSSL, 'crl2pkcs7',
+ '-certfile', self.cert_chain_file,
+ '-nocrl'])
+# Dogtag chokes on the header and footer, remove them
+# https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+cert_chain = re.search(
+r'(?<=-BEGIN PKCS7-).*?(?=-END PKCS7-)',
+cert_chain, re.DOTALL).group(0)
+cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
 config.set("CA", "pki_external", "True")
 config.set("CA", "pki_external_ca_cert_path", self.cert_file)
-config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two
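Review bot: the lookaround regex `(?<=-BEGIN PKCS7-).*?(?=-END PKCS7-)` anchors on only one dash on each side, so the extracted text still begins with `----` and ends with `----`; a capturing group such as `-----BEGIN PKCS7-----(.*?)-----END PKCS7-----` with `.group(1)` (and a `.strip()`) removes the header and footer entirely, which is what the comment above it says the code intends. Also, when the openssl output contains no PKCS7 block, `re.search(...)` returns None and `.group(0)` raises an AttributeError from deep inside the pkispawn configuration step, exactly the kind of late, unhelpful error Petr reports; check the match for None and raise a clear error naming `self.cert_chain_file` instead.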

Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

2014-08-08 Thread Martin Kosek
On 08/08/2014 10:55 AM, Jan Cholasta wrote:
> Hi,
> 
> the attached patch fixes .
> 
> Honza

Thanks! I did not test, I just have a couple of questions/suggestions:

1) Are we testing that the certificate is in the proper format, e.g. that it is
not PKCS7 already? We need to error out properly then.

2) Are ipa-server-install --help options as informative as possible?
--external-ca installation is tricky, we need to make sure that there is no
doubt about what the input is.

3) We may want to add instructions on how to convert PKCS#7 -> PEM to "man
ipa-server-install" too.

Martin
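As an added illustration of the input validation Martin asks about in point 1 (this is example code written for this page, not FreeIPA's code or Jan's patch): classify the PEM blocks in the file given as --external_ca_file, fail early with a message that tells the user how to convert the file when it is already PKCS#7 or is not PEM at all, and strip the PKCS7 armor with a capturing group so that a missing block gives a clear error instead of an AttributeError. The function names and the sample inputs are constructed for the example; the base64 bodies are placeholders, not real certificates. It is written in Python because cainstance.py, where the patch does its conversion, is Python.

```python
import re
from typing import List, Tuple

# Constructed sample inputs for this example (not real certificates or a
# real PKCS#7 blob): the base64 bodies are placeholders so it runs offline.
CONSTRUCTED_PEM_CHAIN = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxzCCAXACAQAwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwIUm9vdCBDQQ==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxzCCAXACAQAwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwISW50ZXJDQQ==\n"
    "-----END CERTIFICATE-----\n"
)
CONSTRUCTED_PKCS7 = (
    "-----BEGIN PKCS7-----\n"
    "MIIBBgYJKoZIhvcNAQcCoIH4MIH1AgEBMQAwCwYJKoZIhvcNAQcBoIHgMIHd\n"
    "-----END PKCS7-----\n"
)

# One PEM block: BEGIN label, base64 body, and an END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for every PEM block in text, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def validate_ca_chain(text: str) -> List[str]:
    """Check that text is a PEM certificate chain and return the cert bodies.

    Hypothetical helper. Raises ValueError with an actionable message for the
    cases discussed in the thread: PKCS#7 input, non-PEM (e.g. DER) input,
    and stray non-certificate blocks such as private keys.
    """
    blocks = pem_blocks(text)
    if not blocks:
        raise ValueError(
            "no PEM blocks found in CA chain; if the file is DER PKCS#7, "
            "convert it with: openssl pkcs7 -inform DER -in FILE "
            "-print_certs -out PEM_FILE")
    labels = {label for label, _ in blocks}
    if "PKCS7" in labels:
        raise ValueError(
            "CA chain is already in PKCS#7 format; convert it to PEM with: "
            "openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE")
    unexpected = labels - {"CERTIFICATE"}
    if unexpected:
        raise ValueError("unexpected PEM block(s) in CA chain: %s"
                         % ", ".join(sorted(unexpected)))
    return [body for _, body in blocks]


def strip_pkcs7_armor(pkcs7_pem: str) -> str:
    """Return the bare base64 body of a PEM PKCS7 block.

    Same intent as the re.search in the patch, but the capturing group
    excludes the dashes entirely and a missing block raises ValueError
    rather than AttributeError from None.group().
    """
    m = re.search(r"-----BEGIN PKCS7-----\s*(.*?)\s*-----END PKCS7-----",
                  pkcs7_pem, re.DOTALL)
    if m is None:
        raise ValueError("openssl output did not contain a PEM PKCS7 block")
    return m.group(1)


if __name__ == "__main__":
    print(len(validate_ca_chain(CONSTRUCTED_PEM_CHAIN)), "certificate(s) in chain")
    try:
        validate_ca_chain(CONSTRUCTED_PKCS7)
    except ValueError as err:
        print("rejected:", err)
    print(strip_pkcs7_armor(CONSTRUCTED_PKCS7))
```

Running such a check in ipa-server-install before pkispawn is invoked turns the IndexError or AttributeError seen late in the installation into an immediate, specific message that names the conversion command.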
