def __upload_ca_cert(self): """ Upload the CA certificate from the NSS database to the LDAP directory. """ dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) trust_flags = dict(reversed(dsdb.list_certs())) conn = ipaldap.IPAdmin(self.fqdn) conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) nicknames = dsdb.find_root_cert(self.cacert_name)[:-1] for nickname in nicknames: cert = dsdb.get_cert_from_db(nickname, pem=False) certstore.put_ca_cert_nss(conn, self.suffix, cert, nickname, trust_flags[nickname]) nickname = self.cacert_name cert = dsdb.get_cert_from_db(nickname, pem=False) certstore.put_ca_cert_nss(conn, self.suffix, cert, nickname, trust_flags[nickname], config_ipa=self.ca_is_configured, config_compat=self.master_fqdn is None) conn.unbind()
def install(self): print("Installing CA certificate, please wait") options = self.options cert_filename = self.args[1] nss_cert = None try: try: nss_cert = x509.load_certificate_from_file(cert_filename) except IOError as e: raise admintool.ScriptError( "Can't open \"%s\": %s" % (cert_filename, e)) except (TypeError, NSPRError, ValueError) as e: raise admintool.ScriptError("Not a valid certificate: %s" % e) subject = nss_cert.subject cert = nss_cert.der_data finally: del nss_cert nickname = options.nickname or str(subject) ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2, api.env.basedn, api.env.realm, False) with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(cert, nickname, 'C,,') for ca_cert, ca_nickname, ca_trust_flags in ca_certs: tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags) try: tmpdb.verify_ca_cert_validity(nickname) except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_flags = options.trust_flags if ((set(trust_flags) - set(',CPTcgpuw')) or len(trust_flags.split(',')) != 3): raise admintool.ScriptError("Invalid trust flags") try: certstore.put_ca_cert_nss( api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags) except ValueError as e: raise admintool.ScriptError( "Failed to install the certificate: %s" % e) print("CA certificate successfully installed")
def install(self): print("Installing CA certificate, please wait") options = self.options cert_filename = self.args[1] nss_cert = None try: try: nss_cert = x509.load_certificate_from_file(cert_filename) except IOError as e: raise admintool.ScriptError("Can't open \"%s\": %s" % (cert_filename, e)) except (TypeError, NSPRError, ValueError) as e: raise admintool.ScriptError("Not a valid certificate: %s" % e) subject = nss_cert.subject cert = nss_cert.der_data finally: del nss_cert nickname = options.nickname or str(subject) ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2, api.env.basedn, api.env.realm, False) with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(cert, nickname, 'C,,') for ca_cert, ca_nickname, ca_trust_flags in ca_certs: tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags) try: tmpdb.verify_ca_cert_validity(nickname) except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_flags = options.trust_flags if ((set(trust_flags) - set(',CPTcgpuw')) or len(trust_flags.split(',')) != 3): raise admintool.ScriptError("Invalid trust flags") try: certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags) except ValueError as e: raise admintool.ScriptError( "Failed to install the certificate: %s" % e) print("CA certificate successfully installed")
def install_step_1(standalone, replica_config, options): realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password host_name = options.host_name subject_base = options.subject basedn = ipautil.realm_to_suffix(realm_name) ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') # We need to ldap_enable the CA now that DS is up and running if replica_config is None: config = ['caRenewalMaster'] else: config = [] ca.ldap_enable('CA', host_name, dm_password, basedn, config) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) # Lightweight CA key retrieval is configured in step 1 instead # of CAInstance.configure_instance (which is invoked from step # 0) because kadmin_addprinc fails until krb5.conf is installed # by krb.create_instance. # ca.setup_lightweight_ca_key_retrieval() if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) # Store the new IPA CA cert chain in DS NSS database and LDAP cadb = certs.CertDB(realm_name, subject_base=subject_base) dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base) trust_flags = dict(reversed(cadb.list_certs())) trust_chain = cadb.find_root_cert('ipaCert')[:-1] for nickname in trust_chain[:-1]: cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname]) nickname = trust_chain[-1] cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname], config_ipa=True, config_compat=True) api.Backend.ldap2.disconnect() # Restart DS services.knownservices.dirsrv.restart(serverid) api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) # Store DS CA cert in Dogtag NSS database dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] nickname = trust_chain[-1] cert = dsdb.get_cert_from_db(nickname) dogtagdb.add_cert(cert, nickname, trust_flags[nickname]) if standalone: ca.start('pki-tomcat') # We need to restart apache as we drop a new config file in there services.knownservices.httpd.restart(capture_output=True) # Install CA DNS records if bindinstance.dns_container_exists(host_name, basedn, dm_password): bind = bindinstance.BindInstance(dm_password=dm_password) bind.update_system_records()
def renew_external_step_2(self, ca, old_cert): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss( conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [cert] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[cert]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
def install_step_1(standalone, replica_config, options): realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password host_name = options.host_name subject_base = options.subject basedn = ipautil.realm_to_suffix(realm_name) dogtag_constants = dogtag.install_constants ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, dogtag_constants=dogtag_constants) if standalone: ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster']) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH) if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) # Store the new IPA CA cert chain in DS NSS database and LDAP cadb = certs.CertDB(realm_name, subject_base=subject_base) dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base) trust_flags = dict(reversed(cadb.list_certs())) trust_chain = cadb.find_root_cert('ipaCert')[:-1] for nickname in trust_chain[:-1]: cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname]) nickname = trust_chain[-1] cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname], config_ipa=True, config_compat=True) api.Backend.ldap2.disconnect() # Restart DS services.knownservices.dirsrv.restart(serverid) api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) # Store DS CA cert in Dogtag NSS database dogtagdb = certs.CertDB(realm_name, nssdir=dogtag_constants.ALIAS_DIR) trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] nickname = trust_chain[-1] cert = dsdb.get_cert_from_db(nickname) dogtagdb.add_cert(cert, nickname, trust_flags[nickname]) if standalone: ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME) # Update config file try: parser = RawConfigParser() parser.read(paths.IPA_DEFAULT_CONF) parser.set('global', 'enable_ra', 'True') parser.set('global', 'ra_plugin', 'dogtag') parser.set('global', 'dogtag_version', str(dogtag_constants.DOGTAG_VERSION)) with open(paths.IPA_DEFAULT_CONF, 'w') as f: parser.write(f) except IOError as e: print "Failed to update /etc/ipa/default.conf" root_logger.error(str(e)) sys.exit(1) # We need to restart apache as we drop a new config file in there services.knownservices.httpd.restart(capture_output=True) # Install CA DNS records if bindinstance.dns_container_exists(host_name, basedn, dm_password): bind = bindinstance.BindInstance(dm_password=dm_password) bind.add_ipa_ca_dns_records(host_name, domain_name)
def renew_external_step_2(self, ca, old_cert): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [cert] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[cert]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
del nss_cert nickname = options.nickname or str(subject) with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(cert, nickname, 'C,,') try: tmpdb.verify_ca_cert_validity(nickname) except ValueError, e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_flags = options.trust_flags if ((set(trust_flags) - set(',CPTcgpuw')) or len(trust_flags.split(',')) != 3): raise admintool.ScriptError("Invalid trust flags") try: certstore.put_ca_cert_nss( self.conn, api.env.basedn, cert, nickname, trust_flags) except ValueError, e: raise admintool.ScriptError( "Failed to install the certificate: %s" % e) print "CA certificate successfully installed"
def install_step_1(standalone, replica_config, options): realm_name = options.realm_name dm_password = options.dm_password host_name = options.host_name subject_base = options.subject basedn = ipautil.realm_to_suffix(realm_name) ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') # We need to ldap_enable the CA now that DS is up and running if replica_config is None: config = ['caRenewalMaster'] else: config = [] ca.ldap_enable('CA', host_name, dm_password, basedn, config) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) # Lightweight CA key retrieval is configured in step 1 instead # of CAInstance.configure_instance (which is invoked from step # 0) because kadmin_addprinc fails until krb5.conf is installed # by krb.create_instance. # ca.setup_lightweight_ca_key_retrieval() if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) # Store the new IPA CA cert chain in DS NSS database and LDAP cadb = certs.CertDB(realm_name, subject_base=subject_base) dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base) trust_flags = dict(reversed(cadb.list_certs())) trust_chain = cadb.find_root_cert('ipaCert')[:-1] for nickname in trust_chain[:-1]: cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname]) nickname = trust_chain[-1] cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname], config_ipa=True, config_compat=True) api.Backend.ldap2.disconnect() # Restart DS services.knownservices.dirsrv.restart(serverid) api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) # Store DS CA cert in Dogtag NSS database dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] nickname = trust_chain[-1] cert = dsdb.get_cert_from_db(nickname) dogtagdb.add_cert(cert, nickname, trust_flags[nickname]) if standalone: ca.start('pki-tomcat') # We need to restart apache as we drop a new config file in there services.knownservices.httpd.restart(capture_output=True) # Install CA DNS records if bindinstance.dns_container_exists(host_name, basedn, dm_password): bind = bindinstance.BindInstance(dm_password=dm_password) bind.update_system_records()
class CACertManage(admintool.AdminTool): command_name = 'ipa-cacert-manage' usage = "%prog {renew|install} [options]" description = "Manage CA certificates." cert_nickname = 'caSigningCert cert-pki-ca' @classmethod def add_options(cls, parser): super(CACertManage, cls).add_options(parser) parser.add_option("-p", "--password", dest='password', help="Directory Manager password") renew_group = OptionGroup(parser, "Renew options") renew_group.add_option("--self-signed", dest='self_signed', action='store_true', help="Sign the renewed certificate by itself") renew_group.add_option( "--external-ca", dest='self_signed', action='store_false', help="Sign the renewed certificate by external CA") renew_group.add_option( "--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA " "certificate chain") parser.add_option_group(renew_group) install_group = OptionGroup(parser, "Install options") install_group.add_option("-n", "--nickname", dest='nickname', help="Nickname for the certificate") install_group.add_option( "-t", "--trust-flags", dest='trust_flags', default='C,,', help="Trust flags for the certificate in certutil format") parser.add_option_group(install_group) def validate_options(self): super(CACertManage, self).validate_options(needs_root=True) installutils.check_server_configuration() parser = self.option_parser if not self.args: parser.error("command not provided") command = self.command = self.args[0] options = self.options if command == 'renew': pass elif command == 'install': if len(self.args) < 2: parser.error("certificate file name not provided") else: parser.error("unknown command \"%s\"" % command) def run(self): command = self.command options = self.options api.bootstrap(in_server=True) api.finalize() if ((command == 'renew' and options.external_cert_files) or command == 'install'): self.conn = self.ldap_connect() else: self.conn = None try: if command == 'renew': rc = self.renew() elif command == 'install': rc = self.install() finally: if self.conn is not None: self.conn.disconnect() return rc def ldap_connect(self): conn = ldap2() password = self.options.password if not password: try: ccache = krbV.default_context().default_ccache() conn.connect(ccache=ccache) except (krbV.Krb5Error, errors.ACIError): pass else: return conn password = installutils.read_password("Directory Manager", confirm=False, validate=False) if password is None: raise admintool.ScriptError( "Directory Manager password required") conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password) return conn def renew(self): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) if not ca.is_configured(): raise admintool.ScriptError("CA is not configured on this system") nss_dir = ca.dogtag_constants.ALIAS_DIR criteria = { 'cert-database': nss_dir, 'cert-nickname': self.cert_nickname, 'ca-name': 'dogtag-ipa-ca-renew-agent', } self.request_id = certmonger.get_request_id(criteria) if self.request_id is None: raise admintool.ScriptError( "CA certificate is not tracked by certmonger") self.log.debug("Found certmonger request id %r", self.request_id) db = certs.CertDB(api.env.realm, nssdir=nss_dir) cert = db.get_cert_from_db(self.cert_nickname, pem=False) options = self.options if options.external_cert_files: return self.renew_external_step_2(ca, cert) if options.self_signed is not None: self_signed = options.self_signed else: self_signed = x509.is_self_signed(cert, x509.DER) if self_signed: return self.renew_self_signed(ca) else: return self.renew_external_step_1(ca) def renew_self_signed(self, ca): print "Renewing CA certificate, please wait" try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'caCACert') print "CA certificate successfully renewed" def renew_external_step_1(self, ca): print "Exporting CA certificate signing request, please wait" self.resubmit_request(ca, 'ipaCSRExport') print( "The next step is to get %s signed by your CA and re-run " "ipa-cacert-manage as:" % paths.IPA_CA_CSR) print( "ipa-cacert-manage renew " "--external-cert-file=/path/to/signed_certificate " "--external-cert-file=/path/to/external_ca_certificate") def renew_external_step_2(self, ca, old_cert): print "Importing the renewed CA certificate, please wait" options = self.options cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(ca.dogtag_constants.ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError, e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError, e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss(self.conn, api.env.basedn, ca_cert, nickname, ',,')
del nss_cert nickname = options.nickname or str(subject) with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(cert, nickname, 'C,,') try: tmpdb.verify_ca_cert_validity(nickname) except ValueError, e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_flags = options.trust_flags if ((set(trust_flags) - set(',CPTcgpuw')) or len(trust_flags.split(',')) != 3): raise admintool.ScriptError("Invalid trust flags") try: certstore.put_ca_cert_nss(self.conn, api.env.basedn, cert, nickname, trust_flags) except ValueError, e: raise admintool.ScriptError( "Failed to install the certificate: %s" % e) print "CA certificate successfully installed"
def renew_external_step_2(self, ca, old_cert_der): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) old_cert_obj = x509.load_certificate(old_cert_der, x509.DER) old_der_subject = x509.get_der_subject(old_cert_der, x509.DER) old_spki = old_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo) with open(cert_file.name) as f: new_cert_data = f.read() new_cert_der = x509.normalize_certificate(new_cert_data) new_cert_obj = x509.load_certificate(new_cert_der, x509.DER) new_der_subject = x509.get_der_subject(new_cert_der, x509.DER) new_spki = new_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo) if new_cert_obj.subject != old_cert_obj.subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_der_subject != old_der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_spki != old_spki: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,') try: tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: data = ca_cert.public_bytes(serialization.Encoding.DER) tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,') try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [new_cert_der] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[new_cert_der]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")