Esempio n. 1
0
    def stop_tracking_certificates(self, stop_certmonger=True):
        """Stop tracking our certificates. Called on uninstall.
        """
        logger.debug(
            "Configuring certmonger to stop tracking system certificates "
            "for %s", self.subsystem)

        cmonger = services.knownservices.certmonger
        services.knownservices.dbus.start()
        cmonger.start()

        nicknames = list(self.tracking_reqs)
        if self.server_cert_name is not None:
            nicknames.append(self.server_cert_name)

        for nickname in nicknames:
            try:
                certmonger.stop_tracking(
                    self.nss_db, nickname=nickname)
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to stop tracking certificate: %s", e)

        if stop_certmonger:
            cmonger.stop()
Esempio n. 2
0
    def replace_key_cert_files(
        self, cert, key, cert_fname, key_fname, ca_cert,
        profile=None, cmgr_post_command=None
    ):
        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            if ca_enabled:
                certmonger.stop_tracking(certfile=cert_fname)

            x509.write_certificate(cert, cert_fname)
            x509.write_pem_private_key(key, key_fname)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
                ipa_ca_cert = cdb.get_cert_from_db(
                    get_ca_nickname(api.env.realm))
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    req_id = certmonger.start_tracking(
                        (cert_fname, key_fname),
                        storage='FILE',
                        post_command=cmgr_post_command
                    )
                    return req_id
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
Esempio n. 3
0
    def replace_key_cert_files(
        self, cert, key, cert_fname, key_fname, ca_cert, passwd_fname=None,
        profile=None, cmgr_post_command=None
    ):
        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            if ca_enabled:
                certmonger.stop_tracking(certfile=cert_fname)

            pkey_passwd = None
            if passwd_fname is not None:
                with open(passwd_fname, 'rb') as f:
                    pkey_passwd = f.read()

            x509.write_certificate(cert, cert_fname)
            x509.write_pem_private_key(key, key_fname, pkey_passwd)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
                ipa_ca_cert = cdb.get_cert_from_db(
                    get_ca_nickname(api.env.realm))
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    req_id = certmonger.start_tracking(
                        (cert_fname, key_fname),
                        pinfile=passwd_fname,
                        storage='FILE',
                        post_command=cmgr_post_command
                    )
                    return req_id
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
        return None
Esempio n. 4
0
    def stop_tracking_certificates(self, stop_certmonger=True):
        """Stop tracking our certificates. Called on uninstall.
        """
        logger.debug(
            "Configuring certmonger to stop tracking system certificates "
            "for %s", self.subsystem)

        cmonger = services.knownservices.certmonger
        if not services.knownservices.dbus.is_running():
            # some platforms protect dbus with RefuseManualStart=True
            services.knownservices.dbus.start()
        cmonger.start()

        nicknames = list(self.tracking_reqs)
        if self.server_cert_name is not None:
            nicknames.append(self.server_cert_name)

        for nickname in nicknames:
            try:
                certmonger.stop_tracking(
                    self.nss_db, nickname=nickname)
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to stop tracking certificate: %s", e)

        if stop_certmonger:
            cmonger.stop()
Esempio n. 5
0
    def stop_tracking_certificates(self, stop_certmonger=True):
        """Stop tracking our certificates. Called on uninstall.
        """
        self.print_msg(
            "Configuring certmonger to stop tracking system certificates "
            "for %s" % self.subsystem)

        cmonger = services.knownservices.certmonger
        services.knownservices.messagebus.start()
        cmonger.start()

        nicknames = [nickname for nickname, _profile in self.tracking_reqs]
        if self.server_cert_name is not None:
            nicknames.append(self.server_cert_name)

        for nickname in nicknames:
            try:
                certmonger.stop_tracking(
                    self.nss_db, nickname=nickname)
            except RuntimeError as e:
                self.log.error(
                    "certmonger failed to stop tracking certificate: %s", e)

        if stop_certmonger:
            cmonger.stop()
Esempio n. 6
0
    def stop_tracking_certificates(self, stop_certmonger=True):
        """
        Stop tracking our certificates. Called on uninstall.  Also called
        during upgrade to fix discrepancies.

        """
        logger.debug(
            "Configuring certmonger to stop tracking system certificates "
            "for %s", self.subsystem)

        cmonger = services.knownservices.certmonger
        if not services.knownservices.dbus.is_running():
            # some platforms protect dbus with RefuseManualStart=True
            services.knownservices.dbus.start()
        cmonger.start()

        for nickname in self.tracking_reqs:
            try:
                certmonger.stop_tracking(self.nss_db, nickname=nickname)
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to stop tracking certificate: %s", e)

        if stop_certmonger:
            cmonger.stop()
Esempio n. 7
0
 def untrack_server_cert(self, nickname):
     """
     Tell certmonger to stop tracking the given certificate nickname.
     """
     try:
         certmonger.stop_tracking(self.secdir, nickname=nickname)
     except RuntimeError as e:
         root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
Esempio n. 8
0
 def untrack_server_cert(self, nickname):
     """
     Tell certmonger to stop tracking the given certificate nickname.
     """
     try:
         certmonger.stop_tracking(self.secdir, nickname=nickname)
     except RuntimeError as e:
         root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
Esempio n. 9
0
    def install_kdc_cert(self):
        ca_cert_file = paths.CA_BUNDLE_PEM
        pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
            cert_files=self.args,
            key_password=self.options.pin,
            key_nickname=self.options.cert_name,
            ca_cert_files=[ca_cert_file],
            realm_name=api.env.realm)

        cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)

        # Check that the ca_cert is known and trusted
        with tempfile.NamedTemporaryFile() as temp:
            certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)

            kdc_cert = x509.load_certificate_from_file(temp.name)
            ca_certs = x509.load_certificate_list_from_file(ca_cert_file)

            try:
                verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
            except ValueError as e:
                raise admintool.ScriptError(
                    "Peer's certificate issuer is not trusted (%s). "
                    "Please run ipa-cacert-manage install and ipa-certupdate "
                    "to install the CA certificate." % str(e))

        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            if ca_enabled:
                certmonger.stop_tracking(certfile=paths.KDC_CERT)

            certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
            certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                ipa_ca_cert = cdb.get_cert_from_db(
                    get_ca_nickname(api.env.realm),
                    pem=False)
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    certmonger.start_tracking(
                        (paths.KDC_CERT, paths.KDC_KEY),
                        storage='FILE',
                        profile='KDCs_PKINIT_Certs')
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        krb = krbinstance.KrbInstance()
        krb.init_info(
            realm_name=api.env.realm,
            host_name=api.env.host,
        )
        krb.pkinit_enable()
Esempio n. 10
0
    def install_kdc_cert(self):
        ca_cert_file = paths.CA_BUNDLE_PEM
        pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
            cert_files=self.args,
            key_password=self.options.pin,
            key_nickname=self.options.cert_name,
            ca_cert_files=[ca_cert_file],
            realm_name=api.env.realm)

        cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)

        # Check that the ca_cert is known and trusted
        with tempfile.NamedTemporaryFile() as temp:
            certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)

            kdc_cert = x509.load_certificate_from_file(temp.name)
            ca_certs = x509.load_certificate_list_from_file(ca_cert_file)

            try:
                verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
            except ValueError as e:
                raise admintool.ScriptError(
                    "Peer's certificate issuer is not trusted (%s). "
                    "Please run ipa-cacert-manage install and ipa-certupdate "
                    "to install the CA certificate." % str(e))

        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            if ca_enabled:
                certmonger.stop_tracking(certfile=paths.KDC_CERT)

            certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
            certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                ipa_ca_cert = cdb.get_cert_from_db(get_ca_nickname(
                    api.env.realm),
                                                   pem=False)
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    certmonger.start_tracking((paths.KDC_CERT, paths.KDC_KEY),
                                              storage='FILE',
                                              profile='KDCs_PKINIT_Certs')
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        krb = krbinstance.KrbInstance()
        krb.init_info(
            realm_name=api.env.realm,
            host_name=api.env.host,
        )
        krb.pkinit_enable()
Esempio n. 11
0
    def execute(self, **options):
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        if not olddb.has_nickname('ipaCert'):
            # Nothign to do
            return False, []

        newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
        if os.path.exists(paths.IPA_RADB_DIR):
            if newdb.has_nickname('ipaCert'):
                self.log.warning(
                    "An 'ipaCert' nickname exists in both the old {} and the "
                    "new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
                                                   paths.IPA_RADB_DIR))
                return False, []
        else:
            # Create the DB
            newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)

        # Import cert chain (ignore errors, as certs may already be imported)
        certlist = olddb.list_certs()
        certflags = {}
        for name, flags in certlist:
            certflags[name] = flags
        for name in olddb.get_trust_chain('ipaCert'):
            if name == 'ipaCert':
                continue
            try:
                cert = olddb.get_cert(name, pem=True)
                newdb.add_cert(cert, name, certflags[name], pem=True)
            except Exception as e:  # pylint disable=broad-except
                self.log.warning("Failed to import '{}' from trust "
                                 "chain: {}".format(name, str(e)))

        # As the last step export/import/delete the RA Cert
        pw = binascii.hexlify(os.urandom(10))
        p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
        olddb.export_pkcs12('ipaCert', p12file, pw)
        newdb.import_pkcs12(p12file, pw)

        certmonger.stop_tracking(secdir=olddb.secdir, nickname='ipaCert')
        certmonger.start_tracking(secdir=newdb.secdir,
                                  nickname='ipaCert',
                                  password_file=newdb.pwd_file)

        olddb.delete_cert('ipaCert')

        return False, []
Esempio n. 12
0
    def execute(self, **options):
        ra_nick = 'ipaCert'
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        try:
            certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        except ValueError as e:
            logger.warning("Problem opening NSS database in "
                           "%s. Skipping check for existing RA "
                           "agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
            return False, []

        if not certdb.has_nickname(ra_nick):
            # Nothign to do
            return False, []
        elif os.path.exists(paths.RA_AGENT_PEM):
            # even though the certificate file exists, we will overwrite it
            # as it's probabably something wrong anyway
            logger.warning(
                "A certificate with the nickname 'ipaCert' exists in "
                "the old '%s' NSS database as well as in the new "
                "PEM file '%s'",
                paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)

        _fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
        # no password is necessary as we will be saving it in clear anyway
        certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

        # stop tracking the old cert and remove it
        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
        certdb.delete_key_and_cert(ra_nick)
        if os.path.exists(paths.OLD_KRA_AGENT_PEM):
            os.remove(paths.OLD_KRA_AGENT_PEM)

        # get the private key and certificate from the file and start
        # tracking it in certmonger
        ca = cainstance.CAInstance()
        ca.import_ra_cert(p12file)

        os.remove(p12file)

        return False, []
Esempio n. 13
0
    def execute(self, **options):
        ra_nick = 'ipaCert'
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        if not certdb.has_nickname(ra_nick):
            # Nothign to do
            return False, []
        elif os.path.exists(paths.RA_AGENT_PEM):
            # even though the certificate file exists, we will overwrite it
            # as it's probabably something wrong anyway
            self.log.warning(
                "A certificate with the nickname 'ipaCert' exists in "
                "the old '{}' NSS database as well as in the new "
                "PEM file '{}'"
                .format(paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM))

        _fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
        # no password is necessary as we will be saving it in clear anyway
        certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

        # stop tracking the old cert and remove it
        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
        certdb.delete_cert(ra_nick)
        if os.path.exists(paths.OLD_KRA_AGENT_PEM):
            os.remove(paths.OLD_KRA_AGENT_PEM)

        # get the private key and certificate from the file and start
        # tracking it in certmonger
        ca = cainstance.CAInstance()
        ca.import_ra_cert(p12file)

        os.remove(p12file)

        return False, []
Esempio n. 14
0
 def stop_tracking_certs(self):
     certmonger.stop_tracking(certfile=paths.KDC_CERT)
Esempio n. 15
0
 def stop_tracking_certificates(self):
     try:
         certmonger.stop_tracking(certfile=paths.HTTPD_CERT_FILE)
     except RuntimeError as e:
         logger.error("certmonger failed to stop tracking certificate: %s",
                      str(e))
Esempio n. 16
0
 def stop_tracking_certs(self):
     certmonger.stop_tracking(certfile=paths.KDC_CERT)
Esempio n. 17
0
 def stop_tracking_certificates(self):
     try:
         certmonger.stop_tracking(certfile=paths.HTTPD_CERT_FILE)
     except RuntimeError as e:
         logger.error("certmonger failed to stop tracking certificate: %s",
                      str(e))