def install(self):
print("Installing CA certificate, please wait")
options = self.options
cert_filename = self.args[1]
try:
cert = x509.load_certificate_from_file(cert_filename)
except IOError as e:
raise admintool.ScriptError("Can't open \"%s\": %s" %
(cert_filename, e))
except (TypeError, ValueError) as e:
raise admintool.ScriptError("Not a valid certificate: %s" % e)
nickname = options.nickname or str(DN(cert.subject))
ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
api.env.basedn, api.env.realm,
False)
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
try:
tmpdb.verify_ca_cert_validity(nickname)
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_flags = options.trust_flags.split(',')
if (set(options.trust_flags) - set(',CPTcgpuw')
or len(trust_flags) not in [3, 4]):
raise admintool.ScriptError("Invalid trust flags")
extra_flags = trust_flags[3:]
extra_usages = set()
if extra_flags:
if 'C' in extra_flags[0]:
extra_usages.add(x509.EKU_PKINIT_KDC)
if 'T' in extra_flags[0]:
extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)
trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
trust_flags = TrustFlags(trust_flags.has_key, trust_flags.trusted,
trust_flags.ca,
trust_flags.usages | extra_usages)
try:
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert,
nickname, trust_flags)
except ValueError as e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
print("CA certificate successfully installed")
def __upload_ca_cert(self):
"""
Upload the CA certificate from the NSS database to the LDAP directory.
"""
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm,
nssdir=dirname,
subject_base=self.subject_base)
trust_flags = dict(reversed(dsdb.list_certs()))
ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
nicknames = dsdb.find_root_cert(self.cacert_name)[:-1]
for nickname in nicknames:
cert = dsdb.get_cert_from_db(nickname)
certstore.put_ca_cert_nss(conn, self.suffix, cert, nickname,
trust_flags[nickname])
nickname = self.cacert_name
cert = dsdb.get_cert_from_db(nickname)
cacert_flags = trust_flags[nickname]
if self.setup_pkinit:
cacert_flags = TrustFlags(
cacert_flags.has_key,
cacert_flags.trusted,
cacert_flags.ca,
(cacert_flags.usages
| {x509.EKU_PKINIT_CLIENT_AUTH, x509.EKU_PKINIT_KDC}),
)
certstore.put_ca_cert_nss(conn,
self.suffix,
cert,
nickname,
cacert_flags,
config_ipa=self.ca_is_configured,
config_compat=self.master_fqdn is None)
conn.unbind()
def install(self):
print("Installing CA certificate, please wait")
options = self.options
ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
api.env.basedn, api.env.realm,
False)
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.import_files(self.args[1:])
imported = tmpdb.list_certs()
logger.debug("loaded raw certs '%s'", imported)
if len(imported) > 1 and options.nickname:
raise admintool.ScriptError(
"Nickname can only be used if only a single "
"certificate is loaded")
# If a nickname was provided re-import the cert
if options.nickname:
(nickname, trust_flags) = imported[0]
cert = tmpdb.get_cert(nickname)
tmpdb.delete_cert(nickname)
tmpdb.add_cert(cert, options.nickname, EXTERNAL_CA_TRUST_FLAGS)
imported = tmpdb.list_certs()
for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
for nickname, trust_flags in imported:
if trust_flags.has_key:
continue
tmpdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
for nickname, trust_flags in imported:
try:
tmpdb.verify_ca_cert_validity(nickname)
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
else:
print("Verified %s" % nickname)
trust_flags = options.trust_flags.split(',')
if (set(options.trust_flags) - set(',CPTcgpuw')
or len(trust_flags) not in [3, 4]):
raise admintool.ScriptError("Invalid trust flags")
extra_flags = trust_flags[3:]
extra_usages = set()
if extra_flags:
if 'C' in extra_flags[0]:
extra_usages.add(x509.EKU_PKINIT_KDC)
if 'T' in extra_flags[0]:
extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)
trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
trust_flags = TrustFlags(trust_flags.has_key, trust_flags.trusted,
trust_flags.ca,
trust_flags.usages | extra_usages)
for nickname, _trust_flags in imported:
try:
cert = tmpdb.get_cert(nickname)
certstore.put_ca_cert_nss(api.Backend.ldap2,
api.env.basedn, cert, nickname,
trust_flags)
except ValueError as e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
print("CA certificate successfully installed")
def key_policy_to_trust_flags(trusted, ca, ext_key_usage):
"""
Convert certificate store key policy to certutil trust flags.
"""
return TrustFlags(False, trusted, ca, ext_key_usage)