def verify_server_cert_validity(self, nickname, hostname):
"""Verify a certificate is valid for a SSL server with given hostname
Raises a ValueError if the certificate is invalid.
"""
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102:
raise ValueError(e.strerror)
approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
raise ValueError('invalid for server %s' % hostname)
finally:
del certdb, cert
nss.nss_shutdown()
return None
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
if not cert.subject:
raise ValueError("has empty subject")
try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
except KeyError:
raise ValueError("missing basic constraints")
bc = nss.BasicConstraints(bc.value)
if not bc.is_ca:
raise ValueError("not a CA certificate")
intended_usage = nss.certificateUsageSSLCA
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
raise ValueError(e.strerror)
approved_usage = 0
if approved_usage & intended_usage != intended_usage:
raise ValueError('invalid for a CA')
finally:
del certdb, cert
nss.nss_shutdown()
def test_full(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "full.xml"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == [
(
u"KID1",
{
"ipatokenotpkey": u"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
"ipatokennotafter": u"20060531000000Z",
"ipatokennotbefore": u"20060501000000Z",
"ipatokenserial": u"SerialNo-IssueNo",
"ipatokentotpclockoffset": 60000,
"ipatokenotpalgorithm": u"sha1",
"ipatokenvendor": u"iana.dummy",
"description": u"FriendlyName",
"ipatokentotptimestep": 200,
"ipatokenhotpcounter": 0,
"ipatokenmodel": u"Model",
"ipatokenotpdigits": 8,
"type": u"hotp",
},
)
]
finally:
nss.nss_shutdown()
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
if not cert.subject:
raise ValueError("has empty subject")
try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
except KeyError:
raise ValueError("missing basic constraints")
bc = nss.BasicConstraints(bc.value)
if not bc.is_ca:
raise ValueError("not a CA certificate")
intended_usage = nss.certificateUsageSSLCA
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102: # SEC_ERROR_INADEQUATE_KEY_USAGE
raise ValueError(e.strerror)
approved_usage = 0
if approved_usage & intended_usage != intended_usage:
raise ValueError('invalid for a CA')
finally:
del certdb, cert
nss.nss_shutdown()
def verify_server_cert_validity(self, nickname, hostname):
"""Verify a certificate is valid for a SSL server with given hostname
Raises a ValueError if the certificate is invalid.
"""
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError as e:
if e.errno != -8102:
raise ValueError(e.strerror)
approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
raise ValueError('invalid for server %s' % hostname)
finally:
del certdb, cert
nss.nss_shutdown()
return None
def __init__(self, host, port=None, strict=None,
dbdir=None, family=socket.AF_UNSPEC, no_init=False,
tls_version_min='tls1.1', tls_version_max='tls1.2'):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
if not dbdir:
raise RuntimeError("dbdir is required")
root_logger.debug('%s init %s', self.__class__.__name__, host)
if not no_init and nss.nss_is_initialized():
# close any open NSS database and use the new one
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError, e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
def run_server():
pid = os.fork()
if pid == 0:
nss.nss_init(db_name)
server()
nss.nss_shutdown()
time.sleep(sleep_time)
return pid
def run_server():
pid = os.fork()
if pid == 0:
nss.nss_init(certdir)
server()
nss.nss_shutdown()
time.sleep(sleep_time)
return pid
def test_figure8(self):
nss.nss_init_nodb()
try:
PSKCDocument(os.path.join(basename, "pskc-figure8.xml"))
except NotImplementedError: # X.509 is not supported.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_invalid(self):
nss.nss_init_nodb()
try:
PSKCDocument(os.path.join(basename, "pskc-invalid.xml"))
except ValueError: # File is invalid.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_invalid(self):
nss.nss_init_nodb()
try:
PSKCDocument(os.path.join(basename, "pskc-invalid.xml"))
except ValueError: # File is invalid.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_figure8(self):
nss.nss_init_nodb()
try:
PSKCDocument(os.path.join(basename, "pskc-figure8.xml"))
except NotImplementedError: # X.509 is not supported.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_mini(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-mini.xml"))
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # Unsupported token type.
pass
else:
assert False
finally:
nss.nss_shutdown()
def test_mini(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-mini.xml"))
[(t.id, t.options) for t in doc.getKeyPackages()]
except ValidationError: # Unsupported token type.
pass
else:
assert False
finally:
nss.nss_shutdown()
def shutdown(self):
if not nss.nss_is_initialized():
return
try:
ssl.clear_session_cache()
except Exception:
pass
try:
nss.nss_shutdown()
except Exception:
pass
def shutdown(self):
if not nss.nss_is_initialized():
return
try:
ssl.clear_session_cache()
except Exception:
pass
try:
nss.nss_shutdown()
except Exception:
pass
def __init__(
self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min="tls1.1",
tls_version_max="tls1.2",
):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug("%s init %s", self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
self.tls_version_min = str(tls_version_min)
self.tls_version_max = str(tls_version_max)
def __init__(self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min='tls1.1',
tls_version_max='tls1.2'):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug('%s init %s', self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
tls_versions = get_proper_tls_version_span(tls_version_min,
tls_version_max)
self.tls_version_min = tls_versions[0]
self.tls_version_max = tls_versions[-1]
def test_figure7(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure7.xml"))
assert doc.keyname == 'My Password 1'
doc.setKey('qwerty')
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'123456', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'TokenVendorAcme',
'ipatokenserial': u'987654321',
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure7(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure7.xml"))
assert doc.keyname == 'My Password 1'
doc.setKey('qwerty')
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'123456', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'TokenVendorAcme',
'ipatokenserial': u'987654321',
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure6(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml"))
assert doc.keyname == 'Pre-shared-key'
doc.setKey('12345678901234567890123456789012'.decode('hex'))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
'ipatokenhotpcounter': 0,
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure6(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml"))
assert doc.keyname == 'Pre-shared-key'
doc.setKey('12345678901234567890123456789012'.decode('hex'))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'12345678', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokenvendor': u'Manufacturer',
'ipatokenserial': u'987654321',
'ipatokenhotpcounter': 0,
'ipatokenotpdigits': 8,
'type': u'hotp'})]
finally:
nss.nss_shutdown()
def test_figure7(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure7.xml"))
assert doc.keyname == "My Password 1"
doc.setKey("qwerty")
assert [(t.id, t.options) for t in doc.getKeyPackages()] == [
(
u"123456",
{
"ipatokenotpkey": u"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
"ipatokenvendor": u"TokenVendorAcme",
"ipatokenserial": u"987654321",
"ipatokenotpdigits": 8,
"type": u"hotp",
},
)
]
finally:
nss.nss_shutdown()
def test_figure6(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml"))
assert doc.keyname == "Pre-shared-key"
doc.setKey("12345678901234567890123456789012".decode("hex"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == [
(
u"12345678",
{
"ipatokenotpkey": u"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
"ipatokenvendor": u"Manufacturer",
"ipatokenserial": u"987654321",
"ipatokenhotpcounter": 0,
"ipatokenotpdigits": 8,
"type": u"hotp",
},
)
]
finally:
nss.nss_shutdown()
def test_full(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "full.xml"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'KID1', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokennotafter': u'20060531000000Z',
'ipatokennotbefore': u'20060501000000Z',
'ipatokenserial': u'SerialNo-IssueNo',
'ipatokentotpclockoffset': 60000,
'ipatokenotpalgorithm': u'sha1',
'ipatokenvendor': u'iana.dummy',
'description': u'FriendlyName',
'ipatokentotptimestep': 200,
'ipatokenhotpcounter': 0,
'ipatokenmodel': u'Model',
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
finally:
nss.nss_shutdown()
def test_full(self):
nss.nss_init_nodb()
try:
doc = PSKCDocument(os.path.join(basename, "full.xml"))
assert [(t.id, t.options) for t in doc.getKeyPackages()] == \
[(u'KID1', {
'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
'ipatokennotafter': u'20060531000000Z',
'ipatokennotbefore': u'20060501000000Z',
'ipatokenserial': u'SerialNo-IssueNo',
'ipatokentotpclockoffset': 60000,
'ipatokenotpalgorithm': u'sha1',
'ipatokenvendor': u'iana.dummy',
'description': u'FriendlyName',
'ipatokentotptimestep': 200,
'ipatokenhotpcounter': 0,
'ipatokenmodel': u'Model',
'ipatokenotpdigits': 8,
'type': u'hotp',
})]
finally:
nss.nss_shutdown()
def test_shutdown_callback(self):
int_value = 43
str_value = u"foobar"
count = 0
dict_value = {'count': count}
def shutdown_callback(nss_data, i, s, d):
self.assertEqual(isinstance(nss_data, dict), True)
self.assertEqual(isinstance(i, int), True)
self.assertEqual(i, int_value)
self.assertEqual(isinstance(s, six.string_types), True)
self.assertEqual(s, str_value)
self.assertEqual(isinstance(d, dict), True)
self.assertEqual(d, dict_value)
d['count'] += 1
return True
nss.nss_init_nodb()
nss.set_shutdown_callback(shutdown_callback, int_value, str_value, dict_value)
nss.nss_shutdown()
self.assertEqual(dict_value['count'], count + 1)
# Callback should not be invoked again after shutdown
nss.nss_init_nodb()
nss.nss_shutdown()
self.assertEqual(dict_value['count'], count + 1)
# Callback should not be invoked if cleared
nss.nss_init_nodb()
nss.set_shutdown_callback(shutdown_callback, int_value, str_value, dict_value)
nss.set_shutdown_callback(None)
nss.nss_shutdown()
self.assertEqual(dict_value['count'], count + 1)
def execute(self, argv):
try:
opts, args = getopt.getopt(argv, 'i:v',
['instance=', 'verbose', 'help'])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) < 1:
print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
if len(args) < 2:
print('ERROR: missing cert ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
cert_id = args[1]
instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
instance = pki.server.PKIInstance(instance_name)
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
# get cert data from NSS database
nss.nss_init(instance.nssdb_dir)
nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
data = base64.b64encode(nss_cert.der_data)
del nss_cert
nss.nss_shutdown()
subsystem_cert['data'] = data
# format cert data for LDAP database
lines = [data[i:i + 64] for i in range(0, len(data), 64)]
data = string.join(lines, '\r\n') + '\r\n'
# get cert request from local CA
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
results = ca.find_cert_requests(cert=data)
cert_request = results[-1]
request = cert_request['request']
# format cert request for CS.cfg
lines = request.splitlines()
if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
lines = lines[1:]
if lines[-1] == '-----END CERTIFICATE REQUEST-----':
lines = lines[:-1]
request = string.join(lines, '')
subsystem_cert['request'] = request
# store cert data and request in CS.cfg
subsystem.update_subsystem_cert(subsystem_cert)
subsystem.save()
self.print_message('Updated "%s" subsystem certificate' % cert_id)
SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
def renew_external_step_2(self, ca, old_cert):
print "Importing the renewed CA certificate, please wait"
options = self.options
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError, e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError, e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
def main(cls, argv):
nss.nss_init_nodb()
try:
super(OTPTokenImport, cls).main(argv)
finally:
nss.nss_shutdown()
def renew_external_step_2(self, ca, old_cert):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(
conn, api.env.basedn, ca_cert, nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[cert])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request(ca, 'ipaRetrieval')
print("CA certificate successfully renewed")
def tearDown(self):
del self.encoding_ctx
del self.decoding_ctx
nss.nss_shutdown()
def renew_external_step_2(self, ca, old_cert):
print "Importing the renewed CA certificate, please wait"
options = self.options
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError, e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError, e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
def tearDown(self):
nss.nss_shutdown()
def test_ssl(self):
request = "foo"
nss.nss_init(certdir)
reply = client(request)
nss.nss_shutdown()
self.assertEqual("{%s}" % request, reply)
def renew_external_step_2(self, ca, old_cert):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert,
nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[cert])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request(ca, 'ipaRetrieval')
print("CA certificate successfully renewed")
if client and server:
print "can't be both client and server"
sys.exit(1)
if not (client or server):
print "must be one of client or server"
sys.exit(1)
# Perform basic configuration and setup
if certdir is None:
nss.nss_init_nodb()
else:
nss.nss_init(certdir)
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Run as a client or as a server
if client:
print "starting as client"
Client()
if server:
print "starting as server"
Server()
try:
nss.nss_shutdown()
except Exception, e:
print e
def tearDown(self):
nss.nss_shutdown()
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
try:
approved_usage = cert.verify_now(certdb, True, intended_usage)
except NSPRError, e:
if e.errno != -8102:
raise ValueError(e.strerror)
approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
raise ValueError('invalid for server %s' % hostname)
finally:
del certdb, cert
nss.nss_shutdown()
return None
def verify_ca_cert_validity(self, nickname):
certdb = cert = None
if nss.nss_is_initialized():
nss.nss_shutdown()
nss.nss_init(self.secdir)
try:
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
if not cert.subject:
raise ValueError("has empty subject")
try:
bc = cert.get_extension(nss.SEC_OID_X509_BASIC_CONSTRAINTS)
def execute(self, argv):
try:
opts, args = getopt.getopt(argv, 'i:v', [
'instance=',
'verbose', 'help'])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) < 1:
print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
if len(args) < 2:
print('ERROR: missing cert ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
cert_id = args[1]
instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
instance = pki.server.PKIInstance(instance_name)
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
# get cert data from NSS database
nss.nss_init(instance.nssdb_dir)
nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
data = base64.b64encode(nss_cert.der_data)
del nss_cert
nss.nss_shutdown()
subsystem_cert['data'] = data
# format cert data for LDAP database
lines = [data[i:i + 64] for i in range(0, len(data), 64)]
data = string.join(lines, '\r\n') + '\r\n'
# get cert request from local CA
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
results = ca.find_cert_requests(cert=data)
cert_request = results[-1]
request = cert_request['request']
# format cert request for CS.cfg
lines = request.splitlines()
if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
lines = lines[1:]
if lines[-1] == '-----END CERTIFICATE REQUEST-----':
lines = lines[:-1]
request = string.join(lines, '')
subsystem_cert['request'] = request
# store cert data and request in CS.cfg
subsystem.update_subsystem_cert(subsystem_cert)
subsystem.save()
self.print_message('Updated "%s" subsystem certificate' % cert_id)
SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
def test_ssl(self):
request = "foo"
nss.nss_init(db_name)
reply = client(request)
nss.nss_shutdown()
self.assertEqual("{%s}" % request, reply)
def main(cls, argv):
nss.nss_init_nodb()
try:
super(OTPTokenImport, cls).main(argv)
finally:
nss.nss_shutdown()
def tearDown(self):
del self.encoding_ctx
del self.decoding_ctx
nss.nss_shutdown()
