def test_convert_db():
    """Converting a DBM db to SQL keeps its certs and keys and yields sql files."""
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
        nssdb.create_db()
        assert nssdb.exists()
        create_selfsigned(nssdb)

        certs_before = nssdb.list_certs()
        assert len(certs_before) == 1
        keys_before = nssdb.list_keys()
        assert len(keys_before) == 1

        nssdb.convert_db()

        assert nssdb.exists()
        assert nssdb.dbtype == 'sql'
        certs_after = nssdb.list_certs()
        assert len(certs_after) == 1
        assert certs_after == certs_before
        keys_after = nssdb.list_keys()
        assert len(keys_after) == 1
        assert keys_after == keys_before

        # every db file lives directly in secdir
        for path in nssdb.filenames:
            assert os.path.isfile(path)
            assert os.path.dirname(path) == nssdb.secdir

        # SQL-format file names
        assert os.path.basename(nssdb.certdb) == 'cert9.db'
        assert nssdb.certdb in nssdb.filenames
        assert os.path.basename(nssdb.keydb) == 'key4.db'
        assert os.path.basename(nssdb.secmod) == 'pkcs11.txt'
def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
    """Verify the server certs in a PKCS#12 file against the CA certs in *nssdb*.

    The PKCS#12 file is imported into a throwaway NSS database, every
    certificate that has no private key is removed from it, and the
    key-less (CA) certificates of *nssdb* are added instead, so that
    validation runs only against the trusted CAs.

    :raises admintool.ScriptError: when ``verify_server_cert_validity``
        raises ``ValueError`` for one of the server certs.
    """
    with NSSDatabase() as tempnssdb:
        tempnssdb.create_db()
        tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)

        # Drop everything without a key; only the server certs stay.
        keyless = [nick for nick, flags in tempnssdb.list_certs()
                   if not flags.has_key]
        for nick in keyless:
            while tempnssdb.has_nickname(nick):
                tempnssdb.delete_cert(nick)

        # Bring over the CA certs (those without a key) from nssdb.
        for nick, flags in nssdb.list_certs():
            if flags.has_key:
                continue
            tempnssdb.add_cert(nssdb.get_cert_from_db(nick), nick, flags)

        # Validate each server cert for this host's name.
        try:
            for nick, _flags in tempnssdb.find_server_certs():
                tempnssdb.verify_server_cert_validity(nick, api.env.host)
        except ValueError as e:
            raise admintool.ScriptError(
                "Peer's certificate issuer is not trusted (%s). "
                "Please run ipa-cacert-manage install and ipa-certupdate "
                "to install the CA certificate." % str(e))
def export_key(self):
    """Export the nickname's key and cert as a password-protected PKCS#12 blob.

    Returns ``json_encode`` of ``{'export password': ..., 'pkcs12 data': ...}``
    with the PKCS#12 bytes base64 encoded.  The scratch directory holding
    the password file and the PKCS#12 file is removed on every exit path.
    """
    workdir = tempfile.mkdtemp(dir=paths.TMP)
    try:
        password = ipautil.ipa_generate_password()
        pwfile = os.path.join(workdir, 'pk12pwfile')
        with open(pwfile, 'w') as fh:
            fh.write(password)

        p12file = os.path.join(workdir, 'pk12file')
        NSSDatabase(self.nssdb_path).run_pk12util([
            "-o", p12file,
            "-n", self.nickname,
            "-k", self.nssdb_pwdfile,
            "-w", pwfile,
        ])
        with open(p12file, 'rb') as fh:
            p12data = fh.read()
    finally:
        shutil.rmtree(workdir)

    return json_encode({
        'export password': password,
        'pkcs12 data': b64encode(p12data).decode('ascii'),
    })
def export_key(args, tmpdir):
    """Export key and certificate from the NSS DB to a PKCS#12 file.

    The PKCS#12 file is encrypted with a password.

    The generated password and the raw PKCS#12 bytes are written with
    ``common.json_dump`` to ``args.exportfile``.  The password file and
    the PKCS#12 file are created under *tmpdir*, which the caller owns.
    """
    password = ipautil.ipa_generate_password()
    p12path = os.path.join(tmpdir, 'export.p12')
    pwpath = os.path.join(tmpdir, 'passwd')
    with open(pwpath, 'w') as fh:
        fh.write(password)

    NSSDatabase(args.nssdb_path).run_pk12util([
        "-o", p12path,
        "-n", args.nickname,
        "-k", args.nssdb_pwdfile,
        "-w", pwpath,
    ])
    with open(p12path, 'rb') as fh:
        p12data = fh.read()

    common.json_dump(
        {'export password': password, 'pkcs12 data': p12data},
        args.exportfile,
    )
def import_key(args, tmpdir):
    """Import key and certificate from a PKCS#12 file to a NSS DB.

    ``args.importfile`` holds a JSON document with ``'export password'``
    and base64 ``'pkcs12 data'``; both are materialised under *tmpdir*
    and passed to ``pk12util -i``.
    """
    payload = json.load(args.importfile)
    password = payload['export password']
    p12data = base64.b64decode(payload['pkcs12 data'])

    pwpath = os.path.join(tmpdir, 'passwd')
    with open(pwpath, 'w') as fh:
        fh.write(password)
    p12path = os.path.join(tmpdir, 'import.p12')
    with open(p12path, 'wb') as fh:
        fh.write(p12data)

    NSSDatabase(args.nssdb_path).run_pk12util([
        "-i", p12path,
        "-n", args.nickname,
        "-k", args.nssdb_pwdfile,
        "-w", pwpath,
    ])
def expired_ipa_certs(now):
    """
    Determine which IPA certs are expired, or close to expiry.

    Return a list of (IPACertType, cert) pairs.
    """
    expired = []

    def consider(certtype, cert):
        # a cert counts as expired when notAfter is at or before `now`
        # (presumably callers pass a future `now` for the "close to" case)
        if cert.not_valid_after <= now:
            expired.append((certtype, cert))

    # IPA RA
    consider(IPACertType.IPARA,
             x509.load_certificate_from_file(paths.RA_AGENT_PEM))
    # Apache HTTPD
    consider(IPACertType.HTTPS,
             x509.load_certificate_from_file(paths.HTTPD_CERT_FILE))
    # LDAPS: the DS server cert lives in the instance's NSS database
    ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
    consider(IPACertType.LDAPS,
             NSSDatabase(nssdir=ds_dbdir).get_cert('Server-Cert'))
    # KDC
    consider(IPACertType.KDC,
             x509.load_certificate_from_file(paths.KDC_CERT))

    return expired
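def __init__(self, realm, nssdir=NSS_DIR, fstore=None, host_name=None,
             subject_base=None):
    """Wrap the NSS database in *nssdir* and set up the file names it uses.

    :param realm: Kerberos realm name
    :param nssdir: directory of the NSS database (legacy DBM file names
        cert8.db/key3.db/secmod.db are assumed)
    :param fstore: unused here (kept for the caller's interface)
    :param host_name: host name stored for later use
    :param subject_base: subject base DN stored for later use
    :raises RuntimeError: when the current working directory cannot be
        determined
    """
    self.nssdb = NSSDatabase(nssdir)
    self.secdir = nssdir
    self.realm = realm

    # file names are built by plain concatenation, as in the rest of the class
    self.noise_fname = self.secdir + "/noise.txt"
    self.passwd_fname = self.secdir + "/pwdfile.txt"
    self.certdb_fname = self.secdir + "/cert8.db"
    self.keydb_fname = self.secdir + "/key3.db"
    self.secmod_fname = self.secdir + "/secmod.db"
    self.cacert_fname = self.secdir + "/cacert.asc"
    self.pk12_fname = self.secdir + "/cacert.p12"
    self.pin_fname = self.secdir + "/pin.txt"
    self.pwd_conf = paths.HTTPD_PASSWORD_CONF

    self.reqdir = None
    self.certreq_fname = None
    self.certder_fname = None
    self.host_name = host_name
    self.subject_base = subject_base

    try:
        self.cwd = os.getcwd()
    except OSError as e:
        # `except X as e` is the form valid on both Python 2.6+ and 3;
        # the `except X, e` spelling is a syntax error on Python 3
        raise RuntimeError(
            "Unable to determine the current directory: %s" % str(e))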
def expired_dogtag_certs(now):
    """
    Determine which Dogtag certs are expired, or close to expiry.

    Return a list of (cert_id, cert) pairs.
    """
    candidates = (
        ('sslserver', 'Server-Cert cert-pki-ca'),
        ('subsystem', 'subsystemCert cert-pki-ca'),
        ('ca_ocsp_signing', 'ocspSigningCert cert-pki-ca'),
        ('ca_audit_signing', 'auditSigningCert cert-pki-ca'),
        ('kra_transport', 'transportCert cert-pki-kra'),
        ('kra_storage', 'storageCert cert-pki-kra'),
        ('kra_audit_signing', 'auditSigningCert cert-pki-kra'),
    )
    db = NSSDatabase(nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
    found = []
    for certid, nickname in candidates:
        try:
            cert = db.get_cert(nickname)
        except RuntimeError:
            # certdb only raises a plain RuntimeError, so a nickname that
            # cannot be read is simply skipped
            continue
        if cert.not_valid_after <= now:
            found.append((certid, cert))
    return found
def export_key(self):
    """Export the target key (wrapped) and its certificate from the NSS DB.

    ``pki ca-authority-key-export`` writes the private key wrapped under
    the ``self.wrap_nick`` key; ``certutil -L -a`` writes the certificate
    in ASCII form.  Both are returned as JSON, the wrapped key base64
    encoded.  The scratch directory is removed on every exit path.
    """
    workdir = tempfile.mkdtemp(dir=paths.TMP)
    try:
        key_path = os.path.join(workdir, 'wrapped_key')
        cert_path = os.path.join(workdir, 'certificate')
        ipautil.run([
            paths.PKI,
            '-d', self.nssdb_path,
            '-C', self.nssdb_pwdfile,
            'ca-authority-key-export',
            '--wrap-nickname', self.wrap_nick,
            '--target-nickname', self.target_nick,
            '-o', key_path,
        ])
        NSSDatabase(self.nssdb_path).run_certutil([
            '-L', '-n', self.target_nick, '-a', '-o', cert_path,
        ])
        with open(key_path, 'rb') as fh:
            wrapped_key = fh.read()
        with open(cert_path, 'r') as fh:
            certificate = fh.read()
    finally:
        shutil.rmtree(workdir)

    return json_encode({
        'wrapped_key': b64encode(wrapped_key).decode('ascii'),
        'certificate': certificate,
    })
def export_key(args, tmpdir):
    """Export key and certificate from the NSS DB

    The private key is encrypted using key wrapping.

    The wrapped key (raw bytes) and the ASCII certificate are written with
    ``common.json_dump`` to ``args.exportfile``; the intermediate files
    are created under *tmpdir*, which the caller owns.
    """
    key_path = os.path.join(tmpdir, 'wrapped_key')
    cert_path = os.path.join(tmpdir, 'certificate')

    ipautil.run([
        paths.PKI,
        '-d', args.nssdb_path,
        '-C', args.nssdb_pwdfile,
        'ca-authority-key-export',
        '--wrap-nickname', args.wrap_nickname,
        '--target-nickname', args.nickname,
        '-o', key_path,
    ])
    NSSDatabase(args.nssdb_path).run_certutil([
        '-L', '-n', args.nickname, '-a', '-o', cert_path,
    ])

    with open(key_path, 'rb') as fh:
        wrapped_key = fh.read()
    with open(cert_path, 'r') as fh:
        certificate = fh.read()

    common.json_dump(
        {'wrapped_key': wrapped_key, 'certificate': certificate},
        args.exportfile,
    )
def setup(self):
    """Create a temporary NSS database and the csr/cert paths the tests use."""
    self.nssdb = NSSDatabase()
    secdir = self.nssdb.secdir
    self.reqfile, self.certfile = (
        os.path.join(secdir, name) for name in ("test.csr", "cert.crt")
    )
    # the db is created inside the temporary secdir
    self.nssdb.create_db()
    self.subject = DN(('CN', self.host_fqdn), subject_base())
def __init__(self, realm, nssdir, fstore=None, host_name=None,
             subject_base=None, ca_subject=None, user=None, group=None,
             mode=None, create=False):
    """Wrap the NSS database in *nssdir* for certificate management.

    :param realm: Kerberos realm name
    :param nssdir: directory of the NSS database (legacy DBM file names)
    :param fstore: file store to use; ``sysrestore.FileStore`` on
        ``paths.SYSRESTORE`` when not given
    :param host_name, subject_base, ca_subject: stored for later use
    :param user, group, mode: owner/group/mode for a newly created db
    :param create: when true, create the db files with the given owner;
        otherwise take uid/gid from the existing directory
    :raises RuntimeError: when the current working directory cannot be
        determined
    """
    self.nssdb = NSSDatabase(nssdir)
    self.secdir = nssdir
    self.realm = realm

    # legacy file names, built by plain concatenation
    self.noise_fname = self.secdir + "/noise.txt"
    self.certdb_fname = self.secdir + "/cert8.db"
    self.keydb_fname = self.secdir + "/key3.db"
    self.secmod_fname = self.secdir + "/secmod.db"
    self.pk12_fname = self.secdir + "/cacert.p12"
    self.pin_fname = self.secdir + "/pin.txt"

    self.reqdir = None
    self.certreq_fname = None
    self.certder_fname = None
    self.host_name = host_name
    self.ca_subject = ca_subject
    self.subject_base = subject_base

    try:
        self.cwd = os.path.abspath(os.getcwd())
    except OSError as e:
        raise RuntimeError(
            "Unable to determine the current directory: %s" % str(e))

    self.cacert_name = get_ca_nickname(self.realm)
    self.user = user
    self.group = group
    self.mode = mode
    self.uid = 0
    self.gid = 0

    if create:
        if user is not None:
            pw_entry = pwd.getpwnam(user)
            self.uid = pw_entry.pw_uid
            self.gid = pw_entry.pw_gid
        if group is not None:
            self.gid = grp.getgrnam(group).gr_gid
        self.create_certdbs()
    elif os.path.isdir(self.secdir):
        # Use the owner of the containing directory rather than that of
        # the process: this works when root manages a db for a daemon
        # that runs as a normal user
        st = os.stat(self.secdir)
        self.uid = st[stat.ST_UID]
        self.gid = st[stat.ST_GID]

    self.fstore = fstore or sysrestore.FileStore(paths.SYSRESTORE)
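def __init__(self, realm, nssdir, fstore=None, host_name=None,
             subject_base=None, ca_subject=None, user=None, group=None,
             mode=None, create=False, dbtype='auto'):
    """Wrap the NSS database in *nssdir* for certificate management.

    :param realm: Kerberos realm name
    :param nssdir: directory of the NSS database
    :param fstore: file store to use; ``sysrestore.FileStore`` on
        ``paths.SYSRESTORE`` when not given
    :param host_name, subject_base, ca_subject: stored for later use
    :param user, group, mode: owner/group/mode for a newly created db
    :param create: when true, create the db files with the given owner;
        otherwise take uid/gid from the existing directory
    :param dbtype: NSS db format passed through to ``NSSDatabase``
    """
    self.nssdb = NSSDatabase(nssdir, dbtype=dbtype)
    self.realm = realm

    # NOTE(review): self.secdir is not assigned in this method; it is
    # presumably provided by the class (e.g. derived from self.nssdb) —
    # verify before relying on it.
    self.noise_fname = os.path.join(self.secdir, "noise.txt")
    self.pk12_fname = os.path.join(self.secdir, "cacert.p12")
    # join directory and file name with a separator; `secdir + "pin.txt"`
    # glued the two together into a path like ".../slapd-Xpin.txt"
    self.pin_fname = os.path.join(self.secdir, "pin.txt")

    self.reqdir = None
    self.certreq_fname = None
    self.certder_fname = None
    self.host_name = host_name
    self.ca_subject = ca_subject
    self.subject_base = subject_base

    self.cacert_name = get_ca_nickname(self.realm)
    self.user = user
    self.group = group
    self.mode = mode
    self.uid = 0
    self.gid = 0

    if not create:
        if os.path.isdir(self.secdir):
            # We are going to set the owner of all of the cert
            # files to the owner of the containing directory
            # instead of that of the process. This works when
            # this is called by root for a daemon that runs as
            # a normal user
            st = os.stat(self.secdir)
            self.uid = st[stat.ST_UID]
            self.gid = st[stat.ST_GID]
    else:
        if user is not None:
            pu = pwd.getpwnam(user)
            self.uid = pu.pw_uid
            self.gid = pu.pw_gid
        if group is not None:
            self.gid = grp.getgrnam(group).gr_gid
        self.create_certdbs()

    if fstore:
        self.fstore = fstore
    else:
        self.fstore = sysrestore.FileStore(paths.SYSRESTORE)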
def test_check_validity():
    """The self-signed test cert is a valid server cert for its SAN only."""
    with NSSDatabase() as nssdb:
        nssdb.create_db()
        create_selfsigned(nssdb)
        verify_server = nssdb.verify_server_cert_validity

        # not acceptable as a CA certificate
        with pytest.raises(ValueError):
            nssdb.verify_ca_cert_validity(CERTNICK)
        # valid for the name it was issued for ...
        verify_server(CERTNICK, CERTSAN)
        # ... and rejected for any other name
        with pytest.raises(ValueError):
            verify_server(CERTNICK, 'invalid.example')
def basecert_fsetup(self, request):
    """Fixture: temporary NSS db plus csr/cert paths, closed at teardown."""
    self.nssdb = NSSDatabase()
    secdir = self.nssdb.secdir
    self.reqfile, self.certfile = (
        os.path.join(secdir, name) for name in ("test.csr", "cert.crt")
    )
    # the db is created inside the temporary secdir
    self.nssdb.create_db()
    self.subject = DN(('CN', self.host_fqdn), subject_base())

    def teardown():
        self.nssdb.close()

    request.addfinalizer(teardown)
def __init__(self, realm, nssdir=NSS_DIR, fstore=None, host_name=None,
             subject_base=None):
    """Wrap the NSS database in *nssdir* and set up the file names it uses.

    :param realm: Kerberos realm name
    :param nssdir: directory of the NSS database (legacy DBM file names)
    :param fstore: file store to use; ``sysrestore.FileStore`` on
        ``paths.SYSRESTORE`` when not given
    :param host_name: stored for later use
    :param subject_base: subject base DN; ``DN(('O', 'IPA'))`` when empty
    :raises RuntimeError: when the current working directory cannot be
        determined
    """
    self.nssdb = NSSDatabase(nssdir)
    self.secdir = nssdir
    self.realm = realm

    # file names are built by plain concatenation
    self.noise_fname = self.secdir + "/noise.txt"
    self.passwd_fname = self.secdir + "/pwdfile.txt"
    self.certdb_fname = self.secdir + "/cert8.db"
    self.keydb_fname = self.secdir + "/key3.db"
    self.secmod_fname = self.secdir + "/secmod.db"
    self.cacert_fname = self.secdir + "/cacert.asc"
    self.pk12_fname = self.secdir + "/cacert.p12"
    self.pin_fname = self.secdir + "/pin.txt"
    self.pwd_conf = paths.HTTPD_PASSWORD_CONF

    self.reqdir = None
    self.certreq_fname = None
    self.certder_fname = None
    self.host_name = host_name
    self.subject_base = subject_base

    try:
        self.cwd = os.getcwd()
    except OSError as e:
        raise RuntimeError(
            "Unable to determine the current directory: %s" % str(e))

    if not subject_base:
        self.subject_base = DN(('O', 'IPA'))

    self.cacert_name = get_ca_nickname(self.realm)
    self.valid_months = "120"
    # NOTE(review): 1024-bit keys are below current recommendations
    # (2048+); kept as-is here since changing it alters issued certs.
    self.keysize = "1024"

    # Use the owner of the containing directory rather than that of the
    # process: this works when root manages a db for a daemon that runs
    # as a normal user
    st = os.stat(self.secdir)
    self.uid = st[stat.ST_UID]
    self.gid = st[stat.ST_GID]

    self.fstore = fstore or sysrestore.FileStore(paths.SYSRESTORE)
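def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
    """Fetch the certs listed in *data* from *ca_host* and bundle them as one PKCS#12.

    Each nickname in ``data['list']`` is fetched through Custodia under
    ``data['prefix']``; every reply is a JSON document with an
    ``'export password'`` and base64 ``'pkcs12 data'``.  The blobs are
    imported into a throwaway NSS db, the CA certs are added, and the db
    is re-exported to *cacerts_file* protected by *cacerts_pwd*.

    The scratch directory (which holds the export passwords in clear) is
    removed on every exit path, including a failing ``create_db()``.
    """
    prefix = data['prefix']
    certlist = data['list']

    # Before we attempt to fetch keys from this host, make sure our public
    # keys have been replicated there.
    self.__wait_keys(ca_host)

    cli = self.__CustodiaClient(server=ca_host)

    # Temporary nssdb
    tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
    try:
        tmpdb = NSSDatabase(tmpnssdir)
        tmpdb.create_db()

        # Cert file password
        crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
        with open(crtpwfile, 'w+') as f:
            f.write(cacerts_pwd)

        pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
        pk12file = os.path.join(tmpnssdir, 'pk12file')
        for nickname in certlist:
            value = cli.fetch_key(os.path.join(prefix, nickname), False)
            v = json_decode(value)
            with open(pk12pwfile, 'w+') as f:
                f.write(v['export password'])
            # PKCS#12 is binary: open in binary mode so the bytes from
            # b64decode are stored untouched (text mode fails on Python 3)
            with open(pk12file, 'wb') as f:
                f.write(b64decode(v['pkcs12 data']))
            ipautil.run([
                paths.PK12UTIL,
                '-d', tmpdb.secdir,
                '-k', tmpdb.pwd_file,
                '-n', nickname,
                '-i', pk12file,
                '-w', pk12pwfile,
            ])

        # Add CA certificates
        self.suffix = ipautil.realm_to_suffix(self.realm)
        self.import_ca_certs(tmpdb, True)

        # Now that we gathered all certs, re-export
        ipautil.run([
            paths.PKCS12EXPORT,
            '-d', tmpdb.secdir,
            '-p', tmpdb.pwd_file,
            '-w', crtpwfile,
            '-o', cacerts_file,
        ])
    finally:
        shutil.rmtree(tmpnssdir)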
def test_auto_db():
    """dbtype='auto' resolves to a concrete format only once the db exists."""
    with NSSDatabase() as nssdb:
        # before create_db(): format unresolved, no files, listing fails
        assert nssdb.dbtype == 'auto'
        assert nssdb.filenames is None
        assert not nssdb.exists()
        with pytest.raises(RuntimeError):
            nssdb.list_certs()

        nssdb.create_db()

        # after create_db(): a real format was picked
        resolved = nssdb.dbtype
        assert resolved in ('dbm', 'sql')
        if NSS_DEFAULT is not None:
            assert resolved == NSS_DEFAULT
        assert nssdb.filenames is not None
        assert nssdb.exists()
        nssdb.list_certs()
def test_sql_tmp():
    """A SQL-format db has no files before create_db(); cert9/key4/pkcs11 after."""
    with NSSDatabase(dbtype='sql') as nssdb:
        assert nssdb.dbtype == 'sql'
        assert not any(os.path.isfile(path) for path in nssdb.filenames)

        nssdb.create_db()

        for path in nssdb.filenames:
            assert os.path.isfile(path)
            assert os.path.dirname(path) == nssdb.secdir
        assert nssdb.certdb in nssdb.filenames
        basenames = [os.path.basename(path)
                     for path in (nssdb.certdb, nssdb.keydb, nssdb.secmod)]
        assert basenames == ['cert9.db', 'key4.db', 'pkcs11.txt']
def test_dbm_tmp():
    """A DBM-format db has no files before create_db(); cert8/key3/secmod after."""
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
        assert not any(os.path.isfile(path) for path in nssdb.filenames)

        nssdb.create_db()

        for path in nssdb.filenames:
            assert os.path.isfile(path)
            assert os.path.dirname(path) == nssdb.secdir
        assert nssdb.certdb in nssdb.filenames
        basenames = [os.path.basename(path)
                     for path in (nssdb.certdb, nssdb.keydb, nssdb.secmod)]
        assert basenames == ['cert8.db', 'key3.db', 'secmod.db']
def _get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
    """Fetch the certs listed in *data* from *ca_host* and bundle them as one PKCS#12.

    Each nickname in ``data['list']`` is fetched through Custodia under
    ``data['prefix']`` as a JSON document with an ``'export password'``
    and base64 ``'pkcs12 data'``.  The blobs are imported into a
    throwaway NSS db, the CA certs (except the main CA cert) are added,
    and the db is re-exported to *cacerts_file* protected by *cacerts_pwd*.
    """
    prefix = data['prefix']
    certlist = data['list']
    cli = self._get_custodia_client(server=ca_host)

    with NSSDatabase(None) as tmpdb:
        tmpdb.create_db()
        secdir = tmpdb.secdir

        # password that will protect the re-exported PKCS#12 file
        crtpwfile = os.path.join(secdir, 'crtpwfile')
        with open(crtpwfile, 'w+') as f:
            f.write(cacerts_pwd)

        pk12pwfile = os.path.join(secdir, 'pk12pwfile')
        pk12file = os.path.join(secdir, 'pk12file')
        for nickname in certlist:
            reply = json_decode(
                cli.fetch_key(os.path.join(prefix, nickname), False))
            with open(pk12pwfile, 'w+') as f:
                f.write(reply['export password'])
            with open(pk12file, 'wb') as f:
                f.write(b64decode(reply['pkcs12 data']))
            tmpdb.run_pk12util([
                '-k', tmpdb.pwd_file,
                '-n', nickname,
                '-i', pk12file,
                '-w', pk12pwfile,
            ])

        # Add CA certificates, but don't import the main CA cert. It's
        # already present as 'caSigningCert cert-pki-ca'. With SQL db
        # format, a second import would rename the certificate. See
        # https://pagure.io/freeipa/issue/7498 for more details.
        conn = api.Backend.ldap2
        suffix = ipautil.realm_to_suffix(self.realm)
        ca_certs = get_ca_certs_nss(conn, suffix, self.realm, True)
        for cert, nickname, trust_flags in ca_certs:
            if nickname != get_ca_nickname(self.realm):
                tmpdb.add_cert(cert, nickname, trust_flags)

        # Now that we gathered all certs, re-export
        ipautil.run([
            paths.PKCS12EXPORT,
            '-d', secdir,
            '-p', tmpdb.pwd_file,
            '-w', crtpwfile,
            '-o', cacerts_file,
        ])
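def expired_ipa_certs(now):
    """
    Determine which IPA certs are expired, or close to expiry.

    Return a pair of lists of (IPACertType, cert) tuples: the first holds
    expired certs IPA can renew, the second expired certs that were not
    issued by IPA (``is_ipa_issued_cert`` is false) and so are reported
    but not renewed.  The IPA RA cert is never put in the second list.
    """
    certs = []
    non_renewed = []

    def classify(certtype, cert):
        # a cert counts as expired when notAfter is at or before `now`
        if cert.not_valid_after > now:
            return
        if is_ipa_issued_cert(api, cert):
            certs.append((certtype, cert))
        else:
            non_renewed.append((certtype, cert))

    # IPA RA
    cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
    if cert.not_valid_after <= now:
        certs.append((IPACertType.IPARA, cert))

    # Apache HTTPD
    classify(IPACertType.HTTPS,
             x509.load_certificate_from_file(paths.HTTPD_CERT_FILE))

    # LDAPS: the DS server cert lives in the instance's NSS database
    serverid = realm_to_serverid(api.env.realm)
    ds = dsinstance.DsInstance(realm_name=api.env.realm)
    ds_dbdir = dsinstance.config_dirname(serverid)
    ds_nickname = ds.get_server_cert_nickname(serverid)
    classify(IPACertType.LDAPS,
             NSSDatabase(nssdir=ds_dbdir).get_cert(ds_nickname))

    # KDC — tagged as KDC in both lists; the non-renewed entry was
    # previously mislabelled as HTTPS
    classify(IPACertType.KDC,
             x509.load_certificate_from_file(paths.KDC_CERT))

    return certs, non_renewed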
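def execute(self, **options):
    """Move the 'ipaCert' RA agent cert from the HTTPD NSS db to the PEM file.

    When the CA is enabled and the old NSS database still holds
    ``ipaCert``, the key and cert are exported to a temporary PKCS#12 file
    next to the db, the cert is removed from the db and from certmonger
    tracking, and ``CAInstance.import_ra_cert`` installs it.  Always
    returns ``(False, [])``: no restart required, no messages.
    """
    ra_nick = 'ipaCert'
    if not self.api.Command.ca_is_enabled()['result']:
        return False, []

    try:
        certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
    except ValueError as e:
        logger.warning("Problem opening NSS database in "
                       "%s. Skipping check for existing RA "
                       "agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
        return False, []

    if not certdb.has_nickname(ra_nick):
        # Nothing to do
        return False, []
    if os.path.exists(paths.RA_AGENT_PEM):
        # even though the certificate file exists, we will overwrite it
        # as it's probably something wrong anyway
        logger.warning(
            "A certificate with the nickname 'ipaCert' exists in "
            "the old '%s' NSS database as well as in the new "
            "PEM file '%s'", paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)

    fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
    # only the path is used from here on; don't leak the descriptor
    os.close(fd)
    try:
        # no password is necessary as we will be saving it in clear anyway
        certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

        # stop tracking the old cert and remove it
        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
        certdb.delete_key_and_cert(ra_nick)
        if os.path.exists(paths.OLD_KRA_AGENT_PEM):
            os.remove(paths.OLD_KRA_AGENT_PEM)

        # get the private key and certificate from the file and start
        # tracking it in certmonger
        ca = cainstance.CAInstance()
        ca.import_ra_cert(p12file)
    finally:
        # the file holds the unprotected private key: remove it on every
        # exit path, not only on success
        os.remove(p12file)

    return False, []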
def expired_dogtag_certs(now):
    """
    Determine which Dogtag certs are expired, or close to expiry.

    Return a list of (cert_id, cert) pairs.
    """
    db = NSSDatabase(nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
    found = []
    for certid, nickname in cert_nicknames.items():
        try:
            cert = db.get_cert(nickname)
        except RuntimeError:
            # certdb only raises a plain RuntimeError, so a nickname that
            # cannot be read is simply skipped
            continue
        if cert.not_valid_after <= now:
            found.append((certid, cert))
    return found
def _get_keys(self, cacerts_file, cacerts_pwd, data):
    """Fetch the certs listed in *data* through Custodia and bundle them as one PKCS#12.

    Each nickname in ``data['list']`` is fetched under ``data['prefix']``
    as a JSON document with an ``'export password'`` and base64
    ``'pkcs12 data'``.  The blobs are imported into a throwaway NSS db,
    the CA certs are added with ``export_ca_certs_nssdb``, and the db is
    re-exported to *cacerts_file* protected by *cacerts_pwd*.
    """
    prefix = data['prefix']
    certlist = data['list']
    cli = self._get_custodia_client()

    with NSSDatabase(None) as tmpdb:
        tmpdb.create_db()
        secdir = tmpdb.secdir

        # password that will protect the re-exported PKCS#12 file
        crtpwfile = os.path.join(secdir, 'crtpwfile')
        with open(crtpwfile, 'w+') as f:
            f.write(cacerts_pwd)

        pk12pwfile = os.path.join(secdir, 'pk12pwfile')
        pk12file = os.path.join(secdir, 'pk12file')
        for nickname in certlist:
            reply = json_decode(
                cli.fetch_key(os.path.join(prefix, nickname), False))
            with open(pk12pwfile, 'w+') as f:
                f.write(reply['export password'])
            with open(pk12file, 'wb') as f:
                f.write(b64decode(reply['pkcs12 data']))
            tmpdb.run_pk12util([
                '-k', tmpdb.pwd_file,
                '-n', nickname,
                '-i', pk12file,
                '-w', pk12pwfile,
            ])

        # Add CA certificates
        self.export_ca_certs_nssdb(tmpdb, True)

        # Now that we gathered all certs, re-export
        ipautil.run([
            paths.PKCS12EXPORT,
            '-d', secdir,
            '-p', tmpdb.pwd_file,
            '-w', crtpwfile,
            '-o', cacerts_file,
        ])
def install_ipa_certs(subject_base, ca_subject_dn, certs):
    """Print details and install renewed IPA certificates.

    *certs* is an iterable of (IPACertType, old cert) pairs; the renewed
    cert for each is read from
    ``/etc/pki/pki-tomcat/certs/<serial>-renewed.crt`` and copied to the
    location that cert type uses.
    """
    renewed_tmpl = "/etc/pki/pki-tomcat/certs/{}-renewed.crt"
    for certtype, oldcert in certs:
        cert_path = renewed_tmpl.format(oldcert.serial_number)
        cert = x509.load_certificate_from_file(cert_path)
        print_cert_info("Renewed IPA", certtype.value, cert)

        if certtype is IPACertType.IPARA:
            shutil.copyfile(cert_path, paths.RA_AGENT_PEM)
            cainstance.update_people_entry(cert)
            replicate_cert(subject_base, ca_subject_dn, cert)
        elif certtype is IPACertType.LDAPS:
            # DS keeps its server cert in its own NSS database
            serverid = realm_to_serverid(api.env.realm)
            db = NSSDatabase(nssdir=dsinstance.config_dirname(serverid))
            db.delete_cert('Server-Cert')
            db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
        elif certtype is IPACertType.HTTPS:
            shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
        elif certtype is IPACertType.KDC:
            shutil.copyfile(cert_path, paths.KDC_CERT)
def test_convert_db_nokey():
    """Convert a DBM db whose cert has no key; the old cert8.db is kept as .migrated."""
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
        nssdb.create_db()
        create_selfsigned(nssdb)
        assert len(nssdb.list_certs()) == 1
        assert len(nssdb.list_keys()) == 1

        # drop the private key (certutil -F) and put the bare cert back
        cert = nssdb.get_cert(CERTNICK)
        nssdb.run_certutil(['-F', '-n', CERTNICK])
        nssdb.add_cert(cert, CERTNICK, TRUSTED_PEER_TRUST_FLAGS)
        assert not nssdb.list_keys()
        certs_before = nssdb.list_certs()
        assert len(certs_before) == 1

        nssdb.convert_db()

        assert nssdb.dbtype == 'sql'
        certs_after = nssdb.list_certs()
        assert len(certs_after) == 1
        assert certs_after == certs_before
        assert nssdb.get_cert(CERTNICK) == cert
        assert nssdb.list_keys() == ()

        for path in nssdb.filenames:
            assert os.path.isfile(path)
            assert os.path.dirname(path) == nssdb.secdir

        legacy = os.path.join(nssdb.secdir, 'cert8.db')
        assert not os.path.isfile(legacy)
        assert os.path.isfile(legacy + '.migrated')

        # SQL-format file names
        assert os.path.basename(nssdb.certdb) == 'cert9.db'
        assert nssdb.certdb in nssdb.filenames
        assert os.path.basename(nssdb.keydb) == 'key4.db'
        assert os.path.basename(nssdb.secmod) == 'pkcs11.txt'
def import_key(self, value):
    """Import a PKCS#12 blob into the NSS DB under ``self.nickname``.

    *value* is a JSON document with ``'export password'`` and base64
    ``'pkcs12 data'``; both are materialised in a scratch directory that
    is removed on every exit path.
    """
    payload = json_decode(value)
    workdir = tempfile.mkdtemp(dir=paths.TMP)
    try:
        pwfile = os.path.join(workdir, 'pk12pwfile')
        with open(pwfile, 'w') as fh:
            fh.write(payload['export password'])
        p12file = os.path.join(workdir, 'pk12file')
        with open(p12file, 'wb') as fh:
            fh.write(b64decode(payload['pkcs12 data']))
        NSSDatabase(self.nssdb_path).run_pk12util([
            "-i", p12file,
            "-n", self.nickname,
            "-k", self.nssdb_pwdfile,
            "-w", pwfile,
        ])
    finally:
        shutil.rmtree(workdir)
def install_ipa_certs(subject_base, ca_subject_dn, certs):
    """Print details and install renewed IPA certificates.

    *certs* is an iterable of (IPACertType, old cert) pairs; the renewed
    cert for each is read from ``RENEWED_CERT_PATH_TEMPLATE`` formatted
    with the old serial number and copied to the location that cert type
    uses.
    """
    for certtype, oldcert in certs:
        cert_path = RENEWED_CERT_PATH_TEMPLATE.format(oldcert.serial_number)
        cert = x509.load_certificate_from_file(cert_path)
        print_cert_info("Renewed IPA", certtype.value, cert)

        if certtype is IPACertType.IPARA:
            shutil.copyfile(cert_path, paths.RA_AGENT_PEM)
            cainstance.update_people_entry(cert)
            replicate_cert(subject_base, ca_subject_dn, cert)
        elif certtype is IPACertType.LDAPS:
            # DS keeps its server cert in its own NSS database under an
            # instance-specific nickname
            serverid = realm_to_serverid(api.env.realm)
            ds = dsinstance.DsInstance(realm_name=api.env.realm)
            db = NSSDatabase(nssdir=dsinstance.config_dirname(serverid))
            ds_nickname = ds.get_server_cert_nickname(serverid)
            db.delete_cert(ds_nickname)
            db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
        elif certtype is IPACertType.HTTPS:
            shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
        elif certtype is IPACertType.KDC:
            shutil.copyfile(cert_path, paths.KDC_CERT)
def test_dbm_raise():
    """Requesting the legacy DBM format fails when NSS lacks DBM support."""
    with pytest.raises(ValueError) as excinfo:
        NSSDatabase(dbtype="dbm")
    expected = "NSS is built without support of the legacy database(DBM)"
    assert str(excinfo.value) == expected