示例#1
0
    def install(self):
        print("Installing CA certificate, please wait")

        options = self.options
        cert_filename = self.args[1]

        try:
            cert = x509.load_certificate_from_file(cert_filename)
        except IOError as e:
            raise admintool.ScriptError("Can't open \"%s\": %s" %
                                        (cert_filename, e))
        except (TypeError, ValueError) as e:
            raise admintool.ScriptError("Not a valid certificate: %s" % e)

        nickname = options.nickname or str(DN(cert.subject))

        ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
                                              api.env.basedn, api.env.realm,
                                              False)

        with certs.NSSDatabase() as tmpdb:
            tmpdb.create_db()
            tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
            for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
                tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)

            try:
                tmpdb.verify_ca_cert_validity(nickname)
            except ValueError as e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

        trust_flags = options.trust_flags.split(',')
        if (set(options.trust_flags) - set(',CPTcgpuw')
                or len(trust_flags) not in [3, 4]):
            raise admintool.ScriptError("Invalid trust flags")

        extra_flags = trust_flags[3:]
        extra_usages = set()
        if extra_flags:
            if 'C' in extra_flags[0]:
                extra_usages.add(x509.EKU_PKINIT_KDC)
            if 'T' in extra_flags[0]:
                extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)

        trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
        trust_flags = TrustFlags(trust_flags.has_key, trust_flags.trusted,
                                 trust_flags.ca,
                                 trust_flags.usages | extra_usages)

        try:
            certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert,
                                      nickname, trust_flags)
        except ValueError as e:
            raise admintool.ScriptError(
                "Failed to install the certificate: %s" % e)

        print("CA certificate successfully installed")
示例#2
0
    def __upload_ca_cert(self):
        """
        Upload the CA certificate from the NSS database to the LDAP directory.
        """

        dirname = config_dirname(self.serverid)
        dsdb = certs.CertDB(self.realm,
                            nssdir=dirname,
                            subject_base=self.subject_base)
        trust_flags = dict(reversed(dsdb.list_certs()))

        ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
        conn = ipaldap.LDAPClient(ldap_uri)
        conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                         bind_password=self.dm_password)

        nicknames = dsdb.find_root_cert(self.cacert_name)[:-1]
        for nickname in nicknames:
            cert = dsdb.get_cert_from_db(nickname)
            certstore.put_ca_cert_nss(conn, self.suffix, cert, nickname,
                                      trust_flags[nickname])

        nickname = self.cacert_name
        cert = dsdb.get_cert_from_db(nickname)
        cacert_flags = trust_flags[nickname]
        if self.setup_pkinit:
            cacert_flags = TrustFlags(
                cacert_flags.has_key,
                cacert_flags.trusted,
                cacert_flags.ca,
                (cacert_flags.usages
                 | {x509.EKU_PKINIT_CLIENT_AUTH, x509.EKU_PKINIT_KDC}),
            )
        certstore.put_ca_cert_nss(conn,
                                  self.suffix,
                                  cert,
                                  nickname,
                                  cacert_flags,
                                  config_ipa=self.ca_is_configured,
                                  config_compat=self.master_fqdn is None)

        conn.unbind()
示例#3
0
    def install(self):
        print("Installing CA certificate, please wait")

        options = self.options

        ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
                                              api.env.basedn, api.env.realm,
                                              False)

        with certs.NSSDatabase() as tmpdb:
            tmpdb.create_db()
            tmpdb.import_files(self.args[1:])
            imported = tmpdb.list_certs()
            logger.debug("loaded raw certs '%s'", imported)

            if len(imported) > 1 and options.nickname:
                raise admintool.ScriptError(
                    "Nickname can only be used if only a single "
                    "certificate is loaded")

            # If a nickname was provided re-import the cert
            if options.nickname:
                (nickname, trust_flags) = imported[0]
                cert = tmpdb.get_cert(nickname)
                tmpdb.delete_cert(nickname)
                tmpdb.add_cert(cert, options.nickname, EXTERNAL_CA_TRUST_FLAGS)
                imported = tmpdb.list_certs()

            for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
                tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)

            for nickname, trust_flags in imported:
                if trust_flags.has_key:
                    continue
                tmpdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)

            for nickname, trust_flags in imported:
                try:
                    tmpdb.verify_ca_cert_validity(nickname)
                except ValueError as e:
                    raise admintool.ScriptError(
                        "Not a valid CA certificate: %s (visit "
                        "http://www.freeipa.org/page/Troubleshooting for "
                        "troubleshooting guide)" % e)
                else:
                    print("Verified %s" % nickname)

            trust_flags = options.trust_flags.split(',')
            if (set(options.trust_flags) - set(',CPTcgpuw')
                    or len(trust_flags) not in [3, 4]):
                raise admintool.ScriptError("Invalid trust flags")

            extra_flags = trust_flags[3:]
            extra_usages = set()
            if extra_flags:
                if 'C' in extra_flags[0]:
                    extra_usages.add(x509.EKU_PKINIT_KDC)
                if 'T' in extra_flags[0]:
                    extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)

            trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
            trust_flags = TrustFlags(trust_flags.has_key, trust_flags.trusted,
                                     trust_flags.ca,
                                     trust_flags.usages | extra_usages)

            for nickname, _trust_flags in imported:
                try:
                    cert = tmpdb.get_cert(nickname)
                    certstore.put_ca_cert_nss(api.Backend.ldap2,
                                              api.env.basedn, cert, nickname,
                                              trust_flags)
                except ValueError as e:
                    raise admintool.ScriptError(
                        "Failed to install the certificate: %s" % e)

        print("CA certificate successfully installed")
示例#4
0
def key_policy_to_trust_flags(trusted, ca, ext_key_usage):
    """
    Convert certificate store key policy to certutil trust flags.
    """
    return TrustFlags(False, trusted, ca, ext_key_usage)