websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
ipaserver/install/ipa_server_certinstall.py
View File

@@ -24,7 +24,6 @@ import os.path
import pwd
import optparse
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import admintool
from ipapython.dn import DN
@@ -32,12 +31,12 @@ from ipapython.ipautil import user_input, write_tmp_file
from ipalib import api, errors
from ipalib.constants import CACERT
from ipaserver.install import certs, dsinstance, httpinstance, installutils
from ipaserver.plugins.ldap2 import ldap2
class ServerCertInstall(admintool.AdminTool):
command_name = 'ipa-server-certinstall'
usage = "%prog <-d|-w> [options] <file> ..."
usage = "%prog <-d|-w> [options] <PKCS#12 file>"
description = "Install new SSL server certificates."
@@ -55,16 +54,12 @@ class ServerCertInstall(admintool.AdminTool):
help="install certificate for the http server")
parser.add_option(
"--pin",
dest="pin", metavar="PIN", sensitive=True,
dest="pin",
help="The password of the PKCS#12 file")
parser.add_option(
"--dirsrv_pin", "--http_pin",
dest="pin",
help=optparse.SUPPRESS_HELP)
parser.add_option(
"--cert-name",
dest="cert_name", metavar="NAME",
help="Name of the certificate to install")
parser.add_option(
"-p", "--dirman-password",
dest="dirman_password",
@@ -78,13 +73,13 @@ class ServerCertInstall(admintool.AdminTool):
if not self.options.dirsrv and not self.options.http:
self.option_parser.error("you must specify dirsrv and/or http")
if not self.args:
self.option_parser.error("you must provide certificate filename")
if len(self.args) != 1:
self.option_parser.error("you must provide a pkcs12 filename")
def ask_for_options(self):
super(ServerCertInstall, self).ask_for_options()
if not self.options.dirman_password:
if self.options.dirsrv and not self.options.dirman_password:
self.options.dirman_password = installutils.read_password(
"Directory Manager", confirm=False, validate=False, retry=False)
if self.options.dirman_password is None:
@@ -93,18 +88,16 @@ class ServerCertInstall(admintool.AdminTool):
if self.options.pin is None:
self.options.pin = installutils.read_password(
"Enter private key unlock", confirm=False, validate=False)
"Enter %s unlock" % self.args[0], confirm=False, validate=False)
if self.options.pin is None:
raise admintool.ScriptError(
"Private key unlock password required")
"%s unlock password required" % self.args[0])
def run(self):
api.bootstrap(in_server=True)
api.finalize()
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.options.dirman_password)
self.pkcs12_fname = self.args[0]
if self.options.dirsrv:
self.install_dirsrv_cert()
@@ -112,13 +105,14 @@ class ServerCertInstall(admintool.AdminTool):
if self.options.http:
self.install_http_cert()
conn.disconnect()
def install_dirsrv_cert(self):
serverid = installutils.realm_to_serverid(api.env.realm)
serverid = dsinstance.realm_to_serverid(api.env.realm)
dirname = dsinstance.config_dirname(serverid)
conn = api.Backend.ldap2
conn = ldap2(shared_instance=False, base_dn='')
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.options.dirman_password)
entry = conn.get_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
('cn', 'config')),
['nssslpersonalityssl'])
@@ -134,6 +128,8 @@ class ServerCertInstall(admintool.AdminTool):
except errors.EmptyModlist:
pass
conn.disconnect()
def install_http_cert(self):
dirname = certs.NSS_DIR
@@ -148,37 +144,34 @@ class ServerCertInstall(admintool.AdminTool):
'NSSNickname', server_cert)
# Fix the database permissions
os.chmod(os.path.join(dirname, 'cert8.db'), 0o640)
os.chmod(os.path.join(dirname, 'key3.db'), 0o640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0o640)
os.chmod(os.path.join(dirname, 'cert8.db'), 0640)
os.chmod(os.path.join(dirname, 'key3.db'), 0640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
pent = pwd.getpwnam(constants.HTTPD_USER)
pent = pwd.getpwnam("apache")
os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
cert_files=self.args,
key_password=pkcs12_passwd,
key_nickname=self.options.cert_name,
ca_cert_files=[CACERT],
host_name=api.env.host)
installutils.check_pkcs12(
pkcs12_info=(self.pkcs12_fname, pkcs12_passwd),
ca_file=CACERT,
hostname=api.env.host)
cdb = certs.CertDB(api.env.realm, nssdir=dirname)
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
if api.env.enable_ra:
cdb.untrack_server_cert(old_cert)
cdb.delete_cert(old_cert)
cdb.import_pkcs12(pkcs12_file.name, pin)
cdb.import_pkcs12(self.pkcs12_fname, pkcs12_passwd)
server_cert = cdb.find_server_certs()[0][0]
if ca_enabled:
if api.env.enable_ra:
cdb.track_server_cert(server_cert, principal, cdb.passwd_fname,
command)
except RuntimeError as e:
except RuntimeError, e:
raise admintool.ScriptError(str(e))
return server_cert