Imported Debian patch 4.7.2-3
This commit is contained in:
Timo Aaltonen
committed by
Mario Fetka
Mario Fetka
parent
27edeba051
commit
8bc559c5a1
@@ -1,106 +1,93 @@
|
||||
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
|
||||
|
||||
from __future__ import print_function, absolute_import
|
||||
|
||||
import contextlib
|
||||
import os
|
||||
import secrets
|
||||
from base64 import b64encode
|
||||
|
||||
|
||||
# pylint: disable=relative-import
|
||||
from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC
|
||||
# pylint: enable=relative-import
|
||||
from jwcrypto.common import json_decode
|
||||
from jwcrypto.jwk import JWK
|
||||
from ipalib.krb_utils import krb5_format_service_principal_name
|
||||
from ipaserver.secrets.kem import IPAKEMKeys
|
||||
from ipaserver.secrets.store import IPASecStore
|
||||
from ipaserver.secrets.store import iSecStore
|
||||
from ipaplatform.paths import paths
|
||||
from base64 import b64encode
|
||||
import ldapurl
|
||||
import gssapi
|
||||
import os
|
||||
import urllib3
|
||||
import requests
|
||||
|
||||
|
||||
@contextlib.contextmanager
|
||||
def ccache_env(ccache):
|
||||
"""Temporarily set KRB5CCNAME environment variable
|
||||
"""
|
||||
orig_ccache = os.environ.get('KRB5CCNAME')
|
||||
os.environ['KRB5CCNAME'] = ccache
|
||||
try:
|
||||
yield
|
||||
finally:
|
||||
os.environ.pop('KRB5CCNAME', None)
|
||||
if orig_ccache is not None:
|
||||
os.environ['KRB5CCNAME'] = orig_ccache
|
||||
|
||||
|
||||
class CustodiaClient:
|
||||
def __init__(self, client_service, keyfile, keytab, server, realm,
|
||||
ldap_uri=None, auth_type=None):
|
||||
if client_service.endswith(realm) or "@" not in client_service:
|
||||
raise ValueError(
|
||||
"Client service name must be a GSS name (service@host), "
|
||||
"not '{}'.".format(client_service)
|
||||
)
|
||||
self.client_service = client_service
|
||||
self.keytab = keytab
|
||||
self.server = server
|
||||
self.realm = realm
|
||||
self.ldap_uri = ldap_uri
|
||||
self.auth_type = auth_type
|
||||
self.service_name = gssapi.Name(
|
||||
'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
|
||||
)
|
||||
self.keystore = IPASecStore()
|
||||
# use in-process MEMORY ccache. Handler process don't need a TGT.
|
||||
self.ccache = 'MEMORY:Custodia_{}'.format(secrets.token_hex())
|
||||
|
||||
with ccache_env(self.ccache):
|
||||
# Init creds immediately to make sure they are valid. Creds
|
||||
# can also be re-inited by _auth_header to avoid expiry.
|
||||
self.creds = self._init_creds()
|
||||
|
||||
self.ikk = IPAKEMKeys(
|
||||
{'server_keys': keyfile, 'ldap_uri': ldap_uri}
|
||||
)
|
||||
self.kemcli = KEMClient(
|
||||
self._server_keys(), self._client_keys()
|
||||
)
|
||||
class CustodiaClient(object):
|
||||
|
||||
def _client_keys(self):
|
||||
return self.ikk.server_keys
|
||||
|
||||
def _server_keys(self):
|
||||
principal = krb5_format_service_principal_name(
|
||||
'host', self.server, self.realm
|
||||
)
|
||||
def _server_keys(self, server, realm):
|
||||
principal = 'host/%s@%s' % (server, realm)
|
||||
sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
|
||||
ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC)))
|
||||
return sk, ek
|
||||
return (sk, ek)
|
||||
|
||||
def _init_creds(self):
|
||||
name = gssapi.Name(
|
||||
self.client_service, gssapi.NameType.hostbased_service
|
||||
)
|
||||
store = {
|
||||
'client_keytab': self.keytab,
|
||||
'ccache': self.ccache
|
||||
}
|
||||
def _ldap_uri(self, realm):
|
||||
dashrealm = '-'.join(realm.split('.'))
|
||||
socketpath = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (dashrealm,)
|
||||
return 'ldapi://' + ldapurl.ldapUrlEscape(socketpath)
|
||||
|
||||
def _keystore(self, realm, ldap_uri, auth_type):
|
||||
config = dict()
|
||||
if ldap_uri is None:
|
||||
config['ldap_uri'] = self._ldap_uri(realm)
|
||||
else:
|
||||
config['ldap_uri'] = ldap_uri
|
||||
if auth_type is not None:
|
||||
config['auth_type'] = auth_type
|
||||
|
||||
return iSecStore(config)
|
||||
|
||||
def __init__(
|
||||
self, client_service, keyfile, keytab, server, realm,
|
||||
ldap_uri=None, auth_type=None):
|
||||
self.client_service = client_service
|
||||
self.keytab = keytab
|
||||
|
||||
# Init creds immediately to make sure they are valid. Creds
|
||||
# can also be re-inited by _auth_header to avoid expiry.
|
||||
#
|
||||
self.creds = self.init_creds()
|
||||
|
||||
self.service_name = gssapi.Name('HTTP@%s' % (server,),
|
||||
gssapi.NameType.hostbased_service)
|
||||
self.server = server
|
||||
|
||||
self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
|
||||
|
||||
self.kemcli = KEMClient(self._server_keys(server, realm),
|
||||
self._client_keys())
|
||||
|
||||
self.keystore = self._keystore(realm, ldap_uri, auth_type)
|
||||
|
||||
# FIXME: Remove warnings about missing subjAltName for the
|
||||
# requests module
|
||||
urllib3.disable_warnings()
|
||||
|
||||
def init_creds(self):
|
||||
name = gssapi.Name(self.client_service,
|
||||
gssapi.NameType.hostbased_service)
|
||||
store = {'client_keytab': self.keytab,
|
||||
'ccache': 'MEMORY:Custodia_%s' % b64encode(
|
||||
os.urandom(8)).decode('ascii')}
|
||||
return gssapi.Credentials(name=name, store=store, usage='initiate')
|
||||
|
||||
def _auth_header(self):
|
||||
if self.creds.lifetime < 300:
|
||||
self.creds = self._init_creds()
|
||||
ctx = gssapi.SecurityContext(
|
||||
name=self.service_name,
|
||||
creds=self.creds
|
||||
)
|
||||
if not self.creds or self.creds.lifetime < 300:
|
||||
self.creds = self.init_creds()
|
||||
ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
|
||||
authtok = ctx.step()
|
||||
return {'Authorization': 'Negotiate %s' % b64encode(
|
||||
authtok).decode('ascii')}
|
||||
|
||||
def fetch_key(self, keyname, store=True):
|
||||
|
||||
# Prepare URL
|
||||
url = 'https://%s/ipa/keys/%s' % (self.server, keyname)
|
||||
|
||||
@@ -112,11 +99,9 @@ class CustodiaClient:
|
||||
headers = self._auth_header()
|
||||
|
||||
# Perform request
|
||||
r = requests.get(
|
||||
url, headers=headers,
|
||||
verify=paths.IPA_CA_CRT,
|
||||
params={'type': 'kem', 'value': request}
|
||||
)
|
||||
r = requests.get(url, headers=headers,
|
||||
verify=paths.IPA_CA_CRT,
|
||||
params={'type': 'kem', 'value': request})
|
||||
r.raise_for_status()
|
||||
reply = r.json()
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ import ldap.filter
|
||||
from ipapython.ipaldap import ldap_initialize
|
||||
|
||||
|
||||
class iSecLdap:
|
||||
class iSecLdap(object):
|
||||
|
||||
def __init__(self, uri, auth_type=None):
|
||||
self.uri = uri
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
"""Export / import handlers
|
||||
"""
|
||||
@@ -1,75 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
||||
#
|
||||
"""Common helpers for handlers
|
||||
"""
|
||||
import argparse
|
||||
import base64
|
||||
import json
|
||||
import shutil
|
||||
import tempfile
|
||||
|
||||
|
||||
def default_json(obj):
|
||||
"""JSON encoder default handler
|
||||
"""
|
||||
if isinstance(obj, (bytes, bytearray)):
|
||||
return base64.b64encode(obj).decode('ascii')
|
||||
raise TypeError(
|
||||
"Object of type {} is not JSON serializable".format(type(obj))
|
||||
)
|
||||
|
||||
|
||||
def json_dump(data, exportfile):
|
||||
"""Dump JSON to file
|
||||
"""
|
||||
json.dump(
|
||||
data,
|
||||
exportfile,
|
||||
default=default_json,
|
||||
separators=(',', ':'),
|
||||
sort_keys=True
|
||||
)
|
||||
|
||||
|
||||
def mkparser(supports_import=True, **kwargs):
|
||||
"""Create default parser for handler with export / import args
|
||||
|
||||
All commands support export to file or stdout. Most commands can also
|
||||
import from a file or stdin. Export and import are mutually exclusive
|
||||
options.
|
||||
"""
|
||||
parser = argparse.ArgumentParser(**kwargs)
|
||||
|
||||
group = parser.add_mutually_exclusive_group(required=True)
|
||||
group.add_argument(
|
||||
'--export',
|
||||
help='JSON export file ("-" for stdout)',
|
||||
dest='exportfile',
|
||||
type=argparse.FileType('w')
|
||||
)
|
||||
if supports_import:
|
||||
group.add_argument(
|
||||
'--import',
|
||||
help='JSON import file ("-" for stdin)',
|
||||
dest='importfile',
|
||||
type=argparse.FileType('r')
|
||||
)
|
||||
|
||||
return parser
|
||||
|
||||
|
||||
def main(parser, export_func, import_func=None, **kwargs):
|
||||
"""Common main function for handlers
|
||||
"""
|
||||
args = parser.parse_args()
|
||||
if args.exportfile is not None:
|
||||
func = export_func
|
||||
else:
|
||||
func = import_func
|
||||
|
||||
tmpdir = tempfile.mkdtemp()
|
||||
try:
|
||||
func(args, tmpdir, **kwargs)
|
||||
finally:
|
||||
shutil.rmtree(tmpdir)
|
||||
@@ -1,63 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
||||
#
|
||||
"""Export / import Directory Manager password hash
|
||||
"""
|
||||
import json
|
||||
import os
|
||||
|
||||
from ipalib import api
|
||||
from ipalib import errors
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
|
||||
from . import common
|
||||
|
||||
CN_CONFIG = DN(('cn', 'config'))
|
||||
ROOTPW = 'nsslapd-rootpw'
|
||||
|
||||
|
||||
def export_key(args, tmpdir, conn):
|
||||
entry = conn.get_entry(CN_CONFIG, [ROOTPW])
|
||||
data = {
|
||||
'dmhash': entry.single_value[ROOTPW],
|
||||
}
|
||||
common.json_dump(data, args.exportfile)
|
||||
|
||||
|
||||
def import_key(args, tmpdir, conn):
|
||||
data = json.load(args.importfile)
|
||||
dmhash = data['dmhash'].encode('ascii')
|
||||
entry = conn.get_entry(CN_CONFIG, [ROOTPW])
|
||||
entry.single_value[ROOTPW] = dmhash
|
||||
try:
|
||||
conn.update_entry(entry)
|
||||
except errors.EmptyModlist:
|
||||
pass
|
||||
|
||||
|
||||
def main():
|
||||
parser = common.mkparser(
|
||||
description='ipa-custodia LDAP DM hash handler'
|
||||
)
|
||||
|
||||
if os.getegid() != 0:
|
||||
parser.error("Must be run as root user.\n")
|
||||
|
||||
# create LDAP connection using LDAPI and EXTERNAL bind as root
|
||||
if not api.isdone('bootstrap'):
|
||||
api.bootstrap(confdir=paths.ETC_IPA, log=None)
|
||||
realm = api.env.realm
|
||||
ldap_uri = realm_to_ldapi_uri(realm)
|
||||
conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
|
||||
try:
|
||||
conn.external_bind()
|
||||
except Exception as e:
|
||||
parser.error("Failed to connect to {}: {}\n".format(ldap_uri, e))
|
||||
|
||||
with conn:
|
||||
common.main(parser, export_key, import_key, conn=conn)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@@ -1,122 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
||||
#
|
||||
"""Export / import cert and key from NSS DB as PKCS#12 data
|
||||
"""
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import ipautil
|
||||
from ipapython.certdb import NSSDatabase
|
||||
from . import common
|
||||
|
||||
|
||||
def export_key(args, tmpdir):
|
||||
"""Export key and certificate from the NSS DB to a PKCS#12 file.
|
||||
|
||||
The PKCS#12 file is encrypted with a password.
|
||||
"""
|
||||
pk12file = os.path.join(tmpdir, 'export.p12')
|
||||
|
||||
password = ipautil.ipa_generate_password()
|
||||
pk12pk12pwfile = os.path.join(tmpdir, 'passwd')
|
||||
with open(pk12pk12pwfile, 'w') as f:
|
||||
f.write(password)
|
||||
|
||||
nssdb = NSSDatabase(args.nssdb_path)
|
||||
nssdb.run_pk12util([
|
||||
"-o", pk12file,
|
||||
"-n", args.nickname,
|
||||
"-k", args.nssdb_pwdfile,
|
||||
"-w", pk12pk12pwfile,
|
||||
])
|
||||
|
||||
with open(pk12file, 'rb') as f:
|
||||
p12data = f.read()
|
||||
|
||||
data = {
|
||||
'export password': password,
|
||||
'pkcs12 data': p12data,
|
||||
}
|
||||
common.json_dump(data, args.exportfile)
|
||||
|
||||
|
||||
def import_key(args, tmpdir):
|
||||
"""Import key and certificate from a PKCS#12 file to a NSS DB.
|
||||
"""
|
||||
data = json.load(args.importfile)
|
||||
password = data['export password']
|
||||
p12data = base64.b64decode(data['pkcs12 data'])
|
||||
|
||||
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
||||
with open(pk12pwfile, 'w') as f:
|
||||
f.write(password)
|
||||
|
||||
pk12file = os.path.join(tmpdir, 'import.p12')
|
||||
with open(pk12file, 'wb') as f:
|
||||
f.write(p12data)
|
||||
|
||||
nssdb = NSSDatabase(args.nssdb_path)
|
||||
nssdb.run_pk12util([
|
||||
"-i", pk12file,
|
||||
"-n", args.nickname,
|
||||
"-k", args.nssdb_pwdfile,
|
||||
"-w", pk12pwfile,
|
||||
])
|
||||
|
||||
|
||||
def default_parser():
|
||||
"""Generic interface
|
||||
"""
|
||||
parser = common.mkparser(
|
||||
description='ipa-custodia NSS cert handler'
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nssdb',
|
||||
dest='nssdb_path',
|
||||
help='path to NSS DB',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'--pwdfile',
|
||||
dest='nssdb_pwdfile',
|
||||
help='path to password file for NSS DB',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nickname',
|
||||
help='nick name of certificate',
|
||||
required=True
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def pki_tomcat_parser():
|
||||
"""Hard-code Dogtag's NSSDB and its password file
|
||||
"""
|
||||
parser = common.mkparser(
|
||||
description='ipa-custodia pki-tomcat NSS cert handler'
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nickname',
|
||||
help='nick name of certificate',
|
||||
required=True
|
||||
)
|
||||
parser.set_defaults(
|
||||
nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def main(parser=None):
|
||||
if parser is None:
|
||||
parser = default_parser()
|
||||
|
||||
common.main(parser, export_key, import_key)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@@ -1,126 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
||||
#
|
||||
"""Export and wrap key from NSS DB
|
||||
"""
|
||||
import os
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import ipautil
|
||||
from ipapython.certdb import NSSDatabase
|
||||
from . import common
|
||||
|
||||
|
||||
def export_key(args, tmpdir):
|
||||
"""Export key and certificate from the NSS DB
|
||||
|
||||
The private key is encrypted using key wrapping.
|
||||
"""
|
||||
wrapped_key_file = os.path.join(tmpdir, 'wrapped_key')
|
||||
certificate_file = os.path.join(tmpdir, 'certificate')
|
||||
|
||||
ipautil.run([
|
||||
paths.PKI,
|
||||
'-d', args.nssdb_path,
|
||||
'-C', args.nssdb_pwdfile,
|
||||
'ca-authority-key-export',
|
||||
'--wrap-nickname', args.wrap_nickname,
|
||||
'--target-nickname', args.nickname,
|
||||
'--algorithm', args.algorithm,
|
||||
'-o', wrapped_key_file
|
||||
])
|
||||
|
||||
nssdb = NSSDatabase(args.nssdb_path)
|
||||
nssdb.run_certutil([
|
||||
'-L',
|
||||
'-n', args.nickname,
|
||||
'-a',
|
||||
'-o', certificate_file,
|
||||
])
|
||||
with open(wrapped_key_file, 'rb') as f:
|
||||
wrapped_key = f.read()
|
||||
with open(certificate_file, 'r') as f:
|
||||
certificate = f.read()
|
||||
|
||||
data = {
|
||||
'wrapped_key': wrapped_key,
|
||||
'certificate': certificate
|
||||
}
|
||||
common.json_dump(data, args.exportfile)
|
||||
|
||||
|
||||
def default_parser():
|
||||
"""Generic interface
|
||||
"""
|
||||
parser = common.mkparser(
|
||||
supports_import=False,
|
||||
description='ipa-custodia NSS wrapped cert handler',
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nssdb',
|
||||
dest='nssdb_path',
|
||||
help='path to NSS DB',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'--pwdfile',
|
||||
dest='nssdb_pwdfile',
|
||||
help='path to password file for NSS DB',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'--wrap-nickname',
|
||||
dest='wrap_nickname',
|
||||
help='nick name of wrapping key',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nickname',
|
||||
dest='nickname',
|
||||
help='nick name of target key',
|
||||
required=True
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def pki_tomcat_parser():
|
||||
"""Hard-code Dogtag's NSS DB, its password file, and CA key for wrapping
|
||||
"""
|
||||
parser = common.mkparser(
|
||||
supports_import=False,
|
||||
description='ipa-custodia pki-tomcat NSS wrapped cert handler',
|
||||
)
|
||||
parser.add_argument(
|
||||
'--nickname',
|
||||
dest='nickname',
|
||||
help='nick name of target key',
|
||||
required=True
|
||||
)
|
||||
|
||||
# Caller must specify a cipher. This gets passed on to
|
||||
# the 'pki ca-authority-key-export' command (part of
|
||||
# Dogtag) via its own --algorithm option.
|
||||
parser.add_argument(
|
||||
'--algorithm',
|
||||
dest='algorithm',
|
||||
help='OID of symmetric wrap algorithm',
|
||||
required=True
|
||||
)
|
||||
|
||||
parser.set_defaults(
|
||||
nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
|
||||
wrap_nickname='caSigningCert cert-pki-ca',
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def main(parser=None):
|
||||
if parser is None:
|
||||
parser = default_parser()
|
||||
|
||||
common.main(parser, export_key, None)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@@ -1,118 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
||||
#
|
||||
"""Export / import PEM cert and key file as PKCS#12 data
|
||||
"""
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import ipautil
|
||||
from . import common
|
||||
|
||||
|
||||
def export_key(args, tmpdir):
|
||||
"""Export cert and private from PEM files as PKCS#12 file.
|
||||
|
||||
The PKCS#12 file is encrypted with a password.
|
||||
"""
|
||||
pk12file = os.path.join(tmpdir, 'export.p12')
|
||||
|
||||
password = ipautil.ipa_generate_password()
|
||||
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
||||
with open(pk12pwfile, 'w') as f:
|
||||
f.write(password)
|
||||
|
||||
# OpenSSL does not support pkcs12 export of a cert without key
|
||||
ipautil.run([
|
||||
paths.OPENSSL, 'pkcs12', '-export',
|
||||
'-in', args.certfile,
|
||||
'-out', pk12file,
|
||||
'-inkey', args.keyfile,
|
||||
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
||||
])
|
||||
|
||||
with open(pk12file, 'rb') as f:
|
||||
p12data = f.read()
|
||||
|
||||
data = {
|
||||
'export password': password,
|
||||
'pkcs12 data': p12data,
|
||||
}
|
||||
common.json_dump(data, args.exportfile)
|
||||
|
||||
|
||||
def import_key(args, tmpdir):
|
||||
"""Export key and certificate from a PKCS#12 file to key and cert files.
|
||||
"""
|
||||
data = json.load(args.importfile)
|
||||
password = data['export password']
|
||||
p12data = base64.b64decode(data['pkcs12 data'])
|
||||
|
||||
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
||||
with open(pk12pwfile, 'w') as f:
|
||||
f.write(password)
|
||||
|
||||
pk12file = os.path.join(tmpdir, 'import.p12')
|
||||
with open(pk12file, 'wb') as f:
|
||||
f.write(p12data)
|
||||
|
||||
# get the certificate from the file
|
||||
cmd = [
|
||||
paths.OPENSSL, 'pkcs12',
|
||||
'-in', pk12file,
|
||||
'-clcerts', '-nokeys',
|
||||
'-out', args.certfile,
|
||||
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
||||
]
|
||||
ipautil.run(cmd, umask=0o027)
|
||||
|
||||
# get the private key from the file
|
||||
cmd = [
|
||||
paths.OPENSSL, 'pkcs12',
|
||||
'-in', pk12file,
|
||||
'-nocerts', '-nodes',
|
||||
'-out', args.keyfile,
|
||||
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
||||
]
|
||||
ipautil.run(cmd, umask=0o027)
|
||||
|
||||
|
||||
def default_parser():
|
||||
parser = common.mkparser(
|
||||
description='ipa-custodia PEM file handler'
|
||||
)
|
||||
parser.add_argument(
|
||||
'--certfile',
|
||||
help='path to PEM encoded cert file',
|
||||
required=True
|
||||
)
|
||||
parser.add_argument(
|
||||
'keyfile',
|
||||
help='path to PEM encoded key file',
|
||||
required=True
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def ra_agent_parser():
|
||||
parser = common.mkparser(
|
||||
description='ipa-custodia RA agent cert handler'
|
||||
)
|
||||
parser.set_defaults(
|
||||
certfile=paths.RA_AGENT_PEM,
|
||||
keyfile=paths.RA_AGENT_KEY
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def main(parser=None):
|
||||
if parser is None:
|
||||
parser = default_parser()
|
||||
|
||||
common.main(parser, export_key, import_key)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@@ -5,7 +5,9 @@ from __future__ import print_function, absolute_import
|
||||
import errno
|
||||
import os
|
||||
|
||||
from configparser import ConfigParser
|
||||
# pylint: disable=import-error
|
||||
from six.moves.configparser import ConfigParser
|
||||
# pylint: enable=import-error
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
|
||||
@@ -1,39 +1,28 @@
|
||||
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
|
||||
|
||||
from __future__ import print_function, absolute_import
|
||||
import os
|
||||
import sys
|
||||
|
||||
from custodia.plugin import CSStore
|
||||
|
||||
from base64 import b64encode, b64decode
|
||||
from custodia.store.interface import CSStore # pylint: disable=relative-import
|
||||
from jwcrypto.common import json_decode, json_encode
|
||||
from ipaplatform.paths import paths
|
||||
from ipaplatform.constants import constants
|
||||
from ipapython import ipautil
|
||||
from ipapython.certdb import NSSDatabase
|
||||
from ipaserver.secrets.common import iSecLdap
|
||||
import ldap
|
||||
import os
|
||||
import shutil
|
||||
import sys
|
||||
import tempfile
|
||||
|
||||
|
||||
class UnknownKeyName(Exception):
|
||||
pass
|
||||
|
||||
|
||||
class InvalidKeyArguments(Exception):
|
||||
pass
|
||||
|
||||
|
||||
class DBMAPHandler:
|
||||
dbtype = None
|
||||
supports_extra_args = False
|
||||
class DBMAPHandler(object):
|
||||
|
||||
def __init__(self, config, dbmap, nickname):
|
||||
dbtype = dbmap.get('type')
|
||||
if dbtype is None or dbtype != self.dbtype:
|
||||
raise ValueError(
|
||||
"Invalid type '{}', expected '{}'".format(
|
||||
dbtype, self.dbtype
|
||||
)
|
||||
)
|
||||
self.config = config
|
||||
self.dbmap = dbmap
|
||||
self.nickname = nickname
|
||||
raise NotImplementedError
|
||||
|
||||
def export_key(self):
|
||||
raise NotImplementedError
|
||||
@@ -42,146 +31,229 @@ class DBMAPHandler:
|
||||
raise NotImplementedError
|
||||
|
||||
|
||||
class DBMAPCommandHandler(DBMAPHandler):
|
||||
def __init__(self, config, dbmap, nickname):
|
||||
super().__init__(config, dbmap, nickname)
|
||||
self.runas = dbmap.get('runas')
|
||||
self.command = os.path.join(
|
||||
paths.IPA_CUSTODIA_HANDLER,
|
||||
dbmap['command']
|
||||
)
|
||||
|
||||
def run_handler(self, extra_args=(), stdin=None):
|
||||
"""Run handler script to export / import key material
|
||||
"""
|
||||
args = [self.command]
|
||||
args.extend(extra_args)
|
||||
kwargs = dict(
|
||||
runas=self.runas,
|
||||
encoding='utf-8',
|
||||
)
|
||||
|
||||
if stdin:
|
||||
args.extend(['--import', '-'])
|
||||
kwargs.update(stdin=stdin)
|
||||
else:
|
||||
args.extend(['--export', '-'])
|
||||
kwargs.update(capture_output=True)
|
||||
|
||||
result = ipautil.run(args, **kwargs)
|
||||
|
||||
if stdin is None:
|
||||
return result.output
|
||||
else:
|
||||
return None
|
||||
|
||||
|
||||
def log_error(error):
|
||||
print(error, file=sys.stderr)
|
||||
|
||||
|
||||
class NSSWrappedCertDB(DBMAPCommandHandler):
|
||||
"""
|
||||
class NSSWrappedCertDB(DBMAPHandler):
|
||||
'''
|
||||
Store that extracts private keys from an NSSDB, wrapped with the
|
||||
private key of the primary CA.
|
||||
"""
|
||||
dbtype = 'NSSDB'
|
||||
supports_extra_args = True
|
||||
'''
|
||||
|
||||
OID_DES_EDE3_CBC = '1.2.840.113549.3.7'
|
||||
|
||||
def __init__(self, config, dbmap, nickname, *extra_args):
|
||||
super().__init__(config, dbmap, nickname)
|
||||
|
||||
# Extra args is either a single OID specifying desired wrap
|
||||
# algorithm, or empty. If empty, we must assume that the
|
||||
# client is an old version that only supports DES-EDE3-CBC.
|
||||
#
|
||||
# Using either the client's requested algorithm or the
|
||||
# default of DES-EDE3-CBC, we pass it along to the handler
|
||||
# via the --algorithm option. The handler, in turn, passes
|
||||
# it along to the 'pki ca-authority-key-export' program
|
||||
# (which is part of Dogtag).
|
||||
#
|
||||
if len(extra_args) > 1:
|
||||
raise InvalidKeyArguments("Too many arguments")
|
||||
if len(extra_args) == 1:
|
||||
self.alg = extra_args[0]
|
||||
else:
|
||||
self.alg = self.OID_DES_EDE3_CBC
|
||||
def __init__(self, config, dbmap, nickname):
|
||||
if 'path' not in dbmap:
|
||||
raise ValueError(
|
||||
'Configuration does not provide NSSDB path')
|
||||
if 'pwdfile' not in dbmap:
|
||||
raise ValueError('Configuration does not provide password file')
|
||||
if 'wrap_nick' not in dbmap:
|
||||
raise ValueError(
|
||||
'Configuration does not provide nickname of wrapping key')
|
||||
self.nssdb_path = dbmap['path']
|
||||
self.nssdb_pwdfile = dbmap['pwdfile']
|
||||
self.wrap_nick = dbmap['wrap_nick']
|
||||
self.target_nick = nickname
|
||||
|
||||
def export_key(self):
|
||||
return self.run_handler([
|
||||
'--nickname', self.nickname,
|
||||
'--algorithm', self.alg,
|
||||
])
|
||||
tdir = tempfile.mkdtemp(dir=paths.TMP)
|
||||
try:
|
||||
wrapped_key_file = os.path.join(tdir, 'wrapped_key')
|
||||
certificate_file = os.path.join(tdir, 'certificate')
|
||||
ipautil.run([
|
||||
paths.PKI, '-d', self.nssdb_path, '-C', self.nssdb_pwdfile,
|
||||
'ca-authority-key-export',
|
||||
'--wrap-nickname', self.wrap_nick,
|
||||
'--target-nickname', self.target_nick,
|
||||
'-o', wrapped_key_file])
|
||||
nssdb = NSSDatabase(self.nssdb_path)
|
||||
nssdb.run_certutil([
|
||||
'-L', '-n', self.target_nick,
|
||||
'-a', '-o', certificate_file,
|
||||
])
|
||||
with open(wrapped_key_file, 'rb') as f:
|
||||
wrapped_key = f.read()
|
||||
with open(certificate_file, 'r') as f:
|
||||
certificate = f.read()
|
||||
finally:
|
||||
shutil.rmtree(tdir)
|
||||
return json_encode({
|
||||
'wrapped_key': b64encode(wrapped_key).decode('ascii'),
|
||||
'certificate': certificate})
|
||||
|
||||
|
||||
class NSSCertDB(DBMAPCommandHandler):
|
||||
dbtype = 'NSSDB'
|
||||
class NSSCertDB(DBMAPHandler):
|
||||
|
||||
def __init__(self, config, dbmap, nickname):
|
||||
if 'type' not in dbmap or dbmap['type'] != 'NSSDB':
|
||||
raise ValueError('Invalid type "%s",'
|
||||
' expected "NSSDB"' % (dbmap['type'],))
|
||||
if 'path' not in dbmap:
|
||||
raise ValueError('Configuration does not provide NSSDB path')
|
||||
if 'pwdfile' not in dbmap:
|
||||
raise ValueError('Configuration does not provide password file')
|
||||
self.nssdb_path = dbmap['path']
|
||||
self.nssdb_pwdfile = dbmap['pwdfile']
|
||||
self.nickname = nickname
|
||||
|
||||
def export_key(self):
|
||||
return self.run_handler(['--nickname', self.nickname])
|
||||
tdir = tempfile.mkdtemp(dir=paths.TMP)
|
||||
try:
|
||||
pk12pwfile = os.path.join(tdir, 'pk12pwfile')
|
||||
password = ipautil.ipa_generate_password()
|
||||
with open(pk12pwfile, 'w') as f:
|
||||
f.write(password)
|
||||
pk12file = os.path.join(tdir, 'pk12file')
|
||||
nssdb = NSSDatabase(self.nssdb_path)
|
||||
nssdb.run_pk12util([
|
||||
"-o", pk12file,
|
||||
"-n", self.nickname,
|
||||
"-k", self.nssdb_pwdfile,
|
||||
"-w", pk12pwfile,
|
||||
])
|
||||
with open(pk12file, 'rb') as f:
|
||||
data = f.read()
|
||||
finally:
|
||||
shutil.rmtree(tdir)
|
||||
return json_encode({'export password': password,
|
||||
'pkcs12 data': b64encode(data).decode('ascii')})
|
||||
|
||||
def import_key(self, value):
|
||||
return self.run_handler(
|
||||
['--nickname', self.nickname],
|
||||
stdin=value
|
||||
)
|
||||
v = json_decode(value)
|
||||
tdir = tempfile.mkdtemp(dir=paths.TMP)
|
||||
try:
|
||||
pk12pwfile = os.path.join(tdir, 'pk12pwfile')
|
||||
with open(pk12pwfile, 'w') as f:
|
||||
f.write(v['export password'])
|
||||
pk12file = os.path.join(tdir, 'pk12file')
|
||||
with open(pk12file, 'wb') as f:
|
||||
f.write(b64decode(v['pkcs12 data']))
|
||||
nssdb = NSSDatabase(self.nssdb_path)
|
||||
nssdb.run_pk12util([
|
||||
"-i", pk12file,
|
||||
"-n", self.nickname,
|
||||
"-k", self.nssdb_pwdfile,
|
||||
"-w", pk12pwfile,
|
||||
])
|
||||
finally:
|
||||
shutil.rmtree(tdir)
|
||||
|
||||
|
||||
# Exfiltrate the DM password Hash so it can be set in replica's and this
|
||||
# way let a replica be install without knowing the DM password and yet
|
||||
# still keep the DM password synchronized across replicas
|
||||
class DMLDAP(DBMAPCommandHandler):
|
||||
dbtype = 'DMLDAP'
|
||||
class DMLDAP(DBMAPHandler):
|
||||
|
||||
def __init__(self, config, dbmap, nickname):
|
||||
super().__init__(config, dbmap, nickname)
|
||||
if 'type' not in dbmap or dbmap['type'] != 'DMLDAP':
|
||||
raise ValueError('Invalid type "%s",'
|
||||
' expected "DMLDAP"' % (dbmap['type'],))
|
||||
if nickname != 'DMHash':
|
||||
raise UnknownKeyName("Unknown Key Named '%s'" % nickname)
|
||||
self.ldap = iSecLdap(config['ldap_uri'],
|
||||
config.get('auth_type', None))
|
||||
|
||||
def export_key(self):
|
||||
return self.run_handler()
|
||||
conn = self.ldap.connect()
|
||||
r = conn.search_s('cn=config', ldap.SCOPE_BASE,
|
||||
attrlist=['nsslapd-rootpw'])
|
||||
if len(r) != 1:
|
||||
raise RuntimeError('DM Hash not found!')
|
||||
rootpw = r[0][1]['nsslapd-rootpw'][0]
|
||||
return json_encode({'dmhash': rootpw.decode('ascii')})
|
||||
|
||||
def import_key(self, value):
|
||||
self.run_handler(stdin=value)
|
||||
v = json_decode(value)
|
||||
rootpw = v['dmhash'].encode('ascii')
|
||||
conn = self.ldap.connect()
|
||||
mods = [(ldap.MOD_REPLACE, 'nsslapd-rootpw', rootpw)]
|
||||
conn.modify_s('cn=config', mods)
|
||||
|
||||
|
||||
class PEMFileHandler(DBMAPCommandHandler):
|
||||
dbtype = 'PEM'
|
||||
class PEMFileHandler(DBMAPHandler):
|
||||
def __init__(self, config, dbmap, nickname=None):
|
||||
if 'type' not in dbmap or dbmap['type'] != 'PEM':
|
||||
raise ValueError('Invalid type "{t}", expected PEM'
|
||||
.format(t=dbmap['type']))
|
||||
self.certfile = dbmap['certfile']
|
||||
self.keyfile = dbmap.get('keyfile')
|
||||
|
||||
def export_key(self):
|
||||
return self.run_handler()
|
||||
_fd, tmpfile = tempfile.mkstemp(dir=paths.TMP)
|
||||
password = ipautil.ipa_generate_password()
|
||||
args = [
|
||||
paths.OPENSSL,
|
||||
"pkcs12", "-export",
|
||||
"-in", self.certfile,
|
||||
"-out", tmpfile,
|
||||
"-password", "pass:{pwd}".format(pwd=password)
|
||||
]
|
||||
if self.keyfile is not None:
|
||||
args.extend(["-inkey", self.keyfile])
|
||||
|
||||
try:
|
||||
ipautil.run(args, nolog=(password, ))
|
||||
with open(tmpfile, 'rb') as f:
|
||||
data = f.read()
|
||||
finally:
|
||||
os.remove(tmpfile)
|
||||
return json_encode({'export password': password,
|
||||
'pkcs12 data': b64encode(data).decode('ascii')})
|
||||
|
||||
def import_key(self, value):
|
||||
return self.run_handler(stdin=value)
|
||||
v = json_decode(value)
|
||||
data = b64decode(v['pkcs12 data'])
|
||||
password = v['export password']
|
||||
fd, tmpdata = tempfile.mkstemp(dir=paths.TMP)
|
||||
os.close(fd)
|
||||
try:
|
||||
with open(tmpdata, 'wb') as f:
|
||||
f.write(data)
|
||||
|
||||
# get the certificate from the file
|
||||
ipautil.run([paths.OPENSSL,
|
||||
"pkcs12",
|
||||
"-in", tmpdata,
|
||||
"-clcerts", "-nokeys",
|
||||
"-out", self.certfile,
|
||||
"-passin", "pass:{pwd}".format(pwd=password)],
|
||||
nolog=(password, ))
|
||||
|
||||
if self.keyfile is not None:
|
||||
# get the private key from the file
|
||||
ipautil.run([paths.OPENSSL,
|
||||
"pkcs12",
|
||||
"-in", tmpdata,
|
||||
"-nocerts", "-nodes",
|
||||
"-out", self.keyfile,
|
||||
"-passin", "pass:{pwd}".format(pwd=password)],
|
||||
nolog=(password, ))
|
||||
finally:
|
||||
os.remove(tmpdata)
|
||||
|
||||
|
||||
NAME_DB_MAP = {
|
||||
'ca': {
|
||||
'type': 'NSSDB',
|
||||
'path': paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
'handler': NSSCertDB,
|
||||
'command': 'ipa-custodia-pki-tomcat',
|
||||
'runas': constants.PKI_USER,
|
||||
'pwdfile': paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
|
||||
},
|
||||
'ca_wrapped': {
|
||||
'type': 'NSSDB',
|
||||
'handler': NSSWrappedCertDB,
|
||||
'command': 'ipa-custodia-pki-tomcat-wrapped',
|
||||
'runas': constants.PKI_USER,
|
||||
'path': paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
'pwdfile': paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
|
||||
'wrap_nick': 'caSigningCert cert-pki-ca',
|
||||
},
|
||||
'ra': {
|
||||
'type': 'PEM',
|
||||
'handler': PEMFileHandler,
|
||||
'command': 'ipa-custodia-ra-agent',
|
||||
'runas': None, # import needs root permission to write to directory
|
||||
'certfile': paths.RA_AGENT_PEM,
|
||||
'keyfile': paths.RA_AGENT_KEY,
|
||||
},
|
||||
'dm': {
|
||||
'type': 'DMLDAP',
|
||||
'handler': DMLDAP,
|
||||
'command': 'ipa-custodia-dmldap',
|
||||
'runas': None, # root
|
||||
}
|
||||
}
|
||||
|
||||
@@ -193,15 +265,12 @@ class IPASecStore(CSStore):
|
||||
|
||||
def _get_handler(self, key):
|
||||
path = key.split('/', 3)
|
||||
if len(path) < 3 or path[0] != 'keys':
|
||||
if len(path) != 3 or path[0] != 'keys':
|
||||
raise ValueError('Invalid name')
|
||||
if path[1] not in NAME_DB_MAP:
|
||||
raise UnknownKeyName("Unknown DB named '%s'" % path[1])
|
||||
dbmap = NAME_DB_MAP[path[1]]
|
||||
handler = dbmap['handler']
|
||||
if len(path) > 3 and not handler.supports_extra_args:
|
||||
raise InvalidKeyArguments('Handler does not support extra args')
|
||||
return handler(self.config, dbmap, path[2], *path[3:])
|
||||
return dbmap['handler'](self.config, dbmap, path[2])
|
||||
|
||||
def get(self, key):
|
||||
try:
|
||||
|
||||
Reference in New Issue
Block a user