Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -21,22 +21,25 @@ from __future__ import absolute_import

 import logging
 import os
-import pwd
 import shutil
 import tempfile
 import base64

 from ipalib import api
 from ipalib import x509
+from ipalib.constants import KRA_TRACKING_REQS
 from ipaplatform.paths import paths
 from ipapython import directivesetter
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import installutils
-from ipaserver.install import ldapupdate
 from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.plugins import ldap2
+from ipaserver.install.ca import (
+    lookup_random_serial_number_version,
+    lookup_hsm_configuration
+)
+

 logger = logging.getLogger(__name__)

@@ -66,11 +69,7 @@ class KRAInstance(DogtagInstance):
    # Mapping of nicknames for tracking requests, and the profile to
    # use for that certificate.  'configure_renewal()' reads this
    # dict.  The profile MUST be specified.
-    tracking_reqs = {
-        'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert',
-        'transportCert cert-pki-kra': 'caInternalAuthTransportCert',
-        'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert',
-    }
+    tracking_reqs = KRA_TRACKING_REQS

    def __init__(self, realm):
        super(KRAInstance, self).__init__(
@@ -80,10 +79,16 @@ class KRAInstance(DogtagInstance):
            config=paths.KRA_CS_CFG_PATH,
        )

+    def uninstall(self):
+        DogtagInstance.uninstall(self)
+
+        ipautil.remove_file(paths.KRACERT_P12)
+
    def configure_instance(self, realm_name, host_name, dm_password,
                           admin_password, pkcs12_info=None, master_host=None,
                           subject_base=None, ca_subject=None,
-                           promote=False, pki_config_override=None):
+                           promote=False, pki_config_override=None,
+                           token_password=None):
        """Create a KRA instance.

           To create a clone, pass in pkcs12_info.
@@ -97,6 +102,8 @@ class KRAInstance(DogtagInstance):
            self.clone = True
        self.master_host = master_host
        self.pki_config_override = pki_config_override
+        # The remaining token values are available via sysrestore
+        self.token_password = token_password

        self.subject_base = \
            subject_base or installutils.default_subject_base(realm_name)
@@ -170,6 +177,12 @@ class KRAInstance(DogtagInstance):
            pki_import_admin_cert=False,
            pki_client_admin_cert_p12=admin_p12_file,
        )
+        if lookup_random_serial_number_version(api) > 0:
+            cfg['pki_key_id_generator'] = 'random'
+            cfg['pki_request_id_generator'] = 'random'
+        else:
+            cfg['pki_key_id_generator'] = 'legacy'
+            cfg['pki_request_id_generator'] = 'legacy'

        if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
                os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
@@ -179,13 +192,28 @@ class KRAInstance(DogtagInstance):
        else:
            pki_pin = None

-        _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
+        ca = cainstance.CAInstance(self.realm)
+        if ca.hsm_enabled:
+            cfg['pki_hsm_enable'] = True
+            cfg['pki_token_name'] = ca.token_name
+            cfg['pki_token_password'] = self.token_password
+            cfg['pki_sslserver_token'] = 'internal'
+            # Require OAEP for nfast devices as they do not support
+            # PKCS1v15.
+            (_unused, token_library_path) = lookup_hsm_configuration(api)
+            if 'nfast' in token_library_path:
+                cfg['pki_use_oaep_rsa_keywrap'] = True
+
+        p12_tmpfile_name = None

        if self.clone:
            krafile = self.pkcs12_info[0]
-            shutil.copy(krafile, p12_tmpfile_name)
-            pent = pwd.getpwnam(self.service_user)
-            os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
+            if krafile:
+                _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(
+                    dir=paths.TMP
+                )
+                shutil.copy(krafile, p12_tmpfile_name)
+                self.service_user.chown(p12_tmpfile_name)

            self._configure_clone(
                cfg,
@@ -208,11 +236,10 @@ class KRAInstance(DogtagInstance):
                )

        # Generate configuration file
-        pent = pwd.getpwnam(self.service_user)
        config = self._create_spawn_config(cfg)
        with tempfile.NamedTemporaryFile('w', delete=False) as f:
            config.write(f)
-            os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
+            self.service_user.chown(f.fileno())
            cfg_file = f.name

        nolog_list = [
@@ -225,11 +252,15 @@ class KRAInstance(DogtagInstance):
                nolog_list=nolog_list
            )
        finally:
-            os.remove(p12_tmpfile_name)
+            if p12_tmpfile_name:
+                os.remove(p12_tmpfile_name)
            os.remove(cfg_file)
            os.remove(admin_p12_file)

-        shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
+        if config.getboolean(
+            self.subsystem, 'pki_backup_keys', fallback=True
+        ):
+            shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
        logger.debug("completed creating KRA instance")

    def __create_kra_agent(self):
@@ -237,14 +268,11 @@ class KRAInstance(DogtagInstance):
        Create KRA agent, assign a certificate, and add the user to
        the appropriate groups for accessing KRA services.
        """
+        conn = api.Backend.ldap2

        # get RA agent certificate
        cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)

-        # connect to KRA database
-        conn = ldap2.ldap2(api)
-        conn.connect(autobind=True)
-
        # create ipakra user with RA agent certificate
        entry = conn.make_entry(
            KRA_AGENT_DN,
@@ -267,20 +295,12 @@ class KRAInstance(DogtagInstance):
            KRA_BASEDN)
        conn.add_entry_to_group(KRA_AGENT_DN, group_dn, 'uniqueMember')

-        conn.disconnect()
-
    def __add_vault_container(self):
        self._ldap_mod(
            'vault.ldif', {'SUFFIX': self.suffix}, raise_on_err=True)

    def __apply_updates(self):
-        sub_dict = {
-            'SUFFIX': self.suffix,
-        }
-
-        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
-                                   sub_dict=sub_dict)
-        ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
+        self._ldap_update(['40-vault.update'])

    def enable_ephemeral(self):
        """
@@ -295,6 +315,18 @@ class KRAInstance(DogtagInstance):

        # A restart is required

+    def enable_oaep_wrap_algo(self):
+        """
+        Enable KRA OAEP key wrap algorithm
+        """
+        with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
+            directivesetter.set_directive(
+                self.config,
+                'keyWrap.useOAEP',
+                'true', quotes=False, separator='=')
+
+        # A restart is required
+
    def update_cert_config(self, nickname, cert):
        """
        When renewing a KRA subsystem certificate the configuration file