Check ca_wrapped in ipa-custodia-check

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key material. Add checks to custodia to verify that key wrapping works. Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: Christian Heimes <cheimes@redhat.com>
freeipa · Sep 21, 2020 · 0a00a93 · 0a00a93
1 parent b606fa6
commit 0a00a93
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
@@ -49,6 +49,8 @@ KEYS = [
     'dm/DMHash',
     'ra/ipaCert',
     'ca/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
     'ca/caSigningCert cert-pki-ca',
     'ca/ocspSigningCert cert-pki-ca',
     'ca/subsystemCert cert-pki-ca',

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
@@ -393,6 +393,7 @@ class BasePathNamespace:
     IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/libexec/ipa-custodia-check"
     IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
     EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
     GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
@@ -117,6 +117,7 @@ class DebianPathNamespace(BasePathNamespace):
     IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/lib/ipa/ipa-custodia-check"
     WSGI_PREFIX_DIR = "/run/apache2/wsgi"
 
 paths = DebianPathNamespace()
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
@@ -971,6 +971,12 @@ def test_admin_root_alias_CVE_2020_10747(self):
         assert result.returncode != 0
         assert 'user with name "root" already exists' in result.stderr_text
 
+    def test_ipa_custodia_check(self):
+        # check local key retrieval
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+
 
 class TestInstallMasterKRA(IntegrationTest):
 

diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
@@ -21,6 +21,7 @@
 
 import pytest
 
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
@@ -103,3 +104,12 @@ def test_replica_removal(self):
                                  self.replicas[0].hostname, '--force'])
         result = self.master.run_command(['ipa-replica-manage', 'list'])
         assert self.replicas[0].hostname not in result.stdout_text
+
+    def test_ipa_custodia_check(self):
+        replica = self.replicas[0]
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, replica.hostname]
+        )
+        replica.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )