Add password file to certutil calls in ipapython.certdb module #446
Conversation
ipapython/certdb.py
Outdated
| @@ -83,7 +83,8 @@ class NSSDatabase(object): | |||
| # got too tied to IPA server details, killing reusability. | |||
| # BaseCertDB is a class that knows nothing about IPA. | |||
| # Generic NSS DB code should be moved here. | |||
| def __init__(self, nssdir=None): | |||
| def __init__(self, nssdir=None, password_filename=None): | |||
| self.password_filename = password_filename | |||
There was a problem hiding this comment.
Could we default to os.path.join(nssdir, 'pwdfile.txt')?
There was a problem hiding this comment.
We might but password file does not need to exist in general. I think this assumption is made in CertDB instead.
I can add it nonetheless.
ipapython/certdb.py
Outdated
| return ipautil.run(new_args, stdin, **kwargs) | ||
|
|
||
| def create_db(self, password_filename): | ||
| """Create cert DB | ||
|
|
||
| :param password_filename: Name of file containing the database password | ||
| """ | ||
| self.run_certutil(["-N", "-f", password_filename]) | ||
| # run_certutil will use self.password_filename to setup the db | ||
| self.password_filename = password_filename |
There was a problem hiding this comment.
Now that the filename is specified via __init__() argument, I see very little point in keeping the argument in create_db() as well.
There was a problem hiding this comment.
As I started doing this I realized that this change actually has to be done along with the one proposed on line 87, will do both, then.
| @@ -159,7 +159,7 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): | |||
| '-w', pk12pwfile]) | |||
|
|
|||
| # Add CA certificates | |||
| tmpdb = CertDB(self.realm, nssdir=tmpnssdir) | |||
| tmpdb = NSSDatabase(tmpnssdir, password_filename=nsspwfile) | |||
There was a problem hiding this comment.
Why is this necessary?
There was a problem hiding this comment.
The path to CertDB password file in this case would be $tmpnssdir"/pwdfile.txt". This file would be then passed to CertDB's inner NSSDatabase - but there is no such file. As the author of custodiainstance creates the password file in $tmpnssdir"/pk12pwfile" it was my assumption that they never meant to use IPA-specific NSS database representation.
stlaz
force-pushed
the
certdb_passwd
branch
3 times, most recently
from
c5547d4
to
5d7079f
Compare
ipaclient/install/client.py
Outdated
| db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) | ||
| pwdfile = os.path.join(db.secdir, 'pwdfile.txt') | ||
| db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR, | ||
| os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')) |
There was a problem hiding this comment.
I could do this and according changes properly by replacing NSSDatabase with CertDB but that would mean having certs.py moved to ipalib/install so that it's in a reasonable spot which I am not sure is worth it.
|
NSSDatabase now defaults its |
ipaserver/install/server/upgrade.py
Outdated
| @@ -1521,6 +1521,11 @@ def upgrade_configuration(): | |||
| api.env.realm, certs.NSS_DIR, host_name=api.env.host) | |||
| ca_running = ca.is_running() | |||
|
|
|||
| # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist | |||
| # this file will be required on most actions over this NSS DB in FIPS | |||
| if not os.path.exists(paths.PKI_TOMCAT_ALIAS_DIR, 'passwd.txt'): | |||
There was a problem hiding this comment.
Seems like I got somehow obsessed with passwd.txt for some reason. Fixed.
|
This patchset seems more like a cleanup after the privilege separation one, although adding a password to certutil calls is still the main topic here. |
stlaz
changed the title
ipaserver/install/server/upgrade.py
Outdated
| @@ -1543,6 +1543,11 @@ def upgrade_configuration(): | |||
| api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host) | |||
| ca_running = ca.is_running() | |||
|
|
|||
| # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist | |||
| # this file will be required on most actions over this NSS DB in FIPS | |||
| if not os.path.exists(paths.PKI_TOMCAT_ALIAS_DIR, 'pwdfile.txt'): | |||
There was a problem hiding this comment.
os.path.exists takes only a single argument, the file path needs to be joined.
There was a problem hiding this comment.
That was the original intention, thanks.
NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695
Replaced CertDB with NSSDatabase.
With this patchset, ipa-client-install should not ask for NSS database password.
Prerequisite for it to work in FIPS:
#367
edit: This was a part of a bigger branch and might be missing some parts.