[Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP
Rob Crittenden
rcritten at redhat.com
Mon Jun 16 14:56:19 UTC 2014
Jan Cholasta wrote:
> Hi,
>
> the attached patches implement
> <https://fedorahosted.org/freeipa/ticket/3259> and
> <https://fedorahosted.org/freeipa/ticket/3520>.
>
> This work depends on my patches 241-253 and 262-266
> (<http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html>).
>
> Note that automatic distribution of CA certificates to IPA systems is
> not implemented yet (it's planned for IPA 4.2, see
> <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
> /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated
> *only* during client/server install.
267
What is the purpose of this change? Won't this cause no certificates to
be exported in the default case?
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 61a954f..3cd7a53 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -463,7 +463,7 @@ class CertDB(object):
do that step."""
# export the CA cert for use with other apps
ipautil.backup_file(self.cacert_fname)
- root_nicknames = self.find_root_cert(nickname)
+ root_nicknames = self.find_root_cert(nickname)[:-1]
fd = open(self.cacert_fname, "w")
for root in root_nicknames:
(cert, stderr, returncode) = self.run_certutil(["-L", "-n",
root, "-a"])
Or are you separating out issuing CA from the rest of the chain?
268 ACK
269 ACK
270
If a user has their own CA installed, such as the case where they used
ipa-server-certinstall, this will break it.
What can be in the other set? Docs are needed.
You potentially add a bunch of certs with no trust, what is the purpose?
271
ipaSecretKey isn't mentioned on
http://www.freeipa.org/page/V4/CA_certificate_renewal . What is it and
does it need to be added now?
272 ACK
273 ACK
274 ACK
275 ACK
276
There isn't any error handling around the ASN.1 decoder. Is that wise?
There should be unit tests
277
There should be unit tests
278
When the certificate must be passed in as DER can you use dercert as the
argument name so it's clear what is needed?
In update_ca_cert() and get_ca_certs() should the values for trust be
case insensitive?
This breaks the convention where attribute names are always lower-case.
I can't really grok add_ca_cert(). You are adding certs but removing
values? Is this un-setting the list of trusted CA's maybe?
There isn't a single comment in this file beyond the header.
279
Looks ok
280
Why add the chain with no trust?
281 / 282
What is the difference between add_cert and import_cert other than
passing in trust and not having the db password? Do we even need
add_single_pem_cert anymore?
283 / 284
In __import_ca_certs() I assume the pass is there for NotFound for the
case of creating a replica with an older master that doesn't have these?
How is SSL trust setup then?
This code looks awfully similar.
285
ACK
286
It looks ok, just one wild thought. If writing the certificate fails and
you go to clean up by removing ca_file, what if that removal fails, for
the same reason the write failed, SELinux for example?
287
If this weren't addressed in a later patch I've have dinged you on the:
+ return [cert]
There are some places where you pluralize the variables (certs) and
others where you do not (ca_cert, existing_ca_cert).
288
Is a rawcert a dercert? I'd use that name instead for consistency.
normalize_certificate() can raise exceptions. Those should be handled in
write_certificate_list()
289
ACK
290
This can be dangerous because if another database is opened in the
process things may fail. Additional warnings and red flags should be
provided, or the context should be compared to known places this will
blow up (e.g server).
291
You use a temporary database to make cleanup easier I suppose? Did you
test this in enforcing?
292
Need unit tests
293
Why the fixme for the x509 import?
Isn't this changing already published API for
[insert|remove]_ca_cert_into_systemwide_ca_store?
294
Can you change the old occurances of
cafile = config.dir + "/ca.crt"
to use CACERT instead?
Bad case in exception, "Ca cert file is not available". Is there any
additional information we can provide, like what to do about it and
where we looked?
You actually remove one occurrence of CACERT and replace it with a
hardcoded path, is that on purpose?
---
I still need to do functional testing and will probably take another
pass the changes through but this patchset generally looks ok.
rob
More information about the Freeipa-devel
mailing list