[Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

Endi Sukma Dewata edewata at redhat.com
Mon Jan 26 19:15:00 UTC 2015


On 11/4/2014 12:29 AM, Endi Sukma Dewata wrote:
> On 10/28/2014 6:26 PM, Endi Sukma Dewata wrote:
>> On 10/23/2014 6:18 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):
>>>> A new command has been added to retrieve the vault transport
>>>> certificate and optionally save it into a file. The vault archive
>>>> and retrieve command has been modified to retrieve the transport
>>>> certificate and store it locally for subsequent usage. This way
>>>> it's no longer necessary to manually import the transport
>>>> certificate into the client's NSS database.
>>>
>>> As part of the CA certificate renewal feature in 4.1, I have added a
>>> LDAP certificate store to IPA, see
>>> <http://www.freeipa.org/page/V4/CA_certificate_renewal>. Currently it
>>> supports only CA certificates, but can be extended to support end entity
>>> certificates rather easily. If you use it for the vault transport
>>> certificate, it can be added to the client NSS database automatically on
>>> install.
>>>
>>> Honza
>>>
>>
>> I'm attaching a new patch that's identical to the previous one with
>> ticket URL updated. I'm thinking we should check this patch in first
>> because it's already done, and then investigate the use of CA cert
>> management utility as a separate enhancement since it seems to need
>> to be generalized before it can be used to manage KRA transport cert.
>> I'll also need to investigate the KRA transport cert replacement process
>> to make sure it can be accommodated via IPA's cert management utility.
>
> Revised the patch to always download the transport certificate (no local
> caching). Further optimization can be done later.

Rebased on top of #355-3, no code changes.

-- 
Endi S. Dewata
-------------- next part --------------
>From 56e1211f42faa1e4c36184efdcddc3af23310cda Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve commands have been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                 |  5 ++++
 VERSION                 |  4 +--
 ipalib/plugins/vault.py | 80 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index f6fd2686a49dfabc053a772818904ca6c14f3b53..f64fd1570efff9a2eb2e277e16ceef2ebb1a9ae3 100644
--- a/API.txt
+++ b/API.txt
@@ -4676,6 +4676,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index b0250045145d17e40df3828d0c50be1db8867625..c75e5376c1041a701908ea7e23c8b4e570eb21b6 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=114
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=115
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 7ec36836a741bc0669ab1be59192532136e8e126..58f0ae494c0d0c2c3a66f708cbe7c1545bdeec84 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -25,6 +25,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -118,7 +120,6 @@ EXAMPLES:
 """)
 
 register = Registry()
-transport_cert_nickname = 'KRA Transport Certificate'
 
 @register()
 class vaultcontainer(LDAPObject):
@@ -845,6 +846,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+    __doc__ = _('Retrieve vault transport certificate.')
+
+
+    # list of attributes we want exported to JSON
+    json_friendly_attributes = (
+        'takes_args',
+    )
+
+    takes_options = (
+        Str('out?',
+            cli_name='out',
+            doc=_('Output file to store the transport certificate'),
+        ),
+    )
+
+    has_output_params = (
+        Str('certificate',
+            label=_('Certificate'),
+        ),
+    )
+
+    def __json__(self):
+        json_dict = dict(
+            (a, getattr(self, a)) for a in self.json_friendly_attributes
+        )
+        json_dict['takes_options'] = list(self.get_json_options())
+        return json_dict
+
+    def forward(self, *args, **options):
+
+        file = options.get('out')
+
+        # don't send these parameters to server
+        if 'out' in options:
+            del options['out']
+
+        response = super(vault_transport_cert, self).forward(*args, **options)
+
+        if file:
+            with open(file, 'w') as f:
+                f.write(response['result']['certificate'])
+
+        return response
+
+    def execute(self, *args, **options):
+
+        kra_client = api.Backend.kra.get_client()
+        transport_cert = kra_client.system_certs.get_transport_cert()
+        return {
+            'result': {
+                'certificate': transport_cert.encoded
+            }
+        }
+
+
+ at register()
 class vault_archive(LDAPRetrieve):
     __doc__ = _('Archive data into a vault.')
 
@@ -931,7 +989,15 @@ class vault_archive(LDAPRetrieve):
         session_key = crypto.generate_session_key()
 
         # retrieve transport certificate
-        nss_transport_cert = crypto.get_cert(transport_cert_nickname)
+        (file, filename) = tempfile.mkstemp()
+        os.close(file)
+        try:
+            api.Command.vault_transport_cert(out=unicode(filename))
+            transport_cert_der = nss.read_der_from_file(filename, True)
+            nss_transport_cert = nss.Certificate(transport_cert_der)
+
+        finally:
+            os.remove(filename)
 
         # wrap session key with transport certificate
         wrapped_session_key = crypto.asymmetric_wrap(
@@ -1070,7 +1136,15 @@ class vault_retrieve(LDAPRetrieve):
         session_key = crypto.generate_session_key()
 
         # retrieve transport certificate
-        nss_transport_cert = crypto.get_cert(transport_cert_nickname)
+        (file, filename) = tempfile.mkstemp()
+        os.close(file)
+        try:
+            api.Command.vault_transport_cert(out=unicode(filename))
+            transport_cert_der = nss.read_der_from_file(filename, True)
+            nss_transport_cert = nss.Certificate(transport_cert_der)
+
+        finally:
+            os.remove(filename)
 
         # wrap session key with transport certificate
         wrapped_session_key = crypto.asymmetric_wrap(
-- 
1.9.0


