
[Pki-devel] [PATCH] 266 - Remove noise file generation code



Remove noise file generation code
    
    Noise file does not actually need to have random data because
    NSS does not actually use this data.  Certutil still needs
    the file though, so we will put dummy data in there.  This
    solves potential problems with the random() method used and also
    issues like BZ 1244382

Please review.

Ade
From ae577ed25d822db3973ca98a40ebb0f8671cb7d1 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee redhat com>
Date: Tue, 28 Jul 2015 14:58:00 -0400
Subject: [PATCH] Remove noise file generation code

Noise file does not actually need to have random data because
NSS does not actually use this data.  Certutil still needs
the file though, so we will put dummy data in there.  This
solves potential problems with the random() method used and also
issues like BZ 1244382
---
 .../python/pki/server/deployment/pkihelper.py      | 71 +++-------------------
 .../deployment/scriptlets/security_databases.py    | 12 +++-
 2 files changed, 19 insertions(+), 64 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 5bc4ffab814891aadf0508d0ae20bb8cc315bc90..b02333d54a9800d172f2da25f70019f9f842a2be 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -25,12 +25,10 @@ import errno
 import sys
 import os
 import fileinput
-import random
 import re
 import requests.exceptions
 import shutil
 from shutil import Error, WindowsError
-import string
 import subprocess
 import time
 import types
@@ -1811,63 +1809,6 @@ class File:
                 raise
         return
 
-    def generate_noise_file(
-            self, name, random_bytes, uid=None, gid=None,
-            perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
-            acls=None, critical_failure=True):
-        try:
-            if not os.path.exists(name):
-                # generating noise file called <name> and
-                # filling it with <random_bytes> random bytes
-                config.pki_log.info(
-                    log.PKIHELPER_NOISE_FILE_2, name, random_bytes,
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                open(name, "w").close()
-                with open(name, "w") as FILE:
-                    noise = ''.join(random.choice(string.ascii_letters +\
-                                    string.digits) for x in range(random_bytes))
-                    FILE.write(noise)
-                # chmod <perms> <name>
-                config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
-                                     extra=config.PKI_INDENTATION_LEVEL_3)
-                os.chmod(name, perms)
-                # chown <uid>:<gid> <name>
-                if uid is None:
-                    uid = self.identity.get_uid()
-                if gid is None:
-                    gid = self.identity.get_gid()
-                config.pki_log.debug(log.PKIHELPER_CHOWN_3,
-                                     uid, gid, name,
-                                     extra=config.PKI_INDENTATION_LEVEL_3)
-                os.chown(name, uid, gid)
-                # Store record in installation manifest
-                record = manifest.Record()
-                record.name = name
-                record.type = manifest.RECORD_TYPE_FILE
-                record.user = self.mdict['pki_user']
-                record.group = self.mdict['pki_group']
-                record.uid = uid
-                record.gid = gid
-                record.permissions = perms
-                record.acls = acls
-                self.manifest_db.append(record)
-            elif not os.path.isfile(name):
-                config.pki_log.error(
-                    log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name,
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                if critical_failure:
-                    raise Exception(
-                        log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 % name)
-        except OSError as exc:
-            if exc.errno == errno.EEXIST:
-                pass
-            else:
-                config.pki_log.error(log.PKI_OSERROR_1, exc,
-                                     extra=config.PKI_INDENTATION_LEVEL_2)
-                if critical_failure:
-                    raise
-        return
-
 
 class Symlink:
     """PKI Deployment Symbolic Link Class"""
@@ -4417,8 +4358,14 @@ class ConfigClient:
                 output_file = os.path.join(
                     self.mdict['pki_client_database_dir'], "admin_pkcs10.bin")
 
-                self.deployer.file.generate_noise_file(
-                    noise_file, int(self.mdict['pki_admin_keysize']))
+                # note: in the function below, certutil is used to generate
+                # the request for the admin cert.  The keys are generated
+                # by NSS, which does not actually use the data in the noise
+                # file, so it does not matter what is in this file.  Certutil
+                # still requires it though, otherwise it waits for keyboard
+                # input.
+                with open(noise_file, 'w') as f:
+                    f.write("not_so_random_data")
 
                 self.deployer.certutil.generate_certificate_request(
                     self.mdict['pki_admin_subject_dn'],
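Review bot: `open(noise_file, 'w')` truncates whatever already exists at that path and follows a symlink, whereas the removed `generate_noise_file` skipped an existing path and reported a non-regular file. Deployment code usually runs with elevated privileges, so if `pki_client_database_dir` can ever be written by a less-privileged account (not visible here), this is worth hardening. One option is `fd = os.open(noise_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. The same pattern appears in the security_databases.py hunk. The enclosing method starts and ends outside this hunk.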
@@ -4429,6 +4376,8 @@ class ConfigClient:
                     self.mdict['pki_client_database_dir'],
                     None, None, True)
 
+                self.deployer.file.delete(noise_file)
+
                 # convert output to ascii
                 command = ["BtoA", output_file, output_file + ".asc"]
                 config.pki_log.info(
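Review bot: The added `self.deployer.file.delete(noise_file)` is skipped when `generate_certificate_request` raises, so a failed run leaves the dummy file behind in the client database directory. Wrapping the call as `try:` … `finally: self.deployer.file.delete(noise_file)` would make the cleanup unconditional. Whether `delete` tolerates a missing file is not visible here. The call begins in the previous hunk and the method continues past this one.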
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 3f8623af159d4e52195dae010625c8e5cfbaefc8..c3d4d9e498482efa8a96c34545be021f18ab8f56 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -91,9 +91,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 deployer.mdict['pki_self_signed_nickname'],
                 password_file=deployer.mdict['pki_shared_pfile'])
             if not rv:
-                deployer.file.generate_noise_file(
-                    deployer.mdict['pki_self_signed_noise_file'],
-                    deployer.mdict['pki_self_signed_noise_bytes'])
+                # note: in the function below, certutil is used to generate
+                # the request for the self signed cert.  The keys are generated
+                # by NSS, which does not actually use the data in the noise
+                # file, so it does not matter what is in this file.  Certutil
+                # still requires it though, otherwise it waits for keyboard
+                # input
+                with open(
+                        deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
+                    f.write("not_so_random_data")
                 deployer.certutil.generate_self_signed_certificate(
                     deployer.mdict['pki_database_path'],
                     deployer.mdict['pki_cert_database'],
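Review bot: Nothing in this hunk removes `pki_self_signed_noise_file` after use, while the ConfigClient path in pkihelper.py deletes its noise file, and the removed helper's manifest record that tracked the file is gone too. Unless a delete follows outside the hunk, add `deployer.file.delete(deployer.mdict['pki_self_signed_noise_file'])` once `generate_self_signed_certificate` returns. The comment could also state the assumption more precisely, e.g. `# key strength relies on NSS's own RNG seeding; this file only satisfies certutil's noise-file requirement`, since that assumption is what makes constant content acceptable. The `generate_self_signed_certificate` call continues past the end of the hunk.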
-- 
2.4.3

