From 63c4cbd619f81f16e0c08d3786b69d348c9dcfd7 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: May 19 2017 10:33:57 +0000 Subject: client install: fix client PKINIT configuration Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`. Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs known to IPA. Make sure both bundles are exported in all installation code paths. https://pagure.io/freeipa/issue/6831 Reviewed-By: Stanislav Laznicka Reviewed-By: Martin Babinsky --- diff --git a/client/Makefile.am b/client/Makefile.am index b6c9dea..e354cb4 100644 --- a/client/Makefile.am +++ b/client/Makefile.am @@ -101,4 +101,5 @@ EXTRA_DIST = \ install-data-hook: $(INSTALL) -d -m 755 $(DESTDIR)$(IPA_SYSCONF_DIR)/nssdb + $(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/pki $(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/sysrestore diff --git a/freeipa.spec.in b/freeipa.spec.in index b0c409a..5f7676f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1101,6 +1101,15 @@ if [ $1 -gt 1 ] ; then fi fi + if [ $restore -ge 2 ]; then + if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then + sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem + fi + fi + if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew 
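Review bot: In the new %post block the two `cp` lines run only after krb5.conf has already been rewritten to reference the bundle files, so on a host where /etc/ipa/ca.crt is missing or unreadable the config is left pointing at anchors that were never created and PKINIT silently stops working. Guard the block on the source file as well, `if [ -f /etc/ipa/ca.crt ] && grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then`, or move the two `cp` lines above the `sed`. Note also that this seeds kdc-ca-bundle.pem with every CA in ca.crt, which is wider than the "CAs trusted to issue KDC certificates" the commit message describes; if that is the intended transitional behaviour for upgrades, a one-line comment in the scriptlet saying so would stop a later reader from tightening it by mistake.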
@@ -1472,6 +1481,7 @@ fi %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit %dir %{_localstatedir}/lib/ipa-client +%dir %{_localstatedir}/lib/ipa-client/pki %dir %{_localstatedir}/lib/ipa-client/sysrestore %{_mandir}/man5/default.conf.5* diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index e8b2ad8..1f18ff9 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -21,7 +21,8 @@ $OTHER_LIBDEFAULTS master_kdc = $FQDN:88 admin_server = $FQDN:749 default_domain = $DOMAIN - pkinit_anchors = FILE:/etc/ipa/ca.crt + pkinit_anchors = FILE:$KDC_CA_BUNDLE_PEM + pkinit_pool = FILE:$CA_BUNDLE_PEM } [domain_realm] diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index e78be90..6f10f52 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -710,7 +710,11 @@ def configure_krb5_conf( kropts.append(krbconf.setOption('default_domain', cli_domain)) kropts.append( - krbconf.setOption('pkinit_anchors', 'FILE:%s' % paths.IPA_CA_CRT)) + krbconf.setOption('pkinit_anchors', + 'FILE:%s' % paths.KDC_CA_BUNDLE_PEM)) + kropts.append( + krbconf.setOption('pkinit_pool', + 'FILE:%s' % paths.CA_BUNDLE_PEM)) ropts = [{ 'name': cli_realm, 'type': 'subsection', @@ -2770,6 +2774,13 @@ def _install(options): ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u)) for (c, n, t, u) in ca_certs] + x509.write_certificate_list( + [c for c, n, t, u in ca_certs if t is not False], + paths.KDC_CA_BUNDLE_PEM) + x509.write_certificate_list( + [c for c, n, t, u in ca_certs if t is not False], + paths.CA_BUNDLE_PEM) + # Add the CA certificates to the IPA NSS database root_logger.debug("Adding CA certificates to the IPA NSS database.") ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) 
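Review bot: The template now sets two PKINIT options with different trust meaning but nothing in the file says which is which, and the distinction matters because anything listed under `pkinit_anchors` is a trust root for the KDC certificate while `pkinit_pool` only supplies extra certificates for chain building. A short comment above the two lines would make that explicit, e.g. `# pkinit_anchors: CAs trusted to issue KDC certificates; pkinit_pool: other CAs known to IPA, used only for chain building`. krb5.conf accepts `#` comments, so this can live in the template itself.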
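Review bot: Both new `write_certificate_list` calls in `_install` filter `ca_certs` with the same comprehension, so the KDC bundle and the CA bundle come out byte-identical and the filter is evaluated twice; compute it once, `trusted = [c for c, n, t, u in ca_certs if t is not False]`, and pass it to both calls. Because the commit message distinguishes KDC anchors from the full CA set, a comment such as `# No per-CA KDC trust signal is available on the client yet, so both bundles get the same trusted set` would keep a later reader from assuming the narrower set is applied here. Whether `write_certificate_list` sets a restrictive mode on the files is not visible in this hunk; if it does not, the server-side hunks chmod their bundles to 0o444 and the client should match. `_install` continues outside the hunk.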
@@ -3317,6 +3328,8 @@ def uninstall(options): # Remove the CA cert remove_file(paths.IPA_CA_CRT) + remove_file(paths.KDC_CA_BUNDLE_PEM) + remove_file(paths.CA_BUNDLE_PEM) root_logger.info("Client uninstall complete.") diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 7dc88f0..7e8527e 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -113,6 +113,8 @@ class CertUpdate(admintool.AdminTool): def update_client(self, certs): self.update_file(paths.IPA_CA_CRT, certs) + self.update_file(paths.KDC_CA_BUNDLE_PEM, certs) + self.update_file(paths.CA_BUNDLE_PEM, certs) ipa_db = certdb.NSSDatabase(api.env.nss_dir) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index f80c9e9..804fdde 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -331,6 +331,8 @@ class BasePathNamespace(object): VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv" IPA_CCACHES = "/var/run/ipa/ccaches" HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache" + CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/ca-bundle.pem" + KDC_CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/kdc-ca-bundle.pem" IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock" SVC_LIST_FILE = "/var/run/ipa/services.list" KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a4aa4f2..b8c8cc4 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -794,10 +794,13 @@ class CAInstance(DogtagInstance): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file - with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: - for cert in certlist: - ipaca_pem.write(cert) - ipaca_pem.write('\n') + for path in [paths.IPA_CA_CRT, + paths.KDC_CA_BUNDLE_PEM, + paths.CA_BUNDLE_PEM]: + with open(path, 'w') as ipaca_pem: + for cert in certlist: + ipaca_pem.write(cert) + ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 40f08d7..f8cdd56 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -150,6 +150,8 @@ class Backup(admintool.AdminTool): paths.SSHD_CONFIG, paths.SSH_CONFIG, paths.KRB5_CONF, + paths.KDC_CA_BUNDLE_PEM, + paths.CA_BUNDLE_PEM, paths.IPA_CA_CRT, paths.IPA_DEFAULT_CONF, paths.DS_KEYTAB, diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 2f14ff5..e52577b 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -261,7 +261,9 @@ class KrbInstance(service.Service): KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, - CACERT_PEM=paths.CACERT_PEM) + CACERT_PEM=paths.CACERT_PEM, + KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, + CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) # IPA server/KDC is not a subdomain of default domain # Proper domain-realm mapping needs to be specified diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 25c21db..c1bdce6 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
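Review bot: The bundle files created by the new `for path in [...]` loop take their permissions from the process umask, whereas the server/install.py hunk in this same commit explicitly chmods both bundles to 0o444 after writing them; if the CA-instance path is meant to produce the same world-readable, non-writable files, add `os.chmod(path, 0o444)` after the `with` block (assuming `os` is imported in this module, which is not visible here). The loop also repeats the same inner write three times for identical content, so writing once and copying the result would be equivalent, though that is a style preference. The enclosing method starts outside the hunk.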
@@ -796,6 +796,16 @@ def install(installer): x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) + if not options.no_pkinit: + x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) + else: + with open(paths.KDC_CA_BUNDLE_PEM, 'w'): + pass + os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) + + x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM) + os.chmod(paths.CA_BUNDLE_PEM, 0o444) + # we now need to enable ssl on the ds ds.enable_ssl() diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index c19edce..66d7ba4 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1390,6 +1390,10 @@ def install(installer): # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) + install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, + destfile=paths.KDC_CA_BUNDLE_PEM) + install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, + destfile=paths.CA_BUNDLE_PEM) # Configure dirsrv ds = install_replica_ds(config, options, ca_enabled, diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c244958..648dc1f 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1831,7 +1831,9 @@ def upgrade_configuration(): KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, - CACERT_PEM=paths.CACERT_PEM) + CACERT_PEM=paths.CACERT_PEM, + KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, + CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM) krb.add_anonymous_principal() setup_pkinit(krb)
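Review bot: When `options.no_pkinit` is set, `install` creates KDC_CA_BUNDLE_PEM as an empty file, but the replicainstall.py hunk in this commit populates the same file with the full CA via `install_ca_cert` unconditionally, so a master and a replica installed with the same option end up with different `pkinit_anchors` content; if the empty-anchors behaviour is intended, replicainstall should mirror the `no_pkinit` check. A comment above the `else` branch would also help, e.g. `# PKINIT disabled: krb5.conf still references the anchors file, so create it empty rather than leave a dangling path`. I cannot see whether replicainstall handles `no_pkinit` elsewhere, so this may already be covered outside the hunk.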
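Review bot: `upgrade_configuration` now renders krb5.conf with KDC_CA_BUNDLE_PEM and CA_BUNDLE_PEM, but nothing visible in this hunk ensures those files exist on an upgraded server; reading the hunks together, the spec %post only creates them when the old krb5.conf still contains the exact `pkinit_anchors = FILE:/etc/ipa/ca.crt` line, so a server with a customised krb5.conf would be rewritten to point at missing anchor files. Writing both bundles from paths.IPA_CA_CRT when they are absent, before the template is rendered, would close that gap. The rest of `upgrade_configuration` is outside the hunk, so the files may be created elsewhere in it.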