From afea026a5c45ce24f3bf6da499b4d334eea3ca78 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mar 01 2017 09:43:41 +0000 Subject: Remove pkcs12 handling functions from CertDB These functions don't require anything from the CertDB instance, move them out so no needless instantiation of CertDB is performed in order to use them. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta --- diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 001b03f..1725215 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -61,6 +61,27 @@ def get_cert_nickname(cert): return (str(dn[0]), dn) +def install_pem_from_p12(p12_fname, p12_passwd, pem_fname): + pwd = ipautil.write_tmp_file(p12_passwd) + ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys", + "-in", p12_fname, "-out", pem_fname, + "-passin", "file:" + pwd.name]) + + +def install_key_from_p12(p12_fname, p12_passwd, pem_fname): + pwd = ipautil.write_tmp_file(p12_passwd) + ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts", + "-in", p12_fname, "-out", pem_fname, + "-passin", "file:" + pwd.name]) + + +def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname): + ipautil.run([paths.OPENSSL, "pkcs12", + "-export", "-name", nickname, + "-in", pem_fname, "-out", pkcs12_fname, + "-passout", "file:" + pkcs12_pwd_fname]) + + class CertDB(object): """An IPA-server-specific wrapper around NSS @@ -538,13 +559,6 @@ class CertDB(object): "-k", self.passwd_fname, "-w", pkcs12_pwd_fname]) - def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname, - nickname, pem_fname): - ipautil.run([paths.OPENSSL, "pkcs12", - "-export", "-name", nickname, - "-in", pem_fname, "-out", pkcs12_fname, - "-passout", "file:" + pkcs12_pwd_fname]) - def create_from_cacert(self): cacert_fname = paths.IPA_CA_CRT if ipautil.file_exists(self.certdb_fname): 
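Review bot: `install_key_from_p12` in the `@@ -61,6 +61,27 @@` hunk of certs.py runs openssl with `-nodes`, so the private key is written unencrypted to `pem_fname` with whatever mode the process umask allows — nothing in the function restricts it, and the only caller visible in this diff passes `paths.KDC_KEY`. Unless the caller tightens the mode afterwards (not visible here), add `os.chmod(pem_fname, 0o600)` directly after the `ipautil.run([...])` call (confirm `os` is imported in certs.py). The password temp file `pwd` is presumably a `NamedTemporaryFile`-style object created with mode 0600 and removed once it is collected after `ipautil.run` returns; that is worth confirming against `ipautil.write_tmp_file`, since the PKCS#12 password sits in it in plaintext. The three new module-level functions also carry no docstrings now that they are public module API; one line each would do, e.g. `"""Write the certificates (no keys) from a PKCS#12 file to pem_fname in PEM form."""` for `install_pem_from_p12`.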
@@ -629,18 +643,6 @@ class CertDB(object): self.create_pin_file() self.export_ca_cert(nickname, False) - def install_pem_from_p12(self, p12_fname, p12_passwd, pem_fname): - pwd = ipautil.write_tmp_file(p12_passwd) - ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys", - "-in", p12_fname, "-out", pem_fname, - "-passin", "file:" + pwd.name]) - - def install_key_from_p12(self, p12_fname, p12_passwd, pem_fname): - pwd = ipautil.write_tmp_file(p12_passwd) - ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts", - "-in", p12_fname, "-out", pem_fname, - "-passin", "file:" + pwd.name]) - def publish_ca_cert(self, location): self.nssdb.publish_ca_cert(self.cacert_name, location) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 14d5c73..6fa4b4a 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -607,7 +607,7 @@ class ReplicaPrepare(admintool.AdminTool): try: if is_kdc: - db.export_pem_p12(pkcs12_fname, passwd_fname, + certs.export_pem_p12(pkcs12_fname, passwd_fname, nickname, os.path.join(self.dir, "kdc.pem")) else: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 44b3821..9aa3b62 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -346,14 +346,11 @@ class KrbInstance(service.Service): self.move_service_to_host(host_principal) def setup_pkinit(self): - ca_db = certs.CertDB(self.realm, host_name=self.fqdn, - subject_base=self.subject_base) - if self.pkcs12_info: - ca_db.install_pem_from_p12(self.pkcs12_info[0], + certs.install_pem_from_p12(self.pkcs12_info[0], self.pkcs12_info[1], paths.KDC_CERT) - ca_db.install_key_from_p12(self.pkcs12_info[0], + certs.install_key_from_p12(self.pkcs12_info[0], self.pkcs12_info[1], paths.KDC_KEY) else:
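Review bot: The continuation line `nickname, os.path.join(self.dir, "kdc.pem"))` in the `@@ -607,7 +607,7 @@` hunk of ipa_replica_prepare.py is left as context while `db.export_pem_p12(` became `certs.export_pem_p12(`, so its hanging alignment under the opening parenthesis is presumably now three columns short (the collapsed hunk does not show indentation). Re-indent it to line up under `pkcs12_fname`, or break the argument list after the parenthesis. The hunk also assumes the module is already imported as `certs` in this file, which it does not show; the enclosing `try:` block continues outside the hunk, and `db` is still needed there for the `export_pkcs12` call in the `else:` branch.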
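Review bot: The `@@ -346,14 +346,11 @@` hunk of krbinstance.py removes the `ca_db = certs.CertDB(...)` assignment at the top of `setup_pkinit`, but the `else:` branch and the rest of the method lie outside the hunk; if anything there still references `ca_db`, it now raises `NameError` at runtime. Please confirm the remainder of `setup_pkinit` has no remaining `ca_db` use, or move the instantiation into the `else:` branch where it is still needed. Note also that `certs.install_key_from_p12` writes the KDC private key to `paths.KDC_KEY` unencrypted (`-nodes`) with the mode the process umask yields; if nothing later in `setup_pkinit` tightens it, `os.chmod(paths.KDC_KEY, 0o600)` after the two calls is the cheapest place to do so.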