From f919ab4ee0ec26d77ee6978e75de5daba4073402 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Nov 29 2016 13:50:51 +0000
Subject: certdb: use a temporary file to pass password to pk12util

Currently the PKCS#12 file password is passed via stdin and pk12util reads it from /dev/stdin, which is platform-specific. Use a temporary file instead.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka
---

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index d4f7e8a..41712e9 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -33,7 +33,6 @@ class BasePathNamespace(object):
     SYSTEMCTL = "/bin/systemctl"
     TAR = "/bin/tar"
     BIN_TRUE = "/bin/true"
-    DEV_STDIN = "/dev/stdin"
     AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
     ETC_DIRSRV = "/etc/dirsrv"
     DS_KEYTAB = "/etc/dirsrv/ds.keytab"
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 3095253..464cc5b 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -155,11 +155,12 @@ class NSSDatabase(object):
         args = [paths.PK12UTIL, "-d", self.secdir, "-i", pkcs12_filename, "-k", db_password_filename, '-v']
+        pkcs12_password_file = None
         if pkcs12_passwd is not None:
-            pkcs12_passwd = pkcs12_passwd + '\n'
-            args = args + ["-w", paths.DEV_STDIN]
+            pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd)
+            args = args + ["-w", pkcs12_password_file.name]
         try:
-            ipautil.run(args, stdin=pkcs12_passwd)
+            ipautil.run(args)
         except ipautil.CalledProcessError as e:
             if e.returncode == 17:
                 raise RuntimeError("incorrect password for pkcs#12 file %s" %
@@ -169,6 +170,9 @@ class NSSDatabase(object):
             else:
                 raise RuntimeError("unknown error import pkcs#12 file %s" % pkcs12_filename)
+        finally:
+            if pkcs12_password_file is not None:
+                pkcs12_password_file.close()
 
     def import_files(self, files, db_password_filename, import_keys=False, key_password=None, key_nickname=None):
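Review bot: The PKCS#12 password now lands on disk in plaintext through `ipautil.write_tmp_file(pkcs12_passwd)` on the new `-w` line, so the confidentiality of the secret rests entirely on how that helper creates the file — its mode and directory are not visible in this hunk and should be confirmed to be owner-only (0600, as `tempfile.NamedTemporaryFile` gives by default) before pk12util is spawned. The removed `pkcs12_passwd = pkcs12_passwd + '\n'` also means an empty password string no longer yields an empty line on stdin but an empty file; whether pk12util treats that as an empty password rather than prompting or failing should be checked. I would record the dependency next to the call: `# pk12util reads the password from this file; write_tmp_file must create it owner-readable only (0600)`. The enclosing method starts before this hunk.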
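Review bot: Removal of the password file depends on `pkcs12_password_file.close()` in the new `finally` actually unlinking it, which holds only if `ipautil.write_tmp_file` returns a delete-on-close temporary file — that contract is not visible here and deserves a comment, e.g. `# closing the temp file also unlinks it, so the plaintext password does not outlive this call`. If the process is killed between `ipautil.run(args)` and this `finally` the file survives, so the secret's exposure is bounded only by where the temporary directory lives; a `with` block around the run would state the cleanup intent more clearly than the `None` sentinel, though it would need the conditional creation restructured. The enclosing method and its `try` start outside this hunk.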