URL: https://github.com/freeipa/freeipa/pull/663 Author: stlaz Title: #663: Generate PIN for PKI to help Dogtag in FIPS Action: opened
PR body: """ Dogtag is currently unable to generate a PIN it could use for creating an NSS database in FIPS mode. Generate it on Dogtag's behalf so that we don't fail. https://pagure.io/freeipa/issue/6824 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/663/head:pr663 git checkout pr663
From 287954ab65a579f9551ecd5c6d8e403e5f06abc9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 28 Mar 2017 13:54:16 +0200
Subject: [PATCH] Generate PIN for PKI to help Dogtag in FIPS

Dogtag is currently unable to generate a PIN it could use for an NSS database creation in FIPS. Generate it for them so that we don't fail.

https://pagure.io/freeipa/issue/6824
---
 ipaserver/install/cainstance.py  | 6 +++++-
 ipaserver/install/krainstance.py | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0d3c23..92bb760 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,6 +541,10 @@ def __spawn_instance(self):
         # CA key algorithm
         config.set("CA", "pki_ca_signing_key_algorithm",
                    self.ca_signing_algorithm)
 
+        # generate pin which we know can be used for FIPS NSS database
+        pki_pin = ipautil.ipa_generate_password()
+        config.set("CA", "pki_pin", pki_pin)
+
         if self.clone:
             if self.no_db_setup:
@@ -613,7 +617,7 @@ def __spawn_instance(self):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password)
+                nolog_list=(self.dm_password, self.admin_password, pki_pin)
             )
         finally:
             os.remove(cfg_file)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index b41ccb6..34d6678 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,6 +235,10 @@ def __spawn_instance(self):
             "KRA", "pki_share_dbuser_dn",
             str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
 
+        # generate pin which we know can be used for FIPS NSS database
+        pki_pin = ipautil.ipa_generate_password()
+        config.set("KRA", "pki_pin", pki_pin)
+
         _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
 
         if self.clone:
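Review bot: The comment `# generate pin which we know can be used for FIPS NSS database` on the added lines does not say what the value protects or why Dogtag cannot produce it itself, so a later reader will not recognise `pki_pin` as a secret; suggest `# Dogtag cannot generate an NSS database PIN under FIPS (pagure #6824), so supply one here; it is a secret and is kept out of logs via nolog_list in spawn_instance`. The strength of that PIN rests entirely on `ipautil.ipa_generate_password()`, whose implementation is not in this diff; please confirm it draws from an OS-backed CSPRNG rather than the default `random` module before relying on it to protect the NSS token. The same three-line block is duplicated verbatim in the krainstance.py hunk at `@@ -235,6 +235,10 @@` with only the section name differing, so a small helper on the shared DogtagInstance base taking the section name would keep the two in step. The PIN is written in clear into the pkispawn config file; the second hunk shows `cfg_file` being removed in `finally`, which is good, but the file's creation mode is not visible here and is worth checking since the PIN lives there until spawn completes. `__spawn_instance` begins and ends outside the hunk.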
@@ -275,7 +279,7 @@ def __spawn_instance(self):
         try:
             DogtagInstance.spawn_instance(
                 self, cfg_file,
-                nolog_list=(self.dm_password, self.admin_password)
+                nolog_list=(self.dm_password, self.admin_password, pki_pin)
             )
         finally:
             os.remove(p12_tmpfile_name)