ipa/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch

From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 19 Jun 2020 08:48:56 -0400
Subject: [PATCH] Specify cert_paths when calling PKIConnection

PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 freeipa.spec.in                       |  6 +++---
 install/tools/ipa-pki-wait-running.in |  3 ++-
 ipaserver/install/cainstance.py       |  7 +++++++
 ipaserver/install/dogtaginstance.py   |  3 ++-
 ipaserver/plugins/dogtag.py           | 11 +++++------
 5 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 74e752ea5..d00b9d640 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,9 +112,9 @@
 # Fedora
 %endif
 
-# 10.7.3 supports LWCA key replication using AES
-# https://pagure.io/freeipa/issue/8020
-%global pki_version 10.7.3-1
+# PKIConnection has been modified to always validate certs.
+# https://pagure.io/freeipa/issue/8379
+%global pki_version 10.9.0-0.4
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 69f5ec296..4f0f2f34a 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
     """
     conn = PKIConnection(
         hostname=hostname,
-        subsystem=subsystem
+        subsystem=subsystem,
+        cert_paths=paths.IPA_CA_CRT
     )
     logger.info(
         "Created connection %s://%s:%s/%s",
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 706bc28cc..9294f1dba 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
         else:
             pki_pin = None
 
+        # When spawning a CA instance, always point to IPA_CA_CRT if it
+        # exists. Later, when we're performing step 2 of an external CA
+        # installation, we'll overwrite this key to point to the real
+        # external CA.
+        if os.path.exists(paths.IPA_CA_CRT):
+            cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
+
         if self.clone:
             if self.no_db_setup:
                 cfg.update(
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 361d80a8c..7e295665c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -70,7 +70,8 @@ def get_security_domain():
     connection = PKIConnection(
         protocol='https',
         hostname=api.env.ca_host,
-        port='8443'
+        port='8443',
+        cert_paths=paths.IPA_CA_CRT
     )
     domain_client = pki.system.SecurityDomainClient(connection)
     info = domain_client.get_security_domain_info()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4de26d76f..b300f6b18 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2082,13 +2082,12 @@ class kra(Backend):
             'https',
             self.kra_host,
             str(self.kra_port),
-            'kra')
+            'kra',
+            cert_paths=paths.IPA_CA_CRT
+        )
 
-        connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
-        # uncomment the following when this commit makes it to release
-        # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
-        # connection.set_authentication_cert(paths.RA_AGENT_PEM,
-        #                                    paths.RA_AGENT_KEY)
+        connection.set_authentication_cert(paths.RA_AGENT_PEM,
+                                           paths.RA_AGENT_KEY)
 
         try:
             yield KRAClient(connection, crypto)
-- 
2.26.2