Bug 493418 - silent install -save_p12 option creates file mode 644
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Installer (pkicreate/pkiremove)
Version: 1.0
Hardware/OS: All Linux
Priority: high, Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 445047 freeIPAFuture

Reported: 2009-04-01 13:15 EDT by Rob Crittenden
Modified: 2015-01-04 18:37 EST
Doc Type: Bug Fix
Last Closed: 2012-06-04 16:33:48 EDT
Attachments: patch to fix (3.85 KB, patch), 2009-04-28 16:01 EDT, Ade Lee

Description Rob Crittenden 2009-04-01 13:15:37 EDT
Description of problem:

The pkisilent script has an option to save the CA certs and keys as a PKCS#12 file. This file is created as /tmp/tmp-ca.p12 and is mode 644. Since it contains the CA keys it should at least be created as mode 600. Might be better to create it in /root as well.

Version-Release number of selected component (if applicable):

dogtag SVN revision 322

Steps to Reproduce:
1. pkisilent ConfigureCA ... -save_p12 true ...
2. ls -l /tmp/tmp-ca.p12 
-rw-r--r-- 1 root root 10852 2009-04-01 12:02 /tmp/tmp-ca.p12
Comment 1 Ade Lee 2009-04-28 16:01:39 EDT
Created attachment 341643
patch to fix

Added optional flag to specify file location and name
defaults to /root
Also provides correct permissions.

awnuk, please review
Comment 2 Andrew Wnuk 2009-04-28 16:13:14 EDT
attachment (id=341643) +awnuk
Comment 3 Ade Lee 2009-04-28 16:32:21 EDT
[builder@dhcp231-124 dogtag-src]$ svn ci -m "Bugzilla BZ 493418: silent install -save_p12 option creates file mode 644" pki/base/silent/ pki/dogtag/silent/
Sending        pki/base/silent/src/ca/ConfigureCA.java
Sending        pki/dogtag/silent/pki-silent.spec
Transmitting file data ..
Committed revision 418.
Comment 4 Jenny Galipeau 2009-06-05 13:29:51 EDT
save_p12 set to true for CA - p12 created in root's home directory with permissions of 600, however all other p12s are created in /tmp still with permissions of 644.  I think this fix is incomplete.  What is the flag to change the location?  /root may not exist on Solaris.
Comment 5 Ade Lee 2009-06-09 23:33:30 EDT
Jenny, 

A couple of questions: 
1. what other p12 files?  There is only one pk12 file created
2. Use -backup_fname foo to change the location
Comment 6 Jenny Galipeau 2009-06-10 08:48:36 EDT
1.  tmp-kra.p12, tmp-tks.p12, tmp-ocsp.p12  ....
2.  Thank you - I will try that.
Comment 9 Jack Magne 2009-12-03 15:59:07 EST
Attachments id=375817 id=375819 jmagne+

With caveat of checking for an empty string in the function:
checkRequireArgs.
Comment 10 Ade Lee 2009-12-03 16:29:11 EST
Checked in as part of fixes to 504030:

Checked into tip:
[builder@dhcp231-70 silent]$  svn ci -m "fixes for BZ 510774,531162,504030,493418"
Sending        silent/scripts/pkisilent
Sending        silent/src/argparser/ArgParser.java
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/common/ComCrypto.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .........
Committed revision 877.

Checked into 8.1
[builder@oliver silent]$ svn ci -m "fixes for BZ 510774,531162, 504030, 493418"
Sending        silent/scripts/pkisilent
Sending        silent/src/argparser/ArgParser.java
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data ........
Committed revision 878.
Comment 11 Ade Lee 2009-12-03 16:47:41 EST
QE/ docs:

This was fixed before for the CA only.  It has now been fixed for the other subsystems.  

Note: it does not apply to the TPS
Note: it has not been added to the subCA.  Currently, the code in the subCA does not save the certs in a pk12 file.  I didn't change it - if someone really wants it, they can ask for it.
Comment 13 Asha Akkiangady 2010-02-16 14:17:44 EST
The SaveP12Panel failure mentioned in comment #12 is due to the pkisilent ocsp and tks configuration problem.

pkisilent for CA, DRM, OCSP and TKS with -backup_fname option creates p12 file with permissions of 600.

Marking this bug Verified.
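
The ls -l check used in this report, written as a reusable audit over a directory of .p12 files, plus a way to create such a file owner-only from the moment it is opened. This is an added example, not code from the Dogtag source or from any commenter; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not Dogtag code). Function names are hypothetical; only the
# tmp-<subsystem>.p12 file naming is taken from the bug report.

# Succeeds only if FILE is a regular, non-symlink file with no group or
# other permission bits. Reads the mode column of `ls -ld`.
p12_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;   # e.g. -rw-r--r-- (mode 644)
    esac
}

# Prints "INSECURE <path>" for every *.p12 in DIR that fails the check.
# Returns 1 if at least one file was flagged, 0 otherwise.
audit_p12_dir() {
    rc=0
    for f in "$1"/*.p12; do
        [ -e "$f" ] || continue          # glob matched nothing
        if ! p12_is_private "$f"; then
            printf 'INSECURE %s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Writes stdin to FILE. The umask is set before the file is opened, so the
# file is never readable by group/other, and noclobber (set -C) refuses to
# write through a path that already exists.
write_private() {
    ( umask 077; set -C; cat > "$1" )
}

# Stand-alone use: sh audit.sh /tmp
if [ "$#" -gt 0 ]; then audit_p12_dir "$1"; fi
```

Setting the umask before the write differs from a chmod 600 afterwards: with chmod there is a window in which the key file exists with mode 644.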
