diff --git a/jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py b/jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py
index 2091dde1967..c40682f2e66 100644
--- a/jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py
+++ b/jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py
@@ -5,6 +5,7 @@
 import uuid
 import shutil
 import json
+import tempfile
 from urllib.parse import urlparse
 
 
@@ -159,17 +160,16 @@ def import_openbanking_certificate(self):
         jwksUri = oxauth_config_json['jwksUri']
         o = urlparse(jwksUri)
         jwks_addr = o.netloc
-        ssl_cmd = shutil.which('openssl')
-        random_crt_fn = os.path.join(self.output_folder, '{}.crt'.format(os.urandom(3).hex()))
-        cmd = "echo -n | {} s_client -connect {}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > {}".format(ssl_cmd, jwks_addr, random_crt_fn)
-        self.run(cmd, shell=True)
+        open_banking_cert = self.get_server_certificate(jwks_addr)
         alias = jwks_addr.replace('.', '_')
-        self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
-                    Config.defaultTrustStoreFN, '-storepass', 'changeit',
-                    '-noprompt', '-alias', alias, '-file', random_crt_fn])
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            tmp_fn = os.path.join(tmp_dir, jwks_addr+'.crt')
+            self.writeFile(tmp_fn, open_banking_cert)
+            self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
+                        Config.defaultTrustStoreFN, '-storepass', 'changeit',
+                        '-noprompt', '-alias', alias, '-file', tmp_fn])
 
-        #os.remove(random_crt_fn)
 
 
     def import_openbanking_key(self):
         if os.path.isfile(Config.ob_key_fn) and os.path.isfile(Config.ob_cert_fn):
diff --git a/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py b/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py
index 17fb053e7c7..c0c547d8125 100644
--- a/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py
+++ b/jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py
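Review bot: `jwks_addr` is `o.netloc`, which still carries any explicit port or userinfo present in `jwksUri`, and the new line hands it unchanged to `get_server_certificate`, where it becomes both the `server_hostname` for SNI and the address in `connect((host, 443))`; a jwksUri with a non-default port (constructed example: `https://bank.example:8443/jwks`) would therefore fail to connect or send a malformed SNI, as it already did with the old `s_client` pipeline. Connect on the parsed host instead, `open_banking_cert = self.get_server_certificate(o.hostname)`, and keep `jwks_addr` only for the keytool alias and the temp file name. Because the fetched certificate is then imported with `-trustcacerts` into `Config.defaultTrustStoreFN` and nothing verifies the fetch, a `self.logIt(...)` line naming the host and the imported file just before the keytool call would let an operator see what was pinned. With `shutil.which` gone from this function, `import shutil` at the top of the file may now be unused; the rest of the file is outside the hunk, as is the start of `import_openbanking_certificate`.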
@@ -196,10 +196,10 @@ def collect(self):
         ssl_subj = self.get_ssl_subject('/etc/certs/httpd.crt')
 
 
-        Config.countryCode = ssl_subj['C']
-        Config.state = ssl_subj['ST']
-        Config.city = ssl_subj['L']
-        Config.city = ssl_subj['L']
+        Config.countryCode = ssl_subj.get('countryName', '')
+        Config.state = ssl_subj.get('stateOrProvinceName', '')
+        Config.city = ssl_subj.get('localityName', '')
+        Config.admin_email = ssl_subj.get('emailAddress', '')
 
         #this is not good, but there is no way to retreive password from ldap
         if not Config.get('admin_password'):
@@ -209,11 +209,7 @@ def collect(self):
                 Config.admin_password = Config.cb_password
 
         if not Config.get('orgName'):
-            Config.orgName = ssl_subj['O']
-
-        #for service in jetty_services:
-        # setup_prop[jetty_services[service][0]] = os.path.exists('/opt/jans/jetty/{0}/webapps/{0}.war'.format(service))
-
+            Config.orgName = ssl_subj.get('organizationName', '')
 
         for s in ['jansScimEnabled']:
             setattr(Config, s, oxConfiguration.get(s, False))
@@ -252,13 +248,6 @@ def collect(self):
         Config.installEleven = os.path.exists(os.path.join(Config.jetty_base, 'jans-eleven/start.ini'))
         Config.install_config_api = os.path.exists(os.path.join(Config.jansOptFolder, 'jans-config-api'))
 
-        result = dbUtils.search('ou=people,o=jans', search_filter='(&(uid=admin)(objectClass=jansPerson))')
-        if result:
-            Config.admin_inum = result['inum']
-            if 'mail' in result:
-                Config.admin_email = result['mail']
-
-
     def save(self):
         if os.path.exists(Config.setup_properties_fn):
             self.backupFile(Config.setup_properties_fn)
diff --git a/jans-linux-setup/jans_setup/setup_app/utils/crypto64.py b/jans-linux-setup/jans_setup/setup_app/utils/crypto64.py
index 05f1d8b8f4a..530d12b5711 100644
--- a/jans-linux-setup/jans_setup/setup_app/utils/crypto64.py
+++ b/jans-linux-setup/jans_setup/setup_app/utils/crypto64.py
@@ -2,6 +2,8 @@
 import re
 import base64
 import json
+import socket
+import ssl
 from collections import OrderedDict
 from pathlib import Path
 
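Review bot: The block removed in the third hunk of this file (`@@ -252,13 +248,6 @@`) was the only code in the diff that set `Config.admin_inum`, and no new line assigns it; unless something outside the diff populates it, anything reading `Config.admin_inum` after `collect()` now finds it unset. `Config.admin_email` also changes source in the first hunk: it is now the `emailAddress` attribute of the httpd certificate subject instead of the admin entry's `mail` attribute, with `''` as the fallback, so an install whose certificate was issued without an email field silently loses the admin address rather than failing. A comment on the new assignment would make that trade-off visible to the next maintainer, e.g. `# admin e-mail now comes from the httpd certificate subject; empty if the cert has no emailAddress`. `collect` starts and ends outside these hunks.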
@@ -15,15 +17,10 @@ class Crypto64:
 
 
     def get_ssl_subject(self, ssl_fn):
+        cert_info = ssl._ssl._test_decode_cert(ssl_fn)
         retDict = {}
-        cmd = paths.cmd_openssl + ' x509 -noout -subject -nameopt RFC2253 -in {}'.format(ssl_fn)
-        s = self.run(cmd, shell=True)
-        s = s.strip() + ','
-
-        for k in ('emailAddress', 'CN', 'O', 'L', 'ST', 'C'):
-            rex = re.search('{}=(.*?),'.format(k), s)
-            retDict[k] = rex.groups()[0] if rex else ''
-
+        for subj in cert_info["subject"]:
+            retDict[subj[0][0]] = subj[0][1]
         return retDict
 
     def obscure(self, data=""):
@@ -327,3 +324,11 @@ def encode_test_passwords(self):
             Config.templateRenderingDict['oxauthClient_4_encoded_pw'] = self.obscure(Config.templateRenderingDict['oxauthClient_4_pw'])
         except:
             self.logIt("Error encoding test passwords", True)
+
+    def get_server_certificate(self, host):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        context = ssl.SSLContext()
+        ssl_sock = context.wrap_socket(sock, server_hostname=host)
+        ssl_sock.connect((host, 443))
+        cert_der = ssl_sock.getpeercert(True)
+        return ssl.DER_cert_to_PEM_cert(cert_der)
diff --git a/jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py b/jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py
index fb42ac24e49..6894de0d614 100644
--- a/jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py
+++ b/jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py
@@ -455,7 +455,7 @@ def check_oxd_ssl_cert(self, oxd_hostname, oxd_port):
         self.writeFile(oxd_crt_fn, oxd_cert)
         ssl_subjects = self.get_ssl_subject(oxd_crt_fn)
 
-        if ssl_subjects['CN'] != oxd_hostname:
+        if ssl_subjects.get('commonName') != oxd_hostname:
             return ssl_subjects
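Review bot: `ssl._ssl._test_decode_cert` on the first added line of `get_ssl_subject` is a private helper of CPython's `_ssl` extension that, by its name, exists for the interpreter's own tests, so it can change or disappear in a minor release without notice; the loop below also reads only `subj[0]` from each RDN, so a multi-valued RDN loses every attribute but its first. Iterating all attributes is a small change: `for rdn in cert_info["subject"]:` / `for key, value in rdn:` / `retDict[key] = value`. The returned keys also switch from the short names `CN`/`O`/`L`/`ST`/`C` to the long forms (`commonName`, `organizationName`, ...); the callers in this diff are updated, but any caller of `get_ssl_subject` outside the diff that still indexes `['CN']` would now raise `KeyError`, and the old behaviour of returning `''` for an absent attribute is gone, which is why the callers had to move to `.get()`. A docstring stating the key format would pin the new contract, e.g. `"""Return the subject of the PEM certificate at ssl_fn as {attribute long name: value}."""`.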
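Review bot: The socket created on the first line of `get_server_certificate` is never closed, `ssl.SSLContext()` with no protocol argument is deprecated since Python 3.10 and, as used here, performs no certificate or hostname verification, and `AF_INET` with no timeout rules out IPv6-only hosts and lets an unreachable host hang the installer indefinitely. The returned leaf certificate is what `import_openbanking_certificate` goes on to import into the default trust store, so an unverified fetch is inherent to this use, but that choice should be explicit in the code rather than a side effect of the default context, and the connection should be bounded and closed. A rewrite using `socket.create_connection` with a timeout, an explicit `PROTOCOL_TLS_CLIENT` context with verification deliberately disabled, and `with` blocks that close both sockets is below; the timeout value is a sample to adjust.
```python
    def get_server_certificate(self, host):
        """Return the PEM-encoded leaf certificate presented by host:443.

        Verification is intentionally disabled: the caller imports the returned
        certificate into the trust store, so there is nothing to verify it against yet.
        """
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, 443), timeout=30) as sock:
            with context.wrap_socket(sock, server_hostname=host) as ssl_sock:
                cert_der = ssl_sock.getpeercert(True)
        return ssl.DER_cert_to_PEM_cert(cert_der)
```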