Move external cert validation from ipa-server-install to installutils.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-02-27 15:09:10 +01:00 · 2014-02-27 15:09:10 +01:00 · 2c43a3d0d5
commit 2c43a3d0d5
parent 2109d6611b
2 changed files with 53 additions and 42 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -70,7 +70,6 @@ from ipapython import ipautil
 from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
-from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
 from ipalib.util import validate_domain_name
 from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
@ -749,47 +748,11 @@ def main():

    if options.external_cert_file:
        try:
-            extcert = load_certificate_from_file(options.external_cert_file)
-        except IOError, e:
-            print "Can't load the PEM certificate: %s." % str(e)
+            validate_external_cert(options.external_cert_file,
+                                   options.external_ca_file, options.subject)
+        except ValueError, e:
+            print e
            sys.exit(1)
-        except nss.error.NSPRError:
-            print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file
-            sys.exit(1)
-
-        certsubject = DN(str(extcert.subject))
-        wantsubject = DN(('CN','Certificate Authority'), options.subject)
-        if certsubject != wantsubject:
-            print "Subject of the external certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
-            sys.exit(1)
-
-        try:
-            extchain = load_certificate_chain_from_file(options.external_ca_file)
-        except IOError, e:
-            print "Can't load the external CA chain: %s." % str(e)
-            sys.exit(1)
-        except nss.error.NSPRError:
-            print "'%s' is not a valid PEM-encoded certificate chain." % options.external_ca_file
-            sys.exit(1)
-
-        certdict = dict((DN(str(cert.subject)), cert) for cert in extchain)
-        del extchain
-        certissuer = DN(str(extcert.issuer))
-        if certissuer not in certdict:
-            print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer
-            sys.exit(1)
-
-        cert = extcert
-        del extcert
-        while cert.issuer != cert.subject:
-            certissuer = DN(str(cert.issuer))
-            if certissuer not in certdict:
-                print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer
-                sys.exit(1)
-            del cert
-            cert = certdict[certissuer]
-        del certdict
-        del cert

    # We only set up the CA if the PKCS#12 options are not given.
    if options.dirsrv_pkcs12:
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -33,13 +33,14 @@ from contextlib import contextmanager
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 import ldap
+from nss.error import NSPRError

 from ipapython import ipautil, sysrestore, admintool, dogtag
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import *
 from ipalib.util import validate_hostname
 from ipapython import config
-from ipalib import errors
+from ipalib import errors, x509
 from ipapython.dn import DN
 from ipaserver.install import certs, service
 from ipaplatform import services
@ -865,3 +866,50 @@ def check_entropy():
    except ValueError as e:
        root_logger.debug("Invalid value in /proc/sys/kernel/random/entropy_avail %s" % \
            e)
+
+def validate_external_cert(cert_file, ca_file, subject_base):
+    extcert = None
+    try:
+        extcert = x509.load_certificate_from_file(cert_file)
+        certsubject = DN(str(extcert.subject))
+        certissuer = DN(str(extcert.issuer))
+    except IOError, e:
+        raise ValueError("Can't load the PEM certificate: %s." % e)
+    except (TypeError, NSPRError):
+        raise ValueError(
+            "'%s' is not a valid PEM-encoded certificate." % cert_file)
+    finally:
+        del extcert
+
+    wantsubject = DN(('CN', 'Certificate Authority'), subject_base)
+    if certsubject != wantsubject:
+        raise ValueError(
+            "Subject of the external certificate is not correct (got %s, "
+            "expected %s)." % (certsubject, wantsubject))
+
+    extchain = None
+    try:
+        extchain = x509.load_certificate_chain_from_file(ca_file)
+        certdict = dict((DN(str(cert.subject)), DN(str(cert.issuer)))
+                        for cert in extchain)
+    except IOError, e:
+        raise ValueError("Can't load the external CA chain: %s." % e)
+    except (TypeError, NSPRError):
+        raise ValueError(
+            "'%s' is not a valid PEM-encoded certificate chain." % ca_file)
+    finally:
+        del extchain
+
+    if certissuer not in certdict:
+        raise ValueError(
+            "The external certificate is not signed by the external CA "
+            "(unknown issuer %s)." % certissuer)
+
+    while certsubject != certissuer:
+        certsubject = certissuer
+        try:
+            certissuer = certdict[certsubject]
+        except KeyError:
+            raise ValueError(
+                "The external CA chain is incomplete (%s is missing from the "
+                "chain)." % certsubject)