Add token support to installer certificate handling

Pass along the user-provided password file, if any, to the underlying NSS database. This will provide for per-token passwords. If a token is in a nickname then break it out and pass it to certutil separately. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-09-30 11:39:14 -04:00
parent e6078c639c
commit 34f28f06db
1 changed files with 8 additions and 2 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -161,8 +161,8 @@ class CertDB:
    def __init__(self, realm, nssdir, fstore=None,
                 host_name=None, subject_base=None, ca_subject=None,
                 user=None, group=None, mode=None, create=False,
-                 dbtype='auto'):
-        self.nssdb = NSSDatabase(nssdir, dbtype=dbtype)
+                 dbtype='auto', pwd_file=None):
+        self.nssdb = NSSDatabase(nssdir, dbtype=dbtype, pwd_file=pwd_file)

        self.realm = realm

@@ -377,8 +377,14 @@ class CertDB:
        """
        Retrieve a certificate from the current NSS database for nickname.
        """
+        if ':' in nickname:
+            token = nickname.split(':', 1)[0]
+        else:
+            token = None
        try:
            args = ["-L", "-n", nickname, "-a"]
+            if token:
+                args.extend(['-h', token])
            result = self.run_certutil(args, capture_output=True)
            return x509.load_pem_x509_certificate(result.raw_output)
        except ipautil.CalledProcessError: