IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Support CA certificate renewal in dogtag-ipa-ca-renew-agent.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta
2014-02-18 18:14:47 +01:00
committed by Petr Viktorin
parent ee96533aab
commit 35857026e6
1 changed files with 47 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
install/certmonger/dogtag-ipa-ca-renew-agent-submit
View File

@@ -110,7 +110,7 @@ def store_cert():
try: try:
attempts = int(cookie) attempts = int(cookie)
except ValueError: except ValueError:
return (UNCONFIGURED, "Invalid cookie") return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else: else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,) return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
@@ -175,7 +175,8 @@ def request_and_store_cert():
state, sep, cookie = cookie.partition(':') state, sep, cookie = cookie.partition(':')
if state not in ('request', 'store'): if state not in ('request', 'store'):
return (UNCONFIGURED, "Invalid cookie") return (UNCONFIGURED,
"Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
else: else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,) return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
@@ -271,11 +272,55 @@ def export_csr():
return (ISSUED, cert) return (ISSUED, cert)
def renew_ca_cert():
"""
This is used for automatic CA certificate renewal.
"""
cert = os.environ.get('CERTMONGER_CERTIFICATE')
if not cert:
return (REJECTED, "New certificate requests not supported")
operation = os.environ.get('CERTMONGER_OPERATION')
if operation == 'SUBMIT':
state = 'retrieve'
if x509.is_self_signed(cert):
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master():
state = 'request'
elif operation == 'POLL':
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
if not cookie:
return (UNCONFIGURED, "Cookie not provided")
state, sep, cookie = cookie.partition(':')
if state not in ('retrieve', 'request'):
return (UNCONFIGURED,
"Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
os.environ['CERTMONGER_CA_COOKIE'] = cookie
else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
if state == 'retrieve':
result = retrieve_cert()
elif state == 'request':
os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
result = request_and_store_cert()
if result[0] == WAIT:
return (result[0], '%s:%s' % (state, result[1]))
elif result[0] == WAIT_WITH_DELAY:
return (result[0], result[1], '%s:%s' % (state, result[2]))
else:
return result
def main(): def main():
handlers = { handlers = {
'ipaStorage': store_cert, 'ipaStorage': store_cert,
'ipaRetrieval': retrieve_cert, 'ipaRetrieval': retrieve_cert,
'ipaCSRExport': export_csr, 'ipaCSRExport': export_csr,
'ipaCACertRenewal': renew_ca_cert,
} }
api.bootstrap(context='renew') api.bootstrap(context='renew')