certmonger: add support for MS V2 template

Update certmonger.resubmit_request() and .modify() to support specifying the Microsoft V2 certificate template extension. This feature was introduced in certmonger-0.79.5 so bump the minimum version in the spec file. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-08-22 15:39:53 +10:00
parent 2207dc5c17
commit 560ee3c0b5
2 changed files with 20 additions and 7 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -320,8 +320,7 @@ Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-# certmonger-0.79.4-2 fixes newlines in PEM files
-Requires(pre): certmonger >= 0.79.4-2
+Requires(pre): certmonger >= 0.79.5-1
 Requires(pre): 389-ds-base >= 1.3.5.14
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
@@ -540,8 +539,7 @@ Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
 Requires: python-sssdconfig
-# certmonger-0.79.4-2 fixes newlines in PEM files
-Requires: certmonger >= 0.79.4-2
+Requires: certmonger >= 0.79.5-1
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -507,23 +507,36 @@ def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
        request.parent.obj_if.remove_request(request.path)


-def modify(request_id, ca=None, profile=None):
+def modify(request_id, ca=None, profile=None, template_v2=None):
    update = {}
    if ca is not None:
        cm = _certmonger()
        update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
    if profile is not None:
        update['template-profile'] = profile
+    if template_v2 is not None:
+        update['template-ms-certificate-template'] = template_v2
+
    if len(update) > 0:
        request = _get_request({'nickname': request_id})
        request.obj_if.modify(update)


-def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
+def resubmit_request(
+        request_id,
+        ca=None,
+        profile=None,
+        template_v2=None,
+        is_ca=False):
    """
    :param request_id: the certmonger numeric request ID
    :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
-    :param profile: the dogtag template profile to use, e.g. SubCA
+    :param profile: the profile to use, e.g. SubCA.  For requests using the
+                    Dogtag CA, this is the profile to use.  This also causes
+                    the Microsoft certificate tempalte name extension to the
+                    CSR (for telling AD CS what template to use).
+    :param template_v2: Microsoft V2 template specifier extension value.
+                        Format: <oid>:<major-version>[:<minor-version>]
    :param is_ca: boolean that if True adds the CA basic constraint
    """
    request = _get_request({'nickname': request_id})
@@ -534,6 +547,8 @@ def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
            update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
        if profile is not None:
            update['template-profile'] = profile
+        if template_v2 is not None:
+            update['template-ms-certificate-template'] = template_v2
        if is_ca:
            update['template-is-ca'] = True
            update['template-ca-path-length'] = -1  # no path length