Check that renewed certificates coming from LDAP are actually renewed.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-04-14 12:13:12 +02:00 · 2014-04-14 12:13:12 +02:00 · 61159b7ff2
commit 61159b7ff2
parent 7086183519
1 changed files with 32 additions and 6 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@ -210,6 +210,21 @@ def retrieve_cert():
    """
    Retrieve new certificate from LDAP.
    """
+    operation = os.environ.get('CERTMONGER_OPERATION')
+    if operation == 'SUBMIT':
+        attempts = 0
+    elif operation == 'POLL':
+        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
+        if not cookie:
+            return (UNCONFIGURED, "Cookie not provided")
+
+        try:
+            attempts = int(cookie)
+        except ValueError:
+            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+    else:
+        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
+
    csr = os.environ.get('CERTMONGER_CSR')
    if not csr:
        return (UNCONFIGURED, "Certificate request not provided")
@ -218,6 +233,11 @@ def retrieve_cert():
    if not nickname:
        return (REJECTED, "No friendly name in the certificate request")

+    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
+    if not old_cert:
+        return (REJECTED, "New certificate requests not supported")
+    old_cert = x509.normalize_certificate(old_cert)
+
    syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)

    with ldap_connect() as conn:
@ -227,13 +247,19 @@ def retrieve_cert():
                   ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
                ['usercertificate'])
        except errors.NotFound:
-            syslog.syslog(
-                syslog.LOG_INFO,
-                "Updated certificate for %s not available" % nickname)
-            # No cert available yet, tell certmonger to wait another 8 hours
-            return (WAIT_WITH_DELAY, 8 * 60 * 60)
+            cert = old_cert
+        else:
+            cert = entry.single_value['usercertificate']
+
+        if cert == old_cert:
+            attempts += 1
+            if attempts < 4:
+                syslog.syslog(
+                    syslog.LOG_INFO,
+                    "Updated certificate for %s not available" % nickname)
+                # No cert available yet, tell certmonger to wait another 8 hours
+                return (WAIT_WITH_DELAY, 8 * 60 * 60, attempts)

-        cert = entry.single_value['usercertificate']
        cert = base64.b64encode(cert)
        cert = x509.make_pem(cert)