IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow adding CA certificates to certificate store in ipa-cacert-manage.

Browse Source 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-06-13 14:49:29 +02:00 committed by Petr Viktorin
parent 1b8a1e5564
commit 8bbdfff102
2 changed files with 78 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
install/tools/man/ipa-cacert-manage.1
View File

@ -37,6 +37,13 @@ When the IPA CA is subordinate of an external CA, the renewal process involves s
.sp .sp
When the IPA CA is not configured, this command is not available. When the IPA CA is not configured, this command is not available.
.RE .RE
.TP
\fBinstall\fR
\- Install a CA certificate
.sp
.RS
This command can be used to install new CA certificate to IPA.
.RE
.SH "OPTIONS" .SH "OPTIONS"
.TP .TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
@ -54,6 +61,22 @@ PEM file containing a certificate signed by the external CA. Must be given with
\fB\-\-external\-ca\-file\fR=\fIFILE\fR \fB\-\-external\-ca\-file\fR=\fIFILE\fR
PEM file containing the external CA chain. PEM file containing the external CA chain.
.TP .TP
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
Nickname for the certificate.
.TP
\fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is for S/MIME, and Z is for code signing. Use ",," for no explicit trust.
.sp
The supported trust flags are:
.RS
.IP
C \- CA trusted to issue server certificates
.IP
T \- CA trusted to issue client certificates
.IP
p \- not trusted
.RE
.TP
\fB\-v\fR, \fB\-\-verbose\fR \fB\-v\fR, \fB\-\-verbose\fR
Print debugging information. Print debugging information.
.TP .TP

57
ipaserver/install/ipa_cacert_manage.py
View File

@ -36,7 +36,7 @@ from ipaserver.plugins.ldap2 import ldap2
class CACertManage(admintool.AdminTool): class CACertManage(admintool.AdminTool):
command_name = 'ipa-cacert-manage' command_name = 'ipa-cacert-manage'
usage = "%prog renew [options]" usage = "%prog {renew|install} [options]"
description = "Manage CA certificates." description = "Manage CA certificates."
@ -67,6 +67,15 @@ class CACertManage(admintool.AdminTool):
help="PEM file containing the external CA chain") help="PEM file containing the external CA chain")
parser.add_option_group(renew_group) parser.add_option_group(renew_group)
install_group = OptionGroup(parser, "Install options")
install_group.add_option(
"-n", "--nickname", dest='nickname',
help="Nickname for the certificate")
install_group.add_option(
"-t", "--trust-flags", dest='trust_flags', default='C,,',
help="Trust flags for the certificate in certutil format")
parser.add_option_group(install_group)
def validate_options(self): def validate_options(self):
super(CACertManage, self).validate_options(needs_root=True) super(CACertManage, self).validate_options(needs_root=True)
@ -85,6 +94,9 @@ class CACertManage(admintool.AdminTool):
parser.error("--external-ca-file not specified") parser.error("--external-ca-file not specified")
elif not options.external_cert_file and options.external_ca_file: elif not options.external_cert_file and options.external_ca_file:
parser.error("--external-cert-file not specified") parser.error("--external-cert-file not specified")
elif command == 'install':
if len(self.args) < 2:
parser.error("certificate file name not provided")
else: else:
parser.error("unknown command \"%s\"" % command) parser.error("unknown command \"%s\"" % command)
@ -95,7 +107,8 @@ class CACertManage(admintool.AdminTool):
api.bootstrap(in_server=True) api.bootstrap(in_server=True)
api.finalize() api.finalize()
if command == 'renew' and options.external_cert_file: if ((command == 'renew' and options.external_cert_file) or
command == 'install'):
self.conn = self.ldap_connect() self.conn = self.ldap_connect()
else: else:
self.conn = None self.conn = None
@ -103,6 +116,8 @@ class CACertManage(admintool.AdminTool):
try: try:
if command == 'renew': if command == 'renew':
rc = self.renew() rc = self.renew()
elif command == 'install':
rc = self.install()
finally: finally:
if self.conn is not None: if self.conn is not None:
self.conn.disconnect() self.conn.disconnect()
@ -298,3 +313,41 @@ class CACertManage(admintool.AdminTool):
self.log.debug("modifying certmonger request '%s'", self.request_id) self.log.debug("modifying certmonger request '%s'", self.request_id)
certmonger.modify(self.request_id, profile='ipaCACertRenewal') certmonger.modify(self.request_id, profile='ipaCACertRenewal')
def install(self):
print "Installing CA certificate, please wait"
options = self.options
cert_filename = self.args[1]
nss_cert = None
try:
try:
nss_cert = x509.load_certificate_from_file(cert_filename)
except IOError, e:
raise admintool.ScriptError(
"Can't open \"%s\": %s" % (cert_filename, e))
except (TypeError, NSPRError), e:
raise admintool.ScriptError("Not a valid certificate: %s" % e)
if not nss_cert.is_ca_cert():
raise admintool.ScriptError("Not a CA certificate")
subject = nss_cert.subject
cert = nss_cert.der_data
finally:
del nss_cert
nickname = options.nickname or str(subject)
trust_flags = options.trust_flags
if ((set(trust_flags) - set(',CPTcgpuw')) or
len(trust_flags.split(',')) != 3):
raise admintool.ScriptError("Invalid trust flags")
try:
certstore.put_ca_cert_nss(
self.conn, api.env.basedn, cert, nickname, trust_flags)
except ValueError, e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
print "CA certificate successfully installed"