cacert manage: support PKINIT

Allow installing 3rd party CA certificates trusted to issue PKINIT KDC and/or client certificates. https://pagure.io/freeipa/issue/6831 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-05-03 06:17:32 +00:00 · 2017-05-03 06:17:32 +00:00 · 9ea764ecf5
commit 9ea764ecf5
parent b3855704f4
2 changed files with 18 additions and 5 deletions
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@ -90,7 +90,7 @@ File containing the IPA CA certificate and the external CA certificate chain. Th
 Nickname for the certificate.
 .TP
 \fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
-Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is for S/MIME, and Z is for code signing. Use ",," for no explicit trust.
+Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.
 .sp
 The supported trust flags are:
 .RS
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@ -28,6 +28,7 @@ from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
 from ipapython.certdb import (EMPTY_TRUST_FLAGS,
                              EXTERNAL_CA_TRUST_FLAGS,
+                              TrustFlags,
                              parse_trust_flags)
 from ipapython.dn import DN
 from ipaplatform.paths import paths
@ -363,12 +364,24 @@ class CACertManage(admintool.AdminTool):
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

-        trust_flags = options.trust_flags
-        if ((set(trust_flags) - set(',CPTcgpuw')) or
-            len(trust_flags.split(',')) != 3):
+        trust_flags = options.trust_flags.split(',')
+        if (set(options.trust_flags) - set(',CPTcgpuw') or
+                len(trust_flags) not in [3, 4]):
            raise admintool.ScriptError("Invalid trust flags")

-        trust_flags = parse_trust_flags(trust_flags)
+        extra_flags = trust_flags[3:]
+        extra_usages = set()
+        if extra_flags:
+            if 'C' in extra_flags[0]:
+                extra_usages.add(x509.EKU_PKINIT_KDC)
+            if 'T' in extra_flags[0]:
+                extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)
+
+        trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
+        trust_flags = TrustFlags(trust_flags.has_key,
+                                 trust_flags.trusted,
+                                 trust_flags.ca,
+                                 trust_flags.usages | extra_usages)

        try:
            certstore.put_ca_cert_nss(