csrgen: Support encrypted private keys

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Ben Lipton 2017-02-08 20:56:37 -05:00 committed by Jan Cholasta
parent 4350dcdea2
commit ada91c2058
2 changed files with 15 additions and 4 deletions


@ -3,15 +3,16 @@
{%- endraw %} {%- endraw %}
#!/bin/bash -e #!/bin/bash -e
if [[ $# -ne 2 ]]; then if [[ $# -lt 2 ]]; then
echo "Usage: $0 <outfile> <keyfile>" echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
echo "Called as: $0 $@" echo "Called as: $0 $@"
exit 1 exit 1
fi fi
CONFIG="$(mktemp)" CONFIG="$(mktemp)"
CSR="$1" CSR="$1"
shift KEYFILE="$2"
shift; shift
echo \ echo \
{% raw %}{% filter quote %}{% endraw -%} {% raw %}{% filter quote %}{% endraw -%}
@ -30,5 +31,5 @@ req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall
{{ openssl.openssl_sections|join('\n\n') }} {{ openssl.openssl_sections|join('\n\n') }}
{% endfilter %}{%- endraw %} > "$CONFIG" {% endfilter %}{%- endraw %} > "$CONFIG"
openssl req -new -config "$CONFIG" -out "$CSR" -key $1 openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
rm "$CONFIG" rm "$CONFIG"
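Review bot: The trailing `rm "$CONFIG"` is skipped whenever the `openssl req` call above it fails, because the script runs under `bash -e`; with the new `"$@"` pass-through a rejected extra argument or a wrong key passphrase makes that exit path more likely, leaving the rendered config file in the temp directory. Registering the cleanup right after the file is created, `trap 'rm -f "$CONFIG"' EXIT`, and dropping the final `rm` line covers both the success and the failure exit. Callers should keep supplying the passphrase through `-passin file:...` rather than `pass:...`, since every argument is visible in the process list and is also echoed verbatim by the `Called as:` usage line.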


@ -51,6 +51,11 @@ class cert_request(MethodOverride):
label=_('Path to private key file'), label=_('Path to private key file'),
doc=_('Path to PEM file containing a private key'), doc=_('Path to PEM file containing a private key'),
), ),
Str(
'password_file?',
label=_(
'File containing a password for the private key or database'),
),
Str( Str(
'csr_profile_id?', 'csr_profile_id?',
label=_('Name of CSR generation profile (if not the same as' label=_('Name of CSR generation profile (if not the same as'
@ -68,14 +73,19 @@ class cert_request(MethodOverride):
database = options.pop('database', None) database = options.pop('database', None)
private_key = options.pop('private_key', None) private_key = options.pop('private_key', None)
csr_profile_id = options.pop('csr_profile_id', None) csr_profile_id = options.pop('csr_profile_id', None)
password_file = options.pop('password_file', None)
if csr is None: if csr is None:
if database: if database:
helper = u'certutil' helper = u'certutil'
helper_args = ['-d', database] helper_args = ['-d', database]
if password_file:
helper_args += ['-f', password_file]
elif private_key: elif private_key:
helper = u'openssl' helper = u'openssl'
helper_args = [private_key] helper_args = [private_key]
if password_file:
helper_args += ['-passin', 'file:%s' % password_file]
else: else:
raise errors.InvocationError( raise errors.InvocationError(
message=u"One of 'database' or 'private_key' is required") message=u"One of 'database' or 'private_key' is required")
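Review bot: The new `password_file?` parameter in the first hunk carries only a `label=`, while the neighbouring `private_key` parameter directly above it also has a `doc=` string; add e.g. `doc=_('Path to a file containing the password for the private key or NSS database'),` after the label so the option is documented like its siblings. In the second hunk the password reaches both helpers through a file (`-f` for certutil, `-passin file:` for openssl) rather than as a literal on the command line, which keeps it out of the process list. Neither branch checks that `password_file` exists or is readable, so a mistyped path will presumably surface only as a helper error later; raising an `errors.InvocationError` here would give a clearer message, though how helper failures are reported lies outside this hunk. The enclosing method continues past the end of the hunk.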