csrgen: Support encrypted private keys

https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-02-08 20:56:37 -05:00 · 2017-02-08 20:56:37 -05:00 · ada91c2058
commit ada91c2058
parent 4350dcdea2
2 changed files with 15 additions and 4 deletions
--- a/install/share/csrgen/templates/openssl_base.tmpl
+++ b/install/share/csrgen/templates/openssl_base.tmpl
@ -3,15 +3,16 @@
 {%- endraw %}
 #!/bin/bash -e

-if [[ $# -ne 2 ]]; then
-echo "Usage: $0 <outfile> <keyfile>"
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
 echo "Called as: $0 $@"
 exit 1
 fi

 CONFIG="$(mktemp)"
 CSR="$1"
-shift
+KEYFILE="$2"
+shift; shift

 echo \
 {% raw %}{% filter quote %}{% endraw -%}
@ -30,5 +31,5 @@ req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall
 {{ openssl.openssl_sections|join('\n\n') }}
 {% endfilter %}{%- endraw %} > "$CONFIG"

-openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
 rm "$CONFIG"
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@ -51,6 +51,11 @@ class cert_request(MethodOverride):
            label=_('Path to private key file'),
            doc=_('Path to PEM file containing a private key'),
        ),
+        Str(
+            'password_file?',
+            label=_(
+                'File containing a password for the private key or database'),
+        ),
        Str(
            'csr_profile_id?',
            label=_('Name of CSR generation profile (if not the same as'
@ -68,14 +73,19 @@ class cert_request(MethodOverride):
        database = options.pop('database', None)
        private_key = options.pop('private_key', None)
        csr_profile_id = options.pop('csr_profile_id', None)
+        password_file = options.pop('password_file', None)

        if csr is None:
            if database:
                helper = u'certutil'
                helper_args = ['-d', database]
+                if password_file:
+                    helper_args += ['-f', password_file]
            elif private_key:
                helper = u'openssl'
                helper_args = [private_key]
+                if password_file:
+                    helper_args += ['-passin', 'file:%s' % password_file]
            else:
                raise errors.InvocationError(
                    message=u"One of 'database' or 'private_key' is required")