installutils: remove hardcoded subject DN assumption

`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Fraser Tweedale 2016-11-16 19:31:19 +10:00 committed by Jan Cholasta
parent 324183cd63
commit db6674096c
3 changed files with 12 additions and 6 deletions

View File

@ -109,7 +109,9 @@ def install_check(standalone, replica_config, options):
"--external-ca.")
external_cert_file, external_ca_file = installutils.load_external_cert(
options.external_cert_files, options.subject)
options.external_cert_files,
DN(('CN', 'Certificate Authority'), options.subject)
)
elif options.external_ca:
if cainstance.is_step_one_done():
raise ScriptError(

View File

@ -1095,7 +1095,8 @@ def check_entropy():
except ValueError as e:
root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e)
def load_external_cert(files, subject_base):
def load_external_cert(files, ca_subject):
"""
Load and verify external CA certificate chain from multiple files.
@ -1103,7 +1104,7 @@ def load_external_cert(files, subject_base):
chain formats.
:param files: Names of files to import
:param subject_base: Subject name base for IPA certificates
:param ca_subject: IPA CA subject DN
:returns: Temporary file with the IPA CA certificate and temporary file
with the external CA certificate chain
"""
@ -1117,7 +1118,7 @@ def load_external_cert(files, subject_base):
except RuntimeError as e:
raise ScriptError(str(e))
ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
ca_subject = DN(ca_subject)
ca_nickname = None
cache = {}
for nickname, _trust_flags in nssdb.list_certs():

View File

@ -192,8 +192,6 @@ class CACertManage(admintool.AdminTool):
options = self.options
conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
@ -202,6 +200,11 @@ class CACertManage(admintool.AdminTool):
serialization.PublicFormat.SubjectPublicKeyInfo
)
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files,
DN(('CN', 'Certificate Authority'), x509.subject_base())
)
with open(cert_file.name) as f:
new_cert_data = f.read()
new_cert_der = x509.normalize_certificate(new_cert_data)