From db6674096c598918ea6b12ca33a96cf5e617a434 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 16 Nov 2016 19:31:19 +1000
Subject: [PATCH] installutils: remove hardcoded subject DN assumption

`installutils.load_external_cert` assumes that the IPA CA subject DN is `CN=Certificate Authority, {subject_base}`. In preparation for full customisability of IPA CA subject DN, push this assumption out of this function to call sites (which will be updated in a subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta
---
 ipaserver/install/ca.py | 4 +++-
 ipaserver/install/installutils.py | 7 ++++---
 ipaserver/install/ipa_cacert_manage.py | 7 +++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 820c6eebc..56f6692c8 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -109,7 +109,9 @@ def install_check(standalone, replica_config, options):
                 "--external-ca.")
 
         external_cert_file, external_ca_file = installutils.load_external_cert(
-            options.external_cert_files, options.subject)
+            options.external_cert_files,
+            DN(('CN', 'Certificate Authority'), options.subject)
+        )
     elif options.external_ca:
         if cainstance.is_step_one_done():
             raise ScriptError(
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index e7fd69fcd..21cf4c107 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1095,7 +1095,8 @@ def check_entropy():
     except ValueError as e:
         root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e)
 
-def load_external_cert(files, subject_base):
+
+def load_external_cert(files, ca_subject):
     """
     Load and verify external CA certificate chain from multiple files.
 
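Review bot: The new call builds `DN(('CN', 'Certificate Authority'), options.subject)` inline, but nothing in this hunk brings `DN` into scope in ca.py and the diffstat shows no other change to that file, so this only works if `DN` is already imported there — worth confirming before merge. The same literal is repeated in the ipa_cacert_manage.py hunk, so the "Certificate Authority" CN is now hardcoded at two call sites instead of one; a single shared module-level constant or small helper would keep the two in step until the follow-up commit makes the subject configurable. install_check continues outside the hunk.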
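Review bot: Renaming the second positional parameter from `subject_base` to `ca_subject` changes its meaning without changing its position, and because the function now wraps whatever it receives in `DN(...)`, a caller still passing a subject base is accepted and presumably fails only later when no certificate matches, rather than with a clear argument error. The `:param` line in the next hunk should spell out the contract, e.g. `:param ca_subject: full subject DN of the IPA CA (anything DN() accepts); the subject base alone is not sufficient`. The body of load_external_cert continues outside this hunk.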
@@ -1103,7 +1104,7 @@ def load_external_cert(files, subject_base):
     chain formats.
 
     :param files: Names of files to import
-    :param subject_base: Subject name base for IPA certificates
+    :param ca_subject: IPA CA subject DN
     :returns: Temporary file with the IPA CA certificate and temporary file
         with the external CA certificate chain
     """
@@ -1117,7 +1118,7 @@ def load_external_cert(files, subject_base):
     except RuntimeError as e:
         raise ScriptError(str(e))
 
-    ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+    ca_subject = DN(ca_subject)
     ca_nickname = None
     cache = {}
     for nickname, _trust_flags in nssdb.list_certs():
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 5a278f434..4082dfa4e 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -192,8 +192,6 @@ class CACertManage(admintool.AdminTool):
         options = self.options
         conn = api.Backend.ldap2
 
-        cert_file, ca_file = installutils.load_external_cert(
-            options.external_cert_files, x509.subject_base())
 
         old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
         old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
@@ -202,6 +200,11 @@ class CACertManage(admintool.AdminTool):
             serialization.PublicFormat.SubjectPublicKeyInfo
         )
 
+        cert_file, ca_file = installutils.load_external_cert(
+            options.external_cert_files,
+            DN(('CN', 'Certificate Authority'), x509.subject_base())
+        )
+
         with open(cert_file.name) as f:
             new_cert_data = f.read()
         new_cert_der = x509.normalize_certificate(new_cert_data)
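Review bot: The moved `load_external_cert` call in the second ipa_cacert_manage.py hunk still derives the expected CA subject from `x509.subject_base()` even though the installed CA certificate has just been parsed into `old_cert_obj` and `old_der_subject` a few lines above; if the installed CA's subject ever differs from `CN=Certificate Authority, <subject base>` — the situation the commit message says this series prepares for — the lookup will not find the renewed certificate. Deriving the expected subject from the old certificate's own subject would make this call site robust to that change; since the commit message defers it, at minimum a `# TODO: derive expected subject from the installed CA certificate` marker next to the `DN(...)` argument would record the intent. As in ca.py, `DN` must already be in scope in this module, which the hunk does not show. Judging by the line counts of the first ipa_cacert_manage.py hunk, the removal also leaves two consecutive blank lines after `conn = api.Backend.ldap2`; one of them could go. The enclosing method starts outside the hunk.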