#!/usr/bin/python3 from __future__ import print_function import argparse import os from requests import HTTPError from ipalib import constants from ipalib.config import Env from ipaplatform.paths import paths from ipaserver.secrets.client import CustodiaClient def main(): env = Env() env._finalize() parser = argparse.ArgumentParser("ipa-pki-retrieve-key") parser.add_argument("keyname", type=str) parser.add_argument("servername", type=str) args = parser.parse_args() keyname = "ca_wrapped/{}".format(args.keyname) service = constants.PKI_GSSAPI_SERVICE_NAME client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') for filename in [client_keyfile, client_keytab]: if not os.access(filename, os.R_OK): parser.error( "File '{}' missing or not readable.\n".format(filename) ) # pylint: disable=no-member client = CustodiaClient( client_service="{}@{}".format(service, env.host), server=args.servername, realm=env.realm, ldap_uri="ldaps://" + env.host, keyfile=client_keyfile, keytab=client_keytab, ) OID_AES128_CBC = "2.16.840.1.101.3.4.1.2" try: # Initially request a key wrapped using AES128-CBC. # This uses the recent ability to specify additional # parameters to a Custodia resource. path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc resp = client.fetch_key(path, store=False) except HTTPError as e: if e.response.status_code == 404: # The 404 indicates one of two conditions: # # a) The server is an older version that does not support # extra Custodia parameters. We should retry without # specifying an algorithm. # # b) The key does not exist. At this point we cannot # distinguish (a) and (b) but if we retry without # specifying an algorithm, the second attempt will # also fail with status 404. # # So the correct way to handle both scenarios is to # retry without the algorithm parameter. # resp = client.fetch_key(keyname, store=False) else: raise # something else went wrong; re-raise # Print the response JSON to stdout; it is already in the format # that Dogtag's ExternalProcessKeyRetriever expects print(resp) if __name__ == '__main__': main()