authorJan Cholasta <jcholast@redhat.com>2014-02-18 18:14:47 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit35857026e6b96f7db6fc1d81167d75251f4baff1 (patch)
tree31c5cc87efc4905bc4f93362b5a5e8109261c227 /install/certmonger
parentee96533aab8481c1b18ccf895c8a8f8c604e8841 (diff)
Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit49
1 files changed, 47 insertions, 2 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2777c24de..3956b5891 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -110,7 +110,7 @@ def store_cert():
try:
attempts = int(cookie)
except ValueError:
- return (UNCONFIGURED, "Invalid cookie")
+ return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
@@ -175,7 +175,8 @@ def request_and_store_cert():
state, sep, cookie = cookie.partition(':')
if state not in ('request', 'store'):
- return (UNCONFIGURED, "Invalid cookie")
+ return (UNCONFIGURED,
+ "Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
@@ -271,11 +272,55 @@ def export_csr():
return (ISSUED, cert)
+def renew_ca_cert():
+ """
+ This is used for automatic CA certificate renewal.
+ """
+ cert = os.environ.get('CERTMONGER_CERTIFICATE')
+ if not cert:
+ return (REJECTED, "New certificate requests not supported")
+
+ operation = os.environ.get('CERTMONGER_OPERATION')
+ if operation == 'SUBMIT':
+ state = 'retrieve'
+
+ if x509.is_self_signed(cert):
+ ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ if ca.is_renewal_master():
+ state = 'request'
+ elif operation == 'POLL':
+ cookie = os.environ.get('CERTMONGER_CA_COOKIE')
+ if not cookie:
+ return (UNCONFIGURED, "Cookie not provided")
+
+ state, sep, cookie = cookie.partition(':')
+ if state not in ('retrieve', 'request'):
+ return (UNCONFIGURED,
+ "Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
+
+ os.environ['CERTMONGER_CA_COOKIE'] = cookie
+ else:
+ return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
+
+ if state == 'retrieve':
+ result = retrieve_cert()
+ elif state == 'request':
+ os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
+ result = request_and_store_cert()
+
+ if result[0] == WAIT:
+ return (result[0], '%s:%s' % (state, result[1]))
+ elif result[0] == WAIT_WITH_DELAY:
+ return (result[0], result[1], '%s:%s' % (state, result[2]))
+ else:
+ return result
+
def main():
handlers = {
'ipaStorage': store_cert,
'ipaRetrieval': retrieve_cert,
'ipaCSRExport': export_csr,
+ 'ipaCACertRenewal': renew_ca_cert,
}
api.bootstrap(context='renew')
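Review bot: The docstring of the new renew_ca_cert ("This is used for automatic CA certificate renewal.") does not describe the protocol the handler implements, which a maintainer needs in order to keep the cookie format and the other handlers in sync; I would replace it with one that states the handler runs in one of two states, `retrieve` (fetch the already-renewed CA certificate via `retrieve_cert`) or `request` (issue a new one via `request_and_store_cert` with `CERTMONGER_CA_PROFILE` forced to `caCACert`), that `request` is chosen on SUBMIT only when the current certificate is self-signed and `ca.is_renewal_master()` is true, and that the chosen state is prepended to the certmonger cookie as `state:cookie` and stripped again on POLL before the delegate handler sees it. Two smaller points: the line `os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'` silently overrides whatever profile certmonger was configured with and deserves a why-comment such as `# CA renewal always uses the CA profile, regardless of the profile certmonger passed`; and `result` is assigned only inside the `if state == 'retrieve'` / `elif state == 'request'` chain, so linters will flag it as possibly unbound even though the SUBMIT branch and the POLL validation guarantee one of the two values — a closing `else: return (UNCONFIGURED, "Invalid state: %r" % state)` would make that invariant explicit. Whether `x509.is_self_signed` raises on a malformed `CERTMONGER_CERTIFICATE` is not visible in this hunk; if it does, the exception escapes the helper instead of being reported as a status tuple, which may be worth confirming.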