authorJan Cholasta <jcholast@redhat.com>2013-10-16 17:37:10 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-03-25 16:54:56 +0100
commitcf6edf4a92f030aea84187fbf3c1e2407a42b159 (patch)
tree2bf83f9a26a96f60f5d8809a57d4fe72f71b4231 /install/certmonger
parent5bf373b59454340130446a64b862caa368459bbb (diff)
Support exporting CSRs in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit27
1 files changed, 27 insertions, 0 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index e39da4a21..57eb4e584 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -244,10 +244,37 @@ def retrieve_cert():
return (ISSUED, cert)
+def export_csr():
+ """
+ This does not actually renew the cert, it just writes the CSR provided
+ by certmonger to /var/lib/ipa/ca.csr and returns the existing cert.
+ """
+ operation = os.environ.get('CERTMONGER_OPERATION')
+ if operation != 'SUBMIT':
+ return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
+
+ csr = os.environ.get('CERTMONGER_CSR')
+ if not csr:
+ return (UNCONFIGURED, "Certificate request not provided")
+
+ cert = os.environ.get('CERTMONGER_CERTIFICATE')
+ if not cert:
+ return (REJECTED, "New certificate requests not supported")
+
+ csr_file = '/var/lib/ipa/ca.csr'
+ try:
+ with open(csr_file, 'wb') as f:
+ f.write(csr)
+ except Exception, e:
+ return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
+
+ return (ISSUED, cert)
+
def main():
handlers = {
'ipaStorage': store_cert,
'ipaRetrieval': retrieve_cert,
+ 'ipaCSRExport': export_csr,
}
api.bootstrap(context='renew')
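Review bot: In `export_csr`, opening `/var/lib/ipa/ca.csr` with `'wb'` truncates any previously exported CSR before the new one is written, so a failed or interrupted write leaves an empty or partial file at the path that other tooling presumably reads. Writing to a temporary file in the same directory and renaming it over the target would let readers see either the previous CSR or the complete new one. The file mode is also left to the process umask; setting it explicitly would make the intended readers of this file visible in the code. The catch-all `except Exception` reports every failure as UNREACHABLE, which looks deliberate but deserves a short comment saying that certmonger is expected to retry.

```python
    csr_file = '/var/lib/ipa/ca.csr'
    tmp_file = csr_file + '.new'
    try:
        with open(tmp_file, 'wb') as f:
            f.write(csr)
            f.flush()
            os.fsync(f.fileno())
        # rename() is atomic within one filesystem: readers see either the
        # previous CSR or the complete new one, never a partial write
        os.rename(tmp_file, csr_file)
    except Exception, e:
        return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
    # … unchanged: return (ISSUED, cert) …
```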