author | Jan Cholasta <jcholast@redhat.com> | 2014-04-14 12:13:12 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 61159b7ff2b92d40bad3a6084a249f5c51b07a48 (patch) | |
tree | 4a18c0b87b4eb4f96e882205a9e9e98e6f6aa9c2 /install | |
parent | 7086183519bd82ef1e277ceb3ee45438c6695159 (diff) | |
Check that renewed certificates coming from LDAP are actually renewed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2ff90494c..4f0b78acc 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -210,6 +210,21 @@ def retrieve_cert():
     """
     Retrieve new certificate from LDAP.
     """
+    operation = os.environ.get('CERTMONGER_OPERATION')
+    if operation == 'SUBMIT':
+        attempts = 0
+    elif operation == 'POLL':
+        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
+        if not cookie:
+            return (UNCONFIGURED, "Cookie not provided")
+
+        try:
+            attempts = int(cookie)
+        except ValueError:
+            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+    else:
+        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
+
     csr = os.environ.get('CERTMONGER_CSR')
     if not csr:
         return (UNCONFIGURED, "Certificate request not provided")
@@ -218,6 +233,11 @@ def retrieve_cert():
     if not nickname:
         return (REJECTED, "No friendly name in the certificate request")
 
+    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
+    if not old_cert:
+        return (REJECTED, "New certificate requests not supported")
+    old_cert = x509.normalize_certificate(old_cert)
+
     syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
 
     with ldap_connect() as conn:
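Review bot: `attempts = int(cookie)` in the POLL branch accepts negative and arbitrarily large values, so a cookie such as `-9999` defeats the `attempts < 4` cutoff applied later in retrieve_cert and keeps the helper polling indefinitely; reject out-of-range values next to the ValueError case, e.g. `if attempts < 0: return (UNCONFIGURED, "Invalid cookie: %r" % cookie)`. The cookie is whatever this helper itself handed back to certmonger on the previous call, so this is a defensive check rather than a remote-input concern, but the helper should not trust its persisted state blindly. The cookie's meaning is also not obvious from the code; a comment above the `operation` check would help: `# The CA cookie carries the number of polls made so far; SUBMIT starts fresh.` retrieve_cert's body continues past this hunk.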
@@ -227,13 +247,19 @@ def retrieve_cert():
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
                 ['usercertificate'])
         except errors.NotFound:
-            syslog.syslog(
-                syslog.LOG_INFO,
-                "Updated certificate for %s not available" % nickname)
-            # No cert available yet, tell certmonger to wait another 8 hours
-            return (WAIT_WITH_DELAY, 8 * 60 * 60)
+            cert = old_cert
+        else:
+            cert = entry.single_value['usercertificate']
+
+        if cert == old_cert:
+            attempts += 1
+            if attempts < 4:
+                syslog.syslog(
+                    syslog.LOG_INFO,
+                    "Updated certificate for %s not available" % nickname)
+                # No cert available yet, tell certmonger to wait another 8 hours
+                return (WAIT_WITH_DELAY, 8 * 60 * 60, attempts)
 
-        cert = entry.single_value['usercertificate']
         cert = base64.b64encode(cert)
         cert = x509.make_pem(cert)
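Review bot: When `cert == old_cert` and `attempts` has reached 4, control falls through to `base64.b64encode(cert)` and the unchanged old certificate is handed back to certmonger as the retrieved one, with no log entry that polling was abandoned, so an operator sees a completed renewal that installed the same certificate. Unless this silent re-issue is intended, log it before falling through, e.g. `syslog.syslog(syslog.LOG_WARNING, "Updated certificate for %s still not available, giving up" % nickname)`, or return an error status so certmonger reports the failure instead. Separately, if the ca_renewal entry exists but carries no usercertificate value, `entry.single_value['usercertificate']` presumably yields None (or raises), which is not equal to old_cert and reaches b64encode unguarded; this was reachable before the change as well, but the new `else:` branch is the natural place for a None check. The hunk's line counts suggest one context line is missing from this page, and retrieve_cert continues beyond it.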