author | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
commit | 5a96618f5d31b21b983076ccc4c480561a7ccb2a (patch) | |
tree | ecc32810d350b0d871cb18c4eb07f989b4b5b879 /ipa-server/ipaserver/certs.py | |
parent | 25057816a560064298357d29228c5a4e01466b7c (diff) | |
Use file to store the current CA serial number
No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix a number of bugs in ipa-replica-install and prepare
Produce status output during replica creation
Diffstat (limited to 'ipa-server/ipaserver/certs.py')
-rw-r--r-- | ipa-server/ipaserver/certs.py | 53 |
1 files changed, 46 insertions, 7 deletions
diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index b39cf2244..30568e6e4 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -19,6 +19,7 @@
 import os, stat, subprocess, re
 import sha
+import errno
 from ipa import ipautil
@@ -42,7 +43,7 @@ class CertDB(object):
 # responsibility of the caller for now. In the
 # future we might automatically determine this
 # for a given db.
- self.cur_serial = 1000
+ self.cur_serial = -1
 self.cacert_name = "CA certificate"
 self.valid_months = "120"
@@ -57,10 +58,40 @@ class CertDB(object):
 self.uid = mode[stat.ST_UID]
 self.gid = mode[stat.ST_GID]
+ def set_serial_from_pkcs12(self):
+ """A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
+
+ self.cur_serial = self.find_cacert_serial()
+ try:
+ f=open("/usr/share/ipa/serial","w")
+ f.write(str(self.cur_serial))
+ f.close()
+ except IOError, e:
+ raise RuntimeError("Unable to increment serial number: %s" % str(e))
+
+
 def next_serial(self):
- r = self.cur_serial
- self.cur_serial += 1
- return str(r)
+ try:
+ f=open("/usr/share/ipa/serial","r")
+ r = f.readline()
+ self.cur_serial = int(r) + 1
+ f.close()
+ except IOError, e:
+ if e.errno == errno.ENOENT:
+ self.cur_serial = 1000
+ f=open("/usr/share/ipa/serial","w")
+ f.write(str(self.cur_serial))
+ f.close()
+ else:
+ raise RuntimeError("Unable to determine serial number: %s" % str(e))
+
+ try:
+ f=open("/usr/share/ipa/serial","w")
+ f.write(str(self.cur_serial))
+ f.close()
+ except IOError, e:
+ raise RuntimeError("Unable to increment serial number: %s" % str(e))
+
+ return str(self.cur_serial)
 def set_perms(self, fname, write=False):
 os.chown(fname, self.uid, self.gid)
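Review bot: next_serial reads, increments and rewrites /usr/share/ipa/serial with no lock, so two concurrent callers can both read the same value and be handed duplicate serial numbers, which X.509 requires to be unique per issuer; the empty-file case also escapes the IOError handler, because `int(r)` raises ValueError when the file exists but is empty or was truncated by an interrupted write. The ENOENT branch then writes the file a second time in the try block that follows, and the path is spelled out three times in this hunk (set_serial_from_pkcs12 included). I would hold an exclusive fcntl.flock on a single descriptor across the whole read-modify-write, treat an empty read the same as a missing file, and keep the path in one class attribute that set_serial_from_pkcs12 uses as well; that needs `import fcntl` next to the `import errno` added in the first hunk. Separately, /usr/share is meant for static, architecture-independent data, so a mutable counter belongs under /var/lib — worth a `# TODO: move serial state out of /usr/share` if the path cannot move now.
```python
    SERIAL_FNAME = "/usr/share/ipa/serial"

    def next_serial(self):
        # One descriptor, opened read/write and created if missing, held
        # under an exclusive lock for the whole read-modify-write so two
        # concurrent callers cannot be handed the same serial number.
        try:
            fd = os.open(self.SERIAL_FNAME, os.O_RDWR | os.O_CREAT)
        except OSError, e:
            raise RuntimeError("Unable to determine serial number: %s" % str(e))
        f = os.fdopen(fd, "r+")
        try:
            fcntl.flock(f.fileno(), fcntl.LOCK_EX)
            r = f.readline().strip()
            if r:
                self.cur_serial = int(r) + 1
            else:
                # Missing or empty file: start the sequence at 1000
                self.cur_serial = 1000
            f.seek(0)
            f.truncate()
            f.write(str(self.cur_serial))
        except (IOError, ValueError), e:
            raise RuntimeError("Unable to increment serial number: %s" % str(e))
        finally:
            f.close()  # also releases the lock
        return str(self.cur_serial)
```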
@@ -75,7 +106,7 @@ class CertDB(object):
 def run_certutil(self, args, stdin=None):
 new_args = ["/usr/bin/certutil", "-d", self.secdir]
 new_args = new_args + args
- ipautil.run(new_args, stdin)
+ return ipautil.run(new_args, stdin)
 def run_signtool(self, args, stdin=None):
 new_args = ["/usr/bin/signtool", "-d", self.secdir]
@@ -139,6 +170,16 @@ class CertDB(object):
 "-t", "CT,,C", "-a", "-i", cacert_fname])
+
+ def find_cacert_serial(self):
+ (out,err) = self.run_certutil(["-L", "-n", self.cacert_name])
+ data = out.split('\n')
+ for line in data:
+ x = re.match(r'\s+Serial Number: (\d+) .*', line)
+ if x is not None:
+ return x.group(1)
+
+ raise RuntimeError("Unable to find serial number")
 def create_server_cert(self, nickname, name, other_certdb=None):
 cdb = other_certdb
@@ -330,5 +371,3 @@ class CertDB(object):
 sysrestore.backup_file(self.pin_fname)
 sysrestore.backup_file(self.certreq_fname)
 sysrestore.backup_file(self.certder_fname)
-
- |
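Review bot: find_cacert_serial returns the regex match as a string, so after set_serial_from_pkcs12 assigns it self.cur_serial holds a str while next_serial stores an int; `return int(x.group(1))` keeps the attribute's type consistent and fails loudly on anything that is not a number. The pattern also hard-codes one rendering of certutil's output (`Serial Number: <digits> ` with a trailing space), so if the installed certutil prints the serial in any other form the loop falls through to "Unable to find serial number" — worth confirming against the NSS version in use before replica setup depends on it. A short docstring would help, e.g. `"""Return the CA certificate's serial number as printed by certutil -L, or raise RuntimeError if none is found."""`. The method relies on run_certutil now returning ipautil.run's (out, err) tuple, which the first hunk on this line adds.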