diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-06-08 10:54:41 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-06-21 19:09:50 -0400 |
commit | dd69c7dbe68e8f8674994a54ea913f2dd2e52c32 (patch) | |
tree | 5fdc303354eb26a1d2cd206c81babdc73e8d51b9 /ipaserver/install/cainstance.py | |
parent | 3a36eced53e540fe8f2b23eadf7dffda080324de (diff) | |
download | freeipa-dd69c7dbe68e8f8674994a54ea913f2dd2e52c32.tar.gz freeipa-dd69c7dbe68e8f8674994a54ea913f2dd2e52c32.tar.xz freeipa-dd69c7dbe68e8f8674994a54ea913f2dd2e52c32.zip |
Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 30aa9f525..001e6eb09 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -38,7 +38,7 @@ import stat import socket from ipapython import dogtag from ipapython.certdb import get_ca_nickname -from ipalib import pkcs10 +from ipalib import pkcs10, x509 import subprocess from nss.error import NSPRError @@ -322,7 +322,7 @@ class CADSInstance(service.Service): # We only handle one server cert self.nickname = server_certs[0][0] - self.dercert = dsdb.get_cert_from_db(self.nickname) + self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname) def create_certdb(self): @@ -721,13 +721,6 @@ class CAInstance(service.Service): # TODO: roll back here? logging.critical("Failed to restart the certificate server. See the installation log for details.") - def __get_agent_cert(self, nickname): - args = ["/usr/bin/certutil", "-L", "-d", self.ca_agent_db, "-n", nickname, "-a"] - (out, err, returncode) = ipautil.run(args) - out = out.replace('-----BEGIN CERTIFICATE-----', '') - out = out.replace('-----END CERTIFICATE-----', '') - return out - def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted (admin_fd, admin_name) = tempfile.mkstemp() @@ -801,8 +794,7 @@ class CAInstance(service.Service): self.ra_cert = outputList['b64_cert'] self.ra_cert = self.ra_cert.replace('\\n','') - self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','') - self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','') + self.ra_cert = x509.strip_header(self.ra_cert) # Add the new RA cert to the database in /etc/httpd/alias (agent_fd, agent_name) = tempfile.mkstemp() |