authorSimo Sorce <ssorce@redhat.com>2010-10-29 16:23:21 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:36 -0500
commit52a46d121bf760f6beca4622ace0a4554a679c3c (patch)
tree550a2bddf9ab3848da9ab33ca73529060b9e4c68 /ipaserver/install/certs.py
parent74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (diff)
Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r--ipaserver/install/certs.py88
1 files changed, 84 insertions, 4 deletions
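diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index d4728b80e..3fa65207c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -180,6 +180,7 @@ class CertDB(object):
 self.certreq_fname = None
 self.certder_fname = None
 self.host_name = host_name
+self.subject_base = subject_base
 try:
 self.cwd = os.getcwd()
 except OSError, e:
@@ -187,10 +188,9 @@ class CertDB(object):
 self.self_signed_ca = ipa_self_signed()
-if subject_base:
-self.subject_format = "CN=%%s,%s" % subject_base
-else:
-self.subject_format = "CN=%s,O=IPA"
+if not subject_base:
+self.subject_base = "O=IPA"
+self.subject_format = "CN=%%s,%s" % self.subject_base
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
@@ -937,6 +937,86 @@ class CertDB(object):
 except:
 pass
+def create_kdc_cert(self, nickname, hostname, destdir):
+"""Create a new certificate with the spcial othername encoding needed
+by a KDC certificate.
+
+nickname: the CN name set in the certificate
+destdir: the location where cert and key are to be installed
+
+destdir will contain kdc.pem if the operation is successful
+"""
+
+reqcfg = "kdc_req.conf"
+extcfg = ipautil.SHARE_DIR + "kdc_extensions.template"
+key_fname = destdir + "/kdckey.pem"
+cert_fname = destdir + "/kdccert.pem"
+key_cert_fname = destdir + "/kdc.pem"
+
+# Setup the temp dir
+self.setup_cert_request()
+
+# Copy the CA password file because openssl apparently can't use
+# the same file twice within the same command and throws an error
+ca_pwd_file = self.reqdir + "pwdfile.txt"
+shutil.copyfile(self.passwd_fname, ca_pwd_file)
+
+# Extract the cacert.pem file used by openssl to sign the certs
+ipautil.run(["/usr/bin/openssl", "pkcs12",
+"-in", self.pk12_fname,
+"-passin", "file:" + self.passwd_fname,
+"-passout", "file:" + ca_pwd_file,
+"-out", "cacert.pem"])
+
+# Create the kdc key
+ipautil.run(["/usr/bin/openssl", "genrsa",
+"-out", key_fname, "2048"])
+
+# Prepare a simple cert request
+req_dict = dict(PASSWORD=self.gen_password(),
+SUBJBASE=self.subject_base,
+CERTNAME="CN="+nickname)
+req_template = ipautil.SHARE_DIR + reqcfg + ".template"
+conf = ipautil.template_file(req_template, req_dict)
+fd = open(reqcfg, "w+")
+fd.write(conf)
+fd.close()
+
+base = self.subject_base.replace(",", "/")
+esc_subject = "CN=%s/%s" % (nickname, base)
+
+ipautil.run(["/usr/bin/openssl", "req", "-new",
+"-config", reqcfg,
+"-subj", esc_subject,
+"-key", key_fname,
+"-out", "kdc.req"])
+
+# Finally, sign the cert using the extensions file to set the
+# special name
+ipautil.run(["/usr/bin/openssl", "x509", "-req",
+"-CA", "cacert.pem",
+"-extfile", extcfg,
+"-extensions", "kdc_cert",
+"-passin", "file:" + ca_pwd_file,
+"-set_serial", next_serial(),
+"-in", "kdc.req",
+"-out", cert_fname],
+env = { 'REALM':self.realm, 'HOST_FQDN':hostname })
+
+# Merge key and cert in a single file
+fd = open(key_fname, "r")
+key = fd.read()
+fd.close()
+fd = open(cert_fname, "r")
+cert = fd.read()
+fd.close()
+fd = open(key_cert_fname, "w")
+fd.write(key)
+fd.write(cert)
+fd.close()
+os.unlink(key_fname)
+os.unlink(cert_fname)
+
 def backup_files(self):
 self.fstore.backup_file(self.noise_fname)
 self.fstore.backup_file(self.passwd_fname)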
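Review bot: The merged kdc.pem written at `fd = open(key_cert_fname, "w")` in create_kdc_cert holds the KDC private key but is created with whatever mode the process umask allows, so it can end up group- or world-readable in destdir; the same applies to kdckey.pem produced by `openssl genrsa -out` for the window before it is unlinked. Create the output with owner-only permissions by opening it through `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` and `os.fdopen`, and consider tightening the umask around the `genrsa` call the same way. cacert.pem, produced by the `pkcs12` export and containing the password-protected CA key material, as well as kdc.req and kdc_req.conf, are not removed in this hunk; if the request directory prepared by setup_cert_request is cleaned up elsewhere that may be fine, but it is not visible here. The docstring also misspells "special" as "spcial" and omits the `hostname` parameter, which the x509 step passes to the extensions template as `HOST_FQDN`.

```python
# Merge key and cert in a single file.  The result contains the KDC
# private key, so create it owner-only instead of relying on the umask.
fd = open(key_fname, "r")
key = fd.read()
fd.close()
fd = open(cert_fname, "r")
cert = fd.read()
fd.close()
out = os.open(key_cert_fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
fd = os.fdopen(out, "w")
fd.write(key)
fd.write(cert)
fd.close()
os.unlink(key_fname)
os.unlink(cert_fname)
```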