diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 11:26:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-20 17:24:01 -0500 |
commit | e4470f8165242fba6c5ce477a2eeca0141891701 (patch) | |
tree | 01b9fa763a36cce597c7bc045badcd02fe29523c /ipaserver/plugins/selfsign.py | |
parent | 2955c955acc8fc510c6183b92fb8ca1b29b823e2 (diff) | |
download | freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.gz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.tar.xz freeipa-e4470f8165242fba6c5ce477a2eeca0141891701.zip |
User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Diffstat (limited to 'ipaserver/plugins/selfsign.py')
-rw-r--r-- | ipaserver/plugins/selfsign.py | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py index 7d5dafa7d..af832a610 100644 --- a/ipaserver/plugins/selfsign.py +++ b/ipaserver/plugins/selfsign.py @@ -38,13 +38,18 @@ if api.env.ra_plugin != 'selfsign': from ipalib import Backend from ipalib import errors from ipalib import x509 +from ipalib import pkcs10 import subprocess import os +import re from ipaserver.plugins import rabase from ipaserver.install import certs import tempfile from pyasn1 import error from ipalib.request import ugettext as _ +from pyasn1.codec.der import encoder +import base64 +from ipalib.plugins.cert import get_csr_hostname class ra(rabase.rabase): """ @@ -79,6 +84,28 @@ class ra(rabase.rabase): .. [2] Base64 encoded """ + try: + config = api.Command['config_show']()['result'] + subject_base = config.get('ipacertificatesubjectbase')[0] + hostname = get_csr_hostname(csr) + request = pkcs10.load_certificate_request(csr) + base = re.split(',\s*(?=\w+=)', subject_base) + base.reverse() + base.append("CN=%s" % hostname) + request_subject = request.get_subject().get_components() + new_request = [] + for r in request_subject: + new_request.append("%s=%s" % (r[0], r[1])) + + if str(base).lower() != str(new_request).lower(): + subject_base='CN=%s, %s' % (hostname, subject_base) + new_request.reverse() + raise errors.CertificateOperationError(error=_('Request subject \'%s\' does not match the form \'%s\'' % (", ".join(new_request), subject_base))) + except errors.CertificateOperationError, e: + raise e + except Exception, e: + raise errors.CertificateOperationError(error=_('unable to decode csr: %s' % e)) + # certutil wants the CSR to have have a header and footer. Add one # if it isn't there. s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----') @@ -86,7 +113,7 @@ class ra(rabase.rabase): s = csr.find('-----BEGIN CERTIFICATE REQUEST-----') if s == -1: csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr + \ - '-----END NEW CERTIFICATE REQUEST-----\n' + '\n-----END NEW CERTIFICATE REQUEST-----\n' try: (csr_fd, csr_name) = tempfile.mkstemp() |