authorEndi S. Dewata <edewata@redhat.com>2015-12-12 04:10:54 +0100
committerMatthew Harmsen <mharmsen@pki.usersys.redhat.com>2016-02-22 20:19:47 -0700
commit2f7b4ce93db7df6985b1df8136c1af8132d8a962 (patch)
tree130ef68348d6385943c73e3c2fc737859f07791e
parent71d4bc1b5b73c34622adfacf3105d2fc8feb1aa1 (diff)
Fixed external CA case for IPA compatibility.
The installation code for external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
-rw-r--r--base/common/python/pki/nss.py8
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py7
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py10
-rwxr-xr-xbase/server/sbin/pkispawn23
4 files changed, 40 insertions, 8 deletions
diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nss.py
index 196fe462f..67fd90b4c 100644
--- a/base/common/python/pki/nss.py
+++ b/base/common/python/pki/nss.py
@@ -43,9 +43,13 @@ def convert_data(data, input_format, output_format, header=None, footer=None):
if input_format == 'base64' and output_format == 'pem':
- # split a single line into multiple lines
- data = data.rstrip('\r\n')
+ # join base-64 data into a single line
+ data = data.replace('\r', '').replace('\n', '')
+
+ # re-split the line into fixed-length lines
lines = [data[i:i+64] for i in range(0, len(data), 64)]
+
+ # add header and footer
return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer)
if input_format == 'pem' and output_format == 'base64':
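Review bot: The base64-to-PEM branch removes only `\r` and `\n`, so spaces or tabs in the input (indented or copy-pasted certificate data) stay in the payload and are re-split into the 64-character lines, producing PEM that a strict parser may reject. Stripping all whitespace covers this case as well: `data = ''.join(data.split())`. Separately, `header` and `footer` default to `None` in the signature shown in the hunk header, and the `'%s\n%s\n%s\n'` format would then emit the literal text `None` as the armor lines; a guard such as `if header is None or footer is None: raise ValueError('header and footer are required for PEM output')` would fail loudly instead. The rest of `convert_data` lies outside the hunk, so callers may already always pass both values.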
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f349b74da..e8591398d 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -488,15 +488,18 @@ class ConfigurationFile:
# generic extension support in CSR - for external CA
self.add_req_ext = config.str2bool(
self.mdict['pki_req_ext_add'])
+
self.external = config.str2bool(self.mdict['pki_external'])
+ self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two'])
+ self.external_step_two = not self.external_step_one
+
if self.external:
# generic extension support in CSR - for external CA
if self.add_req_ext:
self.req_ext_oid = self.mdict['pki_req_ext_oid']
self.req_ext_critical = self.mdict['pki_req_ext_critical']
self.req_ext_data = self.mdict['pki_req_ext_data']
- self.external_step_two = config.str2bool(
- self.mdict['pki_external_step_two'])
+
self.skip_configuration = config.str2bool(
self.mdict['pki_skip_configuration'])
self.standalone = config.str2bool(self.mdict['pki_standalone'])
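Review bot: `external_step_one` is now computed outside the `if self.external:` branch, so it is True for every deployment where `pki_external_step_two` is false, including ordinary non-external installs. The callers in this commit always test `external and step_one` together, but a later caller that checks the flag alone would treat a normal install as an unfinished step-one install. A comment above the two assignments would make the contract explicit, for example `# external_step_one/external_step_two are only meaningful when self.external is True`. The read of `self.mdict['pki_external_step_two']` also became unconditional, so presumably the key must be present in every deployment's mdict; the enclosing method starts and ends outside the hunk.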
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 6539de8e1..ba8cff68e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -93,9 +93,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
token = deployer.mdict['pki_token_name']
nssdb = instance.open_nssdb(token)
- external = config.str2bool(deployer.mdict['pki_external'])
- step_one = not config.str2bool(deployer.mdict['pki_external_step_two'])
- step_two = not step_one
+ external = deployer.configuration_file.external
+ step_one = deployer.configuration_file.external_step_one
+ step_two = deployer.configuration_file.external_step_two
try:
if external and step_one: # external/existing CA step 1
@@ -141,6 +141,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
subsystem.config['ca.signing.certreq'] = signing_csr
+ # This is needed by IPA to detect step 1 completion.
+ # See is_step_one_done() in ipaserver/install/cainstance.py.
+ subsystem.config['preop.ca.type'] = 'otherca'
+
subsystem.save()
elif external and step_two: # external/existing CA step 2
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index fb5a61a8f..3b09e0f20 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -611,7 +611,13 @@ def main(argv):
config.pki_log.debug(pkilogging.log_format(parser.mdict),
extra=config.PKI_INDENTATION_LEVEL_0)
- print_install_information(parser.mdict)
+ external = deployer.configuration_file.external
+ step_one = deployer.configuration_file.external_step_one
+
+ if external and step_one:
+ print_step_one_information(parser.mdict)
+ else:
+ print_install_information(parser.mdict)
def set_port(parser, tag, prompt, existing_data):
@@ -621,6 +627,21 @@ def set_port(parser, tag, prompt, existing_data):
parser.read_text(prompt, config.pki_subsystem, tag)
+def print_step_one_information(mdict):
+
+ print(log.PKI_SPAWN_INFORMATION_HEADER)
+ print(" The %s subsystem of the '%s' instance is still incomplete." %
+ (config.pki_subsystem, mdict['pki_instance_name']))
+ print()
+ print(" A CSR for the CA certificate has been generated at:\n"
+ " %s"
+ % mdict['pki_external_csr_path'])
+ print()
+ print(" Submit the CSR to an external CA to generate a CA certificate\n"
+ " for this subsystem.")
+ print(log.PKI_SPAWN_INFORMATION_FOOTER)
+
+
def print_install_information(mdict):
skip_configuration = config.str2bool(mdict['pki_skip_configuration'])
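Review bot: `print_step_one_information` has no docstring, and its summary ends at "Submit the CSR" without telling the operator how the installation is resumed. A docstring such as `"""Print the step-one summary for an external CA install: the CSR location and the next action."""` would document it, and a closing line naming the `pki_external_step_two` setting would tell the operator how the second run is triggered once the signed certificate is available. `mdict['pki_external_csr_path']` is indexed directly, so a missing key would raise `KeyError` after the CSR has already been written; whether the key is always populated cannot be seen from this hunk. `print_install_information` continues outside the hunk.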