diff options
author | Endi S. Dewata <edewata@redhat.com> | 2015-12-12 04:10:54 +0100 |
---|---|---|
committer | Matthew Harmsen <mharmsen@pki.usersys.redhat.com> | 2016-02-22 20:19:47 -0700 |
commit | 2f7b4ce93db7df6985b1df8136c1af8132d8a962 (patch) | |
tree | 130ef68348d6385943c73e3c2fc737859f07791e | |
parent | 71d4bc1b5b73c34622adfacf3105d2fc8feb1aa1 (diff) | |
download | pki-2f7b4ce93db7df6985b1df8136c1af8132d8a962.tar.gz pki-2f7b4ce93db7df6985b1df8136c1af8132d8a962.tar.xz pki-2f7b4ce93db7df6985b1df8136c1af8132d8a962.zip |
Fixed external CA case for IPA compatibility.
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
-rw-r--r-- | base/common/python/pki/nss.py | 8 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 7 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 10 | ||||
-rwxr-xr-x | base/server/sbin/pkispawn | 23 |
4 files changed, 40 insertions, 8 deletions
diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nss.py index 196fe462f..67fd90b4c 100644 --- a/base/common/python/pki/nss.py +++ b/base/common/python/pki/nss.py @@ -43,9 +43,13 @@ def convert_data(data, input_format, output_format, header=None, footer=None): if input_format == 'base64' and output_format == 'pem': - # split a single line into multiple lines - data = data.rstrip('\r\n') + # join base-64 data into a single line + data = data.replace('\r', '').replace('\n', '') + + # re-split the line into fixed-length lines lines = [data[i:i+64] for i in range(0, len(data), 64)] + + # add header and footer return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer) if input_format == 'pem' and output_format == 'base64': diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index f349b74da..e8591398d 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -488,15 +488,18 @@ class ConfigurationFile: # generic extension support in CSR - for external CA self.add_req_ext = config.str2bool( self.mdict['pki_req_ext_add']) + self.external = config.str2bool(self.mdict['pki_external']) + self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two']) + self.external_step_two = not self.external_step_one + if self.external: # generic extension support in CSR - for external CA if self.add_req_ext: self.req_ext_oid = self.mdict['pki_req_ext_oid'] self.req_ext_critical = self.mdict['pki_req_ext_critical'] self.req_ext_data = self.mdict['pki_req_ext_data'] - self.external_step_two = config.str2bool( - self.mdict['pki_external_step_two']) + self.skip_configuration = config.str2bool( self.mdict['pki_skip_configuration']) self.standalone = config.str2bool(self.mdict['pki_standalone']) diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 6539de8e1..ba8cff68e 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -93,9 +93,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): token = deployer.mdict['pki_token_name'] nssdb = instance.open_nssdb(token) - external = config.str2bool(deployer.mdict['pki_external']) - step_one = not config.str2bool(deployer.mdict['pki_external_step_two']) - step_two = not step_one + external = deployer.configuration_file.external + step_one = deployer.configuration_file.external_step_one + step_two = deployer.configuration_file.external_step_two try: if external and step_one: # external/existing CA step 1 @@ -141,6 +141,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr + # This is needed by IPA to detect step 1 completion. + # See is_step_one_done() in ipaserver/install/cainstance.py. + subsystem.config['preop.ca.type'] = 'otherca' + subsystem.save() elif external and step_two: # external/existing CA step 2 diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index fb5a61a8f..3b09e0f20 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -611,7 +611,13 @@ def main(argv): config.pki_log.debug(pkilogging.log_format(parser.mdict), extra=config.PKI_INDENTATION_LEVEL_0) - print_install_information(parser.mdict) + external = deployer.configuration_file.external + step_one = deployer.configuration_file.external_step_one + + if external and step_one: + print_step_one_information(parser.mdict) + else: + print_install_information(parser.mdict) def set_port(parser, tag, prompt, existing_data): @@ -621,6 +627,21 @@ def set_port(parser, tag, prompt, existing_data): parser.read_text(prompt, config.pki_subsystem, tag) +def print_step_one_information(mdict): + + print(log.PKI_SPAWN_INFORMATION_HEADER) + print(" The %s subsystem of the '%s' instance is still incomplete." % + (config.pki_subsystem, mdict['pki_instance_name'])) + print() + print(" A CSR for the CA certificate has been generated at:\n" + " %s" + % mdict['pki_external_csr_path']) + print() + print(" Submit the CSR to an external CA to generate a CA certificate\n" + " for this subsystem.") + print(log.PKI_SPAWN_INFORMATION_FOOTER) + + def print_install_information(mdict): skip_configuration = config.str2bool(mdict['pki_skip_configuration']) |