authorEndi S. Dewata <edewata@redhat.com>2016-05-11 19:33:51 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-12 17:32:55 +0200
commitb5b2ea7762b2fb3a7248aa779ce4f4ebd1e7ef9b (patch)
treec26d8b8c10057c4361e155dca2441a6ea6b8d882 /base/common/python
parentd39e24e48c74e31e2232768040b264d372e1fe76 (diff)
Fixed missing CSR extensions for external CA case.
The deployment tool has been modified to generate a CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. https://fedorahosted.org/pki/ticket/2312
Diffstat (limited to 'base/common/python')
-rw-r--r--base/common/python/pki/nssdb.py50
1 files changed, 48 insertions, 2 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 30b1d4793..7908461b1 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -169,7 +169,10 @@ class NSSDatabase(object):
def create_request(self, subject_dn, request_file, noise_file=None,
key_type=None, key_size=None, curve=None,
- hash_alg=None):
+ hash_alg=None,
+ basic_constraints_ext=None,
+ key_usage_ext=None):
+
tmpdir = tempfile.mkdtemp()
try:
@@ -185,6 +188,8 @@ class NSSDatabase(object):
binary_request_file = os.path.join(tmpdir, 'request.bin')
+ keystroke = ''
+
cmd = [
'certutil',
'-R',
@@ -213,8 +218,49 @@ class NSSDatabase(object):
if hash_alg:
cmd.extend(['-Z', hash_alg])
+ if key_usage_ext:
+
+ cmd.extend(['--keyUsage'])
+
+ usages = []
+ for usage in key_usage_ext:
+ if key_usage_ext[usage]:
+ usages.append(usage)
+
+ cmd.extend([','.join(usages)])
+
+ if basic_constraints_ext:
+
+ cmd.extend(['-2', hash_alg])
+
+ # Is this a CA certificate [y/N]?
+ if basic_constraints_ext['ca']:
+ keystroke += 'y'
+
+ keystroke += '\n'
+
+ # Enter the path length constraint, enter to skip [<0 for unlimited path]:
+ if basic_constraints_ext['path_length'] is not None:
+ keystroke += basic_constraints_ext['path_length']
+
+ keystroke += '\n'
+
+ # Is this a critical extension [y/N]?
+ if basic_constraints_ext['critical']:
+ keystroke += 'y'
+
+ keystroke += '\n'
+
# generate binary request
- subprocess.check_call(cmd)
+ p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT)
+
+ p.communicate(keystroke)
+
+ rc = p.wait()
+
+ if rc:
+ raise Exception('Failed to generate certificate request. RC: %d' % rc)
# encode binary request in base-64
b64_request_file = os.path.join(tmpdir, 'request.b64')
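Review bot: `cmd.extend(['-2', hash_alg])` at the top of the basic-constraints branch hands `hash_alg` to certutil's `-2` flag, which takes no argument, and when `hash_alg` is not given it puts `None` into the argv list so the `Popen` call below is rejected before certutil ever runs; it should read `cmd.extend(['-2'])`. A few lines further down, `keystroke += basic_constraints_ext['path_length']` only works if the caller passes the path length as a string, so `keystroke += str(basic_constraints_ext['path_length'])` would accept an int as well. The failure path discards what `p.communicate(keystroke)` returns even though stderr is merged into stdout, so the raised message could carry certutil's own diagnostic next to the return code, and `rc = p.wait()` is redundant after `communicate()` since `p.returncode` is already set. The bare `Exception` is also harder for callers to handle than a more specific type, if the module has one. create_request starts in the first hunk and continues past the end of this one.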