| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-04-08 22:23:42 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-03 11:42:49 +1000 |
| commit | a2a4117dbc7e489cbb1964d6ce5f95b786a03fde (patch) | |
| tree | 7a8ccedb469915d7755d4a021905664c395f6273 /base/server | |
| parent | 94ee373d053b34e534fbb61826e586693a38c934 (diff) | |
Lightweight CAs: add IPACustodiaKeyRetriever
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
Diffstat (limited to 'base/server')
| -rw-r--r-- | base/server/CMakeLists.txt | 11 | ||||
| -rwxr-xr-x | base/server/libexec/pki-ipa-retrieve-key | 45 |
2 files changed, 56 insertions, 0 deletions
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 5a6aea96a..9e5b27833 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -81,6 +81,17 @@ install(
 install(
 DIRECTORY
+ libexec/
+ DESTINATION
+ ${LIBEXEC_INSTALL_DIR}
+ FILE_PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ DIRECTORY
 upgrade
 DESTINATION
 ${DATA_INSTALL_DIR}/server/
diff --git a/base/server/libexec/pki-ipa-retrieve-key b/base/server/libexec/pki-ipa-retrieve-key
new file mode 100755
index 000000000..8098e534e
--- /dev/null
+++ b/base/server/libexec/pki-ipa-retrieve-key
@@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+from __future__ import print_function
+
+import ConfigParser
+import base64
+import os
+import sys
+
+from jwcrypto.common import json_decode
+
+from ipalib.constants import constants
+from ipaplatform.paths import paths
+from ipapython.secrets.client import CustodiaClient
+
+conf = ConfigParser.ConfigParser()
+conf.read(paths.IPA_DEFAULT_CONF)
+hostname = conf.get('global', 'host')
+realm = conf.get('global', 'realm')
+
+keyname = "ca_wrapped/" + sys.argv[1]
+servername = sys.argv[2]
+
+service = constants.PKI_GSSAPI_SERVICE_NAME
+client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
+client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
+
+client = CustodiaClient(
+ client=hostname, server=servername, realm=realm,
+ ldap_uri="ldaps://" + hostname,
+ client_servicename=service,
+ keyfile=client_keyfile, keytab=client_keytab,
+ )
+
+result_json = client.fetch_key(keyname, store=False)
+result = json_decode(result_json)
+certificate = result["certificate"]
+wrapped_key = base64.b64decode(result["wrapped_key"])
+
+# Custodia returns a PEM-encoded certificate and a base64-encoded
+# DER PKIArchiveOptions object. Output these values, separated by a
+# null byte (certificate first), to be read by the Java
+# IPACustodiaKeyRetriever that invoked this program.
+
+print(certificate, wrapped_key, sep='\0', end='') |
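Review bot: `keyname = "ca_wrapped/" + sys.argv[1]` and `servername = sys.argv[2]` are consumed without any argument check, so a missing argument dies with an IndexError traceback and a key id containing `/` or `..` is sent to Custodia as a different key path under the credentials in pkiuser's keytab; since this script is the boundary between the Java caller and Custodia, it is worth rejecting that here. I would add, before building keyname, `if len(sys.argv) != 3 or '/' in sys.argv[1]: sys.exit("usage: pki-ipa-retrieve-key KEY_ID SERVER")` — whether Custodia itself normalises or rejects such key names is not visible in this commit. Separately, the shebang is the unversioned `#!/usr/bin/python` while `import ConfigParser` exists only on Python 2, so on a host where that resolves to Python 3 the script fails at import time; pinning `#!/usr/bin/python2` would make the dependency explicit, and the NUL-separated `print(certificate, wrapped_key, sep='\0', end='')` of a str next to raw DER bytes only emits the bytes unaltered under Python 2 in any case.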
