From 2f7b4ce93db7df6985b1df8136c1af8132d8a962 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 12 Dec 2015 04:10:54 +0100 Subject: Fixed external CA case for IPA compatibility. The installation code for external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21) --- base/common/python/pki/nss.py | 8 ++++++-- .../python/pki/server/deployment/pkihelper.py | 7 +++++-- .../server/deployment/scriptlets/configuration.py | 10 +++++++--- base/server/sbin/pkispawn | 23 +++++++++++++++++++++- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nss.py index 196fe462f..67fd90b4c 100644 --- a/base/common/python/pki/nss.py +++ b/base/common/python/pki/nss.py @@ -43,9 +43,13 @@ def convert_data(data, input_format, output_format, header=None, footer=None): if input_format == 'base64' and output_format == 'pem': - # split a single line into multiple lines - data = data.rstrip('\r\n') + # join base-64 data into a single line + data = data.replace('\r', '').replace('\n', '') + + # re-split the line into fixed-length lines lines = [data[i:i+64] for i in range(0, len(data), 64)] + + # add header and footer return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer) if input_format == 'pem' and output_format == 'base64': diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index f349b74da..e8591398d 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -488,15 +488,18 @@ class ConfigurationFile: # generic extension support in CSR - for external CA self.add_req_ext = config.str2bool( self.mdict['pki_req_ext_add']) + self.external = config.str2bool(self.mdict['pki_external']) + self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two']) + self.external_step_two = not self.external_step_one + if self.external: # generic extension support in CSR - for external CA if self.add_req_ext: self.req_ext_oid = self.mdict['pki_req_ext_oid'] self.req_ext_critical = self.mdict['pki_req_ext_critical'] self.req_ext_data = self.mdict['pki_req_ext_data'] - self.external_step_two = config.str2bool( - self.mdict['pki_external_step_two']) + self.skip_configuration = config.str2bool( self.mdict['pki_skip_configuration']) self.standalone = config.str2bool(self.mdict['pki_standalone']) diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 6539de8e1..ba8cff68e 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -93,9 +93,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): token = deployer.mdict['pki_token_name'] nssdb = instance.open_nssdb(token) - external = config.str2bool(deployer.mdict['pki_external']) - step_one = not config.str2bool(deployer.mdict['pki_external_step_two']) - step_two = not step_one + external = deployer.configuration_file.external + step_one = deployer.configuration_file.external_step_one + step_two = deployer.configuration_file.external_step_two try: if external and step_one: # external/existing CA step 1 @@ -141,6 +141,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr + # This is needed by IPA to detect step 1 completion. + # See is_step_one_done() in ipaserver/install/cainstance.py. + subsystem.config['preop.ca.type'] = 'otherca' + subsystem.save() elif external and step_two: # external/existing CA step 2 diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index fb5a61a8f..3b09e0f20 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -611,7 +611,13 @@ def main(argv): config.pki_log.debug(pkilogging.log_format(parser.mdict), extra=config.PKI_INDENTATION_LEVEL_0) - print_install_information(parser.mdict) + external = deployer.configuration_file.external + step_one = deployer.configuration_file.external_step_one + + if external and step_one: + print_step_one_information(parser.mdict) + else: + print_install_information(parser.mdict) def set_port(parser, tag, prompt, existing_data): @@ -621,6 +627,21 @@ def set_port(parser, tag, prompt, existing_data): parser.read_text(prompt, config.pki_subsystem, tag) +def print_step_one_information(mdict): + + print(log.PKI_SPAWN_INFORMATION_HEADER) + print(" The %s subsystem of the '%s' instance is still incomplete." % + (config.pki_subsystem, mdict['pki_instance_name'])) + print() + print(" A CSR for the CA certificate has been generated at:\n" + " %s" + % mdict['pki_external_csr_path']) + print() + print(" Submit the CSR to an external CA to generate a CA certificate\n" + " for this subsystem.") + print(log.PKI_SPAWN_INFORMATION_FOOTER) + + def print_install_information(mdict): skip_configuration = config.str2bool(mdict['pki_skip_configuration']) -- cgit