User provided certs.

4 files changed, 67 insertions, 21 deletions

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index fb6b01d0..77052c13 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -17,7 +17,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
-import os, stat, subprocess
+import os, stat, subprocess, re
 import sha
 
 from ipa import ipautil
@@ -196,6 +196,50 @@ class CertDB(object):
         f.close()
         self.set_perms(self.pin_fname)
 
+    def trust_root_cert(self, nickname):
+        p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
+                              "-O", "-n", nickname], stdout=subprocess.PIPE)
+
+        chain = p.stdout.read()
+        chain = chain.split("\n")
+
+        root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+
+        self.run_certutil(["-M", "-n", root_nickname,
+                           "-t", "CT,CT,"])
+
+    def find_server_certs(self):
+        p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
+                              "-L"], stdout=subprocess.PIPE)
+
+        certs = p.stdout.read()
+
+        certs = certs.split("\n")
+
+        server_certs = []
+
+        for cert in certs:
+            fields = cert.split()
+            if not len(fields):
+                continue
+            flags = fields[-1]
+            if 'u' in flags:
+                name = " ".join(fields[0:-1])
+                server_certs.append((name, flags))
+
+        return server_certs
+                
+
+    def import_pkcs12(self, pkcs12_fname):
+        try:
+            ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
+                         "-i", pkcs12_fname])
+        except ipautil.CalledProcessError, e:
+            if e.returncode == 17:
+                raise RuntimeError("incorrect password")
+            else:
+                raise RuntimeError("unknown error import pkcs#12 file")
+
     def create_self_signed(self, passwd=True):
         self.create_noise_file()
         self.create_passwd_file(passwd)
@@ -208,6 +252,3 @@ class CertDB(object):
         self.create_passwd_file(passwd)
         self.create_certdbs()
         self.load_cacert(cacert_fname)
-
-
-
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 5edc3879..818710fb 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -322,7 +322,7 @@ class DsInstance(service.Service):
         conn.addEntry(entry)
         
         conn.unbind()
-        
+
     def __add_default_layout(self):
         self.step("adding default layout")
         txt = ipautil.template_file(ipautil.SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index 1799cca0..de0b3af8 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -29,6 +29,7 @@ import time
 import service
 import certs
 import dsinstance
+import installutils
 from ipa.ipautil import *
 
 HTTPD_DIR = "/etc/httpd"
@@ -43,21 +44,6 @@ successfully change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
-def update_file(filename, orig, subst):
-    if os.path.exists(filename):
-        pattern = "%s" % re.escape(orig)
-        p = re.compile(pattern)
-        for line in fileinput.input(filename, inplace=1):
-            if not p.search(line):
-                sys.stdout.write(line)
-            else:
-                sys.stdout.write(p.sub(subst, line))
-        fileinput.close()
-        return 0
-    else:
-        print "File %s doesn't exist." % filename
-        return 1
-
 class HTTPInstance(service.Service):
     def __init__(self):
         service.Service.__init__(self, "httpd")
@@ -145,7 +131,7 @@ class HTTPInstance(service.Service):
 
     def __set_mod_nss_port(self):
         self.step("Setting mod_nss port to 443")
-        if update_file(NSS_CONF, '8443', '443') != 0:
+        if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating %s failed." % NSS_CONF
 
     def __setup_ssl(self):
diff --git a/ipa-server/ipaserver/installutils.py b/ipa-server/ipaserver/installutils.py
index a403e815..25cd1555 100644
--- a/ipa-server/ipaserver/installutils.py
+++ b/ipa-server/ipaserver/installutils.py
@@ -21,6 +21,10 @@ import logging
 import socket
 import errno
 import getpass
+import os
+import re
+import fileinput
+import sys
 
 def get_fqdn():
     fqdn = ""
@@ -105,4 +109,19 @@ def read_password(user):
     print ""
     return pwd
 
+def update_file(filename, orig, subst):
+    if os.path.exists(filename):
+        pattern = "%s" % re.escape(orig)
+        p = re.compile(pattern)
+        for line in fileinput.input(filename, inplace=1):
+            if not p.search(line):
+                sys.stdout.write(line)
+            else:
+                sys.stdout.write(p.sub(subst, line))
+        fileinput.close()
+        return 0
+    else:
+        print "File %s doesn't exist." % filename
+        return 1
+