Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py65
-rw-r--r--ipapython/ipautil.py23
-rw-r--r--ipapython/platform/base.py2
-rw-r--r--ipapython/platform/fedora16.py1
4 files changed, 90 insertions, 1 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 22a599ae..bdc8591e 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -22,6 +22,7 @@
# server certificates created during the IPA server installation.
import os
+import sys
import re
import time
from ipapython import ipautil
@@ -329,6 +330,70 @@ def remove_principal_from_cas():
fp.write(line)
fp.close()
+# Routines specific to renewing dogtag CA certificates
+def get_pin(token):
+ """
+ Dogtag stores its NSS pin in a file formatted as token:PIN.
+
+ The caller is expected to handle any exceptions raised.
+ """
+ filename = '/var/lib/pki-ca/conf/password.conf'
+ with open(filename, 'r') as f:
+ for line in f:
+ (tok, pin) = line.split('=', 1)
+ if token == tok:
+ return pin.strip()
+ return None
+
+def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
+ """
+ Tell certmonger to start tracking a dogtag CA certificate. These
+ are handled differently because their renewal must be done directly
+ and not through IPA.
+
+ This uses the generic certmonger command getcert so we can specify
+ a different helper.
+
+ command is the script to execute.
+
+ Returns the stdout, stderr and returncode from running ipa-getcert
+
+ This assumes that certmonger is already running.
+ """
+ if not cert_exists(nickname, os.path.abspath(secdir)):
+ raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
+
+ if command is not None and not os.path.isabs(command):
+ if sys.maxsize > 2**32:
+ libpath = 'lib64'
+ else:
+ libpath = 'lib'
+ command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
+
+ args = ["/usr/bin/getcert", "start-tracking",
+ "-d", os.path.abspath(secdir),
+ "-n", nickname,
+ "-c", ca,
+ "-C", command,
+ ]
+
+ if pinfile:
+ args.append("-p")
+ args.append(pinfile)
+ else:
+ args.append("-P")
+ args.append(pin)
+
+ if ca == 'dogtag-ipa-retrieve-agent-submit':
+ # We cheat and pass in the nickname as the profile when
+ # renewing on a clone. The submit otherwise doesn't pass in the
+ # nickname and we need some way to find the right entry in LDAP.
+ args.append("-T")
+ args.append(nickname)
+
+ (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+
+
if __name__ == '__main__':
request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
csr = get_request_value(request_id, 'csr')
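Review bot: dogtag_start_tracking never returns the tuple its docstring promises: `(stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])` is the last statement, so callers get None and cannot inspect the getcert result; add `return (stdout, stderr, returncode)` after it, and note the docstring says ipa-getcert while the command actually run is /usr/bin/getcert. The `command is not None` guard only protects the path-joining step, so a None command is still appended after "-C" and the args list then holds a non-string; either reject None up front or omit the "-C" pair when it is None. When pinfile is not supplied the PIN is placed on the getcert command line via "-P", where it is readable by other local users through the process list for the duration of the call even though nolog keeps it out of the log, so the docstring should state that pinfile is the preferred form. In get_pin the docstring describes the file as token:PIN but the code splits on '=', and a blank or comment line makes the two-element unpack raise ValueError before the wanted token is reached.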
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 22c8e293..bed5435b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -42,6 +42,7 @@ import xmlrpclib
import datetime
import netaddr
import time
+import krbV
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -1086,3 +1087,25 @@ def wait_for_open_socket(socket_name, timeout=0):
time.sleep(1)
else:
raise e
+
+def kinit_hostprincipal(keytab, ccachedir, principal):
+ """
+ Given a ccache directory and a principal kinit as that user.
+
+ This blindly overwrites the current CCNAME so if you need to save
+ it do so before calling this function.
+
+ Thus far this is used to kinit as the local host.
+ """
+ try:
+ ccache_file = 'FILE:%s/ccache' % ccachedir
+ krbcontext = krbV.default_context()
+ ktab = krbV.Keytab(name=keytab, context=krbcontext)
+ princ = krbV.Principal(name=principal, context=krbcontext)
+ os.environ['KRB5CCNAME'] = ccache_file
+ ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
+ ccache.init(princ)
+ ccache.init_creds_keytab(keytab=ktab, principal=princ)
+ return ccache_file
+ except krbV.Krb5Error, e:
+ raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
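Review bot: kinit_hostprincipal assigns `os.environ['KRB5CCNAME'] = ccache_file` before any credential is obtained, so if `CCache(...)`, `init` or `init_creds_keytab` fails the process is left pointing at a cache that was never populated while the caller's original value is already gone; since the CCache is opened by explicit name, the assignment can be moved after `init_creds_keytab` so the environment only changes on success. The path is built as `'FILE:%s/ccache' % ccachedir` with no check that ccachedir exists or is private to the caller, and the file's mode is presumably whatever the library applies, so the docstring should state that the directory must be writable only by the user running this code. Wrapping every Krb5Error in StandardError also discards the original exception type, leaving callers nothing narrower to catch.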
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index 6f9d3867..8c694ac0 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
- 'rpcidmapd']
+ 'rpcidmapd', 'pki_cad']
# The common ports for these services. This is used to wait for the
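Review bot: the new entry 'pki_cad' is the only underscore-spelled name in wellknownservices, and the fedora16.py hunk aliases it to the existing 'pki-cad' unit without saying why both spellings are needed, so a later reader may remove one as a duplicate. A one-line comment at both sites, e.g. `# 'pki_cad' mirrors 'pki-cad' for callers that use the underscore form`, would make the intent explicit; the caller that uses the underscore spelling is not visible in these hunks, so the comment should name it.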
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
index 8b730e41..100bbb2a 100644
--- a/ipapython/platform/fedora16.py
+++ b/ipapython/platform/fedora16.py
@@ -60,6 +60,7 @@ system_units['dirsrv'] = 'dirsrv@.service'
system_units['pkids'] = 'dirsrv@PKI-IPA.service'
# Our PKI instance is pki-cad@pki-ca.service
system_units['pki-cad'] = 'pki-cad@pki-ca.service'
+system_units['pki_cad'] = system_units['pki-cad']
class Fedora16Service(systemd.SystemdService):
def __init__(self, service_name):