From 2e8bae590eae495628ffb709540f7e83eee52ba2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 8 Sep 2010 22:11:31 -0400
Subject: Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
---
ipalib/plugins/cert.py | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
(limited to 'ipalib/plugins/cert.py')
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 1154e2e3..60161cf1 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -417,7 +417,16 @@ class cert_show(VirtualCommand):
 operation="retrieve certificate"
 def execute(self, serial_number):
- self.check_access()
+ hostname = None
+ try:
+ self.check_access()
+ except errors.ACIError, acierr:
+ self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+ bind_principal = getattr(context, 'principal')
+ if not bind_principal.startswith('host/'):
+ raise acierr
+ hostname = get_host_from_principal(bind_principal)
+
 result=self.Backend.ra.get_certificate(serial_number)
 cert = x509.load_certificate(result['certificate'])
 result['subject'] = unicode(cert.subject)
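Review bot: `getattr(context, 'principal')` in the new except branch has no default, so if the ACI fallback is ever reached with no principal bound on the context it surfaces as an AttributeError instead of the access denial the branch is meant to produce; whether that situation can arise is not visible here, but failing closed costs nothing. I would write `bind_principal = getattr(context, 'principal', None)` and `if not bind_principal or not bind_principal.startswith('host/'):` before `raise acierr`. Note that the `hostname` set here is only compared against the certificate subject further down in `execute`, which continues past the end of this hunk, so the fetched certificate must not be returned on any path between the fetch and that comparison.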
@@ -426,6 +435,12 @@ class cert_show(VirtualCommand):
 result['valid_not_after'] = unicode(cert.valid_not_after_str)
 result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
 result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+ if hostname:
+ # If we have a hostname we want to verify that the subject
+ # of the certificate matches it, otherwise raise an error
+ if hostname != cert.subject.common_name:
+ raise acierr
+
 return dict(result=result)
 api.register(cert_show)
@@ -457,7 +472,17 @@ class cert_revoke(VirtualCommand):
 )
 def execute(self, serial_number, **kw):
- self.check_access()
+ hostname = None
+ try:
+ self.check_access()
+ except errors.ACIError, acierr:
+ self.debug("Not granted by ACI to revoke certificate, looking at principal")
+ try:
+ # Let cert_show() handle verifying that the subject of the
+ # cert we're dealing with matches the hostname in the principal
+ result = api.Command['cert_show'](unicode(serial_number))['result']
+ except errors.NotImplementedError:
+ pass
 return dict(
 result=self.Backend.ra.revoke_certificate(serial_number, **kw)
 )
-- cgit
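Review bot: The ownership test `hostname != cert.subject.common_name` is an exact, case-sensitive string comparison, while the hostname carried in a `host/` principal is a DNS name and DNS names are case-insensitive; a certificate whose CN differs from the principal's hostname only in case would be refused even though it belongs to that host. Comparing case-folded values is the safer match: `if hostname.lower() != (cert.subject.common_name or '').lower():` — the `or ''` guards a subject with no CN, which I assume `common_name` reports as `None` (worth confirming against the x509 wrapper). This branch also relies on `acierr` still being bound after the `except` clause in the previous hunk, which holds in Python 2 but deserves a one-line comment such as `# acierr was bound by the ACI fallback above`. The start of `execute` is outside this hunk.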
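Review bot: The ownership check in the new except branch of `cert_revoke.execute` fails open: when the delegated `cert_show` call raises `errors.NotImplementedError`, the `pass` lets `revoke_certificate` run for any serial number with no verification at all. It is also indirect in a way that skips the check entirely — `cert_show` only compares the subject CN to the host principal when its own ACI check for "retrieve certificate" fails, so a principal that may retrieve certificates but not revoke them (the two `operation` strings differ, so I assume they are granted separately) drops straight through to revocation, and no `host/` requirement is enforced here at all; the `hostname = None` and `result` bindings are unused. I would do the check in `cert_revoke` itself — require a `host/` principal, fetch the certificate with `self.Backend.ra.get_certificate`, compare the CN, and treat an unavailable lookup as a denial by re-raising `acierr`:
```python
    def execute(self, serial_number, **kw):
        try:
            self.check_access()
        except errors.ACIError, acierr:
            self.debug("Not granted by ACI to revoke certificate, looking at principal")
            bind_principal = getattr(context, 'principal', None)
            if not bind_principal or not bind_principal.startswith('host/'):
                raise acierr
            hostname = get_host_from_principal(bind_principal)
            try:
                result = self.Backend.ra.get_certificate(serial_number)
            except errors.NotImplementedError:
                # Ownership cannot be verified, so fail closed.
                raise acierr
            cert = x509.load_certificate(result['certificate'])
            if hostname.lower() != (cert.subject.common_name or '').lower():
                raise acierr
        # … unchanged: return dict(result=self.Backend.ra.revoke_certificate(...)) …
```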