diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-10 13:56:40 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-15 07:13:38 +0200 |
commit | 08e0aa23b0d2c7226472670b4d29d3cc5c5242d6 (patch) | |
tree | 7a184c97bd78d5703120df5e35cca3bcebe1b0cb /ipaserver | |
parent | ae6d5b79fbce83e5ded8d8d46108b193c164ac14 (diff) | |
download | freeipa-08e0aa23b0d2c7226472670b4d29d3cc5c5242d6.tar.gz freeipa-08e0aa23b0d2c7226472670b4d29d3cc5c5242d6.tar.xz freeipa-08e0aa23b0d2c7226472670b4d29d3cc5c5242d6.zip |
Add issuer options to cert-show and cert-find
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/cert.py | 47 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 9 |
2 files changed, 56 insertions, 0 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63a051fab..171d08b9d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -610,6 +610,13 @@ class cert_show(VirtualCommand): ) takes_options = ( + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), @@ -631,8 +638,24 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)s " + "issued by CA '%(ca)s' not found") + % dict(serial=serial_number, ca=options['cacn'])) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) @@ -734,6 +757,18 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -818,6 +853,18 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + ca_sdn = unicode(ca_obj['ipacasubjectdn'][0]) + if 'issuer' in options: + if DN(ca_sdn) != DN(options['issuer']): + # client has provided both 'ca' and 'issuer' but + # issuer DNs don't match; result must be empty + return dict(result=[], count=0, truncated=False) + else: + options['issuer'] = ca_sdn + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ff..919ecfeac 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) |