authorFraser Tweedale <ftweedal@redhat.com>2016-05-10 13:56:40 +1000
committerJan Cholasta <jcholast@redhat.com>2016-06-15 07:13:38 +0200
commit08e0aa23b0d2c7226472670b4d29d3cc5c5242d6 (patch)
tree7a184c97bd78d5703120df5e35cca3bcebe1b0cb /ipaserver
parentae6d5b79fbce83e5ded8d8d46108b193c164ac14 (diff)
Add issuer options to cert-show and cert-find
Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/plugins/cert.py47
-rw-r--r--ipaserver/plugins/dogtag.py9
2 files changed, 56 insertions, 0 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 63a051fab..171d08b9d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -610,6 +610,13 @@ class cert_show(VirtualCommand):
)
takes_options = (
+ Str('cacn?',
+ cli_name='ca',
+ query=True,
+ label=_('Issuing CA'),
+ doc=_('Name of issing CA'),
+ autofill=False,
+ ),
Str('out?',
label=_('Output filename'),
doc=_('File to store the certificate in.'),
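Review bot: The new option's help text has a typo, `doc=_('Name of issing CA'),` should read `doc=_('Name of issuing CA'),`; the identical string is added again for cert_find's `cacn?` option in the third hunk of this file. Because the string is wrapped in `_()` it also becomes a translation msgid, so fixing it before merge avoids shipping a stale msgid that translators then have to redo. The takes_options tuple continues outside the hunk.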
@@ -631,8 +638,24 @@ class cert_show(VirtualCommand):
raise acierr
hostname = get_host_from_principal(bind_principal)
+ issuer_dn = None
+ if 'cacn' in options:
+ ca_obj = api.Command.ca_show(options['cacn'])['result']
+ issuer_dn = ca_obj['ipacasubjectdn'][0]
+
+ # Dogtag lightweight CAs have shared serial number domain, so
+ # we don't tell Dogtag the issuer (but we check the cert after).
+ #
result=self.Backend.ra.get_certificate(serial_number)
cert = x509.load_certificate(result['certificate'])
+
+ if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn):
+ # DN of cert differs from what we requested
+ raise errors.NotFound(
+ reason=_("Certificate with serial number %(serial)s "
+ "issued by CA '%(ca)s' not found")
+ % dict(serial=serial_number, ca=options['cacn']))
+
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
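Review bot: The explanatory comment above the `get_certificate` call ends with a dangling bare `#` line that reads as an unfinished thought; either drop it or finish the sentence so the reader knows the post-fetch comparison is the only thing enforcing the `cacn` filter. A wording along the lines of `# ... so the serial lookup is issuer-agnostic; a cert issued by a different CA is rejected below with NotFound rather than returned.` makes the intent of the `issuer_dn` check explicit. It may also be worth a short comment on the `ca_show` call noting that an unknown `cacn` fails there with ca_show's own NotFound, before any certificate is fetched. cert_show.execute begins outside the hunk.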
@@ -734,6 +757,18 @@ class cert_find(Command):
doc=_('Subject'),
autofill=False,
),
+ Str('cacn?',
+ cli_name='ca',
+ query=True,
+ label=_('Issuing CA'),
+ doc=_('Name of issing CA'),
+ autofill=False,
+ ),
+ Str('issuer?',
+ label=_('Issuer'),
+ doc=_('Issuer DN'),
+ autofill=False,
+ ),
Int('revocation_reason?',
label=_('Reason'),
doc=_('Reason for revoking the certificate (0-10). Type '
@@ -818,6 +853,18 @@ class cert_find(Command):
def execute(self, **options):
ca_enabled_check()
+
+ if 'cacn' in options:
+ ca_obj = api.Command.ca_show(options['cacn'])['result']
+ ca_sdn = unicode(ca_obj['ipacasubjectdn'][0])
+ if 'issuer' in options:
+ if DN(ca_sdn) != DN(options['issuer']):
+ # client has provided both 'ca' and 'issuer' but
+ # issuer DNs don't match; result must be empty
+ return dict(result=[], count=0, truncated=False)
+ else:
+ options['issuer'] = ca_sdn
+
ret = dict(
result=self.Backend.ra.find(options)
)
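Review bot: `DN(options['issuer'])` is applied to a caller-supplied string, and if `DN()` raises `ValueError` on a string it cannot parse (as I believe it does), a malformed `--issuer` would surface as an internal server error instead of a validation error on the parameter. Since `errors` is already used by this module, converting the failure to `errors.ValidationError(name='issuer', error=...)` keeps the response consistent with other bad-input cases. Note also that when `cacn` is absent the `issuer` string is forwarded to Dogtag untouched, so any normalisation of the DN there is entirely Dogtag's; a one-line comment saying so would help the next reader. cert_find.execute continues outside the hunk.
```python
if 'issuer' in options:
    try:
        requested_issuer = DN(options['issuer'])
    except ValueError as e:
        raise errors.ValidationError(name='issuer', error=unicode(e))
    if DN(ca_sdn) != requested_issuer:
        # client has provided both 'ca' and 'issuer' but
        # issuer DNs don't match; result must be empty
        return dict(result=[], count=0, truncated=False)
# ... unchanged: else branch setting options['issuer'] = ca_sdn ...
```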
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 43aab92ff..919ecfeac 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1809,6 +1809,10 @@ class ra(rabase.rabase):
node.text = options['subject']
booloptions['subjectInUse'] = True
+ if 'issuer' in options:
+ node = etree.SubElement(page, 'issuerDN')
+ node.text = options['issuer']
+
if 'revocation_reason' in options:
node = etree.SubElement(page, 'revocationReason')
node.text = unicode(options['revocation_reason'])
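Review bot: The subject branch directly above pairs its `subject` element with `booloptions['subjectInUse'] = True`, whereas the new `issuerDN` element sets no companion flag; if Dogtag's search request keys on an analogous flag for the issuer, the filter would be silently ignored and cert-find --issuer would return certificates from every CA. I cannot confirm the CertSearchRequest schema from here, so please verify against it; if no such flag exists, a comment such as `# CertSearchRequest has no 'InUse' flag for issuerDN; presence of the element is enough` would save the next reader the same question. The enclosing `find` method starts and ends outside the hunk.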
@@ -1897,6 +1901,11 @@ class ra(rabase.rabase):
dn = cert.xpath('SubjectDN')
if len(dn) == 1:
response_request['subject'] = unicode(dn[0].text)
+
+ issuer_dn = cert.xpath('IssuerDN')
+ if len(dn) == 1:
+ response_request['issuer'] = unicode(issuer_dn[0].text)
+
status = cert.xpath('Status')
if len(status) == 1:
response_request['status'] = unicode(status[0].text)
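Review bot: The new guard tests the wrong variable: `if len(dn) == 1:` re-checks the `SubjectDN` result from the lines above rather than the freshly queried `issuer_dn`, so a response that carries a SubjectDN but no IssuerDN element will raise IndexError on `issuer_dn[0]` and abort parsing of the whole result set. The condition should be `if len(issuer_dn) == 1:`, mirroring the `status` check that follows. The enclosing method starts and ends outside the hunk.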