diff options
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 89 |
1 files changed, 71 insertions, 18 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 15433f663..ef69c898b 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1554,17 +1554,31 @@ def backup_config(): "Dogtag must be stopped when creating backup of %s" % path) shutil.copy(path, path + '.ipabkp') -def update_people_entry(dercert): +def __update_entry_from_cert(make_filter, make_entry, dercert): """ - Update the userCerticate for an entry in the dogtag ou=People. This - is needed when a certificate is renewed. + Given a certificate and functions to make a filter based on the + cert, and make a new entry based on the cert, update database + accordingly. + + ``make_filter`` + function that takes a certificate in DER format and + returns an LDAP search filter + + ``make_entry`` + function that takes a certificate in DER format and an + LDAP entry, and returns the new state of the LDAP entry. + Return the input unchanged to skip an entry. + + ``dercert`` + An X509.3 certificate in DER format - dercert: An X509.3 certificate in DER format + Logging is done via syslog. - Logging is done via syslog + Return ``True`` if all updates were successful (zero updates is + vacuously successful) otherwise ``False``. - Returns True or False """ + base_dn = DN(('o', 'ipaca')) serial_number = x509.get_serial_number(dercert, datatype=x509.DER) subject = x509.get_subject(dercert, datatype=x509.DER) @@ -1581,14 +1595,7 @@ def update_people_entry(dercert): conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) conn.connect(autobind=True) - db_filter = conn.combine_filters( - [ - conn.make_filter({'objectClass': 'inetOrgPerson'}), - conn.make_filter( - {'description': ';%s;%s' % (issuer, subject)}, - exact=False, trailing_wildcard=False), - ], - conn.MATCH_ALL) + db_filter = make_filter(dercert) try: entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter) except errors.NotFound: @@ -1601,10 +1608,7 @@ def update_people_entry(dercert): syslog.LOG_NOTICE, 'Updating entry %s' % str(entry.dn)) try: - entry['usercertificate'].append(dercert) - entry['description'] = '2;%d;%s;%s' % ( - serial_number, issuer, subject) - + entry = make_entry(dercert, entry) conn.update_entry(entry) except errors.EmptyModlist: pass @@ -1634,6 +1638,55 @@ def update_people_entry(dercert): return True + +def update_people_entry(dercert): + """ + Update the userCerticate for an entry in the dogtag ou=People. This + is needed when a certificate is renewed. + """ + def make_filter(dercert): + subject = x509.get_subject(dercert, datatype=x509.DER) + issuer = x509.get_issuer(dercert, datatype=x509.DER) + return ldap2.ldap2.combine_filters( + [ + ldap2.ldap2.make_filter({'objectClass': 'inetOrgPerson'}), + ldap2.ldap2.make_filter( + {'description': ';%s;%s' % (issuer, subject)}, + exact=False, trailing_wildcard=False), + ], + ldap2.ldap2.MATCH_ALL) + + def make_entry(dercert, entry): + serial_number = x509.get_serial_number(dercert, datatype=x509.DER) + subject = x509.get_subject(dercert, datatype=x509.DER) + issuer = x509.get_issuer(dercert, datatype=x509.DER) + entry['usercertificate'].append(dercert) + entry['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject) + return entry + + return __update_entry_from_cert(make_filter, make_entry, dercert) + + +def update_authority_entry(dercert): + """ + Find the authority entry for the given cert, and update the + serial number to match the given cert. + """ + def make_filter(dercert): + subject = x509.get_subject(dercert, datatype=x509.DER) + return ldap2.ldap2.make_filter( + dict(objectclass='authority', authoritydn=subject), + rules=ldap2.ldap2.MATCH_ALL, + ) + + def make_entry(dercert, entry): + serial_number = x509.get_serial_number(dercert, datatype=x509.DER) + entry['authoritySerial'] = serial_number + return entry + + return __update_entry_from_cert(make_filter, make_entry, dercert) + + def ensure_ldap_profiles_container(): ensure_entry( DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), |