summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ca.py
Commit message (Collapse)AuthorAgeFilesLines
* py3: base64 encoding/decoding returns always bytes don't mix itMartin Basti2017-02-081-3/+1
| | | | | | | | | Using unicode(bytes) call causes undesired side effect that is inserting `b` character to result. This obviously causes issues with binary base64 data https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Reuse self.api when executing ca_enabled_checkFraser Tweedale2017-01-111-6/+6
| | | | | | | | | | | | | | The ca_enabled_check function is a wrapper around api.Command.ca_is_enabled. When using remote_api (e.g. during installer), ca_enabled_check invokes the *global* api instead of the remote_api. Update ca_enabled_check to explicitly receive an api object from the caller and invoke Command.ca_is_enabled through it. Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ca: fix ca-find with --pkey-onlyJan Cholasta2017-01-051-3/+7
| | | | | | | | | | | | | | Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail with internal error if --pkey-only is specified, because the code to look up the CA certificate and certificate chain assumes that the ipaCAId attribute is always present in the result. Fix this by not attempting to lookup the certificate / chain at all when --pkey-only is specified. https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Fix regression in test suiteFraser Tweedale2016-12-131-4/+10
| | | | | | | | | | | | | 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d introduced a regression in test_serverroles.py, caused by ca_find attempting to log into the Dogtag REST API. (ca_find is called by cert_find which is called by server_del during cleanup). Avoid logging into Dogtag in cert_find unless something actually needs to be retrieved. Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add options to write lightweight CA cert or chain to fileFraser Tweedale2016-12-121-5/+60
| | | | | | | | | | | | | | Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Add commentary about CA deletion to plugin docFraser Tweedale2016-10-061-8/+13
| | | | | | | | | | | Add commentary to 'ca' plugin documentation to explain what happens when a CA gets deleted - namely, that its signing cert gets revoked and its private key deleted. Also break the docstring up into smaller chunks to aid translation. Fixes: https://fedorahosted.org/freeipa/ticket/6256 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ca-disable and ca-enable commandsFraser Tweedale2016-09-071-2/+64
| | | | | | | | | | | | | We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Check for CA subject name collision before attempting creationFraser Tweedale2016-06-301-0/+7
| | | | | | | | | | Lightweight CA subject name collisions are prevented by Dogtag (response code 409 Conflict), however, we do not want to expose the Dogtag error. Perform the check in the IPA framework as well, raising DuplicateEntry on collision. Fixes: https://fedorahosted.org/freeipa/ticket/5981 Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Add 'ca' pluginFraser Tweedale2016-06-151-0/+217
This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>