author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-10 13:56:40 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-15 07:13:38 +0200 |
commit | 08e0aa23b0d2c7226472670b4d29d3cc5c5242d6 (patch) | |
tree | 7a184c97bd78d5703120df5e35cca3bcebe1b0cb | |
parent | ae6d5b79fbce83e5ded8d8d46108b193c164ac14 (diff) | |
Add issuer options to cert-show and cert-find
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | API.txt | 7 | ||||
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | ipaserver/plugins/cert.py | 47 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 9 |
4 files changed, 63 insertions, 4 deletions
@@ -730,11 +730,13 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: cert_find
-args: 0,17,4
+args: 0,19,4
 option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('cacn?', autofill=False, cli_name='ca')
 option: Flag('exactly?', autofill=True, default=False)
 option: Str('issuedon_from?', autofill=False)
 option: Str('issuedon_to?', autofill=False)
+option: Str('issuer?', autofill=False)
 option: Int('max_serial_number?', autofill=False)
 option: Int('min_serial_number?', autofill=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -774,8 +776,9 @@ option: Int('revocation_reason', autofill=True, default=0)
 option: Str('version?')
 output: Output('result')
 command: cert_show
-args: 1,2,1
+args: 1,3,1
 arg: Str('serial_number')
+option: Str('cacn?', autofill=False, cli_name='ca')
 option: Str('out?')
 option: Str('version?')
 output: Output('result')
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #
 # ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=183
-# Last change: ftweedal - add --ca option to cert-request
+IPA_API_VERSION_MINOR=184
+# Last change: ftweedal - add issuer options to cert-show and cert-find
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 63a051fab..171d08b9d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -610,6 +610,13 @@ class cert_show(VirtualCommand):
 )
 takes_options = (
+ Str('cacn?',
+ cli_name='ca',
+ query=True,
+ label=_('Issuing CA'),
+ doc=_('Name of issing CA'),
+ autofill=False,
+ ),
 Str('out?',
 label=_('Output filename'),
 doc=_('File to store the certificate in.'),
@@ -631,8 +638,24 @@ class cert_show(VirtualCommand):
 raise acierr
 hostname = get_host_from_principal(bind_principal)
+ issuer_dn = None
+ if 'cacn' in options:
+ ca_obj = api.Command.ca_show(options['cacn'])['result']
+ issuer_dn = ca_obj['ipacasubjectdn'][0]
+
+ # Dogtag lightweight CAs have shared serial number domain, so
+ # we don't tell Dogtag the issuer (but we check the cert after).
+ #
 result=self.Backend.ra.get_certificate(serial_number)
 cert = x509.load_certificate(result['certificate'])
+
+ if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn):
+ # DN of cert differs from what we requested
+ raise errors.NotFound(
+ reason=_("Certificate with serial number %(serial)s "
+ "issued by CA '%(ca)s' not found")
+ % dict(serial=serial_number, ca=options['cacn']))
+
 result['subject'] = unicode(cert.subject)
 result['issuer'] = unicode(cert.issuer)
 result['valid_not_before'] = unicode(cert.valid_not_before_str)
@@ -734,6 +757,18 @@ class cert_find(Command):
 doc=_('Subject'),
 autofill=False,
 ),
+ Str('cacn?',
+ cli_name='ca',
+ query=True,
+ label=_('Issuing CA'),
+ doc=_('Name of issing CA'),
+ autofill=False,
+ ),
+ Str('issuer?',
+ label=_('Issuer'),
+ doc=_('Issuer DN'),
+ autofill=False,
+ ),
 Int('revocation_reason?',
 label=_('Reason'),
 doc=_('Reason for revoking the certificate (0-10). Type '
@@ -818,6 +853,18 @@ class cert_find(Command):
 def execute(self, **options):
 ca_enabled_check()
+
+ if 'cacn' in options:
+ ca_obj = api.Command.ca_show(options['cacn'])['result']
+ ca_sdn = unicode(ca_obj['ipacasubjectdn'][0])
+ if 'issuer' in options:
+ if DN(ca_sdn) != DN(options['issuer']):
+ # client has provided both 'ca' and 'issuer' but
+ # issuer DNs don't match; result must be empty
+ return dict(result=[], count=0, truncated=False)
+ else:
+ options['issuer'] = ca_sdn
+
 ret = dict(
 result=self.Backend.ra.find(options)
 )
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 43aab92ff..919ecfeac 100644
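Review bot: The help text of the new `cacn` option in the cert_find takes_options hunk is user-visible and carries a typo: `doc=_('Name of issing CA'),` should read `doc=_('Name of issuing CA'),`. The identical string is added to cert_show's takes_options in the hunk above, so both occurrences want the same fix before the translatable message is frozen. The takes_options tuple continues outside the hunk.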
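Review bot: In the cert_find.execute hunk, `DN(options['issuer'])` parses a client-supplied string with no syntax guard, so if the DN parser rejects the value the exception escapes execute() as an internal error rather than a validation failure, and when `--ca` is not given the same unparsed string is forwarded to the Dogtag search (see the dogtag.py `issuerDN` hunk below) without any check at all. Declaring `Str('issuer?', ...)` as a DN-typed parameter (ipalib's `DNParam`) would have the framework validate it on input; failing that, the comparison should catch the parser's error and re-raise it as `errors.ValidationError` naming the `issuer` option. The cert_show hunk above is consistent but stores the CA subject as `ca_obj['ipacasubjectdn'][0]` while this hunk wraps it in `unicode(...)`; one form should be used in both places. The remainder of execute(), including how `ret` is returned, lies outside the hunk.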
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1809,6 +1809,10 @@ class ra(rabase.rabase):
 node.text = options['subject']
 booloptions['subjectInUse'] = True
+ if 'issuer' in options:
+ node = etree.SubElement(page, 'issuerDN')
+ node.text = options['issuer']
+
 if 'revocation_reason' in options:
 node = etree.SubElement(page, 'revocationReason')
 node.text = unicode(options['revocation_reason'])
@@ -1897,6 +1901,11 @@ class ra(rabase.rabase):
 dn = cert.xpath('SubjectDN')
 if len(dn) == 1:
 response_request['subject'] = unicode(dn[0].text)
+
+ issuer_dn = cert.xpath('IssuerDN')
+ if len(dn) == 1:
+ response_request['issuer'] = unicode(issuer_dn[0].text)
+
 status = cert.xpath('Status')
 if len(status) == 1:
 response_request['status'] = unicode(status[0].text)
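Review bot: The new IssuerDN parse in the second dogtag.py hunk tests the wrong list: `if len(dn) == 1:` re-checks the SubjectDN result computed two lines earlier, so a Dogtag response that carries a SubjectDN but no IssuerDN element raises IndexError at `issuer_dn[0]`, and an IssuerDN that is present is silently dropped whenever SubjectDN is absent. The guard should read `if len(issuer_dn) == 1:`. The enclosing method continues outside the hunk.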