authorStanislav Laznicka <slaznick@redhat.com>2017-02-01 09:14:56 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit24b134c633390343ba76e4091fa612650976280a (patch)
tree850758763b642f801f36af5db08119221156496c
parent51a2b1372936106ff95d5a45afc813f146653ae4 (diff)
Added a PEMFileHandler for Custodia store
This is a preparation step towards sending the RA agent certificate over Custodia during domain level 1 replica installation. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/secrets/store.py61
1 files changed, 61 insertions, 0 deletions
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index b2d724d26..a499aef13 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -191,6 +191,67 @@ class DMLDAP(DBMAPHandler):
conn.modify_s('cn=config', mods)
+class PEMFileHandler(DBMAPHandler):
+ def __init__(self, config, dbmap, nickname=None):
+ if 'type' not in dbmap or dbmap['type'] != 'OPENSSL':
+ raise ValueError('Invalid type "{t}", expected OPENSSL'
+ .format(t=dbmap['type']))
+ self.certfile = dbmap['certfile']
+ self.keyfile = dbmap.get(['keyfile'])
+
+ def export_key(self):
+ _fd, tmpfile = tempfile.mkstemp(dir=paths.TMP)
+ password = ipautil.ipa_generate_password()
+ args = [
+ paths.OPENSSL,
+ "pkcs12", "-export",
+ "-in", self.certfile,
+ "-out", tmpfile,
+ "-password", "pass:{pwd}".format(pwd=password)
+ ]
+ if self.keyfile is not None:
+ args.extend(["-inkey", self.keyfile])
+
+ try:
+ ipautil.run(args, nolog=password)
+ with open(tmpfile, 'r') as f:
+ data = f.read()
+ finally:
+ os.remove(tmpfile)
+ return json_encode({'export password': password,
+ 'pkcs12 data': b64encode(data)})
+
+ def import_key(self, value):
+ v = json_decode(value)
+ data = b64decode(v['pkcs12 data'])
+ password = v['export password']
+ try:
+ _fd, tmpdata = tempfile.mkstemp(dir=paths.TMP)
+ with open(tmpdata, 'w') as f:
+ f.write(data)
+
+ # get the certificate from the file
+ ipautil.run([paths.OPENSSL,
+ "pkcs12",
+ "-in", tmpdata,
+ "-clcerts", "-nokeys",
+ "-out", self.certfile,
+ "-passin", "pass:{pwd}".format(pwd=password)],
+ nolog=(password))
+
+ if self.keyfile is not None:
+ # get the private key from the file
+ ipautil.run([paths.OPENSSL,
+ "pkcs12",
+ "-in", tmpdata,
+ "-nocerts", "-nodes",
+ "-out", self.keyfile,
+ "-passin", "pass:{pwd}".format(pwd=password)],
+ nolog=(password))
+ finally:
+ os.remove(tmpdata)
+
+
NAME_DB_MAP = {
'ca': {
'type': 'NSSDB',