author | Simo Sorce <simo@redhat.com> | 2015-08-07 11:44:59 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-10-01 16:20:49 -0400 |
commit | 77e7728ba6e85cd08e8a8244c1bd95757ab731a8 (patch) | |
tree | c37a67bb5689a55d7b3087813b589cdfd25d4025 | |
parent | 84db4f2ddebe6c50e1f5844c7c25317d72d19041 (diff) | |
Add function to extract CA certs for install
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | ipapython/secrets/client.py | 8 | ||||
-rw-r--r-- | ipaserver/install/custodiainstance.py | 55 |
2 files changed, 61 insertions, 2 deletions
diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 81d066f84..5b671988d 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -74,7 +74,7 @@ class CustodiaClient(object):
         authtok = ctx.step()
         return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
-    def fetch_key(self, keyname):
+    def fetch_key(self, keyname, store=True):
         # Prepare URL
         url = 'https://%s/ipa/keys/%s' % (self.server, keyname)
@@ -96,4 +96,8 @@ class CustodiaClient(object):
             raise RuntimeError('Invlid JSON response type')
         value = self.kemcli.parse_reply(keyname, reply['value'])
-        self.keystore.set('keys/%s' % keyname, value)
+
+        if store:
+            self.keystore.set('keys/%s' % keyname, value)
+        else:
+            return value
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index f506ba163..6f4afb3a9 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -6,7 +6,11 @@ from ipaplatform.paths import paths
 from service import SimpleServiceInstance
 from ipapython import ipautil
 from ipaserver.install import installutils
+from base64 import b64encode, b64decode
+from jwcrypto.common import json_decode
+import shutil
 import os
+import tempfile
 class CustodiaInstance(SimpleServiceInstance):
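Review bot: In the second client.py hunk, fetch_key now returns the parsed secret only on the `store=False` path and falls off the end (returning None) when `store` is true, so a caller that keeps the default and reads the result silently gets None. The asymmetry is not documented anywhere in the change; either add a docstring to fetch_key stating that the value is returned only when `store` is false, or give both paths one contract by writing `if store:` / `    self.keystore.set('keys/%s' % keyname, value)` / `return value`. The signature change sits in the previous hunk and the rest of fetch_key's body is outside this one.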
@@ -74,6 +78,57 @@ class CustodiaInstance(SimpleServiceInstance):
         cli = CustodiaClient(self.fqdn, master_host_name, self.realm)
         cli.fetch_key('dm/DMHash')
+    def get_ca_keys(self, ca_host, cacerts_file, cacerts_pwd):
+        # Fecth all needed certs one by one, then combine them in a single
+        # p12 file
+        certlist = ['caSigningCert cert-pki-ca',
+                    'ocspSigningCert cert-pki-ca',
+                    'auditSigningCert cert-pki-ca',
+                    'subsystemCert cert-pki-ca']
+
+        cli = CustodiaClient(self.fqdn, ca_host, self.realm)
+
+        # Temporary nssdb
+        tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
+        try:
+            # Temporary nssdb password
+            nsspwfile = os.path.join(tmpnssdir, 'nsspwfile')
+            with open(nsspwfile, 'w+') as f:
+                f.write(b64encode(os.urandom(16)))
+                f.flush()
+
+            # Cert file password
+            crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
+            with open(crtpwfile, 'w+') as f:
+                f.write(cacerts_pwd)
+                f.flush()
+
+            for nickname in certlist:
+                value = cli.fetch_key(os.path.join('ca', nickname), False)
+                v = json_decode(value)
+                pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
+                with open(pk12pwfile, 'w+') as f:
+                    f.write(v['export password'])
+                pk12file = os.path.join(tmpnssdir, 'pk12file')
+                with open(pk12file, 'w+') as f:
+                    f.write(b64decode(v['pkcs12 data']))
+                ipautil.run([paths.PK12UTIL,
+                             '-d', tmpnssdir,
+                             '-k', nsspwfile,
+                             '-n', nickname,
+                             '-i', pk12file,
+                             '-w', pk12pwfile])
+
+            # Now that we gathered all certs, re-export
+            ipautil.run([paths.PKCS12EXPORT,
+                         '-d', tmpnssdir,
+                         '-p', nsspwfile,
+                         '-w', crtpwfile,
+                         '-o', cacerts_file])
+
+        finally:
+            shutil.rmtree(tmpnssdir)
+
     def __start(self):
         super(CustodiaInstance, self).__start()
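Review bot: pk12util is asked to import into tmpnssdir straight after mkdtemp, but nothing in the hunk initializes an NSS database there with the password written to nsspwfile; unless pk12util creates and password-protects the database on its own (worth confirming against the NSS version in use), a `certutil -N` step before the loop is needed, e.g. `ipautil.run([paths.CERTUTIL, '-N', '-d', tmpnssdir, '-f', nsspwfile])`. get_ca_keys also has no docstring; it should state that the method pulls the four CA subsystem keys from ca_host over Custodia, imports them into a throwaway NSS database and re-exports them to cacerts_file as a PKCS#12 protected by cacerts_pwd, and the comment typo `Fecth` should read `Fetch`. Because cacerts_file ends up holding CA private keys and its mode is left to PKCS12Export here, confirm that either the tool or the caller restricts the file's permissions. The enclosing class continues outside the hunk.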