author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-12 11:03:56 +1000 |
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | 85487281cdc09720f6a0385ebb7157742d762a0c (patch) | |
tree | eec0f41f02be3328cc5a598a58dbf791c04a0efa /install/certmonger | |
parent | 66637f766dd0ddc50888013962be2294fd8d0e9a (diff) | |
pkcs10: remove pyasn1 PKCS #10 spec
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).
Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 52 |
1 files changed, 36 insertions, 16 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 6f5841ee3..41f7a62b1 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -39,10 +39,10 @@ import six
 from ipapython import ipautil
 from ipapython.dn import DN
-from ipalib import api, errors, pkcs10, x509
+from ipalib import api, errors, x509
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance, certs
+from ipaserver.install import cainstance, dsinstance, certs
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -65,8 +65,36 @@ if six.PY3:
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 def get_nickname():
-    csr = os.environ.get('CERTMONGER_CSR')
-    return pkcs10.get_friendlyname(csr) if csr else None
+    subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
+    if not subject:
+        return None
+
+    subject_base = dsinstance.DsInstance().find_subject_base()
+    if not subject_base:
+        return None
+
+    nickname_by_subject_dn = {
+        DN('CN=Certificate Authority', subject_base):
+            'caSigningCert cert-pki-ca',
+        DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
+        DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
+        DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
+        DN('CN=KRA Audit', subject_base): 'auditSigningCert cert-pki-kra',
+        DN('CN=KRA Transport Certificate', subject_base):
+            'transportCert cert-pki-kra',
+        DN('CN=KRA Storage Certificate', subject_base):
+            'storageCert cert-pki-kra',
+        DN('CN=IPA RA', subject_base): 'ipaCert',
+    }
+
+    try:
+        return nickname_by_subject_dn[DN(subject)]
+    except KeyError:
+        cas = api.Command.ca_find(ipacasubjectdn=DN(subject))['result']
+        if len(cas) == 0:
+            return None
+        return 'caSigningCert cert-pki-ca {}'.format(cas[0]['ipacaid'][0])
+
 def is_lightweight_ca():
     nickname = get_nickname() or ''
@@ -216,13 +244,9 @@ def store_cert():
     else:
         return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-    csr = os.environ.get('CERTMONGER_CSR')
-    if not csr:
-        return (UNCONFIGURED, "Certificate request not provided")
-
-    nickname = pkcs10.get_friendlyname(csr)
+    nickname = get_nickname()
     if not nickname:
-        return (REJECTED, "No friendly name in the certificate request")
+        return (REJECTED, "Nickname could not be determined")
     cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if not cert:
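Review bot: get_nickname() now carries the subject-DN-to-nickname mapping the whole helper depends on, but it has no docstring; I would add one stating that the nickname is derived from CERTMONGER_REQ_SUBJECT, first through the fixed table of IPA subsystem subjects under the DS subject base and then through ca_find for lightweight CAs, and that None means the subject could not be mapped. In the fallback, `if len(cas) == 0:` is more idiomatically `if not cas:`. Each call performs a find_subject_base() lookup and, for subjects outside the table, a ca_find call, and get_nickname() is invoked from is_lightweight_ca() in this hunk and from store_cert() and retrieve_or_reuse_cert() in the later ones; if those run in the same helper invocation the lookups repeat, so caching the result for the process would be worthwhile. Neither find_subject_base() nor ca_find is guarded here, so I assume failures such as an unreachable directory or an api that is not yet connected are handled by the callers, which lie outside the hunk.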
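Review bot: The replaced check in store_cert loses the UNCONFIGURED result: a missing CSR used to return (UNCONFIGURED, "Certificate request not provided") and only an unusable request was REJECTED, but get_nickname() returns None both when CERTMONGER_REQ_SUBJECT is absent (a helper configuration problem) and when the subject is simply unknown, so both now surface as `(REJECTED, "Nickname could not be determined")`. The same collapse occurs in retrieve_or_reuse_cert in the next hunk. I would preserve the distinction by checking the variable before calling get_nickname(), `if not os.environ.get('CERTMONGER_REQ_SUBJECT'): return (UNCONFIGURED, "Certificate request subject not provided")`, or at least log which condition failed so a rejected renewal can be diagnosed. store_cert's body begins and ends outside the hunk.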
@@ -325,13 +349,9 @@ def retrieve_or_reuse_cert():
     Retrieve certificate from LDAP. If the certificate is not available,
     reuse the old certificate.
     """
-    csr = os.environ.get('CERTMONGER_CSR')
-    if not csr:
-        return (UNCONFIGURED, "Certificate request not provided")
-
-    nickname = pkcs10.get_friendlyname(csr)
+    nickname = get_nickname()
     if not nickname:
-        return (REJECTED, "No friendly name in the certificate request")
+        return (REJECTED, "Nickname could not be determined")
     cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if not cert: