authorBen Lipton <blipton@redhat.com>2016-08-22 10:43:49 -0400
committerJan Cholasta <jcholast@redhat.com>2017-01-31 10:20:28 +0100
commitfc58eff6a3d7fe805e612b8b002304d8b9cd4ba9 (patch)
tree8eba8d4bbe46d2dd4de69ba079956c3c57475de0 /install/share
parent10ef5947860f5098182b1f95c08c1158e2da15f9 (diff)
csrgen: Add CSR generation profile for caIPAserviceCert
https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/share')
-rw-r--r--install/share/csrgen/Makefile.am5
-rw-r--r--install/share/csrgen/profiles/caIPAserviceCert.json14
-rw-r--r--install/share/csrgen/rules/dataDNS.json12
-rw-r--r--install/share/csrgen/rules/dataHostCN.json12
-rw-r--r--install/share/csrgen/rules/syntaxSAN.json15
-rw-r--r--install/share/csrgen/rules/syntaxSubject.json15
6 files changed, 73 insertions, 0 deletions
diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index 7b718cca1..c9437f5aa 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -2,10 +2,15 @@ NULL =
profiledir = $(IPA_DATA_DIR)/csrgen/profiles
profile_DATA = \
+ profiles/caIPAserviceCert.json \
$(NULL)
ruledir = $(IPA_DATA_DIR)/csrgen/rules
rule_DATA = \
+ rules/dataDNS.json \
+ rules/dataHostCN.json \
+ rules/syntaxSAN.json \
+ rules/syntaxSubject.json \
$(NULL)
templatedir = $(IPA_DATA_DIR)/csrgen/templates
diff --git a/install/share/csrgen/profiles/caIPAserviceCert.json b/install/share/csrgen/profiles/caIPAserviceCert.json
new file mode 100644
index 000000000..0d1be5e9b
--- /dev/null
+++ b/install/share/csrgen/profiles/caIPAserviceCert.json
@@ -0,0 +1,14 @@
+[
+ {
+ "syntax": "syntaxSubject",
+ "data": [
+ "dataHostCN"
+ ]
+ },
+ {
+ "syntax": "syntaxSAN",
+ "data": [
+ "dataDNS"
+ ]
+ }
+]
diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json
new file mode 100644
index 000000000..f0aadca3a
--- /dev/null
+++ b/install/share/csrgen/rules/dataDNS.json
@@ -0,0 +1,12 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}"
+ }
+ ]
+}
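Review bot: The openssl template interpolates the host part of `krbprincipalname` into the `DNS = ...` config line with no escaping, while the certutil template applies `|quote`. Unless `ipa.datafield` sanitises the value (not visible in this diff), a directory value containing a newline or other config syntax would alter the generated openssl config instead of only the SAN entry. Both templates also render an empty name when the principal has no `/`, because `partition('/')[2]` is then the empty string, so the rule should reject or skip principals that are not of the `service/host@REALM` form. The same expression appears unescaped in the openssl template of rules/dataHostCN.json.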
diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json
new file mode 100644
index 000000000..172c7ec51
--- /dev/null
+++ b/install/share/csrgen/rules/dataHostCN.json
@@ -0,0 +1,12 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+ }
+ ]
+}
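Review bot: The openssl template emits `config.ipacertificatesubjectbase.0` as one line ahead of `CN=...`, which is only a well-formed entry when the subject base is a single RDN such as `O=EXAMPLE.COM`. If the configured base holds several comma-separated RDNs, and assuming this text lands in an openssl `distinguished_name` section as rules/syntaxSubject.json suggests, everything after the first `=` would be read as one attribute value. Emitting one `type=value` line per RDN in the openssl template would keep it equivalent to the certutil form, which passes the base through as a DN string.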
diff --git a/install/share/csrgen/rules/syntaxSAN.json b/install/share/csrgen/rules/syntaxSAN.json
new file mode 100644
index 000000000..122eb1244
--- /dev/null
+++ b/install/share/csrgen/rules/syntaxSAN.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}",
+ "options": {
+ "extension": true
+ }
+ },
+ {
+ "helper": "certutil",
+ "template": "--extSAN {{ datarules|join(',') }}"
+ }
+ ]
+}
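Review bot: Neither template guards against an empty `datarules` list. In that case the certutil form would render `--extSAN ` with no argument and the openssl form would reference a `subjectAltName` section with no entries. rules/syntaxSubject.json sets `"required": true`, but this file has no equivalent, so whether the rule is dropped when no data rule produces output depends on engine behaviour that this diff does not show. Either wrap the output in a check that `datarules` is non-empty or document that the engine omits syntax rules with no data.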
diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json
new file mode 100644
index 000000000..7dfa9325d
--- /dev/null
+++ b/install/share/csrgen/rules/syntaxSubject.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}"
+ },
+ {
+ "helper": "certutil",
+ "template": "-s {{ datarules|first }}"
+ }
+ ],
+ "options": {
+ "required": true
+ }
+}