| author | Jan Cholasta <jcholast@redhat.com> | 2014-02-27 15:09:10 +0100 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
| commit | 2c43a3d0d564b2cfc910d80c42d2ac3c55c9aeb3 (patch) | |
| tree | 39ba246c8ea00d16da5070b77d16536beadfb4bf /install/tools/ipa-server-install | |
| parent | 2109d6611bafe75f352eb35cfc7b04f2fb113ce3 (diff) | |
Move external cert validation from ipa-server-install to installutils.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/tools/ipa-server-install')
| -rwxr-xr-x | install/tools/ipa-server-install | 45 |
1 files changed, 4 insertions, 41 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index da6004132..9b76e9510 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython import ipautil
 from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
-from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
 from ipalib.util import validate_domain_name
 from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
@@ -749,48 +748,12 @@ def main(): if options.external_cert_file: try: - extcert = load_certificate_from_file(options.external_cert_file) - except IOError, e: - print "Can't load the PEM certificate: %s." % str(e) - sys.exit(1) - except nss.error.NSPRError: - print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file - sys.exit(1) - - certsubject = DN(str(extcert.subject)) - wantsubject = DN(('CN','Certificate Authority'), options.subject) - if certsubject != wantsubject: - print "Subject of the external certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject) - sys.exit(1) - - try: - extchain = load_certificate_chain_from_file(options.external_ca_file) - except IOError, e: - print "Can't load the external CA chain: %s." % str(e) - sys.exit(1) - except nss.error.NSPRError: - print "'%s' is not a valid PEM-encoded certificate chain." % options.external_ca_file - sys.exit(1) - - certdict = dict((DN(str(cert.subject)), cert) for cert in extchain) - del extchain - certissuer = DN(str(extcert.issuer)) - if certissuer not in certdict: - print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer + validate_external_cert(options.external_cert_file, + options.external_ca_file, options.subject) + except ValueError, e: + print e sys.exit(1) - cert = extcert - del extcert - while cert.issuer != cert.subject: - certissuer = DN(str(cert.issuer)) - if certissuer not in certdict: - print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer - sys.exit(1) - del cert - cert = certdict[certissuer] - del certdict - del cert - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False |
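Review bot: The new `except ValueError, e:` is the only handler around `validate_external_cert(...)`, whereas the removed code also caught `IOError` and `nss.error.NSPRError` for unreadable or non-PEM files. The helper's body lives in installutils and is not shown here, so unless it converts those errors into `ValueError`, a bad path or malformed file would now end the installer with a traceback instead of a message; if it does not, consider `except (ValueError, IOError, nss.error.NSPRError), e:`. No import is added in this file, so the name presumably arrives through an existing wildcard import; an explicit import would make this security-relevant call easier to trace. If the helper keeps the removed logic, it only matches subject and issuer DNs and does not verify signatures, which deserves a comment at the call site such as `# Sanity check on DNs only; signatures are not verified here`. main() starts and continues outside this hunk.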
