author | Christian Heimes <cheimes@redhat.com> | 2017-03-02 16:09:53 +0100 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2017-03-08 15:59:26 +0100 |
commit | 80be18162921268be9c8981495c9e8a4de0c85cd (patch) | |
tree | 3bd5245a257df520167976a3a83be89c5ea6bb54 /ipaclient/csrgen | |
parent | f8d7e37a091c1df4c989b80b8d19e12ab35533c8 (diff) | |
Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.
https://pagure.io/freeipa/issue/6714
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaclient/csrgen')
-rw-r--r-- | ipaclient/csrgen/profiles/caIPAserviceCert.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/profiles/userCert.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/dataDNS.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/dataEmail.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/dataHostCN.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/dataSubjectBase.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/dataUsernameCN.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/syntaxSAN.json | 15 | ||||
-rw-r--r-- | ipaclient/csrgen/rules/syntaxSubject.json | 16 | ||||
-rw-r--r-- | ipaclient/csrgen/templates/certutil_base.tmpl | 11 | ||||
-rw-r--r-- | ipaclient/csrgen/templates/openssl_base.tmpl | 35 | ||||
-rw-r--r-- | ipaclient/csrgen/templates/openssl_macros.tmpl | 29 |
12 files changed, 211 insertions, 0 deletions
diff --git a/ipaclient/csrgen/profiles/caIPAserviceCert.json b/ipaclient/csrgen/profiles/caIPAserviceCert.json
new file mode 100644
index 000000000..114d2ffd4
--- /dev/null
+++ b/ipaclient/csrgen/profiles/caIPAserviceCert.json
@@ -0,0 +1,15 @@
+[
+ {
+ "syntax": "syntaxSubject",
+ "data": [
+ "dataHostCN",
+ "dataSubjectBase"
+ ]
+ },
+ {
+ "syntax": "syntaxSAN",
+ "data": [
+ "dataDNS"
+ ]
+ }
+]
diff --git a/ipaclient/csrgen/profiles/userCert.json b/ipaclient/csrgen/profiles/userCert.json
new file mode 100644
index 000000000..d6cf5cfff
--- /dev/null
+++ b/ipaclient/csrgen/profiles/userCert.json
@@ -0,0 +1,15 @@
+[
+ {
+ "syntax": "syntaxSubject",
+ "data": [
+ "dataUsernameCN",
+ "dataSubjectBase"
+ ]
+ },
+ {
+ "syntax": "syntaxSAN",
+ "data": [
+ "dataEmail"
+ ]
+ }
+]
diff --git a/ipaclient/csrgen/rules/dataDNS.json b/ipaclient/csrgen/rules/dataDNS.json
new file mode 100644
index 000000000..2663f1141
--- /dev/null
+++ b/ipaclient/csrgen/rules/dataDNS.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "dns:{{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
+ }
+ ],
+ "options": {
+ "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+ }
+}
diff --git a/ipaclient/csrgen/rules/dataEmail.json b/ipaclient/csrgen/rules/dataEmail.json
new file mode 100644
index 000000000..2eae9fb25
--- /dev/null
+++ b/ipaclient/csrgen/rules/dataEmail.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "email = {{subject.mail.0}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "email:{{subject.mail.0|quote}}"
+ }
+ ],
+ "options": {
+ "data_source": "subject.mail.0"
+ }
+}
diff --git a/ipaclient/csrgen/rules/dataHostCN.json b/ipaclient/csrgen/rules/dataHostCN.json
new file mode 100644
index 000000000..5c415bb8c
--- /dev/null
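Review bot: The openssl rule in dataDNS.json inserts the principal's host part into the OpenSSL config unescaped (`DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}`), while the certutil rule right below it passes the same value through `|quote`; dataEmail.json, dataHostCN.json, dataSubjectBase.json and dataUsernameCN.json carry the same asymmetry. The `{% filter quote %}` in openssl_base.tmpl shell-quotes the finished config as one string, so it does not protect the config syntax itself: a value containing a newline or a `$` (OpenSSL config variable expansion) would still change how openssl reads the generated file. Whether the Jinja environment applies escaping of its own is not visible in this commit, and the values come from directory attributes rather than from the script's caller, so this reads as a robustness gap rather than an open hole. An escaping filter for OpenSSL config values, applied in the openssl rules the way `quote` is applied in the certutil rules, would close it and make the two helpers symmetric.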
+++ b/ipaclient/csrgen/rules/dataHostCN.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
+ }
+ ],
+ "options": {
+ "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+ }
+}
diff --git a/ipaclient/csrgen/rules/dataSubjectBase.json b/ipaclient/csrgen/rules/dataSubjectBase.json
new file mode 100644
index 000000000..309dfb1ed
--- /dev/null
+++ b/ipaclient/csrgen/rules/dataSubjectBase.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "{{config.ipacertificatesubjectbase.0}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "{{config.ipacertificatesubjectbase.0|quote}}"
+ }
+ ],
+ "options": {
+ "data_source": "config.ipacertificatesubjectbase.0"
+ }
+}
diff --git a/ipaclient/csrgen/rules/dataUsernameCN.json b/ipaclient/csrgen/rules/dataUsernameCN.json
new file mode 100644
index 000000000..37e7e0113
--- /dev/null
+++ b/ipaclient/csrgen/rules/dataUsernameCN.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "CN={{subject.uid.0}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "CN={{subject.uid.0|quote}}"
+ }
+ ],
+ "options": {
+ "data_source": "subject.uid.0"
+ }
+}
diff --git a/ipaclient/csrgen/rules/syntaxSAN.json b/ipaclient/csrgen/rules/syntaxSAN.json
new file mode 100644
index 000000000..122eb1244
--- /dev/null
+++ b/ipaclient/csrgen/rules/syntaxSAN.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}",
+ "options": {
+ "extension": true
+ }
+ },
+ {
+ "helper": "certutil",
+ "template": "--extSAN {{ datarules|join(',') }}"
+ }
+ ]
+}
diff --git a/ipaclient/csrgen/rules/syntaxSubject.json b/ipaclient/csrgen/rules/syntaxSubject.json
new file mode 100644
index 000000000..af6ec03d3
--- /dev/null
+++ b/ipaclient/csrgen/rules/syntaxSubject.json
@@ -0,0 +1,16 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
+ },
+ {
+ "helper": "certutil",
+ "template": "-s {{ datarules|join(',') }}"
+ }
+ ],
+ "options": {
+ "required": true,
+ "data_source_combinator": "and"
+ }
+}
diff --git a/ipaclient/csrgen/templates/certutil_base.tmpl b/ipaclient/csrgen/templates/certutil_base.tmpl
new file mode 100644
index 000000000..a5556fda0
--- /dev/null
+++ b/ipaclient/csrgen/templates/certutil_base.tmpl
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: $0 <outfile> [<any> <certutil> <args>]"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CSR="$1"
+shift
+certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@"
diff --git a/ipaclient/csrgen/templates/openssl_base.tmpl b/ipaclient/csrgen/templates/openssl_base.tmpl
new file mode 100644
index 000000000..22b16862e
--- /dev/null
+++ b/ipaclient/csrgen/templates/openssl_base.tmpl
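Review bot: `{{ options|join(' ') }}` on the certutil line of certutil_base.tmpl is left unquoted so that each option expands to separate arguments, which only stays safe because every value that reaches it has already been shell-quoted by its rule (`|quote` in the certutil templates of the data rules, joined into `-s ...` and `--extSAN ...` by the syntax rules); the template itself does not record that contract. A Jinja comment above the command, e.g. `{# every entry in options must already be shell-quoted by the rule that produced it #}`, would keep a future rule from adding an unquoted value. Separately, the `-e` on the shebang is only honored when the generated script is executed directly; an explicit `set -e` as the second line keeps the same failure semantics if it is ever run as `bash <script>`.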
@@ -0,0 +1,35 @@
+{% raw -%}
+{% import "openssl_macros.tmpl" as openssl -%}
+{%- endraw %}
+#!/bin/bash -e
+
+if [[ $# -lt 2 ]]; then
+echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CONFIG="$(mktemp)"
+CSR="$1"
+KEYFILE="$2"
+shift; shift
+
+echo \
+{% raw %}{% filter quote %}{% endraw -%}
+[ req ]
+prompt = no
+encrypt_key = no
+
+{{ parameters|join('\n') }}
+{% raw %}{% set rendered_extensions -%}{% endraw %}
+{{ extensions|join('\n') }}
+{% raw -%}
+{%- endset -%}
+{% if rendered_extensions -%}
+req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
+{% endif %}
+{{ openssl.openssl_sections|join('\n\n') }}
+{% endfilter %}{%- endraw %} > "$CONFIG"
+
+openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
+rm "$CONFIG"
diff --git a/ipaclient/csrgen/templates/openssl_macros.tmpl b/ipaclient/csrgen/templates/openssl_macros.tmpl
new file mode 100644
index 000000000..d31b8fef5
--- /dev/null
+++ b/ipaclient/csrgen/templates/openssl_macros.tmpl
@@ -0,0 +1,29 @@
+{# List containing rendered sections to be included at end #}
+{% set openssl_sections = [] %}
+
+{#
+List containing one entry for each section name allocated. Because of
+scoping rules, we need to use a list so that it can be a "per-render global"
+that gets updated in place. Real globals are shared by all templates with the
+same environment, and variables defined in the macro don't persist after the
+macro invocation ends.
+#}
+{% set openssl_section_num = [] %}
+
+{% macro section() -%}
+{% set name -%}
+sec{{ openssl_section_num|length -}}
+{% endset -%}
+{% do openssl_section_num.append('') -%}
+{% set contents %}{{ caller() }}{% endset -%}
+{% if contents -%}
+{% set sectiondata = formatsection(name, contents) -%}
+{% do openssl_sections.append(sectiondata) -%}
+{% endif -%}
+{{ name -}}
+{% endmacro %}
+
+{% macro formatsection(name, contents) -%}
+[ {{ name }} ]
+{{ contents -}}
+{% endmacro %} |
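Review bot: `rm "$CONFIG"` at the end of openssl_base.tmpl is only reached when `openssl req` succeeds; because of `-e`, a failing request (or a failing redirection into `"$CONFIG"`) exits first and leaves the mktemp file with the rendered request config behind in the temp directory. Registering the cleanup right after the file is created, `trap 'rm -f "$CONFIG"' EXIT` on the line after `CONFIG="$(mktemp)"`, covers both paths and makes the trailing `rm` redundant. The config is also written with `echo \`, whose builtin interprets backslashes when `xpg_echo` is set; `printf '%s\n' \` followed by the same quoted argument avoids that dependency. The `{% raw %}` wrappers around the import and the `quote` filter suggest this file is rendered in two passes, with the quoting and the section macros running in the second one; a leading Jinja comment stating that would help, since nothing in the file says so.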