author | Fraser Tweedale <ftweedal@redhat.com> | 2016-08-08 14:27:20 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-12-12 13:03:15 +0100 |
commit | 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d (patch) | |
tree | 484f57785d6f872f22e118aed13df38d74a2591e /ipaclient | |
parent | cc5b88e5d4ac1171374be9ae8e6e60730243dd3d (diff) | |
Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA. Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values). Add the `--chain' flag for including the chain in the
result (chain is also included with `--all'). Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipaclient')
-rw-r--r-- | ipaclient/plugins/ca.py | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py
new file mode 100644
index 000000000..fcdf48463
--- /dev/null
+++ b/ipaclient/plugins/ca.py
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+import base64
+from ipaclient.frontend import MethodOverride
+from ipalib import util, x509, Str
+from ipalib.plugable import Registry
+from ipalib.text import _
+
+register = Registry()
+
+
+class WithCertOutArgs(MethodOverride):
+
+ takes_options = (
+ Str(
+ 'certificate_out?',
+ doc=_('Write certificate (chain if --chain used) to file'),
+ include='cli',
+ cli_metavar='FILE',
+ ),
+ )
+
+ def forward(self, *keys, **options):
+ filename = None
+ if 'certificate_out' in options:
+ filename = options.pop('certificate_out')
+ util.check_writable_file(filename)
+
+ result = super(WithCertOutArgs, self).forward(*keys, **options)
+ if filename:
+ def to_pem(x):
+ return x509.make_pem(x)
+ if options.get('chain', False):
+ ders = result['result']['certificate_chain']
+ data = '\n'.join(to_pem(base64.b64encode(der)) for der in ders)
+ else:
+ data = to_pem(result['result']['certificate'])
+ with open(filename, 'wb') as f:
+ f.write(data)
+
+ return result
+
+
+@register(override=True, no_fail=True)
+class ca_add(WithCertOutArgs):
+ pass
+
+
+@register(override=True, no_fail=True)
+class ca_show(WithCertOutArgs):
+ pass |
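Review bot: The file write at the end of `WithCertOutArgs.forward` happens only after the server call has returned, so any failure there (the path becoming unwritable after `util.check_writable_file(filename)` ran, or a missing `certificate`/`certificate_chain` key in `result['result']`) makes `ca_add` report an error even though the CA was already created. Catching the I/O error around `with open(filename, 'wb') as f:` and reporting it without discarding `result` would keep the outcome visible to the administrator. The file is also opened in binary mode while `data` is built with `'\n'.join(...)`, which under Python 3 would be `str` and raise `TypeError` on `f.write(data)`; if this client is meant to run there, `f.write(data.encode('ascii'))` or a text-mode open would make the types consistent. Finally, the chain branch base64-encodes each DER value before `make_pem` while the single-certificate branch does not, presumably because `certificate` already arrives base64-encoded; a comment such as `# 'certificate' is already base64 text; chain entries are raw DER` would stop a later reader from "fixing" the asymmetry.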