diff options
author | Simo Sorce <simo@redhat.com> | 2015-08-07 11:44:59 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-10-15 14:24:33 +0200 |
commit | 86240938b58cd9bf85a96d34c39b55f6d59a36b8 (patch) | |
tree | c6eb2343cd05eb73d4979816f6d38716aedf18ed /ipaserver/install/custodiainstance.py | |
parent | 5761f73e2598dc404a3b51c6810e3dd250d2ba11 (diff) | |
download | freeipa-86240938b58cd9bf85a96d34c39b55f6d59a36b8.tar.gz freeipa-86240938b58cd9bf85a96d34c39b55f6d59a36b8.tar.xz freeipa-86240938b58cd9bf85a96d34c39b55f6d59a36b8.zip |
Add function to extract CA certs for install
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/custodiainstance.py')
-rw-r--r-- | ipaserver/install/custodiainstance.py | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index f506ba163..6f4afb3a9 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -6,7 +6,11 @@ from ipaplatform.paths import paths from service import SimpleServiceInstance from ipapython import ipautil from ipaserver.install import installutils +from base64 import b64encode, b64decode +from jwcrypto.common import json_decode +import shutil import os +import tempfile class CustodiaInstance(SimpleServiceInstance): @@ -74,6 +78,57 @@ class CustodiaInstance(SimpleServiceInstance): cli = CustodiaClient(self.fqdn, master_host_name, self.realm) cli.fetch_key('dm/DMHash') + def get_ca_keys(self, ca_host, cacerts_file, cacerts_pwd): + # Fecth all needed certs one by one, then combine them in a single + # p12 file + certlist = ['caSigningCert cert-pki-ca', + 'ocspSigningCert cert-pki-ca', + 'auditSigningCert cert-pki-ca', + 'subsystemCert cert-pki-ca'] + + cli = CustodiaClient(self.fqdn, ca_host, self.realm) + + # Temporary nssdb + tmpnssdir = tempfile.mkdtemp(dir=paths.TMP) + try: + # Temporary nssdb password + nsspwfile = os.path.join(tmpnssdir, 'nsspwfile') + with open(nsspwfile, 'w+') as f: + f.write(b64encode(os.urandom(16))) + f.flush() + + # Cert file password + crtpwfile = os.path.join(tmpnssdir, 'crtpwfile') + with open(crtpwfile, 'w+') as f: + f.write(cacerts_pwd) + f.flush() + + for nickname in certlist: + value = cli.fetch_key(os.path.join('ca', nickname), False) + v = json_decode(value) + pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile') + with open(pk12pwfile, 'w+') as f: + f.write(v['export password']) + pk12file = os.path.join(tmpnssdir, 'pk12file') + with open(pk12file, 'w+') as f: + f.write(b64decode(v['pkcs12 data'])) + ipautil.run([paths.PK12UTIL, + '-d', tmpnssdir, + '-k', nsspwfile, + '-n', nickname, + '-i', pk12file, + '-w', pk12pwfile]) + + # Now that we gathered all certs, re-export + ipautil.run([paths.PKCS12EXPORT, + '-d', tmpnssdir, + '-p', nsspwfile, + '-w', crtpwfile, + '-o', cacerts_file]) + + finally: + shutil.rmtree(tmpnssdir) + def __start(self): super(CustodiaInstance, self).__start() |