From 7aca75a7142eba58d9cb3ab5d40f3224e53e2243 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 3 May 2017 06:17:32 +0000
Subject: [PATCH] cacert manage: support PKINIT
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
install/tools/man/ipa-cacert-manage.1 | 2 +-
ipaserver/install/ipa_cacert_manage.py | 21 +++++++++++++++++----
2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
index e36258d0f96aa1050fe88b05f4fe9a1a8f9a7978..03172814ffb603b656952ce5e9ad6af9c8238ab3 100644
|
|
|
ac7d03 |
--- a/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
+++ b/install/tools/man/ipa-cacert-manage.1
|
|
|
ac7d03 |
@@ -90,7 +90,7 @@ File containing the IPA CA certificate and the external CA certificate chain. Th
|
|
|
ac7d03 |
Nickname for the certificate.
|
|
|
ac7d03 |
.TP
|
|
|
ac7d03 |
\fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
|
|
|
ac7d03 |
-Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is for S/MIME, and Z is for code signing. Use ",," for no explicit trust.
|
|
|
ac7d03 |
+Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.
|
|
|
ac7d03 |
.sp
|
|
|
ac7d03 |
The supported trust flags are:
|
|
|
ac7d03 |
.RS
|
|
|
ac7d03 |
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
index d28a5966f054141819463cdb1dfef48ee1e46e92..e88e8b63ae94759ac835f3b3b31b0735d68a67b0 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
@@ -28,6 +28,7 @@ from ipalib.install import certmonger, certstore
|
|
|
ac7d03 |
from ipapython import admintool, ipautil
|
|
|
ac7d03 |
from ipapython.certdb import (EMPTY_TRUST_FLAGS,
|
|
|
ac7d03 |
EXTERNAL_CA_TRUST_FLAGS,
|
|
|
ac7d03 |
+ TrustFlags,
|
|
|
ac7d03 |
parse_trust_flags)
|
|
|
ac7d03 |
from ipapython.dn import DN
|
|
|
ac7d03 |
from ipaplatform.paths import paths
|
|
|
ac7d03 |
@@ -363,12 +364,24 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
"http://www.freeipa.org/page/Troubleshooting for "
|
|
|
ac7d03 |
"troubleshooting guide)" % e)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- trust_flags = options.trust_flags
|
|
|
ac7d03 |
- if ((set(trust_flags) - set(',CPTcgpuw')) or
|
|
|
ac7d03 |
- len(trust_flags.split(',')) != 3):
|
|
|
ac7d03 |
+ trust_flags = options.trust_flags.split(',')
|
|
|
ac7d03 |
+ if (set(options.trust_flags) - set(',CPTcgpuw') or
|
|
|
ac7d03 |
+ len(trust_flags) not in [3, 4]):
|
|
|
ac7d03 |
raise admintool.ScriptError("Invalid trust flags")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- trust_flags = parse_trust_flags(trust_flags)
|
|
|
ac7d03 |
+ extra_flags = trust_flags[3:]
|
|
|
ac7d03 |
+ extra_usages = set()
|
|
|
ac7d03 |
+ if extra_flags:
|
|
|
ac7d03 |
+ if 'C' in extra_flags[0]:
|
|
|
ac7d03 |
+ extra_usages.add(x509.EKU_PKINIT_KDC)
|
|
|
ac7d03 |
+ if 'T' in extra_flags[0]:
|
|
|
ac7d03 |
+ extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+ trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
|
|
|
ac7d03 |
+ trust_flags = TrustFlags(trust_flags.has_key,
|
|
|
ac7d03 |
+ trust_flags.trusted,
|
|
|
ac7d03 |
+ trust_flags.ca,
|
|
|
ac7d03 |
+ trust_flags.usages | extra_usages)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
certstore.put_ca_cert_nss(
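Review bot: The fourth (PKINIT) field is validated only against the shared character set `,CPTcgpuw` on the new `if`, so a value such as `CT,C,C,P` or `,,,u` passes the `Invalid trust flags` check and is then silently ignored, because only `C` and `T` in `extra_flags[0]` are mapped to an EKU; an operator who mistypes the PKINIT column gets the CA installed with less trust than requested and no error. Tighten the check right after `extra_flags = trust_flags[3:]`: `if extra_flags and set(extra_flags[0]) - set('CT'):` followed by `raise admintool.ScriptError("Invalid trust flags")`. Separately, the PKINIT usages are OR-ed into `trust_flags.usages` regardless of whether the first three fields grant CA trust, so `,,,C` produces a `TrustFlags` with `ca` false but `EKU_PKINIT_KDC` set — whether `certstore.put_ca_cert_nss` honours or rejects that combination is not visible here and is worth confirming, or documenting in the man page. The enclosing method starts before the hunk and its `try:` body continues past it.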
--
2.9.4