ac7d03
From 7aca75a7142eba58d9cb3ab5d40f3224e53e2243 Mon Sep 17 00:00:00 2001
ac7d03
From: Jan Cholasta <jcholast@redhat.com>
ac7d03
Date: Wed, 3 May 2017 06:17:32 +0000
ac7d03
Subject: [PATCH] cacert manage: support PKINIT
ac7d03
ac7d03
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
ac7d03
and/or client certificates.
ac7d03
ac7d03
https://pagure.io/freeipa/issue/6831
ac7d03
ac7d03
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ac7d03
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ac7d03
---
ac7d03
 install/tools/man/ipa-cacert-manage.1  |  2 +-
ac7d03
 ipaserver/install/ipa_cacert_manage.py | 21 +++++++++++++++++----
ac7d03
 2 files changed, 18 insertions(+), 5 deletions(-)
ac7d03
ac7d03
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
ac7d03
index e36258d0f96aa1050fe88b05f4fe9a1a8f9a7978..03172814ffb603b656952ce5e9ad6af9c8238ab3 100644
ac7d03
--- a/install/tools/man/ipa-cacert-manage.1
ac7d03
+++ b/install/tools/man/ipa-cacert-manage.1
ac7d03
@@ -90,7 +90,7 @@ File containing the IPA CA certificate and the external CA certificate chain. Th
ac7d03
 Nickname for the certificate.
ac7d03
 .TP
ac7d03
 \fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
ac7d03
-Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is for S/MIME, and Z is for code signing. Use ",," for no explicit trust.
ac7d03
+Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.
ac7d03
 .sp
ac7d03
 The supported trust flags are:
ac7d03
 .RS
ac7d03
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
ac7d03
index d28a5966f054141819463cdb1dfef48ee1e46e92..e88e8b63ae94759ac835f3b3b31b0735d68a67b0 100644
ac7d03
--- a/ipaserver/install/ipa_cacert_manage.py
ac7d03
+++ b/ipaserver/install/ipa_cacert_manage.py
ac7d03
@@ -28,6 +28,7 @@ from ipalib.install import certmonger, certstore
ac7d03
 from ipapython import admintool, ipautil
ac7d03
 from ipapython.certdb import (EMPTY_TRUST_FLAGS,
ac7d03
                               EXTERNAL_CA_TRUST_FLAGS,
ac7d03
+                              TrustFlags,
ac7d03
                               parse_trust_flags)
ac7d03
 from ipapython.dn import DN
ac7d03
 from ipaplatform.paths import paths
ac7d03
@@ -363,12 +364,24 @@ class CACertManage(admintool.AdminTool):
ac7d03
                     "http://www.freeipa.org/page/Troubleshooting for "
ac7d03
                     "troubleshooting guide)" % e)
ac7d03
 
ac7d03
-        trust_flags = options.trust_flags
ac7d03
-        if ((set(trust_flags) - set(',CPTcgpuw')) or
ac7d03
-            len(trust_flags.split(',')) != 3):
ac7d03
+        trust_flags = options.trust_flags.split(',')
ac7d03
+        if (set(options.trust_flags) - set(',CPTcgpuw') or
ac7d03
+                len(trust_flags) not in [3, 4]):
ac7d03
             raise admintool.ScriptError("Invalid trust flags")
ac7d03
 
ac7d03
-        trust_flags = parse_trust_flags(trust_flags)
ac7d03
+        extra_flags = trust_flags[3:]
ac7d03
+        extra_usages = set()
ac7d03
+        if extra_flags:
ac7d03
+            if 'C' in extra_flags[0]:
ac7d03
+                extra_usages.add(x509.EKU_PKINIT_KDC)
ac7d03
+            if 'T' in extra_flags[0]:
ac7d03
+                extra_usages.add(x509.EKU_PKINIT_CLIENT_AUTH)
ac7d03
+
ac7d03
+        trust_flags = parse_trust_flags(','.join(trust_flags[:3]))
ac7d03
+        trust_flags = TrustFlags(trust_flags.has_key,
ac7d03
+                                 trust_flags.trusted,
ac7d03
+                                 trust_flags.ca,
ac7d03
+                                 trust_flags.usages | extra_usages)
ac7d03
 
ac7d03
         try:
ac7d03
             certstore.put_ca_cert_nss(
ac7d03
-- 
ac7d03
2.9.4
ac7d03