def execute(self, serial_number, **kw):
ca_enabled_check()
# Make sure that the cert specified by issuer+serial exists.
# Will raise NotFound if it does not.
resp = api.Command.cert_show(unicode(serial_number), cacn=kw['cacn'])
try:
self.check_access()
except errors.ACIError as acierr:
self.debug(
"Not granted by ACI to revoke certificate, looking at principal"
)
try:
cert = x509.load_certificate(resp['result']['certificate'])
if not bind_principal_can_manage_cert(cert):
raise acierr
except errors.NotImplementedError:
raise acierr
revocation_reason = kw['revocation_reason']
if revocation_reason == 7:
raise errors.CertificateOperationError(
error=_('7 is not a valid revocation reason'))
return dict(
# Dogtag lightweight CAs have shared serial number domain, so
# we don't tell Dogtag the issuer (but we already checked that
# the given serial was issued by the named ca).
result=self.Backend.ra.revoke_certificate(
str(serial_number), revocation_reason=revocation_reason))
def execute(self, csr, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
principal = kw.get('principal')
add = kw.get('add')
request_type = kw.get('request_type')
service = None
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
bind_principal = getattr(context, 'principal')
# Can this user request certs?
if not bind_principal.startswith('host/'):
self.check_access()
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error), e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") %
e)
def get_csr_hostname(csr):
"""
Return the value of CN in the subject of the request or None
"""
try:
request = pkcs10.load_certificate_request(csr)
subject = pkcs10.get_subject(request)
return subject.common_name
except NSPRError, nsprerr:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request:'))
def get_subjectaltname(csr):
"""
Return the first value of the subject alt name, if any
"""
try:
request = pkcs10.load_certificate_request(csr)
for extension in request.extensions:
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
return nss.x509_alt_name(extension.value)[0]
return None
except NSPRError, nsprerr:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request'))
def forward(self, csr=None, **options):
database = options.pop('database', None)
private_key = options.pop('private_key', None)
csr_profile_id = options.pop('csr_profile_id', None)
password_file = options.pop('password_file', None)
if csr is None:
# Deferred import, ipaclient.csrgen is expensive to load.
# see https://pagure.io/freeipa/issue/7484
from ipaclient import csrgen
if database:
adaptor = csrgen.NSSAdaptor(database, password_file)
elif private_key:
adaptor = csrgen.OpenSSLAdaptor(
key_filename=private_key, password_filename=password_file)
else:
raise errors.InvocationError(
message=u"One of 'database' or 'private_key' is required")
pubkey_info = adaptor.get_subject_public_key_info()
pubkey_info_b64 = base64.b64encode(pubkey_info)
# If csr_profile_id is passed, that takes precedence.
# Otherwise, use profile_id. If neither are passed, the default
# in cert_get_requestdata will be used.
profile_id = csr_profile_id
if profile_id is None:
profile_id = options.get('profile_id')
response = self.api.Command.cert_get_requestdata(
profile_id=profile_id,
principal=options.get('principal'),
public_key_info=pubkey_info_b64)
req_info_b64 = response['result']['request_info']
req_info = base64.b64decode(req_info_b64)
csr = adaptor.sign_csr(req_info)
if not csr:
raise errors.CertificateOperationError(
error=(_('Generated CSR was empty')))
else:
if database is not None or private_key is not None:
raise errors.MutuallyExclusiveError(reason=_(
"Options 'database' and 'private_key' are not compatible"
" with 'csr'"))
return super(cert_request, self).forward(csr, **options)
class ra(rabase.rabase):
"""
Request Authority backend plugin.
"""
def request_certificate(self, csr, request_type='pkcs10'):
"""
:param csr: The certificate signing request.
:param request_type: The request type (defaults to ``'pkcs10'``).
Submit certificate signing request.
The command returns a dict with these possible key/value pairs.
Some key/value pairs may be absent.
+---------------+---------------+---------------+
|result name |result type |comments |
+===============+===============+===============+
|serial_number |unicode [1]_ | |
+---------------+---------------+---------------+
|certificate |unicode [2]_ | |
+---------------+---------------+---------------+
|request_id |unicode | |
+---------------+---------------+---------------+
|subject |unicode | |
+---------------+---------------+---------------+
.. [1] Passed through XMLRPC as decimal string. Can convert to
optimal integer type (int or long) via int(serial_number)
.. [2] Base64 encoded
"""
try:
config = api.Command['config_show']()['result']
subject_base = EditableDN(config.get('ipacertificatesubjectbase')[0])
hostname = get_csr_hostname(csr)
subject_base.insert(0, RDN(('CN', hostname)))
request = pkcs10.load_certificate_request(csr)
# python-nss normalizes the request subject
request_subject = DN(str(pkcs10.get_subject(request)))
if subject_base != request_subject:
raise errors.CertificateOperationError(error=_('Request subject "%(request_subject)s" does not match the form "%(subject_base)s"') % \
{'request_subject' : request_subject, 'subject_base' : subject_base})
except errors.CertificateOperationError, e:
raise e
except NSPRError, e:
raise errors.CertificateOperationError(error=_('unable to decode csr: %s') % e)
def forward(self, csr=None, **options):
database = options.pop('database', None)
private_key = options.pop('private_key', None)
csr_profile_id = options.pop('csr_profile_id', None)
password_file = options.pop('password_file', None)
if csr is None:
if database:
adaptor = csrgen.NSSAdaptor(database, password_file)
elif private_key:
adaptor = csrgen.OpenSSLAdaptor(private_key, password_file)
else:
raise errors.InvocationError(
message=u"One of 'database' or 'private_key' is required")
pubkey_info = adaptor.get_subject_public_key_info()
pubkey_info_b64 = base64.b64encode(pubkey_info)
# If csr_profile_id is passed, that takes precedence.
# Otherwise, use profile_id. If neither are passed, the default
# in cert_get_requestdata will be used.
profile_id = csr_profile_id
if profile_id is None:
profile_id = options.get('profile_id')
response = self.api.Command.cert_get_requestdata(
profile_id=profile_id,
principal=options.get('principal'),
public_key_info=unicode(pubkey_info_b64))
req_info_b64 = response['result']['request_info']
req_info = base64.b64decode(req_info_b64)
csr = adaptor.sign_csr(req_info)
if not csr:
raise errors.CertificateOperationError(
error=(_('Generated CSR was empty')))
# cert_request requires the CSR to be base64-encoded (but PEM
# header and footer are not required)
csr = unicode(base64.b64encode(csr))
else:
if database is not None or private_key is not None:
raise errors.MutuallyExclusiveError(reason=_(
"Options 'database' and 'private_key' are not compatible"
" with 'csr'"))
return super(cert_request, self).forward(csr, **options)
def validate_csr(ugettext, csr):
"""
Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
parser.
"""
if api.env.context == 'cli':
# If we are passed in a pointer to a valid file on the client side
# escape and let the load_files() handle things
if csr and os.path.exists(csr):
return
try:
pkcs10.load_certificate_request(csr)
except (TypeError, ValueError) as e:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request: %s') % e)
def verify_cert_subject(ldap, hostname, dercert):
"""
Verify that the certificate issuer we're adding matches the issuer
base of our installation.
This assumes the certificate has already been normalized.
This raises an exception on errors and returns nothing otherwise.
"""
nsscert = load_certificate(dercert, datatype=DER)
subject = str(nsscert.subject)
issuer = str(nsscert.issuer)
del (nsscert)
if (not valid_issuer(issuer)):
raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
{'issuer' : issuer})
class cert_revoke(VirtualCommand):
__doc__ = _('Revoke a certificate.')
takes_args = _serial_number
has_output_params = (Flag(
'revoked',
label=_('Revoked'),
), )
operation = "revoke certificate"
# FIXME: The default is 0. Is this really an Int param?
takes_options = (Int('revocation_reason',
label=_('Reason'),
doc=_('Reason for revoking the certificate (0-10)'),
minvalue=0,
maxvalue=10,
default=0,
autofill=True), )
def execute(self, serial_number, **kw):
ca_enabled_check()
hostname = None
try:
self.check_access()
except errors.ACIError, acierr:
self.debug(
"Not granted by ACI to revoke certificate, looking at principal"
)
try:
# Let cert_show() handle verifying that the subject of the
# cert we're dealing with matches the hostname in the principal
result = api.Command['cert_show'](
unicode(serial_number))['result']
except errors.NotImplementedError:
pass
revocation_reason = kw['revocation_reason']
if revocation_reason == 7:
raise errors.CertificateOperationError(
error=_('7 is not a valid revocation reason'))
return dict(result=self.Backend.ra.revoke_certificate(
serial_number, revocation_reason=revocation_reason))
def execute(self, serial_number, **kw):
ca_enabled_check()
hostname = None
try:
self.check_access()
except errors.ACIError as acierr:
self.debug(
"Not granted by ACI to revoke certificate, looking at principal"
)
try:
# Let cert_show() handle verifying that the subject of the
# cert we're dealing with matches the hostname in the principal
result = api.Command['cert_show'](
unicode(serial_number))['result']
except errors.NotImplementedError:
pass
revocation_reason = kw['revocation_reason']
if revocation_reason == 7:
raise errors.CertificateOperationError(
error=_('7 is not a valid revocation reason'))
return dict(result=self.Backend.ra.revoke_certificate(
serial_number, revocation_reason=revocation_reason))
class test_service(Declarative):
cleanup_commands = [
('host_del', [fqdn1], {}),
('host_del', [fqdn2], {}),
('host_del', [fqdn3], {}),
('service_del', [service1], {}),
]
tests = [
dict(
desc='Try to retrieve non-existent %r' % service1,
command=('service_show', [service1], {}),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(
desc='Try to update non-existent %r' % service1,
command=('service_mod', [service1],
dict(usercertificate=get_testcert())),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(
desc='Try to delete non-existent %r' % service1,
command=('service_del', [service1], {}),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(
desc='Create %r' % fqdn1,
command=(
'host_add',
[fqdn1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
force=True,
),
),
expected=dict(
value=fqdn1,
summary=u'Added host "%s"' % fqdn1,
result=dict(
dn=host1dn,
fqdn=[fqdn1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % fqdn2,
command=(
'host_add',
[fqdn2],
dict(
description=u'Test host 2',
l=u'Undisclosed location 2',
force=True,
),
),
expected=dict(
value=fqdn2,
summary=u'Added host "%s"' % fqdn2,
result=dict(
dn=host2dn,
fqdn=[fqdn2],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn2],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % fqdn3,
command=(
'host_add',
[fqdn3],
dict(
description=u'Test host 3',
l=u'Undisclosed location 3',
force=True,
),
),
expected=dict(
value=fqdn3.lower(),
summary=u'Added host "%s"' % fqdn3.lower(),
result=dict(
dn=host3dn,
fqdn=[fqdn3.lower()],
description=[u'Test host 3'],
l=[u'Undisclosed location 3'],
krbprincipalname=[
u'host/%s@%s' % (fqdn3.lower(), api.env.realm)
],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn3.lower()],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % service1,
command=(
'service_add',
[service1],
dict(force=True, ),
),
expected=dict(
value=service1,
summary=u'Added service "%s"' % service1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Try to create duplicate %r' % service1,
command=(
'service_add',
[service1],
dict(force=True, ),
),
expected=errors.DuplicateEntry(
message=u'service with name "%s" already exists' % service1),
),
dict(
desc='Retrieve %r' % service1,
command=('service_show', [service1], {}),
expected=dict(
value=service1,
summary=None,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
has_keytab=False,
managedby_host=[fqdn1],
),
),
),
dict(
desc='Retrieve %r with all=True' % service1,
command=('service_show', [service1], dict(all=True)),
expected=dict(
value=service1,
summary=None,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
ipakrbprincipalalias=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1],
has_keytab=False,
ipakrbrequirespreauth=True,
ipakrbokasdelegate=False,
),
),
),
dict(
desc='Search for %r' % service1,
command=('service_find', [service1], {}),
expected=dict(
count=1,
truncated=False,
summary=u'1 service matched',
result=[
dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
has_keytab=False,
),
],
),
),
dict(
desc='Search for %r with all=True' % service1,
command=('service_find', [service1], dict(all=True)),
expected=dict(
count=1,
truncated=False,
summary=u'1 service matched',
result=[
dict(
dn=service1dn,
krbprincipalname=[service1],
ipakrbprincipalalias=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
has_keytab=False,
managedby_host=[fqdn1],
ipakrbrequirespreauth=True,
ipakrbokasdelegate=False,
),
],
),
),
dict(
desc='Add non-existent host to %r' % service1,
command=('service_add_host', [service1], dict(host=u'notfound')),
expected=dict(
failed=dict(managedby=dict(host=[(u'notfound',
u'no such entry')])),
completed=0,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Remove non-existent host from %r' % service1,
command=('service_remove_host', [service1],
dict(host=u'notfound')),
expected=dict(
failed=dict(managedby=dict(
host=[(u'notfound', u'This entry is not a member')])),
completed=0,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Add host to %r' % service1,
command=('service_add_host', [service1], dict(host=fqdn2)),
expected=dict(
failed=dict(managedby=dict(host=[])),
completed=1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1, fqdn2],
),
),
),
dict(
desc='Remove host from %r' % service1,
command=('service_remove_host', [service1], dict(host=fqdn2)),
expected=dict(
failed=dict(managedby=dict(host=[])),
completed=1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Add mixed-case host to %r' % service1,
command=('service_add_host', [service1], dict(host=fqdn3)),
expected=dict(
failed=dict(managedby=dict(host=[])),
completed=1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1, fqdn3.lower()],
),
),
),
dict(
desc='Remove mixed-case host from %r' % service1,
command=('service_remove_host', [service1], dict(host=fqdn3)),
expected=dict(
failed=dict(managedby=dict(host=[])),
completed=1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Update %r with a bad certificate' % service1,
command=('service_mod', [service1],
dict(usercertificate=badservercert)),
expected=errors.CertificateOperationError(
error=u'Issuer "CN=IPA Test Certificate Authority" does not ' +
u'match the expected issuer'),
),
dict(
desc='Update %r' % service1,
command=('service_mod', [service1],
dict(usercertificate=get_testcert())),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
managedby_host=[fqdn1],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
),
dict(desc='Try to update %r with invalid ipakrbauthz data '
'combination' % service1,
command=('service_mod', [service1],
dict(ipakrbauthzdata=[u'MS-PAC', u'NONE'])),
expected=errors.ValidationError(
name='ipakrbauthzdata',
error=u'NONE value cannot be combined with other PAC types')),
dict(
desc='Update %r with valid ipakrbauthz data '
'combination' % service1,
command=('service_mod', [service1],
dict(ipakrbauthzdata=[u'MS-PAC'])),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
),
dict(
desc='Retrieve %r to verify update' % service1,
command=('service_show', [service1], {}),
expected=dict(
value=service1,
summary=None,
result=dict(
dn=service1dn,
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
has_keytab=False,
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
# These values come from the servercert that is in this
# test case.
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
),
dict(
desc='Enable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
command=('service_mod', [service1], dict(ipakrbokasdelegate=True)),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1048704'],
ipakrbokasdelegate=True,
),
),
),
dict(
desc='Update %r Kerberos ticket flags with setattr' % service1,
command=('service_mod', [service1],
dict(setattr=[u'krbTicketFlags=1048577'])),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1048577'],
),
),
),
dict(
desc='Disable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
command=('service_mod', [service1],
dict(ipakrbokasdelegate=False)),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(get_testcert())],
krbprincipalname=[service1],
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN', api.env.host), x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1'],
ipakrbokasdelegate=False,
),
),
),
dict(
desc='Delete %r' % service1,
command=('service_del', [service1], {}),
expected=dict(
value=[service1],
summary=u'Deleted service "%s"' % service1,
result=dict(failed=[]),
),
),
dict(
desc='Try to retrieve non-existent %r' % service1,
command=('service_show', [service1], {}),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(
desc='Try to update non-existent %r' % service1,
command=('service_mod', [service1],
dict(usercertificate=get_testcert())),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(
desc='Try to delete non-existent %r' % service1,
command=('service_del', [service1], {}),
expected=errors.NotFound(reason=u'%s: service not found' %
service1),
),
dict(desc='Create service with malformed principal "foo"',
command=('service_add', [u'foo'], {}),
expected=errors.MalformedServicePrincipal(
reason='missing service')),
dict(
desc='Create service with bad realm "HTTP/[email protected]"',
command=('service_add', [u'HTTP/[email protected]'], {}),
expected=errors.RealmMismatch(),
),
dict(desc='Create a host service %r' % hostprincipal1,
command=('service_add', [hostprincipal1], {}),
expected=errors.HostService()),
# These tests will only succeed when running against lite-server.py
# on same box as IPA install.
dict(
desc=
'Delete the current host (master?) %s HTTP service, should be caught'
% api.env.host,
command=('service_del', ['HTTP/%s' % api.env.host], {}),
expected=errors.ValidationError(
name='principal',
error='This principal is required by the IPA master'),
),
dict(
desc=
'Delete the current host (master?) %s ldap service, should be caught'
% api.env.host,
command=('service_del', ['ldap/%s' % api.env.host], {}),
expected=errors.ValidationError(
name='principal',
error='This principal is required by the IPA master'),
),
dict(
desc=
'Disable the current host (master?) %s HTTP service, should be caught'
% api.env.host,
command=('service_disable', ['HTTP/%s' % api.env.host], {}),
expected=errors.ValidationError(
name='principal',
error='This principal is required by the IPA master'),
),
dict(
desc=
'Disable the current host (master?) %s ldap service, should be caught'
% api.env.host,
command=('service_disable', ['ldap/%s' % api.env.host], {}),
expected=errors.ValidationError(
name='principal',
error='This principal is required by the IPA master'),
),
]
def execute(self, csr, all=False, raw=False, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
add = kw.get('add')
request_type = kw.get('request_type')
profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
# Check that requested authority exists (done before CA ACL
# enforcement so that user gets better error message if
# referencing nonexistant CA) and look up authority ID.
#
ca = kw['cacn']
ca_obj = api.Command.ca_show(ca)['result']
ca_id = ca_obj['ipacaid'][0]
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
principal = kw.get('principal')
principal_string = unicode(principal)
if principal.is_user:
principal_type = USER
elif principal.is_host:
principal_type = HOST
else:
principal_type = SERVICE
bind_principal = kerberos.Principal(getattr(context, 'principal'))
bind_principal_string = unicode(bind_principal)
if bind_principal.is_user:
bind_principal_type = USER
elif bind_principal.is_host:
bind_principal_type = HOST
else:
bind_principal_type = SERVICE
if (bind_principal_string != principal_string
and bind_principal_type != HOST):
# Can the bound principal request certs for another principal?
self.check_access()
try:
self.check_access("request certificate ignore caacl")
bypass_caacl = True
except errors.ACIError:
bypass_caacl = False
if not bypass_caacl:
caacl_check(principal_type, principal, ca, profile_id)
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error, ValueError) as e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") %
e)
# self-service and host principals may bypass SAN permission check
if (bind_principal_string != principal_string
and bind_principal_type != HOST):
if '2.5.29.17' in extensions:
self.check_access('request certificate with subjectaltname')
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if principal_type == SERVICE:
principal_obj = api.Command['service_show'](principal_string,
all=True)
elif principal_type == HOST:
principal_obj = api.Command['host_show'](principal.hostname,
all=True)
elif principal_type == USER:
principal_obj = api.Command['user_show'](principal.username,
all=True)
except errors.NotFound as e:
if add:
if principal_type == SERVICE:
principal_obj = api.Command['service_add'](
principal_string, force=True)
else:
princtype_str = PRINCIPAL_TYPE_STRING_MAP[principal_type]
raise errors.OperationNotSupportedForPrincipalType(
operation=_("'add' option"),
principal_type=princtype_str)
else:
raise errors.NotFound(
reason=_("The principal for this request doesn't exist."))
principal_obj = principal_obj['result']
dn = principal_obj['dn']
# Ensure that the DN in the CSR matches the principal
cn = subject.common_name #pylint: disable=E1101
if not cn:
raise errors.ValidationError(
name='csr',
error=_("No Common Name was found in subject of request."))
if principal_type in (SERVICE, HOST):
if cn.lower() != principal.hostname.lower():
raise errors.ACIError(info=_(
"hostname in subject of request '%(cn)s' "
"does not match principal hostname '%(hostname)s'") %
dict(cn=cn, hostname=principal.hostname))
elif principal_type == USER:
# check user name
if cn != principal.username:
raise errors.ValidationError(
name='csr',
error=_("DN commonName does not match user's login"))
# check email address
mail = subject.email_address #pylint: disable=E1101
if mail is not None and mail not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("DN emailAddress does not match "
"any of user's email addresses"))
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(
info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") %
dn)
# Validate the subject alt name, if any
for name_type, desc, name, _der_name in subjectaltname:
if name_type == nss.certDNSName:
name = unicode(name)
alt_principal = None
alt_principal_obj = None
try:
if principal_type == HOST:
alt_principal = kerberos.Principal((u'host', name),
principal.realm)
alt_principal_obj = api.Command['host_show'](name,
all=True)
elif principal_type == SERVICE:
alt_principal = kerberos.Principal(
(principal.service_name, name), principal.realm)
alt_principal_obj = api.Command['service_show'](
alt_principal, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for user principals") % desc)
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_(
'The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
if alt_principal_obj is not None:
altdn = alt_principal_obj['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if alt_principal is not None and not bypass_caacl:
caacl_check(principal_type, alt_principal, ca, profile_id)
elif name_type in [
(nss.certOtherName, x509.SAN_UPN),
(nss.certOtherName, x509.SAN_KRB5PRINCIPALNAME),
]:
if name != principal_string:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % name)
elif name_type == nss.certRFC822Name:
if principal_type == USER:
if name not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("RFC822Name does not match "
"any of user's email addresses"))
else:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for non-user principals") % desc)
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") % desc)
# Request the certificate
try:
result = self.Backend.ra.request_certificate(
csr, profile_id, ca_id, request_type=request_type)
except errors.HTTPRequestError as e:
if e.status == 409: # pylint: disable=no-member
raise errors.CertificateOperationError(
error=_("CA '%s' is disabled") % ca)
else:
raise e
if not raw:
self.obj._parse(result, all)
result['request_id'] = int(result['request_id'])
result['cacn'] = ca_obj['cn'][0]
# Success? Then add it to the principal's entry
# (unless the profile tells us not to)
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
if principal_type == SERVICE:
api.Command['service_mod'](principal_string, **kwargs)
elif principal_type == HOST:
api.Command['host_mod'](principal.hostname, **kwargs)
elif principal_type == USER:
api.Command['user_mod'](principal.username, **kwargs)
return dict(
result=result,
value=pkey_to_value(int(result['request_id']), kw),
)
s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
if s == -1:
csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr + \
'\n-----END NEW CERTIFICATE REQUEST-----\n'
try:
(csr_fd, csr_name) = tempfile.mkstemp()
os.write(csr_fd, csr)
os.close(csr_fd)
except Exception, e:
try:
os.remove(csr_name)
except:
pass
self.log.error('unable to create temporary csr file: %s' % e)
raise errors.CertificateOperationError(error=_('file operation'))
try:
(cert_fd, cert_name) = tempfile.mkstemp()
os.close(cert_fd)
except Exception, e:
try:
os.remove(csr_name)
except:
pass
try:
os.remove(cert_name)
except:
pass
self.log.error('unable to create temporary certificate file: %s' % e)
raise errors.CertificateOperationError(error=_('file operation'))
def execute(self, csr, all=False, raw=False, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
add = kw.get('add')
request_type = kw.get('request_type')
profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
# Check that requested authority exists (done before CA ACL
# enforcement so that user gets better error message if
# referencing nonexistant CA) and look up authority ID.
#
ca = kw['cacn']
ca_obj = api.Command.ca_show(ca)['result']
ca_id = ca_obj['ipacaid'][0]
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
principal = kw.get('principal')
principal_string = unicode(principal)
if principal.is_user:
principal_type = USER
elif principal.is_host:
principal_type = HOST
else:
principal_type = SERVICE
bind_principal = kerberos.Principal(getattr(context, 'principal'))
bind_principal_string = unicode(bind_principal)
if bind_principal.is_user:
bind_principal_type = USER
elif bind_principal.is_host:
bind_principal_type = HOST
else:
bind_principal_type = SERVICE
if (bind_principal_string != principal_string
and bind_principal_type != HOST):
# Can the bound principal request certs for another principal?
self.check_access()
try:
self.check_access("request certificate ignore caacl")
bypass_caacl = True
except errors.ACIError:
bypass_caacl = False
if not bypass_caacl:
caacl_check(principal_type, principal, ca, profile_id)
try:
csr_obj = pkcs10.load_certificate_request(csr)
except ValueError as e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") %
e)
try:
ext_san = csr_obj.extensions.get_extension_for_oid(
cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
except cryptography.x509.extensions.ExtensionNotFound:
ext_san = None
# self-service and host principals may bypass SAN permission check
if (bind_principal_string != principal_string
and bind_principal_type != HOST):
if ext_san is not None:
self.check_access('request certificate with subjectaltname')
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if principal_type == SERVICE:
principal_obj = api.Command['service_show'](principal_string,
all=True)
elif principal_type == HOST:
principal_obj = api.Command['host_show'](principal.hostname,
all=True)
elif principal_type == USER:
principal_obj = api.Command['user_show'](principal.username,
all=True)
except errors.NotFound as e:
if add:
if principal_type == SERVICE:
principal_obj = api.Command['service_add'](
principal_string, force=True)
else:
princtype_str = PRINCIPAL_TYPE_STRING_MAP[principal_type]
raise errors.OperationNotSupportedForPrincipalType(
operation=_("'add' option"),
principal_type=princtype_str)
else:
raise errors.NotFound(
reason=_("The principal for this request doesn't exist."))
principal_obj = principal_obj['result']
dn = principal_obj['dn']
# Ensure that the DN in the CSR matches the principal
#
# We only look at the "most specific" CN value
cns = csr_obj.subject.get_attributes_for_oid(
cryptography.x509.oid.NameOID.COMMON_NAME)
if len(cns) == 0:
raise errors.ValidationError(
name='csr',
error=_("No Common Name was found in subject of request."))
cn = cns[-1].value # "most specific" is end of list
if principal_type in (SERVICE, HOST):
if cn.lower() != principal.hostname.lower():
raise errors.ACIError(info=_(
"hostname in subject of request '%(cn)s' "
"does not match principal hostname '%(hostname)s'") %
dict(cn=cn, hostname=principal.hostname))
elif principal_type == USER:
# check user name
if cn != principal.username:
raise errors.ValidationError(
name='csr',
error=_("DN commonName does not match user's login"))
# check email address
#
# fail if any email addr from DN does not appear in ldap entry
email_addrs = csr_obj.subject.get_attributes_for_oid(
cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
raise errors.ValidationError(
name='csr',
error=_("DN emailAddress does not match "
"any of user's email addresses"))
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(
info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") %
dn)
# Validate the subject alt name, if any
generalnames = []
if ext_san is not None:
generalnames = x509.process_othernames(ext_san.value)
for gn in generalnames:
if isinstance(gn, cryptography.x509.general_name.DNSName):
name = gn.value
alt_principal = None
alt_principal_obj = None
try:
if principal_type == HOST:
alt_principal = kerberos.Principal((u'host', name),
principal.realm)
alt_principal_obj = api.Command['host_show'](name,
all=True)
elif principal_type == SERVICE:
alt_principal = kerberos.Principal(
(principal.service_name, name), principal.realm)
alt_principal_obj = api.Command['service_show'](
alt_principal, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for user principals") % "DNSName")
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_(
'The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
if alt_principal_obj is not None:
altdn = alt_principal_obj['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if alt_principal is not None and not bypass_caacl:
caacl_check(principal_type, alt_principal, ca, profile_id)
elif isinstance(gn, (x509.KRB5PrincipalName, x509.UPN)):
if gn.name != principal_string:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % gn.name)
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
if principal_type == USER:
if gn.value not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("RFC822Name does not match "
"any of user's email addresses"))
else:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for non-user principals") % "RFC822Name")
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
type(gn).__name__)
# Request the certificate
try:
# re-serialise to PEM, in case the user-supplied data has
# extraneous material that will cause Dogtag to freak out
csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM)
result = self.Backend.ra.request_certificate(
csr_pem, profile_id, ca_id, request_type=request_type)
except errors.HTTPRequestError as e:
if e.status == 409: # pylint: disable=no-member
raise errors.CertificateOperationError(
error=_("CA '%s' is disabled") % ca)
else:
raise e
if not raw:
self.obj._parse(result, all)
result['request_id'] = int(result['request_id'])
result['cacn'] = ca_obj['cn'][0]
# Success? Then add it to the principal's entry
# (unless the profile tells us not to)
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
if principal_type == SERVICE:
api.Command['service_mod'](principal_string, **kwargs)
elif principal_type == HOST:
api.Command['host_mod'](principal.hostname, **kwargs)
elif principal_type == USER:
api.Command['user_mod'](principal.username, **kwargs)
return dict(
result=result,
value=pkey_to_value(int(result['request_id']), kw),
)
def execute(self, csr, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
add = kw.get('add')
request_type = kw.get('request_type')
profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
ca = '.' # top-level CA hardcoded until subca plugin implemented
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
principal_string = kw.get('principal')
principal = split_any_principal(principal_string)
servicename, principal_name, realm = principal
if servicename is None:
principal_type = USER
elif servicename == 'host':
principal_type = HOST
else:
principal_type = SERVICE
bind_principal = split_any_principal(getattr(context, 'principal'))
bind_service, bind_name, bind_realm = bind_principal
if bind_service is None:
bind_principal_type = USER
elif bind_service == 'host':
bind_principal_type = HOST
else:
bind_principal_type = SERVICE
if bind_principal != principal and bind_principal_type != HOST:
# Can the bound principal request certs for another principal?
self.check_access()
try:
self.check_access("request certificate ignore caacl")
bypass_caacl = True
except errors.ACIError:
bypass_caacl = False
if not bypass_caacl:
caacl_check(principal_type, principal_string, ca, profile_id)
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error, ValueError) as e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") %
e)
# self-service and host principals may bypass SAN permission check
if bind_principal != principal and bind_principal_type != HOST:
if '2.5.29.17' in extensions:
self.check_access('request certificate with subjectaltname')
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if principal_type == SERVICE:
principal_obj = api.Command['service_show'](principal_string,
all=True)
elif principal_type == HOST:
principal_obj = api.Command['host_show'](principal_name,
all=True)
elif principal_type == USER:
principal_obj = api.Command['user_show'](principal_name,
all=True)
except errors.NotFound as e:
if principal_type == SERVICE and add:
principal_obj = api.Command['service_add'](principal_string,
force=True)
else:
raise errors.NotFound(
reason=_("The principal for this request doesn't exist."))
principal_obj = principal_obj['result']
dn = principal_obj['dn']
# Ensure that the DN in the CSR matches the principal
cn = subject.common_name #pylint: disable=E1101
if not cn:
raise errors.ValidationError(
name='csr',
error=_("No Common Name was found in subject of request."))
if principal_type in (SERVICE, HOST):
if cn.lower() != principal_name.lower():
raise errors.ACIError(info=_(
"hostname in subject of request '%(cn)s' "
"does not match principal hostname '%(hostname)s'") %
dict(cn=cn, hostname=principal_name))
elif principal_type == USER:
# check user name
if cn != principal_name:
raise errors.ValidationError(
name='csr',
error=_("DN commonName does not match user's login"))
# check email address
mail = subject.email_address #pylint: disable=E1101
if mail is not None and mail not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("DN emailAddress does not match "
"any of user's email addresses"))
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(
info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") %
dn)
# Validate the subject alt name, if any
for name_type, name in subjectaltname:
if name_type == pkcs10.SAN_DNSNAME:
name = unicode(name)
alt_principal_obj = None
alt_principal_string = None
try:
if principal_type == HOST:
alt_principal_string = 'host/%s@%s' % (name, realm)
alt_principal_obj = api.Command['host_show'](name,
all=True)
elif principal_type == SERVICE:
alt_principal_string = '%s/%s@%s' % (servicename, name,
realm)
alt_principal_obj = api.Command['service_show'](
alt_principal_string, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for user principals") % name_type)
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_(
'The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
if alt_principal_obj is not None:
altdn = alt_principal_obj['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if alt_principal_string is not None and not bypass_caacl:
caacl_check(principal_type, alt_principal_string, ca,
profile_id)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
if split_any_principal(name) != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % name)
elif name_type == pkcs10.SAN_RFC822NAME:
if principal_type == USER:
if name not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("RFC822Name does not match "
"any of user's email addresses"))
else:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for non-user principals") % name_type)
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
name_type)
# Request the certificate
result = self.Backend.ra.request_certificate(csr,
profile_id,
request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the principal's entry
# (unless the profile tells us not to)
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
if principal_type == SERVICE:
api.Command['service_mod'](principal_string, **kwargs)
elif principal_type == HOST:
api.Command['host_mod'](principal_name, **kwargs)
elif principal_type == USER:
api.Command['user_mod'](principal_name, **kwargs)
return dict(result=result)
def validate_csr(ugettext, csr):
"""
Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
parser.
"""
if api.env.context == 'cli':
# If we are passed in a pointer to a valid file on the client side
# escape and let the load_files() handle things
if csr and os.path.exists(csr):
return
try:
request = pkcs10.load_certificate_request(csr)
except TypeError, e:
raise errors.Base64DecodeError(reason=str(e))
except NSPRError:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request'))
except Exception, e:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request: %s') %
str(e))
def normalize_csr(csr):
"""
Strip any leading and trailing cruft around the BEGIN/END block
"""
end_len = 37
s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----')
if s == -1:
s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
e = csr.find('-----END NEW CERTIFICATE REQUEST-----')
