def renew_external_step_2(self, ca, old_cert_der):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
old_spki = old_cert_obj.public_key().public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, DN(old_cert_obj.subject))
with open(cert_file.name) as f:
new_cert_data = f.read()
new_cert_der = x509.normalize_certificate(new_cert_data)
new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
new_der_subject = x509.get_der_subject(new_cert_der, x509.DER)
new_spki = new_cert_obj.public_key().public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
if new_cert_obj.subject != old_cert_obj.subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if new_der_subject != old_der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if new_spki != old_spki:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
try:
tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
data = ca_cert.public_bytes(serialization.Encoding.DER)
tmpdb.add_cert(
data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(
conn,
api.env.basedn,
ca_cert,
nickname,
EMPTY_TRUST_FLAGS)
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [new_cert_der]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[new_cert_der])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse')
print("CA certificate successfully renewed")
def renew_external_step_2(self, ca, old_cert_der):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
old_spki = old_cert_obj.public_key().public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, DN(old_cert_obj.subject))
with open(cert_file.name) as f:
new_cert_data = f.read()
new_cert_der = x509.normalize_certificate(new_cert_data)
new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
new_der_subject = x509.get_der_subject(new_cert_der, x509.DER)
new_spki = new_cert_obj.public_key().public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
if new_cert_obj.subject != old_cert_obj.subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if new_der_subject != old_der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if new_spki != old_spki:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
data = ca_cert.public_bytes(serialization.Encoding.DER)
tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(
conn, api.env.basedn, ca_cert, nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [new_cert_der]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[new_cert_der])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request(ca, 'ipaRetrieval')
print("CA certificate successfully renewed")
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
if os.path.exists(new_cacert_path):
try:
os.remove(new_cacert_path)
except OSError as e:
root_logger.error(
"Could not remove %s: %s", new_cacert_path, e)
return False
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError as e:
root_logger.info("Failed to open %s: %s" % (new_cacert_path, e))
return False
f.write("# This file was created by IPA. Do not edit.\n"
"\n")
has_eku = set()
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
subject = x509.get_der_subject(cert, x509.DER)
issuer = x509.get_der_issuer(cert, x509.DER)
serial_number = x509.get_der_serial_number(cert, x509.DER)
public_key_info = x509.get_der_public_key_info(cert, x509.DER)
except (NSPRError, PyAsn1Error, ValueError) as e:
root_logger.warning(
"Failed to decode certificate \"%s\": %s", nickname, e)
continue
label = urllib.parse.quote(nickname)
subject = urllib.parse.quote(subject)
issuer = urllib.parse.quote(issuer)
serial_number = urllib.parse.quote(serial_number)
public_key_info = urllib.parse.quote(public_key_info)
cert = base64.b64encode(cert)
cert = x509.make_pem(cert)
obj = ("[p11-kit-object-v1]\n"
"class: certificate\n"
"certificate-type: x-509\n"
"certificate-category: authority\n"
"label: \"%(label)s\"\n"
"subject: \"%(subject)s\"\n"
"issuer: \"%(issuer)s\"\n"
"serial-number: \"%(serial_number)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n" %
dict(label=label,
subject=subject,
issuer=issuer,
serial_number=serial_number,
public_key_info=public_key_info))
if trusted is True:
obj += "trusted: true\n"
elif trusted is False:
obj += "x-distrusted: true\n"
obj += "%s\n\n" % cert
f.write(obj)
if ext_key_usage is not None and public_key_info not in has_eku:
if not ext_key_usage:
ext_key_usage = {x509.EKU_PLACEHOLDER}
try:
ext_key_usage = x509.encode_ext_key_usage(ext_key_usage)
except PyAsn1Error as e:
root_logger.warning(
"Failed to encode extended key usage for \"%s\": %s",
nickname, e)
continue
value = urllib.parse.quote(ext_key_usage)
obj = ("[p11-kit-object-v1]\n"
"class: x-certificate-extension\n"
"label: \"ExtendedKeyUsage for %(label)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n"
"object-id: 2.5.29.37\n"
"value: \"%(value)s\"\n\n" %
dict(label=label,
public_key_info=public_key_info,
value=value))
f.write(obj)
has_eku.add(public_key_info)
f.close()
# Add the CA to the systemwide CA trust database
if not self.reload_systemwide_ca_store():
return False
return True
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
# pylint: disable=ipa-forbidden-import
from ipalib import x509 # FixMe: break import cycle
from ipalib.errors import CertificateError
# pylint: enable=ipa-forbidden-import
new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
if os.path.exists(new_cacert_path):
try:
os.remove(new_cacert_path)
except OSError as e:
root_logger.error("Could not remove %s: %s", new_cacert_path,
e)
return False
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError as e:
root_logger.info("Failed to open %s: %s" % (new_cacert_path, e))
return False
f.write("# This file was created by IPA. Do not edit.\n" "\n")
has_eku = set()
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
subject = x509.get_der_subject(cert, x509.DER)
issuer = x509.get_der_issuer(cert, x509.DER)
serial_number = x509.get_der_serial_number(cert, x509.DER)
public_key_info = x509.get_der_public_key_info(cert, x509.DER)
except (PyAsn1Error, ValueError, CertificateError) as e:
root_logger.warning("Failed to decode certificate \"%s\": %s",
nickname, e)
continue
label = urllib.parse.quote(nickname)
subject = urllib.parse.quote(subject)
issuer = urllib.parse.quote(issuer)
serial_number = urllib.parse.quote(serial_number)
public_key_info = urllib.parse.quote(public_key_info)
cert = base64.b64encode(cert)
cert = x509.make_pem(cert)
obj = ("[p11-kit-object-v1]\n"
"class: certificate\n"
"certificate-type: x-509\n"
"certificate-category: authority\n"
"label: \"%(label)s\"\n"
"subject: \"%(subject)s\"\n"
"issuer: \"%(issuer)s\"\n"
"serial-number: \"%(serial_number)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n" %
dict(label=label,
subject=subject,
issuer=issuer,
serial_number=serial_number,
public_key_info=public_key_info))
if trusted is True:
obj += "trusted: true\n"
elif trusted is False:
obj += "x-distrusted: true\n"
obj += "%s\n\n" % cert
f.write(obj)
if ext_key_usage is not None and public_key_info not in has_eku:
if not ext_key_usage:
ext_key_usage = {x509.EKU_PLACEHOLDER}
try:
ext_key_usage = x509.encode_ext_key_usage(ext_key_usage)
except PyAsn1Error as e:
root_logger.warning(
"Failed to encode extended key usage for \"%s\": %s",
nickname, e)
continue
value = urllib.parse.quote(ext_key_usage)
obj = ("[p11-kit-object-v1]\n"
"class: x-certificate-extension\n"
"label: \"ExtendedKeyUsage for %(label)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n"
"object-id: 2.5.29.37\n"
"value: \"%(value)s\"\n\n" %
dict(label=label,
public_key_info=public_key_info,
value=value))
f.write(obj)
has_eku.add(public_key_info)
f.close()
# Add the CA to the systemwide CA trust database
if not self.reload_systemwide_ca_store():
return False
return True
def renew_external_step_2(self, ca, old_cert):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(
conn, api.env.basedn, ca_cert, nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[cert])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request(ca, 'ipaRetrieval')
print("CA certificate successfully renewed")
def renew_external_step_2(self, ca, old_cert):
print("Importing the renewed CA certificate, please wait")
options = self.options
conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError as e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError as e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
for nickname in trust_chain:
try:
ca_cert = tmpdb.get_cert(nickname)
except RuntimeError:
break
certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert,
nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[cert])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
try:
ca.set_renewal_master()
except errors.NotFound:
raise admintool.ScriptError("CA renewal master not found")
self.resubmit_request(ca, 'ipaRetrieval')
print("CA certificate successfully renewed")
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError, e:
root_logger.info("Failed to open %s: %s" % (new_cacert_path, e))
return False
f.write("# This file was created by IPA. Do not edit.\n"
"\n")
has_eku = set()
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
subject = x509.get_der_subject(cert, x509.DER)
issuer = x509.get_der_issuer(cert, x509.DER)
serial_number = x509.get_der_serial_number(cert, x509.DER)
public_key_info = x509.get_der_public_key_info(cert, x509.DER)
except (NSPRError, PyAsn1Error), e:
root_logger.warning(
"Failed to decode certificate \"%s\": %s", nickname, e)
continue
label = urllib.quote(nickname)
subject = urllib.quote(subject)
issuer = urllib.quote(issuer)
serial_number = urllib.quote(serial_number)
public_key_info = urllib.quote(public_key_info)
cert = base64.b64encode(cert)
return False
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError, e:
root_logger.info("Failed to open %s: %s" % (new_cacert_path, e))
return False
f.write("# This file was created by IPA. Do not edit.\n" "\n")
has_eku = set()
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
subject = x509.get_der_subject(cert, x509.DER)
issuer = x509.get_der_issuer(cert, x509.DER)
serial_number = x509.get_der_serial_number(cert, x509.DER)
public_key_info = x509.get_der_public_key_info(cert, x509.DER)
except (NSPRError, PyAsn1Error), e:
root_logger.warning("Failed to decode certificate \"%s\": %s",
nickname, e)
continue
label = urllib.quote(nickname)
subject = urllib.quote(subject)
issuer = urllib.quote(issuer)
serial_number = urllib.quote(serial_number)
public_key_info = urllib.quote(public_key_info)
cert = base64.b64encode(cert)
def renew_external_step_2(self, ca, old_cert):
print "Importing the renewed CA certificate, please wait"
options = self.options
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError, e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError, e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
def renew_external_step_2(self, ca, old_cert):
print "Importing the renewed CA certificate, please wait"
options = self.options
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
der_subject = x509.get_der_subject(old_cert, x509.DER)
#pylint: disable=E1101
pkinfo = nss_cert.subject_public_key_info.format()
#pylint: enable=E1101
nss_cert = x509.load_certificate_from_file(cert_file.name)
cert = nss_cert.der_data
if nss_cert.subject != subject:
raise admintool.ScriptError(
"Subject name mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
if x509.get_der_subject(cert, x509.DER) != der_subject:
raise admintool.ScriptError(
"Subject name encoding mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: disable=E1101
if nss_cert.subject_public_key_info.format() != pkinfo:
raise admintool.ScriptError(
"Subject public key info mismatch (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)")
#pylint: enable=E1101
finally:
del nss_cert
nss.nss_shutdown()
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')
try:
tmpdb.add_cert(cert, 'IPA CA', 'C,,')
except ipautil.CalledProcessError, e:
raise admintool.ScriptError(
"Not compatible with the current CA certificate: %s" % e)
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
for ca_cert in ca_certs:
tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_certs
del ca_cert
try:
tmpdb.verify_ca_cert_validity('IPA CA')
except ValueError, e:
raise admintool.ScriptError(
"Not a valid CA certificate: %s (visit "
"http://www.freeipa.org/page/Troubleshooting for "
"troubleshooting guide)" % e)
