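def test_2_get_subject(self):
    """ Test retrieving the subject

    ``goodcert`` must be accepted in every form get_subject() supports: as the
    base64 string itself, as DER bytes together with ``x509.DER``, and wrapped
    in a one-element tuple or list.  Every form must yield the same DN.
    """
    expected = DN(('CN','ipa.example.com'),('O','IPA'))

    subject = x509.get_subject(goodcert)
    assert DN(str(subject)) == expected

    der = base64.b64decode(goodcert)
    subject = x509.get_subject(der, x509.DER)
    assert DN(str(subject)) == expected

    # We should be able to pass in a tuple/list of certs too.  Note the
    # trailing comma: ``(goodcert)`` is only a parenthesised name, so the
    # original form never exercised the tuple path at all.
    for wrapped in ((goodcert,), [goodcert]):
        subject = x509.get_subject(wrapped)
        assert DN(str(subject)) == expected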
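def test_2_get_subject(self):
    """
    Test retrieving the subject.

    Checks that x509.get_subject() returns the expected DN for the
    ``goodcert`` fixture whether it is passed as the base64 string, as DER
    bytes (with ``x509.DER``), or wrapped in a one-element tuple or list.
    """
    expected = DN(('CN', 'ipa.example.com'), ('O', 'IPA'))

    subject = x509.get_subject(goodcert)
    assert DN(str(subject)) == expected

    der = base64.b64decode(goodcert)
    subject = x509.get_subject(der, x509.DER)
    assert DN(str(subject)) == expected

    # We should be able to pass in a tuple/list of certs too.
    # ``(goodcert)`` is just a parenthesised name, not a tuple; the trailing
    # comma is required for this assertion to exercise the tuple path.
    subject = x509.get_subject((goodcert,))
    assert DN(str(subject)) == expected

    subject = x509.get_subject([goodcert])
    assert DN(str(subject)) == expected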
def _parse_cert(dercert):
    """
    Decode a DER certificate into subject, issuer, serial number and
    DER-encoded public key info.

    NOTE(review): this snippet ends right after the ``except`` clause; the
    code that uses the four decoded values (and the function's return) is
    not shown here.

    :param dercert: certificate in DER form (decoded with ``x509.DER``)
    :raises ValueError: if NSS or pyasn1 cannot decode the certificate
    """
    try:
        subject = x509.get_subject(dercert, x509.DER)
        issuer = x509.get_issuer(dercert, x509.DER)
        serial_number = x509.get_serial_number(dercert, x509.DER)
        public_key_info = x509.get_der_public_key_info(dercert, x509.DER)
    # Python 2 ``except X, e`` syntax.  Both decoder errors are wrapped so
    # callers only have to handle ValueError.
    except (NSPRError, PyAsn1Error), e:
        raise ValueError("failed to decode certificate: %s" % e)
def _parse_cert(dercert):
    """
    Decode a DER certificate and return the pieces used to identify it.

    :param dercert: certificate in DER encoding
    :returns: ``(subject, issuer_serial, public_key_info)`` where
        ``issuer_serial`` is ``"<issuer DN>;<serial number>"``
    :raises ValueError: if NSS or pyasn1 fail to decode ``dercert``
    """
    decoders = (
        x509.get_subject,
        x509.get_issuer,
        x509.get_serial_number,
        x509.get_der_public_key_info,
    )
    try:
        # Evaluated in the same order as the four original calls.
        subject_dn, issuer_dn, serial, pk_info = [
            decode(dercert, x509.DER) for decode in decoders
        ]
    except (NSPRError, PyAsn1Error) as err:
        raise ValueError("failed to decode certificate: %s" % err)

    def _escape_semicolons(dn):
        # The DN's string form may contain an escaped ';' as '\;'
        # (presumably from DN.__str__); rewrite it as the '\3b' hex escape
        # so the ';' joining issuer and serial below stays unambiguous.
        return str(dn).replace('\\;', '\\3b')

    issuer_serial = '%s;%s' % (_escape_semicolons(issuer_dn), serial)
    return _escape_semicolons(subject_dn), issuer_serial, pk_info
def install_check(standalone, replica_config, options):
    """
    Pre-flight checks for installing the CA; aborts the process via
    sys.exit() on any blocking condition.

    Sets the module globals ``external_cert_file`` and ``external_ca_file``
    when ``options.external_cert_files`` is given.

    :param standalone: truthy for an ipa-ca-install style run (CA added to
        an existing server) rather than a full server install
    :param replica_config: replica configuration, or None for a new CA
    :param options: parsed installer options
    """
    global external_cert_file
    global external_ca_file

    realm_name = options.realm_name
    host_name = options.host_name
    subject_base = options.subject

    # Replica path: run the replica-specific checks and return early; none of
    # the checks below this block apply to a replica.
    if replica_config is not None:
        if standalone and api.env.ra_plugin == 'selfsign':
            sys.exit('A selfsign CA can not be added')

        # Without --promote the replica file must carry the CA's PKCS#12.
        if ((not options.promote
             and not ipautil.file_exists(replica_config.dir + "/cacert.p12"))):
            print('CA cannot be installed in CA-less setup.')
            sys.exit(1)

        if standalone and not options.skip_conncheck:
            principal = options.principal
            replica_conn_check(
                replica_config.master_host_name, host_name, realm_name, True,
                replica_config.ca_ds_port, options.admin_password,
                principal=principal, ca_cert_file=options.ca_cert_file)

        if options.skip_schema_check or options.promote:
            root_logger.info("Skipping CA DS schema check")
        else:
            cainstance.replica_ca_install_check(replica_config)

        return

    # A CA must not be added standalone when the realm already has one; the
    # replica-file workflow is the supported way to get a second CA.
    if standalone:
        if api.Command.ca_is_enabled()['result']:
            sys.exit(
                "One or more CA masters are already present in IPA realm "
                "'%s'.\nIf you wish to replicate CA to this host, please "
                "re-run 'ipa-ca-install'\nwith a replica file generated on "
                "an existing CA master as argument." % realm_name
            )

    # External CA is a two-stage install: step one (--external-ca) produces a
    # CSR, step two (--external-cert-file) consumes the signed certificate.
    if options.external_cert_files:
        if not cainstance.is_step_one_done():
            # This can happen if someone passes external_ca_file without
            # already having done the first stage of the CA install.
            print("CA is not installed yet. To install with an external CA "
                  "is a two-stage process.\nFirst run the installer with "
                  "--external-ca.")
            sys.exit(1)

        external_cert_file, external_ca_file = installutils.load_external_cert(
            options.external_cert_files, options.subject)
    elif options.external_ca:
        if cainstance.is_step_one_done():
            print("CA is already installed.\nRun the installer with "
                  "--external-cert-file.")
            sys.exit(1)
        # Refuse to overwrite a CSR left behind by a previous step one.
        if ipautil.file_exists(paths.ROOT_IPA_CSR):
            print(("CA CSR file %s already exists.\nIn order to continue "
                   "remove the file and run the installer again."
                   % paths.ROOT_IPA_CSR))
            sys.exit(1)

    if not options.external_cert_files:
        if not cainstance.check_port():
            print("IPA requires port 8443 for PKI but it is currently in use.")
            sys.exit("Aborting installation")

    # Standalone only: scan the CA and DS NSS databases and refuse to continue
    # if a certificate with a reserved nickname or a reserved subject under
    # subject_base is already present, so an existing CA/RA/signing
    # certificate is never silently replaced.
    if standalone:
        dirname = dsinstance.config_dirname(
            installutils.realm_to_serverid(realm_name))
        cadb = certs.CertDB(realm_name, subject_base=subject_base)
        dsdb = certs.CertDB(realm_name, nssdir=dirname,
                            subject_base=subject_base)

        for db in (cadb, dsdb):
            # trust_flags is unused here; only the nickname matters.
            for nickname, trust_flags in db.list_certs():
                if nickname in (certdb.get_ca_nickname(realm_name),
                                'ipaCert', 'Signing-Cert'):
                    print(("Certificate with nickname %s is present in %s, "
                           "cannot continue." % (nickname, db.secdir)))
                    sys.exit(1)

                cert = db.get_cert_from_db(nickname)
                if not cert:
                    continue

                subject = DN(str(x509.get_subject(cert)))
                if subject in (DN('CN=Certificate Authority', subject_base),
                               DN('CN=IPA RA', subject_base),
                               DN('CN=Object Signing Cert', subject_base)):
                    print(("Certificate with subject %s is present in %s, "
                           "cannot continue." % (subject, db.secdir)))
                    sys.exit(1)
os.remove(csr_name)  # NOTE(review): snippet starts inside a try: whose header is not shown
except:
    # Best-effort removal of the CSR file; the bare except hides every error,
    # including KeyboardInterrupt, so a leftover file is never reported.
    pass
try:
    # NOTE(review): close() is not in a finally, so the descriptor leaks if
    # read() raises.
    cert_fd = open(cert_name)
    cert = cert_fd.read()
    cert_fd.close()
finally:
    # Remove the certificate file whether or not the read succeeded; again
    # best-effort, and the bare except swallows unrelated errors too.
    try:
        os.remove(cert_name)
    except:
        pass
try:
    subject = x509.get_subject(cert)
    serial = x509.get_serial_number(cert)
except NSPRError, e:  # Python 2 ``except X, e`` syntax
    # Log and re-raise as the IPA error type the caller expects.
    self.log.error('Unable to decode certificate in entry: %s' % str(e))
    raise errors.CertificateOperationError(
        error=_('Unable to decode certificate in entry: %s') % str(e))
# To make it look like dogtag return just the base64 data.
cert = cert.replace('\n','')
cert = cert.replace('\r','')
s = cert.find('-----BEGIN CERTIFICATE-----')
e = cert.find('-----END CERTIFICATE-----')
# 27 == len('-----BEGIN CERTIFICATE-----'); skip past the opening marker.
s = s + 27
# NOTE(review): if either marker is absent, find() returns -1 and this slice
# silently produces wrong data instead of failing.  The snippet continues
# past this point.
cert = cert[s:e]
def install_check(standalone, replica_config, options):
    """
    Pre-flight checks for installing the CA.

    Every blocking condition is reported by raising ScriptError, so callers
    decide how the failure is surfaced.  Sets the module globals
    ``external_cert_file`` and ``external_ca_file`` when
    ``options.external_cert_files`` is given.

    :param standalone: truthy for an ipa-ca-install style run (CA added to
        an existing server) rather than a full server install
    :param replica_config: replica configuration, or None for a new CA
    :param options: parsed installer options
    :raises ScriptError: on any condition that prevents the install
    """
    global external_cert_file
    global external_ca_file

    realm_name = options.realm_name
    host_name = options.host_name
    subject_base = options.subject

    # Replica path: run the replica-specific checks and return early; none of
    # the checks below this block apply to a replica.
    if replica_config is not None:
        if standalone and api.env.ra_plugin == 'selfsign':
            raise ScriptError('A selfsign CA can not be added')

        # Without --promote the replica file must carry the CA's PKCS#12.
        if ((not options.promote
             and not ipautil.file_exists(replica_config.dir + "/cacert.p12"))):
            raise ScriptError('CA cannot be installed in CA-less setup.')

        if standalone and not options.skip_conncheck:
            principal = options.principal
            replica_conn_check(replica_config.master_host_name, host_name,
                               realm_name, True, replica_config.ca_ds_port,
                               options.admin_password, principal=principal,
                               ca_cert_file=options.ca_cert_file)

        if options.skip_schema_check or options.promote:
            root_logger.info("Skipping CA DS schema check")
        else:
            cainstance.replica_ca_install_check(replica_config)

        return

    # A CA must not be added standalone when the realm already has one; the
    # replica-file workflow is the supported way to get a second CA.
    if standalone:
        if api.Command.ca_is_enabled()['result']:
            raise ScriptError(
                "One or more CA masters are already present in IPA realm "
                "'%s'.\nIf you wish to replicate CA to this host, please "
                "re-run 'ipa-ca-install'\nwith a replica file generated on "
                "an existing CA master as argument." % realm_name)

    # External CA is a two-stage install: step one (--external-ca) produces a
    # CSR, step two (--external-cert-file) consumes the signed certificate.
    if options.external_cert_files:
        if not cainstance.is_step_one_done():
            # This can happen if someone passes external_ca_file without
            # already having done the first stage of the CA install.
            raise ScriptError(
                "CA is not installed yet. To install with an external CA "
                "is a two-stage process.\nFirst run the installer with "
                "--external-ca.")

        external_cert_file, external_ca_file = installutils.load_external_cert(
            options.external_cert_files, options.subject)
    elif options.external_ca:
        if cainstance.is_step_one_done():
            raise ScriptError(
                "CA is already installed.\nRun the installer with "
                "--external-cert-file.")
        # Refuse to overwrite a CSR left behind by a previous step one.
        if ipautil.file_exists(paths.ROOT_IPA_CSR):
            raise ScriptError(
                "CA CSR file %s already exists.\nIn order to continue "
                "remove the file and run the installer again."
                % paths.ROOT_IPA_CSR)

    if not options.external_cert_files:
        if not cainstance.check_port():
            # The port message is printed, then the install is aborted.
            print("IPA requires port 8443 for PKI but it is currently in use.")
            raise ScriptError("Aborting installation")

    # Standalone only: scan the CA and DS NSS databases and refuse to continue
    # if a certificate with a reserved nickname or a reserved subject under
    # subject_base is already present, so an existing CA/RA/signing
    # certificate is never silently replaced.
    if standalone:
        dirname = dsinstance.config_dirname(
            installutils.realm_to_serverid(realm_name))
        cadb = certs.CertDB(realm_name, subject_base=subject_base)
        dsdb = certs.CertDB(realm_name, nssdir=dirname,
                            subject_base=subject_base)

        for db in (cadb, dsdb):
            for nickname, _trust_flags in db.list_certs():
                if nickname in (certdb.get_ca_nickname(realm_name),
                                'ipaCert', 'Signing-Cert'):
                    raise ScriptError(
                        "Certificate with nickname %s is present in %s, "
                        "cannot continue." % (nickname, db.secdir))

                cert = db.get_cert_from_db(nickname)
                if not cert:
                    continue

                subject = DN(str(x509.get_subject(cert)))
                if subject in (DN('CN=Certificate Authority', subject_base),
                               DN('CN=IPA RA', subject_base),
                               DN('CN=Object Signing Cert', subject_base)):
                    raise ScriptError(
                        "Certificate with subject %s is present in %s, "
                        "cannot continue." % (subject, db.secdir))