From 34f28f06db291c7408fbeb7276dcdaae5f0ef18a Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 16 2024 12:46:32 +0000
Subject: Add token support to installer certificate handling
Pass along the user-provided password file, if any, to the underlying NSS database. This will provide for per-token passwords. If a token is in a nickname then break it out and pass it to certutil separately.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index e2e9956..f8be1ef 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -161,8 +161,8 @@ class CertDB:
 def __init__(self, realm, nssdir, fstore=None, host_name=None, subject_base=None, ca_subject=None, user=None, group=None, mode=None, create=False,
- dbtype='auto'):
- self.nssdb = NSSDatabase(nssdir, dbtype=dbtype)
+ dbtype='auto', pwd_file=None):
+ self.nssdb = NSSDatabase(nssdir, dbtype=dbtype, pwd_file=pwd_file)
 self.realm = realm
@@ -377,8 +377,14 @@ class CertDB:
 """
 Retrieve a certificate from the current NSS database for nickname.
 """
+ if ':' in nickname:
+ token = nickname.split(':', 1)[0]
+ else:
+ token = None
 try:
 args = ["-L", "-n", nickname, "-a"]
+ if token:
+ args.extend(['-h', token])
 result = self.run_certutil(args, capture_output=True)
 return x509.load_pem_x509_certificate(result.raw_output)
 except ipautil.CalledProcessError:
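Review bot: The new `pwd_file=None` keyword on `__init__` is handed straight to `NSSDatabase` and is otherwise undocumented; nothing in the hunk says what the file holds or that `None` keeps the previous behaviour. A short parameter comment next to the signature would help, e.g. `# pwd_file: optional path to the NSS password file, forwarded to NSSDatabase so it can apply per-token passwords (None keeps the old behaviour)`. The path is not stored on `self`, so any helper in `CertDB` that builds its own certutil invocation instead of going through `self.nssdb` would presumably not see it — worth confirming outside this hunk. The rest of `__init__` continues beyond the hunk.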
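Review bot: The docstring at the top of the hunk still describes only a plain nickname, while the new code below it treats everything before the first `:` as a token name and passes it to certutil with `-h`; add a line such as `A nickname of the form ``token:nick`` is split and the token passed to certutil via -h.` The four-line branch can be one expression, `token = nickname.partition(':')[0] if ':' in nickname else None`, and the later `if token:` guard then only matters for a nickname with an empty prefix such as `:nick`, which deserves a comment saying so. Note that `nickname` is still passed in full to `-n`, so certutil receives the token both there and via `-h`; if that is intentional, a one-line comment would save the next reader a check of certutil's handling. The enclosing method starts and ends outside the hunk, so the return in the `except` branch is not visible here.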