freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

Commit ada91c2 csrgen: Support encrypted private keys

2 files changed. Authored by benlipton 2 years ago, committed by jcholast 2 years ago.
csrgen: Support encrypted private keys

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

 1 @@ -3,15 +3,16 @@
 2   {%- endraw %}
 3   #!/bin/bash -e
 4   
 5 - if [[ $# -ne 2 ]]; then
 6 - echo "Usage: $0 <outfile> <keyfile>"
 7 + if [[ $# -lt 2 ]]; then
 8 + echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
 9   echo "Called as: $0 $@"
10   exit 1
11   fi
12   
13   CONFIG="$(mktemp)"
14   CSR="$1"
15 - shift
16 + KEYFILE="$2"
17 + shift; shift
18   
19   echo \
20   {% raw %}{% filter quote %}{% endraw -%}
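Review bot: the usage text `<other openssl arguments>` is vaguer than the check allows; since `$# -lt 2` makes the extra arguments optional and they are forwarded verbatim, the message should name the intended use (the caller's `-passin file:<path>`) so a wrong invocation is easy to spot.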
21 @@ -30,5 +31,5 @@
22   {{ openssl.openssl_sections|join('\n\n') }}
23   {% endfilter %}{%- endraw %} > "$CONFIG"
24   
25 - openssl req -new -config "$CONFIG" -out "$CSR" -key $1
26 + openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
27   rm "$CONFIG"
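Review bot: with `#!/bin/bash -e`, a non-zero exit from `openssl req` (for example a wrong key password, which this change now makes possible) terminates the script before `rm "$CONFIG"` runs, leaving the mktemp file behind; add `trap 'rm -f "$CONFIG"' EXIT` right after `CONFIG="$(mktemp)"` so cleanup happens on every exit path.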
 1 @@ -52,6 +52,11 @@
 2               doc=_('Path to PEM file containing a private key'),
 3           ),
 4           Str(
 5 +             'password_file?',
 6 +             label=_(
 7 +                 'File containing a password for the private key or database'),
 8 +         ),
 9 +         Str(
10               'csr_profile_id?',
11               label=_('Name of CSR generation profile (if not the same as'
12                       ' profile_id)'),
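Review bot: the new `password_file?` option carries only a `label`, while the `private_key` option just above documents itself with `doc=`; add a `doc=` stating that the file is read by the helper that runs on the client (certutil `-f` or openssl `-passin file:`) and that it is only consulted when a CSR is generated, not when one is supplied with `csr`.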
13 @@ -68,14 +73,19 @@
14           database = options.pop('database', None)
15           private_key = options.pop('private_key', None)
16           csr_profile_id = options.pop('csr_profile_id', None)
17 +         password_file = options.pop('password_file', None)
18   
19           if csr is None:
20               if database:
21                   helper = u'certutil'
22                   helper_args = ['-d', database]
23 +                 if password_file:
24 +                     helper_args += ['-f', password_file]
25               elif private_key:
26                   helper = u'openssl'
27                   helper_args = [private_key]
28 +                 if password_file:
29 +                     helper_args += ['-passin', 'file:%s' % password_file]
30               else:
31                   raise errors.InvocationError(
32                       message=u"One of 'database' or 'private_key' is required")
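Review bot: `password_file` is popped unconditionally but only consumed inside `if csr is None:`, so a caller that passes both `csr` and `password_file` has the password file silently ignored; either reject that combination with an `errors.InvocationError` in the same style as the existing `else:` branch, or spell out in the option's help that it applies only to the `database`/`private_key` paths.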