From ada91c20588046bb147fc701718d3da4d2c080ca Mon Sep 17 00:00:00 2001 From: Ben Lipton Date: Feb 28 2017 09:02:49 +0000 Subject: csrgen: Support encrypted private keys https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta --- diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl index 2d6c070..22b1686 100644 --- a/install/share/csrgen/templates/openssl_base.tmpl +++ b/install/share/csrgen/templates/openssl_base.tmpl @@ -3,15 +3,16 @@ {%- endraw %} #!/bin/bash -e -if [[ $# -ne 2 ]]; then -echo "Usage: $0 " +if [[ $# -lt 2 ]]; then +echo "Usage: $0 " echo "Called as: $0 $@" exit 1 fi CONFIG="$(mktemp)" CSR="$1" -shift +KEYFILE="$2" +shift; shift echo \ {% raw %}{% filter quote %}{% endraw -%} @@ -30,5 +31,5 @@ req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall {{ openssl.openssl_sections|join('\n\n') }} {% endfilter %}{%- endraw %} > "$CONFIG" -openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@" rm "$CONFIG" diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py index 16244e1..348529c 100644 --- a/ipaclient/plugins/cert.py +++ b/ipaclient/plugins/cert.py @@ -52,6 +52,11 @@ class cert_request(MethodOverride): doc=_('Path to PEM file containing a private key'), ), Str( + 'password_file?', + label=_( + 'File containing a password for the private key or database'), + ), + Str( 'csr_profile_id?', label=_('Name of CSR generation profile (if not the same as' ' profile_id)'), 
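Review bot: The new `"$@"` pass-through forwards any trailing arguments verbatim to openssl, yet the argument-count error branch still runs `echo "Called as: $0 $@"`, so if a caller ever supplied the passphrase inline (`-passin pass:...`) instead of via `file:`, the secret would be printed on that error path. Consider printing only the positional arguments there, `echo "Called as: $0 $1 $2 ..."`, and documenting the contract above the double shift: `# Remaining arguments go unchanged to "openssl req" (e.g. -passin file:PATH); never put the secret itself on the command line.` The usage line also appears to have lost its argument placeholders in this rendering; confirm the real file still reads something like `Usage: $0 <csr> <keyfile> [openssl-req-options...]`.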
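Review bot: The rewritten openssl invocation now depends on a user-supplied `-passin` file, which makes a failing run (wrong or unreadable password) a realistic outcome, and under the script's `#!/bin/bash -e` that failure exits before the following `rm "$CONFIG"`, leaving the mktemp'd config with the CSR subject and extensions behind in the temp directory. Register the cleanup as soon as the file exists, `trap 'rm -f "$CONFIG"' EXIT` directly after `CONFIG="$(mktemp)"`, so it is removed on every exit path, and drop the trailing `rm`. Quoting `"$KEYFILE"` where the old line had a bare `$1` is the right call; the same quoting should be kept if further arguments are ever named.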
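Review bot: The new `password_file?` option carries only a `label`, while the neighbouring `private_key` option also has a `doc=` string, so the generated CLI help gives no hint of what the file must contain or who reads it. Add `doc=_('Path to a file containing the password for the private key or NSS database'),` after the label, mirroring the `private_key` entry. It is worth saying in that doc that the file is read locally by the helper tool (openssl's `file:` form takes the first line as the password, certutil reads it via `-f`), so the file should hold just the password and be kept with restrictive permissions; the enclosing class definition starts before this hunk.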
@@ -68,14 +73,19 @@ class cert_request(MethodOverride): database = options.pop('database', None) private_key = options.pop('private_key', None) csr_profile_id = options.pop('csr_profile_id', None) + password_file = options.pop('password_file', None) if csr is None: if database: helper = u'certutil' helper_args = ['-d', database] + if password_file: + helper_args += ['-f', password_file] elif private_key: helper = u'openssl' helper_args = [private_key] + if password_file: + helper_args += ['-passin', 'file:%s' % password_file] else: raise errors.InvocationError( message=u"One of 'database' or 'private_key' is required")
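Review bot: `password_file` is handed straight to certutil and openssl without any local check, so a missing or unreadable file only surfaces as an opaque helper failure after the CSR configuration has already been generated. Validate it before building `helper_args`, in the same style as the existing `InvocationError` in the else branch: `if password_file is not None and not os.access(password_file, os.R_OK): raise errors.InvocationError(message=u"Password file '%s' is not readable" % password_file)`; whether `os` is already imported in this module is not visible here. A short comment on the two new `helper_args` lines would also help readers confirm the security property, e.g. `# Only the path reaches argv (-f / -passin file:); the helper reads the secret locally.` The option is popped from `options` here, which appears to keep it from being forwarded to the server, but confirm that against where `options` is used after this hunk, since the enclosing method begins before it and continues past it.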