Imported Upstream version 4.7.2

ipaclient/csrgen/profiles/caIPAserviceCert.json

@@ -0,0 +1,15 @@
+[
+    {
+        "syntax": "syntaxSubject",
+        "data": [
+            "dataHostCN",
+            "dataSubjectBase"
+        ]
+    },
+    {
+        "syntax": "syntaxSAN",
+        "data": [
+            "dataDNS"
+        ]
+    }
+]

ipaclient/csrgen/profiles/userCert.json

@@ -0,0 +1,15 @@
+[
+    {
+        "syntax": "syntaxSubject",
+        "data": [
+            "dataUsernameCN",
+            "dataSubjectBase"
+        ]
+    },
+    {
+        "syntax": "syntaxSAN",
+        "data": [
+            "dataEmail"
+        ]
+    }
+]

ipaclient/csrgen/rules/dataDNS.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
+  },
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
+}

ipaclient/csrgen/rules/dataEmail.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "email = {{subject.mail.0}}"
+  },
+  "options": {
+    "data_source": "subject.mail.0"
+  }
+}

ipaclient/csrgen/rules/dataHostCN.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
+  },
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
+}

ipaclient/csrgen/rules/dataSubjectBase.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "{{config.ipacertificatesubjectbase.0}}"
+  },
+  "options": {
+    "data_source": "config.ipacertificatesubjectbase.0"
+  }
+}

ipaclient/csrgen/rules/dataUsernameCN.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "CN={{subject.uid.0}}"
+  },
+  "options": {
+    "data_source": "subject.uid.0"
+  }
+}

ipaclient/csrgen/rules/syntaxSAN.json

@@ -0,0 +1,8 @@
+{
+  "rule": {
+    "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}"
+  },
+  "options": {
+    "extension": true
+  }
+}

ipaclient/csrgen/rules/syntaxSubject.json

@@ -0,0 +1,9 @@
+{
+  "rule": {
+    "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
+  },
+  "options": {
+    "required": true,
+    "data_source_combinator": "and"
+  }
+}

ipaclient/csrgen/templates/openssl_base.tmpl

@@ -0,0 +1,17 @@
+{% raw -%}
+{% import "openssl_macros.tmpl" as openssl -%}
+{% endraw -%}
+[ req ]
+prompt = no
+encrypt_key = no
+
+{{ parameters|join('\n') }}
+{% raw %}{% set rendered_extensions -%}{% endraw %}
+{{ extensions|join('\n') }}
+{% raw -%}
+{%- endset -%}
+{% if rendered_extensions -%}
+req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
+{% endif %}
+{{ openssl.openssl_sections|join('\n\n') }}
+{%- endraw %}

ipaclient/csrgen/templates/openssl_macros.tmpl

@@ -0,0 +1,29 @@
+{# List containing rendered sections to be included at end #}
+{% set openssl_sections = [] %}
+
+{#
+List containing one entry for each section name allocated. Because of
+scoping rules, we need to use a list so that it can be a "per-render global"
+that gets updated in place. Real globals are shared by all templates with the
+same environment, and variables defined in the macro don't persist after the
+macro invocation ends.
+#}
+{% set openssl_section_num = [] %}
+
+{% macro section() -%}
+{% set name -%}
+sec{{ openssl_section_num|length -}}
+{% endset -%}
+{% do openssl_section_num.append('') -%}
+{% set contents %}{{ caller() }}{% endset -%}
+{% if contents -%}
+{% set sectiondata = formatsection(name, contents) -%}
+{% do openssl_sections.append(sectiondata) -%}
+{% endif -%}
+{{ name -}}
+{% endmacro %}
+
+{% macro formatsection(name, contents) -%}
+[ {{ name }} ]
+{{ contents -}}
+{% endmacro %}