
certmonger-0.59-1.fc16.i686.rpm

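This is modeled after the NetworkManager API, which seems to expose quite a
bit to unprivileged processes running on the desktop.  The same consideration
applies here: the methods below include one that returns the key storage PIN
(get_key_pin) and ones that accept command strings (add_known_ca, and
"cert-postsave-command" in add_request), so which callers the bus policy
allows to reach them matters.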
http://people.redhat.com/dcbw/NetworkManager/NetworkManager%20DBUS%20API.txt

Despite efforts, this document may not match the introspection data or the
implementation, since the three are only kept in agreement manually.  Not
everything listed here may be implemented yet, but if you find a piece you
need, please file a ticket or send a patch.  Eventually we'll get it all.

The D-Bus API:
o service name = org.fedorahosted.certmonger
o object layout

  /org/fedorahosted/certmonger
  interface=org.fedorahosted.certmonger
  - find_request_by_nickname
    arguments: nickname -> string of request's nickname
    returns: path -> object path for request, if found
  - get_requests
    returns: array of paths -> object paths for requests
  - get_supported_key_types
    returns: array of string -> "RSA"
  - get_supported_key_storage
    returns: array of string -> "NSSDB", "FILE"
  - get_supported_cert_storage
    returns: array of string -> "NSSDB", "FILE"
  - add_request
    arguments: [dict{string,variant{string/path/array-of-string/number/boolean}}]
               {"NICKNAME"("nickname"),string}
               {"KEY_TYPE"("key-type"),"RSA"}
               {"KEY_SIZE"("key-size"),integer}
               {"KEY_STORAGE"("key-storage"),"NSSDB"/"FILE"/"NONE"}*
               {"KEY_LOCATION"("key-file"/"key-database"),string}*
               {"KEY_NICKNAME"("key-nickname"),string}
               {"KEY_TOKEN"("key-token"),string}
               {"KEY_PIN"("key-pin"),string}
               {"KEY_PIN_FILE"("key-pin-file"),string}
               {"CERT_STORAGE"("cert-storage"),"NSSDB"/"FILE"}*
               {"CERT_LOCATION"("cert-file"/"cert-database"),string}*
               {"CERT_NICKNAME"("cert-nickname"),string}
               {"CERT_TOKEN"("cert-token"),string}
               {"TRACK"("monitoring"),boolean}
               {"RENEW"("autorenew"),boolean}
               {"SUBJECT"("template-subject"),string}
               {"EKU"("template-eku"),array-of-string (oids)}
               {"PRINCIPAL"("template-principal"),array-of-string (principal names)}
               {"DNS"("template-hostname"),array-of-string (dns names)}
               {"EMAIL"("template-email"),array-of-string (email addresses)}
               {"CA"("ca"),path (known CA to use)}
               {("cert-postsave-command"),string}
               * = required values
    returns: boolean -> succeeded
             path (optional) -> object path for new request
  - remove_request
    arguments: path -> object path for request
    returns: boolean -> succeeded
  - find_ca_by_nickname
    arguments: nickname -> string of ca's nickname
    returns: path -> object path for ca, if found
  - get_known_cas
    returns: array of path -> object paths for known cas
  - add_known_ca
    arguments: string -> ca nickname
               string -> external helper command
               array of string (optional) -> known issuer names used by ca
    returns: boolean -> succeeded
  - remove_known_ca
    arguments: path -> object path for ca
    returns: boolean -> succeeded

  (objects whose names are returned by "get-requests" or "get-defaults")
  interface=org.fedorahosted.certmonger.request
  - get_nickname ("nickname" property)
    returns: string
  - get_status ("status"/"stuck" property pair)
    returns: string -> state name
             boolean -> i-am-stuck
  - get_key_type_and_size ("key-type"/"key-size" property pair)
    returns: string -> key algorithm
             number -> key size
  - get_key_storage_info ("key-storage"/"key-file"/"key-database"/"key-nickname"/"key-token" property set)
    returns: string -> "file", "nssdb"
             string(required for "nssdb" or "file") -> filename (for "file"), or directory (for "nssdb")
             string(required for "nssdb") -> nssdb nickname
             string(optional) -> nssdb token name
  - get_cert_storage_info ("cert-storage"/"cert-file"/"cert-database"/"cert-nickname"/"cert-token" property set)
    returns: string -> "file", "nssdb"
             string -> filename (for "file"), or directory (for "nssdb")
             string(required for "nssdb") -> nssdb nickname
             string(optional) -> nssdb token name
  - get_cert_data ("cert" property)
    returns: string -> certificate in PEM format
  - get_cert_info ("issuer"/"serial"/"subject"/"email"/"hostname"/"principal"/"eku" property set)
    returns: string -> issuer
             string -> serial number
             string -> subject
             number -> expiration (unix time)
             array of string -> email addresses
             array of string -> dns names
             array of string -> principal names
             number -> key usage as bitfield based on RFC5280's values
             array of string -> oid values
  - get_monitoring ("monitoring" property)
    returns: boolean -> enabled?
  - get_cert_last_checked ("last-checked" property)
    returns: number -> time of last check for expiration (unix time)
  - get_notification_info ("notification-type"/"notification-syslog-priority"/"notification-email" property set)
    returns: string -> method ("syslog", "email")
             string -> destination (log level or recipient)
  - get_autorenew ("autorenew" property)
    returns: boolean -> enabled?
  - get_csr_info ("template-subject"/"template-email"/"template-hostname"/"template-principal"/"template-eku" property set)
    returns: string -> subject
             array of string -> email addresses
             array of string -> dns names
             array of string -> principal names
             number -> key usage as bitfield based on RFC5280's values
             array of string -> oid values
  - get_key_pin ("key-pin" property)
    returns: string -> key storage PIN
  - get_key_pin_file ("key-pin-file" property)
    returns: string -> path of file containing key storage PIN
  - get_csr_data ("csr" property)
    returns: string -> signing request in PEM format
  - get_ca ("ca" property)
    returns: path(optional) -> path to CA object
  - get_submitted_date ("submitted-date" property)
    returns: number(optional) -> time of last submission to a CA (as time_t)
  - get_submitted_cookie ("ca-cookie" property)
    returns: string(optional) -> CA-specific value
  - get_ca_error ("ca-error" property)
    returns: text(optional) -> error text sent by the CA
  - modify
    - nickname for request
      argument: string -> new ID
    - pin for key storage
      argument: string -> PIN used for key storage
    - pin file for key storage
      argument: string -> name of file containing PIN used for key storage
    - requested subject name
      argument: string -> requested subject
    - requested subject alternative name(s): email
      argument: array of string -> new requested addresses
    - requested subject alternative name(s): dnsname
      argument: array of string -> new requested hostnames
    - requested subject alternative name(s): principalname
      argument: array of string -> new requested principal names
    - requested new key usage
      argument: number -> key usage as bitfield based on RFC5280's values
    - requested new extended key usage
      argument: array of string -> requested OIDs
    - known-ca to use
      argument: path -> object path of CA
    returns: boolean -> ok
             path    -> object path, in case it changed
  - resubmit (for requests that have been denied, generates a new csr)
    returns: boolean -> working-on-it

  (objects whose names are returned by "get-known-cas")
  interface=org.fedorahosted.certmonger.ca
  - get_nickname ("nickname" property)
    returns: string
  - get_is_default ("is-default" property)
    returns: boolean -> is-the-default-ca
  - get_type
    returns: string -> "EXTERNAL" if this is implemented by an external helper
  - get_location
    returns: string -> path to external helper
  - get_serial
    returns: string -> hex value (optional)
  - get_issuer_names ("issuer-names" property)
    returns: array of string (optional) -> set of known issuer names
  - modify
    - nickname
      arguments: string -> name of ca
      returns: boolean -> changed?
    - is-default
      arguments: boolean -> should-be-the-default-ca
      returns: boolean -> is-the-default-ca
    - helper-location
      arguments: string -> path to external helper
      returns: boolean -> changed?
    - associated issuer names (for when we have to guess which CA to use)
      arguments: array of string (optional) -> set of issuer names

Marshallers needed:
Arguments:
	string
	path
	string,string,string,array-of-string
	string,string
	boolean
	array-of-string
	dict{string,variant{string/array-of-string/number/boolean}}
Return:
	boolean
	number
	string
	path
	boolean,string
	boolean,path
	string,boolean
	string,number
	string,string
	array-of-path
	array-of-string
	string,string,string
	string,string,string,string
	string,string,string,array-of-string
	string,string,string,number,array-of-string,array-of-string,array-of-string,number,array-of-string