Blame SOURCES/0003-Add-issuer-request-option-for-specifying-issuer.patch

7a8c6d
From 2187e205da4fb2fcfdc2d8b9e4a4117f849041f7 Mon Sep 17 00:00:00 2001
7a8c6d
From: Fraser Tweedale <ftweedal@redhat.com>
7a8c6d
Date: Fri, 3 Jun 2016 10:22:23 +1000
7a8c6d
Subject: [PATCH] Add 'issuer' request option for specifying issuer
7a8c6d
7a8c6d
FreeIPA is implementing a 'lightweight CAs' feature where a single
7a8c6d
Dogtag instance can host multiple CAs.  Add the '--issuer' / '-X'
7a8c6d
getcert-request option for specifying a particular CA, and the
7a8c6d
'CERTMONGER_CA_ISSUER' environment variable for passing the value to
7a8c6d
submit helpers.  Also update the 'ipa-submit' helper to set the 'ca'
7a8c6d
argument if the environment variable is set.
7a8c6d
7a8c6d
Reviewed-by: Nalin Dahyabhai <nalin@redhat.com>
7a8c6d
---
7a8c6d
 doc/api.txt                     |  2 ++
7a8c6d
 doc/submit.txt                  |  1 +
7a8c6d
 src/cadata.c                    |  1 +
7a8c6d
 src/getcert-request.1.in        |  3 +++
7a8c6d
 src/getcert-resubmit.1.in       |  3 +++
7a8c6d
 src/getcert-start-tracking.1.in |  3 +++
7a8c6d
 src/getcert.c                   | 44 ++++++++++++++++++++++++++++++++++++-----
7a8c6d
 src/ipa.c                       | 25 +++++++++++++++++------
7a8c6d
 src/store-files.c               |  9 +++++++++
7a8c6d
 src/store-int.h                 |  1 +
7a8c6d
 src/submit-e.c                  |  1 +
7a8c6d
 src/submit-e.h                  |  1 +
7a8c6d
 src/tdbus.h                     |  1 +
7a8c6d
 src/tdbush.c                    | 25 ++++++++++++++++++++++-
7a8c6d
 tests/028-dbus/expected.out     |  1 +
7a8c6d
 15 files changed, 109 insertions(+), 12 deletions(-)
7a8c6d
7a8c6d
diff --git a/doc/api.txt b/doc/api.txt
7a8c6d
index e11f944de5861663d742c8b91129f7b592e7f72c..31016bec004f0b7f00db4cb3baefd236d485dc85 100644
7a8c6d
--- a/doc/api.txt
7a8c6d
+++ b/doc/api.txt
7a8c6d
@@ -56,6 +56,7 @@ o object layout
7a8c6d
                {("template-crldp"),array-of-string (CRL distribution point URIs)}
7a8c6d
                {("template-ns-comment"),string (Netscape comment)}
7a8c6d
                {("template-profile"),string (certificate profile)}
7a8c6d
+               {("template-issuer"),string (requested issuer)}
7a8c6d
                {("template-challenge-password"),string (password to add to CSR)}
7a8c6d
                {("template-challenge-password-file"),string (password file)
7a8c6d
                {("cert-presave-command"),string}
7a8c6d
@@ -164,6 +165,7 @@ o object layout
7a8c6d
                {("template-crldp"),array-of-string (CRL distribution point URIs)}
7a8c6d
                {("template-ns-comment"),string (Netscape comment)}
7a8c6d
                {("template-profile"),string (certificate profile)}
7a8c6d
+               {("template-issuer"),string (requested issuer)}
7a8c6d
                {("template-challenge-password"),string (password to add to CSR)}
7a8c6d
                {("template-challenge-password-file"),string (password file)
7a8c6d
                {("cert-presave-command"),string}
7a8c6d
diff --git a/doc/submit.txt b/doc/submit.txt
7a8c6d
index dbf5319dc29bd9adb4054d4e76e90f028bad5fa6..7444f88c078b7453ae350268482832485259348a 100644
7a8c6d
--- a/doc/submit.txt
7a8c6d
+++ b/doc/submit.txt
7a8c6d
@@ -13,6 +13,7 @@ An external CA helper has a few jobs:
7a8c6d
   * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values
7a8c6d
   * $CERTMONGER_REQ_IP_ADDRESS-> IP address subjectAltName values (since 0.78)
7a8c6d
   * $CERTMONGER_CA_PROFILE    -> requested enrollment profile/template/certtype
7a8c6d
+  * $CERTMONGER_CA_ISSUER     -> requested issuer for enrollment
7a8c6d
   * $CERTMONGER_CSR           -> certificate signing request
7a8c6d
   * $CERTMONGER_CERTIFICATE   -> previously-issued certificate, if there is one
7a8c6d
   * $CERTMONGER_CA_NICKNAME   -> nickname of CA (since 0.73)
7a8c6d
diff --git a/src/cadata.c b/src/cadata.c
7a8c6d
index 947b2e68d3e74abf688aebd48344bfbf964e5656..7861fe73104143d6a9135fcb50b3ead583b03bf7 100644
7a8c6d
--- a/src/cadata.c
7a8c6d
+++ b/src/cadata.c
7a8c6d
@@ -50,6 +50,7 @@ const char *attribute_map[] = {
7a8c6d
 	CM_SUBMIT_REQ_EMAIL_ENV, CM_DBUS_PROP_TEMPLATE_EMAIL,
7a8c6d
 	CM_SUBMIT_REQ_IP_ADDRESS_ENV, CM_DBUS_PROP_TEMPLATE_IP_ADDRESS,
7a8c6d
 	CM_SUBMIT_PROFILE_ENV, CM_DBUS_PROP_TEMPLATE_PROFILE,
7a8c6d
+	CM_SUBMIT_ISSUER_ENV, CM_DBUS_PROP_TEMPLATE_ISSUER,
7a8c6d
 	NULL,
7a8c6d
 };
7a8c6d
 
7a8c6d
diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
7a8c6d
index f11f1ffa35ccb6eb3d6aeea149353f55d5266534..b6578dce4b06fd60f9e784ba5665489eb3dd3982 100644
7a8c6d
--- a/src/getcert-request.1.in
7a8c6d
+++ b/src/getcert-request.1.in
7a8c6d
@@ -87,6 +87,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR.
7a8c6d
 \fB\-T\fR NAME
7a8c6d
 Request a certificate using the named profile, template, or certtype,
7a8c6d
 from the specified CA.
7a8c6d
+.TP
7a8c6d
+\fB\-X\fR NAME
7a8c6d
+Request a certificate using the named issuer from the specified CA.
7a8c6d
 
7a8c6d
 .SH SIGNING REQUEST OPTIONS
7a8c6d
 
7a8c6d
diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in
7a8c6d
index ad31da9995194280d79c2ce6bb2311291d37072d..165940eab1e625ecd3db63a1cf0bd822ae6abf72 100644
7a8c6d
--- a/src/getcert-resubmit.1.in
7a8c6d
+++ b/src/getcert-resubmit.1.in
7a8c6d
@@ -48,6 +48,9 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR.
7a8c6d
 Request a certificate using the named profile, template, or certtype,
7a8c6d
 from the specified CA.
7a8c6d
 .TP
7a8c6d
+\fB\-X\fR NAME
7a8c6d
+Request a certificate using the named issuer from the specified CA.
7a8c6d
+.TP
7a8c6d
 \fB\-I\fR NAME
7a8c6d
 Assign the specified nickname to this task, replacing the previous nickname.
7a8c6d
 
7a8c6d
diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in
7a8c6d
index 6cd24e77dd578662e4b18b8ae18dd26b6faa7122..a46f53578626bc62abaeb22e77500548c34ac3c0 100644
7a8c6d
--- a/src/getcert-start-tracking.1.in
7a8c6d
+++ b/src/getcert-start-tracking.1.in
7a8c6d
@@ -85,6 +85,9 @@ useful in combination with \fB\-r\fR.
7a8c6d
 \fB\-T\fR NAME
7a8c6d
 Request a certificate using the named profile, template, or certtype,
7a8c6d
 from the specified CA.
7a8c6d
+.TP
7a8c6d
+\fB\-X\fR NAME
7a8c6d
+Request a certificate using the named issuer from the specified CA.
7a8c6d
 
7a8c6d
 .SH SIGNING REQUEST OPTIONS
7a8c6d
 If and when \fIcertmonger\fR attempts to obtain a new certificate to replace
7a8c6d
diff --git a/src/getcert.c b/src/getcert.c
7a8c6d
index 49840dd968a75929ef55c6b77966187f0c59fa78..cfa36fb1a7ea16c9c9bacc8f40360efa594b7830 100644
7a8c6d
--- a/src/getcert.c
7a8c6d
+++ b/src/getcert.c
7a8c6d
@@ -691,7 +691,7 @@ request(const char *argv0, int argc, const char **argv)
7a8c6d
 	char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
7a8c6d
 	int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j;
7a8c6d
 	char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL;
7a8c6d
-	char *profile = NULL, kustring[16];
7a8c6d
+	char *profile = NULL, *issuer = NULL, kustring[16];
7a8c6d
 	char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;
7a8c6d
 	char *key_owner = NULL, *key_perms = NULL;
7a8c6d
 	char *cert_owner = NULL, *cert_perms = NULL;
7a8c6d
@@ -732,6 +732,7 @@ request(const char *argv0, int argc, const char **argv)
7a8c6d
 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME},
7a8c6d
 #endif
7a8c6d
 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},
7a8c6d
+		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},
7a8c6d
 		{"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=<hostname>)"), HELP_TYPE_SUBJECT},
7a8c6d
 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU},
7a8c6d
 		{"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU},
7a8c6d
@@ -858,6 +859,9 @@ request(const char *argv0, int argc, const char **argv)
7a8c6d
 		case 'T':
7a8c6d
 			profile = talloc_strdup(globals.tctx, poptarg);
7a8c6d
 			break;
7a8c6d
+		case 'X':
7a8c6d
+			issuer = talloc_strdup(globals.tctx, poptarg);
7a8c6d
+			break;
7a8c6d
 		case 'N':
7a8c6d
 			subject = talloc_strdup(globals.tctx, poptarg);
7a8c6d
 			break;
7a8c6d
@@ -1289,6 +1293,13 @@ request(const char *argv0, int argc, const char **argv)
7a8c6d
 		params[i] = &param[i];
7a8c6d
 		i++;
7a8c6d
 	}
7a8c6d
+	if (issuer != NULL) {
7a8c6d
+		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;
7a8c6d
+		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
+		param[i].value.s = issuer;
7a8c6d
+		params[i] = &param[i];
7a8c6d
+		i++;
7a8c6d
+	}
7a8c6d
 	if (precommand != NULL) {
7a8c6d
 		param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND;
7a8c6d
 		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
@@ -1480,7 +1491,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
7a8c6d
 		  char *key_perms, char *cert_perms,
7a8c6d
 		  char *pin, char *pinfile,
7a8c6d
 		  char *cpass, char *cpassfile,
7a8c6d
-		  char *ca, char *profile,
7a8c6d
+		  char *ca, char *profile, char *issuer,
7a8c6d
 		  char *precommand, char *postcommand,
7a8c6d
 		  char **anchor_dbs, char **anchor_files,
7a8c6d
 		  dbus_bool_t auto_renew_stop, int waitreq,
7a8c6d
@@ -1644,6 +1655,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
7a8c6d
 		params[i] = &param[i];
7a8c6d
 		i++;
7a8c6d
 	}
7a8c6d
+	if (issuer != NULL) {
7a8c6d
+		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;
7a8c6d
+		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
+		param[i].value.s = issuer;
7a8c6d
+		params[i] = &param[i];
7a8c6d
+		i++;
7a8c6d
+	}
7a8c6d
 	if (precommand != NULL) {
7a8c6d
 		param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND;
7a8c6d
 		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
@@ -1726,7 +1744,7 @@ set_tracking(const char *argv0, const char *category,
7a8c6d
 	char **anchor_dbs = NULL, **anchor_files = NULL;
7a8c6d
 	char *id = NULL, *new_id = NULL, *new_request;
7a8c6d
 	char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA;
7a8c6d
-	char *profile = NULL;
7a8c6d
+	char *profile = NULL, *issuer = NULL;
7a8c6d
 	char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
7a8c6d
 	char *key_owner = NULL, *key_perms = NULL;
7a8c6d
 	char *cert_owner = NULL, *cert_perms = NULL;
7a8c6d
@@ -1767,6 +1785,7 @@ set_tracking(const char *argv0, const char *category,
7a8c6d
 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME},
7a8c6d
 #endif
7a8c6d
 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},
7a8c6d
+		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},
7a8c6d
 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU},
7a8c6d
 		{"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU},
7a8c6d
 		{"principal", 'K', POPT_ARG_STRING, NULL, 'K', _("override requested principal name"), HELP_TYPE_PRINCIPAL},
7a8c6d
@@ -2291,7 +2310,7 @@ set_tracking(const char *argv0, const char *category,
7a8c6d
 						 key_perms, cert_perms,
7a8c6d
 						 pin, pinfile,
7a8c6d
 						 cpass, cpassfile,
7a8c6d
-						 ca, profile,
7a8c6d
+						 ca, profile, issuer,
7a8c6d
 						 precommand, postcommand,
7a8c6d
 						 anchor_dbs, anchor_files,
7a8c6d
 						 (auto_renew_stop > 0),
7a8c6d
@@ -2366,7 +2385,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
7a8c6d
 	char *id = NULL, *new_id = NULL, *ca = NULL, *new_request, *nss_scheme;
7a8c6d
 	char *subject = NULL, **eku = NULL, *oid = NULL;
7a8c6d
 	char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;
7a8c6d
-	char *profile = NULL, kustring[16];
7a8c6d
+	char *profile = NULL, *issuer = NULL, kustring[16];
7a8c6d
 	char *key_owner = NULL, *key_perms = NULL;
7a8c6d
 	char *cert_owner = NULL, *cert_perms = NULL;
7a8c6d
 	char *keytype = NULL;
7a8c6d
@@ -2403,6 +2422,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
7a8c6d
 		{"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME},
7a8c6d
 #endif
7a8c6d
 		{"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},
7a8c6d
+		{"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},
7a8c6d
 		{"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=<hostname>)"), HELP_TYPE_SUBJECT},
7a8c6d
 		{"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU},
7a8c6d
 		{"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("set requested extended key usage OID"), HELP_TYPE_EKU},
7a8c6d
@@ -2477,6 +2497,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
7a8c6d
 		case 'T':
7a8c6d
 			profile = talloc_strdup(globals.tctx, poptarg);
7a8c6d
 			break;
7a8c6d
+		case 'X':
7a8c6d
+			issuer = talloc_strdup(globals.tctx, poptarg);
7a8c6d
+			break;
7a8c6d
 		case 'i':
7a8c6d
 			id = talloc_strdup(globals.tctx, poptarg);
7a8c6d
 			break;
7a8c6d
@@ -2838,6 +2861,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
7a8c6d
 		params[i] = &param[i];
7a8c6d
 		i++;
7a8c6d
 	}
7a8c6d
+	if (issuer != NULL) {
7a8c6d
+		param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;
7a8c6d
+		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
+		param[i].value.s = issuer;
7a8c6d
+		params[i] = &param[i];
7a8c6d
+		i++;
7a8c6d
+	}
7a8c6d
 	if (precommand != NULL) {
7a8c6d
 		param[i].key = CM_DBUS_PROP_CERT_PRESAVE_COMMAND;
7a8c6d
 		param[i].value_type = cm_tdbusm_dict_s;
7a8c6d
@@ -4647,6 +4677,7 @@ help(const char *twopartcmd, const char *category)
7a8c6d
 		N_("  -c CA		use the specified CA rather than the default\n"),
7a8c6d
 #endif
7a8c6d
 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
7a8c6d
+		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
7a8c6d
 		N_("* Parameters for the signing request:\n"),
7a8c6d
 		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),
7a8c6d
 		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),
7a8c6d
@@ -4695,6 +4726,7 @@ help(const char *twopartcmd, const char *category)
7a8c6d
 		N_("  -c CA		use the specified CA rather than the default\n"),
7a8c6d
 #endif
7a8c6d
 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
7a8c6d
+		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
7a8c6d
 		N_("* Parameters for the signing request at renewal time:\n"),
7a8c6d
 		N_("  -U EXTUSAGE	override requested extended key usage OID\n"),
7a8c6d
 		N_("  -u KEYUSAGE	set requested key usage value\n"),
7a8c6d
@@ -4773,6 +4805,7 @@ help(const char *twopartcmd, const char *category)
7a8c6d
 		N_("  -c CA		use the specified CA rather than the current one\n"),
7a8c6d
 #endif
7a8c6d
 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
7a8c6d
+		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
7a8c6d
 		N_("* Bus options:\n"),
7a8c6d
 		N_("  -S		connect to the certmonger service on the system bus\n"),
7a8c6d
 		N_("  -s		connect to the certmonger service on the session bus\n"),
7a8c6d
@@ -4820,6 +4853,7 @@ help(const char *twopartcmd, const char *category)
7a8c6d
 		N_("  -c CA		use the specified CA rather than the current one\n"),
7a8c6d
 #endif
7a8c6d
 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
7a8c6d
+		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
7a8c6d
 		N_("  -G TYPE	type of new key to be generated\n"),
7a8c6d
 		N_("  -g SIZE	size of new key to be generated\n"),
7a8c6d
 		N_("* Bus options:\n"),
7a8c6d
diff --git a/src/ipa.c b/src/ipa.c
7a8c6d
index 5236abb40246c270d1b14c5cfbc467dbd6e8f7a4..72cdda6b07ea5a4850fb404497196c46a6bbbd6d 100644
7a8c6d
--- a/src/ipa.c
7a8c6d
+++ b/src/ipa.c
7a8c6d
@@ -332,7 +332,8 @@ cm_locate_xmlrpc_service(const char *server,
7a8c6d
 /* Make an XML-RPC request to the "cert_request" method. */
7a8c6d
 static int
7a8c6d
 submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
7a8c6d
-	           const char *csr, const char *reqprinc, const char *profile)
7a8c6d
+	           const char *csr, const char *reqprinc,
7a8c6d
+		   const char *profile, const char *issuer)
7a8c6d
 {
7a8c6d
 	struct cm_submit_x_context *ctx;
7a8c6d
 	const char *args[2];
7a8c6d
@@ -366,6 +367,10 @@ submit:
7a8c6d
 	if (profile != NULL) {
7a8c6d
 		cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
7a8c6d
 	}
7a8c6d
+	/* Add the requested CA named argument. */
7a8c6d
+	if (issuer != NULL) {
7a8c6d
+		cm_submit_x_add_named_arg_s(ctx, "ca", issuer);
7a8c6d
+	}
7a8c6d
 	/* Tell the server to add entries for a principal if one
7a8c6d
 	 * doesn't exist yet. */
7a8c6d
 	cm_submit_x_add_named_arg_b(ctx, "add", 1);
7a8c6d
@@ -440,12 +445,14 @@ static int
7a8c6d
 submit_or_poll(const char *uri, const char *cainfo, const char *capath,
7a8c6d
 	       const char *server, int ldap_uri_cmd, const char *ldap_uri,
7a8c6d
 	       const char *host, const char *domain, char *basedn,
7a8c6d
-	       const char *csr, const char *reqprinc, const char *profile)
7a8c6d
+	       const char *csr, const char *reqprinc,
7a8c6d
+	       const char *profile, const char *issuer)
7a8c6d
 {
7a8c6d
 	int i, u;
7a8c6d
 	char **uris;
7a8c6d
 
7a8c6d
-	i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile);
7a8c6d
+	i = submit_or_poll_uri(uri, cainfo, capath, csr, reqprinc, profile,
7a8c6d
+			       issuer);
7a8c6d
 	if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
7a8c6d
 	    (i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
7a8c6d
 		u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
7a8c6d
@@ -456,7 +463,8 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
7a8c6d
 					continue;
7a8c6d
 				}
7a8c6d
 				i = submit_or_poll_uri(uris[u], cainfo, capath,
7a8c6d
-						       csr, reqprinc, profile);
7a8c6d
+						       csr, reqprinc, profile,
7a8c6d
+						       issuer);
7a8c6d
 				if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
7a8c6d
 				    (i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
7a8c6d
 					talloc_free(uris);
7a8c6d
@@ -556,7 +564,7 @@ main(int argc, const char **argv)
7a8c6d
 	const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
7a8c6d
 	int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
7a8c6d
 	const char *mode = CM_OP_SUBMIT;
7a8c6d
-	char ldn[LINE_MAX], *basedn = NULL, *profile = NULL;
7a8c6d
+	char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
7a8c6d
 	krb5_error_code kret;
7a8c6d
 	poptContext pctx;
7a8c6d
 	struct poptOption popts[] = {
7a8c6d
@@ -571,6 +579,7 @@ main(int argc, const char **argv)
7a8c6d
 		{"use-ccache-creds", 'K', POPT_ARG_NONE, NULL, 'K', "use default ccache instead of creating a new one using keytab", NULL},
7a8c6d
 		{"principal-of-request", 'P', POPT_ARG_STRING, &reqprinc, 0, "principal name in signing request", "PRINCIPAL"},
7a8c6d
 		{"profile", 'T', POPT_ARG_STRING, &profile, 0, "request enrollment using the specified profile", "NAME"},
7a8c6d
+		{"issuer", 'X', POPT_ARG_STRING, &issuer, 0, "request enrollment using the specified CA", "NAME"},
7a8c6d
 		{"basedn", 'b', POPT_ARG_STRING, &basedn, 0, "IPA domain LDAP base DN", "DN"},
7a8c6d
 		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
7a8c6d
 		POPT_AUTOHELP
7a8c6d
@@ -729,6 +738,10 @@ main(int argc, const char **argv)
7a8c6d
 		    (getenv(CM_SUBMIT_PROFILE_ENV) != NULL)) {
7a8c6d
 			profile = strdup(getenv(CM_SUBMIT_PROFILE_ENV));
7a8c6d
 		}
7a8c6d
+		if ((issuer == NULL) &&
7a8c6d
+		    (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
7a8c6d
+			issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
7a8c6d
+		}
7a8c6d
 		if ((server != NULL) && !xmlrpc_uri_cmd) {
7a8c6d
 			snprintf(uri, sizeof(uri),
7a8c6d
 				 "https://%s/ipa/xml", server);
7a8c6d
@@ -835,7 +848,7 @@ main(int argc, const char **argv)
7a8c6d
 		return submit_or_poll(uri, cainfo, capath,
7a8c6d
 				      server, ldap_uri_cmd, ldap_uri,
7a8c6d
 				      host, domain, basedn,
7a8c6d
-				      csr, reqprinc, profile);
7a8c6d
+				      csr, reqprinc, profile, issuer);
7a8c6d
 	} else
7a8c6d
 	if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
7a8c6d
 		return fetch_roots(server, ldap_uri_cmd, ldap_uri, host,
7a8c6d
diff --git a/src/store-files.c b/src/store-files.c
7a8c6d
index 961d03b7d1724a2cdb1fc4a26d8f1e25e474824f..889829ca62a035a758288aac158cbe17b0fd9e6d 100644
7a8c6d
--- a/src/store-files.c
7a8c6d
+++ b/src/store-files.c
7a8c6d
@@ -129,6 +129,7 @@ enum cm_store_file_field {
7a8c6d
 	cm_store_entry_field_template_ocsp_location,
7a8c6d
 	cm_store_entry_field_template_ns_comment,
7a8c6d
 	cm_store_entry_field_template_profile,
7a8c6d
+	cm_store_entry_field_template_issuer,
7a8c6d
 	cm_store_entry_field_template_no_ocsp_check,
7a8c6d
 	cm_store_entry_field_template_ns_certtype,
7a8c6d
 
7a8c6d
@@ -303,6 +304,7 @@ static struct cm_store_file_field_list {
7a8c6d
 	{cm_store_entry_field_template_ns_comment, "template_ns_comment"},
7a8c6d
 	{cm_store_entry_field_template_profile, "template_profile"}, /* right */
7a8c6d
 	{cm_store_entry_field_template_profile, "ca_profile"}, /* wrong */
7a8c6d
+	{cm_store_entry_field_template_issuer, "template_issuer"},
7a8c6d
 	{cm_store_entry_field_template_no_ocsp_check, "template_no_ocsp_check"},
7a8c6d
 	{cm_store_entry_field_template_ns_certtype, "template_ns_certtype"},
7a8c6d
 
7a8c6d
@@ -1127,6 +1129,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
7a8c6d
 			case cm_store_entry_field_template_profile:
7a8c6d
 				ret->cm_template_profile = free_if_empty(p);
7a8c6d
 				break;
7a8c6d
+			case cm_store_entry_field_template_issuer:
7a8c6d
+				ret->cm_template_issuer = free_if_empty(p);
7a8c6d
+				break;
7a8c6d
 			case cm_store_entry_field_template_no_ocsp_check:
7a8c6d
 				ret->cm_template_no_ocsp_check = atoi(p) != 0;
7a8c6d
 				talloc_free(p);
7a8c6d
@@ -1370,6 +1375,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
7a8c6d
 			case cm_store_entry_field_template_ocsp_location:
7a8c6d
 			case cm_store_entry_field_template_ns_comment:
7a8c6d
 			case cm_store_entry_field_template_profile:
7a8c6d
+			case cm_store_entry_field_template_issuer:
7a8c6d
 			case cm_store_entry_field_template_no_ocsp_check:
7a8c6d
 			case cm_store_entry_field_template_ns_certtype:
7a8c6d
 			case cm_store_entry_field_challenge_password:
7a8c6d
@@ -1972,6 +1978,8 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
7a8c6d
 				entry->cm_template_ns_comment);
7a8c6d
 	cm_store_file_write_str(fp, cm_store_entry_field_template_profile,
7a8c6d
 				entry->cm_template_profile);
7a8c6d
+	cm_store_file_write_str(fp, cm_store_entry_field_template_issuer,
7a8c6d
+				entry->cm_template_issuer);
7a8c6d
 	cm_store_file_write_int(fp, cm_store_entry_field_template_no_ocsp_check,
7a8c6d
 				entry->cm_template_no_ocsp_check ? 1 : 0);
7a8c6d
 	cm_store_file_write_str(fp, cm_store_entry_field_template_ns_certtype,
7a8c6d
@@ -2735,6 +2743,7 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
7a8c6d
 	ret->cm_template_ocsp_location = cm_store_maybe_strdupv(ret, entry->cm_template_ocsp_location);
7a8c6d
 	ret->cm_template_ns_comment = cm_store_maybe_strdup(ret, entry->cm_template_ns_comment);
7a8c6d
 	ret->cm_template_profile = cm_store_maybe_strdup(ret, entry->cm_template_profile);
7a8c6d
+	ret->cm_template_issuer = cm_store_maybe_strdup(ret, entry->cm_template_issuer);
7a8c6d
 	ret->cm_template_no_ocsp_check = entry->cm_template_no_ocsp_check;
7a8c6d
 	ret->cm_template_ns_certtype = cm_store_maybe_strdup(ret,
7a8c6d
 							     entry->cm_template_ns_certtype);
7a8c6d
diff --git a/src/store-int.h b/src/store-int.h
7a8c6d
index d7d3fc86306b103b0a90faef7396697743b9c8da..2d3a35387516c48ab81a6422e42d57d5741593f6 100644
7a8c6d
--- a/src/store-int.h
7a8c6d
+++ b/src/store-int.h
7a8c6d
@@ -142,6 +142,7 @@ struct cm_store_entry {
7a8c6d
 	char **cm_template_ocsp_location;
7a8c6d
 	char *cm_template_ns_comment;
7a8c6d
 	char *cm_template_profile;
7a8c6d
+	char *cm_template_issuer;
7a8c6d
 	char *cm_template_ns_certtype;
7a8c6d
 	unsigned int cm_template_no_ocsp_check: 1;
7a8c6d
 	/* A challenge password, which may be included (in cleartext form!) in
7a8c6d
diff --git a/src/submit-e.c b/src/submit-e.c
7a8c6d
index 6997b436e42aa4f77c421040070ee2484467dea5..befd01e0fd00b8f9e239752ffbd80c985fae5057 100644
7a8c6d
--- a/src/submit-e.c
7a8c6d
+++ b/src/submit-e.c
7a8c6d
@@ -876,6 +876,7 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
7a8c6d
 	maybe_setenv(CM_SUBMIT_COOKIE_ENV, entry->cm_ca_cookie);
7a8c6d
 	maybe_setenv(CM_SUBMIT_CA_NICKNAME_ENV, entry->cm_ca_nickname);
7a8c6d
 	maybe_setenv(CM_SUBMIT_PROFILE_ENV, entry->cm_template_profile);
7a8c6d
+	maybe_setenv(CM_SUBMIT_ISSUER_ENV, entry->cm_template_issuer);
7a8c6d
 	maybe_setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert);
7a8c6d
 	/* Only pass SCEP data to the helper if we haven't used this set of
7a8c6d
 	 * nonced data before.  It'll ask for fresh data if it needs it. */
7a8c6d
diff --git a/src/submit-e.h b/src/submit-e.h
7a8c6d
index 2e325cf7d36436b89287e9933db83a6d853abfd1..0148d4da07507a000d8e6e8aca98f2ed84669eca 100644
7a8c6d
--- a/src/submit-e.h
7a8c6d
+++ b/src/submit-e.h
7a8c6d
@@ -48,6 +48,7 @@ const char *cm_submit_e_status_text(enum cm_external_status status);
7a8c6d
 #define CM_SUBMIT_COOKIE_ENV "CERTMONGER_CA_COOKIE"
7a8c6d
 #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME"
7a8c6d
 #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE"
7a8c6d
+#define CM_SUBMIT_ISSUER_ENV "CERTMONGER_CA_ISSUER"
7a8c6d
 #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE"
7a8c6d
 #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER"
7a8c6d
 #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE"
7a8c6d
diff --git a/src/tdbus.h b/src/tdbus.h
7a8c6d
index c9b3afeb59548c2dc1260cfd7c76b39327a42f89..496f2dd289a0bd9b4d66451ea5eb0acf83d0cf5f 100644
7a8c6d
--- a/src/tdbus.h
7a8c6d
+++ b/src/tdbus.h
7a8c6d
@@ -108,6 +108,7 @@
7a8c6d
 #define CM_DBUS_PROP_TEMPLATE_FRESHEST_CRL "template-freshest-crl"
7a8c6d
 #define CM_DBUS_PROP_TEMPLATE_NS_COMMENT "template-ns-comment"
7a8c6d
 #define CM_DBUS_PROP_TEMPLATE_PROFILE "template-profile"
7a8c6d
+#define CM_DBUS_PROP_TEMPLATE_ISSUER "template-issuer"
7a8c6d
 #define CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE "template-ns-certtype"
7a8c6d
 #define CM_DBUS_SIGNAL_REQUEST_CERT_SAVED "SavedCertificate"
7a8c6d
 #define CM_DBUS_PROP_CA_PRESAVE_COMMAND "ca-presave-command"
7a8c6d
diff --git a/src/tdbush.c b/src/tdbush.c
7a8c6d
index 4660f80f26669d31b2629c543384fe95bbec1ea9..05a503e06a553c566dcff5e053cbd8aa16c20f14 100644
7a8c6d
--- a/src/tdbush.c
7a8c6d
+++ b/src/tdbush.c
7a8c6d
@@ -1562,6 +1562,13 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
7a8c6d
 							      param->value.s);
7a8c6d
 	}
7a8c6d
 	param = cm_tdbusm_find_dict_entry(d,
7a8c6d
+					  CM_DBUS_PROP_TEMPLATE_ISSUER,
7a8c6d
+					  cm_tdbusm_dict_s);
7a8c6d
+	if (param != NULL) {
7a8c6d
+		new_entry->cm_template_issuer = maybe_strdup(new_entry,
7a8c6d
+							      param->value.s);
7a8c6d
+	}
7a8c6d
+	param = cm_tdbusm_find_dict_entry(d,
7a8c6d
 					  CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD,
7a8c6d
 					  cm_tdbusm_dict_s);
7a8c6d
 	if ((param != NULL) &&
7a8c6d
@@ -3306,6 +3313,14 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
7a8c6d
 				}
7a8c6d
 			} else
7a8c6d
 			if ((param->value_type == cm_tdbusm_dict_s) &&
7a8c6d
+			    (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_ISSUER) == 0)) {
7a8c6d
+				talloc_free(entry->cm_template_issuer);
7a8c6d
+				entry->cm_template_issuer = maybe_strdup(entry, param->value.s);
7a8c6d
+				if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
7a8c6d
+					propname[n_propname++] = CM_DBUS_PROP_TEMPLATE_ISSUER;
7a8c6d
+				}
7a8c6d
+			} else
7a8c6d
+			if ((param->value_type == cm_tdbusm_dict_s) &&
7a8c6d
 			    (strcasecmp(param->key, CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD) == 0)) {
7a8c6d
 				talloc_free(entry->cm_template_challenge_password);
7a8c6d
 				entry->cm_template_challenge_password = maybe_strdup(entry,
7a8c6d
@@ -6712,6 +6727,14 @@ cm_tdbush_iface_request(void)
7a8c6d
 								       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
7a8c6d
 								       NULL),
7a8c6d
 				     make_interface_item(cm_tdbush_interface_property,
7a8c6d
+							 make_property(CM_DBUS_PROP_TEMPLATE_ISSUER,
7a8c6d
+								       cm_tdbush_property_string,
7a8c6d
+								       cm_tdbush_property_readwrite,
7a8c6d
+								       cm_tdbush_property_char_p,
7a8c6d
+								       offsetof(struct cm_store_entry, cm_template_issuer),
7a8c6d
+								       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
7a8c6d
+								       NULL),
7a8c6d
+				     make_interface_item(cm_tdbush_interface_property,
7a8c6d
 							 make_property(CM_DBUS_PROP_TEMPLATE_NS_CERTTYPE,
7a8c6d
 								       cm_tdbush_property_string,
7a8c6d
 								       cm_tdbush_property_readwrite,
7a8c6d
@@ -7156,7 +7179,7 @@ cm_tdbush_iface_request(void)
7a8c6d
 				     make_interface_item(cm_tdbush_interface_signal,
7a8c6d
 							 make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
7a8c6d
 								     NULL),
7a8c6d
-							 NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
7a8c6d
+							 NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
7a8c6d
 	}
7a8c6d
 	return ret;
7a8c6d
 }
7a8c6d
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
7a8c6d
index ba55dd5ce97c74475dbebb761c41dd2e64e64365..b2660317b3102373f2a5a877a7224f727929412c 100644
7a8c6d
--- a/tests/028-dbus/expected.out
7a8c6d
+++ b/tests/028-dbus/expected.out
7a8c6d
@@ -328,6 +328,7 @@ OK
7a8c6d
   <property name="template-freshest-crl" type="as" access="readwrite"/>
7a8c6d
   <property name="template-ns-comment" type="s" access="readwrite"/>
7a8c6d
   <property name="template-profile" type="s" access="readwrite"/>
7a8c6d
+  <property name="template-issuer" type="s" access="readwrite"/>
7a8c6d
   <property name="template-ns-certtype" type="s" access="readwrite"/>
7a8c6d
   <property name="template-challenge-password" type="s" access="readwrite"/>
7a8c6d
   <property name="template-challenge-password-file" type="s" access="readwrite"/>
7a8c6d
-- 
7a8c6d
2.9.0
7a8c6d