authorAde Lee <alee@redhat.com>2016-02-27 02:32:14 -0500
committerEndi S. Dewata <edewata@redhat.com>2016-04-05 22:45:32 +0200
commitdcf005b9d03e53d19a8829b3e616ed304490b66d (patch)
treeb676866a33a54124c59002d1e14e6541826152dc
parent7a9612411834649cac2089afc6c19942d8062ab7 (diff)
Handle import and export of external certs
Ticket 1742 describes a case where a third-party CA certificate has been added by IPA to the dogtag certdb for the proxy cert. There is currently no way to ensure that this certificate is imported when the system is cloned. This patch allows the user to import third-party certificates into a dogtag instance through CLI commands (pki-server). The certs are tracked by a new instance-level configuration file, external_certs.conf. Then, when cloning: 1. When the pk12 file is created by the pki-server ca-clone-prepare command, the external certs are automatically included. 2. When creating the clone, the new pki_server_pk12_path and password must be provided, along with a copy of the external_certs.conf file. 3. This copy is read and merged with the existing external_certs.conf if one exists.
-rw-r--r--base/common/python/pki/nssdb.py29
-rw-r--r--base/server/python/pki/server/cli/ca.py9
-rw-r--r--base/server/python/pki/server/cli/kra.py9
-rw-r--r--base/server/python/pki/server/cli/ocsp.py6
-rw-r--r--base/server/python/pki/server/cli/tks.py6
-rw-r--r--base/server/python/pki/server/cli/tps.py6
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py2
7 files changed, 43 insertions, 24 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a428e397a..a6b2fa30f 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -395,7 +395,8 @@ class NSSDatabase(object):
subprocess.check_call(cmd)
- def import_cert_chain(self, nickname, cert_chain_file, trust_attributes=None):
+ def import_cert_chain(self, nickname, cert_chain_file,
+ trust_attributes=None):
tmpdir = tempfile.mkdtemp()
@@ -407,16 +408,18 @@ class NSSDatabase(object):
nickname=nickname,
cert_file=cert_chain_file,
trust_attributes=trust_attributes)
- return self.get_cert(
- nickname=nickname,
- output_format='base64')
+ return (
+ self.get_cert(nickname=nickname, output_format='base64'),
+ [nickname]
+ )
- elif file_type == 'pkcs7': # import PKCS #7 cert chain
- return self.import_pkcs7(
+ elif file_type == 'pkcs7': # import PKCS #7 cert chain
+ chain, nicks = self.import_pkcs7(
pkcs7_file=cert_chain_file,
nickname=nickname,
trust_attributes=trust_attributes,
output_format='base64')
+ return chain, nicks
else: # import PKCS #7 data without header/footer
with open(cert_chain_file, 'r') as f:
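Review bot: import_cert_chain now returns a (base64_chain, nicknames) tuple on every path — here, in the else branch at @@ -427, and from import_pkcs7 at @@ -501 — but neither method documents the new contract, and any caller other than the one updated in configuration.py will silently receive a tuple where it previously got a string. A docstring such as `"""Import a cert chain; return (base64-encoded PKCS #7 data, list of nicknames the certs were stored under)."""` on both methods would make the change visible, and the other call sites should be checked before merge since only one caller is touched by this diff. Per the diffstat, the external_certs.conf tracking described in the commit message is not part of this patch, so the returned nickname lists currently have no consumer besides the discarded `_nicks` in configuration.py; that is worth stating in the message or landing together. The try/finally enclosing this branch begins before the hunk.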
@@ -427,17 +430,18 @@ class NSSDatabase(object):
with open(tmp_cert_chain_file, 'w') as f:
f.write(pkcs7_data)
- self.import_pkcs7(
+ chain, nicks = self.import_pkcs7(
pkcs7_file=tmp_cert_chain_file,
nickname=nickname,
trust_attributes=trust_attributes)
- return base64_data
+ return base64_data, nicks
finally:
shutil.rmtree(tmpdir)
- def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, output_format='pem'):
+ def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None,
+ output_format='pem'):
tmpdir = tempfile.mkdtemp()
@@ -453,6 +457,7 @@ class NSSDatabase(object):
# parse PEM output into separate PEM certificates
certs = []
lines = []
+ nicks = []
state = 'header'
for line in output.splitlines():
@@ -494,6 +499,7 @@ class NSSDatabase(object):
n = '%s #%d' % (nickname, counter)
self.add_cert(n, cert_file, trust_attributes)
+ nicks.append(n)
counter += 1
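Review bot: `nicks` only records certs added under the numbered `'%s #%d'` nickname inside this loop; if the parser also stores a cert under the bare `nickname` through another add_cert call outside this hunk (the counter-based naming suggests the first cert may be), that name must be appended too, otherwise the list returned at @@ -501 is incomplete for whatever later records it. A test importing a two-cert PKCS #7 chain and asserting both nicknames appear in the returned list would pin this down. The enclosing loop and the try/finally of import_pkcs7 extend outside this hunk.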
@@ -501,12 +507,13 @@ class NSSDatabase(object):
with open(pkcs7_file, 'r') as f:
data = f.read()
- return convert_pkcs7(data, 'pem', output_format)
+ return convert_pkcs7(data, 'pem', output_format), nicks
finally:
shutil.rmtree(tmpdir)
- def import_pkcs12(self, pkcs12_file, pkcs12_password=None, pkcs12_password_file=None):
+ def import_pkcs12(self, pkcs12_file, pkcs12_password=None,
+ pkcs12_password_file=None):
tmpdir = tempfile.mkdtemp()
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index af0d941f5..fcc76fa25 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -398,9 +398,12 @@ class CAClonePrepareCLI(pki.cli.CLI):
subsystem.export_system_cert(
'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('ocsp_signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'ocsp_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
finally:
shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index d1b27dbc1..c11fda6ab 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -131,9 +131,12 @@ class KRAClonePrepareCLI(pki.cli.CLI):
subsystem.export_system_cert(
'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('transport', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('storage', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'transport', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'storage', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
finally:
shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
index 7b1b43487..88fff4330 100644
--- a/base/server/python/pki/server/cli/ocsp.py
+++ b/base/server/python/pki/server/cli/ocsp.py
@@ -131,8 +131,10 @@ class OCSPClonePrepareCLI(pki.cli.CLI):
subsystem.export_system_cert(
'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
finally:
shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 39343db98..55b506bde 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -131,8 +131,10 @@ class TKSClonePrepareCLI(pki.cli.CLI):
subsystem.export_system_cert(
'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
finally:
shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 05045cb0d..54c99a6de 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -131,8 +131,10 @@ class TPSClonePrepareCLI(pki.cli.CLI):
subsystem.export_system_cert(
'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
finally:
shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 278ac644b..fc6877d36 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -162,7 +162,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
external_ca_cert_chain_nickname = deployer.mdict['pki_external_ca_cert_chain_nickname']
external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
if external_ca_cert_chain_file:
- cert_chain = nssdb.import_cert_chain(
+ cert_chain, _nicks = nssdb.import_cert_chain(
nickname=external_ca_cert_chain_nickname,
cert_chain_file=external_ca_cert_chain_file,
trust_attributes='CT,C,C')