diff options
author | Endi S. Dewata <edewata@redhat.com> | 2016-03-17 15:23:34 +0100 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-02 07:48:04 +0200 |
commit | 9bd9548d5c1718ad8159f2134f170649c092a581 (patch) | |
tree | 0eacbafd403e00afe823c0fc3997cc7d1ffafc4e | |
parent | a1de52ab41d0b0c9d5df4163224525ce940e91a8 (diff) | |
download | pki-9bd9548d5c1718ad8159f2134f170649c092a581.tar.gz pki-9bd9548d5c1718ad8159f2134f170649c092a581.tar.xz pki-9bd9548d5c1718ad8159f2134f170649c092a581.zip |
Additional clean-ups for PKCS #12 utilities.
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
7 files changed, 38 insertions, 24 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 9bb917fa1..e6aa0a6c2 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -549,8 +549,10 @@ class NSSDatabase(object): finally: shutil.rmtree(tmpdir) - def export_pkcs12(self, pkcs12_file, nicknames=None, pkcs12_password=None, - pkcs12_password_file=None): + def export_pkcs12(self, pkcs12_file, + pkcs12_password=None, + pkcs12_password_file=None, + nicknames=None): tmpdir = tempfile.mkdtemp() diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java index c3c5ef489..48e4907cf 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java @@ -151,7 +151,7 @@ public class PKCS12CertAddCLI extends CLI { pkcs12 = new PKCS12(); } else { - // otherwise, add into the same file + // otherwise, add into the existing file pkcs12 = util.loadFromFile(filename, password); } diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java index 52a993125..d42c449b4 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java @@ -18,6 +18,7 @@ package com.netscape.cmstools.pkcs12; import java.io.BufferedReader; +import java.io.File; import java.io.FileReader; import java.util.logging.Level; import java.util.logging.Logger; @@ -60,6 +61,7 @@ public class PKCS12ExportCLI extends CLI { option.setArgName("path"); options.addOption(option); + options.addOption(null, "new-file", false, "Create a new PKCS #12 file"); options.addOption(null, "no-trust-flags", false, "Do not include trust flags"); options.addOption("v", "verbose", false, "Run in verbose mode."); @@ -124,14 +126,23 @@ public class PKCS12ExportCLI extends CLI { Password password = new Password(passwordString.toCharArray()); + boolean newFile = cmd.hasOption("new-file"); boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags"); try { PKCS12Util util = new PKCS12Util(); util.setTrustFlagsEnabled(trustFlagsEnabled); - // overwrite existing file - PKCS12 pkcs12 = new PKCS12(); + PKCS12 pkcs12; + + if (newFile || !new File(filename).exists()) { + // if new file requested or file does not exist, create a new file + pkcs12 = new PKCS12(); + + } else { + // otherwise, export into the existing file + pkcs12 = util.loadFromFile(filename, password); + } if (nicknames.length == 0) { // load all certificates diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index c503e6345..3e4b38f54 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -109,8 +109,6 @@ pki_security_domain_https_port=8443 pki_security_domain_name=%(pki_dns_domainname)s Security Domain pki_security_domain_password= pki_security_domain_user=caadmin -pki_server_pkcs12_path= -pki_server_pkcs12_password= #for supporting server cert SAN injection pki_san_inject=False pki_san_for_server_cert= @@ -190,6 +188,9 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry ############################################################################### [Tomcat] pki_ajp_port=8009 +pki_server_pkcs12_path= +pki_server_pkcs12_password= +pki_server_external_certs_path= pki_clone=False pki_clone_pkcs12_password= pki_clone_pkcs12_path= diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py index 3119629e1..212a411cd 100644 --- a/base/server/python/pki/server/cli/instance.py +++ b/base/server/python/pki/server/cli/instance.py @@ -67,10 +67,10 @@ class InstanceCertExportCLI(pki.cli.CLI): def __init__(self): super(InstanceCertExportCLI, self).__init__( - 'export', 'Export subsystem certificate') + 'export', 'Export system certificates') def print_help(self): # flake8: noqa - print('Usage: pki-server instance-cert-export [OPTIONS]') + print('Usage: pki-server instance-cert-export [OPTIONS] [nicknames...]') print() print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') print(' --pkcs12-file <path> Output file to store the exported certificate and key in PKCS #12 format.') @@ -83,7 +83,7 @@ class InstanceCertExportCLI(pki.cli.CLI): def execute(self, argv): try: - opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', 'verbose', 'help']) @@ -93,6 +93,8 @@ class InstanceCertExportCLI(pki.cli.CLI): self.print_help() sys.exit(1) + nicknames = args + instance_name = 'pki-tomcat' pkcs12_file = None pkcs12_password = None @@ -139,7 +141,8 @@ class InstanceCertExportCLI(pki.cli.CLI): nssdb.export_pkcs12( pkcs12_file=pkcs12_file, pkcs12_password=pkcs12_password, - pkcs12_password_file=pkcs12_password_file) + pkcs12_password_file=pkcs12_password_file, + nicknames=nicknames) finally: nssdb.close() diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index 92d4c3deb..b6c694f88 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -576,9 +576,9 @@ class SubsystemCertExportCLI(pki.cli.CLI): try: nssdb.export_pkcs12( pkcs12_file=pkcs12_file, - nicknames=nicknames, pkcs12_password=pkcs12_password, - pkcs12_password_file=pkcs12_password_file) + pkcs12_password_file=pkcs12_password_file, + nicknames=nicknames) finally: nssdb.close() diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index a2ba8f436..0c3d606de 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -86,12 +86,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_secmod_database'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] + # import system certificates before starting the server + pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] if pki_server_pkcs12_path: - # importing system certificates - pki_server_pkcs12_password = deployer.mdict[ 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: @@ -106,9 +105,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): pkcs12_password=pki_server_pkcs12_password) # update external CA file (if needed) - external_cert_path = deployer.mdict['pki_server_external_cert_path'] - if external_cert_path is not None: - self.update_external_cert_conf(external_cert_path, deployer) + external_certs_path = deployer.mdict['pki_server_external_certs_path'] + if external_certs_path is not None: + self.update_external_certs_conf(external_certs_path, deployer) if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance @@ -183,20 +182,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.file.delete(deployer.mdict['pki_shared_pfile']) return self.rv - def update_external_cert_conf(self, external_path, deployer): + def update_external_certs_conf(self, external_path, deployer): external_certs = pki.server.PKIInstance.read_external_certs( external_path) if len(external_certs) > 0: - instance = pki.server.PKIInstance( - deployer.mdict['pki_instance_name']) - instance.load_external_certs( + deployer.instance.load_external_certs( os.path.join(deployer.mdict['pki_instance_configuration_path'], 'external_certs.conf') ) for cert in external_certs: - instance.add_external_cert(cert.nickname, cert.token) + deployer.instance.add_external_cert(cert.nickname, cert.token) def destroy(self, deployer): |