summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2016-04-27 01:42:12 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-03 02:54:25 +0200
commitcc4ae760c4267dc0d8851d98198e69b833e2e8ab (patch)
tree3e1b742cdd3318401c0cd2d2ba64a8b67d723017
parent599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd (diff)
downloadpki-cc4ae760c4267dc0d8851d98198e69b833e2e8ab.zip
pki-cc4ae760c4267dc0d8851d98198e69b833e2e8ab.tar.gz
pki-cc4ae760c4267dc0d8851d98198e69b833e2e8ab.tar.xz
Added CSR generation scriptlet.
The code that generates the CSR for external CA installation has been moved into a new scriptlet. The code that displays the external CA step one installation summary has been moved into the configuration servlet. https://fedorahosted.org/pki/ticket/2278
-rw-r--r--base/server/etc/default.cfg1
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py1
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/client_database.py1
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py76
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/csr_generation.py139
5 files changed, 149 insertions, 69 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 984c104..f217f68 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -42,6 +42,7 @@ spawn_scriplets=
slot_substitution
security_databases
client_database
+ csr_generation
configuration
finalization
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index ee35a2f..9ec38c2 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -447,6 +447,7 @@ WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'"
SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'"
SKIP_CLIENT_DATABASE_SPAWN_1 = "skip generating '%s'"
SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'"
+SKIP_CSR_GENERATION_SPAWN_1 = "skip generating '%s'"
SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'"
SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'"
SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'"
diff --git a/base/server/python/pki/server/deployment/scriptlets/client_database.py b/base/server/python/pki/server/deployment/scriptlets/client_database.py
index 31abb6f..1faa3c2 100644
--- a/base/server/python/pki/server/deployment/scriptlets/client_database.py
+++ b/base/server/python/pki/server/deployment/scriptlets/client_database.py
@@ -77,7 +77,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_client_secmod_database'],
password_file=deployer.mdict['pki_client_password_conf'])
-
def destroy(self, deployer):
pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 17ca836..23f32b4 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -20,7 +20,6 @@
from __future__ import absolute_import
import json
-import re
# PKI Deployment Imports
from .. import pkiconfig as config
@@ -65,67 +64,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
existing = deployer.configuration_file.existing
external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
step_one = deployer.configuration_file.external_step_one
step_two = deployer.configuration_file.external_step_two
try:
- if external and step_one: # external CA step 1 only
-
- # Determine CA signing key type and algorithm
- key_type = deployer.mdict['pki_ca_signing_key_type']
- key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
-
- if key_type == 'rsa':
- key_size = int(deployer.mdict['pki_ca_signing_key_size'])
- curve = None
-
- m = re.match(r'(.*)withRSA', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- elif key_type == 'ec' or key_type == 'ecc':
- key_type = 'ec'
- key_size = None
- curve = deployer.mdict['pki_ca_signing_key_size']
-
- m = re.match(r'(.*)withEC', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- else:
- raise Exception('Invalid key type: %s' % key_type)
-
- # If filename specified, generate CA cert request and
- # import it into CS.cfg.
- external_csr_path = deployer.mdict['pki_external_csr_path']
- if external_csr_path:
- config.pki_log.info(
- "generating CA signing certificate request in %s",
- external_csr_path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- nssdb.create_request(
- subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
- request_file=external_csr_path,
- key_type=key_type,
- key_size=key_size,
- curve=curve,
- hash_alg=hash_alg)
-
- with open(external_csr_path) as f:
- signing_csr = f.read()
-
- signing_csr = pki.nssdb.convert_csr(
- signing_csr, 'pem', 'base64')
- subsystem.config['ca.signing.certreq'] = signing_csr
-
- # This is needed by IPA to detect step 1 completion.
- # See is_step_one_done() in ipaserver/install/cainstance.py.
- subsystem.config['preop.ca.type'] = 'otherca'
-
- subsystem.save()
-
if existing or external and step_two:
# existing CA or external CA step 2
@@ -201,20 +144,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
subsystem.save()
- # verify the signing certificate
- # raises exception on failure
- config.pki_log.info("validating the signing certificate",
- extra=config.PKI_INDENTATION_LEVEL_2)
- verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
- instance, 'ca')
- verifier.verify_certificate('signing')
+ elif standalone and step_two:
+
+ # To be implemented in ticket #1692.
+ # Import standalone system certificates into NSS database.
+
+ pass
else: # self-signed CA
# To be implemented in ticket #1692.
-
- # Generate CA cert request.
- # Self sign CA cert.
+ # Generate self-signed CA cert.
# Import self-signed CA cert into NSS database.
pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/csr_generation.py b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
new file mode 100644
index 0000000..9ada624
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
@@ -0,0 +1,139 @@
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import re
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+import pki.nssdb
+import pki.server
+
+
+# PKI Deployment CSR Generation Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
+ step_one = deployer.configuration_file.external_step_one
+ skip_configuration = deployer.configuration_file.skip_configuration
+
+ if skip_configuration:
+ config.pki_log.info(log.SKIP_CSR_GENERATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
+
+ token = deployer.mdict['pki_token_name']
+ nssdb = instance.open_nssdb(token)
+
+ try:
+ if external and step_one: # external CA step 1
+
+ # Determine CA signing key type and algorithm
+ key_type = deployer.mdict['pki_ca_signing_key_type']
+ key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
+
+ if key_type == 'rsa':
+ key_size = int(deployer.mdict['pki_ca_signing_key_size'])
+ curve = None
+
+ m = re.match(r'(.*)withRSA', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ elif key_type == 'ec' or key_type == 'ecc':
+ key_type = 'ec'
+ key_size = None
+ curve = deployer.mdict['pki_ca_signing_key_size']
+
+ m = re.match(r'(.*)withEC', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ else:
+ raise Exception('Invalid key type: %s' % key_type)
+
+ # If filename specified, generate CA cert request and
+ # import it into CS.cfg.
+ external_csr_path = deployer.mdict['pki_external_csr_path']
+ if external_csr_path:
+ config.pki_log.info(
+ "generating CA signing certificate request in %s",
+ external_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ nssdb.create_request(
+ subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
+ request_file=external_csr_path,
+ key_type=key_type,
+ key_size=key_size,
+ curve=curve,
+ hash_alg=hash_alg)
+
+ with open(external_csr_path) as f:
+ signing_csr = f.read()
+
+ signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
+ subsystem.config['ca.signing.certreq'] = signing_csr
+
+ # This is needed by IPA to detect step 1 completion.
+ # See is_step_one_done() in ipaserver/install/cainstance.py.
+ subsystem.config['preop.ca.type'] = 'otherca'
+
+ subsystem.save()
+
+ # verify the signing certificate
+ # raises exception on failure
+ config.pki_log.info("validating the signing certificate",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
+ instance, 'ca')
+ verifier.verify_certificate('signing')
+
+ elif standalone and step_one: # standalone step 1
+
+ # To be implemented in ticket #1692.
+ # Generate CSRs for standalone system certs.
+
+ else: # self-signed CA
+
+ # To be implemented in ticket #1692.
+ # Generate CSR for self-signed CA cert.
+
+ pass
+
+ finally:
+ nssdb.close()
+
+ def destroy(self, deployer):
+
+ pass