| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-04-08 22:23:42 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-03 11:42:49 +1000 |
| commit | a2a4117dbc7e489cbb1964d6ce5f95b786a03fde (patch) | |
| tree | 7a8ccedb469915d7755d4a021905664c395f6273 /base/ca/src | |
| parent | 94ee373d053b34e534fbb61826e586693a38c934 (diff) | |
Lightweight CAs: add IPACustodiaKeyRetriever
Add 'IPACustodiaKeyRetriever', a 'KeyRetriever' implementation for
use when Dogtag is deployed as a FreeIPA CA. The Java class invokes
'pki-ipa-retrieve-key', a Python script that retrieves lightweight
CA keys from the Custodia server on a replica that possesses the
keys. 'pki-ipa-retrieve-key' depends on FreeIPA libraries, FreeIPA
server configuration, and Kerberos and Custodia keys owned by
'pkiuser'.
Part of: https://fedorahosted.org/pki/ticket/1625
Diffstat (limited to 'base/ca/src')
| -rw-r--r-- | base/ca/src/CMakeLists.txt | 9 | ||||
| -rw-r--r-- | base/ca/src/com/netscape/ca/IPACustodiaKeyRetriever.java | 75 |
2 files changed, 83 insertions, 1 deletions
diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt index 5b805e1b3..1817dacfb 100644 --- a/base/ca/src/CMakeLists.txt +++ b/base/ca/src/CMakeLists.txt @@ -24,6 +24,13 @@ find_file(COMMONS_CODEC_JAR /usr/share/java ) +find_file(COMMONS_IO_JAR + NAMES + commons-io.jar + PATHS + /usr/share/java +) + find_file(COMMONS_LANG_JAR NAMES commons-lang.jar @@ -73,7 +80,7 @@ javac(pki-ca-classes com/netscape/ca/*.java org/dogtagpki/server/ca/*.java CLASSPATH - ${COMMONS_CODEC_JAR} ${COMMONS_LANG_JAR} + ${COMMONS_CODEC_JAR} ${COMMONS_IO_JAR} ${COMMONS_LANG_JAR} ${JSS_JAR} ${SYMKEY_JAR} ${LDAPJDK_JAR} ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} diff --git a/base/ca/src/com/netscape/ca/IPACustodiaKeyRetriever.java b/base/ca/src/com/netscape/ca/IPACustodiaKeyRetriever.java new file mode 100644 index 000000000..4a162d370 --- /dev/null +++ b/base/ca/src/com/netscape/ca/IPACustodiaKeyRetriever.java 
@@ -0,0 +1,75 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.ca;
+
+import java.lang.Process;
+import java.lang.ProcessBuilder;
+import java.util.Collection;
+import java.util.Stack;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.ArrayUtils;
+
+import com.netscape.certsrv.apps.CMS;
+
+public class IPACustodiaKeyRetriever implements KeyRetriever {
+    public Result retrieveKey(String nickname, Collection<String> hostPorts) {
+        CMS.debug("Running IPACustodiaKeyRetriever");
+
+        Stack<String> command = new Stack<>();
+        command.push("/usr/libexec/pki-ipa-retrieve-key");
+        command.push(nickname);
+
+        for (String hostPort : hostPorts) {
+            String host = hostPort.split(":")[0];
+            command.push(host);
+            CMS.debug("About to execute command: " + command);
+            ProcessBuilder pb = new ProcessBuilder(command);
+            try {
+                Process p = pb.start();
+                int exitValue = p.waitFor();
+                if (exitValue != 0)
+                    continue;
+
+                /* Custodia returns a PEM-encoded certificate and a
+                 * base64-encoded PKIArchiveOptions containing the
+                 * wrapped private key. These values are output by
+                 * the Python 'pki-ipa-retrieve-key' program,
+                 * separated by a null byte (password first)
+                 */
+                byte[] output = IOUtils.toByteArray(p.getInputStream());
+                int splitIndex = ArrayUtils.indexOf(output, (byte) 0);
+                if (splitIndex == ArrayUtils.INDEX_NOT_FOUND) {
+                    CMS.debug("Invalid output: null byte not found");
+                    continue;
+                }
+                return new Result(
+                    ArrayUtils.subarray(output, 0, splitIndex),
+                    ArrayUtils.subarray(output, splitIndex + 1, output.length)
+                );
+            } catch (Throwable e) {
+                CMS.debug("Caught exception while executing command: " + e);
+            } finally {
+                command.pop();
+            }
+        }
+        CMS.debug("Failed to retrieve key from any host.");
+        return null;
+    }
+}
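Review bot: The child's stdout is consumed only after `p.waitFor()` returns, so if `pki-ipa-retrieve-key` writes more than the pipe buffer (a PEM certificate plus a base64 PKIArchiveOptions blob can do that) the script blocks on write and `waitFor()` never returns, and its stderr is never drained or redirected at all; read first, `byte[] output = IOUtils.toByteArray(p.getInputStream());` then `int exitValue = p.waitFor();`, and add `pb.redirectError(ProcessBuilder.Redirect.INHERIT);` so the script's diagnostics are not lost. `catch (Throwable e)` also swallows `InterruptedException` without `Thread.currentThread().interrupt()` and masks `Error`s; `catch (IOException | InterruptedException e)` with a re-interrupt is what callers can reason about. `hostPort.split(":")[0]` yields `[` for a bracketed IPv6 literal such as `[::1]:443`, so either the host list must be documented as hostname-only or the split should use `lastIndexOf(':')`. The comment above the split says the output is a certificate followed by a PKIArchiveOptions blob but ends with `(password first)`, which reads like a leftover from an earlier protocol; it should state which value precedes the null byte so the `Result` argument order can be checked against the script.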
