authorEndi S. Dewata <edewata@redhat.com>2016-02-19 15:09:49 +0100
committerEndi S. Dewata <edewata@redhat.com>2016-04-02 06:10:24 +0200
commit9667921a5a2489a3fccc6f4f7f7af88f60eadbd2 (patch)
tree6989057c4a7759e8ecf96542da6538454515e1e7 /base/server/python/pki/server/__init__.py
parent943b62447dc41286e172bd8e11f747a0f524695b (diff)
Added pki-server commands to export system certificates.
Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server/__init__.py')
-rw-r--r--base/server/python/pki/server/__init__.py121
1 files changed, 115 insertions, 6 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index b2fffd5e6..4376135e7 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -63,10 +63,9 @@ class PKISubsystem(object):
def __init__(self, instance, subsystem_name):
self.instance = instance
- self.name = subsystem_name
- self.type = instance.type
+ self.name = subsystem_name # e.g. ca, kra
- if self.type >= 10:
+ if instance.type >= 10:
self.base_dir = os.path.join(self.instance.base_dir, self.name)
else:
self.base_dir = instance.base_dir
@@ -81,8 +80,8 @@ class PKISubsystem(object):
instance.conf_dir, 'Catalina', 'localhost', self.name + '.xml')
self.config = {}
- self.type = None
- self.prefix = None
+ self.type = None # e.g. CA, KRA
+ self.prefix = None # e.g. ca, kra
# custom subsystem location
self.doc_base = os.path.join(self.base_dir, 'webapps', self.name)
@@ -101,7 +100,7 @@ class PKISubsystem(object):
self.type = self.config['cs.type']
self.prefix = self.type.lower()
- def find_subsystem_certs(self):
+ def find_system_certs(self):
certs = []
cert_ids = self.config['%s.cert.list' % self.name].split(',')
@@ -130,6 +129,116 @@ class PKISubsystem(object):
self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data', None)
self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request', None)
+ def export_system_cert(
+ self,
+ cert_id,
+ pkcs12_file,
+ pkcs12_password_file,
+ new_file=False):
+
+ cert = self.get_subsystem_cert(cert_id)
+ nickname = cert['nickname']
+ token = cert['token']
+ if token == 'Internal Key Storage Token':
+ token = 'internal'
+ nssdb_password = self.instance.get_password(token)
+
+ tmpdir = tempfile.mkdtemp()
+
+ try:
+ nssdb_password_file = os.path.join(tmpdir, 'password.txt')
+ with open(nssdb_password_file, 'w') as f:
+ f.write(nssdb_password)
+
+ # add the certificate, key, and chain
+ cmd = [
+ 'pki',
+ '-d', self.instance.nssdb_dir,
+ '-C', nssdb_password_file
+ ]
+
+ if token and token != 'internal':
+ cmd.extend(['--token', token])
+
+ cmd.extend([
+ 'pkcs12-cert-add',
+ '--pkcs12', pkcs12_file,
+ '--pkcs12-password-file', pkcs12_password_file,
+ ])
+
+ if new_file:
+ cmd.extend(['--new-file'])
+
+ cmd.extend([
+ nickname
+ ])
+
+ subprocess.check_call(cmd)
+
+ finally:
+ shutil.rmtree(tmpdir)
+
+ def export_cert_chain(
+ self,
+ pkcs12_file,
+ pkcs12_password_file):
+
+ # use subsystem certificate to get certificate chain
+ cert = self.get_subsystem_cert('subsystem')
+ nickname = cert['nickname']
+ token = cert['token']
+ if token == 'Internal Key Storage Token':
+ token = 'internal'
+ nssdb_password = self.instance.get_password(token)
+
+ tmpdir = tempfile.mkdtemp()
+
+ try:
+ nssdb_password_file = os.path.join(tmpdir, 'password.txt')
+ with open(nssdb_password_file, 'w') as f:
+ f.write(nssdb_password)
+
+ # export the certificate, key, and chain
+ cmd = [
+ 'pki',
+ '-d', self.instance.nssdb_dir,
+ '-C', nssdb_password_file
+ ]
+
+ if token and token != 'internal':
+ cmd.extend(['--token', token])
+
+ cmd.extend([
+ 'pkcs12-export',
+ '--pkcs12', pkcs12_file,
+ '--pkcs12-password-file', pkcs12_password_file,
+ nickname
+ ])
+
+ subprocess.check_call(cmd)
+
+ # remove the certificate and key, but keep the chain
+ cmd = [
+ 'pki',
+ '-d', self.instance.nssdb_dir,
+ '-C', nssdb_password_file
+ ]
+
+ if token and token != 'internal':
+ cmd.extend(['--token', token])
+
+ cmd.extend([
+ 'pkcs12-cert-del',
+ '--pkcs12', pkcs12_file,
+ '--pkcs12-password-file', pkcs12_password_file,
+ nickname
+ ])
+
+ subprocess.check_call(cmd)
+
+ finally:
+ shutil.rmtree(tmpdir)
+
def save(self):
sorted_config = sorted(self.config.items(), key=operator.itemgetter(0))
with io.open(self.cs_conf, 'wb') as f:
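Review bot: In export_cert_chain the pkcs12-export step writes the subsystem certificate together with its private key into pkcs12_file (per the comment "export the certificate, key, and chain"), and only the following pkcs12-cert-del strips them again; if that second check_call raises CalledProcessError the exception propagates but a file that still contains the subsystem private key is left on disk. The finally block removes only tmpdir, so the caller gets no signal that pkcs12_file must not be handed to another instance. I would wrap the second call so the half-processed file is removed before re-raising (below); if pkcs12_file may legitimately pre-exist with other entries this needs checking against pkcs12-export's overwrite behaviour, which is not visible here. Separately, the token normalisation and the nssdb password-file setup are duplicated verbatim between export_system_cert and export_cert_chain and would read better as one private helper; that helper could create the password file with `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` instead of relying on the umask, although mkdtemp's private directory already limits exposure.
```python
            # … unchanged: build the pkcs12-cert-del command …
            try:
                subprocess.check_call(cmd)
            except subprocess.CalledProcessError:
                # pkcs12-export above already wrote the subsystem key into
                # the file; do not leave it behind if stripping it fails.
                if os.path.exists(pkcs12_file):
                    os.remove(pkcs12_file)
                raise
```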