authorEndi S. Dewata <edewata@redhat.com>2016-02-19 15:09:49 +0100
committerEndi S. Dewata <edewata@redhat.com>2016-02-25 15:51:06 +0100
commitb48889a2ef41fd45ca69c3926c36ef075777447c (patch)
treea916c780993fe9905adfd34c3666fd57fcc8023e /base/server/python/pki/server/cli/tks.py
parentb74bf9b82102715e08fa3fd3bd5ce9462312aded (diff)
Added pki-server commands to export system certificates.
Some pki-server commands have been added to simplify exporting the certificates required for subsystem installations. These commands invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command exports the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server/cli/tks.py')
-rw-r--r--base/server/python/pki/server/cli/tks.py138
1 files changed, 138 insertions, 0 deletions
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
new file mode 100644
index 000000000..39343db98
--- /dev/null
+++ b/base/server/python/pki/server/cli/tks.py
@@ -0,0 +1,138 @@
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import io
+import os
+import shutil
+import sys
+import tempfile
+
+import pki.cli
+
+
+class TKSCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(TKSCLI, self).__init__(
+ 'tks', 'TKS management commands')
+
+ self.add_module(TKSCloneCLI())
+
+
+class TKSCloneCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(TKSCloneCLI, self).__init__(
+ 'clone', 'TKS clone management commands')
+
+ self.add_module(TKSClonePrepareCLI())
+
+
+class TKSClonePrepareCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(TKSClonePrepareCLI, self).__init__(
+ 'prepare', 'Prepare TKS clone')
+
+ def print_help(self):
+ print('Usage: pki-server tks-clone-prepare [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --pkcs12-file PKCS #12 file to store certificates and keys.')
+ print(' --pkcs12-password Password for the PKCS #12 file.')
+ print(' --pkcs12-password-file File containing the PKCS #12 password.')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, _ = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ pkcs12_file = None
+ pkcs12_password = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--pkcs12-file':
+ pkcs12_file = a
+
+ elif o == '--pkcs12-password':
+ pkcs12_password = a
+
+ elif o == '--pkcs12-password-file':
+ with io.open(a, 'rb') as f:
+ pkcs12_password = f.read()
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.print_help()
+ sys.exit(1)
+
+ if not pkcs12_file:
+ print('ERROR: Missing PKCS #12 file')
+ self.print_help()
+ sys.exit(1)
+
+ if not pkcs12_password:
+ print('ERROR: Missing PKCS #12 password')
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('tks')
+
+ tmpdir = tempfile.mkdtemp()
+
+ try:
+ pkcs12_password_file = os.path.join(tmpdir, 'pkcs12_password.txt')
+ with open(pkcs12_password_file, 'w') as f:
+ f.write(pkcs12_password)
+
+ subsystem.export_system_cert(
+ 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
+ subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+
+ finally:
+ shutil.rmtree(tmpdir)
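Review bot: The `--pkcs12-password-file` branch in execute() reads the password with `io.open(a, 'rb')`, so pkcs12_password is bytes, but it is later written to the temporary password file opened in text mode with `open(pkcs12_password_file, 'w')`; on Python 3 that `f.write(pkcs12_password)` raises TypeError, and the two code paths (`--pkcs12-password` gives str) should agree on one type, e.g. `with io.open(a, 'r') as f:` so both are text. `instance.get_subsystem('tks')` is used unchecked; if the instance has no TKS subsystem the call presumably returns None and the export fails with an AttributeError rather than a clear message, so a guard such as `if not subsystem: print('ERROR: No TKS subsystem in instance ' + instance_name); sys.exit(1)` would help. Writing the password into a mkdtemp() directory (created mode 0700) and removing it in finally is the right shape; the help text could note that `--pkcs12-password` is visible to other users in the process list and that `--pkcs12-password-file` is preferred. pki.server is referenced but only pki.cli is imported here, so this relies on pki.server having been imported elsewhere — worth confirming.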