author | Ade Lee <alee@redhat.com> | 2016-02-27 02:32:14 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-02 07:36:42 +0200 |
commit | 574eb27a2db7be57e7e887f3a790cb6370044e5f (patch) | |
tree | 163c5a38257b9914a3396b9462d22bb142e98b03 /base/server/python/pki/server/cli | |
parent | a8d12675dbc3d77203efbe2f9f551d4d07a5cab2 (diff) | |
Handle import and export of external certs
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance-level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
Diffstat (limited to 'base/server/python/pki/server/cli')
-rw-r--r-- | base/server/python/pki/server/cli/ca.py | 10 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/instance.py | 185 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/kra.py | 10 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/ocsp.py | 7 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/tks.py | 7 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/tps.py | 7 |
6 files changed, 214 insertions, 12 deletions
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index af0d941f5..c6da12143 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -398,9 +398,13 @@ class CAClonePrepareCLI(pki.cli.CLI):
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('ocsp_signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'ocsp_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
+ instance.export_external_certs(pkcs12_file, pkcs12_password_file)
 finally:
 shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 16a3355c3..3119629e1 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -26,6 +26,7 @@ import os
 import sys
 import pki.cli
+import pki.nssdb
 import pki.server
 import pki.server.cli.nuxwdog
@@ -44,6 +45,8 @@ class InstanceCLI(pki.cli.CLI):
 self.add_module(InstanceMigrateCLI())
 self.add_module(InstanceNuxwdogEnableCLI())
 self.add_module(InstanceNuxwdogDisableCLI())
+ self.add_module(InstanceExternalCertAddCLI())
+ self.add_module(InstanceExternalCertDeleteCLI())
 @staticmethod
 def print_instance(instance):
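Review bot: The new `instance.export_external_certs(pkcs12_file, pkcs12_password_file)` line carries no comment saying that it appends the third-party certificates recorded in external_certs.conf to the same PKCS#12 file that already holds the subsystem certs, and nothing in this hunk shows what happens on an instance that has never run externalcert-add and has no external_certs.conf; that is decided inside export_external_certs, outside this hunk, so a one-line comment such as `# also export third-party certs tracked in external_certs.conf so the clone can import them` would help the next reader. The identical line is added at the same position in kra.py, ocsp.py, tks.py and tps.py; since the five clone-prepare commands now share the same export tail (subsystem certs, external certs, then tmpdir cleanup), a shared helper on the subsystem or instance would keep the five copies from drifting apart. The enclosing try/finally begins before this hunk.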
@@ -528,3 +531,185 @@ class InstanceNuxwdogDisableCLI(pki.cli.CLI):
 module.disable_nuxwdog(instance) # pylint: disable=no-member,maybe-no-member
 self.print_message('Nuxwdog disabled for instance %s.' % instance_name)
+
+
+class InstanceExternalCertAddCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(InstanceExternalCertAddCLI, self).__init__(
+ 'externalcert-add',
+ 'Add external certificate or chain to the instance')
+
+ def print_help(self):
+ print('Usage: pki-server instance-externalcert-add [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --cert-file <path> Input file containing the external certificate or certificate chain.')
+ print(' --trust-args <trust-args> Trust args (default \",,\").')
+ print(' --nickname <nickname> Nickname to be used.')
+ print(' --token <token_name> Token (default: internal).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+ try:
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+ 'cert-file=', 'trust-args=', 'nickname=','token=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ cert_file = None
+ trust_args = '\",,\"'
+ nickname = None
+ token = 'internal'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--cert-file':
+ cert_file = a
+
+ elif o == '--trust-args':
+ trust_args = a
+
+ elif o == '--nickname':
+ nickname = a
+
+ elif o == '--token':
+ token = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.print_help()
+ sys.exit(1)
+
+ if not cert_file:
+ print('ERROR: missing input file containing certificate')
+ self.print_help()
+ sys.exit(1)
+
+ if not nickname:
+ print('ERROR: missing nickname')
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ if instance.external_cert_exists(nickname, token):
+ print('ERROR: Certificate already imported for instance %s.' %
+ instance_name)
+ sys.exit(1)
+
+ nicks = self.import_certs(
+ instance, cert_file, nickname, token, trust_args)
+ self.update_instance_config(instance, nicks, token)
+
+ self.print_message('Certificate imported for instance %s.' %
+ instance_name)
+
+ def import_certs(self, instance, cert_file, nickname, token, trust_args):
+ password = instance.get_password(token)
+ certdb = pki.nssdb.NSSDatabase(
+ directory=instance.nssdb_dir,
+ password=password,
+ token=token)
+ _chain, nicks = certdb.import_cert_chain(
+ nickname, cert_file, trust_attributes=trust_args)
+ return nicks
+
+ def update_instance_config(self, instance, nicks, token):
+ for nickname in nicks:
+ instance.add_external_cert(nickname, token)
+
+
+class InstanceExternalCertDeleteCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(InstanceExternalCertDeleteCLI, self).__init__(
+ 'externalcert-del',
+ 'Delete external certificate from the instance')
+
+ def print_help(self):
+ print('Usage: pki-server instance-externalcert-del [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --nickname <nickname> Nickname to be used.')
+ print(' --token <token_name> Token (default: internal).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+ try:
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=', 'nickname=','token=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ nickname = None
+ token = 'internal'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--nickname':
+ nickname = a
+
+ elif o == '--token':
+ token = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.print_help()
+ sys.exit(1)
+
+ if not nickname:
+ print('ERROR: missing nickname')
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ self.remove_cert(instance, nickname, token)
+ instance.delete_external_cert(nickname, token)
+
+ self.print_message('Certificate removed from instance %s.' %
+ instance_name)
+
+ def remove_cert(self, instance, nickname, token):
+ password = instance.get_password(token)
+ certdb = pki.nssdb.NSSDatabase(
+ directory=instance.nssdb_dir,
+ password=password,
+ token=token)
+ certdb.remove_cert(nickname)
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index d1b27dbc1..ba1bf5a97 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -131,9 +131,13 @@ class KRAClonePrepareCLI(pki.cli.CLI):
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('transport', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('storage', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'transport', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'storage', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
+ instance.export_external_certs(pkcs12_file, pkcs12_password_file)
 finally:
 shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
index 7b1b43487..45d7fca83 100644
--- a/base/server/python/pki/server/cli/ocsp.py
+++ b/base/server/python/pki/server/cli/ocsp.py
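Review bot: The default `trust_args = '\",,\"'` in InstanceExternalCertAddCLI.execute embeds literal double-quote characters in the trust string, so when `--trust-args` is omitted `import_cert_chain` receives `",,"` quotes included; unless that helper strips them through a shell (it is outside this hunk), the NSS trust flags will be rejected or misapplied, and the default should be `trust_args = ',,'` while the help text keeps its quoted rendering. In InstanceExternalCertDeleteCLI.execute, `self.remove_cert(instance, nickname, token)` runs before any check that the nickname is one this CLI imported, so externalcert-del can remove a system certificate from the instance NSS database and then call `delete_external_cert` on a nickname that was never tracked; a guard such as `if not instance.external_cert_exists(nickname, token): print('ERROR: No external certificate %s in instance %s.' % (nickname, instance_name)); sys.exit(1)` placed before `remove_cert` confines the command to external certs. Neither new class has a docstring; a one-line summary on each, for example `"""Import an external certificate or chain into the instance NSS database and record it in external_certs.conf."""`, would state the contract. The add path also checks `external_cert_exists` only for the leading nickname while `import_cert_chain` can return several, so chain members that are already present are re-imported and re-recorded without notice.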
@@ -131,8 +131,11 @@ class OCSPClonePrepareCLI(pki.cli.CLI):
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
+ instance.export_external_certs(pkcs12_file, pkcs12_password_file)
 finally:
 shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 39343db98..2bdfce84a 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -131,8 +131,11 @@ class TKSClonePrepareCLI(pki.cli.CLI):
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
+ instance.export_external_certs(pkcs12_file, pkcs12_password_file)
 finally:
 shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 05045cb0d..731b9720c 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -131,8 +131,11 @@ class TPSClonePrepareCLI(pki.cli.CLI):
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
- subsystem.export_system_cert('signing', pkcs12_file, pkcs12_password_file)
- subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'signing', pkcs12_file, pkcs12_password_file)
+ subsystem.export_system_cert(
+ 'audit_signing', pkcs12_file, pkcs12_password_file)
+ instance.export_external_certs(pkcs12_file, pkcs12_password_file)
 finally:
 shutil.rmtree(tmpdir) |