Added mechanism to import system certs via PKCS #12 file.

The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
author: Endi S. Dewata <edewata@redhat.com> 2016-02-19 08:42:30 +0100
committer: Ade Lee <alee@redhat.com> 2016-02-26 13:12:01 -0500
commit: 1d58b883ff9d0056d89d74d30f1375ab12d01f03 (patch)
tree: a91fabd83ddfb0e3424badb49a883acab5c71f72 /base/server/python/pki/server/deployment/scriptlets/security_databases.py
parent: 1f2d7dbab0e6a7b26f7aa12b8a58fb4c3a6da825 (diff)
download: pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.gz
pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.xz
pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.zip
1 files changed, 25 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 94ecbc2f0..a723b1da9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -20,6 +20,8 @@
 
 from __future__ import absolute_import
 
+import pki.nssdb
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkimessages as log
@@ -36,8 +38,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
             return self.rv
+
         config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.password.create_hsm_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
@@ -47,6 +51,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.password.create_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
                 deployer.mdict['pki_pin'])
+
         # Since 'certutil' does NOT strip the 'token=' portion of
         # the 'token=password' entries, create a temporary server 'pfile'
         # which ONLY contains the 'password' for the purposes of
@@ -55,12 +60,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_shared_pfile'],
             deployer.mdict['pki_pin'], pin_sans_token=True)
         deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
+
         deployer.certutil.create_security_databases(
             deployer.mdict['pki_database_path'],
             deployer.mdict['pki_cert_database'],
             deployer.mdict['pki_key_database'],
             deployer.mdict['pki_secmod_database'],
             password_file=deployer.mdict['pki_shared_pfile'])
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.modutil.register_security_module(
                 deployer.mdict['pki_database_path'],
@@ -76,6 +83,24 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_secmod_database'],
             perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 
+        pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
+
+        if pki_server_pkcs12_path:
+
+            # importing system certificates
+
+            pki_server_pkcs12_password = deployer.mdict['pki_server_pkcs12_password']
+            if not pki_server_pkcs12_password:
+                raise Exception('Missing pki_server_pkcs12_password property.')
+
+            nssdb = pki.nssdb.NSSDatabase(
+                directory=deployer.mdict['pki_database_path'],
+                password_file=deployer.mdict['pki_shared_pfile'])
+
+            nssdb.import_pkcs12(
+                pkcs12_file=pki_server_pkcs12_path,
+                pkcs12_password=pki_server_pkcs12_password)
+
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
             #
author	Endi S. Dewata <edewata@redhat.com>	2016-02-19 08:42:30 +0100
committer	Ade Lee <alee@redhat.com>	2016-02-26 13:12:01 -0500
commit	1d58b883ff9d0056d89d74d30f1375ab12d01f03 (patch)
tree	a91fabd83ddfb0e3424badb49a883acab5c71f72 /base/server/python/pki/server/deployment/scriptlets/security_databases.py
parent	1f2d7dbab0e6a7b26f7aa12b8a58fb4c3a6da825 (diff)
download	pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.gz pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.tar.xz pki-1d58b883ff9d0056d89d74d30f1375ab12d01f03.zip