author | Endi S. Dewata <edewata@redhat.com> | 2016-03-17 15:23:34 +0100 |
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-05 22:46:11 +0200 |
commit | b214755763a31545cfb8980e0625fcccb4e00300 (patch) | |
tree | 803bd4e0d81ce07da82ec7803f96a236a6bcf36c /base/server/python/pki/server | |
parent | 2009b97646f2321a806fcebbc33c329de16793e6 (diff) | |
Added support for cloning 3rd-party CA certificates.
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or only CA certificates.
https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index c3d4d9e49..166ba6c9f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -20,6 +20,10 @@
 #
 # PKI Deployment Imports
+from __future__ import absolute_import
+
+import pki.nssdb
+
 from .. import pkiconfig as config
 from .. import pkimessages as log
 from .. import pkiscriptlet
@@ -35,8 +39,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
             return self.rv
+
         config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.password.create_hsm_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
@@ -46,6 +52,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.password.create_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
                 deployer.mdict['pki_pin'])
+
         # Since 'certutil' does NOT strip the 'token=' portion of
         # the 'token=password' entries, create a temporary server 'pfile'
         # which ONLY contains the 'password' for the purposes of
@@ -54,12 +61,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_shared_pfile'],
             deployer.mdict['pki_pin'], pin_sans_token=True)
         deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
+
         deployer.certutil.create_security_databases(
             deployer.mdict['pki_database_path'],
             deployer.mdict['pki_cert_database'],
             deployer.mdict['pki_key_database'],
             deployer.mdict['pki_secmod_database'],
             password_file=deployer.mdict['pki_shared_pfile'])
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.modutil.register_security_module(
                 deployer.mdict['pki_database_path'],
@@ -75,6 +84,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 deployer.mdict['pki_secmod_database'],
                 perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+        # import CA certificates from PKCS #12 file for cloning
+        pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path']
+
+        if pki_clone_pkcs12_path:
+
+            pki_clone_pkcs12_password = deployer.mdict[
+                'pki_clone_pkcs12_password']
+            if not pki_clone_pkcs12_password:
+                raise Exception('Missing pki_clone_pkcs12_password property.')
+
+            nssdb = pki.nssdb.NSSDatabase(
+                directory=deployer.mdict['pki_database_path'],
+                password_file=deployer.mdict['pki_shared_pfile'])
+
+            nssdb.import_pkcs12(
+                pkcs12_file=pki_clone_pkcs12_path,
+                pkcs12_password=pki_clone_pkcs12_password,
+                no_user_certs=True)
+
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
             #
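Review bot: The PKCS #12 password read from `pki_clone_pkcs12_password` is handed to `nssdb.import_pkcs12` as a plain string, while the NSS database password in the same block is deliberately supplied through a file (`password_file=deployer.mdict['pki_shared_pfile']`); if the helper forwards `pkcs12_password` on a `pk12util` command line, it is readable by other local users via the process table for the duration of the import. Since `import_pkcs12`'s signature is not visible in this hunk, I would confirm how it passes the password and, if it accepts a file, write the PKCS #12 password to a restrictively-permissioned temporary file the same way the pfile above is created. Separately, `raise Exception('Missing pki_clone_pkcs12_password property.')` uses the bare base class; `raise ValueError('Missing pki_clone_pkcs12_password property.')` (or the project's own deployment error type, if one exists) lets callers tell a configuration error from an unexpected failure. The enclosing `PkiScriptlet` method starts and ends outside this hunk.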