Added support for cloning 3rd-party CA certificates.

The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
author: Endi S. Dewata <edewata@redhat.com> 2016-03-17 15:23:34 +0100
committer: Endi S. Dewata <edewata@redhat.com> 2016-04-05 22:46:11 +0200
commit: b214755763a31545cfb8980e0625fcccb4e00300 (patch)
tree: 803bd4e0d81ce07da82ec7803f96a236a6bcf36c /base/server/python/pki/server
parent: 2009b97646f2321a806fcebbc33c329de16793e6 (diff)
download: pki-b214755763a31545cfb8980e0625fcccb4e00300.tar.gz
pki-b214755763a31545cfb8980e0625fcccb4e00300.tar.xz
pki-b214755763a31545cfb8980e0625fcccb4e00300.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index c3d4d9e49..166ba6c9f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -20,6 +20,10 @@
 #
 
 # PKI Deployment Imports
+from __future__ import absolute_import
+
+import pki.nssdb
+
 from .. import pkiconfig as config
 from .. import pkimessages as log
 from .. import pkiscriptlet
@@ -35,8 +39,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
             return self.rv
+
         config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.password.create_hsm_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
@@ -46,6 +52,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.password.create_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
                 deployer.mdict['pki_pin'])
+
         # Since 'certutil' does NOT strip the 'token=' portion of
         # the 'token=password' entries, create a temporary server 'pfile'
         # which ONLY contains the 'password' for the purposes of
@@ -54,12 +61,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_shared_pfile'],
             deployer.mdict['pki_pin'], pin_sans_token=True)
         deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
+
         deployer.certutil.create_security_databases(
             deployer.mdict['pki_database_path'],
             deployer.mdict['pki_cert_database'],
             deployer.mdict['pki_key_database'],
             deployer.mdict['pki_secmod_database'],
             password_file=deployer.mdict['pki_shared_pfile'])
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.modutil.register_security_module(
                 deployer.mdict['pki_database_path'],
@@ -75,6 +84,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_secmod_database'],
             perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 
+        # import CA certificates from PKCS #12 file for cloning
+        pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path']
+
+        if pki_clone_pkcs12_path:
+
+            pki_clone_pkcs12_password = deployer.mdict[
+                'pki_clone_pkcs12_password']
+            if not pki_clone_pkcs12_password:
+                raise Exception('Missing pki_clone_pkcs12_password property.')
+
+            nssdb = pki.nssdb.NSSDatabase(
+                directory=deployer.mdict['pki_database_path'],
+                password_file=deployer.mdict['pki_shared_pfile'])
+
+            nssdb.import_pkcs12(
+                pkcs12_file=pki_clone_pkcs12_path,
+                pkcs12_password=pki_clone_pkcs12_password,
+                no_user_certs=True)
+
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
             #
author	Endi S. Dewata <edewata@redhat.com>	2016-03-17 15:23:34 +0100
committer	Endi S. Dewata <edewata@redhat.com>	2016-04-05 22:46:11 +0200
commit	b214755763a31545cfb8980e0625fcccb4e00300 (patch)
tree	803bd4e0d81ce07da82ec7803f96a236a6bcf36c /base/server/python/pki/server
parent	2009b97646f2321a806fcebbc33c329de16793e6 (diff)
download	pki-b214755763a31545cfb8980e0625fcccb4e00300.tar.gz pki-b214755763a31545cfb8980e0625fcccb4e00300.tar.xz pki-b214755763a31545cfb8980e0625fcccb4e00300.zip