author | Matthew Harmsen <mharmsen@redhat.com> | 2015-04-14 20:05:17 -0600 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-04-14 20:05:17 -0600 |
commit | cde899c8e8516125b26818d5668487c99267420c (patch) | |
tree | f17f837e0e89aef299fa724df11be9a91528011b /base/server/python/pki/server | |
parent | 711d3ca66b6702a33839c3a436550464fa49d0d8 (diff) | |
download | pki-cde899c8e8516125b26818d5668487c99267420c.tar.gz pki-cde899c8e8516125b26818d5668487c99267420c.tar.xz pki-cde899c8e8516125b26818d5668487c99267420c.zip |
Add HSM options to pkispawn
- PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
Diffstat (limited to 'base/server/python/pki/server')
3 files changed, 74 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index d11badf5c..5099887cc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2531,6 +2531,68 @@ class Certutil:
 return
+class Modutil:
+ """PKI Deployment NSS 'modutil' Class"""
+
+ def __init__(self, deployer):
+ self.mdict = deployer.mdict
+
+ def register_security_module(self, path, modulename, libfile,
+ prefix=None, critical_failure=True):
+ try:
+ # Compose this "modutil" command
+ command = ["modutil"]
+ # Provide a path to the NSS security databases
+ if path:
+ command.extend(["-dbdir", path])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_PATH,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH)
+ # Add optional security database prefix
+ if prefix is not None:
+ command.extend(["--dbprefix", prefix])
+ # Append '-nocertdb' switch
+ command.extend(["-nocertdb"])
+ # Specify a 'modulename'
+ if modulename:
+ command.extend(["-add", modulename])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_MODULENAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME)
+ # Specify a 'libfile'
+ if libfile:
+ command.extend(["-libfile", libfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_LIBFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_LIBFILE)
+ # Append '-force' switch
+ command.extend(["-force"])
+ # Display this "modutil" command
+ config.pki_log.info(
+ log.PKIHELPER_REGISTER_SECURITY_MODULE_1,
+ ' '.join(command),
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Execute this "modutil" command
+ subprocess.check_call(command)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure:
+ raise
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure:
+ raise
+ return
+ + + class PK12util: """PKI Deployment pk12util class""" 
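Review bot: The three `raise Exception(log.PKIHELPER_MODUTIL_MISSING_*)` branches in `register_security_module` sit inside the `try` but match neither `except` clause, so an empty path, modulename or libfile always propagates even when the caller passed `critical_failure=False`, whereas a failed modutil run on the same call is merely logged; either move the argument checks above the `try` or document that they are unconditional. The command registers `libfile` with `-force`, which suppresses modutil's interactive confirmation, and nothing verifies that the path exists before NSS is told to load that shared library into every process that opens this module database — an `os.path.isfile(libfile)` guard (assuming `os` is already imported in this module) would fail earlier and more clearly than the downstream modutil error. The method has no docstring; I would add one stating that it runs `modutil -dbdir <path> [--dbprefix <prefix>] -nocertdb -add <modulename> -libfile <libfile> -force`, that the three positional arguments are mandatory and raise `Exception` when empty, and that `critical_failure` only governs re-raising of `CalledProcessError` and `OSError`. The whole `Modutil` class is contained in this hunk.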
@@ -4282,6 +4344,7 @@ class PKIDeployer:
 self.war = War(self)
 self.password = Password(self)
 self.certutil = Certutil(self)
+ self.modutil = Modutil(self)
 self.pk12util = PK12util(self)
 self.kra_connector = KRAConnector(self)
 self.security_domain = SecurityDomain(self)
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index e63bc582a..a3e1b6f43 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -217,6 +217,11 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
 PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
 PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
 PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
+PKIHELPER_MODUTIL_MISSING_LIBFILE = \
+ "modutil: Missing '-libfile libfile' option!"
+PKIHELPER_MODUTIL_MISSING_MODULENAME = \
+ "modutil: Missing '-add modulename' option!"
+PKIHELPER_MODUTIL_MISSING_PATH = "modutil: Missing '-dbdir path' option!"
 PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = \
 "cloned CAs and external CAs MUST be MUTUALLY EXCLUSIVE in '%s'"
 PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = \
@@ -244,6 +249,7 @@ PKIHELPER_PK12UTIL_MISSING_OUTFILE = \
 "pk12util missing -o output-file option!"
 PKIHELPER_PK12UTIL_MISSING_PWFILE = \
 "pk12util missing -w pw-file option!"
+PKIHELPER_REGISTER_SECURITY_MODULE_1 = "executing '%s'"
 PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = \
 "instance '%s' contains '%d' PKI subsystems"
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 546050725..16cd92da0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
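Review bot: `PKIHELPER_REGISTER_SECURITY_MODULE_1` is inserted between `PKIHELPER_PK12UTIL_MISSING_PWFILE` and `PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2`, which breaks the alphabetical ordering the surrounding constants in this hunk follow (`PKIHELPER_PKI_...` sorts before `PKIHELPER_REGISTER_...`). The modutil messages added in the earlier hunk of this file are placed correctly after `PKIHELPER_MODIFY_SYMLINK_1`; naming this one `PKIHELPER_MODUTIL_REGISTER_SECURITY_MODULE_1` and placing it beside them, or moving it after the `PKIHELPER_PKI_*` group, keeps the file greppable. A short comment such as `# %s is the full modutil command line, including the HSM library path` would also make clear what gets logged at info level through this message.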
@@ -54,6 +54,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 deployer.mdict['pki_key_database'],
 deployer.mdict['pki_secmod_database'],
 password_file=deployer.mdict['pki_shared_pfile'])
+ if config.str2bool(deployer.mdict['pki_hsm_enable']):
+ deployer.modutil.register_security_module(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_hsm_modulename'],
+ deployer.mdict['pki_hsm_libfile'])
 deployer.file.modify(
 deployer.mdict['pki_cert_database'],
 perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) |
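Review bot: `deployer.mdict['pki_hsm_modulename']` and `deployer.mdict['pki_hsm_libfile']` are indexed directly, so a deployment file that sets `pki_hsm_enable` but omits either key aborts with a bare `KeyError` before `register_security_module` runs, and the `PKIHELPER_MODUTIL_MISSING_MODULENAME`/`_LIBFILE` messages that helper defines for exactly this case are never logged. Unless `default.cfg` already supplies empty defaults for both keys (not visible here), `deployer.mdict.get('pki_hsm_modulename')` and `deployer.mdict.get('pki_hsm_libfile')` would let the helper's own validation produce the intended error. A one-line comment such as `# Register the HSM's PKCS#11 library in the module DB before the database permissions are applied below` would explain why this call sits between database creation and `deployer.file.modify`. The enclosing method starts and ends outside this hunk.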