authorMatthew Harmsen <mharmsen@redhat.com>2015-04-14 20:05:17 -0600
committerMatthew Harmsen <mharmsen@redhat.com>2015-04-14 20:05:17 -0600
commitcde899c8e8516125b26818d5668487c99267420c (patch)
treef17f837e0e89aef299fa724df11be9a91528011b /base/server/python/pki/server
parent711d3ca66b6702a33839c3a436550464fa49d0d8 (diff)
Add HSM options to pkispawn
- PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py63
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py6
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py5
3 files changed, 74 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index d11badf5c..5099887cc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2531,6 +2531,68 @@ class Certutil:
return
+class Modutil:
+ """PKI Deployment NSS 'modutil' Class"""
+
+ def __init__(self, deployer):
+ self.mdict = deployer.mdict
+
+ def register_security_module(self, path, modulename, libfile,
+ prefix=None, critical_failure=True):
+ try:
+ # Compose this "modutil" command
+ command = ["modutil"]
+ # Provide a path to the NSS security databases
+ if path:
+ command.extend(["-dbdir", path])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_PATH,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH)
+ # Add optional security database prefix
+ if prefix is not None:
+ command.extend(["--dbprefix", prefix])
+ # Append '-nocertdb' switch
+ command.extend(["-nocertdb"])
+ # Specify a 'modulename'
+ if modulename:
+ command.extend(["-add", modulename])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_MODULENAME,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME)
+ # Specify a 'libfile'
+ if libfile:
+ command.extend(["-libfile", libfile])
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_MODUTIL_MISSING_LIBFILE,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(log.PKIHELPER_MODUTIL_MISSING_LIBFILE)
+ # Append '-force' switch
+ command.extend(["-force"])
+ # Display this "modutil" command
+ config.pki_log.info(
+ log.PKIHELPER_REGISTER_SECURITY_MODULE_1,
+ ' '.join(command),
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Execute this "modutil" command
+ subprocess.check_call(command)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure:
+ raise
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure:
+ raise
+ return
+
+
class PK12util:
"""PKI Deployment pk12util class"""
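Review bot: `register_security_module` passes the configured library path straight to `modutil -add … -libfile … -force`, and since `-force` suppresses modutil's confirmation prompts, a typo or a path outside the intended location is only caught (if at all) by modutil itself; because the registered PKCS#11 module is later loaded into every process that opens this NSS database, I would reject anything that is not an existing regular file before composing the command, e.g. `if not os.path.isfile(libfile): raise Exception(log.PKIHELPER_MODUTIL_MISSING_LIBFILE)` beside the empty-value check (assuming `os` is already imported in pkihelper.py, which this hunk does not show). The command is handed to `subprocess.check_call` as an argument list with no shell, so the path is not subject to shell interpretation, which is the right shape. One smaller point: the prefix switch is spelled `--dbprefix` while every other switch uses a single dash; I believe modutil documents it as `-dbprefix`, so confirm the double-dash form is accepted before relying on it. Note also that the bare `Exception` raised for a missing argument bypasses `critical_failure`, which only governs the two subprocess error paths; if that mirrors the existing `Certutil` helper it is fine, but worth a one-line docstring on the method saying so.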
@@ -4282,6 +4344,7 @@ class PKIDeployer:
self.war = War(self)
self.password = Password(self)
self.certutil = Certutil(self)
+ self.modutil = Modutil(self)
self.pk12util = PK12util(self)
self.kra_connector = KRAConnector(self)
self.security_domain = SecurityDomain(self)
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index e63bc582a..a3e1b6f43 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -217,6 +217,11 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
+PKIHELPER_MODUTIL_MISSING_LIBFILE = \
+ "modutil: Missing '-libfile libfile' option!"
+PKIHELPER_MODUTIL_MISSING_MODULENAME = \
+ "modutil: Missing '-add modulename' option!"
+PKIHELPER_MODUTIL_MISSING_PATH = "modutil: Missing '-dbdir path' option!"
PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = \
"cloned CAs and external CAs MUST be MUTUALLY EXCLUSIVE in '%s'"
PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = \
@@ -244,6 +249,7 @@ PKIHELPER_PK12UTIL_MISSING_OUTFILE = \
"pk12util missing -o output-file option!"
PKIHELPER_PK12UTIL_MISSING_PWFILE = \
"pk12util missing -w pw-file option!"
+PKIHELPER_REGISTER_SECURITY_MODULE_1 = "executing '%s'"
PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = \
"instance '%s' contains '%d' PKI subsystems"
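Review bot: `PKIHELPER_REGISTER_SECURITY_MODULE_1` is inserted between `PKIHELPER_PK12UTIL_MISSING_PWFILE` and `PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2`, which breaks the alphabetical ordering the neighbouring constants appear to follow (`PKI_` sorts before `REGISTER`). Moving it below the `PKIHELPER_PKI_*` entries keeps the table scannable; the value `"executing '%s'"` itself is fine.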
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 546050725..16cd92da0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -54,6 +54,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_key_database'],
deployer.mdict['pki_secmod_database'],
password_file=deployer.mdict['pki_shared_pfile'])
+ if config.str2bool(deployer.mdict['pki_hsm_enable']):
+ deployer.modutil.register_security_module(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_hsm_modulename'],
+ deployer.mdict['pki_hsm_libfile'])
deployer.file.modify(
deployer.mdict['pki_cert_database'],
perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
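Review bot: If `pki_hsm_enable` is true but `pki_hsm_modulename` or `pki_hsm_libfile` is absent from the deployment config, the `deployer.mdict[...]` lookups on the new lines raise a bare `KeyError` before `register_security_module` can reach its own missing-option logging; using `deployer.mdict.get('pki_hsm_modulename')` and `deployer.mdict.get('pki_hsm_libfile')` would route an unset option through the helper's validation and its clearer `modutil: Missing ...` messages (if default.cfg always seeds these keys, which this hunk does not show, that concern does not apply). The registration also runs before the permission-tightening `deployer.file.modify` calls that begin right after it; modutil `-nocertdb` writes to the secmod database, so please confirm that `pki_secmod_database` is among the files whose permissions are fixed further down, outside this hunk. The enclosing `spawn` method starts and ends outside the hunk.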