author | Matthew Harmsen <mharmsen@redhat.com> | 2017-05-16 12:58:17 -0600 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2017-05-16 12:58:17 -0600 |
commit | 641180a465d7fdf12a978c9c458e39bf6829cac2 (patch) | |
tree | 1adf1f659c785712d161959d18e7cf64e010265a /base/server/python/pki/server | |
parent | 3edee861f0f31910020825a4bdc18f36017b6a26 (diff) | |
Added FIPS class to pkispawn
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
Diffstat (limited to 'base/server/python/pki/server')
4 files changed, 55 insertions, 2 deletions
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 3d719ded2..709fe7014 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -55,6 +55,7 @@ class PKIDeployer:
         self.symlink = None
         self.war = None
         self.password = None
+        self.fips = None
         self.hsm = None
         self.certutil = None
         self.modutil = None
@@ -99,6 +100,7 @@ class PKIDeployer:
         self.symlink = util.Symlink(self)
         self.war = util.War(self)
         self.password = util.Password(self)
+        self.fips = util.FIPS(self)
         self.hsm = util.HSM(self)
         self.certutil = util.Certutil(self)
         self.modutil = util.Modutil(self)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index a1345de2c..cf2a7486c 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2172,6 +2172,47 @@ class Password:
         return token_pwd
+class FIPS:
+    """PKI Deployment FIPS class"""
+
+    def __init__(self, deployer):
+        self.mdict = deployer.mdict
+
+    def is_fips_enabled(self, critical_failure=False):
+        try:
+            # Always initialize FIPS mode as NOT enabled
+            self.mdict['pki_fips_mode_enabled'] = False
+
+            # Check to see if FIPS is enabled on this system
+            command = ["sysctl", "crypto.fips_enabled", "-bn"]
+
+            # Execute this "sysctl" command.
+            with open(os.devnull, "w") as fnull:
+                output = subprocess.check_output(command, stderr=fnull,
+                                                 close_fds=True)
+            if (output != "0"):
+                # Set FIPS mode as enabled
+                self.mdict['pki_fips_mode_enabled'] = True
+                config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED,
+                                    extra=config.PKI_INDENTATION_LEVEL_3)
+                return True
+            else:
+                config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED,
+                                    extra=config.PKI_INDENTATION_LEVEL_3)
+                return False
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure:
+                raise
+        except OSError as exc:
+            config.pki_log.error(log.PKI_OSERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure:
+                raise
+        return False
+
+
 class HSM:
     """PKI Deployment HSM class"""
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index c8821bbb6..52c8e62f3 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
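Review bot: The `if (output != "0"):` test in is_fips_enabled treats anything other than the exact text "0" as FIPS-enabled, and under Python 3 `subprocess.check_output` returns bytes, so `b"0" != "0"` is always true and every host would be reported as FIPS-enabled; an empty or unexpected output would be read the same way. Testing for the positive value on both byte and text types avoids both problems: `if output.strip() == b"1":` (on Python 2 `b"1"` is a plain `str`, so the same line works there). It would also help to state in the method's docstring that with the default `critical_failure=False` a failed `sysctl` call is logged and reported as not enabled, since callers choose the connection type from the result.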
@@ -222,6 +222,10 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
 PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_FIPS_MODE_IS_ENABLED = "FIPS mode is enabled on this operating "\
+    "system."
+PKIHELPER_FIPS_MODE_IS_NOT_ENABLED = "FIPS mode is NOT enabled on this "\
+    "operating system."
 PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \
     "Since clones using Hardware Security Modules (HSMs) must share their "\
     "master's private keys, the 'pki_clone_pkcs12_path' and "\
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 75bb80e2b..ef750b95d 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -58,8 +58,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
             deployer.systemd.restart()
             # wait for startup
-            # (must use 'http' protocol due to potential FIPS configuration)
-            status = deployer.instance.wait_for_startup(60, False)
+            status = None
+            if deployer.fips.is_fips_enabled():
+                # must use 'http' protocol when FIPS mode is enabled
+                status = deployer.instance.wait_for_startup(
+                    60, secure_connection=False)
+            else:
+                status = deployer.instance.wait_for_startup(
+                    60, secure_connection=True)
             if status is None:
                 config.pki_log.error(
                     "server failed to restart",
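Review bot: Both branches of the new `if deployer.fips.is_fips_enabled():` block in finalization.py make the same wait_for_startup call and differ only in `secure_connection`, and the preceding `status = None` is dead because each branch reassigns it; the block collapses to `secure = not deployer.fips.is_fips_enabled()` followed by `status = deployer.instance.wait_for_startup(60, secure_connection=secure)`, keeping the comment about http under FIPS. It is also worth a comment next to the call that `is_fips_enabled()` runs with its default `critical_failure=False`, so a failed probe is logged, returns False and the startup check falls back to the TLS connection, which is the fail-safe side; a reader of this scriptlet otherwise has to open pkihelper.py to learn that. The enclosing method starts and ends outside the hunk.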