authorEndi S. Dewata <edewata@redhat.com>2016-08-20 10:47:15 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-08-22 21:39:02 +0200
commiteb28cf05cfad246383dbda054c8cd477bc7acc73 (patch)
tree388cd3c0f1dce9559948fd73f19de06bd931970f /base/server/python/pki/server
parentbde2cd1d3e65850c82a6ea7a6cebcae46a4408f2 (diff)
Updated pki-server subsystem-cert-update CLI.
The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found. The NSSDatabase constructor has been modified to normalize the name of the internal NSS token to None. If the token name is None, certutil will be executed without the -h option. NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname. https://fedorahosted.org/pki/ticket/2440
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/cli/subsystem.py49
1 files changed, 29 insertions, 20 deletions
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index c173ea255..42da26e10 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -21,10 +21,8 @@
from __future__ import absolute_import
from __future__ import print_function
-import base64
import getopt
import getpass
-import nss.nss as nss
import os
import string
import subprocess
@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
sys.exit(1)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
- # get cert data from NSS database
- nss.nss_init(instance.nssdb_dir)
- nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
- data = base64.b64encode(nss_cert.der_data)
- del nss_cert
- nss.nss_shutdown()
+ if self.verbose:
+ print('Retrieving certificate %s from %s' %
+ (subsystem_cert['nickname'], subsystem_cert['token']))
+
+ token = subsystem_cert['token']
+ nssdb = instance.open_nssdb(token)
+ data = nssdb.get_cert(
+ nickname=subsystem_cert['nickname'],
+ output_format='base64')
subsystem_cert['data'] = data
# format cert data for LDAP database
lines = [data[i:i + 64] for i in range(0, len(data), 64)]
data = string.join(lines, '\r\n') + '\r\n'
- # get cert request from local CA
+ if self.verbose:
+ print('Retrieving certificate request from CA database')
+
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
if not ca:
print('ERROR: No CA subsystem in instance %s.' % instance_name)
sys.exit(1)
+
results = ca.find_cert_requests(cert=data)
- cert_request = results[-1]
- request = cert_request['request']
-
- # format cert request for CS.cfg
- lines = request.splitlines()
- if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
- lines = lines[1:]
- if lines[-1] == '-----END CERTIFICATE REQUEST-----':
- lines = lines[:-1]
- request = string.join(lines, '')
- subsystem_cert['request'] = request
+
+ if results:
+ cert_request = results[-1]
+ request = cert_request['request']
+
+ # format cert request for CS.cfg
+ lines = request.splitlines()
+ if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+ lines = lines[1:]
+ if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+ lines = lines[:-1]
+ request = string.join(lines, '')
+ subsystem_cert['request'] = request
+
+ else:
+ print('WARNING: Certificate request not found')
# store cert data and request in CS.cfg
subsystem.update_subsystem_cert(subsystem_cert)
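Review bot: The handle returned by `instance.open_nssdb(token)` is never released in this hunk, and the result of `nssdb.get_cert(...)` is used without a check. If NSSDatabase keeps temporary material such as a password file for certutil (its implementation is not shown here), wrap the lookup as `try: data = nssdb.get_cert(...)` / `finally: nssdb.close()` so it is cleaned up even when certutil fails. If `get_cert` can return an empty result for a missing nickname, `len(data)` a few lines later would raise a traceback instead of following the `ERROR: ...` plus `sys.exit(1)` pattern used for the missing CA subsystem, so an explicit `if not data:` guard would keep failures consistent. In the `else` branch, `subsystem_cert['request']` keeps whatever value it already had, so CS.cfg can end up pairing the new certificate data with an older request while the command still exits successfully; a comment stating whether that is intended would help. The method body starts and ends outside the hunk.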