diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2015-09-02 04:50:24 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2015-09-04 23:11:19 +0200 |
| commit | 2ab352e1756d02695b73a9dbe782d353708ef553 (patch) | |
| tree | a86e660ce07868b52b80da06d07b3ce989b22212 /base/server/python | |
| parent | 0a97324178c8c6353e20dfe35e78699a44e89fd5 (diff) | |
| download | pki-2ab352e1756d02695b73a9dbe782d353708ef553.tar.gz pki-2ab352e1756d02695b73a9dbe782d353708ef553.tar.xz pki-2ab352e1756d02695b73a9dbe782d353708ef553.zip | |
Added CLI to update cert data and request in CS.cfg.
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
Diffstat (limited to 'base/server/python')
| -rw-r--r-- | base/server/python/pki/server/__init__.py | 115 | ||||
| -rw-r--r-- | base/server/python/pki/server/ca.py | 92 | ||||
| -rw-r--r-- | base/server/python/pki/server/cli/ca.py | 206 | ||||
| -rw-r--r-- | base/server/python/pki/server/cli/subsystem.py | 313 | ||||
| -rw-r--r-- | base/server/python/pki/server/upgrade.py | 3 |
5 files changed, 682 insertions, 47 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 97b2e9799..70e35b8f2 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -21,7 +21,11 @@ from __future__ import absolute_import from lxml import etree +import getpass import grp +import io +import ldap +import operator import os import pwd import re @@ -32,7 +36,7 @@ import pki INSTANCE_BASE_DIR = '/var/lib/pki' REGISTRY_DIR = '/etc/sysconfig/pki' SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps'] - +SUBSYSTEM_CLASSES = {} class PKIServer(object): @@ -66,6 +70,7 @@ class PKISubsystem(object): self.base_dir = instance.base_dir self.conf_dir = os.path.join(self.base_dir, 'conf') + self.cs_conf = os.path.join(self.conf_dir, 'CS.cfg') self.context_xml_template = os.path.join( pki.SHARE_DIR, self.name, 'conf', 'Catalina', 'localhost', self.name + '.xml') @@ -73,9 +78,62 @@ class PKISubsystem(object): self.context_xml = os.path.join( instance.conf_dir, 'Catalina', 'localhost', self.name + '.xml') + self.config = {} + self.type = None + self.prefix = None + # custom subsystem location self.doc_base = os.path.join(self.base_dir, 'webapps', self.name) + def load(self): + self.config.clear() + + lines = open(self.cs_conf).read().splitlines() + + for line in lines: + parts = line.split('=', 1) + name = parts[0] + value = parts[1] + self.config[name] = value + + self.type = self.config['cs.type'] + self.prefix = self.type.lower() + + def find_subsystem_certs(self): + certs = [] + + cert_ids = self.config['%s.cert.list' % self.name].split(',') + for cert_id in cert_ids: + cert = self.create_subsystem_cert_object(cert_id) + certs.append(cert) + + return certs + + def get_subsystem_cert(self, cert_id): + return self.create_subsystem_cert_object(cert_id) + + def create_subsystem_cert_object(self, cert_id): + cert = {} + cert['id'] = cert_id + cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, cert_id), None) + cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, cert_id), None) + cert['data'] = self.config.get('%s.%s.cert' % (self.name, cert_id), None) + cert['request'] = self.config.get('%s.%s.certreq' % (self.name, cert_id), None) + return cert + + def update_subsystem_cert(self, cert): + cert_id = cert['id'] + self.config['%s.%s.nickname' % (self.name, cert_id)] = cert.get('nickname', None) + self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token', None) + self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data', None) + self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request', None) + + def save(self): + sorted_config = sorted(self.config.items(), key=operator.itemgetter(0)) + with io.open(self.cs_conf, 'wb') as f: + for (key, value) in sorted_config: + f.write('%s=%s\n' % (key, value)) + def is_valid(self): return os.path.exists(self.conf_dir) @@ -103,6 +161,21 @@ class PKISubsystem(object): def disable(self): self.instance.undeploy(self.name) + def open_database(self, name='internaldb'): + + hostname = self.config['%s.ldapconn.host' % name] + port = self.config['%s.ldapconn.port' % name] + bind_dn = self.config['%s.ldapauth.bindDN' % name] + + # TODO: add support for other authentication + # mechanisms (e.g. client cert authentication, LDAPI) + bind_password = self.instance.get_password(name) + + con = ldap.initialize('ldap://%s:%s' % (hostname, port)) + con.simple_bind_s(bind_dn, bind_password) + + return con + def __repr__(self): return str(self.instance) + '/' + self.name @@ -120,6 +193,9 @@ class PKIInstance(object): self.base_dir = os.path.join(pki.BASE_DIR, name) self.conf_dir = os.path.join(self.base_dir, 'conf') + self.password_conf = os.path.join(self.conf_dir, 'password.conf') + + self.nssdb_dir = os.path.join(self.base_dir, 'alias') self.lib_dir = os.path.join(self.base_dir, 'lib') self.registry_dir = os.path.join( @@ -136,6 +212,8 @@ class PKIInstance(object): self.uid = None self.gid = None + self.passwords = {} + self.subsystems = [] def is_valid(self): @@ -158,6 +236,7 @@ class PKIInstance(object): return rc == 0 def load(self): + # load UID and GID with open(self.registry_file, 'r') as registry: lines = registry.readlines() @@ -173,11 +252,41 @@ class PKIInstance(object): self.group = m.group(1) self.gid = grp.getgrnam(self.group).gr_gid + # load passwords + self.passwords.clear() + lines = open(self.password_conf).read().splitlines() + + for line in lines: + parts = line.split('=', 1) + name = parts[0] + value = parts[1] + self.passwords[name] = value + + # load subsystems for subsystem_name in os.listdir(self.registry_dir): - if subsystem_name in pki.server.SUBSYSTEM_TYPES: - subsystem = PKISubsystem(self, subsystem_name) + if subsystem_name in SUBSYSTEM_TYPES: + if subsystem_name in SUBSYSTEM_CLASSES: + subsystem = SUBSYSTEM_CLASSES[subsystem_name](self) + else: + subsystem = PKISubsystem(self, subsystem_name) + subsystem.load() self.subsystems.append(subsystem) + def get_password(self, name): + if name in self.passwords: + return self.passwords[name] + + password = getpass.getpass(prompt='Enter password for %s: ' % name) + self.passwords[name] = password + + return password + + def get_subsystem(self, name): + for subsystem in self.subsystems: + if name == subsystem.name: + return subsystem + return None + def is_deployed(self, webapp_name): context_xml = os.path.join( self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml') diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py new file mode 100644 index 000000000..70ebf4dd1 --- /dev/null +++ b/base/server/python/pki/server/ca.py @@ -0,0 +1,92 @@ +#!/usr/bin/python +# Authors: +# Endi S. Dewata <edewata@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2015 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +import ldap +import ldap.filter + +import pki +import pki.server + + +class CASubsystem(pki.server.PKISubsystem): + + def __init__(self, instance): + super(CASubsystem, self).__init__(instance, 'ca') + + def find_cert_requests(self, cert=None): + + base_dn = self.config['internaldb.basedn'] + + if cert: + escaped_value = ldap.filter.escape_filter_chars(cert) + search_filter = '(extdata-req--005fissued--005fcert=%s)' % escaped_value + + else: + search_filter = '(objectClass=*)' + + con = self.open_database() + + entries = con.search_s( + 'ou=ca,ou=requests,%s' % base_dn, + ldap.SCOPE_ONELEVEL, + search_filter, + None) + + con.unbind_s() + + requests = [] + for entry in entries: + requests.append(self.create_request_object(entry)) + + return requests + + def get_cert_requests(self, request_id): + + base_dn = self.config['internaldb.basedn'] + + con = self.open_database() + + entries = con.search_s( + 'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn), + ldap.SCOPE_BASE, + '(objectClass=*)', + None) + + con.unbind_s() + + entry = entries[0] + return self.create_request_object(entry) + + def create_request_object(self, entry): + + attrs = entry[1] + + request = {} + request['id'] = attrs['cn'][0] + request['type'] = attrs['requestType'][0] + request['status'] = attrs['requestState'][0] + request['request'] = attrs['extdata-cert--005frequest'][0] + + return request + + +pki.server.SUBSYSTEM_CLASSES['ca'] = CASubsystem diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py new file mode 100644 index 000000000..2ad8652f4 --- /dev/null +++ b/base/server/python/pki/server/cli/ca.py @@ -0,0 +1,206 @@ +#!/usr/bin/python +# Authors: +# Endi S. Dewata <edewata@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2015 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +from __future__ import print_function +import getopt +import io +import sys + +import pki.cli +import pki.server.ca + + +class CACLI(pki.cli.CLI): + + def __init__(self): + super(CACLI, self).__init__( + 'ca', 'CA management commands') + + self.add_module(CACertCLI()) + + +class CACertCLI(pki.cli.CLI): + + def __init__(self): + super(CACertCLI, self).__init__( + 'cert', 'CA certificates management commands') + + self.add_module(CACertRequestCLI()) + + +class CACertRequestCLI(pki.cli.CLI): + + def __init__(self): + super(CACertRequestCLI, self).__init__( + 'request', 'CA certificate requests management commands') + + self.add_module(CACertRequestFindCLI()) + self.add_module(CACertRequestShowCLI()) + + @staticmethod + def print_request(request, details=False): + print(' Request ID: %s' % request['id']) + print(' Type: %s' % request['type']) + print(' Status: %s' % request['status']) + + if details: + print(' Request: %s' % request['request']) + + +class CACertRequestFindCLI(pki.cli.CLI): + + def __init__(self): + super(CACertRequestFindCLI, self).__init__( + 'find', 'Find CA certificate requests') + + def usage(self): + print('Usage: pki-server ca-cert-request-find [OPTIONS]') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' --cert Issued certificate.') + print(' --cert-file File containing issued certificate.') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, args): + + try: + opts, _ = getopt.gnu_getopt(args, 'i:v', [ + 'instance=', 'cert=', 'cert-file=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + instance_name = 'pki-tomcat' + cert = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--cert': + cert = a + + elif o == '--cert-file': + with io.open(a, 'rb') as f: + cert = f.read() + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + subsystem = instance.get_subsystem('ca') + results = subsystem.find_cert_requests(cert=cert) + + self.print_message('%s entries matched' % len(results)) + + first = True + for request in results: + if first: + first = False + else: + print() + + CACertRequestCLI.print_request(request) + + +class CACertRequestShowCLI(pki.cli.CLI): + + def __init__(self): + super(CACertRequestShowCLI, self).__init__( + 'show', 'Show CA certificate request') + + def usage(self): + print('Usage: pki-server ca-cert-request-show <request ID> [OPTIONS]') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, args): + + try: + opts, args = getopt.gnu_getopt(args, 'i:v', [ + 'instance=', 'output-file=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) != 1: + print('ERROR: missing request ID') + self.usage() + sys.exit(1) + + request_id = args[0] + instance_name = 'pki-tomcat' + output_file = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--output-file': + output_file = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + subsystem = instance.get_subsystem('ca') + request = subsystem.get_cert_requests(request_id) + + if output_file: + with io.open(output_file, 'wb') as f: + f.write(request['request']) + + else: + CACertRequestCLI.print_request(request, details=True) diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index b1c20af59..688a5c6ed 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -21,8 +21,10 @@ from __future__ import absolute_import from __future__ import print_function +import base64 import getopt -import os +import nss.nss as nss +import string import sys import pki.cli @@ -40,6 +42,8 @@ class SubsystemCLI(pki.cli.CLI): self.add_module(SubsystemFindCLI()) self.add_module(SubsystemShowCLI()) + self.add_module(SubsystemCertCLI()) + @staticmethod def print_subsystem(subsystem): print(' Subsystem ID: %s' % subsystem.name) @@ -55,7 +59,7 @@ class SubsystemFindCLI(pki.cli.CLI): def usage(self): print('Usage: pki-server subsystem-find [OPTIONS]') print() - print(' -i, --instance <instance ID> Instance ID.') + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') print(' -v, --verbose Run in verbose mode.') print(' --help Show help message.') print() @@ -72,7 +76,7 @@ class SubsystemFindCLI(pki.cli.CLI): self.usage() sys.exit(1) - instance_name = None + instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): @@ -90,28 +94,13 @@ class SubsystemFindCLI(pki.cli.CLI): self.usage() sys.exit(1) - if not instance_name: - print('ERROR: missing instance ID') - self.usage() - sys.exit(1) - instance = pki.server.PKIInstance(instance_name) instance.load() - results = [] - - for name in os.listdir(instance.base_dir): - - subsystem = pki.server.PKISubsystem(instance, name) - if not subsystem.is_valid(): - continue - - results.append(subsystem) - - self.print_message('%s entries matched' % len(results)) + self.print_message('%s entries matched' % len(instance.subsystems)) first = True - for subsystem in results: + for subsystem in instance.subsystems: if first: first = False else: @@ -128,7 +117,7 @@ class SubsystemShowCLI(pki.cli.CLI): def usage(self): print('Usage: pki-server subsystem-show [OPTIONS] <subsystem ID>') print() - print(' -i, --instance <instance ID> Instance ID.') + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') print(' -v, --verbose Run in verbose mode.') print(' --help Show help message.') print() @@ -151,7 +140,7 @@ class SubsystemShowCLI(pki.cli.CLI): sys.exit(1) subsystem_name = args[0] - instance_name = None + instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): @@ -169,15 +158,10 @@ class SubsystemShowCLI(pki.cli.CLI): self.usage() sys.exit(1) - if not instance_name: - print('ERROR: missing instance ID') - self.usage() - sys.exit(1) - instance = pki.server.PKIInstance(instance_name) instance.load() - subsystem = pki.server.PKISubsystem(instance, subsystem_name) + subsystem = instance.get_subsystem(subsystem_name) SubsystemCLI.print_subsystem(subsystem) @@ -190,7 +174,7 @@ class SubsystemEnableCLI(pki.cli.CLI): def usage(self): print('Usage: pki-server subsystem-enable [OPTIONS] <subsystem ID>') print() - print(' -i, --instance <instance ID> Instance ID.') + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') print(' -v, --verbose Run in verbose mode.') print(' --help Show help message.') print() @@ -213,7 +197,7 @@ class SubsystemEnableCLI(pki.cli.CLI): sys.exit(1) subsystem_name = args[0] - instance_name = None + instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): @@ -231,15 +215,10 @@ class SubsystemEnableCLI(pki.cli.CLI): self.usage() sys.exit(1) - if not instance_name: - print('ERROR: missing instance ID') - self.usage() - sys.exit(1) - instance = pki.server.PKIInstance(instance_name) instance.load() - subsystem = pki.server.PKISubsystem(instance, subsystem_name) + subsystem = instance.get_subsystem(subsystem_name) subsystem.enable() self.print_message('Enabled "%s" subsystem' % subsystem_name) @@ -257,7 +236,7 @@ class SubsystemDisableCLI(pki.cli.CLI): def usage(self): print('Usage: pki-server subsystem-disable [OPTIONS] <subsystem ID>') print() - print(' -i, --instance <instance ID> Instance ID.') + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') print(' -v, --verbose Run in verbose mode.') print(' --help Show help message.') print() @@ -280,7 +259,7 @@ class SubsystemDisableCLI(pki.cli.CLI): sys.exit(1) subsystem_name = args[0] - instance_name = None + instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): @@ -298,17 +277,263 @@ class SubsystemDisableCLI(pki.cli.CLI): self.usage() sys.exit(1) - if not instance_name: - print('ERROR: missing instance ID') - self.usage() - sys.exit(1) - instance = pki.server.PKIInstance(instance_name) instance.load() - subsystem = pki.server.PKISubsystem(instance, subsystem_name) + subsystem = instance.get_subsystem(subsystem_name) subsystem.disable() self.print_message('Disabled "%s" subsystem' % subsystem_name) SubsystemCLI.print_subsystem(subsystem) + + +class SubsystemCertCLI(pki.cli.CLI): + + def __init__(self): + super(SubsystemCertCLI, self).__init__( + 'cert', 'Subsystem certificate management commands') + + self.add_module(SubsystemCertFindCLI()) + self.add_module(SubsystemCertShowCLI()) + self.add_module(SubsystemCertUpdateCLI()) + + @staticmethod + def print_subsystem_cert(cert): + print(' Cert ID: %s' % cert['id']) + print(' Nickname: %s' % cert['nickname']) + print(' Token: %s' % cert['token']) + print(' Certificate: %s' % cert['data']) + print(' Request: %s' % cert['request']) + + +class SubsystemCertFindCLI(pki.cli.CLI): + + def __init__(self): + super(SubsystemCertFindCLI, self).__init__( + 'find', 'Find subsystem certificates') + + def usage(self): + print('Usage: pki-server subsystem-cert-find [OPTIONS] <subsystem ID>') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, args = getopt.getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) != 1: + print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + results = subsystem.find_subsystem_certs() + + self.print_message('%s entries matched' % len(results)) + + first = True + for cert in results: + if first: + first = False + else: + print() + + SubsystemCertCLI.print_subsystem_cert(cert) + + +class SubsystemCertShowCLI(pki.cli.CLI): + + def __init__(self): + super(SubsystemCertShowCLI, self).__init__( + 'show', 'Show subsystem certificate') + + def usage(self): + print('Usage: pki-server subsystem-cert-show [OPTIONS] <subsystem ID> <cert ID>') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, args = getopt.getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) < 1: + print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + if len(args) < 2: + print('ERROR: missing cert ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] + cert_id = args[1] + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + subsystem_cert = subsystem.get_subsystem_cert(cert_id) + + SubsystemCertCLI.print_subsystem_cert(subsystem_cert) + + +class SubsystemCertUpdateCLI(pki.cli.CLI): + + def __init__(self): + super(SubsystemCertUpdateCLI, self).__init__( + 'update', 'Update subsystem certificate') + + def usage(self): + print('Usage: pki-server subsystem-cert-update [OPTIONS] <subsystem ID> <cert ID>') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, args = getopt.getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) < 1: + print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + if len(args) < 2: + print('ERROR: missing cert ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] + cert_id = args[1] + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + subsystem_cert = subsystem.get_subsystem_cert(cert_id) + + # get cert data from NSS database + nss.nss_init(instance.nssdb_dir) + nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname']) + data = base64.b64encode(nss_cert.der_data) + del nss_cert + nss.nss_shutdown() + subsystem_cert['data'] = data + + # format cert data for LDAP database + lines = [data[i:i+64] for i in range(0, len(data), 64)] + data = string.join(lines, '\r\n') + '\r\n' + + # get cert request from local CA + # TODO: add support for remote CA + ca = instance.get_subsystem('ca') + results = ca.find_cert_requests(cert=data) + cert_request = results[-1] + request = cert_request['request'] + + # format cert request for CS.cfg + lines = request.splitlines() + if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----': + lines = lines[1:] + if lines[-1] == '-----END CERTIFICATE REQUEST-----': + lines = lines[:-1] + request = string.join(lines, '') + subsystem_cert['request'] = request + + # store cert data and request in CS.cfg + subsystem.update_subsystem_cert(subsystem_cert) + subsystem.save() + + self.print_message('Updated "%s" subsystem certificate' % cert_id) + + SubsystemCertCLI.print_subsystem_cert(subsystem_cert) diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py index a0e52b22b..ffe7c891d 100644 --- a/base/server/python/pki/server/upgrade.py +++ b/base/server/python/pki/server/upgrade.py @@ -215,6 +215,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): if self.subsystemName: subsystem = pki.server.PKISubsystem(instance, self.subsystemName) subsystem.validate() + subsystem.load() return [subsystem] subsystem_list = [] @@ -229,6 +230,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): instance, subsystemName) subsystem.validate() + subsystem.load() subsystem_list.append(subsystem) else: for subsystemName in pki.server.SUBSYSTEM_TYPES: @@ -241,6 +243,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): instance, subsystemName) subsystem.validate() + subsystem.load() subsystem_list.append(subsystem) subsystem_list.sort() |