diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-05-11 19:33:51 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-05-25 00:21:54 +0200 |
| commit | 4950f167d628b04c3859baf512328bff8538bd2d (patch) | |
| tree | 6cdb0cd9947c48a19b5752ffc82d2c599bf11f97 /base/server/python | |
| parent | 4bf6c1abb6159c795493991c31f7f3ef24d7c5a6 (diff) | |
| download | pki-4950f167d628b04c3859baf512328bff8538bd2d.tar.gz pki-4950f167d628b04c3859baf512328bff8538bd2d.tar.xz pki-4950f167d628b04c3859baf512328bff8538bd2d.zip | |
Fixed support for generic CSR extensions.
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
Diffstat (limited to 'base/server/python')
| -rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 25 | ||||
| -rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 49 |
2 files changed, 72 insertions, 2 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 6da08c587..b8505dd9b 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -19,6 +19,7 @@ # from __future__ import absolute_import +import binascii import json import re @@ -97,6 +98,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): try: if external and step_one: # external CA step 1 only + subject_dn = subsystem.config['preop.cert.signing.dn'] + # Determine CA signing key type and algorithm key_type = deployer.mdict['pki_ca_signing_key_type'] @@ -149,15 +152,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): 'critical': True } + # if specified, add generic CSR extension + generic_exts = None + + if 'preop.cert.signing.ext.oid' in subsystem.config and \ + 'preop.cert.signing.ext.data' in subsystem.config: + + data = subsystem.config['preop.cert.signing.ext.data'] + critical = subsystem.config['preop.cert.signing.ext.critical'] + + generic_ext = { + 'oid': subsystem.config['preop.cert.signing.ext.oid'], + 'data': binascii.unhexlify(data), + 'critical': config.str2bool(critical) + } + + generic_exts = [generic_ext] + nssdb.create_request( - subject_dn=deployer.mdict['pki_ca_signing_subject_dn'], + subject_dn=subject_dn, request_file=external_csr_path, key_type=key_type, key_size=key_size, curve=curve, hash_alg=hash_alg, basic_constraints_ext=basic_constraints_ext, - key_usage_ext=key_usage_ext) + key_usage_ext=key_usage_ext, + generic_exts=generic_exts) with open(external_csr_path) as f: signing_csr = f.read() diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index c3ae89090..18fc3e1ef 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -43,6 +43,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) + instance.load() + + subsystem = instance.get_subsystem( + deployer.mdict['pki_subsystem'].lower()) + if config.str2bool(deployer.mdict['pki_hsm_enable']): deployer.password.create_hsm_password_conf( deployer.mdict['pki_shared_password_conf'], @@ -158,6 +164,49 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Always delete the temporary 'pfile' deployer.file.delete(deployer.mdict['pki_shared_pfile']) + # Store system cert parameters in installation step to guarantee the + # parameters exist during configuration step and to allow customization. + + certs = subsystem.find_system_certs() + for cert in certs: + + # get CS.cfg tag and pkispawn tag + config_tag = cert['id'] + deploy_tag = config_tag + + if config_tag == 'signing': # for CA and OCSP + deploy_tag = subsystem.name + '_signing' + + elif config_tag == 'sslserver': + deploy_tag = 'ssl_server' + + # store nickname + nickname = deployer.mdict['pki_%s_nickname' % deploy_tag] + subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname + + # store subject DN + subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag] + subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn + + # TODO: move more system cert params here + + # If specified in the deployment parameter, add generic CA signing cert + # extension parameters into the CS.cfg. Generic extension for other + # system certs can be added directly into CS.cfg after before the + # configuration step. + + if subsystem.type == 'CA': + if deployer.configuration_file.add_req_ext: + + subsystem.config['preop.cert.signing.ext.oid'] = \ + deployer.configuration_file.req_ext_oid + subsystem.config['preop.cert.signing.ext.data'] = \ + deployer.configuration_file.req_ext_data + subsystem.config['preop.cert.signing.ext.critical'] = \ + deployer.configuration_file.req_ext_critical.lower() + + subsystem.save() + def update_external_certs_conf(self, external_path, deployer): external_certs = pki.server.PKIInstance.read_external_certs( external_path) |