5 files changed, 149 insertions, 69 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 984c10429..f217f6850 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -42,6 +42,7 @@ spawn_scriplets=
 slot_substitution
 security_databases
 client_database
+ csr_generation
 configuration
 finalization
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index ee35a2f8d..9ec38c218 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -447,6 +447,7 @@ WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'"
 SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'"
 SKIP_CLIENT_DATABASE_SPAWN_1 = "skip generating '%s'"
 SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'"
+SKIP_CSR_GENERATION_SPAWN_1 = "skip generating '%s'"
 SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'"
 SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'"
 SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'"
diff --git a/base/server/python/pki/server/deployment/scriptlets/client_database.py b/base/server/python/pki/server/deployment/scriptlets/client_database.py
index 31abb6feb..1faa3c29c 100644
--- a/base/server/python/pki/server/deployment/scriptlets/client_database.py
+++ b/base/server/python/pki/server/deployment/scriptlets/client_database.py
@@ -77,7 +77,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 deployer.mdict['pki_client_secmod_database'],
 password_file=deployer.mdict['pki_client_password_conf'])
-
 def destroy(self, deployer):
 pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 17ca83681..23f32b452 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -20,7 +20,6 @@ from __future__ import absolute_import
 import json
-import re
 # PKI Deployment Imports
 from .. import pkiconfig as config
@@ -65,67 +64,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 existing = deployer.configuration_file.existing
 external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
 step_one = deployer.configuration_file.external_step_one
 step_two = deployer.configuration_file.external_step_two
 try:
- if external and step_one: # external CA step 1 only
-
- # Determine CA signing key type and algorithm
- key_type = deployer.mdict['pki_ca_signing_key_type']
- key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
-
- if key_type == 'rsa':
- key_size = int(deployer.mdict['pki_ca_signing_key_size'])
- curve = None
-
- m = re.match(r'(.*)withRSA', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- elif key_type == 'ec' or key_type == 'ecc':
- key_type = 'ec'
- key_size = None
- curve = deployer.mdict['pki_ca_signing_key_size']
-
- m = re.match(r'(.*)withEC', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- else:
- raise Exception('Invalid key type: %s' % key_type)
-
- # If filename specified, generate CA cert request and
- # import it into CS.cfg.
- external_csr_path = deployer.mdict['pki_external_csr_path']
- if external_csr_path:
- config.pki_log.info(
- "generating CA signing certificate request in %s",
- external_csr_path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- nssdb.create_request(
- subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
- request_file=external_csr_path,
- key_type=key_type,
- key_size=key_size,
- curve=curve,
- hash_alg=hash_alg)
-
- with open(external_csr_path) as f:
- signing_csr = f.read()
-
- signing_csr = pki.nssdb.convert_csr(
- signing_csr, 'pem', 'base64')
- subsystem.config['ca.signing.certreq'] = signing_csr
-
- # This is needed by IPA to detect step 1 completion.
- # See is_step_one_done() in ipaserver/install/cainstance.py.
- subsystem.config['preop.ca.type'] = 'otherca'
-
- subsystem.save()
-
 if existing or external and step_two: # existing CA or external CA step 2
@@ -201,20 +144,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 subsystem.save()
- # verify the signing certificate
- # raises exception on failure
- config.pki_log.info("validating the signing certificate",
- extra=config.PKI_INDENTATION_LEVEL_2)
- verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
- instance, 'ca')
- verifier.verify_certificate('signing')
+ elif standalone and step_two:
+
+ # To be implemented in ticket #1692.
+ # Import standalone system certificates into NSS database.
+
+ pass
 else: # self-signed CA
 # To be implemented in ticket #1692.
-
- # Generate CA cert request.
- # Self sign CA cert.
+ # Generate self-signed CA cert.
 # Import self-signed CA cert into NSS database.
 pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/csr_generation.py b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
new file mode 100644
index 000000000..9ada62473
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
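Review bot: The signing-certificate validation (`verifier = pkihelper.PKIDeployer.create_system_cert_verifier(instance, 'ca')` followed by `verifier.verify_certificate('signing')`) is removed from the `existing or external and step_two` branch, which after this commit is the only path where an externally issued CA signing certificate has just been imported and can actually be checked; the new csr_generation.py re-adds the same call in its external step-one branch, where only a CSR has been written and no signing certificate exists yet. Keep the validation after the import here (or right after the step-two import, which lies outside this hunk) and drop it from csr_generation.py, otherwise a step-two install with a bad or mismatched CA certificate is no longer caught at deployment time. The enclosing `spawn()` and its `try` block start outside the hunk, so it is not visible whether `pkihelper` is still used elsewhere in configuration.py after this removal.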
@@ -0,0 +1,139 @@
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import re
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+import pki.nssdb
+import pki.server
+
+
+# PKI Deployment CSR Generation Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
+ step_one = deployer.configuration_file.external_step_one
+ skip_configuration = deployer.configuration_file.skip_configuration
+
+ if skip_configuration:
+ config.pki_log.info(log.SKIP_CSR_GENERATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
+
+ token = deployer.mdict['pki_token_name']
+ nssdb = instance.open_nssdb(token)
+
+ try:
+ if external and step_one: # external CA step 1
+
+ # Determine CA signing key type and algorithm
+ key_type = deployer.mdict['pki_ca_signing_key_type']
+ key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
+
+ if key_type == 'rsa':
+ key_size = int(deployer.mdict['pki_ca_signing_key_size'])
+ curve = None
+
+ m = re.match(r'(.*)withRSA', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ elif key_type == 'ec' or key_type == 'ecc':
+ key_type = 'ec'
+ key_size = None
+ curve = deployer.mdict['pki_ca_signing_key_size']
+
+ m = re.match(r'(.*)withEC', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ else:
+ raise Exception('Invalid key type: %s' % key_type)
+
+ # If filename specified, generate CA cert request and
+ # import it into CS.cfg.
+ external_csr_path = deployer.mdict['pki_external_csr_path']
+ if external_csr_path:
+ config.pki_log.info(
+ "generating CA signing certificate request in %s",
+ external_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ nssdb.create_request(
+ subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
+ request_file=external_csr_path,
+ key_type=key_type,
+ key_size=key_size,
+ curve=curve,
+ hash_alg=hash_alg)
+
+ with open(external_csr_path) as f:
+ signing_csr = f.read()
+
+ signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
+ subsystem.config['ca.signing.certreq'] = signing_csr
+
+ # This is needed by IPA to detect step 1 completion.
+ # See is_step_one_done() in ipaserver/install/cainstance.py.
+ subsystem.config['preop.ca.type'] = 'otherca'
+
+ subsystem.save()
+
+ # verify the signing certificate
+ # raises exception on failure
+ config.pki_log.info("validating the signing certificate",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
+ instance, 'ca')
+ verifier.verify_certificate('signing')
+
+ elif standalone and step_one: # standalone step 1
+
+ # To be implemented in ticket #1692.
+ # Generate CSRs for standalone system certs.
+
+ else: # self-signed CA
+
+ # To be implemented in ticket #1692.
+ # Generate CSR for self-signed CA cert.
+
+ pass
+
+ finally:
+ nssdb.close()
+
+ def destroy(self, deployer):
+
+ pass
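Review bot: The `elif standalone and step_one:` branch near the end of `spawn()` contains only two comment lines and no statement, so this module raises an IndentationError at import time and the scriptlet (now listed in default.cfg's spawn order) can never load; add `pass` after the comments, as the `else` branch already does. Separately, the validation block after `subsystem.save()` references `pkihelper`, which this file never imports, so it would fail with a NameError as soon as a CSR is written; that check belongs with the certificate import in configuration.py, not in the step that only produces a request. `from __future__ import print_function` is unused here and can go. A short class docstring stating that this scriptlet only generates the CA signing CSR (and, for `pki_external_csr_path`, records it in `ca.signing.certreq` and sets `preop.ca.type`) while certificate import stays in configuration.py would make the split between the two scriptlets clear to the next maintainer.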