-rw-r--r-- | base/common/python/pki/nssdb.py | 10 | ||||
-rw-r--r-- | base/common/python/pki/pkcs12.py | 73 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/security_databases.py | 42 |
3 files changed, 118 insertions, 7 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a0b030214..ed456540b 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -398,6 +398,16 @@ class NSSDatabase(object):
if rc:
raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
+ def show_certs(self):
+
+ cmd = [
+ 'certutil',
+ '-L',
+ '-d', self.directory
+ ]
+
+ subprocess.check_call(cmd)
+
def get_cert(self, nickname, output_format='pem'):
if output_format == 'pem':
diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py
new file mode 100644
index 000000000..a62ca0913
--- /dev/null
+++ b/base/common/python/pki/pkcs12.py
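Review bot: `show_certs` in the nssdb.py hunk has no docstring, and its name does not say that the listing goes to the process's stdout rather than being returned; add `"""Print the certificates in this database to stdout (certutil -L)."""`. Because it runs through `subprocess.check_call`, any non-zero exit from certutil surfaces as `CalledProcessError` in the caller, which is worth stating in the docstring since the method reads as a pure diagnostic. If callers need the listing in a log rather than on the terminal, `subprocess.check_output` with the result handed to the logger would be the alternative; the rest of NSSDatabase is outside the hunk, so I cannot tell which convention its other methods follow.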
@@ -0,0 +1,73 @@
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import os
+import shutil
+import subprocess
+import tempfile
+
+
+class PKCS12(object):
+
+    def __init__(self, path, password=None, password_file=None, nssdb=None):
+
+ # The pki CLI needs an NSS database to run PKCS #12 operations
+ # as required by JSS. If the nssdb parameter is provided, the CLI
+ # will use the specified NSS database object. Otherwise, it will use
+ # the default NSS database in ~/.dogtag/nssdb.
+
+ self.path = path
+ self.nssdb = nssdb
+
+ self.tmpdir = tempfile.mkdtemp()
+
+ if password:
+ self.password_file = os.path.join(self.tmpdir, 'password.txt')
+ with open(self.password_file, 'w') as f:
+ f.write(password)
+
+ elif password_file:
+ self.password_file = password_file
+
+ else:
+ raise Exception('Missing PKCS #12 password')
+
+ def close(self):
+ shutil.rmtree(self.tmpdir)
+
+ def show_certs(self):
+
+ cmd = ['pki']
+
+ if self.nssdb:
+ cmd.extend([
+ '-d', self.nssdb.directory,
+ '-C', self.nssdb.password_file
+ ])
+
+ cmd.extend([
+ 'pkcs12-cert-find',
+ '--pkcs12-file', self.path,
+ '--pkcs12-password-file', self.password_file
+ ])
+
+ subprocess.check_call(cmd)
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 18fc3e1ef..99daf1564 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -19,9 +19,11 @@ #
from __future__ import absolute_import
+from __future__ import print_function
import os
import pki.nssdb
+import pki.pkcs12
import pki.server
# PKI Deployment Imports
@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_server_pkcs12_path,
- pkcs12_password=pki_server_pkcs12_password)
+ try:
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_server_pkcs12_path,
+ pkcs12_password=pki_server_pkcs12_password)
+ finally:
+ nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict['pki_server_external_certs_path']
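Review bot: `PKCS12.__init__` calls `tempfile.mkdtemp()` before it checks that a password was supplied, so the `raise Exception('Missing PKCS #12 password')` branch leaks the temporary directory: the caller never receives an object on which to call `close()`. Validate first and create the directory afterwards, e.g. `if not password and not password_file: raise Exception('Missing PKCS #12 password')` placed ahead of the `mkdtemp()` line. It is worth a comment next to `open(self.password_file, 'w')` that the file's confidentiality rests on `mkdtemp()` creating a directory accessible only to the creating user, so a later change to a shared location is not made casually. Since correct cleanup already depends on callers wrapping `close()` in a `finally`, adding `__enter__`/`__exit__` would let them write `with PKCS12(...) as pkcs12:` and remove that burden; `show_certs` should also document that a non-zero exit from `pki` propagates as `subprocess.CalledProcessError`.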
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ try:
+ print('Importing certificates from %s:' % pki_clone_pkcs12_path)
+
+ # The PKCS12 class requires an NSS database to run. For simplicity
+ # it uses the NSS database that has just been created.
+ pkcs12 = pki.pkcs12.PKCS12(
+ path=pki_clone_pkcs12_path,
+ password=pki_clone_pkcs12_password,
+ nssdb=nssdb)
+
+ try:
+ pkcs12.show_certs()
+ finally:
+ pkcs12.close()
+
+ # Import certificates
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_clone_pkcs12_path,
+ pkcs12_password=pki_clone_pkcs12_password,
+ no_user_certs=True)
+
+ print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
+
+ nssdb.show_certs()
+
+ finally:
+ nssdb.close()
if len(deployer.instance.tomcat_instance_subsystems()) < 2: |