-rw-r--r--base/common/python/pki/nssdb.py10
-rw-r--r--base/common/python/pki/pkcs12.py73
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py42
3 files changed, 118 insertions, 7 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a0b030214..ed456540b 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -398,6 +398,16 @@ class NSSDatabase(object):
if rc:
raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
+ def show_certs(self):
+
+ cmd = [
+ 'certutil',
+ '-L',
+ '-d', self.directory
+ ]
+
+ subprocess.check_call(cmd)
+
def get_cert(self, nickname, output_format='pem'):
if output_format == 'pem':
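Review bot: The new show_certs has no docstring, and its output contract differs from the neighbouring methods: it streams `certutil -L` straight to the process's stdout instead of returning anything, and a non-zero exit surfaces as a bare CalledProcessError rather than the `'Failed to ... RC: %d'` style exception used a few lines above. A docstring such as `"""Print the certificates in this NSS database (certutil -L) to stdout; raises CalledProcessError if certutil fails."""` would make that explicit to callers in the deployment scriptlets. If the intent is for callers to inspect the list rather than just display it, returning `subprocess.check_output(cmd)` would be the more reusable shape, but the page does not show a caller that needs it.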
diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py
new file mode 100644
index 000000000..a62ca0913
--- /dev/null
+++ b/base/common/python/pki/pkcs12.py
@@ -0,0 +1,73 @@
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import os
+import shutil
+import subprocess
+import tempfile
+
+
+class PKCS12(object):
+
+ def __init__(self, path, password=None, password_file=None, nssdb=None):
+
+ # The pki CLI needs an NSS database to run PKCS #12 operations
+ # as required by JSS. If the nssdb parameter is provided, the CLI
+ # will use the specified NSS database object. Otherwise, it will use
+ # the default NSS database in ~/.dogtag/nssdb.
+
+ self.path = path
+ self.nssdb = nssdb
+
+ self.tmpdir = tempfile.mkdtemp()
+
+ if password:
+ self.password_file = os.path.join(self.tmpdir, 'password.txt')
+ with open(self.password_file, 'w') as f:
+ f.write(password)
+
+ elif password_file:
+ self.password_file = password_file
+
+ else:
+ raise Exception('Missing PKCS #12 password')
+
+ def close(self):
+ shutil.rmtree(self.tmpdir)
+
+ def show_certs(self):
+
+ cmd = ['pki']
+
+ if self.nssdb:
+ cmd.extend([
+ '-d', self.nssdb.directory,
+ '-C', self.nssdb.password_file
+ ])
+
+ cmd.extend([
+ 'pkcs12-cert-find',
+ '--pkcs12-file', self.path,
+ '--pkcs12-password-file', self.password_file
+ ])
+
+ subprocess.check_call(cmd)
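Review bot: In PKCS12.__init__ the temporary directory is created by `tempfile.mkdtemp()` before the password arguments are validated, so the `raise Exception('Missing PKCS #12 password')` branch leaks an empty temp directory that no caller can ever close(). Validating first (or wrapping the remainder in a try that removes tmpdir on failure) fixes that. The password file written inside tmpdir also inherits the process umask; mkdtemp makes the directory 0700, but creating the file with an explicit 0o600 mode keeps the secret owner-only even if the directory permissions are later relaxed. Since the class already pairs a constructor with close(), adding `__enter__`/`__exit__` (calling close) would let callers use `with` instead of the manual try/finally now repeated in security_databases.py.
```python
    def __init__(self, path, password=None, password_file=None, nssdb=None):
        # … unchanged: comment on the NSS database requirement …
        self.path = path
        self.nssdb = nssdb

        # Validate before creating any resource so a failed construction
        # leaves nothing behind for close() to clean up.
        if not password and not password_file:
            raise Exception('Missing PKCS #12 password')

        self.tmpdir = tempfile.mkdtemp()

        if password:
            self.password_file = os.path.join(self.tmpdir, 'password.txt')
            # Owner-only file mode regardless of umask; the password is a secret.
            fd = os.open(self.password_file,
                         os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, 'w') as f:
                f.write(password)
        else:
            self.password_file = password_file
```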
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 18fc3e1ef..99daf1564 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -19,9 +19,11 @@
#
from __future__ import absolute_import
+from __future__ import print_function
import os
import pki.nssdb
+import pki.pkcs12
import pki.server
# PKI Deployment Imports
@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_server_pkcs12_path,
- pkcs12_password=pki_server_pkcs12_password)
+ try:
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_server_pkcs12_path,
+ pkcs12_password=pki_server_pkcs12_password)
+ finally:
+ nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict['pki_server_external_certs_path']
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ try:
+ print('Importing certificates from %s:' % pki_clone_pkcs12_path)
+
+ # The PKCS12 class requires an NSS database to run. For simplicity
+ # it uses the NSS database that has just been created.
+ pkcs12 = pki.pkcs12.PKCS12(
+ path=pki_clone_pkcs12_path,
+ password=pki_clone_pkcs12_password,
+ nssdb=nssdb)
+
+ try:
+ pkcs12.show_certs()
+ finally:
+ pkcs12.close()
+
+ # Import certificates
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_clone_pkcs12_path,
+ pkcs12_password=pki_clone_pkcs12_password,
+ no_user_certs=True)
+
+ print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
+
+ nssdb.show_certs()
+
+ finally:
+ nssdb.close()
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
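Review bot: The outer try now makes the informational listing `pkcs12.show_certs()` a hard failure point before `nssdb.import_pkcs12` runs; since both use the same file and password that is probably acceptable, but a comment stating it is intentional, e.g. `# A listing failure aborts the clone before anything is imported`, would stop a later reader from "fixing" it. The two `print()` calls write directly to stdout, which is inconsistent with the rest of the scriptlet if it reports through a logger (not visible in this hunk, so hedged); the previous hunk's import path reports nothing at all, so the two code paths now differ in verbosity. The enclosing method starts and ends outside the hunk. Note also that the nested `pkcs12.close()` handling is exactly the try/finally that a context manager on PKCS12 would absorb.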