Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/configuration.py')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 76 |
1 files changed, 8 insertions, 68 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 17ca83681..23f32b452 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -20,7 +20,6 @@ from __future__ import absolute_import
 import json
-import re
 # PKI Deployment Imports
 from .. import pkiconfig as config
@@ -65,67 +64,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         existing = deployer.configuration_file.existing
         external = deployer.configuration_file.external
+        standalone = deployer.configuration_file.standalone
         step_one = deployer.configuration_file.external_step_one
         step_two = deployer.configuration_file.external_step_two
         try:
-            if external and step_one:  # external CA step 1 only
-
-                # Determine CA signing key type and algorithm
-                key_type = deployer.mdict['pki_ca_signing_key_type']
-                key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
-
-                if key_type == 'rsa':
-                    key_size = int(deployer.mdict['pki_ca_signing_key_size'])
-                    curve = None
-
-                    m = re.match(r'(.*)withRSA', key_alg)
-                    if not m:
-                        raise Exception('Invalid key algorithm: %s' % key_alg)
-                    hash_alg = m.group(1)
-
-                elif key_type == 'ec' or key_type == 'ecc':
-                    key_type = 'ec'
-                    key_size = None
-                    curve = deployer.mdict['pki_ca_signing_key_size']
-
-                    m = re.match(r'(.*)withEC', key_alg)
-                    if not m:
-                        raise Exception('Invalid key algorithm: %s' % key_alg)
-                    hash_alg = m.group(1)
-
-                else:
-                    raise Exception('Invalid key type: %s' % key_type)
-
-                # If filename specified, generate CA cert request and
-                # import it into CS.cfg.
-                external_csr_path = deployer.mdict['pki_external_csr_path']
-                if external_csr_path:
-                    config.pki_log.info(
-                        "generating CA signing certificate request in %s",
-                        external_csr_path,
-                        extra=config.PKI_INDENTATION_LEVEL_2)
-                    nssdb.create_request(
-                        subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
-                        request_file=external_csr_path,
-                        key_type=key_type,
-                        key_size=key_size,
-                        curve=curve,
-                        hash_alg=hash_alg)
-
-                    with open(external_csr_path) as f:
-                        signing_csr = f.read()
-
-                    signing_csr = pki.nssdb.convert_csr(
-                        signing_csr, 'pem', 'base64')
-                    subsystem.config['ca.signing.certreq'] = signing_csr
-
-                # This is needed by IPA to detect step 1 completion.
-                # See is_step_one_done() in ipaserver/install/cainstance.py.
-                subsystem.config['preop.ca.type'] = 'otherca'
-
-                subsystem.save()
-
             if existing or external and step_two:  # existing CA or external CA step 2
@@ -201,20 +144,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 subsystem.save()
-                # verify the signing certificate
-                # raises exception on failure
-                config.pki_log.info("validating the signing certificate",
-                                    extra=config.PKI_INDENTATION_LEVEL_2)
-                verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
-                    instance, 'ca')
-                verifier.verify_certificate('signing')
+            elif standalone and step_two:
+
+                # To be implemented in ticket #1692.
+                # Import standalone system certificates into NSS database.
+
+                pass
             else:  # self-signed CA
                 # To be implemented in ticket #1692.
-
-                # Generate CA cert request.
-                # Self sign CA cert.
+                # Generate self-signed CA cert.
                 # Import self-signed CA cert into NSS database.
                 pass
|
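Review bot: With the `if external and step_one:` branch removed, an external-CA step-one run no longer has its own case and falls through the retained `if existing or external and step_two:` test into the final `else:  # self-signed CA` branch shown in the next hunk, so the two situations are no longer distinguished. If step one is now handled before this scriptlet runs, a short comment on the `try:` line such as `# external CA step 1 is handled elsewhere; only step 2 / existing CA reach here` would make that explicit, otherwise an early `if external and step_one: return` style guard is needed. The removed code also wrote `preop.ca.type = 'otherca'`, which the removed comment says IPA reads to detect step-one completion, and the diffstat shows no other file changed in this commit; worth confirming that write still happens somewhere. `step_one` stays assigned in the retained context but has no use left in this hunk; the enclosing method starts and ends outside the hunk, so it may still be read further down.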
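Review bot: The existing/external step-two branch no longer validates the imported signing certificate: the `verifier.verify_certificate('signing')` call that followed `subsystem.save()` is dropped, so a certificate that fails chain or validity checks is now persisted into the subsystem configuration without the failure this step previously raised. If the validation has moved to a later stage of deployment, a one-line comment after `subsystem.save()` naming where it now happens would keep that traceable; if not, the check should remain, since this is the point where an operator-supplied certificate enters the instance. The new `elif standalone and step_two:` and the `else:` branch both end in `pass` with a ticket reference, which is a reasonable placeholder, but the `else:` comment `# self-signed CA` is now also the path an external step-one run takes, as noted on the previous hunk.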