Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/configuration.py')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py76
1 files changed, 8 insertions, 68 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 17ca83681..23f32b452 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -20,7 +20,6 @@
from __future__ import absolute_import
import json
-import re
# PKI Deployment Imports
from .. import pkiconfig as config
@@ -65,67 +64,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
existing = deployer.configuration_file.existing
external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
step_one = deployer.configuration_file.external_step_one
step_two = deployer.configuration_file.external_step_two
try:
- if external and step_one: # external CA step 1 only
-
- # Determine CA signing key type and algorithm
- key_type = deployer.mdict['pki_ca_signing_key_type']
- key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
-
- if key_type == 'rsa':
- key_size = int(deployer.mdict['pki_ca_signing_key_size'])
- curve = None
-
- m = re.match(r'(.*)withRSA', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- elif key_type == 'ec' or key_type == 'ecc':
- key_type = 'ec'
- key_size = None
- curve = deployer.mdict['pki_ca_signing_key_size']
-
- m = re.match(r'(.*)withEC', key_alg)
- if not m:
- raise Exception('Invalid key algorithm: %s' % key_alg)
- hash_alg = m.group(1)
-
- else:
- raise Exception('Invalid key type: %s' % key_type)
-
- # If filename specified, generate CA cert request and
- # import it into CS.cfg.
- external_csr_path = deployer.mdict['pki_external_csr_path']
- if external_csr_path:
- config.pki_log.info(
- "generating CA signing certificate request in %s",
- external_csr_path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- nssdb.create_request(
- subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
- request_file=external_csr_path,
- key_type=key_type,
- key_size=key_size,
- curve=curve,
- hash_alg=hash_alg)
-
- with open(external_csr_path) as f:
- signing_csr = f.read()
-
- signing_csr = pki.nssdb.convert_csr(
- signing_csr, 'pem', 'base64')
- subsystem.config['ca.signing.certreq'] = signing_csr
-
- # This is needed by IPA to detect step 1 completion.
- # See is_step_one_done() in ipaserver/install/cainstance.py.
- subsystem.config['preop.ca.type'] = 'otherca'
-
- subsystem.save()
-
if existing or external and step_two:
# existing CA or external CA step 2
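Review bot: With the `if external and step_one:` branch removed, an external-CA step-one deployment no longer matches any test in this chain and falls through to the final `else:  # self-signed CA` branch in the next hunk, which is currently only `pass`. That is harmless today, but once the self-signed path is implemented it would also run for step one unless the condition is made explicit. If the CSR generation moved to another scriptlet (not visible in this diff), an explicit guard before the `else`, `elif external and step_one:  # step 1 handled in <scriptlet placeholder>` followed by `pass`, keeps that branch strictly self-signed and documents where the logic went. The enclosing method starts before this hunk.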
@@ -201,20 +144,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
subsystem.save()
- # verify the signing certificate
- # raises exception on failure
- config.pki_log.info("validating the signing certificate",
- extra=config.PKI_INDENTATION_LEVEL_2)
- verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
- instance, 'ca')
- verifier.verify_certificate('signing')
+ elif standalone and step_two:
+
+ # To be implemented in ticket #1692.
+ # Import standalone system certificates into NSS database.
+
+ pass
else: # self-signed CA
# To be implemented in ticket #1692.
-
- # Generate CA cert request.
- # Self sign CA cert.
+ # Generate self-signed CA cert.
# Import self-signed CA cert into NSS database.
pass
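Review bot: The signing-certificate validation (`create_system_cert_verifier(instance, 'ca')` / `verify_certificate('signing')`) is dropped from the existing/external step-two path with no replacement visible in this hunk, so an imported CA certificate that fails verification would no longer stop the deployment at this point. If that check now runs elsewhere, a comment after `subsystem.save()` naming the location, e.g. `# signing cert is validated in <scriptlet-or-helper placeholder>`, would make that clear; otherwise the check should stay. The new `elif standalone and step_two:` branch silently does nothing, so a log line such as `config.pki_log.info("standalone step 2: certificate import not yet implemented", extra=config.PKI_INDENTATION_LEVEL_2)` before the `pass` would make the skipped step visible in the deployment log. The enclosing method starts before this hunk.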