summaryrefslogtreecommitdiffstats
path: root/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
diff options
context:
space:
mode:
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/csr_generation.py')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/csr_generation.py139
1 files changed, 139 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/csr_generation.py b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
new file mode 100644
index 000000000..9ada62473
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py
@@ -0,0 +1,139 @@
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import re
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+import pki.nssdb
+import pki.server
+
+
+# PKI Deployment CSR Generation Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ external = deployer.configuration_file.external
+ standalone = deployer.configuration_file.standalone
+ step_one = deployer.configuration_file.external_step_one
+ skip_configuration = deployer.configuration_file.skip_configuration
+
+ if skip_configuration:
+ config.pki_log.info(log.SKIP_CSR_GENERATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
+ instance.load()
+
+ subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
+
+ token = deployer.mdict['pki_token_name']
+ nssdb = instance.open_nssdb(token)
+
+ try:
+ if external and step_one: # external CA step 1
+
+ # Determine CA signing key type and algorithm
+ key_type = deployer.mdict['pki_ca_signing_key_type']
+ key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
+
+ if key_type == 'rsa':
+ key_size = int(deployer.mdict['pki_ca_signing_key_size'])
+ curve = None
+
+ m = re.match(r'(.*)withRSA', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ elif key_type == 'ec' or key_type == 'ecc':
+ key_type = 'ec'
+ key_size = None
+ curve = deployer.mdict['pki_ca_signing_key_size']
+
+ m = re.match(r'(.*)withEC', key_alg)
+ if not m:
+ raise Exception('Invalid key algorithm: %s' % key_alg)
+ hash_alg = m.group(1)
+
+ else:
+ raise Exception('Invalid key type: %s' % key_type)
+
+ # If filename specified, generate CA cert request and
+ # import it into CS.cfg.
+ external_csr_path = deployer.mdict['pki_external_csr_path']
+ if external_csr_path:
+ config.pki_log.info(
+ "generating CA signing certificate request in %s",
+ external_csr_path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ nssdb.create_request(
+ subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
+ request_file=external_csr_path,
+ key_type=key_type,
+ key_size=key_size,
+ curve=curve,
+ hash_alg=hash_alg)
+
+ with open(external_csr_path) as f:
+ signing_csr = f.read()
+
+ signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
+ subsystem.config['ca.signing.certreq'] = signing_csr
+
+ # This is needed by IPA to detect step 1 completion.
+ # See is_step_one_done() in ipaserver/install/cainstance.py.
+ subsystem.config['preop.ca.type'] = 'otherca'
+
+ subsystem.save()
+
+ # verify the signing certificate
+ # raises exception on failure
+ config.pki_log.info("validating the signing certificate",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ verifier = pkihelper.PKIDeployer.create_system_cert_verifier(
+ instance, 'ca')
+ verifier.verify_certificate('signing')
+
+ elif standalone and step_one: # standalone step 1
+
+ # To be implemented in ticket #1692.
+ # Generate CSRs for standalone system certs.
+
+ else: # self-signed CA
+
+ # To be implemented in ticket #1692.
+ # Generate CSR for self-signed CA cert.
+
+ pass
+
+ finally:
+ nssdb.close()
+
+ def destroy(self, deployer):
+
+ pass