diff options
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/csr_generation.py')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/csr_generation.py | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/csr_generation.py b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py new file mode 100644 index 000000000..9ada62473 --- /dev/null +++ b/base/server/python/pki/server/deployment/scriptlets/csr_generation.py @@ -0,0 +1,139 @@ +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2016 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +from __future__ import print_function +import re + +# PKI Deployment Imports +from .. import pkiconfig as config +from .. import pkimessages as log +from .. import pkiscriptlet + +import pki.nssdb +import pki.server + + +# PKI Deployment CSR Generation Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + def spawn(self, deployer): + + external = deployer.configuration_file.external + standalone = deployer.configuration_file.standalone + step_one = deployer.configuration_file.external_step_one + skip_configuration = deployer.configuration_file.skip_configuration + + if skip_configuration: + config.pki_log.info(log.SKIP_CSR_GENERATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return + + instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) + instance.load() + + subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower()) + + token = deployer.mdict['pki_token_name'] + nssdb = instance.open_nssdb(token) + + try: + if external and step_one: # external CA step 1 + + # Determine CA signing key type and algorithm + key_type = deployer.mdict['pki_ca_signing_key_type'] + key_alg = deployer.mdict['pki_ca_signing_key_algorithm'] + + if key_type == 'rsa': + key_size = int(deployer.mdict['pki_ca_signing_key_size']) + curve = None + + m = re.match(r'(.*)withRSA', key_alg) + if not m: + raise Exception('Invalid key algorithm: %s' % key_alg) + hash_alg = m.group(1) + + elif key_type == 'ec' or key_type == 'ecc': + key_type = 'ec' + key_size = None + curve = deployer.mdict['pki_ca_signing_key_size'] + + m = re.match(r'(.*)withEC', key_alg) + if not m: + raise Exception('Invalid key algorithm: %s' % key_alg) + hash_alg = m.group(1) + + else: + raise Exception('Invalid key type: %s' % key_type) + + # If filename specified, generate CA cert request and + # import it into CS.cfg. + external_csr_path = deployer.mdict['pki_external_csr_path'] + if external_csr_path: + config.pki_log.info( + "generating CA signing certificate request in %s", + external_csr_path, + extra=config.PKI_INDENTATION_LEVEL_2) + nssdb.create_request( + subject_dn=deployer.mdict['pki_ca_signing_subject_dn'], + request_file=external_csr_path, + key_type=key_type, + key_size=key_size, + curve=curve, + hash_alg=hash_alg) + + with open(external_csr_path) as f: + signing_csr = f.read() + + signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') + subsystem.config['ca.signing.certreq'] = signing_csr + + # This is needed by IPA to detect step 1 completion. + # See is_step_one_done() in ipaserver/install/cainstance.py. + subsystem.config['preop.ca.type'] = 'otherca' + + subsystem.save() + + # verify the signing certificate + # raises exception on failure + config.pki_log.info("validating the signing certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + verifier = pkihelper.PKIDeployer.create_system_cert_verifier( + instance, 'ca') + verifier.verify_certificate('signing') + + elif standalone and step_one: # standalone step 1 + + # To be implemented in ticket #1692. + # Generate CSRs for standalone system certs. + + else: # self-signed CA + + # To be implemented in ticket #1692. + # Generate CSR for self-signed CA cert. + + pass + + finally: + nssdb.close() + + def destroy(self, deployer): + + pass |