Diffstat (limited to 'base/server/python')
| -rw-r--r-- | base/server/python/pki/server/__init__.py | 59 | ||||
| -rw-r--r-- | base/server/python/pki/server/cli/instance.py | 4 | ||||
| -rw-r--r-- | base/server/python/pki/server/cli/subsystem.py | 11 |
3 files changed, 50 insertions, 24 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index bf705fd35..454408f6a 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -186,9 +186,11 @@ class PKISubsystem(object):
 cert = self.get_subsystem_cert(cert_id)
 nickname = cert['nickname']
 token = cert['token']
- if token == 'Internal Key Storage Token':
- token = 'internal'
- nssdb_password = self.instance.get_password(token)
+
+ if token and token.lower() in ['internal', 'internal key storage token']:
+ token = None
+
+ nssdb_password = self.instance.get_token_password(token)
 tmpdir = tempfile.mkdtemp()
@@ -204,7 +206,7 @@ class PKISubsystem(object):
 '-C', nssdb_password_file
 ]
- if token and token != 'internal':
+ if token:
 cmd.extend(['--token', token])
 cmd.extend([
@@ -234,9 +236,11 @@ class PKISubsystem(object):
 cert = self.get_subsystem_cert('subsystem')
 nickname = cert['nickname']
 token = cert['token']
- if token == 'Internal Key Storage Token':
- token = 'internal'
- nssdb_password = self.instance.get_password(token)
+
+ if token and token.lower() in ['internal', 'internal key storage token']:
+ token = None
+
+ nssdb_password = self.instance.get_token_password(token)
 tmpdir = tempfile.mkdtemp()
@@ -252,7 +256,7 @@ class PKISubsystem(object):
 '-C', nssdb_password_file
 ]
- if token and token != 'internal':
+ if token:
 cmd.extend(['--token', token])
 cmd.extend([
@@ -271,7 +275,7 @@ class PKISubsystem(object):
 '-C', nssdb_password_file
 ]
- if token and token != 'internal':
+ if token:
 cmd.extend(['--token', token])
 cmd.extend([
@@ -359,7 +363,8 @@ class PKISubsystem(object):
 connection.set_credentials(
 client_cert_nickname=self.config[
 '%s.ldapauth.clientCertNickname' % name],
- nssdb_password=self.instance.get_password('internal')
+ # TODO: remove hard-coded token name
+ nssdb_password=self.instance.get_token_password('internal')
 )
 else:
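Review bot: In the @@ -186 hunk the normalised token is set to `None` and then passed to `self.instance.get_token_password(token)`, but the new `get_token_password` (@@ -543 hunk of this file) begins with `token.lower()`, so a certificate on the internal token now raises `AttributeError` instead of resolving the `internal` password; the same pattern is in @@ -234, @@ -588 and in `cli/subsystem.py` @@ -843. The fix belongs in `get_token_password`: `if not token or token.lower() in ['internal', 'internal key storage token']:` so that `None` and an empty token both map to `name = 'internal'`, which also stops an empty token from producing the key `hardware-`. The case-insensitive normalisation is now repeated at each of these call sites as well as inside `get_token_password`; a single helper on `PKIInstance` would keep the copies from drifting. Each of these hunks sits inside a method whose definition starts and ends outside the hunk.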
@@ -543,19 +548,41 @@ class PKIInstance(object):
 return external_certs
 def get_password(self, name):
+
+ # find password (e.g. internaldb, replicationdb) in password.conf
 if name in self.passwords:
 return self.passwords[name]
+ # prompt for password if not found
 password = getpass.getpass(prompt='Enter password for %s: ' % name)
 self.passwords[name] = password
 return password
+ def get_token_password(self, token='internal'):
+
+ # determine the password name for the token
+ if token.lower() in ['internal', 'internal key storage token']:
+ name = 'internal'
+
+ else:
+ name = 'hardware-%s' % token
+
+ # find password in password.conf
+ if name in self.passwords:
+ return self.passwords[name]
+
+ # prompt for password if not found
+ password = getpass.getpass(prompt='Enter password for %s: ' % token)
+ self.passwords[name] = password
+
+ return password
+
 def open_nssdb(self, token='internal'):
 return pki.nssdb.NSSDatabase(
 directory=self.nssdb_dir,
 token=token,
- password=self.get_password(token))
+ password=self.get_token_password(token))
 def external_cert_exists(self, nickname, token):
 for cert in self.external_certs:
@@ -588,9 +615,11 @@ class PKIInstance(object):
 for cert in self.external_certs:
 nickname = cert.nickname
 token = cert.token
- if token == 'Internal Key Storage Token':
- token = 'internal'
- nssdb_password = self.get_password(token)
+
+ if token and token.lower() in ['internal', 'internal key storage token']:
+ token = None
+
+ nssdb_password = self.get_token_password(token)
 tmpdir = tempfile.mkdtemp()
@@ -606,7 +635,7 @@ class PKIInstance(object):
 '-C', nssdb_password_file
 ]
- if token and token != 'internal':
+ if token:
 cmd.extend(['--token', token])
 cmd.extend([
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 6e336e111..4a5a3b3e0 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
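Review bot: The new `get_token_password` in the @@ -543 hunk has no docstring, and its comments do not state how a token name maps to a `password.conf` entry, which is the one thing a caller migrating from `get_password` needs to know. I would add `"""Return the password for a token, prompting if it is not in password.conf. 'internal' (any case) and 'Internal Key Storage Token' use the 'internal' entry; any other token uses 'hardware-<token>'."""`. The same docstring should say that a prompted password is cached in `self.passwords` under the entry name while the prompt shows the raw token, since the two differ for hardware tokens.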
@@ -679,7 +679,7 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 instance_name)
 def import_certs(self, instance, cert_file, nickname, token, trust_args):
- password = instance.get_password(token)
+ password = instance.get_token_password(token)
 certdb = pki.nssdb.NSSDatabase(
 directory=instance.nssdb_dir,
 password=password,
@@ -762,7 +762,7 @@ class InstanceExternalCertDeleteCLI(pki.cli.CLI):
 instance_name)
 def remove_cert(self, instance, nickname, token):
- password = instance.get_password(token)
+ password = instance.get_token_password(token)
 certdb = pki.nssdb.NSSDatabase(
 directory=instance.nssdb_dir,
 password=password,
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index c92ed16be..615b55e15 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -843,14 +843,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
 print(' Token: %s' % token)
- if token == 'Internal Key Storage Token':
- token = 'internal'
+ if token and token.lower() in ['internal', 'internal key storage token']:
+ token = None
 # get token password and store in temporary file
- if token == 'internal':
- passwd = instance.get_password('internal')
- else:
- passwd = instance.get_password("hardware-%s" % token)
+ passwd = instance.get_token_password(token)
 pwfile_handle, pwfile_path = mkstemp()
 os.write(pwfile_handle, passwd)
@@ -860,7 +857,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
 cmd = ['pki',
 '-d', instance.nssdb_dir,
 '-C', pwfile_path
 ]
- if token != 'internal':
+ if token:
 cmd.extend(['--token', token])
 cmd.extend(['client-cert-validate', |
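Review bot: In the @@ -679 and @@ -762 hunks of `cli/instance.py`, moving `import_certs` and `remove_cert` from `instance.get_password(token)` to `instance.get_token_password(token)` changes which `password.conf` entry is consulted for a hardware token: the old call looked up the raw token name, the new one looks up `hardware-<token>`, the convention `cli/subsystem.py` already used before this commit. An instance whose `password.conf` keyed the entry by the raw token name would now fall through to the `getpass` prompt, which presumably breaks non-interactive use of these two commands; this deserves a line in the commit description, or a fallback lookup under the raw name inside `get_token_password`. Both methods continue past the end of their hunks.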
