From 0bf9c6bc326de463f7ec35efb0ae448419ec579a Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 22 May 2015 18:15:31 -0600
Subject: disable backup keys and share master keys when using an HSM

- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
---
 .../python/pki/server/deployment/pkihelper.py | 36 ++++++++++++++++++----
 .../python/pki/server/deployment/pkimessages.py | 9 ++++++
 2 files changed, 39 insertions(+), 6 deletions(-)

(limited to 'base/server/python/pki/server')

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 696e3d75a..0363b084e 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -559,6 +559,16 @@ class ConfigurationFile:
 # Verify existence of Admin Password (except for Clones)
 if not self.clone:
 self.confirm_data_exists("pki_admin_password")
+ # If HSM, verify absence of all PKCS #12 backup parameters
+ if (config.str2bool(self.mdict['pki_hsm_enable']) and
+ (config.str2bool(self.mdict['pki_backup_keys']) or
+ ('pki_backup_password' in self.mdict and
+ len(self.mdict['pki_backup_password'])))):
+ config.pki_log.error(
+ log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(
+ log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES)
 # If required, verify existence of Backup Password
 if config.str2bool(self.mdict['pki_backup_keys']):
 self.confirm_data_exists("pki_backup_password")
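Review bot: The new condition reads `pki_backup_keys` with a direct index but guards `pki_backup_password` with an `in` test, so the two lookups disagree about whether a key may be missing from `self.mdict`; if it may, the direct index raises a bare KeyError before the explanatory HSM error is ever logged, and if it may not (the existing `str2bool(self.mdict['pki_backup_keys'])` two context lines below indexes it the same way), the guard is dead weight. `self.mdict.get('pki_backup_password')` has the same truthiness as the present-and-non-empty test, so the two lines `('pki_backup_password' in self.mdict and` / `len(self.mdict['pki_backup_password']))` can become `self.mdict.get('pki_backup_password'))`. The rejection itself is the right call: a backup password left in the deployment file would be a credential that is never consumed on an HSM install. The enclosing method begins before this hunk, so I cannot see whether an earlier check already guarantees the key is present.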
@@ -568,9 +578,19 @@ class ConfigurationFile:
 self.confirm_data_exists("pki_client_database_password")
 # Verify existence of Client PKCS #12 Password for Admin Cert
 self.confirm_data_exists("pki_client_pkcs12_password")
- # Verify existence of PKCS #12 Password (ONLY for Clones)
 if self.clone:
- self.confirm_data_exists("pki_clone_pkcs12_password")
+ # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
+ if not config.str2bool(self.mdict['pki_hsm_enable']):
+ self.confirm_data_exists("pki_clone_pkcs12_password")
+ # Verify absence of all PKCS #12 clone parameters for HSMs
+ elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
+ ('pki_clone_pkcs12_password' in self.mdict and
+ len(self.mdict['pki_clone_pkcs12_password']))):
+ config.pki_log.error(
+ log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise Exception(
+ log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
 # Verify existence of Security Domain Password
 # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
 # Subordinate CA that will be automatically configured and
@@ -675,8 +695,10 @@ class ConfigurationFile:
 self.confirm_data_exists("pki_http_port")
 self.confirm_data_exists("pki_https_port")
 self.confirm_data_exists("pki_tomcat_server_port")
- self.confirm_data_exists("pki_clone_pkcs12_path")
- self.confirm_file_exists("pki_clone_pkcs12_path")
+ if not config.str2bool(self.mdict['pki_hsm_enable']):
+ # Check clone parameters for non-HSM clone
+ self.confirm_data_exists("pki_clone_pkcs12_path")
+ self.confirm_file_exists("pki_clone_pkcs12_path")
 self.confirm_data_exists("pki_clone_replication_security")
 elif self.external:
 # External CA
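Review bot: The HSM branch's `os.path.exists(self.mdict['pki_clone_pkcs12_path'])` tests the filesystem rather than the deployment configuration, a different criterion from the parallel backup check in this same commit, which inspects the variables' values. An HSM clone install is therefore refused whenever a PKCS #12 file happens to sit at the configured path, for example one left behind by an earlier non-HSM clone at a default location, even though the administrator set nothing, while a configured path with no file behind it passes silently. If `pki_clone_pkcs12_path` carries a non-empty default (not visible here), compare against that default; otherwise test the value the way the password is tested: `elif (self.mdict.get('pki_clone_pkcs12_path') or self.mdict.get('pki_clone_pkcs12_password')):`. The path is also indexed directly while the password is guarded with `in`, so a missing path key would raise KeyError before the friendly message is reached. The enclosing method starts before this hunk.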
@@ -4119,8 +4141,10 @@ class ConfigClient:
 def set_cloning_parameters(self, data):
 data.isClone = "true"
 data.cloneUri = self.mdict['pki_clone_uri']
- data.p12File = self.mdict['pki_clone_pkcs12_path']
- data.p12Password = self.mdict['pki_clone_pkcs12_password']
+ if not config.str2bool(self.mdict['pki_hsm_enable']):
+ # Set these clone parameters for non-HSM clones only
+ data.p12File = self.mdict['pki_clone_pkcs12_path']
+ data.p12Password = self.mdict['pki_clone_pkcs12_password']
 if config.str2bool(self.mdict['pki_clone_replicate_schema']):
 data.replicateSchema = "true"
 else:
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 321ea7869..0e7d143dd 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -199,6 +199,15 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
 PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \
+ "Since clones using Hardware Security Modules (HSMs) must share their "\
+ "master's private keys, the 'pki_clone_pkcs12_path' and "\
+ "'pki_clone_pkcs12_password' variables may not be utilized with HSMs."
+PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES = \
+ "Since Hardware Security Modules (HSMs) do not allow their private keys "\
+ "to be extracted to PKCS #12 files, the 'pki_backup_keys' and "\
+ "'pki_backup_password' variables may not be utilized with HSMs.\n"\
+ "Please contact the HSM vendor regarding their specific backup mechanism."
 PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = \
 "port %s has invalid selinux context %s"
 PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
-- cgit
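Review bot: Nothing in `set_cloning_parameters` says why an HSM clone sends no `p12File`/`p12Password`, so a reader of the request-building code cannot tell that the omission is deliberate rather than a field that was forgotten. The new comment `# Set these clone parameters for non-HSM clones only` states the what; I would replace it with the why, taken from the error text this commit adds: `# HSM clones share the master's private keys through the HSM token, so no PKCS #12 file or password is sent in the configuration request`. Whether the server side tolerates the absent fields for an HSM clone is not visible in this diff and deserves a confirming test. The method's `else:` branch and the rest of its body continue past the end of the hunk.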
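Review bot: The new `PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES` text names the offending variables but never tells the administrator what to change, so a failed pkispawn leaves them guessing between unsetting, emptying or flipping each one; it also states the hardware fact more broadly than needed, since some HSMs can export a key wrapped under a key-encryption key, just not as a PKCS #12 that pkispawn can write. I would make the message actionable and precise: `"pkispawn cannot export private keys held in a Hardware Security Module (HSM) to a PKCS #12 file; set 'pki_backup_keys=False' and leave 'pki_backup_password' unset when using an HSM.\n"`. The same remedy wording, `leave 'pki_clone_pkcs12_path' and 'pki_clone_pkcs12_password' unset`, would help the clone message above it.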