From b0a4981937abb1a3decad7decc0a788473464039 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 8 Sep 2016 20:06:19 +0200
Subject: Removed support for creating system certificates in different tokens.

The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.

https://fedorahosted.org/pki/ticket/2449
---
 .../server/deployment/scriptlets/configuration.py  | 37 +++-------------------
 1 file changed, 4 insertions(+), 33 deletions(-)

(limited to 'base/server/python')

diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 97f6d3e60..64ee4e5f6 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,31 +39,6 @@ import pki.util
 # PKI Deployment Configuration Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
-    def store_cert_tokens(self, subsystem, deployer):
-
-        subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
-            deployer.mdict['pki_audit_signing_token'])
-        subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
-            deployer.mdict['pki_ssl_server_token'])
-        subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
-            deployer.mdict['pki_subsystem_token'])
-
-        if subsystem.name == 'ca':
-            subsystem.config['ca.signing.tokenname'] = (
-                deployer.mdict['pki_ca_signing_token'])
-            subsystem.config['ca.ocsp_signing.tokenname'] = (
-                deployer.mdict['pki_ocsp_signing_token'])
-
-        elif subsystem.name == 'kra':
-            subsystem.config['kra.storage.tokenname'] = (
-                deployer.mdict['pki_storage_token'])
-            subsystem.config['kra.transport.tokenname'] = (
-                deployer.mdict['pki_transport_token'])
-
-        elif subsystem.name == 'ocsp':
-            subsystem.config['ocsp.signing.tokenname'] = (
-                deployer.mdict['pki_ocsp_signing_token'])
-
     def spawn(self, deployer):
 
         if config.str2bool(deployer.mdict['pki_skip_configuration']):
@@ -290,14 +265,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     nickname=signing_nickname,
                     output_format='base64')
                 subsystem.config['ca.signing.nickname'] = signing_nickname
+                subsystem.config['ca.signing.tokenname'] = (
+                    deployer.mdict['pki_ca_signing_token'])
                 subsystem.config['ca.signing.cert'] = signing_cert_data
                 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
                 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
                     deployer.mdict['pki_ca_signing_signing_algorithm'])
 
-                # Store cert tokens in CS.cfg.
-                self.store_cert_tokens(subsystem, deployer)
-
                 subsystem.save()
 
                 # verify the signing certificate
@@ -308,7 +282,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     instance, 'ca')
                 verifier.verify_certificate('signing')
 
-            else:  # other installation types
+            else:  # self-signed CA
 
                 # To be implemented in ticket #1692.
 
@@ -316,10 +290,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # Self sign CA cert.
                 # Import self-signed CA cert into NSS database.
 
-                # Store cert tokens in CS.cfg.
-                self.store_cert_tokens(subsystem, deployer)
-
-                subsystem.save()
+                pass
 
         finally:
             nssdb.close()
-- 
cgit