From b6bba0ff4d35444ae9b5123c089a13d93ad94af8 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 13 May 2016 18:10:03 +0200 Subject: Fixed pki-server subsystem-cert-validate command. The system certificate validation command has been modified to check for both 'internal' and 'Internal Key Storage Token' since both are valid names for the internal token. Additional checks have been added to validate the certificate parameters in CS.cfg. The output of the command has been modified to be more consistent with other pki-server commands. The pki client-cert-validate invocation has been fixed to use -C option to specify the NSS database password in a file. https://fedorahosted.org/pki/ticket/2043 --- base/server/python/pki/server/cli/subsystem.py | 115 ++++++++++++++++++------- 1 file changed, 83 insertions(+), 32 deletions(-) (limited to 'base/server/python') diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index 6d60468a6..c92ed16be 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py 
@@ -779,55 +779,106 @@ class SubsystemCertValidateCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + self.print_message('ERROR: missing subsystem ' + subsystem_name) + sys.exit(1) if cert_id is not None: certs = [subsystem.get_subsystem_cert(cert_id)] else: certs = subsystem.find_system_certs() + first = True certs_valid = True + for cert in certs: - token = cert['token'] - # get token password and store in temporary file - if token == 'Internal Key Storage Token': - passwd = instance.get_password('internal') + if first: + first = False else: - passwd = instance.get_password("hardware-%s" % token) + print() + + certs_valid &= self.validate_certificate(instance, cert) + + if certs_valid: + self.print_message("Validation succeeded") + sys.exit(0) + else: + self.print_message("Validation failed") + sys.exit(1) + + def validate_certificate(self, instance, cert): + + if self.verbose: + print(cert) + + print(' Cert ID: %s' % cert['id']) + + if not cert['request']: + print(' Status: ERROR: missing certificate request') + return False + + if not cert['data']: + print(' Status: ERROR: missing certificate data') + return False - pwfile_handle, pwfile_path = mkstemp() - os.write(pwfile_handle, passwd) - os.close(pwfile_handle) + nickname = cert['nickname'] + if not nickname: + print(' Status: ERROR: missing nickname') + return False + print(' Nickname: %s' % nickname) + + usage = cert['certusage'] + if not usage: + print(' Status: ERROR: missing usage') + return False + + print(' Usage: %s' % usage) + + token = cert['token'] + if not token: + print(' Status: ERROR: missing token name') + return False + + print(' Token: %s' % token) + + if token == 'Internal Key Storage Token': + token = 'internal' + + # get token password and store in temporary file + if token == 'internal': + passwd = instance.get_password('internal') + else: + passwd = instance.get_password("hardware-%s" % token) + + pwfile_handle, pwfile_path = 
mkstemp() + os.write(pwfile_handle, passwd) + os.close(pwfile_handle) + + try: cmd = ['pki', '-d', instance.nssdb_dir, - '-W', pwfile_path ] + '-C', pwfile_path ] - if token != 'Internal Key Storage Token': + if token != 'internal': cmd.extend(['--token', token]) - cmd.extend( - ['client-cert-validate', - cert['nickname'], - '--certusage', cert['certusage']] + cmd.extend(['client-cert-validate', + nickname, + '--certusage', usage] ) - try: - subprocess.check_output(cmd, stderr=subprocess.STDOUT) - self.print_message("Valid certificate : %s" %cert['nickname']) - except subprocess.CalledProcessError as e: - certs_valid = False - if e.returncode == 1: - self.print_message("Invalid certificate: %s" - % cert['nickname']) - else: - self.print_message("Error in validating certificate: %s" - % cert['nickname']) - self.print_message(e.output) - finally: - os.unlink(pwfile_path) + subprocess.check_output(cmd, stderr=subprocess.STDOUT) + print(' Status: VALID') - if certs_valid: - sys.exit(0) - else: - sys.exit(1) + return True + + except subprocess.CalledProcessError as e: + if e.returncode == 1: + print(' Status: INVALID') + else: + print(' Status: ERROR: %s' % e.output) + return False + finally: + os.unlink(pwfile_path) -- cgit
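Review bot: In validate_certificate the temporary password file is created and written before the `try:` opens, so a failure in `os.write` or `os.close` (for instance `instance.get_password` returning nothing for a token name taken from CS.cfg, which the new `missing ...` checks do not cover) leaves the file holding the token password behind in the temp directory and leaks the descriptor, because the `finally: os.unlink(pwfile_path)` only wraps the subprocess call. Opening the `try` directly after the `mkstemp()` call and closing the descriptor in its own inner `finally` keeps the password file's lifetime bounded on every path. If this module is meant to run under Python 3, `os.write` also requires bytes, so `passwd` would need to be encoded before the write — worth confirming against the interpreter the CLI targets. The hunk's leading context lines belong to a method whose start lies outside the hunk; validate_certificate itself appears complete within it.
```python
pwfile_handle, pwfile_path = mkstemp()
try:
    try:
        os.write(pwfile_handle, passwd)
    finally:
        os.close(pwfile_handle)

    # … unchanged: build cmd, run client-cert-validate, print status …
finally:
    os.unlink(pwfile_path)
```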