From bc65e12500cbc3381b4e755a4a50214f43049ad3 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: Added support to create system certificates in different tokens.

Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki__token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.

https://fedorahosted.org/pki/ticket/2449
---
 .../server/deployment/scriptlets/configuration.py | 37 +++++++++++++++++++---
 1 file changed, 33 insertions(+), 4 deletions(-)
(limited to 'base/server/python')

diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 64ee4e5f6..97f6d3e60 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,6 +39,31 @@ import pki.util
 # PKI Deployment Configuration Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ def store_cert_tokens(self, subsystem, deployer):
+
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+ deployer.mdict['pki_audit_signing_token'])
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+ deployer.mdict['pki_ssl_server_token'])
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+ deployer.mdict['pki_subsystem_token'])
+
+ if subsystem.name == 'ca':
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
+ elif subsystem.name == 'kra':
+ subsystem.config['kra.storage.tokenname'] = (
+ deployer.mdict['pki_storage_token'])
+ subsystem.config['kra.transport.tokenname'] = (
+ deployer.mdict['pki_transport_token'])
+
+ elif subsystem.name == 'ocsp':
+ subsystem.config['ocsp.signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
 def spawn(self, deployer):
 if config.str2bool(deployer.mdict['pki_skip_configuration']):
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 nickname=signing_nickname,
 output_format='base64')
 subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
 subsystem.config['ca.signing.cert'] = signing_cert_data
 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
 deployer.mdict['pki_ca_signing_signing_algorithm'])
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
 subsystem.save()
 # verify the signing certificate
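Review bot: `store_cert_tokens` has no docstring, and nothing in the method says that it only fills the in-memory `subsystem.config` and depends on the caller's `subsystem.save()` to persist the values; read on its own it looks as though it writes CS.cfg itself. A docstring such as `"""Record the token name of each system certificate in subsystem.config (the *.tokenname keys) from the pki_*_token deployment parameters; the caller must call subsystem.save() to write them to CS.cfg."""` would make the contract clear, and it should also state that subsystems other than ca, kra and ocsp get only the three shared entries, since the if/elif chain covers nothing else. Each `deployer.mdict[...]` lookup raises a bare KeyError when a parameter is missing, so a deployment profile that omits one of the `pki_*_token` keys fails here without a message naming the parameter; presumably the defaults normally supply them, but a lookup that reports the missing key by name would make the failure easier to diagnose. Since the token name written here decides where each key pair is later generated, a short comment noting that the configuration servlet consumes these keys after start-up (as the commit message explains) would help the next reader understand why the values must be saved before the server is started.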
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 instance, 'ca')
 verifier.verify_certificate('signing')
- else: # self-signed CA
+ else: # other installation types
 # To be implemented in ticket #1692.
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # Self sign CA cert.
 # Import self-signed CA cert into NSS database.
- pass
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
+ subsystem.save()
 finally:
 nssdb.close()
-- 
cgit
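Review bot: The new `self.store_cert_tokens(subsystem, deployer)` / `subsystem.save()` lines sit directly under the `# Self sign CA cert.` and `# Import self-signed CA cert into NSS database.` comments, which together with the `# To be implemented in ticket #1692.` line above them still read as the branch's TODO list, so the live code now looks like one of the unimplemented steps. Either move the new block above those comments or separate it with a line such as `# Token names are stored now; the steps above remain TODO (ticket #1692).` The same call-and-save pair is also added to the external-CA branch earlier in `spawn`; since both branches end this way, hoisting the pair to after the if/else would remove the duplication, assuming the signing-certificate verification in the external-CA branch does not need the token names persisted first, which the hunk does not show. `spawn` begins outside this hunk.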