From 04055a9bc40486950a3288acf610522e767c1e27 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 17 Mar 2016 15:23:34 +0100 Subject: Additional clean-ups for PKCS #12 utilities. The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742 --- base/common/python/pki/nssdb.py | 6 ++++-- .../netscape/cmstools/pkcs12/PKCS12CertAddCLI.java | 2 +- .../com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java | 15 +++++++++++++-- base/server/etc/default.cfg | 5 +++-- base/server/man/man8/pkispawn.8 | 6 +++--- base/server/python/pki/server/cli/instance.py | 11 +++++++---- base/server/python/pki/server/cli/subsystem.py | 4 ++-- .../deployment/scriptlets/security_databases.py | 19 ++++++++----------- 8 files changed, 41 insertions(+), 27 deletions(-) (limited to 'base') diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 43a97146d..2fc2d420f 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -531,8 +531,10 @@ class NSSDatabase(object): finally: shutil.rmtree(tmpdir) - def export_pkcs12(self, pkcs12_file, nicknames=None, pkcs12_password=None, - pkcs12_password_file=None): + def export_pkcs12(self, pkcs12_file, + pkcs12_password=None, + pkcs12_password_file=None, + nicknames=None): tmpdir = tempfile.mkdtemp() diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java index c3c5ef489..48e4907cf 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java 
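Review bot: Moving `nicknames` from the second to the last positional slot of `export_pkcs12` is a silent break for any caller that passes it positionally: a call like `export_pkcs12(path, ['Server-Cert'])` now binds the list to `pkcs12_password`, so the export either fails further down or runs with no nickname filter, depending on what the body does with a non-string password. The two in-tree callers are switched to keyword arguments in this commit, but `pki.nssdb` is importable library code and out-of-tree callers would not be. The `super(Cls, self)` style elsewhere in the diff suggests Python 2 must still work, so keyword-only parameters are not available; keeping the original parameter order and adding `nicknames` only by keyword at the call sites is the safer fix. The body of export_pkcs12 continues outside the hunk.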
@@ -151,7 +151,7 @@ public class PKCS12CertAddCLI extends CLI { pkcs12 = new PKCS12(); } else { - // otherwise, add into the same file + // otherwise, add into the existing file pkcs12 = util.loadFromFile(filename, password); } diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java index 52a993125..d42c449b4 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java @@ -18,6 +18,7 @@ package com.netscape.cmstools.pkcs12; import java.io.BufferedReader; +import java.io.File; import java.io.FileReader; import java.util.logging.Level; import java.util.logging.Logger; @@ -60,6 +61,7 @@ public class PKCS12ExportCLI extends CLI { option.setArgName("path"); options.addOption(option); + options.addOption(null, "new-file", false, "Create a new PKCS #12 file"); options.addOption(null, "no-trust-flags", false, "Do not include trust flags"); options.addOption("v", "verbose", false, "Run in verbose mode."); @@ -124,14 +126,23 @@ public class PKCS12ExportCLI extends CLI { Password password = new Password(passwordString.toCharArray()); + boolean newFile = cmd.hasOption("new-file"); boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags"); try { PKCS12Util util = new PKCS12Util(); util.setTrustFlagsEnabled(trustFlagsEnabled); - // overwrite existing file - PKCS12 pkcs12 = new PKCS12(); + PKCS12 pkcs12; + + if (newFile || !new File(filename).exists()) { + // if new file requested or file does not exist, create a new file + pkcs12 = new PKCS12(); + + } else { + // otherwise, export into the existing file + pkcs12 = util.loadFromFile(filename, password); + } if (nicknames.length == 0) { // load all certificates diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 98fbb2fe7..ae0021bb1 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg 
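Review bot: With the new default, `pki pkcs12-export` merges into whatever `filename` already holds, so exporting a single nickname can produce a file that still carries every key and certificate exported into it earlier, and the `--new-file` help text added in the previous hunk (`"Create a new PKCS #12 file"`) does not tell the user that this option is how to get a fresh file or that it overwrites. Suggest `options.addOption(null, "new-file", false, "Create a new PKCS #12 file (overwrite an existing file instead of exporting into it)");` and a matching sentence in the command's documentation. `util.loadFromFile(filename, password)` also reuses the export password to open the existing file; whether a wrong password or a non-PKCS #12 file at that path surfaces as a clear error depends on handling that follows the hunk and is not visible here, so worth confirming.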
@@ -109,8 +109,6 @@ pki_security_domain_https_port=8443 pki_security_domain_name=%(pki_dns_domainname)s Security Domain pki_security_domain_password= pki_security_domain_user=caadmin -pki_server_pkcs12_path= -pki_server_pkcs12_password= #for supporting server cert SAN injection pki_san_inject=False pki_san_for_server_cert= @@ -192,6 +190,9 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry ############################################################################### [Tomcat] pki_ajp_port=8009 +pki_server_pkcs12_path= +pki_server_pkcs12_password= +pki_server_external_certs_path= pki_clone=False pki_clone_pkcs12_password= pki_clone_pkcs12_path= diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 index 92751d7d7..fa601fcae 100644 --- a/base/server/man/man8/pkispawn.8 +++ b/base/server/man/man8/pkispawn.8 @@ -607,10 +607,10 @@ pki_security_domain_https_port= pki_security_domain_user=caadmin [Tomcat] -pki_clone=True +pki_server_pkcs12_path= pki_server_pkcs12_password=\fISecret123\fP -pki_server_pkcs12_path= -pki_server_external_cert_path= +pki_server_external_certs_path= +pki_clone=True pki_clone_replicate_schema=True pki_clone_uri=https://: .fi diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py index 5d1615329..a779f3c16 100644 --- a/base/server/python/pki/server/cli/instance.py +++ b/base/server/python/pki/server/cli/instance.py @@ -67,10 +67,10 @@ class InstanceCertExportCLI(pki.cli.CLI): def __init__(self): super(InstanceCertExportCLI, self).__init__( - 'export', 'Export subsystem certificate') + 'export', 'Export system certificates') def print_help(self): # flake8: noqa - print('Usage: pki-server instance-cert-export [OPTIONS]') + print('Usage: pki-server instance-cert-export [OPTIONS] [nicknames...]') print() print(' -i, --instance Instance ID (default: pki-tomcat).') print(' --pkcs12-file Output file to store the exported certificate and key in PKCS #12 format.') 
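Review bot: The usage line now advertises `[nicknames...]`, but nothing in `print_help` says what is exported when the list is omitted, and the `--pkcs12-file` description still speaks of a single certificate and key. Suggest `print(' --pkcs12-file Output file to store the exported certificates and keys in PKCS #12 format.')` and an added line such as `print(' Exports the named system certificates, or all of them if no nickname is given.')`; the "all of them" part is inferred from the `nicknames=None` default in the nssdb.py hunk and should be confirmed against export_pkcs12, whose body is not in the diff. The print_help body continues past the hunk.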
@@ -83,7 +83,7 @@ class InstanceCertExportCLI(pki.cli.CLI): def execute(self, argv): try: - opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', 'verbose', 'help']) @@ -93,6 +93,8 @@ class InstanceCertExportCLI(pki.cli.CLI): self.print_help() sys.exit(1) + nicknames = args + instance_name = 'pki-tomcat' pkcs12_file = None pkcs12_password = None @@ -139,7 +141,8 @@ class InstanceCertExportCLI(pki.cli.CLI): nssdb.export_pkcs12( pkcs12_file=pkcs12_file, pkcs12_password=pkcs12_password, - pkcs12_password_file=pkcs12_password_file) + pkcs12_password_file=pkcs12_password_file, + nicknames=nicknames) finally: nssdb.close() diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index 8450f7b61..5ab232cc1 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -577,9 +577,9 @@ class SubsystemCertExportCLI(pki.cli.CLI): try: nssdb.export_pkcs12( pkcs12_file=pkcs12_file, - nicknames=nicknames, pkcs12_password=pkcs12_password, - pkcs12_password_file=pkcs12_password_file) + pkcs12_password_file=pkcs12_password_file, + nicknames=nicknames) finally: nssdb.close() diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 027c4c4cf..3947ad64c 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py 
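Review bot: `nicknames = args` yields an empty list when no nickname is given on the command line, whereas the library default introduced in the nssdb.py hunk is `None`; unless `export_pkcs12` treats `[]` and `None` alike, a bare `pki-server instance-cert-export` now exports nothing instead of all system certificates. The export_pkcs12 body is not part of this diff, so please confirm, or normalise at the call site with `nicknames = args or None` so the CLI does not depend on that detail. The execute body continues outside the hunks.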
@@ -85,12 +85,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_secmod_database'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] + # import system certificates before starting the server + pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] if pki_server_pkcs12_path: - # importing system certificates - pki_server_pkcs12_password = deployer.mdict[ 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: @@ -105,9 +104,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): pkcs12_password=pki_server_pkcs12_password) # update external CA file (if needed) - external_cert_path = deployer.mdict['pki_server_external_cert_path'] - if external_cert_path is not None: - self.update_external_cert_conf(external_cert_path, deployer) + external_certs_path = deployer.mdict['pki_server_external_certs_path'] + if external_certs_path is not None: + self.update_external_certs_conf(external_certs_path, deployer) if len(deployer.instance.tomcat_instance_subsystems()) < 2: # only create a self signed cert for a new instance @@ -183,20 +182,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.file.delete(deployer.mdict['pki_shared_pfile']) return self.rv - def update_external_cert_conf(self, external_path, deployer): + def update_external_certs_conf(self, external_path, deployer): external_certs = pki.server.PKIInstance.read_external_certs( external_path) if len(external_certs) > 0: - instance = pki.server.PKIInstance( - deployer.mdict['pki_instance_name']) - instance.load_external_certs( + deployer.instance.load_external_certs( os.path.join(deployer.mdict['pki_instance_configuration_path'], 'external_certs.conf') ) for cert in external_certs: - instance.add_external_cert(cert.nickname, cert.token) + deployer.instance.add_external_cert(cert.nickname, cert.token) def destroy(self, deployer): -- cgit
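Review bot: `if external_certs_path is not None:` no longer guards the common case, because the default.cfg hunk in this same commit now supplies `pki_server_external_certs_path=` as an empty string for every deployment; `update_external_certs_conf('', deployer)` is therefore reached on each run and `read_external_certs('')` has to cope with an empty path, which cannot be verified from the visible lines. The `pki_server_pkcs12_path` check just above uses truthiness, and the same form here, `if external_certs_path:`, restores the intended skip. The `update_external_certs_conf` hunk below replaces a freshly constructed `PKIInstance` with `deployer.instance`, which is fine provided `deployer.instance` is already populated at this point of the scriptlet, as the existing `deployer.instance.tomcat_instance_subsystems()` call in the second hunk suggests.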