# Authors: # Matthew Harmsen # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Copyright (C) 2016 Red Hat, Inc. # All rights reserved. # from __future__ import absolute_import from __future__ import print_function import re # PKI Deployment Imports from .. import pkiconfig as config from .. import pkimessages as log from .. import pkiscriptlet import pki.nssdb import pki.server # PKI Deployment CSR Generation Scriptlet class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def spawn(self, deployer): external = deployer.configuration_file.external standalone = deployer.configuration_file.standalone step_one = deployer.configuration_file.external_step_one skip_configuration = deployer.configuration_file.skip_configuration if skip_configuration: config.pki_log.info(log.SKIP_CSR_GENERATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) instance.load() subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower()) token = deployer.mdict['pki_token_name'] nssdb = instance.open_nssdb(token) try: if external and step_one: # external CA step 1 # Determine CA signing key type and algorithm key_type = deployer.mdict['pki_ca_signing_key_type'] key_alg = deployer.mdict['pki_ca_signing_key_algorithm'] if key_type == 'rsa': key_size = int(deployer.mdict['pki_ca_signing_key_size']) curve = None m = re.match(r'(.*)withRSA', key_alg) if not m: raise Exception('Invalid key algorithm: %s' % key_alg) hash_alg = m.group(1) elif key_type == 'ec' or key_type == 'ecc': key_type = 'ec' key_size = None curve = deployer.mdict['pki_ca_signing_key_size'] m = re.match(r'(.*)withEC', key_alg) if not m: raise Exception('Invalid key algorithm: %s' % key_alg) hash_alg = m.group(1) else: raise Exception('Invalid key type: %s' % key_type) # If filename specified, generate CA cert request and # import it into CS.cfg. external_csr_path = deployer.mdict['pki_external_csr_path'] if external_csr_path: config.pki_log.info( "generating CA signing certificate request in %s", external_csr_path, extra=config.PKI_INDENTATION_LEVEL_2) nssdb.create_request( subject_dn=deployer.mdict['pki_ca_signing_subject_dn'], request_file=external_csr_path, key_type=key_type, key_size=key_size, curve=curve, hash_alg=hash_alg) with open(external_csr_path) as f: signing_csr = f.read() signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64') subsystem.config['ca.signing.certreq'] = signing_csr # This is needed by IPA to detect step 1 completion. # See is_step_one_done() in ipaserver/install/cainstance.py. subsystem.config['preop.ca.type'] = 'otherca' subsystem.save() # verify the signing certificate # raises exception on failure config.pki_log.info("validating the signing certificate", extra=config.PKI_INDENTATION_LEVEL_2) verifier = pkihelper.PKIDeployer.create_system_cert_verifier( instance, 'ca') verifier.verify_certificate('signing') elif standalone and step_one: # standalone step 1 # To be implemented in ticket #1692. # Generate CSRs for standalone system certs. else: # self-signed CA # To be implemented in ticket #1692. # Generate CSR for self-signed CA cert. pass finally: nssdb.close() def destroy(self, deployer): pass