On 4/15/2016 10:31 AM, Ade Lee wrote:
ack on patches with a couple of small provisos.

Thanks!

1. Please ensure that IPA is not using the replaced parameters.  If so,
create a ticket to give them heads-up that they are changing.

I revised patch #713 (see attachments) to add aliases instead of renaming the properties, so the existing properties are still working the same way. So now pki_pkcs12_path is an alias for pki_external_pkcs12_path.

I also verified that IPA is not using any of these parameters yet.

Patch #714 has been rebased. The other patches are unchanged.

2. Make sure man pages do not document these replaced parameters.  If
so, fix them.  Otherwise add a ticket to document these new parameters.
Man page fix, if necessary, can be a separate patch.

We actually have a man page for pki_server_pkcs12_path to import 3rd party certificates, but it's used differently. Ideally we should merge all these PKCS #12 properties, but they are unchanged for now. In these patches I'm only adding aliases.

3. The last patch (716) moves a bunch of code to a different scriptlet.
That's fine, but please encapsulate that code in a helper function.
The spawn() functions are already too massive and need to be
refactored.

I'm planning to do that in a separate patch. There are methods in the nssdb module that can simplify that.


Ade

--
Endi S. Dewata
From 495cbc6f41d478a0c92398af265b915adf5cc443 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Thu, 14 Apr 2016 23:21:57 +0200
Subject: [PATCH] Added PKCS #12 deployment properties.

New PKCS #12 deployment properties have been added as aliases
for some external CA properties to allow them to be used in
more general cases:
- pki_pkcs12_path     -> pki_external_pkcs12_path
- pki_pkcs12_password -> pki_external_pkcs12_password

https://fedorahosted.org/pki/ticket/1736
---
 base/server/etc/default.cfg                                        | 7 +++++--
 .../python/pki/server/deployment/scriptlets/configuration.py       | 6 +++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 21c792472c7757ce5eda5e96ccfbd0552cec8b98..924df9ddcd0001209c8552d1fba813980222c1b3 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -23,6 +23,7 @@ sensitive_parameters=
     pki_clone_pkcs12_password
     pki_ds_password
     pki_external_pkcs12_password
+    pki_pkcs12_password
     pki_one_time_pin
     pki_pin
     pki_replication_password
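Review bot: pki_pkcs12_password is inserted out of order in sensitive_parameters, which otherwise reads alphabetically (pki_clone_..., pki_ds_..., pki_external_..., pki_one_time_pin, pki_pin, pki_replication_...); move it after pki_pin so the list stays sorted. Listing it here is necessary rather than cosmetic: because pki_external_pkcs12_password now interpolates from this key, the same plaintext value is reachable under both names, and both must be masked wherever the deployment config is logged.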
@@ -134,6 +135,8 @@ pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
 pki_token_password=
 pki_user=pkiuser
+pki_pkcs12_path=
+pki_pkcs12_password=
 
 # Paths:
 # These are used in the processing of pkispawn and are not supposed
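Review bot: the two new keys land in the DEFAULT section with no comment, so a reader has to find the %(pki_pkcs12_path)s interpolation in the CA section to learn that they are the general form of pki_external_pkcs12_path and pki_external_pkcs12_password; add a one-line comment above them stating that relationship. They also break the alphabetical run of their neighbours (pki_theme_server_dir, pki_token_name, pki_token_password, pki_user); placing them before pki_theme_server_dir would keep it.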
@@ -378,8 +381,8 @@ pki_external_step_two=False
 pki_external_ca_cert_chain_path=
 pki_external_ca_cert_chain_nickname=caSigningCert External CA
 pki_external_ca_cert_path=
-pki_external_pkcs12_path=
-pki_external_pkcs12_password=
+pki_external_pkcs12_path=%(pki_pkcs12_path)s
+pki_external_pkcs12_password=%(pki_pkcs12_password)s
 pki_import_admin_cert=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
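Review bot: precedence between the old and new names is not stated anywhere: a deployment config that sets pki_external_pkcs12_path explicitly overrides the interpolated alias, so pki_pkcs12_path is silently ignored in that case. Document which name wins (the man-page update Ade asked for is the natural place), or have pkihelper warn when both are set to different values. Also, routing the password through %()s interpolation means a password containing a literal % may have to be written as %% in the deployment config, depending on the parser's interpolation mode; that was already true for pki_external_pkcs12_password, but it deserves a line in the docs now that the key is meant for general use.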
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index f93a24723375ee3fc5139473f2d37daea0866910..b5d743894d2dcedbad38f7edf109915100c3b0f3 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -158,8 +158,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
                 # If specified, import externally-signed CA cert into NSS database.
-                # Note: CA cert must be imported before the cert chain to ensure that
-                # the CA cert is imported with the correct nickname.
                 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
                 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
                 if signing_cert_file:
@@ -168,13 +166,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                         cert_file=signing_cert_file,
                         trust_attributes='CT,C,C')
 
-                # If specified, import CA cert and key from PKCS #12 file into NSS database.
+                # If specified, import certs and keys from PKCS #12 file into NSS database.
                 pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
                 if pkcs12_file:
                     pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
                     nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 
                 # If specified, import cert chain into NSS database.
+                # Note: Cert chain must be imported after the system certs to ensure that
+                # the system certs are imported with the correct nicknames.
                 external_ca_cert_chain_nickname = \
                     deployer.mdict['pki_external_ca_cert_chain_nickname']
                 external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
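Review bot: nssdb.import_pkcs12 is called with whatever pki_external_pkcs12_password resolves to, including the empty default, so a deployment that sets pki_pkcs12_path but forgets the password fails inside the PKCS #12 import with a generic error. Unless empty passwords are meant to be supported, check that the password is non-empty before calling import_pkcs12 and fail with a message naming pki_pkcs12_password. The relocated ordering note is accurate: the chain import must stay after the PKCS #12 import so that certificates present in both end up under the nicknames carried in the PKCS #12 file.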
-- 
2.5.5

From f0eaad1327aebc01a1d15a4d5a2c7873e6cb9ed3 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Fri, 25 Mar 2016 03:12:27 +0100
Subject: [PATCH] Simplified deployment properties for existing CA case.

A new pki_existing deployment property has been added to install
CA with existing CA certificate and key in a single step.

New certificate deployment properties have been added as aliases
for some external CA properties to allow them to be used in more
general cases:
- pki_ca_signing_csr_path  -> pki_external_csr_path
- pki_ca_signing_cert_path -> pki_external_ca_cert_path
- pki_cert_chain_path      -> pki_external_ca_cert_chain_path
- pki_cert_chain_nickname  -> pki_external_ca_cert_chain_nickname

https://fedorahosted.org/pki/ticket/1736
---
 base/server/etc/default.cfg                        | 13 +++++---
 .../python/pki/server/deployment/pkihelper.py      |  7 +++-
 .../server/deployment/scriptlets/configuration.py  | 38 +++++++++++++++++-----
 3 files changed, 45 insertions(+), 13 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 924df9ddcd0001209c8552d1fba813980222c1b3..dc30468df7808b9962d2ad82f94f88be4c6be897 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -135,6 +135,9 @@ pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
 pki_token_password=
 pki_user=pkiuser
+pki_existing=False
+pki_cert_chain_path=
+pki_cert_chain_nickname=caSigningCert External CA
 pki_pkcs12_path=
 pki_pkcs12_password=
 
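Review bot: pki_existing is a new boolean switch with no comment and, per Ade's second point, no man-page entry yet; add a one-line comment here saying that it installs a CA from an existing signing certificate and key in a single step and is processed like the external CA case. pki_cert_chain_nickname keeps the "caSigningCert External CA" default, which reads oddly in the existing-CA case where no external CA is involved; acceptable for an alias, but worth stating in the same comment.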
@@ -370,17 +373,19 @@ pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
 pki_ca_signing_token=Internal Key Storage Token
+pki_ca_signing_csr_path=
+pki_ca_signing_cert_path=
 pki_external=False
 pki_req_ext_add=False
 # MS subca request ext data
 pki_req_ext_oid=1.3.6.1.4.1.311.20.2
 pki_req_ext_critical=False
 pki_req_ext_data=1E0A00530075006200430041
-pki_external_csr_path=
 pki_external_step_two=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_chain_nickname=caSigningCert External CA
-pki_external_ca_cert_path=
+pki_external_csr_path=%(pki_ca_signing_csr_path)s
+pki_external_ca_cert_path=%(pki_ca_signing_cert_path)s
+pki_external_ca_cert_chain_path=%(pki_cert_chain_path)s
+pki_external_ca_cert_chain_nickname=%(pki_cert_chain_nickname)s
 pki_external_pkcs12_path=%(pki_pkcs12_path)s
 pki_external_pkcs12_password=%(pki_pkcs12_password)s
 pki_import_admin_cert=False
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index cd4e3e26f72ad175aa13fd87d1c8344c6d9248f4..f01f6f69ff66d3687875c8f3d88840daf2115e3f 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -501,6 +501,7 @@ class ConfigurationFile:
         self.add_req_ext = config.str2bool(
             self.mdict['pki_req_ext_add'])
 
+        self.existing = config.str2bool(self.mdict['pki_existing'])
         self.external = config.str2bool(self.mdict['pki_external'])
         self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two'])
         self.external_step_two = not self.external_step_one
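Review bot: nothing rejects pki_existing=True together with pki_external=True, and the two flags are not independent: with pki_external_step_two left at its default, external_step_one is True, so configuration.py runs the external step-one branch (generating a fresh key and CSR) and then the existing-CA branch on the same instance. Validate the combination here in ConfigurationFile, where the flags are first parsed, and fail early with a clear message, or define pki_existing to imply pki_external=False.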
@@ -3786,9 +3787,12 @@ class ConfigClient:
         self.mdict = deployer.mdict
         # set useful 'boolean' object variables for this class
         self.clone = config.str2bool(self.mdict['pki_clone'])
+
+        self.existing = config.str2bool(self.mdict['pki_existing'])
         self.external = config.str2bool(self.mdict['pki_external'])
         self.external_step_two = config.str2bool(
             self.mdict['pki_external_step_two'])
+
         self.standalone = config.str2bool(self.mdict['pki_standalone'])
         self.subordinate = config.str2bool(self.mdict['pki_subordinate'])
         # set useful 'string' object variables for this class
@@ -3999,7 +4003,8 @@ class ConfigClient:
             data.tokenPassword = self.mdict['pki_token_password']
         data.subsystemName = self.mdict['pki_subsystem_name']
 
-        data.external = self.external
+        # Process existing CA installation like external CA
+        data.external = self.external or self.existing
         data.standAlone = self.standalone
 
         if self.standalone:
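Review bot: only data.external is derived from self.existing; self.external_step_two, read a few lines above in the same class, is not folded in the same way and stays False for an existing-CA install. Confirm that the server-side configuration path keys off the external flag alone for the "CA cert already in the NSS database" handling; if it also consults the step-two indication, the existing case needs it derived the same way, and the comment should say so.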
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index b5d743894d2dcedbad38f7edf109915100c3b0f3..cc8c7f9b68f9a943da4d640843224cc5533fba5d 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -93,13 +93,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         token = deployer.mdict['pki_token_name']
         nssdb = instance.open_nssdb(token)
 
+        existing = deployer.configuration_file.existing
         external = deployer.configuration_file.external
         step_one = deployer.configuration_file.external_step_one
         step_two = deployer.configuration_file.external_step_two
 
         try:
-            if external and step_one:  # external/existing CA step 1
+            if external and step_one:  # external CA step 1 only
 
+                # Determine CA signing key type and algorithm
                 key_type = deployer.mdict['pki_ca_signing_key_type']
                 key_alg = deployer.mdict['pki_ca_signing_key_algorithm']
 
@@ -129,6 +131,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # import it into CS.cfg.
                 external_csr_path = deployer.mdict['pki_external_csr_path']
                 if external_csr_path:
+                    config.pki_log.info(
+                        "generating CA signing certificate request in %s",
+                        external_csr_path,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
                     nssdb.create_request(
                         subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
                         request_file=external_csr_path,
@@ -136,8 +142,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                         key_size=key_size,
                         curve=curve,
                         hash_alg=hash_alg)
+
                     with open(external_csr_path) as f:
                         signing_csr = f.read()
+
                     signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
@@ -147,20 +155,27 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
                 subsystem.save()
 
-            elif external and step_two:  # external/existing CA step 2
+            if existing or external and step_two:  # existing CA or external CA step 2
 
-                # If specified, import existing CA cert request into CS.cfg.
-                external_csr_path = deployer.mdict['pki_external_csr_path']
-                if external_csr_path:
-                    with open(external_csr_path) as f:
+                # If specified, import CA signing CSR into CS.cfg.
+                signing_csr_path = deployer.mdict['pki_external_csr_path']
+                if signing_csr_path:
+                    config.pki_log.info(
+                        "importing CA signing CSR from %s",
+                        signing_csr_path,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    with open(signing_csr_path) as f:
                         signing_csr = f.read()
                     signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
-                # If specified, import externally-signed CA cert into NSS database.
+                # If specified, import CA signing cert into NSS database.
                 signing_nickname = deployer.mdict['pki_ca_signing_nickname']
                 signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
                 if signing_cert_file:
+                    config.pki_log.info(
+                        "importing %s from %s", signing_nickname, signing_cert_file,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
                     nssdb.add_cert(
                         nickname=signing_nickname,
                         cert_file=signing_cert_file,
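Review bot: `if existing or external and step_two` relies on `and` binding tighter than `or`; it does what the trailing comment intends, existing or (external and step_two), but mixed operators without parentheses are easy to misread, so write them explicitly. More important: when pki_existing=True but neither pki_ca_signing_cert_path nor pki_pkcs12_path is set, every block in this branch is skipped and the failure only surfaces later at nssdb.get_cert(nickname=signing_nickname) with no hint about the cause; add a check at the top of the branch that at least one source for the signing certificate is configured and raise with a message naming those two parameters.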
@@ -169,6 +184,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # If specified, import certs and keys from PKCS #12 file into NSS database.
                 pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
                 if pkcs12_file:
+                    config.pki_log.info(
+                        "importing certificates and keys from %s", pkcs12_file,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
                     pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
                     nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 
@@ -179,13 +197,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     deployer.mdict['pki_external_ca_cert_chain_nickname']
                 external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
                 if external_ca_cert_chain_file:
+                    config.pki_log.info(
+                        "importing certificate chain %s from %s",
+                        external_ca_cert_chain_nickname, external_ca_cert_chain_file,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
                     cert_chain, _nicks = nssdb.import_cert_chain(
                         nickname=external_ca_cert_chain_nickname,
                         cert_chain_file=external_ca_cert_chain_file,
                         trust_attributes='CT,C,C')
                     subsystem.config['ca.external_ca_chain.cert'] = cert_chain
 
-                # Export CA cert from NSS database and import it into CS.cfg.
+                # Export CA signing cert from NSS database and import it into CS.cfg.
                 signing_cert_data = nssdb.get_cert(
                     nickname=signing_nickname,
                     output_format='base64')
-- 
2.5.5

_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel