commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
Author: Ade Lee <[email protected]>
Date: Fri Apr 22 15:31:43 2016 -0400
Add validity check for the signing certificate in pkispawn
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
Author: Ade Lee <[email protected]>
Date: Wed Apr 20 17:26:23 2016 -0400
Add CLI to check system certificate status
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043From 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Fri, 22 Apr 2016 15:31:43 -0400
Subject: [PATCH 298/298] Add validity check for the signing certificate in
pkispawn
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
---
.../python/pki/server/deployment/pkihelper.py | 29 +++++++++++++
.../server/deployment/scriptlets/configuration.py | 50 +++++++++++++++-------
2 files changed, 64 insertions(+), 15 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f01f6f69ff66d3687875c8f3d88840daf2115e3f..2c7ab0ef143839159887f595e9e9577f3fe0647d 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4592,6 +4592,34 @@ class ConfigClient:
return cert
+class SubsystemCertificateVerifier:
+ """ Verifies system certificates for a subsystem"""
+
+ def __init__(self, instance=None, subsystem=None):
+ self.instance = instance
+ self.subsystem = subsystem
+
+ def verify_certificate(self, cert_id=None):
+ cmd = ['pki-server', 'subsystem-cert-validate',
+ '-i', self.instance.name,
+ self.subsystem]
+ if cert_id is not None:
+ cmd.append(cert_id)
+ try:
+ subprocess.check_output(
+ cmd,
+ stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as e:
+ config.pki_log.error(
+ "pki subsystem-cert-validate return code: " + str(e.returncode),
+ extra=config.PKI_INDENTATION_LEVEL_2
+ )
+ config.pki_log.error(
+ e.output,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise
+
+
class PKIDeployer:
"""Holds the global dictionaries and the utility objects"""
@@ -4621,6 +4649,7 @@ class PKIDeployer:
self.systemd = Systemd(self)
self.tps_connector = TPSConnector(self)
self.config_client = ConfigClient(self)
+ self.subsystem_cert_verifier = SubsystemCertificateVerifier(self)
def deploy_webapp(self, name, doc_base, descriptor):
"""
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 5f77ac52379be0ca08b1a5dff9f71626c731bd3f..42d6b401224a76c036307b33b2d1febd5400f452 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -88,7 +88,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
instance.load()
- subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
+ subsystem = instance.get_subsystem(
+ deployer.mdict['pki_subsystem'].lower())
token = deployer.mdict['pki_token_name']
nssdb = instance.open_nssdb(token)
@@ -146,7 +147,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
with open(external_csr_path) as f:
signing_csr = f.read()
- signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
+ signing_csr = pki.nssdb.convert_csr(
+ signing_csr, 'pem', 'base64')
subsystem.config['ca.signing.certreq'] = signing_csr
# This is needed by IPA to detect step 1 completion.
@@ -155,7 +157,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
subsystem.save()
- if existing or external and step_two: # existing CA or external CA step 2
+ if existing or external and step_two:
+ # existing CA or external CA step 2
# If specified, import CA signing CSR into CS.cfg.
signing_csr_path = deployer.mdict['pki_external_csr_path']
@@ -166,7 +169,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_2)
with open(signing_csr_path) as f:
signing_csr = f.read()
- signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
+ signing_csr = pki.nssdb.convert_csr(
+ signing_csr, 'pem', 'base64')
subsystem.config['ca.signing.certreq'] = signing_csr
# If specified, import CA signing cert into NSS database.
@@ -174,32 +178,38 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
if signing_cert_file:
config.pki_log.info(
- "importing %s from %s", signing_nickname, signing_cert_file,
+ "importing %s from %s",
+ signing_nickname, signing_cert_file,
extra=config.PKI_INDENTATION_LEVEL_2)
nssdb.add_cert(
nickname=signing_nickname,
cert_file=signing_cert_file,
trust_attributes='CT,C,C')
- # If specified, import certs and keys from PKCS #12 file into NSS database.
+ # If specified, import certs and keys from PKCS #12 file
+ # into NSS database.
pkcs12_file = deployer.mdict['pki_external_pkcs12_path']
if pkcs12_file:
config.pki_log.info(
"importing certificates and keys from %s", pkcs12_file,
extra=config.PKI_INDENTATION_LEVEL_2)
- pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
+ pkcs12_password = deployer.mdict[
+ 'pki_external_pkcs12_password']
nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
# If specified, import cert chain into NSS database.
- # Note: Cert chain must be imported after the system certs to ensure that
- # the system certs are imported with the correct nicknames.
+ # Note: Cert chain must be imported after the system certs
+ # to ensure that the system certs are imported with
+ # the correct nicknames.
external_ca_cert_chain_nickname = \
deployer.mdict['pki_external_ca_cert_chain_nickname']
- external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
+ external_ca_cert_chain_file = deployer.mdict[
+ 'pki_external_ca_cert_chain_path']
if external_ca_cert_chain_file:
config.pki_log.info(
"importing certificate chain %s from %s",
- external_ca_cert_chain_nickname, external_ca_cert_chain_file,
+ external_ca_cert_chain_nickname,
+ external_ca_cert_chain_file,
extra=config.PKI_INDENTATION_LEVEL_2)
cert_chain, _nicks = nssdb.import_cert_chain(
nickname=external_ca_cert_chain_nickname,
@@ -207,19 +217,29 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
trust_attributes='CT,C,C')
subsystem.config['ca.external_ca_chain.cert'] = cert_chain
- # Export CA signing cert from NSS database and import it into CS.cfg.
+ # Export CA signing cert from NSS database and import
+ # it into CS.cfg.
signing_cert_data = nssdb.get_cert(
nickname=signing_nickname,
output_format='base64')
subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = deployer.mdict['pki_ca_signing_token']
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
subsystem.config['ca.signing.cert'] = signing_cert_data
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
- subsystem.config['ca.signing.defaultSigningAlgorithm'] = \
- deployer.mdict['pki_ca_signing_signing_algorithm']
+ subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
+ deployer.mdict['pki_ca_signing_signing_algorithm'])
subsystem.save()
+ # verify the signing certificate
+ # raises exception on failure
+ config.pki_log.info("validating the signing certificate",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ deployer.subsystem_cert_verifier.instance = instance
+ deployer.subsystem_cert_verifier.subsystem = 'ca'
+ deployer.subsystem_cert_verifier.verify_certificate('signing')
+
else: # self-signed CA
# To be implemented in ticket #1692.
--
2.4.3
From 9104fdda145c4f2bbbedec7256c73922e8bffcef Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Wed, 20 Apr 2016 17:26:23 -0400
Subject: [PATCH 297/298] Add CLI to check system certificate status
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
---
.classpath | 2 +-
.../com/netscape/cmstools/client/ClientCLI.java | 1 +
.../cmstools/client/ClientCertValidateCLI.java | 194 +++++++++++++++++++++
base/server/python/pki/server/__init__.py | 2 +
base/server/python/pki/server/cli/subsystem.py | 118 +++++++++++++
5 files changed, 316 insertions(+), 1 deletion(-)
create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
diff --git a/.classpath b/.classpath
index 9fd5144bf32f3a4af6b6992f7b5027ef55d9f2df..7e6eb01c45e2166fb2d323f3b948e911d884b471 100644
--- a/.classpath
+++ b/.classpath
@@ -57,7 +57,7 @@
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
<classpathentry kind="lib" path="/usr/share/java/commons-io.jar"/>
<classpathentry kind="lib" path="/usr/lib/java/nuxwdog.jar"/>
- <classpathentry kind="lib" path="/usr/lib/java/jss4.jar"/>
+ <classpathentry kind="lib" path="/usr/lib/java/jss4.jar" sourcepath="/home/alee/rpmbuild/BUILD/jss-4.2.6"/>
<classpathentry kind="lib" path="/usr/share/java/tomcatjss.jar"/>
<classpathentry kind="output" path="build/classes"/>
</classpath>
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
index f09ea74e9ca514e7c9c5448ef4e2a028038cdd98..8bafd84f67f61da24f5df212c9c5b6c0debfe97f 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
@@ -39,6 +39,7 @@ public class ClientCLI extends CLI {
addModule(new ClientCertRemoveCLI(this));
addModule(new ClientCertRequestCLI(this));
addModule(new ClientCertShowCLI(this));
+ addModule(new ClientCertValidateCLI(this));
}
public String getFullName() {
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
new file mode 100644
index 0000000000000000000000000000000000000000..3988c71e25df58bef2bca2d5ff111a7d295ddcd1
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
@@ -0,0 +1,194 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.client;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.lang.StringUtils;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.CryptoManager.CertificateUsage;
+
+import com.netscape.cmstools.cli.CLI;
+
+/**
+ * @author Ade Lee
+ */
+public class ClientCertValidateCLI extends CLI {
+
+ public ClientCLI clientCLI;
+
+ public ClientCertValidateCLI(ClientCLI clientCLI) {
+ super("cert-validate", "Validate certificate", clientCLI);
+ this.clientCLI = clientCLI;
+
+ createOptions();
+ }
+
+ public void createOptions() {
+ Option option = new Option(null, "certusage", true, "Certificate usage.");
+ option.setArgName("certusage");
+ options.addOption(option);
+ }
+
+ public void printHelp() {
+ formatter.printHelp(getFullName() + " nickname", options);
+ }
+
+ public void execute(String[] args) throws Exception {
+ // Always check for "--help" prior to parsing
+ if (Arrays.asList(args).contains("--help")) {
+ // Display usage
+ printHelp();
+ System.exit(0);
+ }
+
+ CommandLine cmd = null;
+
+ try {
+ cmd = parser.parse(options, args);
+
+ } catch (Exception e) {
+ System.err.println("Error: " + e.getMessage());
+ printHelp();
+ System.exit(-1);
+ }
+
+ String[] cmdArgs = cmd.getArgs();
+
+ if (cmdArgs.length != 1) {
+ System.err.println("Error: Invalid number of arguments.");
+ printHelp();
+ System.exit(-1);
+ }
+
+ // Get nickname from command argument.
+ String nickname = cmdArgs[0];
+
+ // get usages from options
+ String certusage = cmd.getOptionValue("certusage");
+ boolean isValid = false;
+
+ try {
+ isValid = verifySystemCertByNickname(nickname, certusage);
+ } catch (Exception e) {
+ System.err.println("Certificate verification failed: " + e);
+ isValid = false;
+ }
+
+ if (isValid) {
+ System.exit(0);
+ } else {
+ System.exit(1);
+ }
+ }
+
+ public boolean verifySystemCertByNickname(String nickname, String certusage) throws Exception {
+ CertificateUsage cu = getCertificateUsage(certusage);
+ int ccu = 0;
+
+ if (cu == null) {
+ throw new Exception("Unsupported certificate usage " + certusage +
+ " in certificate " + nickname);
+ }
+
+ CryptoManager cm = CryptoManager.getInstance();
+ if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
+ if (cm.isCertValid(nickname, true, cu)) {
+ System.out.println("Valid certificate: " + nickname);
+ return true;
+ } else {
+ System.out.println("Invalid certificate: " + nickname);
+ return false;
+ }
+
+ } else {
+ // check all possible usages
+ ccu = cm.isCertValid(nickname, true);
+ if (ccu == CertificateUsage.basicCertificateUsages) {
+ /* cert is good for nothing */
+ System.out.println("Cert is good for nothing: " + nickname);
+ return false;
+ } else {
+ List<String> usages = new ArrayList<String>();
+ if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
+ usages.add("SSLServer");
+ if ((ccu & CryptoManager.CertificateUsage.SSLClient.getUsage()) != 0)
+ usages.add("SSLClient");
+ if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp.getUsage()) != 0)
+ usages.add("SSLServerWithStepUp");
+ if ((ccu & CryptoManager.CertificateUsage.SSLCA.getUsage()) != 0)
+ usages.add("SSLCA");
+ if ((ccu & CryptoManager.CertificateUsage.EmailSigner.getUsage()) != 0)
+ usages.add("EmailSigner");
+ if ((ccu & CryptoManager.CertificateUsage.EmailRecipient.getUsage()) != 0)
+ usages.add("EmailRecipient");
+ if ((ccu & CryptoManager.CertificateUsage.ObjectSigner.getUsage()) != 0)
+ usages.add("ObjectSigner");
+ if ((ccu & CryptoManager.CertificateUsage.UserCertImport.getUsage()) != 0)
+ usages.add("UserCertImport");
+ if ((ccu & CryptoManager.CertificateUsage.VerifyCA.getUsage()) != 0)
+ usages.add("VerifyCA");
+ if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner.getUsage()) != 0)
+ usages.add("ProtectedObjectSigner");
+ if ((ccu & CryptoManager.CertificateUsage.StatusResponder.getUsage()) != 0)
+ usages.add("StatusResponder");
+ if ((ccu & CryptoManager.CertificateUsage.AnyCA.getUsage()) != 0)
+ usages.add("AnyCA");
+ System.out.println("Cert has the following usages: " + StringUtils.join(usages, ','));
+ return true;
+ }
+ }
+ }
+
+ public CertificateUsage getCertificateUsage(String certusage) {
+ CertificateUsage cu = null;
+ if ((certusage == null) || certusage.equals(""))
+ cu = CryptoManager.CertificateUsage.CheckAllUsages;
+ else if (certusage.equalsIgnoreCase("CheckAllUsages"))
+ cu = CryptoManager.CertificateUsage.CheckAllUsages;
+ else if (certusage.equalsIgnoreCase("SSLServer"))
+ cu = CryptoManager.CertificateUsage.SSLServer;
+ else if (certusage.equalsIgnoreCase("SSLServerWithStepUp"))
+ cu = CryptoManager.CertificateUsage.SSLServerWithStepUp;
+ else if (certusage.equalsIgnoreCase("SSLClient"))
+ cu = CryptoManager.CertificateUsage.SSLClient;
+ else if (certusage.equalsIgnoreCase("SSLCA"))
+ cu = CryptoManager.CertificateUsage.SSLCA;
+ else if (certusage.equalsIgnoreCase("AnyCA"))
+ cu = CryptoManager.CertificateUsage.AnyCA;
+ else if (certusage.equalsIgnoreCase("StatusResponder"))
+ cu = CryptoManager.CertificateUsage.StatusResponder;
+ else if (certusage.equalsIgnoreCase("ObjectSigner"))
+ cu = CryptoManager.CertificateUsage.ObjectSigner;
+ else if (certusage.equalsIgnoreCase("UserCertImport"))
+ cu = CryptoManager.CertificateUsage.UserCertImport;
+ else if (certusage.equalsIgnoreCase("ProtectedObjectSigner"))
+ cu = CryptoManager.CertificateUsage.ProtectedObjectSigner;
+ else if (certusage.equalsIgnoreCase("VerifyCA"))
+ cu = CryptoManager.CertificateUsage.VerifyCA;
+ else if (certusage.equalsIgnoreCase("EmailSigner"))
+ cu = CryptoManager.CertificateUsage.EmailSigner;
+
+ return cu;
+ }
+}
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 64688b3c4ad80ac5371f621f6046d62564317521..1c590c37e75315d27de6b42674f6de1d8bd651f6 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -156,6 +156,8 @@ class PKISubsystem(object):
'%s.%s.cert' % (self.name, cert_id), None)
cert['request'] = self.config.get(
'%s.%s.certreq' % (self.name, cert_id), None)
+ cert['certusage'] = self.config.get(
+ '%s.cert.%s.certusage' % (self.name, cert_id), None)
return cert
def update_subsystem_cert(self, cert):
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 03d48f9262f8ac15e1dfbb8df63111c9cf0dabce..6d60468a657a048367c146ef8216acf646364976 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -24,8 +24,11 @@ import base64
import getopt
import getpass
import nss.nss as nss
+import os
import string
+import subprocess
import sys
+from tempfile import mkstemp
import pki.cli
import pki.nssdb
@@ -299,6 +302,7 @@ class SubsystemCertCLI(pki.cli.CLI):
self.add_module(SubsystemCertShowCLI())
self.add_module(SubsystemCertExportCLI())
self.add_module(SubsystemCertUpdateCLI())
+ self.add_module(SubsystemCertValidateCLI())
@staticmethod
def print_subsystem_cert(cert, show_all=False):
@@ -713,3 +717,117 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
self.print_message('Updated "%s" subsystem certificate' % cert_id)
SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
+
+
+class SubsystemCertValidateCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertValidateCLI, self).__init__(
+ 'validate', 'Validate subsystem certificates')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-validate [OPTIONS] <subsystem ID> [<cert_id>]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+
+ if len(args) >=2:
+ cert_id = args[1]
+ else:
+ cert_id = None
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ self.print_message('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+
+ if cert_id is not None:
+ certs = [subsystem.get_subsystem_cert(cert_id)]
+ else:
+ certs = subsystem.find_system_certs()
+
+ certs_valid = True
+ for cert in certs:
+ token = cert['token']
+
+ # get token password and store in temporary file
+ if token == 'Internal Key Storage Token':
+ passwd = instance.get_password('internal')
+ else:
+ passwd = instance.get_password("hardware-%s" % token)
+
+ pwfile_handle, pwfile_path = mkstemp()
+ os.write(pwfile_handle, passwd)
+ os.close(pwfile_handle)
+
+ cmd = ['pki', '-d', instance.nssdb_dir,
+ '-W', pwfile_path ]
+
+ if token != 'Internal Key Storage Token':
+ cmd.extend(['--token', token])
+
+ cmd.extend(
+ ['client-cert-validate',
+ cert['nickname'],
+ '--certusage', cert['certusage']]
+ )
+
+ try:
+ subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+ self.print_message("Valid certificate : %s" %cert['nickname'])
+ except subprocess.CalledProcessError as e:
+ certs_valid = False
+ if e.returncode == 1:
+ self.print_message("Invalid certificate: %s"
+ % cert['nickname'])
+ else:
+ self.print_message("Error in validating certificate: %s"
+ % cert['nickname'])
+ self.print_message(e.output)
+ finally:
+ os.unlink(pwfile_path)
+
+ if certs_valid:
+ sys.exit(0)
+ else:
+ sys.exit(1)
+
--
2.4.3
_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
