Hi all,

The following patch adds a pki-server subcommand for updating
certificate records to add the issuerName attribute.

It is for #1667 (Database upgrade script to add issuerName attribute
to all cert entries).

Follow-up question: should I (and if so, how should I) also add an
upgrade scriptlet to perform the upgrade for Dogtag CA subsystem on
the host?  Is there a precedent for invoking pki-server (or
subroutines thereof) from pki-server-upgrade scriptlets?

Cheers,
Fraser
From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 9 May 2016 17:00:54 +1000
Subject: [PATCH] Add pki-server ca-cert-db-upgrade command

Add the 'ca-cert-db-upgrade' command to 'pki-server', which updates
certificate records to add the issuerName attribute where missing.

Part of: https://fedorahosted.org/pki/ticket/1667
---
 base/server/python/pki/server/cli/ca.py | 81 +++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)

diff --git a/base/server/python/pki/server/cli/ca.py 
b/base/server/python/pki/server/cli/ca.py
index 
dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..b76a8f8834cc0c7d802b38b83d3a8ce99fbb0d84
 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
 from __future__ import print_function
 import getopt
 import io
+import ldap
+import nss.nss as nss
 import os
 import shutil
 import sys
@@ -48,6 +50,7 @@ class CACertCLI(pki.cli.CLI):
 
         self.add_module(CACertChainCLI())
         self.add_module(CACertRequestCLI())
+        self.add_module(CACertDBUpgrade())
 
 
 class CACertChainCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
 
         finally:
             shutil.rmtree(tmpdir)
+
+
+class CACertDBUpgrade(pki.cli.CLI):
+    def __init__(self):
+        super(CACertDBUpgrade, self).__init__(
+            'db-upgrade', 'Upgrade certificate records')
+
+    def usage(self):
+        print('Usage: pki-server ca-cert-db-upgrade [OPTIONS]')
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: 
pki-tomcat).')
+        print('  -v, --verbose                      Run in verbose mode.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, args):
+        try:
+            opts, _ = getopt.gnu_getopt(
+                args, 'i:v', ['instance=', 'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.usage()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.usage()
+                sys.exit(1)
+
+        nss.nss_init_nodb()
+
+        instance = pki.server.PKIInstance(instance_name)
+        instance.load()
+
+        subsystem = instance.get_subsystem('ca')
+        base_dn = subsystem.config['internaldb.basedn']
+        conn = subsystem.open_database()
+        try:
+            entries = conn.ldap.search_s(
+                'ou=certificateRepository,ou=ca,%s' % base_dn,
+                ldap.SCOPE_ONELEVEL,
+                '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+                None)
+            for entry in entries:
+                self.__add_issuer(conn, entry)
+        finally:
+            conn.close()
+
+    @staticmethod
+    def __add_issuer(conn, entry):
+        dn, attrs = entry
+        attr_cert = attrs.get('userCertificate;binary')
+        if not attr_cert:
+            return  # shouldn't happen, but nothing we can do if it does
+
+        cert = nss.Certificate(bytearray(attr_cert[0]))
+        issuer_name = str(cert.issuer)
+
+        try:
+            conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+        except ldap.LDAPError as e:
+            print(
+                'Failed to add issuerName to certificate {}: {}'
+                .format(attrs.get('cn', ['<unknown>'])[0], e))
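Review bot: A failed `modify_s` is only printed and the command still exits 0, so a caller — in particular the upgrade scriptlet asked about in the cover note — cannot distinguish a partial upgrade from a complete one (`__add_issuer` at the end of the hunk swallows `ldap.LDAPError` and returns nothing). Have `__add_issuer` report whether the record was handled and make `execute` exit non-zero when any record was left without issuerName, as below. An unparsable `userCertificate;binary` value would currently raise out of `nss.Certificate` and abort the whole run part-way through, so it is worth catching the NSS binding's error class at the same point (it lives in `nss.error`, which this module does not import yet — verify). Whether `str(cert.issuer)` yields the same DN string form that the CA writes for new records is not visible here; confirm it, since the attribute is presumably used for lookups.
```python
        conn = subsystem.open_database()
        try:
            entries = conn.ldap.search_s(
                # … unchanged: base DN, scope, filter, attrlist …
            )
            # Materialise the list so one failure does not short-circuit the rest
            results = [self.__add_issuer(conn, entry) for entry in entries]
        finally:
            conn.close()

        # Signal a partial upgrade to callers (e.g. an upgrade scriptlet)
        if not all(results):
            sys.exit(1)

    @staticmethod
    def __add_issuer(conn, entry):
        dn, attrs = entry
        attr_cert = attrs.get('userCertificate;binary')
        if not attr_cert:
            return True  # nothing to do for this record

        try:
            cert = nss.Certificate(bytearray(attr_cert[0]))
            issuer_name = str(cert.issuer)
            conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
        except ldap.LDAPError as e:  # TODO: also catch the nss parse error class
            # … unchanged: failure message …
            return False
        return True
```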
-- 
2.5.5
