The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.

Additional checks have been added to validate the certificate
parameters in CS.cfg.

The output of the command has been modified to be more consistent
with other pki-server commands.

The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password file.

https://fedorahosted.org/pki/ticket/2043

--
Endi S. Dewata
>From 3462397fd60db41cd3289ac89cb88b58b5afe457 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Fri, 13 May 2016 18:10:03 +0200
Subject: [PATCH] Fixed pki-server subsystem-cert-validate command.

The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.

Additional checks have been added to validate the certificate
parameters in CS.cfg.

The output of the command has been modified to be more consistent
with other pki-server commands.

The pki client-cert-validate invocation has been fixed to use the -C
option to specify the NSS database password file.

https://fedorahosted.org/pki/ticket/2043
---
 base/server/python/pki/server/cli/subsystem.py | 115 ++++++++++++++++++-------
 1 file changed, 83 insertions(+), 32 deletions(-)

diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 6d60468a657a048367c146ef8216acf646364976..c92ed16be251af87aa20ddada17da48de2ea4511 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -779,55 +779,106 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
         instance.load()
 
         subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            self.print_message('ERROR: missing subsystem ' + subsystem_name)
+            sys.exit(1)
 
         if cert_id is not None:
             certs = [subsystem.get_subsystem_cert(cert_id)]
         else:
             certs = subsystem.find_system_certs()
 
+        first = True
         certs_valid = True
+
         for cert in certs:
-            token = cert['token']
 
-            # get token password and store in temporary file
-            if token == 'Internal Key Storage Token':
-                passwd = instance.get_password('internal')
+            if first:
+                first = False
             else:
-                passwd = instance.get_password("hardware-%s" % token)
+                print()
 
-            pwfile_handle, pwfile_path = mkstemp()
-            os.write(pwfile_handle, passwd)
-            os.close(pwfile_handle)
+            certs_valid &= self.validate_certificate(instance, cert)
 
+        if certs_valid:
+            self.print_message("Validation succeeded")
+            sys.exit(0)
+        else:
+            self.print_message("Validation failed")
+            sys.exit(1)
+
+    def validate_certificate(self, instance, cert):
+
+        if self.verbose:
+            print(cert)
+
+        print('  Cert ID: %s' % cert['id'])
+
+        if not cert['request']:
+            print('  Status: ERROR: missing certificate request')
+            return False
+
+        if not cert['data']:
+            print('  Status: ERROR: missing certificate data')
+            return False
+
+        nickname = cert['nickname']
+        if not nickname:
+            print('  Status: ERROR: missing nickname')
+            return False
+
+        print('  Nickname: %s' % nickname)
+
+        usage = cert['certusage']
+        if not usage:
+            print('  Status: ERROR: missing usage')
+            return False
+
+        print('  Usage: %s' % usage)
+
+        token = cert['token']
+        if not token:
+            print('  Status: ERROR: missing token name')
+            return False
+
+        print('  Token: %s' % token)
+
+        if token == 'Internal Key Storage Token':
+            token = 'internal'
+
+        # get token password and store in temporary file
+        if token == 'internal':
+            passwd = instance.get_password('internal')
+        else:
+            passwd = instance.get_password("hardware-%s" % token)
+
+        pwfile_handle, pwfile_path = mkstemp()
+        os.write(pwfile_handle, passwd)
+        os.close(pwfile_handle)
+
+        try:
             cmd = ['pki', '-d', instance.nssdb_dir,
-                   '-W', pwfile_path ]
+                   '-C', pwfile_path ]
 
-            if token != 'Internal Key Storage Token':
+            if token != 'internal':
                 cmd.extend(['--token', token])
 
-            cmd.extend(
-                ['client-cert-validate',
-                 cert['nickname'],
-                 '--certusage', cert['certusage']]
+            cmd.extend(['client-cert-validate',
+                nickname,
+                '--certusage', usage]
             )
 
-            try:
-                subprocess.check_output(cmd, stderr=subprocess.STDOUT)
-                self.print_message("Valid certificate : %s" %cert['nickname'])
-            except subprocess.CalledProcessError as e:
-                certs_valid = False
-                if e.returncode == 1:
-                    self.print_message("Invalid certificate: %s"
-                                       % cert['nickname'])
-                else:
-                    self.print_message("Error in validating certificate: %s"
-                                       % cert['nickname'])
-                self.print_message(e.output)
-            finally:
-                os.unlink(pwfile_path)
+            subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+            print('  Status: VALID')
 
-        if certs_valid:
-            sys.exit(0)
-        else:
-            sys.exit(1)
+            return True
 
+        except subprocess.CalledProcessError as e:
+            if e.returncode == 1:
+                print('  Status: INVALID')
+            else:
+                print('  Status: ERROR: %s' % e.output)
+            return False
+
+        finally:
+            os.unlink(pwfile_path)
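Review bot: The temporary file holding the token password is created and written (`mkstemp()`, `os.write`, `os.close`) before the `try:` block opens, so if `os.write` raises the `finally: os.unlink(pwfile_path)` never runs and the password is left on disk in a stray temp file; `os.write` can plausibly raise here if `instance.get_password` returns a `str` rather than `bytes` under Python 3 or returns `None` when no password is configured — that is inferred, since `get_password` is not visible in the hunk. Moving the `try:` up so that it directly follows `pwfile_handle, pwfile_path = mkstemp()`, with the `os.write(pwfile_handle, passwd)` and `os.close(pwfile_handle)` lines indented into it, keeps the cleanup path covering every failure after the file exists. The earlier part of the same hunk lives in the calling method whose body starts before the hunk begins, so the `certs_valid &= ...` loop could not be checked in full.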
-- 
2.4.11
