The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found.
The NSSDatabase constructor has been modified to normalize the name of the internal NSS token to None. If the token name is None, certutil will be executed without the -h option. NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname. https://fedorahosted.org/pki/ticket/2440 -- Endi S. Dewata
>From eb28cf05cfad246383dbda054c8cd477bc7acc73 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Sat, 20 Aug 2016 10:47:15 +0200
Subject: [PATCH] Updated pki-server subsystem-cert-update CLI.

The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found.

The NSSDatabase constructor has been modified to normalize the name of internal NSS token to None. If the token name is None, the certutil will be executed without the -h option. The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname. https://fedorahosted.org/pki/ticket/2440
---
 base/common/python/pki/nssdb.py | 11 ++++--
 base/server/python/pki/server/cli/subsystem.py | 47 +++++++++++++++-----------
 2 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index ed456540b7174284a0b933f5a589560812fa168e..736efcac3f4127658800bf549b7718a947cee8bd 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -105,7 +105,11 @@ class NSSDatabase(object):
 directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
 self.directory = directory
- self.token = token
+
+ if token == 'internal' or token == 'Internal Key Storage Token':
+ self.token = None
+ else:
+ self.token = token
 self.tmpdir = tempfile.mkdtemp()
@@ -425,12 +429,15 @@ class NSSDatabase(object):
 '-d', self.directory
 ]
+ fullname = nickname
+
 if self.token:
 cmd.extend(['-h', self.token])
+ fullname = self.token + ':' + fullname
 cmd.extend([
 '-f', self.password_file,
- '-n', nickname,
+ '-n', fullname,
 output_format_option
 ])
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index c173ea255e5e7bca26e2ada5a4685ca14ba2b03f..42da26e10b3741a230e7f2344508b0c3a42d86e6 100644
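Review bot: The normalization on the added `if token == 'internal' or token == 'Internal Key Storage Token':` line is an exact, case-sensitive match, so any other spelling of the internal token (different case, surrounding whitespace) is kept as a real token name and later passed to `certutil -h` and prepended to the nickname by get_cert(). If that name can come from configuration, consider normalizing once through a shared constant, e.g. `INTERNAL_TOKEN_NAMES = ('internal', 'Internal Key Storage Token')` and `self.token = None if token in INTERNAL_TOKEN_NAMES else token`, so the CLI that passes subsystem_cert['token'] can apply the same rule. Since self.token no longer echoes the caller's argument, a comment such as `# None selects the internal token; certutil is then run without -h` on the assignment would make that contract explicit. The enclosing __init__ starts outside the hunk.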
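Review bot: The added `fullname = self.token + ':' + fullname` line qualifies the nickname unconditionally, so a caller that already passes a token-qualified nickname (`token:nick`) would get the prefix doubled and certutil would not find the certificate; I cannot tell from this hunk whether such callers exist, so either guard it inside the existing `if self.token:` block with `if not fullname.startswith(self.token + ':'):` before the assignment, or state in the method's docstring that nickname must be bare. The docstring should in any case say that the token name is prepended automatically and that a None token means no `-h` option is passed. get_cert() starts before and continues after this hunk.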
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -21,10 +21,8 @@ from __future__ import absolute_import
 from __future__ import print_function
-import base64
 import getopt
 import getpass
-import nss.nss as nss
 import os
 import string
 import subprocess
@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
 sys.exit(1)
 subsystem_cert = subsystem.get_subsystem_cert(cert_id)
- # get cert data from NSS database
- nss.nss_init(instance.nssdb_dir)
- nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
- data = base64.b64encode(nss_cert.der_data)
- del nss_cert
- nss.nss_shutdown()
+ if self.verbose:
+ print('Retrieving certificate %s from %s' %
+ (subsystem_cert['nickname'], subsystem_cert['token']))
+
+ token = subsystem_cert['token']
+ nssdb = instance.open_nssdb(token)
+ data = nssdb.get_cert(
+ nickname=subsystem_cert['nickname'],
+ output_format='base64')
 subsystem_cert['data'] = data
 # format cert data for LDAP database
 lines = [data[i:i + 64] for i in range(0, len(data), 64)]
 data = string.join(lines, '\r\n') + '\r\n'
- # get cert request from local CA
+ if self.verbose:
+ print('Retrieving certificate request from CA database')
+
 # TODO: add support for remote CA
 ca = instance.get_subsystem('ca')
 if not ca:
 print('ERROR: No CA subsystem in instance %s.'
 % instance_name)
 sys.exit(1)
+
 results = ca.find_cert_requests(cert=data)
- cert_request = results[-1]
- request = cert_request['request']
- # format cert request for CS.cfg
- lines = request.splitlines()
- if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
- lines = lines[1:]
- if lines[-1] == '-----END CERTIFICATE REQUEST-----':
- lines = lines[:-1]
- request = string.join(lines, '')
- subsystem_cert['request'] = request
+ if results:
+ cert_request = results[-1]
+ request = cert_request['request']
+
+ # format cert request for CS.cfg
+ lines = request.splitlines()
+ if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+ lines = lines[1:]
+ if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+ lines = lines[:-1]
+ request = string.join(lines, '')
+ subsystem_cert['request'] = request
+
+ else:
+ print('WARNING: Certificate request not found')
 # store cert data and request in CS.cfg
 subsystem.update_subsystem_cert(subsystem_cert)
-- 
2.5.5
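Review bot: The database opened by the new `nssdb = instance.open_nssdb(token)` line is never released: the NSSDatabase constructor (see the nssdb.py hunk) creates a temporary directory with tempfile.mkdtemp(), and the removed code paired nss_init() with nss_shutdown(), but nothing on the new side cleans the handle up, so each CLI run leaves a temp directory behind. Wrap the get_cert() call in try/finally and call the database's cleanup method (close() if NSSDatabase provides one — it is not visible in this patch). Separately, the request-formatting lines moved under `if results:` still index `lines[0]` and `lines[-1]` unguarded, so an empty `request` string raises IndexError; use `if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':` and `if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':`. `results[-1]` also silently picks the last of possibly several matching requests, and a comment saying why the last one is the right one would help the next reader. The enclosing method starts before this hunk.
```python
        nssdb = instance.open_nssdb(token)
        try:
            data = nssdb.get_cert(
                nickname=subsystem_cert['nickname'],
                output_format='base64')
        finally:
            nssdb.close()  # release the temp directory created by NSSDatabase
        # … unchanged: LDAP formatting and CA request lookup …
```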
