def execute(self, argv):
    """Remove a system certificate from the instance NSS database (cert-del).

    Usage: ``[-i INSTANCE] [--remove-key] [-v] [--debug] CERT_ID``.
    Validates the instance, loads it and hands the removal to
    ``PKIInstance.cert_del``.  Exits with status 1 on a usage error or an
    invalid instance, and with status 0 after ``--help``.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v',
            ['instance=', 'remove-key', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    remove_key = False

    for opt, value in opts:
        if opt in ('-i', '--instance'):
            instance_name = value
        elif opt == '--remove-key':
            # Forwarded to cert_del; presumably deletes the private key
            # along with the certificate - confirm in PKIInstance.cert_del.
            remove_key = True
        elif opt in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif opt == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', opt)
            self.print_help()
            sys.exit(1)

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    logger.info('Removing %s certificate from NSS database', cert_id)
    instance.cert_del(cert_id=cert_id, remove_key=remove_key)
def execute(self, argv):
    """Mark a subsystem startup self-test as critical.

    Usage: ``[-i INSTANCE] [--subsystem NAME] [TEST]``.  The test name is
    taken from the command line only when exactly one positional argument
    is present; otherwise ``None`` is passed on.  Exits with status 1 on a
    usage error or an invalid instance.
    """
    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:', ['subsystem=', 'instance=', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.print_help()
        sys.exit(1)

    subsystem = None
    instance_name = 'pki-tomcat'
    # A different number of positional arguments leaves ``test`` unset.
    test = args[0] if len(args) == 1 else None

    for opt, value in opts:
        if opt in ('-i', '--instance'):
            instance_name = value
        elif opt == '--subsystem':
            subsystem = value
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            print('ERROR: unknown option ' + opt)
            self.print_help()
            sys.exit(1)

    # Load instance
    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)
    instance.load()

    SelfTestCLI.set_startup_test_critical(
        instance=instance, subsystem=subsystem, test=test, critical=True)
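def execute(self, argv):
    """Create a temporary or permanent system certificate (cert-create).

    Usage: ``[-i INSTANCE] [-d CLIENT_NSSDB] [-c PASSWORD | -C PASSWORD_FILE]
    [-n CLIENT_NICKNAME] [--temp] [--serial NUMBER] [--output FILE]
    [--renew] [-v] CERT_ID``.

    ``--temp`` produces a locally issued temporary certificate and needs no
    client credentials; otherwise ``--renew`` plus a client NSS database
    password are required to authenticate to the CA.  The new certificate
    is written to ``<CONF_DIR>/<instance>/certs/<cert_id>.crt`` unless
    ``--output`` is given.

    Exits with status 1 on usage errors, an invalid instance, a malformed
    cert ID or an unknown subsystem.  Raises ``Exception`` for the rekey
    path and for cert types whose renewal is not implemented.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
            'instance=', 'verbose', 'temp', 'serial=', 'output=', 'renew',
            'help'
        ])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.usage()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    create_temp_cert = False
    serial = None
    # expanduser() falls back to the passwd entry when $HOME is unset;
    # os.getenv('HOME') + '...' raised TypeError in that case.
    client_nssdb_location = os.path.expanduser('~/.dogtag/nssdb')
    client_nssdb_password = None
    client_nssdb_pass_file = None
    client_cert = None
    output = None
    renew = False
    connection = None

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
        elif o == '-d':
            client_nssdb_location = a
        elif o == '-c':
            # A password on the command line is visible in the process
            # list and shell history; -C reads it from a file instead.
            client_nssdb_password = a
        elif o == '-C':
            client_nssdb_pass_file = a
        elif o == '-n':
            client_cert = a
        elif o == '--help':
            self.usage()
            sys.exit()
        elif o == '--temp':
            create_temp_cert = True
        elif o == '--serial':
            serial = a
        elif o == '--output':
            output = a
        elif o == '--renew':
            renew = True
        else:
            self.print_message('ERROR: unknown option ' + o)
            self.usage()
            sys.exit(1)

    if len(args) < 1:
        print('ERROR: missing cert ID')
        self.usage()
        sys.exit(1)

    if not create_temp_cert:
        # For permanent certificate, password of NSS db is required.
        if not client_nssdb_password and not client_nssdb_pass_file:
            print('ERROR: NSS db password is required.')
            self.usage()
            sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'
        # (e.g. ca_ocsp_signing -> ca / ocsp_signing).
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            print('ERROR: Invalid cert ID %s; expected <subsystem>_<tag>.'
                  % cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    # Get the subsystem - Eg: ca, kra, tps, tks
    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        print('ERROR: No %s subsystem in instance '
              '%s.' % (subsystem_name, instance_name))
        sys.exit(1)

    nssdb = instance.open_nssdb()
    try:
        # mkdtemp() creates the scratch directory with mode 0700; it is
        # handed to setup_authentication for whatever it needs to stage.
        tmpdir = tempfile.mkdtemp()
        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not os.path.exists(cert_folder):
                os.makedirs(cert_folder)
            new_cert_file = output or os.path.join(
                cert_folder, cert_id + '.crt')

            if create_temp_cert:
                if not serial:
                    # No serial given: use one more than the highest serial
                    # among all subsystems' system certs.
                    serials = [
                        int(c['serial_number'])
                        for sub in instance.subsystems
                        for c in sub.find_system_certs()
                    ]
                    # The create_* helpers expect the serial as a string.
                    serial = str(max(serials, default=0) + 1)
            else:
                # Create permanent certificate
                if not renew:
                    # Fixme: Support rekey
                    raise Exception('Rekey is not supported yet.')

                connection = self.setup_authentication(
                    subsystem=subsystem,
                    c_nssdb_pass=client_nssdb_password,
                    c_cert=client_cert,
                    c_nssdb_pass_file=client_nssdb_pass_file,
                    c_nssdb=client_nssdb_location,
                    tmpdir=tmpdir)

            if cert_tag == 'sslserver':
                self.create_ssl_cert(instance=instance,
                                     subsystem=subsystem,
                                     is_temp_cert=create_temp_cert,
                                     new_cert_file=new_cert_file,
                                     nssdb=nssdb,
                                     serial=serial,
                                     tmpdir=tmpdir,
                                     connection=connection)
            elif cert_tag == 'subsystem':
                self.create_subsystem_cert(is_temp_cert=create_temp_cert,
                                           serial=serial,
                                           subsystem=subsystem,
                                           new_cert_file=new_cert_file,
                                           connection=connection)
            elif cert_id in ['ca_ocsp_signing', 'ocsp_signing']:
                self.create_ocsp_cert(is_temp_cert=create_temp_cert,
                                      serial=serial,
                                      subsystem=subsystem,
                                      new_cert_file=new_cert_file,
                                      connection=connection)
            elif cert_tag == 'audit_signing':
                self.create_audit_cert(is_temp_cert=create_temp_cert,
                                       serial=serial,
                                       subsystem=subsystem,
                                       new_cert_file=new_cert_file,
                                       connection=connection)
            else:
                # renewal not yet supported
                raise Exception('Renewal for %s not yet supported.' % cert_id)
        finally:
            # Removed even if closing the NSS database below fails.
            shutil.rmtree(tmpdir)
    finally:
        nssdb.close()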
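def execute(self, argv):
    """Refresh a system certificate's data and CSR in CS.cfg (cert-update).

    Usage: ``[-i INSTANCE] [-v] CERT_ID``.  Reads the certificate from the
    instance NSS database, looks up the matching request in the local CA
    database and stores both in the subsystem's CS.cfg (in every
    subsystem's CS.cfg for the instance-wide ``sslserver`` and
    ``subsystem`` certs).  Exits with status 1 on usage errors, an
    invalid instance, a malformed cert ID, an unknown subsystem, a missing
    cert entry or a missing local CA.
    """
    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'verbose', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.usage()
        sys.exit(1)

    instance_name = 'pki-tomcat'

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
        elif o == '--help':
            self.usage()
            sys.exit()
        else:
            print('ERROR: unknown option ' + o)
            self.usage()
            sys.exit(1)

    if len(args) < 1:
        print('ERROR: missing cert ID')
        self.usage()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'.
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            print('ERROR: Invalid cert ID %s; expected <subsystem>_<tag>.'
                  % cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        print('ERROR: No %s subsystem in instance '
              '%s.' % (subsystem_name, instance_name))
        sys.exit(1)

    subsystem_cert = subsystem.get_subsystem_cert(cert_tag)
    if not subsystem_cert:
        # Indexing a missing entry used to raise TypeError.
        print('ERROR: No %s certificate in subsystem %s.'
              % (cert_tag, subsystem_name))
        sys.exit(1)

    if self.verbose:
        print('Retrieving certificate %s from %s' % (
            subsystem_cert['nickname'],
            subsystem_cert['token']))

    token = subsystem_cert['token']
    nssdb = instance.open_nssdb(token)

    # Get the cert data from NSS DB
    data = nssdb.get_cert(
        nickname=subsystem_cert['nickname'],
        output_format='base64')
    subsystem_cert['data'] = data

    # format cert data for LDAP database: 64-char lines, CRLF-terminated
    lines = [data[i:i + 64] for i in range(0, len(data), 64)]
    data = '\r\n'.join(lines) + '\r\n'

    # Get the cert request from LDAP database
    if self.verbose:
        print('Retrieving certificate request from CA database')

    # TODO: add support for remote CA
    ca = instance.get_subsystem('ca')
    if not ca:
        print('ERROR: No CA subsystem in instance %s.' % instance_name)
        sys.exit(1)

    results = ca.find_cert_requests(cert=data)

    if results:
        # Several requests may match; the last entry is taken - presumably
        # the most recent one, confirm the ordering of find_cert_requests.
        request = results[-1]['request']

        # format cert request for CS.cfg: strip the PEM armour and join
        # the body into a single line.  Guards keep an empty request from
        # raising IndexError.
        lines = request.splitlines()
        if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
            lines = lines[1:]
        if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':
            lines = lines[:-1]
        subsystem_cert['request'] = ''.join(lines)

    else:
        print('WARNING: Certificate request not found')

    # store cert data and request in CS.cfg
    if cert_id in ('sslserver', 'subsystem'):
        # Update for all subsystems
        for sub in instance.subsystems:
            sub.update_subsystem_cert(subsystem_cert)
            sub.save()
    else:
        subsystem.update_subsystem_cert(subsystem_cert)
        subsystem.save()

    self.print_message('Updated "%s" system certificate' % cert_id)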
def execute(self, argv):
    """List the system certificates of every subsystem (cert-find).

    Usage: ``[-i INSTANCE] [--show-all] [-v]``.  Subsystem-specific cert
    IDs are prefixed with the subsystem name (``ca_signing``); the shared
    ``sslserver`` and ``subsystem`` entries keep their plain ID and are
    listed once.  Exits with status 1 on a usage error or an invalid
    instance.
    """
    try:
        opts, _ = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'show-all', 'verbose', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    show_all = False

    for opt, value in opts:
        if opt in ('-i', '--instance'):
            instance_name = value
        elif opt == '--show-all':
            show_all = True
        elif opt in ('-v', '--verbose'):
            self.set_verbose(True)
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            print('ERROR: unknown option ' + opt)
            self.print_help()
            sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)
    instance.load()

    matched = []
    for subsystem in instance.subsystems:
        for entry in subsystem.find_system_certs():
            # Prefix subsystem-specific IDs so they are unique across the
            # instance; the two shared certs keep their ID.
            if entry['id'] not in ('sslserver', 'subsystem'):
                entry['id'] = subsystem.name + '_' + entry['id']
            # Whole-entry comparison drops duplicates of the shared certs.
            if entry not in matched:
                matched.append(entry)

    self.print_message('%s entries matched' % len(matched))

    for index, cert in enumerate(matched):
        # Blank line between entries, none before the first.
        if index:
            print()
        CertCLI.print_system_cert(cert, show_all)
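def execute(self, argv):
    """Import a certificate file into the NSS database and CS.cfg (cert-import).

    Usage: ``[-i INSTANCE] [--input FILE] [-v] [--debug] CERT_ID``.  The
    input defaults to ``<CONF_DIR>/<instance>/certs/<cert_id>.crt``.  The
    import is refused when the nickname already exists in the NSS
    database.  After import, the base64 cert data is stored in the
    subsystem's CS.cfg (in every subsystem's CS.cfg for the shared
    ``sslserver`` and ``subsystem`` certs).

    Exits with status 1 on usage errors, an invalid instance, a malformed
    cert ID, an unknown subsystem, a missing cert entry, a missing input
    file or an already-present certificate.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'input=', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--input':
            cert_file = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'.
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            logger.error('Invalid cert ID %s; expected <subsystem>_<tag>.',
                         cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    # Resolve and check the input file before opening the NSS database so
    # a missing file never leaves the database open.
    cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
    if not cert_file:
        cert_file = os.path.join(cert_folder, cert_id + '.crt')

    if not os.path.isfile(cert_file):
        logger.error('No %s such file.', cert_file)
        self.print_help()
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        # Indexing a missing entry used to raise TypeError.
        logger.error('No %s certificate in subsystem %s.',
                     cert_tag, subsystem_name)
        sys.exit(1)

    nssdb = instance.open_nssdb()
    try:
        logger.info('Checking existing %s certificate in NSS database',
                    cert_id)
        # Refuse to overwrite: a cert under this nickname is already in use.
        if nssdb.get_cert(nickname=cert['nickname'], token=cert['token']):
            logger.error('Certificate already exists: %s', cert_id)
            sys.exit(1)

        logger.info('Importing new %s certificate into NSS database',
                    cert_id)
        nssdb.add_cert(
            nickname=cert['nickname'],
            token=cert['token'],
            cert_file=cert_file)

        logger.info('Updating CS.cfg with the new certificate')
        data = nssdb.get_cert(
            nickname=cert['nickname'],
            token=cert['token'],
            output_format='base64')
        cert['data'] = data

        if cert_id in ('sslserver', 'subsystem'):
            # Update all subsystem's CS.cfg
            for sub in instance.subsystems:
                sub.update_subsystem_cert(cert)
                sub.save()
        else:
            subsystem.update_subsystem_cert(cert)
            subsystem.save()

    finally:
        nssdb.close()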
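def execute(self, argv):
    """Create a temporary or permanent system certificate (cert-create).

    Usage: ``[-i INSTANCE] [-d CLIENT_NSSDB] [-c PASSWORD | -C PASSWORD_FILE]
    [-n CLIENT_NICKNAME] [--temp] [--serial NUMBER] [--output FILE]
    [--renew] [-v] [--debug] CERT_ID``.

    ``--temp`` produces a locally issued temporary certificate and needs no
    client credentials; otherwise ``--renew`` plus a client NSS database
    password are required to authenticate to the CA.  The new certificate
    is written to ``<CONF_DIR>/<instance>/certs/<cert_id>.crt`` unless
    ``--output`` is given.

    Exits with status 1 on usage errors, an invalid instance, a malformed
    cert ID or an unknown subsystem.  Raises ``Exception`` for the rekey
    path and for cert types whose renewal is not implemented.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
            'instance=', 'temp', 'serial=', 'output=', 'renew',
            'verbose', 'debug', 'help'
        ])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    create_temp_cert = False
    serial = None
    # expanduser() falls back to the passwd entry when $HOME is unset;
    # os.getenv('HOME') + '...' raised TypeError in that case.
    client_nssdb_location = os.path.expanduser('~/.dogtag/nssdb')
    client_nssdb_password = None
    client_nssdb_pass_file = None
    client_cert = None
    output = None
    renew = False
    connection = None

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '-d':
            client_nssdb_location = a
        elif o == '-c':
            # A password on the command line is visible in the process
            # list and shell history; -C reads it from a file instead.
            client_nssdb_password = a
        elif o == '-C':
            client_nssdb_pass_file = a
        elif o == '-n':
            client_cert = a
        elif o == '--temp':
            create_temp_cert = True
        elif o == '--serial':
            serial = a
        elif o == '--output':
            output = a
        elif o == '--renew':
            renew = True
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    if not create_temp_cert:
        # For permanent certificate, password of NSS db is required.
        if not client_nssdb_password and not client_nssdb_pass_file:
            logger.error('NSS database password is required.')
            self.print_help()
            sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'
        # (e.g. ca_ocsp_signing -> ca / ocsp_signing).
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            logger.error('Invalid cert ID %s; expected <subsystem>_<tag>.',
                         cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    nssdb = instance.open_nssdb()
    try:
        # mkdtemp() creates the scratch directory with mode 0700; it is
        # handed to setup_authentication for whatever it needs to stage.
        tmpdir = tempfile.mkdtemp()
        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not os.path.exists(cert_folder):
                os.makedirs(cert_folder)
            new_cert_file = output or os.path.join(
                cert_folder, cert_id + '.crt')

            if create_temp_cert:
                if not serial:
                    # No serial given: use one more than the highest serial
                    # among all subsystems' system certs.
                    serials = [
                        int(c['serial_number'])
                        for sub in instance.subsystems
                        for c in sub.find_system_certs()
                    ]
                    # The create_* helpers expect the serial as a string.
                    serial = str(max(serials, default=0) + 1)
            else:
                # Create permanent certificate
                if not renew:
                    # Fixme: Support rekey
                    raise Exception('Rekey is not supported yet.')

                connection = self.setup_authentication(
                    subsystem=subsystem,
                    c_nssdb_pass=client_nssdb_password,
                    c_cert=client_cert,
                    c_nssdb_pass_file=client_nssdb_pass_file,
                    c_nssdb=client_nssdb_location,
                    tmpdir=tmpdir)

            if cert_tag == 'sslserver':
                self.create_ssl_cert(instance=instance,
                                     subsystem=subsystem,
                                     is_temp_cert=create_temp_cert,
                                     new_cert_file=new_cert_file,
                                     nssdb=nssdb,
                                     serial=serial,
                                     tmpdir=tmpdir,
                                     connection=connection)
            elif cert_tag == 'subsystem':
                self.create_subsystem_cert(is_temp_cert=create_temp_cert,
                                           serial=serial,
                                           subsystem=subsystem,
                                           new_cert_file=new_cert_file,
                                           connection=connection)
            elif cert_id in ['ca_ocsp_signing', 'ocsp_signing']:
                self.create_ocsp_cert(is_temp_cert=create_temp_cert,
                                      serial=serial,
                                      subsystem=subsystem,
                                      new_cert_file=new_cert_file,
                                      connection=connection)
            elif cert_tag == 'audit_signing':
                self.create_audit_cert(is_temp_cert=create_temp_cert,
                                       serial=serial,
                                       subsystem=subsystem,
                                       new_cert_file=new_cert_file,
                                       connection=connection)
            else:
                # renewal not yet supported
                raise Exception('Renewal for %s not yet supported.' % cert_id)
        finally:
            # Removed even if closing the NSS database below fails.
            shutil.rmtree(tmpdir)
    finally:
        nssdb.close()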
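def execute(self, argv):
    """Refresh a system certificate's data and CSR in CS.cfg (cert-update).

    Usage: ``[-i INSTANCE] [-v] [--debug] CERT_ID``.  Reads the certificate
    from the instance NSS database, looks up the matching request in the
    local CA database and stores both in the subsystem's CS.cfg (in every
    subsystem's CS.cfg for the instance-wide ``sslserver`` and
    ``subsystem`` certs).  Exits with status 1 on usage errors, an
    invalid instance, a malformed cert ID, an unknown subsystem, a missing
    cert entry or a missing local CA.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'.
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            logger.error('Invalid cert ID %s; expected <subsystem>_<tag>.',
                         cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    subsystem_cert = subsystem.get_subsystem_cert(cert_tag)
    if not subsystem_cert:
        # Indexing a missing entry used to raise TypeError.
        logger.error('No %s certificate in subsystem %s.',
                     cert_tag, subsystem_name)
        sys.exit(1)

    logger.info('Retrieving certificate %s from %s',
                subsystem_cert['nickname'], subsystem_cert['token'])

    token = subsystem_cert['token']
    nssdb = instance.open_nssdb(token)

    # Get the cert data from NSS DB
    data = nssdb.get_cert(
        nickname=subsystem_cert['nickname'],
        output_format='base64')
    subsystem_cert['data'] = data

    # format cert data for LDAP database: 64-char lines, CRLF-terminated
    lines = [data[i:i + 64] for i in range(0, len(data), 64)]
    data = '\r\n'.join(lines) + '\r\n'

    # Get the cert request from LDAP database
    logger.info('Retrieving certificate request from CA database')

    # TODO: add support for remote CA
    ca = instance.get_subsystem('ca')
    if not ca:
        logger.error('No CA subsystem in instance %s.', instance_name)
        sys.exit(1)

    results = ca.find_cert_requests(cert=data)

    if results:
        # Several requests may match; the last entry is taken - presumably
        # the most recent one, confirm the ordering of find_cert_requests.
        request = results[-1]['request']

        # format cert request for CS.cfg: strip the PEM armour and join
        # the body into a single line.  Guards keep an empty request from
        # raising IndexError.
        lines = request.splitlines()
        if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
            lines = lines[1:]
        if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':
            lines = lines[:-1]
        subsystem_cert['request'] = ''.join(lines)

    else:
        # Routed through the logger like every other message of this command.
        logger.warning('Certificate request not found')

    # store cert data and request in CS.cfg
    if cert_id in ('sslserver', 'subsystem'):
        # Update for all subsystems
        for sub in instance.subsystems:
            sub.update_subsystem_cert(subsystem_cert)
            sub.save()
    else:
        subsystem.update_subsystem_cert(subsystem_cert)
        subsystem.save()

    self.print_message('Updated "%s" system certificate' % cert_id)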
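def execute(self, argv):
    """Remove a system certificate from the instance NSS database (cert-del).

    Usage: ``[-i INSTANCE] [--remove-key] [-v] [--debug] CERT_ID``.  The
    nickname and token are taken from the subsystem's CS.cfg entry.  With
    ``--remove-key`` the flag is forwarded to ``nssdb.remove_cert``;
    presumably the private key is deleted too - confirm in remove_cert.
    Exits with status 1 on usage errors, an invalid instance, a malformed
    cert ID, an unknown subsystem or a missing cert entry.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v',
            ['instance=', 'remove-key', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    remove_key = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--remove-key':
            remove_key = True
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'.
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            logger.error('Invalid cert ID %s; expected <subsystem>_<tag>.',
                         cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        # Indexing a missing entry used to raise TypeError.
        logger.error('No %s certificate in subsystem %s.',
                     cert_tag, subsystem_name)
        sys.exit(1)

    nssdb = instance.open_nssdb()
    try:
        logger.info('Removing %s certificate from NSS database', cert_id)
        nssdb.remove_cert(
            nickname=cert['nickname'],
            token=cert['token'],
            remove_key=remove_key)
    finally:
        nssdb.close()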
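def execute(self, argv):
    """Export a system certificate, its CSR and/or its key (cert-export).

    Usage: ``[-i INSTANCE] [--cert-file FILE] [--csr-file FILE]
    [--pkcs12-file FILE] [--pkcs12-password PW | --pkcs12-password-file FILE]
    [--friendly-name NAME] [--cert-encryption ALG] [--key-encryption ALG]
    [--append] [--no-trust-flags] [--no-key] [--no-chain] [-v] [--debug]
    CERT_ID``.

    ``--cert-file`` and ``--csr-file`` are written as PEM from the data
    recorded in CS.cfg; ``--pkcs12-file`` is produced from the NSS
    database by ``nssdb.export_cert``.  At least one output option is
    required.  For ``sslserver`` the nickname and token come from
    serverCertNick.conf, for every other cert from CS.cfg.

    Exits with status 1 on usage errors, an invalid instance, a malformed
    cert ID, an unknown subsystem, a missing cert entry, or missing cert
    data / request for the requested output.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=',
            'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
            'friendly-name=', 'cert-encryption=', 'key-encryption=',
            'append', 'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'
        ])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None
    csr_file = None
    pkcs12_file = None
    pkcs12_password = None
    pkcs12_password_file = None
    friendly_name = None
    cert_encryption = None
    key_encryption = None
    append = False
    include_trust_flags = True
    include_key = True
    include_chain = True

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--cert-file':
            cert_file = a
        elif o == '--csr-file':
            csr_file = a
        elif o == '--pkcs12-file':
            pkcs12_file = a
        elif o == '--pkcs12-password':
            # A password on the command line is visible in the process
            # list and shell history; --pkcs12-password-file or the
            # interactive prompt below avoids that.
            pkcs12_password = a
        elif o == '--pkcs12-password-file':
            pkcs12_password_file = a
        elif o == '--friendly-name':
            friendly_name = a
        elif o == '--cert-encryption':
            cert_encryption = a
        elif o == '--key-encryption':
            key_encryption = a
        elif o == '--append':
            append = True
        elif o == '--no-trust-flags':
            include_trust_flags = False
        elif o == '--no-key':
            include_key = False
        elif o == '--no-chain':
            include_chain = False
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    if not (cert_file or csr_file or pkcs12_file):
        logger.error('missing output file')
        self.print_help()
        sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)
    instance.load()

    if cert_id in ('sslserver', 'subsystem'):
        # Instance-wide certs carry no subsystem prefix.
        subsystem_name = None
        cert_tag = cert_id
    else:
        # Split on the first '_' only: the tag itself may contain '_'.
        parts = cert_id.split('_', 1)
        if len(parts) != 2:
            # An ID without '_' used to fail with an IndexError traceback.
            logger.error('Invalid cert ID %s; expected <subsystem>_<tag>.',
                         cert_id)
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystem_name = instance.subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        logger.error('missing %s certificate', cert_id)
        self.print_help()
        sys.exit(1)

    if cert_id == 'sslserver':
        # get nickname and token from serverCertNick.conf; the value is
        # either '<nickname>' or '<token>:<nickname>'
        full_name = instance.get_sslserver_cert_nickname()
        token, sep, nickname = full_name.partition(':')
        if not sep:
            nickname = full_name
            token = None
    else:
        # get nickname and token from CS.cfg
        nickname = cert['nickname']
        token = cert['token']

    logger.info('Nickname: %s', nickname)
    logger.info('Token: %s', token)

    nssdb = instance.open_nssdb(token)
    try:
        if cert_file:
            logger.info('Exporting %s certificate into %s.',
                        cert_id, cert_file)
            cert_data = cert.get('data', None)
            if cert_data is None:
                logger.error('Unable to find certificate data for %s',
                             cert_id)
                sys.exit(1)
            cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
            with open(cert_file, 'w') as f:
                f.write(cert_data)

        if csr_file:
            logger.info('Exporting %s CSR into %s.', cert_id, csr_file)
            cert_request = cert.get('request', None)
            if cert_request is None:
                logger.error('Unable to find certificate request for %s',
                             cert_id)
                sys.exit(1)
            csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
            with open(csr_file, 'w') as f:
                f.write(csr_data)

        if pkcs12_file:
            logger.info('Exporting %s certificate and key into %s.',
                        cert_id, pkcs12_file)
            if not pkcs12_password and not pkcs12_password_file:
                pkcs12_password = getpass.getpass(
                    prompt='Enter password for PKCS #12 file: ')
            logger.info('Friendly name: %s', friendly_name)
            # NOTE(review): unless --no-key is given the output holds the
            # private key; the file mode is whatever export_cert applies -
            # confirm it is not group/world readable.
            nssdb.export_cert(
                nickname=nickname,
                pkcs12_file=pkcs12_file,
                pkcs12_password=pkcs12_password,
                pkcs12_password_file=pkcs12_password_file,
                friendly_name=friendly_name,
                cert_encryption=cert_encryption,
                key_encryption=key_encryption,
                append=append,
                include_trust_flags=include_trust_flags,
                include_key=include_key,
                include_chain=include_chain,
                debug=self.debug)

    finally:
        nssdb.close()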
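def execute(self, argv):
    """List the system certificates of every subsystem (cert-find).

    Usage: ``[-i INSTANCE] [--show-all] [-v] [--debug]``.
    Subsystem-specific cert IDs are printed with the subsystem name as a
    prefix (``ca_signing``); the shared ``sslserver`` and ``subsystem``
    entries keep their plain ID and are printed only once.  Exits with
    status 1 on a usage error or an invalid instance.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, _ = getopt.gnu_getopt(
            argv, 'i:v',
            ['instance=', 'show-all', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    show_all = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--show-all':
            show_all = True
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)
    instance.load()

    first = True
    # IDs already printed; a set gives O(1) membership instead of the
    # linear scan a list needs.
    seen = set()
    for subsystem in instance.subsystems:
        # Retrieve the subsystem's system certificates
        certs = subsystem.find_system_certs()

        for cert in certs:
            # Prefix subsystem-specific IDs so they are unique across the
            # instance; the two shared certs keep their ID.
            if cert['id'] not in ('sslserver', 'subsystem'):
                cert['id'] = subsystem.name + '_' + cert['id']

            # Print each ID only once (the shared certs recur per subsystem)
            if cert['id'] in seen:
                continue
            seen.add(cert['id'])

            # Blank line between entries, none before the first.
            if first:
                first = False
            else:
                print()

            CertCLI.print_system_cert(cert, show_all)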
def execute(self, argv):
    """Import a certificate file into the NSS database and CS.cfg (cert-import).

    Usage: ``[-i INSTANCE] [--input FILE] [-v] [--debug] CERT_ID``.  The
    work is delegated to ``PKIInstance.cert_import``; a
    ``PKIServerException`` from it is logged and turned into exit status
    1, as are usage errors and an invalid instance.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'input=', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None

    for opt, value in opts:
        if opt in ('-i', '--instance'):
            instance_name = value
        elif opt == '--input':
            cert_file = value
        elif opt in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif opt == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif opt == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', opt)
            self.print_help()
            sys.exit(1)

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    try:
        # Load the cert into NSS db and update all corresponding
        # subsystems' CS.cfg (cert_file may be None: the default path is
        # chosen by cert_import)
        instance.cert_import(cert_id, cert_file)
    except server.PKIServerException as e:
        logger.error(str(e))
        sys.exit(1)
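def execute(self, argv):
    """Create a temporary or permanent system certificate (cert-create).

    Usage: ``[-i INSTANCE] [-d CLIENT_NSSDB] [-c PASSWORD | -C PASSWORD_FILE]
    [-n CLIENT_NICKNAME] [--temp] [--serial NUMBER] [--output FILE]
    [--renew] [-v] [--debug] CERT_ID``.

    ``--serial`` accepts a decimal or ``0x``-prefixed hex value and is
    normalised to a decimal string.  A permanent certificate (no
    ``--temp``) needs a client NSS database password.  The work is
    delegated to ``PKIInstance.cert_create``; a ``PKIServerException``
    from it is logged and turned into exit status 1, as are usage errors,
    a malformed serial and an invalid instance.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
            'instance=', 'temp', 'serial=', 'output=', 'renew',
            'verbose', 'debug', 'help'
        ])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    temp_cert = False
    serial = None
    # expanduser() falls back to the passwd entry when $HOME is unset;
    # os.getenv('HOME') + '...' raised TypeError in that case.
    client_nssdb = os.path.expanduser('~/.dogtag/nssdb')
    client_nssdb_password = None
    client_nssdb_pass_file = None
    client_cert = None
    output = None
    renew = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '-d':
            client_nssdb = a
        elif o == '-c':
            # A password on the command line is visible in the process
            # list and shell history; -C reads it from a file instead.
            client_nssdb_password = a
        elif o == '-C':
            client_nssdb_pass_file = a
        elif o == '-n':
            client_cert = a
        elif o == '--temp':
            temp_cert = True
        elif o == '--serial':
            # string containing the dec or hex value for the identifier
            try:
                serial = str(int(a, 0))
            except ValueError:
                # Previously an uncaught ValueError traceback.
                logger.error('Invalid serial number: %s', a)
                self.print_help()
                sys.exit(1)
        elif o == '--output':
            output = a
        elif o == '--renew':
            renew = True
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if len(args) < 1:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    if not temp_cert:
        # For permanent certificate, password of NSS db is required.
        if not client_nssdb_password and not client_nssdb_pass_file:
            logger.error('NSS database password is required.')
            self.print_help()
            sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    try:
        instance.cert_create(cert_id, client_cert, client_nssdb,
                             client_nssdb_password, client_nssdb_pass_file,
                             serial, temp_cert, renew, output)
    except server.PKIServerException as e:
        logger.error(str(e))
        sys.exit(1)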
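def execute(self, argv):
    """Renew system certificates of a PKI server instance and re-import them.

    Without ``--cert`` every system certificate of every subsystem except
    ``ca_signing`` is renewed; each ``--cert <ID>`` restricts the set. The
    procedure: stop the instance, make the startup self-tests of the
    affected subsystems non-critical, install a temporary ``sslserver``
    certificate when that certificate is being fixed, start the server for
    the renewal requests, stop it again, replace the certificates in the
    NSS database, restore the self-tests and start the server.

    Args:
        argv: command-line arguments after the subcommand name.

    Exits with status 1 on a getopt error, an unrecognised option, a
    missing client nickname or client NSS database password, an invalid
    instance, an unknown subsystem, or a ``PKIServerException`` raised by
    the instance. When the failure happens after the self-tests were
    disabled, a warning names the subsystems that still need them restored.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, _ = getopt.gnu_getopt(
            argv, 'i:d:c:C:n:v',
            ['instance=', 'cert=', 'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    all_certs = True
    # expanduser() also works when HOME is unset, where
    # os.getenv('HOME') + '...' raised TypeError.
    client_nssdb = os.path.expanduser('~/.dogtag/nssdb')
    client_nssdb_pass = None
    client_nssdb_pass_file = None
    client_cert = None
    fix_certs = []

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--cert':
            all_certs = False
            fix_certs.append(a)
        elif o == '-d':
            client_nssdb = a
        elif o == '-c':
            # Visible to other local users in the process list; -C (password
            # file) avoids that exposure.
            client_nssdb_pass = a
        elif o == '-C':
            client_nssdb_pass_file = a
        elif o == '-n':
            client_cert = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if not client_cert:
        logger.error('Client nick name is required.')
        self.print_help()
        sys.exit(1)

    if not client_nssdb_pass and not client_nssdb_pass_file:
        logger.error('Client NSS db password is required.')
        self.print_help()
        sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    instance.load()

    # 1. Build the list of certs to fix, unless --cert already supplied it.
    if all_certs:
        # TODO: Identify only certs that are EXPIRED or ALMOST EXPIRED
        for subsystem in instance.subsystems:
            for cert in subsystem.find_system_certs():
                # Instance-wide certs keep their tag; subsystem-specific
                # certs are qualified as <subsystem>_<tag>.
                if cert['id'] not in ('sslserver', 'subsystem'):
                    cert['id'] = subsystem.name + '_' + cert['id']
                # ca_signing isn't supported yet; also skip duplicates.
                if cert['id'] == 'ca_signing' or cert['id'] in fix_certs:
                    continue
                fix_certs.append(cert['id'])

    logger.info('Fixing the following certs: %s', fix_certs)

    # 2. Stop the server, if it's up
    instance.stop()

    # Subsystems whose self-test criticality has been switched off *and*
    # saved; reported if the procedure aborts before they are restored.
    disabled_subsys = []

    try:
        # 3. Find the subsystems whose self-tests must be disabled. A set
        #    avoids duplicates: ca_ocsp_signing and ca_audit_signing both
        #    map to the 'ca' subsystem.
        target_subsys = set()

        if 'sslserver' in fix_certs or 'subsystem' in fix_certs:
            # Every subsystem uses these two certs.
            target_subsys = set(instance.subsystems)
        else:
            for cert_id in fix_certs:
                # sslserver/subsystem were excluded above, so every remaining
                # ID has the form <subsys>_<cert_tag>.
                subsystem_name = cert_id.split('_', 1)[0]
                subsystem = instance.get_subsystem(subsystem_name)
                if not subsystem:
                    logger.error('No %s subsystem in instance %s.',
                                 subsystem_name, instance_name)
                    sys.exit(1)
                target_subsys.add(subsystem)

        target_subsys = list(target_subsys)

        for subsystem in target_subsys:
            subsystem.set_startup_test_criticality(False)
            subsystem.save()
            disabled_subsys.append(subsystem)

        logger.info('Selftests disabled for subsystems: %s',
                    ', '.join(str(x.name) for x in target_subsys))

        # 4. Install a temporary SSL cert so the server can come up even if
        #    the current sslserver cert has expired.
        if 'sslserver' in fix_certs:
            instance.cert_create(cert_id='sslserver', temp_cert=True)
            instance.cert_del('sslserver')
            instance.cert_import('sslserver')

        # 5. Bring up the server temporarily
        instance.start()

        # 6. Place renewal request for all certs in fix_certs
        for cert_id in fix_certs:
            instance.cert_create(
                cert_id=cert_id,
                client_cert=client_cert,
                client_nssdb=client_nssdb,
                client_nssdb_pass=client_nssdb_pass,
                client_nssdb_pass_file=client_nssdb_pass_file,
                renew=True)

        # 7. Stop the server
        instance.stop()

        # 8. Delete existing certs and then import the renewed system cert(s)
        for cert_id in fix_certs:
            instance.cert_del(cert_id)
            instance.cert_import(cert_id)

        # 9. Re-enable the self-tests disabled in step 3. save() is required
        #    here as well (step 3 saves too); without it the change never
        #    reaches CS.cfg and the subsystems keep running with their
        #    startup self-tests non-critical.
        for subsystem in target_subsys:
            subsystem.set_startup_test_criticality(True)
            subsystem.save()

        # 10. Bring up the server
        instance.start()

    except server.PKIServerException as e:
        logger.error(str(e))
        if disabled_subsys:
            logger.warning(
                'Startup self-tests may still be disabled for subsystems: %s',
                ', '.join(str(x.name) for x in disabled_subsys))
        sys.exit(1)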
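def execute(self, argv):
    """Import a (renewed) system certificate into the instance NSS database.

    The certificate file defaults to ``<CONF_DIR>/<instance>/certs/<cert
    ID>.crt`` and can be overridden with ``--input``. The certificate with
    the same nickname is removed from the NSS database, the new one is
    added, and the base64 certificate data in CS.cfg is refreshed -- for
    ``sslserver`` and ``subsystem`` in every subsystem, otherwise only in
    the owning subsystem.

    Args:
        argv: command-line arguments after the subcommand name.

    Exits with status 1 on a getopt error, an unrecognised option, a
    missing cert ID, an invalid instance, a malformed cert ID, an unknown
    subsystem, a missing certificate file, or an unknown certificate tag.
    """
    try:
        opts, args = getopt.gnu_getopt(
            argv, 'i:v', ['instance=', 'verbose', 'input=', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.usage()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
        elif o == '--input':
            cert_file = a
        elif o == '--help':
            self.usage()
            sys.exit()
        else:
            self.print_message('ERROR: unknown option ' + o)
            self.usage()
            sys.exit(1)

    if not args:
        print('ERROR: missing cert ID')
        self.usage()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)

    # Load the instance. Default: pki-tomcat
    instance.load()

    # Instance-wide certs (sslserver, subsystem) are looked up through the
    # first subsystem; every other ID is <subsystem>_<cert_tag>. Split only
    # once because the tag itself may contain underscores.
    if cert_id in ('sslserver', 'subsystem'):
        subsystem_name = instance.subsystems[0].name
        cert_tag = cert_id
    else:
        parts = cert_id.split('_', 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            print('ERROR: Invalid cert ID: %s' % cert_id)
            self.usage()
            sys.exit(1)
        subsystem_name, cert_tag = parts

    # Get the subsystem - Eg: ca, kra, tps, tks
    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        print('ERROR: No %s subsystem in instance %s.'
              % (subsystem_name, instance_name))
        sys.exit(1)

    if not cert_file:
        cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
        cert_file = os.path.join(cert_folder, cert_id + '.crt')

    if not os.path.isfile(cert_file):
        print('ERROR: No such file: %s' % cert_file)
        self.usage()
        sys.exit(1)

    # Fail before touching the NSS database if the tag is unknown;
    # get_subsystem_cert() returns a falsy value in that case.
    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        print('ERROR: missing %s certificate' % cert_id)
        sys.exit(1)

    nssdb = instance.open_nssdb()
    try:
        # The old cert is removed before the new one is added; if add_cert()
        # fails, the NSS database has no cert under this nickname until the
        # import is retried.
        if self.verbose:
            print('Removing old %s certificate from NSS database.' % cert_id)
        nssdb.remove_cert(cert['nickname'])

        if self.verbose:
            print('Adding new %s certificate into NSS database.' % cert_id)
        nssdb.add_cert(nickname=cert['nickname'], cert_file=cert_file)

        # Refresh the base64 certificate data recorded in CS.cfg.
        if self.verbose:
            print('Updating CS.cfg')
        cert['data'] = nssdb.get_cert(nickname=cert['nickname'],
                                      output_format='base64')

        if cert_id in ('sslserver', 'subsystem'):
            # Shared by all subsystems: update every CS.cfg.
            for subsystem in instance.subsystems:
                subsystem.update_subsystem_cert(cert)
                subsystem.save()
        else:
            subsystem.update_subsystem_cert(cert)
            subsystem.save()
    finally:
        nssdb.close()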
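def execute(self, argv):
    """Show a system certificate of a PKI server instance.

    The cert is printed through ``CertCLI.print_system_cert()``;
    ``--show-all`` is passed straight to it. With ``--pretty-print`` the
    certificate is additionally read from the NSS database in
    ``pretty-print`` format and echoed after a blank line.

    Args:
        argv: command-line arguments after the subcommand name.

    Exits with status 1 on a getopt error, an unrecognised option, a
    missing cert ID, an invalid instance, a malformed cert ID, an unknown
    subsystem, or an unknown certificate tag.
    """
    logging.basicConfig(format='%(levelname)s: %(message)s')

    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'show-all', 'pretty-print', 'verbose', 'debug', 'help'
        ])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    show_all = False
    pretty_print = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--show-all':
            show_all = True
        elif o == '--pretty-print':
            pretty_print = True
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--debug':
            self.set_verbose(True)
            self.set_debug(True)
            logging.getLogger().setLevel(logging.DEBUG)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)

    cert_id = args[0]

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)

    instance.load()

    # Instance-wide certs (sslserver, subsystem) are looked up through the
    # first subsystem; every other ID is <subsystem>_<cert_tag>. Split only
    # once because the tag itself may contain underscores.
    if cert_id in ('sslserver', 'subsystem'):
        subsystem_name = instance.subsystems[0].name
        cert_tag = cert_id
    else:
        parts = cert_id.split('_', 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            logger.error('Invalid cert ID: %s', cert_id)
            self.print_help()
            sys.exit(1)
        subsystem_name, cert_tag = parts

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.',
                     subsystem_name, instance_name)
        sys.exit(1)

    # get_subsystem_cert() returns a falsy value for an unknown tag; fail
    # with a message rather than a TypeError on cert['nickname'] below.
    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        logger.error('Missing %s certificate.', cert_id)
        sys.exit(1)

    CertCLI.print_system_cert(cert, show_all)

    if pretty_print:
        nssdb = instance.open_nssdb()
        try:
            output = nssdb.get_cert(nickname=cert['nickname'],
                                    token=cert['token'],
                                    output_format='pretty-print')
            print()
            print(output)
        finally:
            nssdb.close()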
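def execute(self, argv):
    """Export a system certificate, its CSR and/or a PKCS #12 bundle.

    At least one of ``--cert-file`` (PEM certificate), ``--csr-file`` (PEM
    request) or ``--pkcs12-file`` is required. The PKCS #12 export goes
    through the instance NSS database and, unless ``--no-key``,
    ``--no-chain`` or ``--no-trust-flags`` are given, includes the private
    key, the chain and the trust flags. Its password comes from
    ``--pkcs12-password``, ``--pkcs12-password-file`` or, failing both, an
    interactive prompt.

    Args:
        argv: command-line arguments after the subcommand name.

    Exits with status 1 on a getopt error, an unrecognised option, a
    missing cert ID or output file, an invalid instance, a malformed cert
    ID, an unknown subsystem or certificate tag, or missing certificate /
    request data.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=',
            'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
            'append', 'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'
        ])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.usage()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None
    csr_file = None
    pkcs12_file = None
    pkcs12_password = None
    pkcs12_password_file = None
    append = False
    include_trust_flags = True
    include_key = True
    include_chain = True
    debug = False

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--cert-file':
            cert_file = a
        elif o == '--csr-file':
            csr_file = a
        elif o == '--pkcs12-file':
            pkcs12_file = a
        elif o == '--pkcs12-password':
            # Visible to other local users in the process list; prefer
            # --pkcs12-password-file or the interactive prompt below.
            pkcs12_password = a
        elif o == '--pkcs12-password-file':
            pkcs12_password_file = a
        elif o == '--append':
            append = True
        elif o == '--no-trust-flags':
            include_trust_flags = False
        elif o == '--no-key':
            include_key = False
        elif o == '--no-chain':
            include_chain = False
        elif o in ('-v', '--verbose'):
            self.set_verbose(True)
        elif o == '--debug':
            debug = True
        elif o == '--help':
            self.usage()
            sys.exit()
        else:
            self.print_message('ERROR: unknown option ' + o)
            self.usage()
            sys.exit(1)

    if not args:
        print('ERROR: missing cert ID')
        self.usage()
        sys.exit(1)

    cert_id = args[0]

    if not (cert_file or csr_file or pkcs12_file):
        print('ERROR: missing output file')
        self.usage()
        sys.exit(1)

    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)

    instance.load()

    # Instance-wide certs (sslserver, subsystem) are looked up through the
    # first subsystem; every other ID is <subsystem>_<cert_tag>. Split only
    # once because the tag itself may contain underscores.
    if cert_id in ('sslserver', 'subsystem'):
        subsystem_name = instance.subsystems[0].name
        cert_tag = cert_id
    else:
        parts = cert_id.split('_', 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            print('ERROR: Invalid cert ID: %s' % cert_id)
            self.usage()
            sys.exit(1)
        subsystem_name, cert_tag = parts

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        print('ERROR: No %s subsystem in instance %s.'
              % (subsystem_name, instance_name))
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        print('ERROR: missing %s certificate' % cert_id)
        self.usage()
        sys.exit(1)

    if cert_file:
        if self.verbose:
            print('Exporting %s certificate into %s.' % (cert_id, cert_file))

        cert_data = cert.get('data', None)
        if cert_data is None:
            print("ERROR: Unable to find certificate data for %s" % cert_id)
            sys.exit(1)

        cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
        with open(cert_file, 'w') as f:
            f.write(cert_data)

    if csr_file:
        if self.verbose:
            print('Exporting %s CSR into %s.' % (cert_id, csr_file))

        cert_request = cert.get('request', None)
        if cert_request is None:
            print("ERROR: Unable to find certificate request for %s" % cert_id)
            sys.exit(1)

        csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
        with open(csr_file, 'w') as f:
            f.write(csr_data)

    if pkcs12_file:
        if self.verbose:
            print('Exporting %s certificate and key into %s.'
                  % (cert_id, pkcs12_file))

        if not pkcs12_password and not pkcs12_password_file:
            pkcs12_password = getpass.getpass(
                prompt='Enter password for PKCS #12 file: ')

        # Only the PKCS #12 path needs the instance NSS database; the PEM
        # exports above work from the data recorded in CS.cfg.
        # NOTE(review): the bundle carries the private key by default
        # (--no-key disables it); confirm export_pkcs12() creates the file
        # with restrictive permissions.
        nssdb = instance.open_nssdb()
        try:
            nssdb.export_pkcs12(pkcs12_file=pkcs12_file,
                                pkcs12_password=pkcs12_password,
                                pkcs12_password_file=pkcs12_password_file,
                                nicknames=[cert['nickname']],
                                append=append,
                                include_trust_flags=include_trust_flags,
                                include_key=include_key,
                                include_chain=include_chain,
                                debug=debug)
        finally:
            nssdb.close()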
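def execute(self, argv):
    """Mark startup self-tests as critical for one or more subsystems.

    Each ``--subsystem <name>`` restricts the change to that subsystem;
    without it every subsystem of the instance is updated. An optional
    single positional argument names the test and is passed through as
    ``test``; with no argument ``test`` is ``None``. After each change the
    subsystem's CS.cfg is saved.

    Args:
        argv: command-line arguments after the subcommand name.

    Exits with status 1 on a getopt error, an unrecognised option, more
    than one positional argument, an invalid instance, an unknown
    subsystem, or a ``PKIServerException`` raised while updating.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:', [
            'subsystem=', 'instance=', 'help'])
    except getopt.GetoptError as e:
        print('ERROR: ' + str(e))
        self.print_help()
        sys.exit(1)

    # Subsystem names given on the command line
    subsystems = []
    test = None
    instance_name = 'pki-tomcat'

    # Previously extra positional arguments were ignored and `test` silently
    # stayed None, which would have changed *every* test; reject them.
    if len(args) > 1:
        print('ERROR: too many arguments')
        self.print_help()
        sys.exit(1)

    if args:
        test = args[0]

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--subsystem':
            subsystems.append(a)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            print('ERROR: unknown option ' + o)
            self.print_help()
            sys.exit(1)

    # Load instance
    instance = server.PKIInstance(instance_name)
    if not instance.is_valid():
        print('ERROR: Invalid instance %s.' % instance_name)
        sys.exit(1)

    instance.load()

    # Resolve the target subsystem objects. get_subsystem() returns a falsy
    # value for an unknown name; report it instead of failing later with an
    # AttributeError.
    if subsystems:
        target_subsystems = []
        for name in subsystems:
            subsys = instance.get_subsystem(name)
            if not subsys:
                print('ERROR: No %s subsystem in instance %s.'
                      % (name, instance_name))
                sys.exit(1)
            target_subsystems.append(subsys)
    else:
        target_subsystems = list(instance.subsystems)

    try:
        for subsys in target_subsystems:
            subsys.set_startup_test_criticality(test=test, critical=True)
            # Persist the updated CS.cfg
            subsys.save()
    except server.PKIServerException as e:
        logger.error(str(e))
        sys.exit(1)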