def migrate_nssdb(self, instance):
    """Convert an instance's NSS database to SQL format and export its CA cert.

    No-op when the instance has no ``nssdb_dir``.  Otherwise the DBM-to-SQL
    conversion is attempted (``needs_conversion()`` decides whether there is
    anything to do), after which the database is reopened on the token named
    in the SSL server cert nickname and the CA certificate is written to
    ``<nssdb_dir>/ca.crt``.
    """
    db_dir = instance.nssdb_dir
    if not os.path.exists(db_dir):
        return

    logger.info('Migrating %s instance to NSS SQL database', instance.name)

    db = instance.open_nssdb()
    try:
        # needs_conversion() encodes the "target is sql and DB is dbm" test,
        # so the decision is not duplicated here.
        if db.needs_conversion():
            db.convert_db()
    finally:
        db.close()

    ca_path = os.path.join(db_dir, 'ca.crt')
    full_nickname = instance.get_sslserver_cert_nickname()

    # A "token:nickname" form names the token explicitly; a bare nickname
    # is looked up on the internal token.
    token, has_token, _ = full_nickname.partition(':')
    if not has_token:
        token = pki.nssdb.INTERNAL_TOKEN_NAME

    # The first handle was opened without a token argument; reopen on the
    # token that holds the SSL server cert before extracting from it.
    db = instance.open_nssdb(token=token)
    try:
        db.extract_ca_cert(ca_path, full_nickname)
    finally:
        db.close()
def migrate_nssdb(self, instance):
    """Convert an instance's NSS database to SQL format and export its CA cert.

    Returns immediately when the instance has no ``nssdb_dir``.  Otherwise a
    single NSS DB handle is used for both steps: the DBM-to-SQL conversion
    (only if ``needs_conversion()`` reports it is needed) and writing the CA
    certificate for the SSL server cert nickname to ``<nssdb_dir>/ca.crt``.
    The handle is always closed, even if either step raises.
    """
    if not os.path.exists(instance.nssdb_dir):
        return

    logger.info('Migrating %s instance to NSS SQL database', instance.name)

    db = instance.open_nssdb()
    try:
        # needs_conversion() encodes the "target is sql and DB is dbm" test.
        if db.needs_conversion():
            db.convert_db()
        # Same handle is reused for the CA export; released in `finally`.
        target = os.path.join(instance.nssdb_dir, 'ca.crt')
        db.extract_ca_cert(target, instance.get_sslserver_cert_nickname())
    finally:
        db.close()
def migrate_server_xml_to_tomcat85(self, instance, document):
    """Upgrade a server.xml tree from the Tomcat 8.0 layout to Tomcat 8.5.

    Runs the 8.0 migration first, then, in place on ``document``:

    * tidies the boiler-plate comments inside each ``<Service>`` — drops the
      PKI secure-port placeholder comments, trims the HTTP connector note and
      re-indents the commented-out AJP sample;
    * for every ``secure="true"`` Connector, sets the JSS
      ``sslImplementationName``, strips the connector-level TLS attributes and
      moves the keystore/verification settings into an
      ``<SSLHostConfig>``/``<Certificate>`` pair (created if absent).

    :param instance: PKI instance; only ``get_sslserver_cert_nickname()`` is
        used, as the ``certificateKeyAlias``.
    :param document: parsed ``etree`` document of the instance's server.xml.
    """
    self.migrate_server_xml_to_tomcat80(instance, document)
    root = document.getroot()

    # Any <Service> comment containing one of these markers is removed.
    drop_markers = (
        'Shared Ports: Agent, EE, and Admin Secure Port Connector',
        'DO NOT REMOVE - Begin define PKI secure port',
        'DO NOT REMOVE - End define PKI secure port',
    )

    for service in root.findall('Service'):
        # Iterate over a snapshot: the loop removes nodes from `service`.
        for node in list(service):
            if not isinstance(node, etree._Comment):  # pylint: disable=protected-access
                continue
            text = node.text
            if 'Java HTTP Connector: /docs/config/http.html' in text:
                node.text = text.replace(' (blocking & non-blocking)', '')
            elif any(marker in text for marker in drop_markers):
                service.remove(node)
            elif 'protocol="AJP/1.3"' in text:
                # Re-indent the attribute lines of the commented-out AJP sample.
                node.text = re.sub(r'^ *([^ ]+)=', r' \g<1>=', text, flags=re.MULTILINE)

    logger.debug('* adding SSLHostConfig')

    # Connector attributes that Tomcat 8.5 takes on SSLHostConfig/Certificate instead.
    legacy_attrs = (
        'sslProtocol',
        'clientAuth',
        'keystoreType',
        'keystoreProvider',
        'keyAlias',
        'trustManagerClassName',
    )

    for connector in root.findall('Service/Connector'):
        if connector.get('secure') != 'true':
            continue

        connector.set('sslImplementationName', 'org.dogtagpki.tomcat.JSSImplementation')
        for attr in legacy_attrs:
            connector.attrib.pop(attr, None)

        existing_configs = connector.findall('SSLHostConfig')
        host_config = (existing_configs[0] if existing_configs
                       else etree.SubElement(connector, 'SSLHostConfig'))
        # NOTE(review): 'SSL' here is the context name handed to the JSS
        # implementation; confirm it does not limit the enabled TLS versions.
        host_config.set('sslProtocol', 'SSL')
        # 'optional': Tomcat requests a client certificate but proceeds
        # without one; presented certificates are still verified.
        host_config.set('certificateVerification', 'optional')
        host_config.attrib.pop('trustManagerClassName', None)

        existing_certs = host_config.findall('Certificate')
        certificate = (existing_certs[0] if existing_certs
                       else etree.SubElement(host_config, 'Certificate'))
        # Keys stay in the NSS DB behind the PKCS#11 provider; no key file on disk.
        certificate.set('certificateKeystoreType', 'pkcs11')
        certificate.set('certificateKeystoreProvider', 'Mozilla-JSS')
        # The alias is the SSL server cert nickname as configured (it may
        # carry a "token:" prefix).
        certificate.set('certificateKeyAlias', instance.get_sslserver_cert_nickname())
def migrate_server_xml_to_tomcat80(self, instance, document):
    """Rewrite a Tomcat 7-era server.xml tree in place for Tomcat 8.0.

    Three passes over the parsed ``etree`` document:

    1. Walk the direct children of ``<Server>``: remove the Tomcat 7
       listeners and comments that no longer apply, and note which of the
       Tomcat 8 listeners are already present so they are not added twice.
    2. Insert the missing listeners (VersionLogger, JreMemoryLeakPrevention,
       ThreadLocalLeakPrevention) and the SecurityListener *comment* — the
       SecurityListener itself is left commented out, i.e. not enabled — at
       the positions computed below (top of ``<Server>``, and just before /
       after GlobalResourcesLifecycleListener when one exists).
    3. Point every ``secure="true"`` Connector at the PKI NIO protocol, the
       PKCS#11/JSS keystore and the PKI trust manager, dropping the
       file-based keystore attributes; set the AccessLogValve prefix.

    :param instance: PKI instance; only ``get_sslserver_cert_nickname()`` is
        used, to set the connector ``keyAlias``.
    :param document: parsed ``etree`` document of the instance's server.xml.
    """
    server = document.getroot()

    # Candidate nodes to insert.  Each is reset to None in the scan below if
    # an equivalent node is already present in the file.
    version_logger_listener = etree.Element('Listener')
    version_logger_listener.set(
        'className', 'org.apache.catalina.startup.VersionLoggerListener')

    # Inserted as a comment only: the SecurityListener stays disabled.
    security_listener_comment = etree.Comment(
        ''' Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> ''')

    jre_memory_leak_prevention_listener = etree.Element('Listener')
    jre_memory_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.JreMemoryLeakPreventionListener')

    # Set to the existing element (if any); used as the anchor for the
    # insert positions below.
    global_resources_lifecycle_listener = None

    thread_local_leak_prevention_listener = etree.Element('Listener')
    thread_local_leak_prevention_listener.set(
        'className', 'org.apache.catalina.core.ThreadLocalLeakPreventionListener')

    prevent_comment = etree.Comment(
        ' Prevent memory leaks due to use of particular java/javax APIs')

    # Iterate over a snapshot: the loop removes children from `server`.
    children = list(server)
    for child in children:
        if isinstance(child, etree._Comment):  # pylint: disable=protected-access
            if 'org.apache.catalina.security.SecurityListener' in child.text:
                security_listener_comment = None
            elif 'Initialize Jasper prior to webapps are loaded.' in child.text:
                server.remove(child)
            elif 'JMX Support for the Tomcat server.' in child.text:
                server.remove(child)
            elif 'The following class has been commented out because it' in child.text:
                server.remove(child)
            elif 'has been EXCLUDED from the Tomcat 7 \'tomcat-lib\' RPM!' in child.text:
                server.remove(child)
            elif 'org.apache.catalina.mbeans.ServerLifecycleListener' in child.text:
                server.remove(child)
            elif 'Prevent memory leaks due to use of particular java/javax APIs' in child.text:
                prevent_comment = None
        elif child.tag == 'Listener':
            class_name = child.get('className')
            # Tomcat 7-only listeners are removed outright.
            if class_name == 'org.apache.catalina.core.JasperListener'\
                    or class_name == 'org.apache.catalina.mbeans.ServerLifecycleListener':
                logger.debug('* removing %s', class_name)
                server.remove(child)
            elif class_name == 'org.apache.catalina.startup.VersionLoggerListener':
                version_logger_listener = None
            elif class_name == 'org.apache.catalina.core.JreMemoryLeakPreventionListener':
                jre_memory_leak_prevention_listener = None
            elif class_name == 'org.apache.catalina.mbeans.GlobalResourcesLifecycleListener':
                global_resources_lifecycle_listener = child
            elif class_name == 'org.apache.catalina.core.ThreadLocalLeakPreventionListener':
                thread_local_leak_prevention_listener = None

    # add at the top
    index = 0
    if version_logger_listener is not None:
        logger.debug('* adding VersionLoggerListener')
        server.insert(index, version_logger_listener)
        index += 1
    if security_listener_comment is not None:
        server.insert(index, security_listener_comment)
        index += 1

    # add before GlobalResourcesLifecycleListener if exists
    # (position is re-read here because the inserts above shifted it;
    # without that anchor the inserts simply continue after the top block)
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener)
    if prevent_comment is not None:
        server.insert(index, prevent_comment)
        index += 1
    if jre_memory_leak_prevention_listener is not None:
        logger.debug('* adding JreMemoryLeakPreventionListener')
        server.insert(index, jre_memory_leak_prevention_listener)
        index += 1

    # add after GlobalResourcesLifecycleListener if exists
    if global_resources_lifecycle_listener is not None:
        index = list(server).index(global_resources_lifecycle_listener) + 1
    if thread_local_leak_prevention_listener is not None:
        logger.debug('* adding ThreadLocalLeakPreventionListener')
        server.insert(index, thread_local_leak_prevention_listener)
        index += 1

    logger.debug('* updating secure Connector')
    connectors = server.findall('Service/Connector')
    for connector in connectors:
        if connector.get('secure') != 'true':
            continue
        connector.set('protocol', 'org.dogtagpki.tomcat.Http11NioProtocol')
        connector.attrib.pop('sslImplementationName', None)
        # Keys are served from the NSS DB via PKCS#11; the file-based
        # keystore and its password file are no longer referenced.
        connector.set('keystoreType', 'pkcs11')
        connector.set('keystoreProvider', 'Mozilla-JSS')
        connector.attrib.pop('keystoreFile', None)
        connector.attrib.pop('keystorePassFile', None)
        full_name = instance.get_sslserver_cert_nickname()
        connector.set('keyAlias', full_name)
        connector.set('trustManagerClassName', 'org.dogtagpki.tomcat.PKITrustManager')

    logger.debug('* updating AccessLogValve')
    valves = server.findall('Service/Engine/Host/Valve')
    for valve in valves:
        if valve.get('className') == 'org.apache.catalina.valves.AccessLogValve':
            valve.set('prefix', 'localhost_access_log')
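def execute(self, argv):
    """Export a subsystem certificate, its CSR and/or a PKCS #12 bundle.

    ``argv`` is the option/argument list (no program name).  The single
    positional argument is the cert ID; at least one of ``--cert-file``,
    ``--csr-file`` or ``--pkcs12-file`` must be given and each one present
    triggers the corresponding export.

    Certificate and CSR data come from the subsystem's stored cert record
    (``cert['data']`` / ``cert['request']``, base64) and are written as PEM.
    The PKCS #12 export goes through the instance NSS database and, by
    default, includes the private key and the chain (``--no-key`` /
    ``--no-chain`` opt out).  The PKCS #12 password is taken from
    ``--pkcs12-password``, ``--pkcs12-password-file`` or, failing both, an
    interactive prompt.

    Exits with status 1 on bad options or a missing instance, subsystem,
    certificate or output file; ``--help`` exits with status 0.
    """
    try:
        opts, args = getopt.gnu_getopt(argv, 'i:v', [
            'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=',
            'pkcs12-password=', 'pkcs12-password-file=', 'friendly-name=',
            'cert-encryption=', 'key-encryption=', 'append',
            'no-trust-flags', 'no-key', 'no-chain',
            'verbose', 'debug', 'help'])
    except getopt.GetoptError as e:
        logger.error(e)
        self.print_help()
        sys.exit(1)

    instance_name = 'pki-tomcat'
    cert_file = None
    csr_file = None
    pkcs12_file = None
    pkcs12_password = None
    pkcs12_password_file = None
    friendly_name = None
    cert_encryption = None
    key_encryption = None
    append = False
    include_trust_flags = True
    include_key = True
    include_chain = True

    for o, a in opts:
        if o in ('-i', '--instance'):
            instance_name = a
        elif o == '--cert-file':
            cert_file = a
        elif o == '--csr-file':
            csr_file = a
        elif o == '--pkcs12-file':
            pkcs12_file = a
        elif o == '--pkcs12-password':
            # Passed on the command line, so visible to other local users via
            # the process table; --pkcs12-password-file or the prompt avoid that.
            pkcs12_password = a
        elif o == '--pkcs12-password-file':
            pkcs12_password_file = a
        elif o == '--friendly-name':
            friendly_name = a
        elif o == '--cert-encryption':
            cert_encryption = a
        elif o == '--key-encryption':
            key_encryption = a
        elif o == '--append':
            append = True
        elif o == '--no-trust-flags':
            include_trust_flags = False
        elif o == '--no-key':
            include_key = False
        elif o == '--no-chain':
            include_chain = False
        elif o == '--debug':
            logging.getLogger().setLevel(logging.DEBUG)
        elif o in ('-v', '--verbose'):
            logging.getLogger().setLevel(logging.INFO)
        elif o == '--help':
            self.print_help()
            sys.exit()
        else:
            logger.error('option %s not recognized', o)
            self.print_help()
            sys.exit(1)

    if not args:
        logger.error('Missing cert ID.')
        self.print_help()
        sys.exit(1)
    cert_id = args[0]

    if not (cert_file or csr_file or pkcs12_file):
        logger.error('missing output file')
        self.print_help()
        sys.exit(1)

    instance = pki.server.instance.PKIInstance(instance_name)
    if not instance.exists():
        logger.error('Invalid instance %s.', instance_name)
        sys.exit(1)
    instance.load()

    subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id)

    # If cert ID is instance specific, get it from first subsystem
    if not subsystem_name:
        subsystems = instance.get_subsystems()
        if not subsystems:
            # Previously an unguarded [0] — an instance with no subsystems
            # would have raised IndexError instead of a clean error.
            logger.error('No subsystems in instance %s.', instance_name)
            sys.exit(1)
        subsystem_name = subsystems[0].name

    subsystem = instance.get_subsystem(subsystem_name)
    if not subsystem:
        logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name)
        sys.exit(1)

    cert = subsystem.get_subsystem_cert(cert_tag)
    if not cert:
        logger.error('missing %s certificate', cert_id)
        self.print_help()
        sys.exit(1)

    if cert_id == 'sslserver':
        # The SSL server cert nickname may be "token:nickname"; split it so the
        # NSS DB is opened on the right token.  A bare nickname means token None.
        full_name = instance.get_sslserver_cert_nickname()
        token, separator, nickname = full_name.partition(':')
        if not separator:
            nickname = full_name
            token = None
    else:
        # get nickname and token from CS.cfg
        nickname = cert['nickname']
        token = cert['token']

    logger.info('Nickname: %s', nickname)
    logger.info('Token: %s', token)

    nssdb = instance.open_nssdb(token)
    try:
        if cert_file:
            logger.info('Exporting %s certificate into %s.', cert_id, cert_file)
            cert_data = cert.get('data')
            if cert_data is None:
                logger.error('Unable to find certificate data for %s', cert_id)
                sys.exit(1)
            cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
            with open(cert_file, 'w') as f:
                f.write(cert_data)

        if csr_file:
            logger.info('Exporting %s CSR into %s.', cert_id, csr_file)
            cert_request = cert.get('request')
            if cert_request is None:
                logger.error('Unable to find certificate request for %s', cert_id)
                sys.exit(1)
            csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
            with open(csr_file, 'w') as f:
                f.write(csr_data)

        if pkcs12_file:
            logger.info('Exporting %s certificate and key into %s.', cert_id, pkcs12_file)

            # Prompt only when neither password source was supplied; the
            # password itself is never logged.
            if not pkcs12_password and not pkcs12_password_file:
                pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ')

            logger.info('Friendly name: %s', friendly_name)

            # NOTE(review): the bundle carries the private key unless --no-key
            # was given; the output file's permissions are whatever
            # export_cert creates — confirm it restricts them.
            nssdb.export_cert(
                nickname=nickname,
                pkcs12_file=pkcs12_file,
                pkcs12_password=pkcs12_password,
                pkcs12_password_file=pkcs12_password_file,
                friendly_name=friendly_name,
                cert_encryption=cert_encryption,
                key_encryption=key_encryption,
                append=append,
                include_trust_flags=include_trust_flags,
                include_key=include_key,
                include_chain=include_chain)
    finally:
        nssdb.close()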