def remove_temp_sslserver_cert(self, instance, sslserver):
# TODO: replace with pki-server cert-import sslserver
nickname = sslserver['nickname']
token = sslserver['token']
config.pki_log.info(
"removing temp SSL server cert from internal token: %s",
nickname,
extra=config.PKI_INDENTATION_LEVEL_2)
nssdb = instance.open_nssdb()
try:
# Remove temp SSL server cert from internal token.
# Remove temp key too if the perm cert uses HSM.
if pki.nssdb.normalize_token(token):
remove_key = True
else:
remove_key = False
nssdb.remove_cert(nickname=nickname, remove_key=remove_key)
finally:
nssdb.close()
def remove_temp_sslserver_cert(self, deployer, instance, sslserver):
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
# Modify contents of 'serverCertNick.conf' (if necessary)
deployer.servercertnick_conf.modify()
# TODO: replace with pki-server cert-import sslserver
nickname = sslserver['nickname']
token = deployer.mdict['pki_token_name']
config.pki_log.info(
"removing temp SSL server cert from internal token: %s",
nickname,
extra=config.PKI_INDENTATION_LEVEL_2)
nssdb = instance.open_nssdb()
try:
# Remove temp SSL server cert from internal token.
# Remove temp key too if the perm cert uses HSM.
if not token or token == 'internal':
remove_key = False
else:
remove_key = True
nssdb.remove_cert(nickname, remove_key=remove_key)
finally:
nssdb.close()
def remove_temp_sslserver_cert(self, instance, sslserver):
# TODO: replace with pki-server cert-import sslserver
nickname = sslserver['nickname']
token = sslserver['token']
logger.info(
'Removing temp SSL server cert from internal token: %s',
nickname)
nssdb = instance.open_nssdb()
try:
# Remove temp SSL server cert from internal token.
# Remove temp key too if the perm cert uses HSM.
if pki.nssdb.normalize_token(token):
remove_key = True
else:
remove_key = False
nssdb.remove_cert(
nickname=nickname,
remove_key=remove_key)
finally:
nssdb.close()
def cert_del(self, cert_id, remove_key=False):
"""
Delete a cert from NSS db
:param cert_id: Cert ID
:type cert_id: str
:param remove_key: Remove associate private key
:type remove_key: bool
"""
subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id)
if not subsystem_name:
subsystem_name = self.get_subsystems()[0].name
subsystem = self.get_subsystem(subsystem_name)
cert = subsystem.get_subsystem_cert(cert_tag)
nssdb = self.open_nssdb()
try:
logger.debug('Removing %s certificate from NSS database from '
'subsystem %s in instance %s', cert_tag, subsystem.name, self.name)
nssdb.remove_cert(
nickname=cert['nickname'],
token=cert['token'],
remove_key=remove_key)
finally:
nssdb.close()
def remove_cert(self, instance, nickname, token):
nssdb = instance.open_nssdb()
try:
nssdb.remove_cert(
nickname=nickname,
token=token)
finally:
nssdb.close()
def remove_cert(self, instance, nickname, token):
nssdb = instance.open_nssdb()
try:
nssdb.remove_cert(
nickname=nickname,
token=token)
finally:
nssdb.close()
def replace_sslserver_cert(self, deployer, instance, sslserver):
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
# Modify contents of 'serverCertNick.conf' (if necessary)
deployer.servercertnick_conf.modify()
# TODO: replace with pki-server cert-import sslserver
nickname = sslserver['nickname']
config.pki_log.info(
"removing temp SSL server cert from internal token: %s",
nickname,
extra=config.PKI_INDENTATION_LEVEL_2)
nssdb = instance.open_nssdb()
try:
# remove temp SSL server cert but keep the key
nssdb.remove_cert(nickname)
finally:
nssdb.close()
token = deployer.mdict['pki_token_name']
config.pki_log.info(
"importing permanent SSL server cert into %s token: %s",
token,
nickname,
extra=config.PKI_INDENTATION_LEVEL_2)
tmpdir = tempfile.mkdtemp()
nssdb = instance.open_nssdb(token)
try:
pem_cert = pki.nssdb.convert_cert(sslserver['cert'], 'base64',
'pem')
cert_file = os.path.join(tmpdir, 'sslserver.crt')
with open(cert_file, 'w') as f:
f.write(pem_cert)
nssdb.add_cert(nickname, cert_file)
finally:
nssdb.close()
shutil.rmtree(tmpdir)
def cert_del(self, cert_tag, remove_key=False):
"""
Delete a cert from NSS db
:param cert_tag: Cert Tag
:param remove_key: Remove associate private key
"""
cert = self.get_subsystem_cert(cert_tag)
nssdb = self.instance.open_nssdb()
try:
logger.debug('Removing %s certificate from NSS database for '
'subsystem %s instance %s', cert_tag, self.name, self.instance)
nssdb.remove_cert(
nickname=cert['nickname'],
token=cert['token'],
remove_key=remove_key)
finally:
nssdb.close()
def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'v', [
'pkcs12=', 'password='******'password-file=', 'pkcs12-file=',
'pkcs12-password='******'pkcs12-password-file=', 'no-trust-flags',
'no-user-certs', 'no-ca-certs', 'overwrite', 'verbose',
'debug', 'help'
])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
pkcs12_file = None
pkcs12_password = None
password_file = None
no_trust_flags = False
import_user_certs = True
import_ca_certs = True
overwrite = False
for o, a in opts:
if o == '--pkcs12':
pkcs12_file = a
elif o == '--pkcs12-file':
pkcs12_file = a
elif o == '--password':
pkcs12_password = a
elif o == '--pkcs12-password':
pkcs12_password = a
elif o == '--password-file':
password_file = a
elif o == '--pkcs12-password-file':
password_file = a
elif o == '--no-trust-flags':
no_trust_flags = True
elif o == '--no-user-certs':
import_user_certs = False
elif o == '--no-ca-certs':
import_ca_certs = False
elif o == '--overwrite':
overwrite = True
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('Invalid option: %s', o)
self.print_help()
sys.exit(1)
if not pkcs12_file:
logger.error('Missing PKCS #12 file')
self.print_help()
sys.exit(1)
if not pkcs12_password and not password_file:
logger.error('Missing PKCS #12 password')
self.print_help()
sys.exit(1)
main_cli = self.parent.parent
# Due to JSS limitation, CA certificates need to be imported
# using certutil in order to preserve the nickname stored in
# the PKCS #12 file.
logger.info('Certificates in PKCS #12 file:')
certs = []
tmpdir = tempfile.mkdtemp()
try:
# find all certs in PKCS #12 file
output_file = os.path.join(tmpdir, 'pkcs12-cert-find.txt')
with open(output_file, 'wb') as f:
cmd = ['pkcs12-cert-find']
if pkcs12_file:
cmd.extend(['--pkcs12', pkcs12_file])
if pkcs12_password:
cmd.extend(['--password', pkcs12_password])
if password_file:
cmd.extend(['--password-file', password_file])
if logger.isEnabledFor(logging.DEBUG):
cmd.extend(['--debug'])
elif logger.isEnabledFor(logging.INFO):
cmd.extend(['--verbose'])
main_cli.execute_java(cmd, stdout=f)
# parse results
with open(output_file, 'r') as f:
cert_info = {}
for line in f:
match = re.match(r' Certificate ID: (.*)$', line)
if match:
cert_info = {}
cert_info['id'] = match.group(1)
certs.append(cert_info)
continue
match = re.match(r' Friendly Name: (.*)$', line)
if match:
nickname = match.group(1)
cert_info['nickname'] = nickname
logger.info('- %s', nickname)
continue
match = re.match(r' Trust Flags: (.*)$', line)
if match:
cert_info['trust_flags'] = match.group(1)
continue
match = re.match(r' Has Key: (.*)$', line)
if match:
cert_info['has_key'] = match.group(1) == 'true'
continue
finally:
shutil.rmtree(tmpdir)
# import CA certificates if requested
if import_ca_certs:
logger.info('Importing CA certificates:')
tmpdir = tempfile.mkdtemp()
try:
cert_file = os.path.join(tmpdir, 'ca-cert.pem')
nssdb = pki.nssdb.NSSDatabase(
main_cli.database,
token=main_cli.token,
password=main_cli.password,
password_file=main_cli.password_file,
password_conf=main_cli.password_conf)
for cert_info in certs:
has_key = cert_info['has_key']
if has_key:
continue
cert_id = cert_info['id']
nickname = cert_info['nickname']
logger.info('- %s', nickname)
cert = nssdb.get_cert(nickname=nickname)
if cert:
if not overwrite:
logger.warning('Certificate already exists: %s',
nickname)
continue
nssdb.remove_cert(nickname=nickname)
if 'trust_flags' in cert_info:
trust_flags = cert_info['trust_flags']
else:
# default trust flags for CA certificates
trust_flags = 'CT,C,C'
logger.info('Exporting %s (%s) from PKCS #12 file',
nickname, cert_id)
cmd = ['pkcs12-cert-export']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
cmd.extend(['--cert-file', cert_file])
cmd.extend(['--cert-id', cert_id])
if logger.isEnabledFor(logging.DEBUG):
cmd.extend(['--debug'])
elif logger.isEnabledFor(logging.INFO):
cmd.extend(['-v'])
main_cli.execute_java(cmd)
logger.info('Importing %s', nickname)
nssdb.add_cert(nickname=nickname,
cert_file=cert_file,
trust_attributes=trust_flags)
finally:
shutil.rmtree(tmpdir)
# import user certificates if requested
if import_user_certs:
logger.info('Importing user certificates:')
nicknames = []
for cert_info in certs:
has_key = cert_info['has_key']
if not has_key:
continue
nickname = cert_info['nickname']
logger.info('- %s', nickname)
if nickname not in nicknames:
nicknames.append(nickname)
cmd = ['pkcs12-import']
if pkcs12_file:
cmd.extend(['--pkcs12', pkcs12_file])
if pkcs12_password:
cmd.extend(['--password', pkcs12_password])
if password_file:
cmd.extend(['--password-file', password_file])
if no_trust_flags:
cmd.extend(['--no-trust-flags'])
if overwrite:
cmd.extend(['--overwrite'])
if logger.isEnabledFor(logging.DEBUG):
cmd.extend(['--debug'])
elif logger.isEnabledFor(logging.INFO):
cmd.extend(['-v'])
cmd.extend(nicknames)
with open(os.devnull, 'w') as f:
main_cli.execute_java(cmd, stdout=f)
def execute(self, argv):
logging.basicConfig(format='%(levelname)s: %(message)s')
try:
opts, args = getopt.gnu_getopt(
argv, 'i:v',
['instance=', 'remove-key', 'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
instance_name = 'pki-tomcat'
remove_key = False
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o == '--remove-key':
remove_key = True
elif o in ('-v', '--verbose'):
self.set_verbose(True)
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
self.set_verbose(True)
self.set_debug(True)
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('option %s not recognized', o)
self.print_help()
sys.exit(1)
if len(args) < 1:
logger.error('Missing cert ID.')
self.print_help()
sys.exit(1)
cert_id = args[0]
instance = server.PKIInstance(instance_name)
if not instance.is_valid():
logger.error('Invalid instance %s.', instance_name)
sys.exit(1)
# Load the instance. Default: pki-tomcat
instance.load()
if cert_id == 'sslserver' or cert_id == 'subsystem':
subsystem_name = None
cert_tag = cert_id
else:
parts = cert_id.split('_', 1)
subsystem_name = parts[0]
cert_tag = parts[1]
# If cert ID is instance specific, get it from first subsystem
if not subsystem_name:
subsystem_name = instance.subsystems[0].name
subsystem = instance.get_subsystem(subsystem_name)
if not subsystem:
logger.error('No %s subsystem in instance %s.', subsystem_name,
instance_name)
sys.exit(1)
cert = subsystem.get_subsystem_cert(cert_tag)
nssdb = instance.open_nssdb()
try:
logger.info('Removing %s certificate from NSS database', cert_id)
nssdb.remove_cert(nickname=cert['nickname'],
token=cert['token'],
remove_key=remove_key)
finally:
nssdb.close()
def create_temp_sslserver_cert(self, deployer, instance):
if len(deployer.instance.tomcat_instance_subsystems()) > 1:
return False
nickname = deployer.mdict['pki_sslserver_nickname']
instance.set_sslserver_cert_nickname(nickname)
tmpdir = tempfile.mkdtemp()
nssdb = instance.open_nssdb()
try:
logger.info('Checking existing SSL server cert: %s', nickname)
pem_cert = nssdb.get_cert(nickname=nickname)
if pem_cert:
cert = x509.load_pem_x509_certificate(pem_cert, default_backend())
cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0]
hostname = cn.value
logger.info('Existing SSL server cert is for %s', hostname)
# if hostname is correct, don't create temp cert
if hostname == deployer.mdict['pki_hostname']:
return False
logger.info('Removing SSL server cert for %s', hostname)
nssdb.remove_cert(
nickname=nickname,
remove_key=True)
logger.info('Creating temp SSL server cert for %s', deployer.mdict['pki_hostname'])
# TODO: replace with pki-server create-cert sslserver --temp
# NOTE: ALWAYS create the temporary sslserver certificate
# in the software DB regardless of whether the
# instance will utilize 'softokn' or an HSM
csr_file = os.path.join(tmpdir, 'sslserver.csr')
cert_file = os.path.join(tmpdir, 'sslserver.crt')
nssdb.create_request(
subject_dn=deployer.mdict['pki_self_signed_subject'],
request_file=csr_file,
token=deployer.mdict['pki_self_signed_token'],
key_type=deployer.mdict['pki_sslserver_key_type'],
key_size=deployer.mdict['pki_sslserver_key_size']
)
nssdb.create_cert(
request_file=csr_file,
cert_file=cert_file,
serial=deployer.mdict['pki_self_signed_serial_number'],
validity=deployer.mdict['pki_self_signed_validity_period']
)
nssdb.add_cert(
nickname=nickname,
cert_file=cert_file,
token=deployer.mdict['pki_self_signed_token'],
trust_attributes=deployer.mdict['pki_self_signed_trustargs']
)
return True
finally:
nssdb.close()
shutil.rmtree(tmpdir)
def execute(self, argv):
logging.basicConfig(format='%(levelname)s: %(message)s')
try:
opts, _ = getopt.gnu_getopt(argv, 'v', [
'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=',
'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
pkcs12_file = None
pkcs12_password = None
password_file = None
no_trust_flags = False
import_user_certs = True
import_ca_certs = True
overwrite = False
for o, a in opts:
if o == '--pkcs12-file':
pkcs12_file = a
elif o == '--pkcs12-password':
pkcs12_password = a
elif o == '--pkcs12-password-file':
password_file = a
elif o == '--no-trust-flags':
no_trust_flags = True
elif o == '--no-user-certs':
import_user_certs = False
elif o == '--no-ca-certs':
import_ca_certs = False
elif o == '--overwrite':
overwrite = True
elif o in ('-v', '--verbose'):
self.set_verbose(True)
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
self.set_debug(True)
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('option %s not recognized', o)
self.print_help()
sys.exit(1)
if not pkcs12_file:
logger.error('Missing PKCS #12 file')
self.print_help()
sys.exit(1)
if not pkcs12_password and not password_file:
logger.error('Missing PKCS #12 password')
self.print_help()
sys.exit(1)
main_cli = self.parent.parent
# Due to JSS limitation, CA certificates need to be imported
# using certutil in order to preserve the nickname stored in
# the PKCS #12 file.
logger.info('Getting certificate infos in PKCS #12 file')
certs = []
tmpdir = tempfile.mkdtemp()
try:
# find all certs in PKCS #12 file
output_file = os.path.join(tmpdir, 'pkcs12-cert-find.txt')
with open(output_file, 'wb') as f:
cmd = ['pkcs12-cert-find']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
if self.verbose:
cmd.extend(['--verbose'])
if self.debug:
cmd.extend(['--debug'])
main_cli.execute_java(cmd, stdout=f)
# parse results
with open(output_file, 'r') as f:
cert_info = {}
for line in f:
match = re.match(r' Certificate ID: (.*)$', line)
if match:
cert_info = {}
cert_info['id'] = match.group(1)
certs.append(cert_info)
continue
match = re.match(r' Friendly Name: (.*)$', line)
if match:
cert_info['nickname'] = match.group(1)
continue
match = re.match(r' Trust Flags: (.*)$', line)
if match:
cert_info['trust_flags'] = match.group(1)
continue
match = re.match(r' Has Key: (.*)$', line)
if match:
cert_info['has_key'] = match.group(1) == 'true'
continue
finally:
shutil.rmtree(tmpdir)
# import CA certificates if requested
if import_ca_certs:
logger.info('Importing CA certificates')
tmpdir = tempfile.mkdtemp()
try:
cert_file = os.path.join(tmpdir, 'ca-cert.pem')
nssdb = pki.nssdb.NSSDatabase(
main_cli.database,
token=main_cli.token,
password=main_cli.password,
password_file=main_cli.password_file)
for cert_info in certs:
has_key = cert_info['has_key']
if has_key:
continue
cert_id = cert_info['id']
nickname = cert_info['nickname']
cert = nssdb.get_cert(
nickname=nickname)
if cert:
if not overwrite:
logger.warning('cert %s already exists', nickname)
continue
nssdb.remove_cert(
nickname=nickname)
if 'trust_flags' in cert_info:
trust_flags = cert_info['trust_flags']
else:
# default trust flags for CA certificates
trust_flags = 'CT,C,C'
logger.info('Exporting %s (%s) from PKCS #12 file', nickname, cert_id)
cmd = ['pkcs12-cert-export']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
cmd.extend(['--cert-file', cert_file])
cmd.extend(['--cert-id', cert_id])
if self.verbose:
cmd.extend(['--verbose'])
if self.debug:
cmd.extend(['--debug'])
main_cli.execute_java(cmd)
logger.info('Importing %s', nickname)
nssdb.add_cert(
nickname=nickname,
cert_file=cert_file,
trust_attributes=trust_flags)
finally:
shutil.rmtree(tmpdir)
# import user certificates if requested
if import_user_certs:
logger.info('Importing user certificates')
nicknames = []
for cert_info in certs:
has_key = cert_info['has_key']
if not has_key:
continue
nickname = cert_info['nickname']
if nickname not in nicknames:
nicknames.append(nickname)
cmd = ['pkcs12-import']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
if no_trust_flags:
cmd.extend(['--no-trust-flags'])
if overwrite:
cmd.extend(['--overwrite'])
if self.verbose:
cmd.extend(['--verbose'])
if self.debug:
cmd.extend(['--debug'])
cmd.extend(nicknames)
with open(os.devnull, 'w') as f:
main_cli.execute_java(cmd, stdout=f)
self.print_message('Import complete')
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(
argv, 'i:v', ['instance=', 'verbose', 'help', 'cert='])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
instance_name = 'pki-tomcat'
cert_file = None
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.usage()
sys.exit()
elif o == '--cert':
cert_file = a
else:
print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
if len(args) < 1:
print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
if len(args) < 2:
print('ERROR: missing cert ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
cert_id = args[1]
instance = pki.server.PKIInstance(instance_name)
if not instance.is_valid():
print('ERROR: Invalid instance %s.' % instance_name)
sys.exit(1)
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
if not subsystem:
print('ERROR: No %s subsystem in instance '
'%s.' % (subsystem_name, instance_name))
sys.exit(1)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
if self.verbose:
print('Retrieving certificate %s from %s' %
(subsystem_cert['nickname'], subsystem_cert['token']))
token = subsystem_cert['token']
nssdb = instance.open_nssdb(token)
if cert_file:
if not os.path.isfile(cert_file):
print('ERROR: %s certificate does not exist.' % cert_file)
self.usage()
sys.exit(1)
data = nssdb.get_cert(nickname=subsystem_cert['nickname'],
output_format='base64')
if data:
if self.verbose:
print('Removing old %s certificate from database.' %
subsystem_cert['nickname'])
nssdb.remove_cert(nickname=subsystem_cert['nickname'])
if self.verbose:
print('Adding new %s certificate into database.' %
subsystem_cert['nickname'])
nssdb.add_cert(nickname=subsystem_cert['nickname'],
cert_file=cert_file)
# Retrieve the cert info from NSSDB
# Note: This reloads `data` object if --cert option is provided
data = nssdb.get_cert(nickname=subsystem_cert['nickname'],
output_format='base64')
subsystem_cert['data'] = data
# format cert data for LDAP database
lines = [data[i:i + 64] for i in range(0, len(data), 64)]
data = '\r\n'.join(lines) + '\r\n'
if self.verbose:
print('Retrieving certificate request from CA database')
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
if not ca:
print('ERROR: No CA subsystem in instance %s.' % instance_name)
sys.exit(1)
results = ca.find_cert_requests(cert=data)
if results:
cert_request = results[-1]
request = cert_request['request']
# format cert request for CS.cfg
lines = request.splitlines()
if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
lines = lines[1:]
if lines[-1] == '-----END CERTIFICATE REQUEST-----':
lines = lines[:-1]
request = ''.join(lines)
subsystem_cert['request'] = request
else:
print('WARNING: Certificate request not found')
# store cert data and request in CS.cfg
subsystem.update_subsystem_cert(subsystem_cert)
subsystem.save()
self.print_message('Updated "%s" subsystem certificate' % cert_id)
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=',
'verbose', 'help',
'cert='])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
instance_name = 'pki-tomcat'
cert_file = None
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.usage()
sys.exit()
elif o == '--cert':
cert_file = a
else:
print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
if len(args) < 1:
print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
if len(args) < 2:
print('ERROR: missing cert ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
cert_id = args[1]
instance = pki.server.PKIInstance(instance_name)
if not instance.is_valid():
print('ERROR: Invalid instance %s.' % instance_name)
sys.exit(1)
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
if not subsystem:
print('ERROR: No %s subsystem in instance '
'%s.' % (subsystem_name, instance_name))
sys.exit(1)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
if self.verbose:
print('Retrieving certificate %s from %s' %
(subsystem_cert['nickname'], subsystem_cert['token']))
token = subsystem_cert['token']
nssdb = instance.open_nssdb(token)
if cert_file:
if not os.path.isfile(cert_file):
print('ERROR: %s certificate does not exist.' % cert_file)
self.usage()
sys.exit(1)
data = nssdb.get_cert(
nickname=subsystem_cert['nickname'],
output_format='base64')
if data:
if self.verbose:
print('Removing old %s certificate from database.' % subsystem_cert['nickname'])
nssdb.remove_cert(nickname=subsystem_cert['nickname'])
if self.verbose:
print('Adding new %s certificate into database.' % subsystem_cert['nickname'])
nssdb.add_cert(
nickname=subsystem_cert['nickname'],
cert_file=cert_file)
# Retrieve the cert info from NSSDB
# Note: This reloads `data` object if --cert option is provided
data = nssdb.get_cert(
nickname=subsystem_cert['nickname'],
output_format='base64')
subsystem_cert['data'] = data
# format cert data for LDAP database
lines = [data[i:i + 64] for i in range(0, len(data), 64)]
data = '\r\n'.join(lines) + '\r\n'
if self.verbose:
print('Retrieving certificate request from CA database')
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
if not ca:
print('ERROR: No CA subsystem in instance %s.' % instance_name)
sys.exit(1)
results = ca.find_cert_requests(cert=data)
if results:
cert_request = results[-1]
request = cert_request['request']
# format cert request for CS.cfg
lines = request.splitlines()
if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
lines = lines[1:]
if lines[-1] == '-----END CERTIFICATE REQUEST-----':
lines = lines[:-1]
request = ''.join(lines)
subsystem_cert['request'] = request
else:
print('WARNING: Certificate request not found')
# store cert data and request in CS.cfg
subsystem.update_subsystem_cert(subsystem_cert)
subsystem.save()
self.print_message('Updated "%s" subsystem certificate' % cert_id)
def create_temp_sslserver_cert(self, deployer, instance, token):
if len(deployer.instance.tomcat_instance_subsystems()) > 1:
return False
nssdb = instance.open_nssdb(token)
try:
nickname = deployer.mdict['pki_self_signed_nickname']
config.pki_log.info("checking existing SSL server cert: %s",
nickname,
extra=config.PKI_INDENTATION_LEVEL_2)
pem_cert = nssdb.get_cert(nickname)
if pem_cert:
cert = x509.load_pem_x509_certificate(pem_cert,
default_backend())
cn = cert.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0]
hostname = cn.value
config.pki_log.info("existing SSL server cert is for %s",
hostname,
extra=config.PKI_INDENTATION_LEVEL_2)
# if hostname is correct, don't create temp cert
if hostname == deployer.mdict['pki_hostname']:
return False
config.pki_log.info("removing SSL server cert for %s",
hostname,
extra=config.PKI_INDENTATION_LEVEL_2)
nssdb.remove_cert(nickname, remove_key=True)
config.pki_log.info("creating temp SSL server cert for %s",
deployer.mdict['pki_hostname'],
extra=config.PKI_INDENTATION_LEVEL_2)
# TODO: replace with pki-server create-cert sslserver --temp
deployer.password.create_password_conf(
deployer.mdict['pki_shared_pfile'],
deployer.mdict['pki_pin'],
pin_sans_token=True)
# only create a self signed cert for a new instance
#
# NOTE: ALWAYS create the temporary sslserver certificate
# in the software DB regardless of whether the
# instance will utilize 'softokn' or an HSM
#
# note: in the function below, certutil is used to generate
# the request for the self signed cert. The keys are generated
# by NSS, which does not actually use the data in the noise
# file, so it does not matter what is in this file. Certutil
# still requires it though, otherwise it waits for keyboard
# input
with open(deployer.mdict['pki_self_signed_noise_file'], 'w') as f:
f.write("not_so_random_data")
deployer.certutil.generate_self_signed_certificate(
deployer.mdict['pki_database_path'],
deployer.mdict['pki_cert_database'],
deployer.mdict['pki_key_database'],
deployer.mdict['pki_secmod_database'],
deployer.mdict['pki_self_signed_token'],
deployer.mdict['pki_self_signed_nickname'],
deployer.mdict['pki_self_signed_subject'],
deployer.mdict['pki_self_signed_serial_number'],
deployer.mdict['pki_self_signed_validity_period'],
deployer.mdict['pki_self_signed_issuer_name'],
deployer.mdict['pki_self_signed_trustargs'],
deployer.mdict['pki_self_signed_noise_file'],
password_file=deployer.mdict['pki_shared_pfile'])
# Delete the temporary 'noise' file
deployer.file.delete(deployer.mdict['pki_self_signed_noise_file'])
# Always delete the temporary 'pfile'
deployer.file.delete(deployer.mdict['pki_shared_pfile'])
return True
finally:
nssdb.close()
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(
argv, 'i:v', ['instance=', 'verbose', 'input=', 'help'])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
instance_name = 'pki-tomcat'
cert_file = None
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.usage()
sys.exit()
elif o == '--input':
cert_file = a
else:
self.print_message('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
if len(args) < 1:
print('ERROR: missing cert ID')
self.usage()
sys.exit(1)
cert_id = args[0]
instance = server.PKIInstance(instance_name)
if not instance.is_valid():
print('ERROR: Invalid instance %s.' % instance_name)
sys.exit(1)
# Load the instance. Default: pki-tomcat
instance.load()
subsystem_name = None
cert_tag = cert_id
if cert_id != 'sslserver' and cert_id != 'subsystem':
# To avoid ambiguity where cert ID can contain more than 1 _, we limit to one split
temp_cert_identify = cert_id.split('_', 1)
subsystem_name = temp_cert_identify[0]
cert_tag = temp_cert_identify[1]
# If cert ID is instance specific, get it from first subsystem
if not subsystem_name:
subsystem_name = instance.subsystems[0].name
# Get the subsystem - Eg: ca, kra, tps, tks
subsystem = instance.get_subsystem(subsystem_name)
if not subsystem:
print('ERROR: No %s subsystem in instance.'
'%s.' % (subsystem_name, instance_name))
sys.exit(1)
nssdb = instance.open_nssdb()
try:
cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
if not cert_file:
cert_file = os.path.join(cert_folder, cert_id + '.crt')
if not os.path.isfile(cert_file):
print('ERROR: No %s such file.' % cert_file)
self.usage()
sys.exit(1)
cert = subsystem.get_subsystem_cert(cert_tag)
# Import cert into NSS db
if self.verbose:
print('Removing old %s certificate from NSS database.' %
cert_id)
nssdb.remove_cert(cert['nickname'])
if self.verbose:
print('Adding new %s certificate into NSS database.' % cert_id)
nssdb.add_cert(nickname=cert['nickname'], cert_file=cert_file)
# Update CS.cfg with the new certificate
if self.verbose:
print('Updating CS.cfg')
data = nssdb.get_cert(nickname=cert['nickname'],
output_format='base64')
cert['data'] = data
if cert_id == 'sslserver' or cert_id == 'subsystem':
# Update all subsystem's CS.cfg
for subsystem in instance.subsystems:
subsystem.update_subsystem_cert(cert)
subsystem.save()
else:
subsystem.update_subsystem_cert(cert)
subsystem.save()
finally:
nssdb.close()
def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'v', [
'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=',
'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
'verbose', 'debug', 'help'
])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
self.print_help()
sys.exit(1)
pkcs12_file = None
pkcs12_password = None
password_file = None
no_trust_flags = False
import_user_certs = True
import_ca_certs = True
overwrite = False
debug = False
for o, a in opts:
if o == '--pkcs12-file':
pkcs12_file = a
elif o == '--pkcs12-password':
pkcs12_password = a
elif o == '--pkcs12-password-file':
password_file = a
elif o == '--no-trust-flags':
no_trust_flags = True
elif o == '--no-user-certs':
import_user_certs = False
elif o == '--no-ca-certs':
import_ca_certs = False
elif o == '--overwrite':
overwrite = True
elif o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--debug':
debug = True
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option ' + o)
self.print_help()
sys.exit(1)
if not pkcs12_file:
print('ERROR: Missing PKCS #12 file')
self.print_help()
sys.exit(1)
if not pkcs12_password and not password_file:
print('ERROR: Missing PKCS #12 password')
self.print_help()
sys.exit(1)
main_cli = self.parent.parent
# Due to JSS limitation, CA certificates need to be imported
# using certutil in order to preserve the nickname stored in
# the PKCS #12 file.
if main_cli.verbose:
print('Getting certificate infos in PKCS #12 file')
certs = []
tmpdir = tempfile.mkdtemp()
try:
# find all certs in PKCS #12 file
output_file = os.path.join(tmpdir, 'pkcs12-cert-find.txt')
with open(output_file, 'wb') as f:
cmd = ['pkcs12-cert-find']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
if self.verbose:
cmd.extend(['--verbose'])
if debug:
cmd.extend(['--debug'])
main_cli.execute_java(cmd, stdout=f)
# parse results
with open(output_file, 'r') as f:
cert_info = {}
for line in f:
match = re.match(r' Certificate ID: (.*)$', line)
if match:
cert_info = {}
cert_info['id'] = match.group(1)
certs.append(cert_info)
continue
match = re.match(r' Nickname: (.*)$', line)
if match:
cert_info['nickname'] = match.group(1)
continue
match = re.match(r' Trust Flags: (.*)$', line)
if match:
cert_info['trust_flags'] = match.group(1)
continue
match = re.match(r' Has Key: (.*)$', line)
if match:
cert_info['has_key'] = match.group(1) == 'true'
continue
finally:
shutil.rmtree(tmpdir)
# import CA certificates if requested
if import_ca_certs:
if main_cli.verbose:
print('Importing CA certificates')
tmpdir = tempfile.mkdtemp()
try:
cert_file = os.path.join(tmpdir, 'ca-cert.pem')
nssdb = pki.nssdb.NSSDatabase(
main_cli.database,
token=main_cli.token,
password=main_cli.password,
password_file=main_cli.password_file)
for cert_info in certs:
has_key = cert_info['has_key']
if has_key:
continue
cert_id = cert_info['id']
nickname = cert_info['nickname']
cert = nssdb.get_cert(nickname)
if cert:
if not overwrite:
print('WARNING: cert %s already exists' % nickname)
continue
nssdb.remove_cert(nickname)
if 'trust_flags' in cert_info:
trust_flags = cert_info['trust_flags']
else:
# default trust flags for CA certificates
trust_flags = 'CT,C,C'
if main_cli.verbose:
print('Exporting %s (%s) from PKCS #12 file' %
(nickname, cert_id))
cmd = ['pkcs12-cert-export']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
cmd.extend(['--cert-file', cert_file])
cmd.extend(['--cert-id', cert_id])
if self.verbose:
cmd.extend(['--verbose'])
if debug:
cmd.extend(['--debug'])
main_cli.execute_java(cmd)
if main_cli.verbose:
print('Importing %s' % nickname)
nssdb.add_cert(nickname, cert_file, trust_flags)
finally:
shutil.rmtree(tmpdir)
# import user certificates if requested
if import_user_certs:
if main_cli.verbose:
print('Importing user certificates')
nicknames = []
for cert_info in certs:
has_key = cert_info['has_key']
if not has_key:
continue
nickname = cert_info['nickname']
if nickname not in nicknames:
nicknames.append(nickname)
cmd = ['pkcs12-import']
if pkcs12_file:
cmd.extend(['--pkcs12-file', pkcs12_file])
if pkcs12_password:
cmd.extend(['--pkcs12-password', pkcs12_password])
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
if no_trust_flags:
cmd.extend(['--no-trust-flags'])
if overwrite:
cmd.extend(['--overwrite'])
if self.verbose:
cmd.extend(['--verbose'])
if debug:
cmd.extend(['--debug'])
cmd.extend(nicknames)
with open(os.devnull, 'w') as f:
main_cli.execute_java(cmd, stdout=f)
self.print_message('Import complete')