示例#1
文件: subsystem.py 项目: tstellar/pki
    def temp_cert_create(self, nssdb, tmpdir, cert_tag, serial, new_cert_file):
        """
        Issue a short-lived, CA-signed replacement cert for a system cert.

        Only the *sslserver* cert is supported; any other ``cert_tag`` is
        rejected before anything is written. The CSR and the CA signing cert
        come from :meth:`setup_temp_renewal`; ``nssdb.create_cert`` then signs
        the CSR with that cert. No validity is passed here, so the lifetime is
        whatever ``create_cert`` applies by default (the original author
        documented this as three months).

        :param nssdb: NSS db instance that signs the cert
        :type nssdb: NSSDatabase
        :param tmpdir: Directory where the CSR and the CA cert file are written
        :type tmpdir: str
        :param cert_tag: Tag of the cert to replace; must be ``'sslserver'``
        :type cert_tag: str
        :param serial: Serial number assigned to the new cert
        :type serial: str
        :param new_cert_file: Path the signed temp cert is written to
        :type new_cert_file: str
        :return: None
        :rtype: None
        :raises pki.server.PKIServerException: unsupported ``cert_tag``, or a
            non-zero return code from ``nssdb.create_cert``
        """
        logger.info('Generate temp SSL certificate')

        # Fail fast: only the SSL server cert has a temp-renewal path.
        if cert_tag != 'sslserver':
            raise pki.server.PKIServerException(
                'Temp cert for %s is not supported yet.' % cert_tag)

        signing_cert, issuer_key_id, request_path = self.setup_temp_renewal(
            tmpdir=tmpdir, cert_tag=cert_tag)

        # Extension dicts handed straight to create_cert. The labels the
        # original used for them ("--keyUsage", "-3", "--extKeyUsage") appear
        # to mirror certutil's option names for the same extensions.
        extensions = {
            # keyUsage, marked critical
            'key_usage_ext': {
                'digitalSignature': True,
                'nonRepudiation': True,
                'keyEncipherment': True,
                'dataEncipherment': True,
                'critical': True,
            },
            # authorityKeyIdentifier pointing at the CA signing cert
            'aki_ext': {'auth_key_id': issuer_key_id},
            # extendedKeyUsage limited to TLS server authentication
            'ext_key_usage_ext': {'serverAuth': True},
        }

        logger.debug('Creating temp cert')

        rc = nssdb.create_cert(
            issuer=signing_cert['nickname'],
            request_file=request_path,
            cert_file=new_cert_file,
            serial=serial,
            **extensions)
        if rc:
            raise pki.server.PKIServerException(
                'Failed to generate CA-signed temp SSL certificate. RC: %d' % rc)
示例#2
文件: __init__.py 项目: tiran/pki
    def temp_cert_create(self, nssdb, tmpdir, cert_tag, serial, new_cert_file):
        """
        Create a CA-signed temporary cert for the *sslserver* system cert.

        The flow is: reject unsupported tags, obtain the CA signing cert, its
        key identifier and a fresh CSR from :meth:`setup_temp_renewal`, then
        have ``nssdb.create_cert`` sign the CSR. Validity is left to
        ``create_cert``'s default (documented by the original author as
        three months; not visible here).

        :param nssdb: NSS db instance that signs the cert
        :type nssdb: NSSDatabase
        :param tmpdir: Directory for the CSR and the CA cert file
        :type tmpdir: str
        :param cert_tag: Cert to replace; only ``'sslserver'`` is accepted
        :type cert_tag: str
        :param serial: Serial number for the new cert
        :type serial: str
        :param new_cert_file: Destination path of the signed temp cert
        :type new_cert_file: str
        :return: None
        :rtype: None
        :raises PKIServerException: unsupported ``cert_tag``, or
            ``nssdb.create_cert`` returned a non-zero code
        """
        logger.info('Generate temp SSL certificate')

        if cert_tag != 'sslserver':
            raise PKIServerException('Temp cert for %s is not supported yet.' % cert_tag)

        signing_cert, issuer_key_id, request_path = self.setup_temp_renewal(
            tmpdir=tmpdir, cert_tag=cert_tag)

        # keyUsage extension, critical (the original labelled this
        # "--keyUsage", which looks like the certutil option name).
        key_usage = {
            'digitalSignature': True,
            'nonRepudiation': True,
            'keyEncipherment': True,
            'dataEncipherment': True,
            'critical': True
        }

        # authorityKeyIdentifier: ties the temp cert to the CA signing key.
        authority_key_id = {'auth_key_id': issuer_key_id}

        # extendedKeyUsage: TLS server authentication only.
        extended_key_usage = {'serverAuth': True}

        logger.debug('Creating temp cert')

        rc = nssdb.create_cert(
            issuer=signing_cert['nickname'],
            request_file=request_path,
            cert_file=new_cert_file,
            serial=serial,
            key_usage_ext=key_usage,
            aki_ext=authority_key_id,
            ext_key_usage_ext=extended_key_usage)
        if rc:
            # Same message as before; implicit literal concatenation made it one string.
            raise PKIServerException(
                'Failed to generate CA-signed temp SSL certificate. RC: %d' % rc)
示例#3
    def create_ssl_cert(self, instance, subsystem, serial, is_temp_cert,
                        tmpdir, new_cert_file, nssdb, connection):
        """
        Create or renew the SSL server cert, writing it to ``new_cert_file``.

        Two paths, selected by ``is_temp_cert``:

        * temp: :meth:`setup_temp_renewal` yields the CA signing cert, its key
          identifier and a CSR for ``sslserver``; ``nssdb.create_cert`` signs
          the CSR with the caller-supplied ``serial``.
        * renewal: delegates to :meth:`renew_system_certificate` (defined
          elsewhere). When ``serial`` is falsy it is read from the subsystem's
          stored sslserver cert record.

        Only the renewal path falls back to the stored serial; the temp path
        passes ``serial`` through as given.

        :raises Exception: ``nssdb.create_cert`` returned a non-zero code
            (temp path only)
        """
        if self.verbose:
            print('Creating SSL server certificate.')

        if not is_temp_cert:
            # Renewal path: use the serial recorded in the NSS db if none given.
            if not serial:
                serial = subsystem.get_subsystem_cert(
                    'sslserver')["serial_number"]

            if self.verbose:
                print('Renewing for certificate with serial number: %s' %
                      serial)

            self.renew_system_certificate(connection=connection,
                                          output=new_cert_file,
                                          serial=serial)
            return

        # Temp path: CA-signed, short-lived cert.
        signing_cert, issuer_key_id, request_path = self.setup_temp_renewal(
            instance=instance,
            subsystem=subsystem,
            tmpdir=tmpdir,
            cert_id='sslserver')

        # keyUsage (critical), authorityKeyIdentifier and extendedKeyUsage;
        # the original labelled these with what look like certutil option names.
        key_usage = {
            'digitalSignature': True,
            'nonRepudiation': True,
            'keyEncipherment': True,
            'dataEncipherment': True,
            'critical': True
        }
        authority_key_id = {'auth_key_id': issuer_key_id}
        extended_key_usage = {'serverAuth': True}

        rc = nssdb.create_cert(issuer=signing_cert['nickname'],
                               request_file=request_path,
                               cert_file=new_cert_file,
                               serial=serial,
                               key_usage_ext=key_usage,
                               aki_ext=authority_key_id,
                               ext_key_usage_ext=extended_key_usage)
        if rc:
            raise Exception(
                'Failed to generate CA-signed temp SSL certificate. '
                'RC: %d' % rc)
示例#4
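    def create_temp_sslserver_cert(self, deployer, instance):
        """
        Install a temporary SSL server cert in the instance's NSS db.

        Returns False without touching the db when the Tomcat instance hosts
        more than one subsystem, or when the cert already stored under
        ``pki_sslserver_nickname`` carries ``pki_hostname`` as its subject CN.
        Otherwise any cert under that nickname is removed together with its
        key, a new request is generated and signed, and the result is added
        under the nickname with the trust flags from ``pki_self_signed_trustargs``.

        Fix relative to the original: the temp directory was created before
        the ``try`` block, so an exception from ``instance.open_nssdb()`` left
        it behind. Cleanup is now nested so the directory is always removed
        and the NSS db is closed only if it was actually opened.

        :param deployer: Deployment context; all settings come from ``deployer.mdict``
        :param instance: Instance whose NSS db receives the cert
        :return: True when a temp cert was created, False when skipped
        :rtype: bool
        """
        if len(deployer.instance.tomcat_instance_subsystems()) > 1:
            return False

        nickname = deployer.mdict['pki_sslserver_nickname']
        instance.set_sslserver_cert_nickname(nickname)

        tmpdir = tempfile.mkdtemp()
        try:
            nssdb = instance.open_nssdb()
            try:
                logger.info('Checking existing SSL server cert: %s', nickname)
                pem_cert = nssdb.get_cert(nickname=nickname)

                if pem_cert:
                    cert = x509.load_pem_x509_certificate(pem_cert, default_backend())
                    # Assumes the subject carries a CN. A cert without one raises
                    # IndexError here, which is preferable to removing a key whose
                    # subject could not be checked.
                    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0]
                    hostname = cn.value

                    logger.info('Existing SSL server cert is for %s', hostname)

                    # if hostname is correct, don't create temp cert
                    if hostname == deployer.mdict['pki_hostname']:
                        return False

                    logger.info('Removing SSL server cert for %s', hostname)

                    # Destructive: the private key is deleted with the cert.
                    # Only reached when the CN does not match the configured hostname.
                    nssdb.remove_cert(
                        nickname=nickname,
                        remove_key=True)

                logger.info('Creating temp SSL server cert for %s', deployer.mdict['pki_hostname'])

                # TODO: replace with pki-server create-cert sslserver --temp

                # NOTE:  ALWAYS create the temporary sslserver certificate
                #        in the software DB regardless of whether the
                #        instance will utilize 'softokn' or an HSM

                csr_file = os.path.join(tmpdir, 'sslserver.csr')
                cert_file = os.path.join(tmpdir, 'sslserver.crt')

                nssdb.create_request(
                    subject_dn=deployer.mdict['pki_self_signed_subject'],
                    request_file=csr_file,
                    token=deployer.mdict['pki_self_signed_token'],
                    key_type=deployer.mdict['pki_sslserver_key_type'],
                    key_size=deployer.mdict['pki_sslserver_key_size']
                )

                # No issuer is passed, so create_cert presumably self-signs the
                # request (consistent with the pki_self_signed_* settings used).
                nssdb.create_cert(
                    request_file=csr_file,
                    cert_file=cert_file,
                    serial=deployer.mdict['pki_self_signed_serial_number'],
                    validity=deployer.mdict['pki_self_signed_validity_period']
                )

                # Trust flags are taken verbatim from the deployment config.
                nssdb.add_cert(
                    nickname=nickname,
                    cert_file=cert_file,
                    token=deployer.mdict['pki_self_signed_token'],
                    trust_attributes=deployer.mdict['pki_self_signed_trustargs']
                )

                return True

            finally:
                nssdb.close()
        finally:
            shutil.rmtree(tmpdir)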