From 24a66c3f3ace8c38ed4c475a7ff18e4d89a288d3 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 15 Nov 2023 11:09:51 -0600 Subject: [PATCH] Update pki-server cert-import The pki-server cert-import has been updated to provide options to specify the nickname and token so that the cert can be imported before creating any subsystem in the instance. The tests for installing CA with existing NSS database and HSM have been updated to use this command. --- .github/workflows/ca-existing-hsm-test.yml | 38 ++----------- .github/workflows/ca-existing-nssdb-test.yml | 32 ++--------- base/server/python/pki/server/cli/cert.py | 56 ++++++++++++++------ base/server/python/pki/server/instance.py | 49 +++++++++++++---- docs/changes/v11.5.0/Tools-Changes.adoc | 5 ++ 5 files changed, 93 insertions(+), 87 deletions(-) diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml index 9ee9ff0c718..7a3a1079a9c 100644 --- a/.github/workflows/ca-existing-hsm-test.yml +++ b/.github/workflows/ca-existing-hsm-test.yml @@ -84,14 +84,8 @@ jobs: --token HSM \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-import \ --token HSM \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ - --trust CT,C,C \ ca_signing # check original cert @@ -124,13 +118,8 @@ jobs: --issuer HSM:ca_signing \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-import \ --token HSM \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ ca_ocsp_signing # check original cert 
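Review bot: The explicit `--trust CT,C,C` on the ca_signing import is dropped in the @@ -84 hunk, so the trust flags now come only from the trust-attribute table inside `PKIInstance.cert_import`, and nothing visible in this workflow asserts the result. The "check original cert" step that follows each import is only partly visible here; if it does not already compare trust flags, add a `pki ... nss-cert-show ca_signing` (or `certutil -L`) step asserting `CT,C,C` so a regression in that mapping fails the test rather than surfacing later as a CA whose own certificate is untrusted in the NSS database. The same applies to the `,,P` flags removed for ca_audit_signing in a later hunk of this file. Note also that the import now runs as root via `pki-server` instead of under `runuser -u pkiuser`; the read check that follows runs as pkiuser, which would catch a read-permission regression but not a changed owner on cert9.db/key4.db, so it is worth confirming `cert-import` leaves ownership of the NSS database files unchanged.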
@@ -163,14 +152,8 @@ jobs: --issuer HSM:ca_signing \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-import \ --token HSM \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ - --trust ,,P \ ca_audit_signing # check original cert @@ -203,13 +186,8 @@ jobs: --issuer HSM:ca_signing \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ + docker exec pki pki-server cert-import \ --token HSM \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ subsystem # check original cert @@ -241,13 +219,7 @@ jobs: --issuer HSM:ca_signing \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki runuser -u pkiuser -- \ - pki \ - -d /etc/pki/pki-tomcat/alias \ - -f /etc/pki/pki-tomcat/password.conf \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ - sslserver + docker exec pki pki-server cert-import sslserver # check original cert docker exec pki runuser -u pkiuser -- \ diff --git a/.github/workflows/ca-existing-nssdb-test.yml b/.github/workflows/ca-existing-nssdb-test.yml index 7add5a2a10c..8bcdcf72b67 100644 --- a/.github/workflows/ca-existing-nssdb-test.yml +++ b/.github/workflows/ca-existing-nssdb-test.yml @@ -61,12 +61,7 @@ jobs: docker exec pki pki-server cert-create \ --ext /usr/share/pki/server/certs/ca_signing.conf \ ca_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ - --trust CT,C,C \ - ca_signing + docker exec pki pki-server cert-import ca_signing # check original cert docker exec pki pki \ 
@@ -90,11 +85,7 @@ jobs: --issuer ca_signing \ --ext /usr/share/pki/server/certs/ocsp_signing.conf \ ca_ocsp_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ - ca_ocsp_signing + docker exec pki pki-server cert-import ca_ocsp_signing # check original cert docker exec pki pki \ @@ -118,12 +109,7 @@ jobs: --issuer ca_signing \ --ext /usr/share/pki/server/certs/audit_signing.conf \ ca_audit_signing - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ - --trust ,,P \ - ca_audit_signing + docker exec pki pki-server cert-import ca_audit_signing # check original cert docker exec pki pki \ @@ -147,11 +133,7 @@ jobs: --issuer ca_signing \ --ext /usr/share/pki/server/certs/subsystem.conf \ subsystem - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ - subsystem + docker exec pki pki-server cert-import subsystem # check original cert docker exec pki pki \ @@ -175,11 +157,7 @@ jobs: --issuer ca_signing \ --ext /usr/share/pki/server/certs/sslserver.conf \ sslserver - docker exec pki pki \ - -d /etc/pki/pki-tomcat/alias \ - nss-cert-import \ - --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ - sslserver + docker exec pki pki-server cert-import sslserver # check original cert docker exec pki pki \ diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py index 06f0da93de8..8a5d43472ec 100644 --- a/base/server/python/pki/server/cli/cert.py +++ b/base/server/python/pki/server/cli/cert.py 
@@ -792,27 +792,41 @@ def execute(self, argv): class CertImportCLI(pki.cli.CLI): + ''' + Import system certificate. + ''' + + help = '''\ + Usage: pki-server cert-import [OPTIONS] + + -i, --instance Instance ID (default: pki-tomcat) + --token Token to store the certificate + --nickname Certificate nickname + --input Certificate file + -v, --verbose Run in verbose mode. + --debug Run in debug mode. + --help Show help message. + + Cert ID: + ca_signing, ca_ocsp_signing, ca_audit_signing, + kra_storage, kra_transport, kra_audit_signing, + ocsp_signing, ocsp_audit_signing, + tks_audit_signing, + tps_audit_signing, + subsystem, sslserver + ''' # noqa: E501 + def __init__(self): - super().__init__('import', 'Import system certificate.') + super().__init__('import', inspect.cleandoc(self.__class__.__doc__)) def print_help(self): - print('Usage: pki-server cert-import [OPTIONS] ') - # CertID: subsystem, sslserver, kra_storage, kra_transport, ca_ocsp_signing, - # ca_audit_signing, kra_audit_signing - # ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing - print() - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' --input Provide input file name.') - print(' -v, --verbose Run in verbose mode.') - print(' --debug Run in debug mode.') - print(' --help Show help message.') - print() + print(textwrap.dedent(self.__class__.help)) def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'input=', + 'instance=', 'token=', 'nickname=', 'input=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: @@ -821,12 +835,20 @@ def execute(self, argv): sys.exit(1) instance_name = 'pki-tomcat' + token = None + nickname = None cert_file = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a + elif o == '--token': + token = a + + elif o == '--nickname': + nickname = a + elif o == '--input': cert_file = a 
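Review bot: The new help text in `CertImportCLI.help` presents `--token` and `--nickname` as unconditional options, but `PKIInstance.cert_import` in this same patch replaces both with the values from the subsystem's CS.cfg whenever a subsystem is loaded, so an operator passing `--token HSM` against an installed CA gets the CS.cfg token with no indication that their value was ignored. Say so in the help: `--token Token to store the certificate (used only when no subsystem is installed; otherwise taken from CS.cfg)` and the equivalent wording for `--nickname`. `print_help` and `__init__` also depend on `textwrap` and `inspect`, which are not imported in any visible hunk; confirm both are imported at the top of cert.py. `execute` continues past the end of this hunk.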
@@ -858,12 +880,14 @@ def execute(self, argv): logger.error('Invalid instance %s.', instance_name) sys.exit(1) - # Load the instance. Default: pki-tomcat instance.load() try: - # Load the cert into NSS db and update all corresponding subsystem's CS.cfg - instance.cert_import(cert_id, cert_file) + instance.cert_import( + cert_id, + cert_file=cert_file, + token=token, + nickname=nickname) except pki.server.PKIServerException as e: logger.error(str(e)) diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py index 215015fd2b9..93d4a76ffab 100644 --- a/base/server/python/pki/server/instance.py +++ b/base/server/python/pki/server/instance.py @@ -699,7 +699,12 @@ def cert_update_config(self, cert_id, cert): raise pki.server.PKIServerException( 'No subsystem can be loaded for %s in instance %s.' % (cert_id, self.name)) - def cert_import(self, cert_id, cert_file=None): + def cert_import( + self, + cert_id, + cert_file=None, + token=None, + nickname=None): """ Import cert from cert_file into NSS db with appropriate trust @@ -707,6 +712,10 @@ def cert_import(self, cert_id, cert_file=None): :type cert_id: str :param cert_file: Cert file to be imported into NSS db :type cert_file: str + :param token: Token to store the certificate + :type token: str + :param nickname: Certificate nickname + :type nickname: str :return: None :rtype: None """ 
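Review bot: The docstring entries added for `token` and `nickname` in the @@ -707 hunk do not say that these arguments are fallbacks only: the body of `cert_import` (in the following hunk of instance.py) takes both from the subsystem's CS.cfg whenever a subsystem is loaded, and defaults `nickname` to `cert_id` otherwise. Document that contract where the parameters are described, e.g. `:param token: Token to store the certificate; used only when no subsystem is installed, otherwise taken from CS.cfg` and `:param nickname: Certificate nickname; same rule, defaults to cert_id when omitted`, and add a `:raises PKIServerException:` line for the already-exists case the method raises further down. The method body extends beyond this hunk.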
@@ -722,13 +731,33 @@ def cert_import(self, cert_id, cert_file=None): subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id) - if not subsystem_name: - subsystem_name = self.get_subsystems()[0].name - logger.debug('- subsystem: %s', subsystem_name) logger.debug('- cert tag: %s', cert_tag) - subsystem = self.get_subsystem(subsystem_name) + if subsystem_name: + # if cert ID contains subsystem name, get that subsystem + subsystem = self.get_subsystem(subsystem_name) + else: + # if cert ID does not contain subsystem name (i.e. sslserver, subsystem), + # get the first available subsystem + subsystems = self.get_subsystems() + if len(subsystems) > 0: + subsystem = subsystems[0] + else: + subsystem = None + + if subsystem: + # if the subsystem exists, use the nickname and token + # specified in CS.cfg + cert_info = subsystem.get_subsystem_cert(cert_tag) + nickname = cert_info['nickname'] + token = cert_info['token'] + else: + # if the subsystem does not exist, use the specified + # nickname and token + if not nickname: + # if nickname not specified, use the cert ID + nickname = cert_id # audit and CA signing cert require special flags set in NSSDB trust_attributes = None @@ -742,21 +771,19 @@ def cert_import(self, cert_id, cert_file=None): nssdb = self.open_nssdb() try: - cert = subsystem.get_subsystem_cert(cert_tag) - logger.debug('Checking existing %s cert', cert_id) if nssdb.get_cert( - nickname=cert['nickname'], - token=cert['token']): + nickname=nickname, + token=token): raise pki.server.PKIServerException( 'Certificate already exists: %s' % cert_id) logger.debug('Importing %s cert', cert_id) nssdb.add_cert( - nickname=cert['nickname'], - token=cert['token'], + nickname=nickname, + token=token, cert_file=cert_file, trust_attributes=trust_attributes) diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc index b109dafc0b9..66af11cf5b1 100644 --- a/docs/changes/v11.5.0/Tools-Changes.adoc 
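Review bot: When a subsystem is loaded, the caller's `token` and `nickname` are overwritten by the CS.cfg values in the `if subsystem:` branch without any comparison, so `pki-server cert-import --token HSM sslserver` on an installed instance silently imports into whatever token CS.cfg names; a mismatch between an explicit argument and the configured location should at least be reported. A cheap guard is to compare before overwriting and raise `PKIServerException` when the caller's value differs, keeping the `None` case (nothing specified) silent, as sketched below. In the no-subsystem branch an omitted `--token` resolves to `None` (the internal token); if the key pair was generated on an HSM with `cert-request --token`, the certificate would land in a different token from its private key, which the later `add_cert` call does not appear to detect (hedged, since `nssdb.add_cert` is not visible here), so a log line naming the target token, or a hard requirement for `--token` when the instance has HSM tokens configured, would make that failure mode visible. The trust-attribute assignment that follows is cut off at the end of this hunk.
```python
if subsystem:
    # CS.cfg is authoritative once a subsystem exists; refuse an explicit
    # --token/--nickname that contradicts it instead of silently discarding it.
    # NOTE(review): normalize however the project spells the internal token
    # (None vs 'internal') before comparing, or this check rejects valid input.
    cert_info = subsystem.get_subsystem_cert(cert_tag)
    if nickname and nickname != cert_info['nickname']:
        raise pki.server.PKIServerException(
            'Nickname %s does not match CS.cfg nickname %s for %s' %
            (nickname, cert_info['nickname'], cert_id))
    if token and token != cert_info['token']:
        raise pki.server.PKIServerException(
            'Token %s does not match CS.cfg token %s for %s' %
            (token, cert_info['token'], cert_id))
    nickname = cert_info['nickname']
    token = cert_info['token']
else:
    # … unchanged: fall back to the caller's values, default nickname to cert_id …
```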
+++ b/docs/changes/v11.5.0/Tools-Changes.adoc @@ -47,3 +47,8 @@ The `pki-server cert-request` command has been added to generate a key pair and The `pki-server cert-create` command has been updated to support creating permanent system certificate using the server's NSS database and RSNv3 serial numbers. + +== Update pki-server cert-import CLI == + +The `pki-server cert-import` command has been updated to provide +options to specify the certificate nickname and token name.