
Re: [Pki-devel] [PATCH] Check security module registration



On 06/18/15 11:52, Matthew Harmsen wrote:
Please review the following patch which addresses the issue of the pre-registered security module for shared PKI instances:

The patch has been tested successfully on a machine using an nCipher HSM.



Minor fix in attached patch.
From 383d395b21158ce2344a58d9d89a24dfd63101e4 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen redhat com>
Date: Thu, 18 Jun 2015 13:01:34 -0600
Subject: [PATCH] Check security module registration

- PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances)
- PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances)
- PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
---
 .../python/pki/server/deployment/pkihelper.py      | 54 ++++++++++++++++++++++
 .../python/pki/server/deployment/pkimessages.py    |  5 ++
 2 files changed, 59 insertions(+)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index a944447..42ca0d9 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2688,9 +2688,63 @@ class Modutil:
     def __init__(self, deployer):
         self.mdict = deployer.mdict
 
+    def is_security_module_registered(self, path, modulename,
+                                      prefix=None, critical_failure=True):
+        status = False
+        try:
+            # Compose this "modutil" command
+            command = ["modutil"]
+            #   Provide a path to the NSS security databases
+            if path:
+                command.extend(["-dbdir", path])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_MODUTIL_MISSING_PATH,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH)
+            #   Add optional security database prefix
+            if prefix is not None:
+                command.extend(["--dbprefix", prefix])
+            #   Append '-nocertdb' switch
+            command.extend(["-nocertdb"])
+            #   Specify a 'modulename'
+            if modulename:
+                command.extend(["-list", modulename])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_MODUTIL_MISSING_MODULENAME,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME)
+            # Display this "modutil" command
+            config.pki_log.info(
+                log.PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1,
+                ' '.join(command),
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            # Execute this "modutil" command
+            subprocess.check_call(command)
+            # 'modulename' is already registered
+            status = True
+            config.pki_log.info(
+                log.PKIHELPER_REGISTERED_SECURITY_MODULE_1, modulename,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+        except subprocess.CalledProcessError as exc:
+            # 'modulename' is not registered
+            config.pki_log.info(
+                log.PKIHELPER_UNREGISTERED_SECURITY_MODULE_1, modulename,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+        except OSError as exc:
+            config.pki_log.error(log.PKI_OSERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure:
+                raise
+        return status
+
     def register_security_module(self, path, modulename, libfile,
                                  prefix=None, critical_failure=True):
         try:
+            # First check if security module is already registered
+            if self.is_security_module_registered(path, modulename):
+                return
             # Compose this "modutil" command
             command = ["modutil"]
             #   Provide a path to the NSS security databases
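Review bot: The early-exit check `if self.is_security_module_registered(path, modulename):` drops the caller's `prefix` and `critical_failure` arguments even though the new method accepts both, so for a prefixed NSS database the `modutil -list` probe runs against the unprefixed store and can answer for the wrong database, and an OSError in the probe is always re-raised regardless of what the caller requested. Pass them through: `if self.is_security_module_registered(path, modulename, prefix=prefix, critical_failure=critical_failure):`. In the `except subprocess.CalledProcessError as exc:` branch the bound `exc` is never used; since any non-zero exit (not only an absent module) is mapped to "not registered", logging `exc.returncode` there would make a broken database distinguishable from a missing module in the deployment log. register_security_module's body continues outside the hunk.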
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index dd6ba41..6528407 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -260,6 +260,11 @@ PKIHELPER_PK12UTIL_MISSING_OUTFILE = \
 PKIHELPER_PK12UTIL_MISSING_PWFILE = \
     "pk12util missing -w pw-file option!"
 PKIHELPER_REGISTER_SECURITY_MODULE_1 = "executing '%s'"
+PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1 = "executing '%s'"
+PKIHELPER_REGISTERED_SECURITY_MODULE_1 = \
+    "security module '%s' is already registered."
+PKIHELPER_UNREGISTERED_SECURITY_MODULE_1 = \
+    "security module '%s' is not registered."
 
 PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = \
     "instance '%s' contains '%d' PKI subsystems"
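Review bot: `PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1` carries exactly the same text `"executing '%s'"` as the existing `PKIHELPER_REGISTER_SECURITY_MODULE_1` directly above it, so the log cannot tell the registration probe from the registration itself. A distinct string such as `"checking security module registration: executing '%s'"` would keep the two steps apart when reading a deployment log.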
-- 
1.8.3.1

