
[Pki-devel] [PATCH] 821 Updated pki-server subsystem-cert-update CLI.



The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.

The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.

The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.

https://fedorahosted.org/pki/ticket/2440

--
Endi S. Dewata
>From eb28cf05cfad246383dbda054c8cd477bc7acc73 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Sat, 20 Aug 2016 10:47:15 +0200
Subject: [PATCH] Updated pki-server subsystem-cert-update CLI.

The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.

The NSSDatabase constructor has been modified to normalize the
name of the internal NSS token to None. If the token name is None,
certutil is executed without the -h option.

The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.

https://fedorahosted.org/pki/ticket/2440
---
 base/common/python/pki/nssdb.py                | 11 ++++--
 base/server/python/pki/server/cli/subsystem.py | 47 +++++++++++++++-----------
 2 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index ed456540b7174284a0b933f5a589560812fa168e..736efcac3f4127658800bf549b7718a947cee8bd 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -105,7 +105,11 @@ class NSSDatabase(object):
             directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
 
         self.directory = directory
-        self.token = token
+
+        if token == 'internal' or token == 'Internal Key Storage Token':
+            self.token = None
+        else:
+            self.token = token
 
         self.tmpdir = tempfile.mkdtemp()
 
@@ -425,12 +429,15 @@ class NSSDatabase(object):
             '-d', self.directory
         ]
 
+        fullname = nickname
+
         if self.token:
             cmd.extend(['-h', self.token])
+            fullname = self.token + ':' + fullname
 
         cmd.extend([
             '-f', self.password_file,
-            '-n', nickname,
+            '-n', fullname,
             output_format_option
         ])
 
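Review bot: If `nickname` already carries a `token:` prefix — a form NSS nicknames are sometimes stored in — the new line `fullname = self.token + ':' + fullname` yields `token:token:nick` and certutil will report the certificate as missing; either guard it with `if not nickname.startswith(self.token + ':'):` or document in the method docstring that callers must pass the bare nickname. Whether the stored nicknames can include the prefix is not visible here, so this is a point to confirm against `get_subsystem_cert()` rather than a confirmed bug. The enclosing method starts and ends outside the hunk.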
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index c173ea255e5e7bca26e2ada5a4685ca14ba2b03f..42da26e10b3741a230e7f2344508b0c3a42d86e6 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -21,10 +21,8 @@
 
 from __future__ import absolute_import
 from __future__ import print_function
-import base64
 import getopt
 import getpass
-import nss.nss as nss
 import os
 import string
 import subprocess
@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
             sys.exit(1)
         subsystem_cert = subsystem.get_subsystem_cert(cert_id)
 
-        # get cert data from NSS database
-        nss.nss_init(instance.nssdb_dir)
-        nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
-        data = base64.b64encode(nss_cert.der_data)
-        del nss_cert
-        nss.nss_shutdown()
+        if self.verbose:
+            print('Retrieving certificate %s from %s' %
+                  (subsystem_cert['nickname'], subsystem_cert['token']))
+
+        token = subsystem_cert['token']
+        nssdb = instance.open_nssdb(token)
+        data = nssdb.get_cert(
+            nickname=subsystem_cert['nickname'],
+            output_format='base64')
         subsystem_cert['data'] = data
 
         # format cert data for LDAP database
         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
         data = string.join(lines, '\r\n') + '\r\n'
 
-        # get cert request from local CA
+        if self.verbose:
+            print('Retrieving certificate request from CA database')
+
         # TODO: add support for remote CA
         ca = instance.get_subsystem('ca')
         if not ca:
             print('ERROR: No CA subsystem in instance %s.' % instance_name)
             sys.exit(1)
+
         results = ca.find_cert_requests(cert=data)
-        cert_request = results[-1]
-        request = cert_request['request']
 
-        # format cert request for CS.cfg
-        lines = request.splitlines()
-        if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
-            lines = lines[1:]
-        if lines[-1] == '-----END CERTIFICATE REQUEST-----':
-            lines = lines[:-1]
-        request = string.join(lines, '')
-        subsystem_cert['request'] = request
+        if results:
+            cert_request = results[-1]
+            request = cert_request['request']
+
+            # format cert request for CS.cfg
+            lines = request.splitlines()
+            if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+                lines = lines[1:]
+            if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+                lines = lines[:-1]
+            request = string.join(lines, '')
+            subsystem_cert['request'] = request
+
+        else:
+            print('WARNING: Certificate request not found')
 
         # store cert data and request in CS.cfg
         subsystem.update_subsystem_cert(subsystem_cert)
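Review bot: The `NSSDatabase` handle returned by `instance.open_nssdb(token)` is never released: the constructor in the first file creates a temporary directory with `tempfile.mkdtemp()` and `get_cert()` hands certutil a `password_file`, so if that file lives in the temp directory an unclosed handle leaves the token password on disk after the CLI exits. Wrap the call in `try:` / `finally: nssdb.close()` (or whatever release method `NSSDatabase` provides — it is not visible in this hunk). Separately, when `results` is empty the code prints a warning but still calls `update_subsystem_cert` with whatever `request` value `get_subsystem_cert` returned, so a request belonging to the previous certificate may be written next to the new one; either clear it or state in the warning that the existing request is kept. `subsystem_cert['token']` is also a new hard key lookup that raises `KeyError` if the config has no token entry; `.get('token')` would let the constructor's None handling take over. The enclosing `execute` method begins outside the hunk.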
-- 
2.5.5

