
[Pki-devel] [PATCH] 827 Added support to create system certificates in different tokens.



Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.

To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.

After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.

https://fedorahosted.org/pki/ticket/2449

--
Endi S. Dewata
From 55c228b9643f4a254446721d85630a2686ff608b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: [PATCH] Added support to create system certificates in different
 tokens.

Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.

To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.

After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.

https://fedorahosted.org/pki/ticket/2449
---
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 18 +++++++----
 .../dogtagpki/server/rest/SystemConfigService.java |  9 ++----
 .../src/com/netscape/cmscore/apps/CMSEngine.java   |  4 +--
 .../server/deployment/scriptlets/configuration.py  | 37 +++++++++++++++++++---
 4 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index cdb2844953e788abaed3acb70793a4fe857303e7..f6e125c4fe5d3c6b4492fa9f0fd8bd8e84b8de24 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
         }
 
         config.putString(subsystem + "." + certTag + ".nickname", nickname);
-        config.putString(subsystem + "." + certTag + ".tokenname", token);
+
         if (certTag.equals("audit_signing")) {
             if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
                 config.putString("log.instance.SignedAudit.signedAuditCertNickname",
@@ -3325,14 +3325,15 @@ public class ConfigurationUtils {
         return 0;
     }
 
-    public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
+    public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
             ObjectNotFoundException, TokenException {
+
+        String tag = cert.getCertTag();
         if (tag.equals("signing") || tag.equals("external_signing"))
             return;
 
-        IConfigStore cs = CMS.getConfigStore();
-        String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
-        String tokenname = cs.getString("preop.module.token", "");
+        String nickname = cert.getNickname();
+        String tokenname = cert.getTokenname();
         if (!tokenname.equals("Internal Key Storage Token"))
             nickname = tokenname + ":" + nickname;
 
@@ -4554,9 +4555,11 @@ public class ConfigurationUtils {
 
     public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
             TokenException, CertificateEncodingException, IOException {
+
         IConfigStore cs = CMS.getConfigStore();
-        String nickname = cs.getString("preop.cert.subsystem.nickname", "");
-        String tokenname = cs.getString("preop.module.token", "");
+        String subsystem = cs.getString("cs.type").toLowerCase();
+        String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
+        String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
 
         if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
                 && !tokenname.equals("")) {
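Review bot: `cs.getString("cs.type").toLowerCase()` builds the config-key prefix using the JVM's default locale, so the keys looked up on the next two lines depend on the process locale rather than on the fixed, ASCII subsystem names; for the known values this happens not to change the result, but a key derived from configuration should not be locale-sensitive, and a mismatch would silently fall through to the `""` defaults and then to the "subsystem cert is null" path. Use `String subsystem = cs.getString("cs.type").toLowerCase(Locale.ROOT);` (adding `import java.util.Locale;` if the file does not already have it). The remainder of getSubsystemCert continues outside this hunk.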
@@ -4571,6 +4574,7 @@ public class ConfigurationUtils {
             CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
             return null;
         }
+
         byte[] bytes = cert.getEncoded();
         String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
         return s;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 9d7c176ecdbf2c87cb961fa3f6eb74fb41eb8ef5..5cc6f63dc7f455bedbf06ac94f72ee982dd38e12 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             try {
                 CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
                 ret = ConfigurationUtils.handleCerts(cert);
-                ConfigurationUtils.setCertPermissions(cert.getCertTag());
+                ConfigurationUtils.setCertPermissions(cert);
                 CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
             } catch (Exception e) {
                 CMS.debug(e);
@@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
                 processCert(
                         request,
-                        token,
                         certList,
                         certs,
                         hasSigningCert,
@@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
     public void processCert(
             ConfigurationRequest request,
-            String token,
             Collection<String> certList,
             Collection<Cert> certs,
             MutableBoolean hasSigningCert,
@@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 String curvename = certData.getKeyCurveName() != null ?
                         certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
                 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
-                ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+                ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
 
             } else {
                 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
                         .getString("keys.rsa.keysize.default");
                 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
-                ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+                ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
             }
 
         } else {
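Review bot: `tokenName` now stands in for the removed `token` parameter in both createECCKeyPair and createRSAKeyPair, but its declaration and any fallback are outside this hunk, so it is not visible whether it can be null or empty when no per-certificate token was stored. The python side only writes `<subsystem>.<tag>.tokenname` for the tags listed in store_cert_tokens, so for any other tag the value presumably comes from the request data alone; if that is unset, key generation would receive null where it formerly received the caller's token. Either a guard such as `if (tokenName == null || tokenName.isEmpty()) tokenName = cs.getString("preop.module.token", "");` ahead of this branch, or a comment on the declaration of `tokenName` stating where it is guaranteed non-empty, would make the contract clear. processCert continues outside this hunk.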
@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
 
         cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
-        cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
         cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
         cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
         cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index c62087e92198d5319d195395a5e2310442780a40..a334824d368cbd7c8031a6236a687e6391cdb7eb 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
             // get SSL server nickname
             IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
             if (serverCertStore != null && serverCertStore.size() > 0) {
-                String nickName = serverCertStore.getString("nickname");
-                String tokenName = serverCertStore.getString("tokenname");
+                String nickName = serverCertStore.getString("nickname", null);
+                String tokenName = serverCertStore.getString("tokenname", null);
                 if (tokenName != null && tokenName.length() > 0 &&
                         nickName != null && nickName.length() > 0) {
                     CMS.setServerCertNickname(tokenName, nickName);
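Review bot: With the defaults changed to null, a missing `nickname` or `tokenname` under `<id>.sslserver` now silently skips `CMS.setServerCertNickname`, whereas the single-argument `getString` presumably surfaced the missing property as an exception; since this path decides which certificate the SSL server presents, the skip deserves a trace so a misconfigured token name is diagnosable. Adding `} else { CMS.debug("CMSEngine: sslserver nickname or tokenname not configured for " + id); }` at the end of this `if` (its closing brace is outside the hunk) keeps the lenient behavior while leaving a record in the log.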
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 64ee4e5f6f5cbc920c7ac5a27ab995d7155cf1cc..97f6d3e601d77712c49fc7a4b19286554e77660f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,6 +39,31 @@ import pki.util
 # PKI Deployment Configuration Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
+    def store_cert_tokens(self, subsystem, deployer):
+
+        subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+            deployer.mdict['pki_audit_signing_token'])
+        subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+            deployer.mdict['pki_ssl_server_token'])
+        subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+            deployer.mdict['pki_subsystem_token'])
+
+        if subsystem.name == 'ca':
+            subsystem.config['ca.signing.tokenname'] = (
+                deployer.mdict['pki_ca_signing_token'])
+            subsystem.config['ca.ocsp_signing.tokenname'] = (
+                deployer.mdict['pki_ocsp_signing_token'])
+
+        elif subsystem.name == 'kra':
+            subsystem.config['kra.storage.tokenname'] = (
+                deployer.mdict['pki_storage_token'])
+            subsystem.config['kra.transport.tokenname'] = (
+                deployer.mdict['pki_transport_token'])
+
+        elif subsystem.name == 'ocsp':
+            subsystem.config['ocsp.signing.tokenname'] = (
+                deployer.mdict['pki_ocsp_signing_token'])
+
     def spawn(self, deployer):
 
         if config.str2bool(deployer.mdict['pki_skip_configuration']):
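Review bot: `store_cert_tokens` has no docstring stating which CS.cfg keys it writes or that it indexes `deployer.mdict` directly, so a missing `pki_<cert>_token` entry raises KeyError during deployment instead of leaving the key unset; whether the deployment defaults guarantee every referenced key is present is not visible here. Suggest a docstring such as `"""Write the token name of each system certificate (pki_<cert>_token) to <subsystem>.<cert>.tokenname in CS.cfg: the common certs for every subsystem, then the CA/KRA/OCSP specific ones. All referenced pki_*_token keys must exist in deployer.mdict."""`. Subsystems other than ca, kra and ocsp fall through the if/elif chain with only the three common entries written; if that is intentional the docstring should say so.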
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     nickname=signing_nickname,
                     output_format='base64')
                 subsystem.config['ca.signing.nickname'] = signing_nickname
-                subsystem.config['ca.signing.tokenname'] = (
-                    deployer.mdict['pki_ca_signing_token'])
                 subsystem.config['ca.signing.cert'] = signing_cert_data
                 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
                 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
                     deployer.mdict['pki_ca_signing_signing_algorithm'])
 
+                # Store cert tokens in CS.cfg.
+                self.store_cert_tokens(subsystem, deployer)
+
                 subsystem.save()
 
                 # verify the signing certificate
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     instance, 'ca')
                 verifier.verify_certificate('signing')
 
-            else:  # self-signed CA
+            else:  # other installation types
 
                 # To be implemented in ticket #1692.
 
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # Self sign CA cert.
                 # Import self-signed CA cert into NSS database.
 
-                pass
+                # Store cert tokens in CS.cfg.
+                self.store_cert_tokens(subsystem, deployer)
+
+                subsystem.save()
 
         finally:
             nssdb.close()
-- 
2.5.5

