Clean up cert chain retrieval

The code that retrieves the cert chain for various installation scenarios has been reorganized which removes the dependency on hierarcy.select param.
dogtagpki · Aug 11, 2023 · 9c46b74 · 9c46b74
1 parent e738cf7
commit 9c46b74
Showing 1 changed file with 23 additions and 12 deletions.
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -37,6 +37,7 @@ def spawn(self, deployer):
 
         external = deployer.configuration_file.external
         standalone = deployer.configuration_file.standalone
+        subordinate = deployer.configuration_file.subordinate
         step_one = deployer.configuration_file.external_step_one
         skip_configuration = deployer.configuration_file.skip_configuration
 
@@ -113,27 +114,37 @@ def spawn(self, deployer):
         if config.str2bool(deployer.mdict['pki_security_domain_setup']):
             deployer.setup_security_domain(instance, subsystem)
 
-        hierarchy = subsystem.config.get('hierarchy.select')
-
         system_certs_imported = \
             deployer.mdict['pki_server_pkcs12_path'] != '' or \
             deployer.mdict['pki_clone_pkcs12_path'] != ''
 
-        if not (subsystem.type == 'CA' and hierarchy == 'Root'):
+        if subsystem.type == 'CA' and external or \
+                subsystem.type in ['KRA', 'OCSP'] and standalone:
+
+            # For external sub-CA and standalone KRA/OCSP, no need to retrieve
+            # the cert chain since it's already imported from a local file by
+            # PKIDeployer.import_cert_chain().
+
+            subsystem.config['preop.ca.pkcs7'] = ''
 
-            if external and subsystem.type == 'CA' or \
-                    standalone and subsystem.type in ['KRA', 'OCSP']:
-                subsystem.config['preop.ca.pkcs7'] = ''
+        elif (subsystem.type == 'CA' and subordinate or subsystem.type != 'CA') and \
+                not clone and not system_certs_imported:
 
-            elif not clone and not system_certs_imported:
+            # For primary (not clone) sub-CA and KRA, OCSP, TKS, and TPS,
+            # retrieve the cert chain from the issuing CA unless it's already
+            # imported from PKCS #12 file by PKIDeployer.import_server_pkcs12().
 
-                issuing_ca = deployer.mdict['pki_issuing_ca']
-                pem_chain = deployer.retrieve_cert_chain(instance, issuing_ca)
+            issuing_ca = deployer.mdict['pki_issuing_ca']
+            pem_chain = deployer.retrieve_cert_chain(instance, issuing_ca)
+
+            base64_chain = pki.nssdb.convert_pkcs7(pem_chain, 'pem', 'base64')
+            subsystem.config['preop.ca.pkcs7'] = base64_chain
 
-                base64_chain = pki.nssdb.convert_pkcs7(pem_chain, 'pem', 'base64')
-                subsystem.config['preop.ca.pkcs7'] = base64_chain
+        elif subsystem.type == 'CA' and clone and not system_certs_imported:
 
-        if subsystem.type == 'CA' and clone and not system_certs_imported:
+            # For root CA and sub-CA clone, retrieve the cert chain from the
+            # primary server unless it's already imported from a PKCS #12 file
+            # by PKIDeployer.import_clone_pkcs12().
 
             master_url = deployer.mdict['pki_clone_uri']
             pem_chain = deployer.retrieve_cert_chain(instance, master_url)