

Add PKIDeployer.request_admin_cert()
The code that requests the admin cert from the CA has been
moved to PKIDeployer.request_admin_cert().
edewata committed Feb 9, 2021
1 parent 7030bea commit e984280
Showing 2 changed files with 68 additions and 53 deletions.
68 changes: 67 additions & 1 deletion base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -754,6 +754,69 @@ def load_admin_cert(self, subsystem):

return b64cert

def request_admin_cert(self, subsystem, csr):

ca_type = subsystem.config['preop.ca.type']

if ca_type == 'sdca':
ca_hostname = subsystem.config['preop.ca.hostname']
ca_port = subsystem.config['preop.ca.httpsport']
else:
ca_hostname = subsystem.config['securitydomain.host']
ca_port = subsystem.config['securitydomain.httpseeport']

ca_url = 'https://%s:%s' % (ca_hostname, ca_port)
logger.info('Requesting admin cert from %s', ca_url)

request_type = self.mdict['pki_admin_cert_request_type']
key_type = self.mdict['pki_admin_key_type']

if key_type.lower() == 'ecc':
profile = 'caECAdminCert'
else:
profile = self.mdict['pki_admin_profile_id']

subject = self.mdict['pki_admin_subject_dn']

tmpdir = tempfile.mkdtemp()
try:
pem_csr = pki.nssdb.convert_csr(csr, 'base64', 'pem')
csr_file = os.path.join(tmpdir, 'admin.csr')
with open(csr_file, 'w') as f:
f.write(pem_csr)

install_token = os.path.join(tmpdir, 'install-token')
with open(install_token, 'w') as f:
f.write(self.install_token.token)

cmd = [
'pki',
'-d', subsystem.instance.nssdb_dir,
'-f', subsystem.instance.password_conf,
'-U', ca_url,
'ca-cert-request-submit',
'--request-type', request_type,
'--csr-file', csr_file,
'--profile', profile,
'--subject', subject,
'--install-token', install_token,
'--output-format', 'PEM'
]

if logger.isEnabledFor(logging.DEBUG):
cmd.append('--debug')

elif logger.isEnabledFor(logging.INFO):
cmd.append('--verbose')

logger.debug('Command: %s', ' '.join(cmd))
result = subprocess.run(cmd, stdout=subprocess.PIPE, check=True)

return pki.nssdb.convert_cert(result.stdout.decode(), 'pem', 'base64')

finally:
shutil.rmtree(tmpdir)

def create_admin_csr(self):

if self.mdict['pki_admin_cert_request_type'] != 'pkcs10':
Expand Down Expand Up @@ -829,7 +892,10 @@ def get_admin_cert(self, subsystem, client):
b64cert = self.load_admin_cert(subsystem)
else:
b64csr = self.create_admin_csr()
b64cert = self.create_admin_cert(client, b64csr)
if subsystem.type == 'CA':
b64cert = self.create_admin_cert(client, b64csr)
else:
b64cert = self.request_admin_cert(subsystem, b64csr)

logger.info('Admin cert: %s', b64cert)

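Review bot: `ca_type = subsystem.config['preop.ca.type']` at the top of request_admin_cert raises KeyError when the key is absent, whereas the Java code this replaces read `preopConfig.getString("ca.type", "")` and `cs.getString("securitydomain.host", "")` with empty-string defaults and fell through to the security-domain branch; if `subsystem.config` is dict-like, `ca_type = subsystem.config.get('preop.ca.type', '')` preserves that behaviour, otherwise a deliberate error naming the missing key would be clearer than a bare KeyError. The new method also has no docstring; consider `"""Submit the admin CSR to the CA and return the issued cert as base64, authenticating with the install token."""` under the signature. The install token is written to a file inside the mkdtemp() directory, which is created readable only by the creating user and is removed in the finally block, so it is not exposed beyond the deployer's own uid; a one-line comment above that write, `# token file lives only in the private temp dir and is deleted on exit`, would make that reasoning visible to the next reader. The get_admin_cert hunk's enclosing function starts and ends outside the hunk.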
Expand Up @@ -56,8 +56,6 @@
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.ca.CACertClient;
import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.client.ClientConfig;
import com.netscape.certsrv.client.PKIClient;
import com.netscape.certsrv.system.AdminSetupRequest;
Expand Down Expand Up @@ -86,10 +84,6 @@ public class Configurator {

public final static Logger logger = LoggerFactory.getLogger(Configurator.class);

// Hard coded values for ECC and RSA internal cert profile names
public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE = "caECAdminCert";
public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE = "caAdminCert";

public static String SUCCESS = "0";
public static String FAILURE = "1";
public static String AUTH_FAILURE = "2";
Expand Down Expand Up @@ -825,52 +819,7 @@ public Cert setupCert(CertificateSetupRequest request) throws Exception {
}

public X509CertImpl createAdminCertificate(AdminSetupRequest request) throws Exception {

String certRequestType = request.getAdminCertRequestType();
String certRequest = request.getAdminCertRequest();
String sessionID = request.getInstallToken().getToken();

PreOpConfig preopConfig = cs.getPreOpConfig();
String adminSubjectDN = request.getAdminSubjectDN();

logger.info("Configurator: Requesting admin cert from CA");

String type = preopConfig.getString("ca.type", "");
String ca_hostname = "";
int ca_port = -1;

if (type.equals("sdca")) {
ca_hostname = preopConfig.getString("ca.hostname");
ca_port = preopConfig.getInteger("ca.httpsport");
} else {
ca_hostname = cs.getString("securitydomain.host", "");
ca_port = cs.getInteger("securitydomain.httpseeport");
}

String caURL = "https://" + ca_hostname + ":" + ca_port;
logger.info("Configurator: CA URL: " + caURL);

String keyType = request.getAdminKeyType();
String profileID;

if ("ecc".equalsIgnoreCase(keyType)) {
profileID = ECC_INTERNAL_ADMIN_CERT_PROFILE;
} else { // rsa
profileID = RSA_INTERNAL_ADMIN_CERT_PROFILE;
}

logger.debug("Configurator: profile: " + profileID);

PKIClient client = Configurator.createClient(caURL, null, null);
CAClient caClient = new CAClient(client);
CACertClient caCertClient = new CACertClient(caClient);

return caCertClient.submitRequest(
certRequestType,
certRequest,
profileID,
adminSubjectDN,
sessionID);
return null;
}

/**
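Review bot: createAdminCertificate now consists of a single `return null;`, so any caller that has not yet been migrated to the Python path would fail later with a NullPointerException on the returned X509CertImpl instead of at the call site; the callers are not visible in this diff, so this is inferred. If the method must remain for API compatibility, `throw new UnsupportedOperationException("createAdminCertificate has moved to PKIDeployer.request_admin_cert()");` fails loudly, and a `@Deprecated` annotation with a Javadoc line pointing to the replacement would document the intent. The `request` parameter is now unused, which static analysis will flag. The removed CACertClient/CAClient imports and the ECC/RSA profile constants in the earlier hunks are consistent with this stub and need no further change.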

