From e98428031c51016f7adc2774c97d0c815682db73 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 9 Feb 2021 12:05:19 -0600
Subject: [PATCH] Add PKIDeployer.request_admin_cert()

The code that requests the admin cert from the CA has been moved to PKIDeployer.request_admin_cert().
---
 .../python/pki/server/deployment/__init__.py | 68 ++++++++++++++++++-
 .../cms/servlet/csadmin/Configurator.java | 53 +-------------
 2 files changed, 68 insertions(+), 53 deletions(-)

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 00364e12eda..58d089ab056 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -754,6 +754,69 @@ def load_admin_cert(self, subsystem):
 return b64cert
+ def request_admin_cert(self, subsystem, csr):
+
+ ca_type = subsystem.config['preop.ca.type']
+
+ if ca_type == 'sdca':
+ ca_hostname = subsystem.config['preop.ca.hostname']
+ ca_port = subsystem.config['preop.ca.httpsport']
+ else:
+ ca_hostname = subsystem.config['securitydomain.host']
+ ca_port = subsystem.config['securitydomain.httpseeport']
+
+ ca_url = 'https://%s:%s' % (ca_hostname, ca_port)
+ logger.info('Requesting admin cert from %s', ca_url)
+
+ request_type = self.mdict['pki_admin_cert_request_type']
+ key_type = self.mdict['pki_admin_key_type']
+
+ if key_type.lower() == 'ecc':
+ profile = 'caECAdminCert'
+ else:
+ profile = self.mdict['pki_admin_profile_id']
+
+ subject = self.mdict['pki_admin_subject_dn']
+
+ tmpdir = tempfile.mkdtemp()
+ try:
+ pem_csr = pki.nssdb.convert_csr(csr, 'base64', 'pem')
+ csr_file = os.path.join(tmpdir, 'admin.csr')
+ with open(csr_file, 'w') as f:
+ f.write(pem_csr)
+
+ install_token = os.path.join(tmpdir, 'install-token')
+ with open(install_token, 'w') as f:
+ f.write(self.install_token.token)
+
+ cmd = [
+ 'pki',
+ '-d', subsystem.instance.nssdb_dir,
+ '-f', subsystem.instance.password_conf,
+ '-U', ca_url,
+ 'ca-cert-request-submit',
+ '--request-type', request_type,
+ '--csr-file', csr_file,
+ '--profile', profile,
+ '--subject', subject,
+ '--install-token', install_token,
+ '--output-format', 'PEM'
+ ]
+
+ if logger.isEnabledFor(logging.DEBUG):
+ cmd.append('--debug')
+
+ elif logger.isEnabledFor(logging.INFO):
+ cmd.append('--verbose')
+
+ logger.debug('Command: %s', ' '.join(cmd))
+ result = subprocess.run(cmd, stdout=subprocess.PIPE, check=True)
+
+ return pki.nssdb.convert_cert(result.stdout.decode(), 'pem', 'base64')
+
+ finally:
+ shutil.rmtree(tmpdir)
+
 def create_admin_csr(self):
 if self.mdict['pki_admin_cert_request_type'] != 'pkcs10':
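Review bot: `ca_type = subsystem.config['preop.ca.type']` raises KeyError when the key is absent (assuming `subsystem.config` is a plain dict), whereas the Java code this replaces read it as `preopConfig.getString("ca.type", "")` and fell through to the `securitydomain.*` branch; `ca_type = subsystem.config.get('preop.ca.type', '')` keeps that fallback, and `securitydomain.host` was likewise read with a `""` default on the Java side. The new method has no docstring; I would add one stating that `csr` is a base64-encoded CSR which is submitted with `pki ca-cert-request-submit` to the CA named by `preop.ca.*` or `securitydomain.*` using the deployer's install token, and that the issued certificate is returned base64-encoded after the temporary CSR and token files are removed in `finally`. The install token is written with the process umask into the `mkdtemp()` directory, so only the directory's own 0700 mode protects it; creating the file with `os.open(install_token, os.O_WRONLY | os.O_CREAT, 0o600)` would remove that dependence on the parent directory.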
@@ -829,7 +892,10 @@ def get_admin_cert(self, subsystem, client):
 b64cert = self.load_admin_cert(subsystem)
 else:
 b64csr = self.create_admin_csr()
- b64cert = self.create_admin_cert(client, b64csr)
+ if subsystem.type == 'CA':
+ b64cert = self.create_admin_cert(client, b64csr)
+ else:
+ b64cert = self.request_admin_cert(subsystem, b64csr)
 logger.info('Admin cert: %s', b64cert)
diff --git a/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java b/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java
index 5cf28553382..63c3e775a32 100644
--- a/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java
+++ b/base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java
@@ -56,8 +56,6 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.PKIException;
-import com.netscape.certsrv.ca.CACertClient;
-import com.netscape.certsrv.ca.CAClient;
 import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.system.AdminSetupRequest;
@@ -86,10 +84,6 @@ public class Configurator {
 public final static Logger logger = LoggerFactory.getLogger(Configurator.class);
- // Hard coded values for ECC and RSA internal cert profile names
- public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE = "caECAdminCert";
- public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE = "caAdminCert";
-
 public static String SUCCESS = "0";
 public static String FAILURE = "1";
 public static String AUTH_FAILURE = "2";
@@ -825,52 +819,7 @@ public Cert setupCert(CertificateSetupRequest request) throws Exception {
 }
 public X509CertImpl createAdminCertificate(AdminSetupRequest request) throws Exception {
-
- String certRequestType = request.getAdminCertRequestType();
- String certRequest = request.getAdminCertRequest();
- String sessionID = request.getInstallToken().getToken();
-
- PreOpConfig preopConfig = cs.getPreOpConfig();
- String adminSubjectDN = request.getAdminSubjectDN();
-
- logger.info("Configurator: Requesting admin cert from CA");
-
- String type = preopConfig.getString("ca.type", "");
- String ca_hostname = "";
- int ca_port = -1;
-
- if (type.equals("sdca")) {
- ca_hostname = preopConfig.getString("ca.hostname");
- ca_port = preopConfig.getInteger("ca.httpsport");
- } else {
- ca_hostname = cs.getString("securitydomain.host", "");
- ca_port = cs.getInteger("securitydomain.httpseeport");
- }
-
- String caURL = "https://" + ca_hostname + ":" + ca_port;
- logger.info("Configurator: CA URL: " + caURL);
-
- String keyType = request.getAdminKeyType();
- String profileID;
-
- if ("ecc".equalsIgnoreCase(keyType)) {
- profileID = ECC_INTERNAL_ADMIN_CERT_PROFILE;
- } else { // rsa
- profileID = RSA_INTERNAL_ADMIN_CERT_PROFILE;
- }
-
- logger.debug("Configurator: profile: " + profileID);
-
- PKIClient client = Configurator.createClient(caURL, null, null);
- CAClient caClient = new CAClient(client);
- CACertClient caCertClient = new CACertClient(caClient);
-
- return caCertClient.submitRequest(
- certRequestType,
- certRequest,
- profileID,
- adminSubjectDN,
- sessionID);
+ return null;
 }
 /**
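Review bot: `createAdminCertificate` now returns `null` unconditionally while keeping its public signature, so any caller outside this hunk that still dereferences the returned `X509CertImpl` will fail with a NullPointerException far from the cause. If the method has to stay until its callers are migrated, `throw new UnsupportedOperationException("admin cert requests are now handled by PKIDeployer.request_admin_cert()");` reports the removed behaviour at the point of use instead; otherwise the stub and its `AdminSetupRequest` parameter could be dropped together. A one-line Javadoc on the stub saying that the request path moved to the Python deployer would also spare the next reader a search.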