From 6b36d7418319a0f35b93a2897b1e43904668be97 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 19 Jul 2023 09:37:24 -0500
Subject: [PATCH] Refactor set_signing_algs_for_pss()

The code that updates RSA-PSS algorithms has been simplified
and moved into PKIDeployer.
---
 .../python/pki/server/deployment/__init__.py  | 41 +++++++++
 .../scriptlets/security_databases.py          | 91 +------------------
 2 files changed, 44 insertions(+), 88 deletions(-)

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index da23a4cc95d..fb49664b187 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -380,6 +380,47 @@ def create_server_xml(self, instance):
 
         server_config.save()
 
+    def update_rsa_pss_algorithm(self, cert_id, alg_type):
+
+        param = 'pki_%s_%s_algorithm' % (cert_id, alg_type)
+        algorithm = self.mdict[param]
+
+        # if algorithm is XXXwithRSA, change it into XXXwithRSA/PSS
+        if not re.search(r'withRSA$', algorithm):
+            return
+
+        self.mdict[param] = '%s/PSS' % algorithm
+
+    def update_rsa_pss_algorithms(self, subsystem):
+
+        logger.info('Updating RSA-PSS algorithms')
+
+        if subsystem.type == 'CA':
+            self.update_rsa_pss_algorithm('ca_signing', 'key')
+            self.update_rsa_pss_algorithm('ca_signing', 'signing')
+
+        if subsystem.type == 'KRA':
+            self.update_rsa_pss_algorithm('storage', 'key')
+            self.update_rsa_pss_algorithm('storage', 'signing')
+
+            self.update_rsa_pss_algorithm('transport', 'key')
+            self.update_rsa_pss_algorithm('transport', 'signing')
+
+        if subsystem.type in ['CA', 'OCSP']:
+            self.update_rsa_pss_algorithm('ocsp_signing', 'key')
+            self.update_rsa_pss_algorithm('ocsp_signing', 'signing')
+
+        self.update_rsa_pss_algorithm('audit_signing', 'key')
+        self.update_rsa_pss_algorithm('audit_signing', 'signing')
+
+        self.update_rsa_pss_algorithm('sslserver', 'key')
+        self.update_rsa_pss_algorithm('sslserver', 'signing')
+
+        self.update_rsa_pss_algorithm('subsystem', 'key')
+        self.update_rsa_pss_algorithm('subsystem', 'signing')
+
+        self.update_rsa_pss_algorithm('admin', 'key')
+
     def get_key_params(self, cert_id):
 
         key_type = self.mdict['pki_%s_key_type' % cert_id]
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 188581bade6..edaba54467c 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -49,14 +49,11 @@ def spawn(self, deployer):
         instance = self.instance
         instance.load()
 
-        usePSSForRSASigningAlg = \
-            deployer.mdict['pki_use_pss_rsa_signing_algorithm']
-
-        if usePSSForRSASigningAlg == "True":
-            self.set_signing_algs_for_pss(deployer)
-
         subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
 
+        if config.str2bool(deployer.mdict['pki_use_pss_rsa_signing_algorithm']):
+            deployer.update_rsa_pss_algorithms(subsystem)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             hsm_token = deployer.mdict['pki_token_name']
             subsystem.config['preop.module.token'] = hsm_token
@@ -436,88 +433,6 @@ def spawn(self, deployer):
         finally:
             nssdb.close()
 
-    def set_signing_algs_for_pss(self, deployer):
-        # We know that the use pss flag is true.
-        # Only modify SHAXXXwithRSA series of algs for PSS.
-        logger.debug('In security_databases.set_signing_algs_for_pss')
-        if ('pki_admin_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_admin_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_admin_key_algorithm']):
-                deployer.mdict['pki_admin_key_algorithm'] = \
-                    deployer.mdict['pki_admin_key_algorithm'] + '/PSS'
-        if ('pki_audit_signing_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_audit_signing_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_audit_signing_key_algorithm']):
-                deployer.mdict['pki_audit_signing_key_algorithm'] = \
-                    deployer.mdict['pki_audit_signing_key_algorithm'] + '/PSS'
-        if ('pki_audit_signing_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_audit_signing_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_audit_signing_signing_algorithm']):
-                deployer.mdict['pki_audit_signing_signing_algorithm'] = \
-                    deployer.mdict['pki_audit_signing_signing_algorithm'] + '/PSS'
-        if ('pki_ca_signing_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_ca_signing_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_ca_signing_key_algorithm']):
-                deployer.mdict['pki_ca_signing_key_algorithm'] = \
-                    deployer.mdict['pki_ca_signing_key_algorithm'] + '/PSS'
-        if ('pki_ca_signing_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_ca_signing_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_ca_signing_signing_algorithm']):
-                deployer.mdict['pki_ca_signing_signing_algorithm'] = \
-                    deployer.mdict['pki_ca_signing_signing_algorithm'] + '/PSS'
-        if ('pki_ocsp_signing_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_ocsp_signing_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_ocsp_signing_key_algorithm']):
-                deployer.mdict['pki_ocsp_signing_key_algorithm'] = \
-                    deployer.mdict['pki_ocsp_signing_key_algorithm'] + '/PSS'
-        if ('pki_ocsp_signing_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_ocsp_signing_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_ocsp_signing_signing_algorithm']):
-                deployer.mdict['pki_ocsp_signing_signing_algorithm'] = \
-                    deployer.mdict['pki_ocsp_signing_signing_algorithm'] + '/PSS'
-        if ('pki_transport_signing_algorithm' in deployer.mdict):
-            if ('pki_transport_signing_algorithm' in deployer.mdict):
-                if ('RSA' in deployer.mdict['pki_transport_signing_algorithm'] and
-                        'PSS' not in deployer.mdict['pki_transport_signing_algorithm']):
-                    deployer.mdict['pki_transport_signing_algorithm'] = \
-                        deployer.mdict['pki_transport_signing_algorithm'] + '/PSS'
-        if ('pki_transport_key_algorithm' in deployer.mdict):
-            if ('pki_transport_key_algorithm' in deployer.mdict):
-                if ('RSA' in deployer.mdict['pki_transport_key_algorithm'] and
-                        'PSS' not in deployer.mdict['pki_transport_key_algorithm']):
-                    deployer.mdict['pki_transport_key_algorithm'] = \
-                        deployer.mdict['pki_transport_key_algorithm'] + '/PSS'
-        if ('pki_sslserver_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_sslserver_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_sslserver_key_algorithm']):
-                deployer.mdict['pki_sslserver_key_algorithm'] = \
-                    deployer.mdict['pki_sslserver_key_algorithm'] + '/PSS'
-        if ('pki_sslserver_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_sslserver_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_sslserver_signing_algorithm']):
-                deployer.mdict['pki_sslserver_signing_algorithm'] = \
-                    deployer.mdict['pki_sslserver_signing_algorithm'] + '/PSS'
-        if ('pki_storage_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_storage_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_storage_signing_algorithm']):
-                deployer.mdict['pki_storage_signing_algorithm'] = \
-                    deployer.mdict['pki_storage_signing_algorithm'] + '/PSS'
-        if ('pki_storage_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_storage_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_storage_key_algorithm']):
-                deployer.mdict['pki_storage_key_algorithm'] = \
-                    deployer.mdict['pki_storage_key_algorithm'] + '/PSS'
-        if ('pki_subsystem_key_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_subsystem_key_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_subsystem_key_algorithm']):
-                deployer.mdict['pki_subsystem_key_algorithm'] = \
-                    deployer.mdict['pki_subsystem_key_algorithm'] + '/PSS'
-        if ('pki_subsystem_signing_algorithm' in deployer.mdict):
-            if ('RSA' in deployer.mdict['pki_subsystem_signing_algorithm'] and
-                    'PSS' not in deployer.mdict['pki_subsystem_signing_algorithm']):
-                deployer.mdict['pki_subsystem_signing_algorithm'] = \
-                    deployer.mdict['pki_subsystem_signing_algorithm'] + '/PSS'
-
     def update_external_certs_conf(self, external_path, deployer):
         external_certs = pki.server.instance.PKIInstance.read_external_certs(
             external_path)