diff --git a/.github/workflows/est-ds-realm-separate-test.yml b/.github/workflows/est-ds-realm-separate-test.yml index a6231b5238a..bff04bb1c7e 100644 --- a/.github/workflows/est-ds-realm-separate-test.yml +++ b/.github/workflows/est-ds-realm-separate-test.yml @@ -69,46 +69,12 @@ jobs: docker exec ca pki info - - name: Create EST server certificates in p12 - run: | - docker exec ca pki nss-cert-request --csr estSSLServer.csr \ - --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=est.example.com' - - docker exec ca pki \ - -n caadmin \ - ca-cert-issue \ - --csr-file estSSLServer.csr \ - --profile caServerCert \ - --output-file estSSLServer.crt - - docker exec ca pki nss-cert-import --cert estSSLServer.crt sslserver - - docker exec ca pki pkcs12-cert-import sslserver --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123 - - name: Add CA EST user run: | docker exec ca pki -n caadmin ca-group-add "EST RA Agents" docker exec ca pki -n caadmin ca-user-add \ est-ra-1 --fullName "EST RA 1" --password Secret.est docker exec ca pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1 - - - name: Create CA EST user certificate end store top p12 - run: | - docker exec ca pki nss-cert-request --csr estUser.csr \ - --ext /usr/share/pki/server/certs/admin.conf --subject 'UID=estUser' - - docker exec ca pki \ - -n caadmin \ - ca-cert-issue \ - --csr-file estUser.csr \ - --profile caUserCert \ - --output-file estUser.crt - - docker exec ca pki nss-cert-import --cert estUser.crt estUser - - docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --input estUser.crt $CERT_ID - - docker exec ca pki pkcs12-cert-import estUser --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123 --append - name: Configure CA est profile run: | 
@@ -177,10 +143,8 @@ jobs: -s EST \ -D est_realm_url=ldap://estds.example.com:3389 \ -D pki_ca_uri=https://ca.example.com:8443 \ - -D est_ca_user_password= \ - -D est_ca_user_certificate=estUser \ - -D pki_server_pkcs12_path=$SHARED/est_server.p12 \ - -D pki_server_pkcs12_password=Secret.123 \ + -D pki_cert_chain_path=$SHARED/ca_signing.crt \ + -D pki_cert_chain_nickname=caSigning \ -v - name: Check EST server base dir after installation @@ -229,6 +193,7 @@ jobs: lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties -rw-rw---- pkiuser pkiuser password.conf -rw-rw---- pkiuser pkiuser server.xml + -rw-rw---- pkiuser pkiuser serverCertNick.conf -rw-rw---- pkiuser pkiuser tomcat.conf lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml EOF @@ -275,7 +240,7 @@ jobs: -rw-rw---- pkiuser pkiuser authorizer.conf -rw-rw---- pkiuser pkiuser backend.conf -rw-rw-r-- pkiuser pkiuser realm.conf - -rw-r--r-- pkiuser pkiuser registry.cfg + -rw-rw-r-- pkiuser pkiuser registry.cfg EOF diff expected output @@ -352,6 +317,7 @@ jobs: lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties -rw-rw---- pkiuser pkiuser password.conf -rw-rw---- pkiuser pkiuser server.xml + -rw-rw---- pkiuser pkiuser serverCertNick.conf -rw-rw---- pkiuser pkiuser tomcat.conf lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml EOF diff --git a/.github/workflows/est-ds-realm-test.yml b/.github/workflows/est-ds-realm-test.yml index aaa795741e0..13ae3acb17e 100644 --- a/.github/workflows/est-ds-realm-test.yml +++ b/.github/workflows/est-ds-realm-test.yml @@ -219,6 +219,7 @@ jobs: -rw-rw---- pkiuser pkiuser authorizer.conf -rw-rw---- pkiuser pkiuser backend.conf -rw-rw-r-- pkiuser pkiuser realm.conf + -rw-rw-r-- pkiuser pkiuser registry.cfg EOF diff expected output diff --git a/.github/workflows/est-postgresql-realm-test.yml b/.github/workflows/est-postgresql-realm-test.yml index 97ef412f87d..72bf5c208bb 100644 
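Review bot: The expected mode for `registry.cfg` widens from `-rw-r--r--` to `-rw-rw-r--` in the `@@ -275,7 +240,7 @@` hunk, and the `registry.cfg` lines added to est-ds-realm-test.yml and est-postgresql-realm-test.yml in this diff assert the same group-writable mode, but nothing in the diff shows the deployment change that produces it. The neighbouring `CS.cfg` and `realm.conf` entries already carry that mode, so the expectation is at least internally consistent, yet the reason for widening group access is recorded nowhere. I would state it in the commit description or replace the `# TODO: review permissions` marker above the heredoc with a comment naming why the pkiuser group needs write access to the registry file.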
--- a/.github/workflows/est-postgresql-realm-test.yml +++ b/.github/workflows/est-postgresql-realm-test.yml @@ -301,6 +301,7 @@ jobs: -rw-rw---- pkiuser pkiuser authorizer.conf -rw-rw---- pkiuser pkiuser backend.conf -rw-rw-r-- pkiuser pkiuser realm.conf + -rw-rw-r-- pkiuser pkiuser registry.cfg EOF diff expected output diff --git a/.github/workflows/est-separate-provided-certs-test.yml b/.github/workflows/est-separate-provided-certs-test.yml new file mode 100644 index 00000000000..1784b6b6f8e --- /dev/null +++ b/.github/workflows/est-separate-provided-certs-test.yml 
@@ -0,0 +1,432 @@ +name: EST on separate instance with provided certificates + +on: workflow_call + +env: + DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }} + +jobs: + # docs/installation/ca/Installing_CA.md + test: + name: Test + runs-on: ubuntu-latest + env: + SHARED: /tmp/workdir/pki + steps: + - name: Clone repository + uses: actions/checkout@v4 + + - name: Retrieve PKI images + uses: actions/cache@v4 + with: + key: pki-images-${{ github.sha }} + path: pki-images.tar + + - name: Load PKI images + run: docker load --input pki-images.tar + + - name: Create network + run: docker network create example + + - name: Set up CA DS container + run: | + tests/bin/ds-create.sh \ + --image=${{ env.DB_IMAGE }} \ + --hostname=cads.example.com \ + --password=Secret.123 \ + --network=example \ + --network-alias=cads.example.com \ + cads + + - name: Set up CA container + run: | + tests/bin/runner-init.sh \ + --hostname=ca.example.com \ + --network=example \ + --network-alias=ca.example.com \ + ca + + - name: Install CA + run: | + docker exec ca pkispawn \ + -f /usr/share/pki/server/examples/installation/ca.cfg \ + -s CA \ + -D pki_ds_url=ldap://cads.example.com:3389 \ + -v + + - name: Initialize PKI client + run: | + docker exec ca pki-server cert-export ca_signing --cert-file $SHARED/ca_signing.crt + + docker exec ca pki nss-cert-import \ + --cert $SHARED/ca_signing.crt \ + --trust CT,C,C \ + ca_signing + + docker exec ca pki pkcs12-import \ + --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ + --pkcs12-password Secret.123 + + docker exec ca pki info + + - name: Create EST server certificates in p12 + run: | + docker exec ca pki nss-cert-request --csr estSSLServer.csr \ + --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=est.example.com' + + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --csr-file estSSLServer.csr \ + --profile caServerCert \ + --output-file estSSLServer.crt + + docker exec ca pki nss-cert-import --cert estSSLServer.crt 
sslserver + + docker exec ca pki pkcs12-cert-import sslserver --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123 + + - name: Add CA EST user + run: | + docker exec ca pki -n caadmin ca-group-add "EST RA Agents" + docker exec ca pki -n caadmin ca-user-add \ + est-ra-1 --fullName "EST RA 1" --password Secret.est + docker exec ca pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1 + + - name: Create CA EST user certificate end store top p12 + run: | + docker exec ca pki nss-cert-request --csr estUser.csr \ + --ext /usr/share/pki/server/certs/admin.conf --subject 'UID=estUser' + + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --csr-file estUser.csr \ + --profile caUserCert \ + --output-file estUser.crt + + docker exec ca pki nss-cert-import --cert estUser.crt estUser + + docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --input estUser.crt + + docker exec ca pki pkcs12-cert-import estUser --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123 --append + + - name: Configure CA est profile + run: | + docker exec ca pki -n caadmin ca-profile-add \ + --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg + docker exec ca pki -n caadmin ca-profile-enable estServiceCert + docker exec ca pki-server restart --wait + + - name: Set up EST DS container + run: | + tests/bin/ds-create.sh \ + --image=${{ env.DB_IMAGE }} \ + --hostname=estds.example.com \ + --password=Secret.123 \ + --network=example \ + --network-alias=estds.example.com \ + estds + + - name: Create EST users + run: | + docker exec -i estds ldapadd -x -H ldap://estds.example.com:3389 \ + -D "cn=Directory Manager" -w Secret.123 << EOF + dn: dc=est,dc=pki,dc=example,dc=com + objectClass: domain + dc: est + + dn: ou=people,dc=est,dc=pki,dc=example,dc=com + ou: people + objectClass: top + objectClass: organizationalUnit + + dn: ou=groups,dc=est,dc=pki,dc=example,dc=com + ou: groups + objectClass: top + objectClass: organizationalUnit + + dn: 
uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: inetOrgPerson + uid: est-test-user + sn: EST TEST USER + cn: EST TEST USER + userPassword: Secret.123 + + dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com + objectClass: top + objectClass: groupOfUniqueNames + cn: estclient + uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com + EOF + + - name: Set up EST container + run: | + tests/bin/runner-init.sh \ + --hostname=est.example.com \ + --network=example \ + --network-alias=est.example.com \ + est + + - name: Install EST + run: | + docker exec est pkispawn \ + -f /usr/share/pki/server/examples/installation/est.cfg \ + -s EST \ + -D est_realm_url=ldap://estds.example.com:3389 \ + -D pki_ca_uri=https://ca.example.com:8443 \ + -D est_ca_user_password= \ + -D est_ca_user_certificate=estUser \ + -D pki_server_pkcs12_path=$SHARED/est_server.p12 \ + -D pki_server_pkcs12_password=Secret.123 \ + -v + + - name: Check EST server base dir after installation + run: | + # check file types, owners, and permissions + docker exec est ls -l /var/lib/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias + lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin + drwxrwx--- pkiuser pkiuser common + lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat + drwxrwx--- pkiuser pkiuser est + lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib + lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat + drwxrwx--- pkiuser pkiuser temp + drwxr-xr-x pkiuser pkiuser webapps + drwxrwx--- pkiuser pkiuser work + EOF + + diff expected output + + - name: Check EST server conf dir after installation + run: | + # check file types, owners, and 
permissions + docker exec est ls -l /etc/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + drwxrwx--- pkiuser pkiuser Catalina + drwxrwx--- pkiuser pkiuser alias + -rw-r--r-- pkiuser pkiuser catalina.policy + lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties + drwxrwx--- pkiuser pkiuser certs + lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml + drwxrwx--- pkiuser pkiuser est + lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties + -rw-rw---- pkiuser pkiuser password.conf + -rw-rw---- pkiuser pkiuser server.xml + -rw-rw---- pkiuser pkiuser serverCertNick.conf + -rw-rw---- pkiuser pkiuser tomcat.conf + lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml + EOF + + diff expected output + + - name: Check EST server logs dir after installation + run: | + # check file types, owners, and permissions + docker exec est ls -l /var/log/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + DATE=$(date +'%Y-%m-%d') + + # TODO: review permissions + cat > expected << EOF + drwxr-x--- pkiuser pkiuser backup + -rw-r--r-- pkiuser pkiuser catalina.$DATE.log + drwxrwx--- pkiuser pkiuser est + -rw-r--r-- pkiuser pkiuser host-manager.$DATE.log + -rw-r--r-- pkiuser pkiuser localhost.$DATE.log + -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt + -rw-r--r-- pkiuser pkiuser manager.$DATE.log + drwxr-xr-x pkiuser pkiuser pki + EOF + + diff expected output + + - name: Check EST conf dir + run: | + # check file types, owners, and permissions + docker exec est ls -l /etc/pki/pki-tomcat/est \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: 
review permissions + cat > expected << EOF + -rw-rw-r-- pkiuser pkiuser CS.cfg + -rw-rw---- pkiuser pkiuser authorizer.conf + -rw-rw---- pkiuser pkiuser backend.conf + -rw-rw-r-- pkiuser pkiuser realm.conf + -rw-rw-r-- pkiuser pkiuser registry.cfg + EOF + + diff expected output + + - name: Test CA certs + run: | + docker exec est curl -o cacert.p7 -k https://est.example.com:8443/.well-known/est/cacerts + + docker exec est openssl base64 -d --in cacert.p7 --out cacert.p7.der + docker exec est openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem + docker exec est openssl x509 -in cacert.pem -text -noout | tee actual + docker exec est openssl x509 -in $SHARED/ca_signing.crt -text -noout | tee expected + diff expected actual + + - name: Install est client + run: | + docker exec est dnf copr enable -y @pki/libest + docker exec est dnf install -y libest + + - name: Enroll certificate + run: | + docker exec -e EST_OPENSSL_CACERT=cacert.pem est estclient -e -s est.example.com -p 8443 \ + --common-name test.example.com -o . 
-u est-test-user -h Secret.123 + + docker exec est openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der + docker exec est openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem + docker exec est openssl x509 -in cert.pem -subject -noout | tee actual + echo "subject=CN=test.example.com" > expected + diff expected actual + + - name: Remove EST + run: | + docker exec est pkidestroy -i pki-tomcat -s EST -v + + - name: Remove CA + run: | + docker exec ca pkidestroy -i pki-tomcat -s CA -v + + - name: Check EST server base dir after removal + run: | + # check file types, owners, and permissions + docker exec est ls -l /var/lib/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat + lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat + EOF + + diff expected output + + - name: Check EST server conf dir after removal + run: | + # check file types, owners, and permissions + docker exec est ls -l /etc/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + drwxrwx--- pkiuser pkiuser Catalina + drwxrwx--- pkiuser pkiuser alias + -rw-r--r-- pkiuser pkiuser catalina.policy + lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties + drwxrwx--- pkiuser pkiuser certs + lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml + drwxrwx--- pkiuser pkiuser est + lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties + -rw-rw---- pkiuser pkiuser password.conf + -rw-rw---- pkiuser pkiuser server.xml + -rw-rw---- pkiuser pkiuser serverCertNick.conf + -rw-rw---- pkiuser pkiuser tomcat.conf + lrwxrwxrwx pkiuser pkiuser 
web.xml -> /etc/tomcat/web.xml + EOF + + diff expected output + + - name: Check EST server logs dir after removal + run: | + # check file types, owners, and permissions + docker exec est ls -l /var/log/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + DATE=$(date +'%Y-%m-%d') + + # TODO: review permissions + cat > expected << EOF + drwxr-x--- pkiuser pkiuser backup + -rw-r--r-- pkiuser pkiuser catalina.$DATE.log + drwxrwx--- pkiuser pkiuser est + -rw-r--r-- pkiuser pkiuser host-manager.$DATE.log + -rw-r--r-- pkiuser pkiuser localhost.$DATE.log + -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt + -rw-r--r-- pkiuser pkiuser manager.$DATE.log + drwxr-xr-x pkiuser pkiuser pki + EOF + + diff expected output + + - name: Check CA DS server systemd journal + if: always() + run: | + docker exec cads journalctl -x --no-pager -u dirsrv@localhost.service + + - name: Check CA DS container logs + if: always() + run: | + docker logs cads + + - name: Check CA PKI server systemd journal + if: always() + run: | + docker exec ca journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service + + - name: Check EST PKI server systemd journal + if: always() + run: | + docker exec est journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service + + - name: Check CA debug log + if: always() + run: | + docker exec ca find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; + + - name: Check EST debug log + if: always() + run: | + docker exec est find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \; + + - name: Gather artifacts + if: always() + run: | + tests/bin/ds-artifacts-save.sh cads + tests/bin/ds-artifacts-save.sh estds + tests/bin/pki-artifacts-save.sh ca + tests/bin/pki-artifacts-save.sh est + continue-on-error: true + + - name: Upload artifacts + if: always() + uses: actions/upload-artifact@v4 + with: + name: est-separate-provided-certs + path: 
/tmp/artifacts diff --git a/.github/workflows/est-tests.yml b/.github/workflows/est-tests.yml index f9431ea57c5..c39465c576f 100644 --- a/.github/workflows/est-tests.yml +++ b/.github/workflows/est-tests.yml @@ -56,3 +56,8 @@ jobs: name: EST with ds realm on a separate instance needs: build uses: ./.github/workflows/est-ds-realm-separate-test.yml + + est-separate-provided-certs-test: + name: EST with ds realm on a separate instance + needs: build + uses: ./.github/workflows/est-separate-provided-certs-test.yml diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 29e77aa2e7e..fa2e8928865 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -668,9 +668,11 @@ pki_registry_enable=True # See /usr/share/pki/acme/realm//realm.conf [EST] pki_ds_setup=False +pki_share_db=False pki_security_domain_setup=False pki_registry_enable=True pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s +pki_audit_signing_nickname= est_ca_profile=estServiceCert est_ca_user_name= est_ca_user_password= diff --git a/base/server/examples/installation/est.cfg b/base/server/examples/installation/est.cfg index 3a64da4694e..3ab91037abc 100644 --- a/base/server/examples/installation/est.cfg +++ b/base/server/examples/installation/est.cfg @@ -1,5 +1,6 @@ [DEFAULT] pki_server_database_password=Secret.123 +pki_admin_setup=False [EST] est_realm_type=ds @@ -7,3 +8,4 @@ est_realm_url=ldap://localhost.localdomain:3389 est_realm_bind_password=Secret.123 est_ca_user_name=est-ra-1 est_ca_user_password=Secret.est +pki_sslserver_nickname=sslserver \ No newline at end of file diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 01e6905433e..af2ae196020 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py 
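Review bot: The step name `Create CA EST user certificate end store top p12` in the new workflow reads as a typo of `Create CA EST user certificate and store to p12`; the same wording is removed from est-ds-realm-separate-test.yml in this diff, so this is the only remaining copy and the moment to fix it. Separately, the `Test CA certs` step fetches `/.well-known/est/cacerts` with `curl -k`, which is acceptable here only because the following lines diff the result against `$SHARED/ca_signing.crt` before `cacert.pem` is reused as `EST_OPENSSL_CACERT` in the enrollment step. A one-line comment above the curl, e.g. `# -k is safe here: the response is compared against ca_signing.crt below before it is trusted`, would make that dependency explicit so a later edit does not drop the diff.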
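Review bot: The new `est-separate-provided-certs-test` job reuses the display name `EST with ds realm on a separate instance` from the `est-ds-realm-separate-test` job directly above it, so the two runs are indistinguishable in the checks list. The called workflow already names itself `EST on separate instance with provided certificates`; use the same here: `name: EST on separate instance with provided certificates`.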
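Review bot: `pki_audit_signing_nickname=` is added empty to the `[EST]` section without a comment, while the `init_system_cert_params` change in this diff returns early for EST just before the audit-signing parameters are read. Taken together this appears to mean an EST instance is deployed without an audit signing certificate, which is a deliberate choice worth recording next to the setting, e.g. `# EST has no audit signing cert; the installer skips audit params for EST`, so that a later reader does not set a value expecting it to take effect.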
@@ -943,6 +943,9 @@ def init_system_cert_params(self, subsystem): subsystem.set_config('ocsp.signing.certnickname', signing_nickname) subsystem.set_config('ocsp.signing.cacertnickname', signing_nickname) + if subsystem.type == 'EST': + return + audit_nickname = subsystem.config['%s.audit_signing.nickname' % subsystem.name] audit_token = subsystem.config['%s.audit_signing.tokenname' % subsystem.name] @@ -3307,8 +3310,12 @@ def remove_temp_sslserver_cert(self): def update_sslserver_cert_nickname(self, subsystem): sslserver = subsystem.get_subsystem_cert('sslserver') - nickname = sslserver['nickname'] - token = sslserver['token'] + if sslserver: + nickname = sslserver['nickname'] + token = sslserver['token'] + else: + nickname = self.mdict['pki_sslserver_nickname'] + token = self.mdict['pki_sslserver_token'] self.instance.set_sslserver_cert_nickname(nickname, token) def create_cert_id(self, subsystem, tag, request): @@ -3563,7 +3570,7 @@ def setup_system_certs(self, nssdb, subsystem): external = config.str2bool(self.mdict['pki_external']) or \ config.str2bool(self.mdict['pki_standalone']) - tags = subsystem.config['%s.cert.list' % subsystem.name].split(',') + tags = subsystem.get_subsystem_certs() for tag in tags: @@ -3594,6 +3601,9 @@ def setup_system_certs(self, nssdb, subsystem): self.setup_system_cert(nssdb, subsystem, tag, system_cert, request) + if subsystem.type == 'EST': + system_certs['sslserver'] = self.create_est_sslserver(nssdb) + logger.info('Setting up trust flags') if pki.nssdb.internal_token(self.mdict.get('pki_token_name')): 
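Review bot: In `update_sslserver_cert_nickname` the new fallback reads `self.mdict['pki_sslserver_token']` raw, whereas `create_est_sslserver` in this same diff normalizes that parameter with `pki.nssdb.normalize_token` and the configuration.py hunk falls back to `pki_token_name` when the token is empty. Without the same treatment an unset `pki_sslserver_token` may be handed to `set_sslserver_cert_nickname` as an empty string, and the two code paths can disagree on what they store for the same instance. Suggested: `token = pki.nssdb.normalize_token(self.mdict['pki_sslserver_token'])` followed by `if not token: token = self.mdict['pki_token_name']`.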
@@ -5640,6 +5650,86 @@ def deploy_est_webapp(self, subsystem): max_wait=self.startup_timeout, timeout=self.request_timeout) + def create_est_sslserver_csr(self, nssdb): + subject_dn = self.mdict.get('pki_sslserver_subject_dn') + + csr_file = self.instance.csr_file('sslserver') + (key_type, key_size, curve, hash_alg) = self.get_key_params('sslserver') + + key_usage_ext = { + 'digitalSignature': True, + 'nonRepudiation': True, + 'keyEncipherment': True, + 'dataEncipherment': True, + 'critical': True + } + + extended_key_usage_ext = { + 'serverAuth': True + } + + nssdb.create_request( + subject_dn=subject_dn, + request_file=csr_file, + key_type=key_type, + key_size=key_size, + curve=curve, + hash_alg=hash_alg, + key_usage_ext=key_usage_ext, + extended_key_usage_ext=extended_key_usage_ext, + use_jss=True) + + with open(csr_file, 'r', encoding='utf-8') as f: + csr_pem = f.read() + + return csr_pem + + def create_est_sslserver_cert(self, request_data): + url = self.mdict['pki_ca_uri'] + credentials = {} + + if self.mdict['est_ca_user_certificate']: + credentials['nickname'] = self.mdict['est_ca_user_certificate'] + + if self.mdict['est_ca_user_name']: + credentials['username'] = self.mdict['est_ca_user_name'] + + if self.mdict['est_ca_user_password']: + credentials['password'] = self.mdict['est_ca_user_password'] + + if self.mdict['est_ca_user_password_file']: + credentials['passwordFile'] = self.mdict['est_ca_user_password_file'] + + # TODO: do not hardcode request type + return self.issue_cert( + url=url, + request_type='pkcs10', + request_data=request_data, + profile=self.mdict['est_ca_profile'], + credentials=credentials) + + def create_est_sslserver(self, nssdb): + system_cert = { + 'nickname': self.mdict['pki_sslserver_nickname'], + 'token': pki.nssdb.normalize_token(self.mdict['pki_sslserver_token']) + } + nickname = system_cert['nickname'] + if system_cert['token']: + nickname = system_cert['token'] + ':' + nickname + logger.info('Checking existing SSL server 
cert: %s', nickname) + cert_pem = nssdb.get_cert(nickname) + if cert_pem: + # SSL server cert already exists + return system_cert + logger.info('Creating SSL server cert request') + csr_pem = self.create_est_sslserver_csr(nssdb) + logger.info('Issuing SSL server cert') + cert_pem = self.create_est_sslserver_cert(csr_pem) + + logger.info('Importing SSL server cert as %s', nickname) + nssdb.add_cert(nickname=nickname, cert_data=cert_pem) + return system_cert + def spawn_est(self): subsystem = self.create_est_subsystem() self.instance.add_subsystem(subsystem) @@ -5672,13 +5762,10 @@ def spawn(self): self.spawn_acme() return - if self.subsystem_type == 'EST': - self.spawn_est() - else: - scriptlet = pki.server.deployment.scriptlets.subsystem_layout.PkiScriptlet() - scriptlet.deployer = self - scriptlet.instance = self.instance - scriptlet.spawn(self) + scriptlet = pki.server.deployment.scriptlets.subsystem_layout.PkiScriptlet() + scriptlet.deployer = self + scriptlet.instance = self.instance + scriptlet.spawn(self) scriptlet = pki.server.deployment.scriptlets.security_databases.PkiScriptlet() scriptlet.deployer = self @@ -5700,11 +5787,10 @@ def spawn(self): scriptlet.instance = self.instance scriptlet.spawn(self) - if self.subsystem_type != 'EST': - scriptlet = pki.server.deployment.scriptlets.configuration.PkiScriptlet() - scriptlet.deployer = self - scriptlet.instance = self.instance - scriptlet.spawn(self) + scriptlet = pki.server.deployment.scriptlets.configuration.PkiScriptlet() + scriptlet.deployer = self + scriptlet.instance = self.instance + scriptlet.spawn(self) scriptlet = pki.server.deployment.scriptlets.finalization.PkiScriptlet() scriptlet.deployer = self diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 91619115e38..689d26d95b7 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py 
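Review bot: `create_est_sslserver_cert` builds an empty `credentials` dict when none of `est_ca_user_certificate`, `est_ca_user_name`, `est_ca_user_password` or `est_ca_user_password_file` is set and still calls `issue_cert`, so a misconfigured install presumably fails inside the CA request rather than at the point the operator can act on. A guard before the call, `if not credentials: raise Exception('No CA credentials configured for the EST SSL server cert (est_ca_user_*)')`, names the parameters to fix. The four `self.mdict[...]` lookups also raise `KeyError` when a key is absent from the deployment config; the default.cfg hunk in this diff shows `est_ca_user_name` and `est_ca_user_password` but not `est_ca_user_certificate` or `est_ca_user_password_file`, so confirm those have defaults or switch to `self.mdict.get(...)`. In `create_est_sslserver`, a short docstring stating that an existing cert found under `nickname` is reused as-is, without checking its subject or validity, would document the early return.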
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -182,15 +182,14 @@ def spawn(self, deployer): deployer.remove_temp_sslserver_cert() # Store perm SSL server cert nickname and token - nickname = system_certs['sslserver']['nickname'] - token = pki.nssdb.normalize_token(system_certs['sslserver']['token']) - - if not token: - token = deployer.mdict.get('pki_sslserver_token') + if 'sslserver' in system_certs: + nickname = system_certs['sslserver']['nickname'] + token = pki.nssdb.normalize_token(system_certs['sslserver']['token']) if not token: - token = deployer.mdict['pki_token_name'] - - instance.set_sslserver_cert_nickname(nickname, token) + token = deployer.mdict.get('pki_sslserver_token') + if not token: + token = deployer.mdict['pki_token_name'] + instance.set_sslserver_cert_nickname(nickname, token) else: if config.str2bool(deployer.mdict['pki_hsm_enable']): diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py index c1369634005..58b25339736 100644 --- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py @@ -74,7 +74,8 @@ def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_registry_enable']): subsystem.create_registry(exist_ok=True) - deployer.create_cs_cfg(subsystem) + if deployer.subsystem_type != "EST": + deployer.create_cs_cfg(subsystem) if deployer.subsystem_type == "CA": @@ -288,6 +289,12 @@ def spawn(self, deployer): params=deployer.mdict, exist_ok=True) + elif deployer.subsystem_type == "EST": + subsystem.add_est_config(exist_ok=True, force=True) + deployer.configure_est_backend(subsystem) + deployer.configure_est_authorizer(subsystem) + deployer.configure_est_realm(subsystem) + instance.load() subsystem = instance.get_subsystem(subsystem_name) 
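Review bot: With the new `if 'sslserver' in system_certs:` guard, the branch that previously always stored the permanent SSL server nickname now does nothing when the key is absent, and nothing in this hunk handles that case; the `update_sslserver_cert_nickname` change elsewhere in the diff provides an `mdict` fallback, but whether it runs on this path is not visible here. If the omission is intentional, a comment on the guard stating when `sslserver` can be missing from `system_certs` and where the nickname is stored in that case would record it; otherwise an `else` mirroring that fallback belongs here. The enclosing `if`/`else` in `spawn` starts and ends outside the hunk.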
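Review bot: The new EST branch calls `subsystem.add_est_config(exist_ok=True, force=True)`, so an existing EST configuration is overwritten on every spawn, while the neighbouring calls visible in this hunk pass `exist_ok=True` without `force`; on a re-run over an already configured instance that presumably discards hand-edited backend, authorizer or realm settings before the `configure_est_*` calls run. If the overwrite is intended because the installer owns those files, record it with a comment, e.g. `# force=True: pkispawn regenerates the EST config files from the deployment parameters`; otherwise drop `force=True`. Both `spawn` hunks are part of the same function, whose start and end lie outside the hunk.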
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index 113ce4f346d..9ca4516110f 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -362,6 +362,12 @@ def get_cert_infos(self): for cert_tag in cert_list.split(','): yield self.get_cert_info(cert_tag) + def get_subsystem_certs(self): + certs = self.config.get('%s.cert.list' % self.name) + if certs: + return certs.split(',') + return [] + def get_subsystem_cert(self, tag): logger.debug('PKISubsystem.get_subsystem_cert(%s)', tag) @@ -3003,6 +3009,17 @@ def replace_realm_config(self, realm_path): exist_ok=False, force=True) + def get_subsystem_cert(self, tag): + + logger.debug('ESTSubsystem.get_subsystem_cert(%s)', tag) + return None + + def validate_system_cert(self, tag): + """ + EST subsystem does not keep certificate information in its configuration file so + the validation cannot be performed like for other subsystems + """ + def is_ready(self, secure_connection=True, timeout=None): """ Wait for EST subsystem to become ready to serve requests.
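Review bot: `get_subsystem_certs` returns `certs.split(',')` without stripping, so a list such as `sslserver, subsystem` or one with a trailing comma yields tags with surrounding whitespace or an empty tag, which the `setup_system_certs` change in this diff then iterates and passes to `setup_system_cert`. The existing `get_cert_infos` above has the same behaviour, so this is consistent, but the new helper is the natural place to harden it: `return [tag.strip() for tag in certs.split(',') if tag.strip()]`. A one-line docstring, `Return the cert tags listed in <name>.cert.list, or [] when none are configured.`, would also help, since the name otherwise suggests it returns cert objects.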
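Review bot: `ESTSubsystem.validate_system_cert` is reduced to a docstring, so for EST every system-cert validation call returns without checking anything, including for the sslserver cert that `create_est_sslserver` imports in this diff; the docstring explains the reason, but the bypass leaves no trace in the debug log. Adding `logger.debug('ESTSubsystem.validate_system_cert(%s): skipped, EST keeps no cert info in its configuration file', tag)` mirrors the `get_subsystem_cert` override just above and lets an operator see that the check did not run. The docstring should also end with a period and read `... so the validation cannot be performed as for other subsystems.`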