Add custodia store for lightweight CA key replication

Due to limitations in Dogtag's use of NSSDB, importing private keys must be done by the Dogtag Java process itself. This requires a PKIArchiveOptions format (signing key wrapped with host CA key) - PKCS #12 cannot be used because that would require decrypting the key in Dogtag's memory, albeit temporarily. Add a new custodia store that executes a 'pki' command to acquire the wrapped key. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-04-19 11:47:29 +10:00
parent 903a90fb4e
commit 4660bb7ff0
2 changed files with 57 additions and 0 deletions
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -215,6 +215,7 @@ class BasePathNamespace(object):
    NTPD = "/usr/sbin/ntpd"
    PKIDESTROY = "/usr/sbin/pkidestroy"
    PKISPAWN = "/usr/sbin/pkispawn"
+    PKI = "/usr/bin/pki"
    REMOVE_DS_PL = "/usr/sbin/remove-ds.pl"
    RESTORECON = "/usr/sbin/restorecon"
    SELINUXENABLED = "/usr/sbin/selinuxenabled"
--- a/ipapython/secrets/store.py
+++ b/ipapython/secrets/store.py
@@ -51,6 +51,56 @@ def HTTPD_password_callback():
    return password


+class NSSWrappedCertDB(DBMAPHandler):
+    '''
+    Store that extracts private keys from an NSSDB, wrapped with the
+    private key of the primary CA.
+    '''
+
+    def __init__(self, config, dbmap, nickname):
+        if 'path' not in dbmap:
+            raise ValueError(
+                'Configuration does not provide NSSDB path')
+        if 'pwcallback' not in dbmap:
+            raise ValueError(
+                'Configuration does not provide Password Calback')
+        if 'wrap_nick' not in dbmap:
+            raise ValueError(
+                'Configuration does not provide nickname of wrapping key')
+        self.nssdb_path = dbmap['path']
+        self.nssdb_password = dbmap['pwcallback']()
+        self.wrap_nick = dbmap['wrap_nick']
+        self.target_nick = nickname
+
+    def export_key(self):
+        tdir = tempfile.mkdtemp(dir=paths.TMP)
+        try:
+            nsspwfile = os.path.join(tdir, 'nsspwfile')
+            with open(nsspwfile, 'w+') as f:
+                f.write(self.nssdb_password)
+            wrapped_key_file = os.path.join(tdir, 'wrapped_key')
+            certificate_file = os.path.join(tdir, 'certificate')
+            ipautil.run([
+                paths.PKI, '-d', self.nssdb_path, '-C', nsspwfile,
+                'ca-authority-key-export',
+                '--wrap-nickname', self.wrap_nick,
+                '--target-nickname', self.target_nick,
+                '-o', wrapped_key_file])
+            ipautil.run([
+                paths.CERTUTIL, '-d', self.nssdb_path,
+                '-L', '-n', self.target_nick,
+                '-a', '-o', certificate_file])
+            with open(wrapped_key_file, 'r') as f:
+                wrapped_key = f.read()
+            with open(certificate_file, 'r') as f:
+                certificate = f.read()
+        finally:
+            shutil.rmtree(tdir)
+        return json_encode({
+            'wrapped_key': b64encode(wrapped_key),
+            'certificate': certificate})
+
+
 class NSSCertDB(DBMAPHandler):

    def __init__(self, config, dbmap, nickname):
@@ -148,6 +198,12 @@ NAME_DB_MAP = {
        'handler': NSSCertDB,
        'pwcallback': PKI_TOMCAT_password_callback,
    },
+    'ca_wrapped': {
+        'handler': NSSWrappedCertDB,
+        'path': paths.PKI_TOMCAT_ALIAS_DIR,
+        'pwcallback': PKI_TOMCAT_password_callback,
+        'wrap_nick': 'caSigningCert cert-pki-ca',
+    },
    'ra': {
        'type': 'NSSDB',
        'path': paths.HTTPD_ALIAS_DIR,