From 93622005ba0f14e68010a84b07cc050cfdc4bedc Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 9 Dec 2022 21:44:43 -0500
Subject: [PATCH] Add token support to the renew_ca_cert certmonger helper

The certificates live on the token so need to be retrieved from there with the token name. The certificates are visible in NSS softoken but operations need to be done on the HSM version. The right password is necessary so retrieve it from the PKI password store.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 install/restart_scripts/renew_ca_cert.in | 27 ++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
index 7b7b9b30d..6a69d7676 100644
--- a/install/restart_scripts/renew_ca_cert.in
+++ b/install/restart_scripts/renew_ca_cert.in
@@ -49,6 +49,10 @@ def _main():
     dogtag_service = services.knownservices['pki_tomcatd']
+    ca = cainstance.CAInstance(host_name=api.env.host)
+    if ca.token_name:
+        nickname = f"{ca.token_name}:{nickname}"
+
     # dogtag opens its NSS database in read/write mode so we need it
     # shut down so certmonger can open it read/write mode. This avoids
     # database corruption. It should already be stopped by the pre-command
@@ -66,8 +70,28 @@ def _main():
         syslog.syslog(
             syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+    pwdfile = None
+    if ca.hsm_enabled:
+        token_pw = None
+        with open(paths.PKI_TOMCAT_PASSWORD_CONF, "r") as passfile:
+            contents = passfile.readlines()
+        for line in contents:
+            data = line.split('=', 1)
+            if data[0] == 'hardware-' + ca.token_name:
+                token_pw = data[1]
+                break
+        if token_pw:
+            pwfile = ipautil.write_tmp_file(token_pw)
+            pwdfile = pwfile.name
+        else:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                'Unable to find pin for token %s' % ca.token_name
+            )
+
     # Fetch the new certificate
-    db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
+    db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
+                      pwd_file=pwdfile)
     cert = db.get_cert_from_db(nickname)
     if not cert:
         syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
@@ -82,7 +106,6 @@ def _main():
     api.Backend.ldap2.connect()
-    ca = cainstance.CAInstance(host_name=api.env.host)
     ca.update_cert_config(nickname, cert)
     if ca.is_renewal_master():
         cainstance.update_people_entry(cert)
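Review bot: The PIN written to the temporary password file is taken verbatim from `readlines()`, so `token_pw = data[1]` still carries the line terminator (and any whitespace around the value); `token_pw = data[1].strip()` limits the file's content to the PIN itself instead of relying on the consumer to tolerate a trailing newline. When no matching `hardware-<token>` entry exists the code only logs and falls through with `pwdfile = None`, so `db.get_cert_from_db(nickname)` is attempted against the token without a PIN and the failure surfaces later as the less specific 'No certificate %s found.' message — consider returning or exiting right after the `syslog.LOG_ERR` call, since the rest of `_main` (which continues outside this hunk) cannot proceed without the token certificate. The lookup is gated on `ca.hsm_enabled` while the nickname prefix in the first hunk is gated on `ca.token_name`; if the two can disagree, `'hardware-' + ca.token_name` raises `TypeError` on a `None` token name, so gating both on the same attribute would be safer. Nothing closes `pwfile` explicitly; if `ipautil.write_tmp_file` returns a `NamedTemporaryFile`, the plaintext PIN file is removed only when that object is collected at the end of `_main`, so wrapping the `CertDB` use in `try/finally` (or `with pwfile:`) would make its removal deterministic.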