Add token support to the renew_ca_cert certmonger helper

The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2022-12-09 21:44:43 -05:00
parent 7ad3b489f6
commit 93622005ba


@ -49,6 +49,10 @@ def _main():
dogtag_service = services.knownservices['pki_tomcatd']
ca = cainstance.CAInstance(host_name=api.env.host)
if ca.token_name:
nickname = f"{ca.token_name}:{nickname}"
# dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command
@ -66,8 +70,28 @@ def _main():
syslog.syslog(
syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
pwdfile = None
if ca.hsm_enabled:
token_pw = None
with open(paths.PKI_TOMCAT_PASSWORD_CONF, "r") as passfile:
contents = passfile.readlines()
for line in contents:
data = line.split('=', 1)
if data[0] == 'hardware-' + ca.token_name:
token_pw = data[1]
break
if token_pw:
pwfile = ipautil.write_tmp_file(token_pw)
pwdfile = pwfile.name
else:
syslog.syslog(
syslog.LOG_ERR,
'Unable to find pin for token %s' % ca.token_name
)
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
pwd_file=pwdfile)
cert = db.get_cert_from_db(nickname)
if not cert:
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
@ -82,7 +106,6 @@ def _main():
api.Backend.ldap2.connect()
ca = cainstance.CAInstance(host_name=api.env.host)
ca.update_cert_config(nickname, cert)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
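Review bot: In the second hunk (`@ -66,8 +70,28 @`), the PIN assigned by `token_pw = data[1]` still carries the line ending, because `readlines()` keeps it, and it is written to the temporary password file unchanged; `token_pw = data[1].rstrip('\r\n')` would pass on exactly the stored value. When no `hardware-<token>` entry matches, the code only logs `LOG_ERR` and, as far as the flattened indentation shows, still builds `CertDB` with `pwd_file=None`, so the failure presumably surfaces later as a missing certificate rather than a missing PIN; an early error return at that point looks preferable. The temporary file holding the PIN appears to be kept alive only by the local `pwfile`, so a comment such as `# keep pwfile referenced: the PIN file must exist until the CertDB calls finish` would guard against a later refactor dropping it. `_main` starts and ends outside the visible hunks.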