Update pki-server cert-import

The pki-server cert-import has been updated to provide options to specify the nickname and token so that the cert can be imported before creating any subsystem in the instance. The tests for installing CA with existing NSS database and HSM have been updated to use this command.
dogtagpki · Nov 16, 2023 · 24a66c3 · 24a66c3
1 parent 169c68f
commit 24a66c3
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 87 deletions.
diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml
@@ -84,14 +84,8 @@ jobs:
               --token HSM \
               --ext /usr/share/pki/server/certs/ca_signing.conf \
               ca_signing
-          docker exec pki runuser -u pkiuser -- \
-              pki \
-              -d /etc/pki/pki-tomcat/alias \
-              -f /etc/pki/pki-tomcat/password.conf \
+          docker exec pki pki-server cert-import \
               --token HSM \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
-              --trust CT,C,C \
               ca_signing
 
           # check original cert
@@ -124,13 +118,8 @@ jobs:
               --issuer HSM:ca_signing \
               --ext /usr/share/pki/server/certs/ocsp_signing.conf \
               ca_ocsp_signing
-          docker exec pki runuser -u pkiuser -- \
-              pki \
-              -d /etc/pki/pki-tomcat/alias \
-              -f /etc/pki/pki-tomcat/password.conf \
+          docker exec pki pki-server cert-import \
               --token HSM \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
               ca_ocsp_signing
 
           # check original cert
@@ -163,14 +152,8 @@ jobs:
               --issuer HSM:ca_signing \
               --ext /usr/share/pki/server/certs/audit_signing.conf \
               ca_audit_signing
-          docker exec pki runuser -u pkiuser -- \
-              pki \
-              -d /etc/pki/pki-tomcat/alias \
-              -f /etc/pki/pki-tomcat/password.conf \
+          docker exec pki pki-server cert-import \
               --token HSM \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
-              --trust ,,P \
               ca_audit_signing
 
           # check original cert
@@ -203,13 +186,8 @@ jobs:
               --issuer HSM:ca_signing \
               --ext /usr/share/pki/server/certs/subsystem.conf \
               subsystem
-          docker exec pki runuser -u pkiuser -- \
-              pki \
-              -d /etc/pki/pki-tomcat/alias \
-              -f /etc/pki/pki-tomcat/password.conf \
+          docker exec pki pki-server cert-import \
               --token HSM \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
               subsystem
 
           # check original cert
@@ -241,13 +219,7 @@ jobs:
               --issuer HSM:ca_signing \
               --ext /usr/share/pki/server/certs/sslserver.conf \
               sslserver
-          docker exec pki runuser -u pkiuser -- \
-              pki \
-              -d /etc/pki/pki-tomcat/alias \
-              -f /etc/pki/pki-tomcat/password.conf \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/sslserver.crt \
-              sslserver
+          docker exec pki pki-server cert-import sslserver
 
           # check original cert
           docker exec pki runuser -u pkiuser -- \

diff --git a/.github/workflows/ca-existing-nssdb-test.yml b/.github/workflows/ca-existing-nssdb-test.yml
@@ -61,12 +61,7 @@ jobs:
           docker exec pki pki-server cert-create \
               --ext /usr/share/pki/server/certs/ca_signing.conf \
               ca_signing
-          docker exec pki pki \
-              -d /etc/pki/pki-tomcat/alias \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
-              --trust CT,C,C \
-              ca_signing
+          docker exec pki pki-server cert-import ca_signing
 
           # check original cert
           docker exec pki pki \
@@ -90,11 +85,7 @@ jobs:
               --issuer ca_signing \
               --ext /usr/share/pki/server/certs/ocsp_signing.conf \
               ca_ocsp_signing
-          docker exec pki pki \
-              -d /etc/pki/pki-tomcat/alias \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
-              ca_ocsp_signing
+          docker exec pki pki-server cert-import ca_ocsp_signing
 
           # check original cert
           docker exec pki pki \
@@ -118,12 +109,7 @@ jobs:
               --issuer ca_signing \
               --ext /usr/share/pki/server/certs/audit_signing.conf \
               ca_audit_signing
-          docker exec pki pki \
-              -d /etc/pki/pki-tomcat/alias \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
-              --trust ,,P \
-              ca_audit_signing
+          docker exec pki pki-server cert-import ca_audit_signing
 
           # check original cert
           docker exec pki pki \
@@ -147,11 +133,7 @@ jobs:
               --issuer ca_signing \
               --ext /usr/share/pki/server/certs/subsystem.conf \
               subsystem
-          docker exec pki pki \
-              -d /etc/pki/pki-tomcat/alias \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
-              subsystem
+          docker exec pki pki-server cert-import subsystem
 
           # check original cert
           docker exec pki pki \
@@ -175,11 +157,7 @@ jobs:
               --issuer ca_signing \
               --ext /usr/share/pki/server/certs/sslserver.conf \
               sslserver
-          docker exec pki pki \
-              -d /etc/pki/pki-tomcat/alias \
-              nss-cert-import \
-              --cert /etc/pki/pki-tomcat/certs/sslserver.crt \
-              sslserver
+          docker exec pki pki-server cert-import sslserver
 
           # check original cert
           docker exec pki pki \

diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py
@@ -792,27 +792,41 @@ def execute(self, argv):
 
 
 class CertImportCLI(pki.cli.CLI):
+    '''
+    Import system certificate.
+    '''
+
+    help = '''\
+        Usage: pki-server cert-import [OPTIONS] <Cert ID>
+
+          -i, --instance <instance ID>    Instance ID (default: pki-tomcat)
+              --token <name>              Token to store the certificate
+              --nickname <nickname>       Certificate nickname
+              --input <file>              Certificate file
+          -v, --verbose                   Run in verbose mode.
+              --debug                     Run in debug mode.
+              --help                      Show help message.
+
+        Cert ID:
+            ca_signing, ca_ocsp_signing, ca_audit_signing,
+            kra_storage, kra_transport, kra_audit_signing,
+            ocsp_signing, ocsp_audit_signing,
+            tks_audit_signing,
+            tps_audit_signing,
+            subsystem, sslserver
+    '''  # noqa: E501
+
     def __init__(self):
-        super().__init__('import', 'Import system certificate.')
+        super().__init__('import', inspect.cleandoc(self.__class__.__doc__))
 
     def print_help(self):
-        print('Usage: pki-server cert-import [OPTIONS] <Cert ID>')
-        # CertID:  subsystem, sslserver, kra_storage, kra_transport, ca_ocsp_signing,
-        # ca_audit_signing, kra_audit_signing
-        # ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
-        print()
-        print('  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).')
-        print('      --input <file>              Provide input file name.')
-        print('  -v, --verbose                   Run in verbose mode.')
-        print('      --debug                     Run in debug mode.')
-        print('      --help                      Show help message.')
-        print()
+        print(textwrap.dedent(self.__class__.help))
 
     def execute(self, argv):
 
         try:
             opts, args = getopt.gnu_getopt(argv, 'i:v', [
-                'instance=', 'input=',
+                'instance=', 'token=', 'nickname=', 'input=',
                 'verbose', 'debug', 'help'])
 
         except getopt.GetoptError as e:
@@ -821,12 +835,20 @@ def execute(self, argv):
             sys.exit(1)
 
         instance_name = 'pki-tomcat'
+        token = None
+        nickname = None
         cert_file = None
 
         for o, a in opts:
             if o in ('-i', '--instance'):
                 instance_name = a
 
+            elif o == '--token':
+                token = a
+
+            elif o == '--nickname':
+                nickname = a
+
             elif o == '--input':
                 cert_file = a
 
@@ -858,12 +880,14 @@ def execute(self, argv):
             logger.error('Invalid instance %s.', instance_name)
             sys.exit(1)
 
-        # Load the instance. Default: pki-tomcat
         instance.load()
 
         try:
-            # Load the cert into NSS db and update all corresponding subsystem's CS.cfg
-            instance.cert_import(cert_id, cert_file)
+            instance.cert_import(
+                cert_id,
+                cert_file=cert_file,
+                token=token,
+                nickname=nickname)
 
         except pki.server.PKIServerException as e:
             logger.error(str(e))

diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
@@ -699,14 +699,23 @@ def cert_update_config(self, cert_id, cert):
                 raise pki.server.PKIServerException(
                     'No subsystem can be loaded for %s in instance %s.' % (cert_id, self.name))
 
-    def cert_import(self, cert_id, cert_file=None):
+    def cert_import(
+            self,
+            cert_id,
+            cert_file=None,
+            token=None,
+            nickname=None):
         """
         Import cert from cert_file into NSS db with appropriate trust
 
         :param cert_id: Cert ID
         :type cert_id: str
         :param cert_file: Cert file to be imported into NSS db
         :type cert_file: str
+        :param token: Token to store the certificate
+        :type token: str
+        :param nickname: Certificate nickname
+        :type nickname: str
         :return: None
         :rtype: None
         """
@@ -722,13 +731,33 @@ def cert_import(self, cert_id, cert_file=None):
 
         subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id)
 
-        if not subsystem_name:
-            subsystem_name = self.get_subsystems()[0].name
-
         logger.debug('- subsystem: %s', subsystem_name)
         logger.debug('- cert tag: %s', cert_tag)
 
-        subsystem = self.get_subsystem(subsystem_name)
+        if subsystem_name:
+            # if cert ID contains subsystem name, get that subsystem
+            subsystem = self.get_subsystem(subsystem_name)
+        else:
+            # if cert ID does not contain subsystem name (i.e. sslserver, subsystem),
+            # get the first available subsystem
+            subsystems = self.get_subsystems()
+            if len(subsystems) > 0:
+                subsystem = subsystems[0]
+            else:
+                subsystem = None
+
+        if subsystem:
+            # if the subsystem exists, use the nickname and token
+            # specified in CS.cfg
+            cert_info = subsystem.get_subsystem_cert(cert_tag)
+            nickname = cert_info['nickname']
+            token = cert_info['token']
+        else:
+            # if the subsystem does not exist, use the specified
+            # nickname and token
+            if not nickname:
+                # if nickname not specified, use the cert ID
+                nickname = cert_id
 
         # audit and CA signing cert require special flags set in NSSDB
         trust_attributes = None
@@ -742,21 +771,19 @@ def cert_import(self, cert_id, cert_file=None):
         nssdb = self.open_nssdb()
 
         try:
-            cert = subsystem.get_subsystem_cert(cert_tag)
-
             logger.debug('Checking existing %s cert', cert_id)
 
             if nssdb.get_cert(
-                    nickname=cert['nickname'],
-                    token=cert['token']):
+                    nickname=nickname,
+                    token=token):
                 raise pki.server.PKIServerException(
                     'Certificate already exists: %s' % cert_id)
 
             logger.debug('Importing %s cert', cert_id)
 
             nssdb.add_cert(
-                nickname=cert['nickname'],
-                token=cert['token'],
+                nickname=nickname,
+                token=token,
                 cert_file=cert_file,
                 trust_attributes=trust_attributes)
 

diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc
@@ -47,3 +47,8 @@ The `pki-server cert-request` command has been added to generate a key pair and
 The `pki-server cert-create` command has been updated to support
 creating permanent system certificate using the server's NSS database
 and RSNv3 serial numbers.
+
+== Update pki-server cert-import CLI ==
+
+The `pki-server cert-import` command has been updated to provide
+options to specify the certificate nickname and token name.