From e7f83ceb78ebc1bd2e122711228ea7cade73d649 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 15 Jan 2024 13:39:40 +0700
Subject: [PATCH] Update pki-server ca-cert-import

The pki-server ca-cert-import has been updated to support an absolute bootstrap profile path.
---
 .../server/ca/cli/CACertImportCLI.java | 29 ++++++++++---------
 base/server/python/pki/server/cli/ca.py | 8 ++---
 .../python/pki/server/deployment/__init__.py | 4 +--
 base/server/python/pki/server/subsystem.py | 8 ++---
 4 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACertImportCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACertImportCLI.java
index 41a6d219927..c291793fe80 100644
--- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACertImportCLI.java
+++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACertImportCLI.java
@@ -7,6 +7,7 @@
 import java.io.File;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.SecureRandom;
@@ -65,11 +66,11 @@ public void createOptions() {
 option.setArgName("format");
 options.addOption(option);
- option = new Option(null, "request", true, "Request ID");
- option.setArgName("ID");
+ option = new Option(null, "profile", true, "Bootstrap profile path");
+ option.setArgName("path");
 options.addOption(option);
- option = new Option(null, "profile", true, "Profile ID");
+ option = new Option(null, "request", true, "Request ID");
 option.setArgName("ID");
 options.addOption(option);
@@ -95,17 +96,13 @@ public void execute(CommandLine cmd) throws Exception {
 String certPath = cmd.getOptionValue("cert");
 String certFormat = cmd.getOptionValue("format");
- if (!cmd.hasOption("request")) {
- throw new Exception("Missing request ID");
- }
-
- RequestId requestID = new RequestId(cmd.getOptionValue("request"));
-
 if (!cmd.hasOption("profile")) {
- throw new Exception("Missing profile ID");
+ throw new Exception("Missing bootstrap profile path");
 }
- String profileID = cmd.getOptionValue("profile");
+ if (!cmd.hasOption("request")) {
+ throw new Exception("Missing request ID");
+ }
 // initialize JSS in pki-server CLI
 TomcatJSS tomcatjss = TomcatJSS.getInstance();
@@ -147,10 +144,14 @@ public void execute(CommandLine cmd) throws Exception {
 CAEngineConfig cs = new CAEngineConfig(storage);
 cs.load();
- String profilePath = confDir + File.separator + profileID;
+ // If the bootstrap profile path is relative (e.g. caCert.profile),
+ // convert it to /var/lib/pki/pki-tomcat/ca/conf/.
+ // If the bootstrap profile path is absolute, use it as is.
+ String profile = cmd.getOptionValue("profile");
+ Path profilePath = Paths.get(confDir).resolve(profile);
 logger.info("Loading " + profilePath);
- ConfigStorage profileStorage = new FileConfigStorage(profilePath);
+ ConfigStorage profileStorage = new FileConfigStorage(profilePath.toString());
 ConfigStore profileConfig = new ConfigStore(profileStorage);
 profileConfig.load();
@@ -172,6 +173,8 @@ public void execute(CommandLine cmd) throws Exception {
 dbSubsystem.setEngineConfig(cs);
 dbSubsystem.init(dbConfig, ldapConfig, socketConfig, passwordStore);
+ RequestId requestID = new RequestId(cmd.getOptionValue("request"));
+
 try {
 CertificateRepository certificateRepository = new CertificateRepository(secureRandom, dbSubsystem);
 certificateRepository.init();
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index 8d79680f4fc..1d1f6ba08d8 100644
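Review bot: The `RequestId` is now constructed only after JSS, LDAP and the DB subsystem have been initialized (the new line next to `dbSubsystem.init(...)` in the third hunk of this file), so if `RequestId`'s constructor rejects a malformed `--request` value (its implementation is not visible here) the operator learns about the typo only after that setup instead of at argument validation. Unless deferring it is intentional, keep the parse next to the check added in this hunk: `RequestId requestID = new RequestId(cmd.getOptionValue("request"));` directly after the `Missing request ID` guard, and drop the later construction. `execute` continues outside both hunks.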
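Review bot: `Paths.get(confDir).resolve(profile)` is handed to `FileConfigStorage` without normalization or an existence check, so a mistyped relative name, an empty `--profile` value (which resolves to `confDir` itself) or a `..` segment surfaces only as whatever error the config load produces, and the logged path may still contain `..`. Suggest `Path profilePath = Paths.get(confDir).resolve(profile).normalize();` followed by `if (!Files.isRegularFile(profilePath)) throw new Exception("Bootstrap profile not found: " + profilePath);` — `java.nio.file.Files` is already imported in this file. The new comment also names the default instance directory `/var/lib/pki/pki-tomcat/ca/conf/` while the code resolves against `confDir`, which presumably varies with the `-i/--instance` option; wording it as `// A relative profile path is resolved against the CA conf directory (confDir); an absolute path is used as is.` stays accurate for non-default instances. `execute` continues outside this hunk.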
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -301,7 +301,7 @@ def print_help(self):
 print(' -i, --instance Instance ID (default: pki-tomcat)')
 print(' --cert Certificate path')
 print(' --format Certificate format: PEM (default), DER')
- print(' --profile Bootstrap profile filename')
+ print(' --profile Bootstrap profile path')
 print(' --request Request ID')
 print(' -v, --verbose Run in verbose mode.')
 print(' --debug Run in debug mode.')
@@ -324,7 +324,7 @@ def execute(self, argv):
 instance_name = 'pki-tomcat'
 cert_path = None
 cert_format = None
- profile_id = None
+ profile_path = None
 request_id = None
 for o, a in opts:
@@ -338,7 +338,7 @@ def execute(self, argv):
 cert_format = a
 elif o == '--profile':
- profile_id = a
+ profile_path = a
 elif o == '--request':
 request_id = a
@@ -373,7 +373,7 @@ def execute(self, argv):
 subsystem.import_cert(
 cert_path=cert_path,
 cert_format=cert_format,
- profile_id=profile_id,
+ profile_path=profile_path,
 request_id=request_id)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 310d607c592..52e3899860d 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -3242,8 +3242,8 @@ def import_cert(self, subsystem, tag, request, cert_data):
 subsystem.import_cert(
 cert_data=pem_cert,
 cert_format='PEM',
- request_id=request.systemCert.requestID,
- profile_id=request.systemCert.profile)
+ profile_path=request.systemCert.profile,
+ request_id=request.systemCert.requestID)
 def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index 38089ae3236..5711790d23f 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
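Review bot: The new help text `--profile Bootstrap profile path` does not say how a relative value is interpreted, while the Java side of this patch resolves a relative value against the CA conf directory and uses an absolute one as is; an operator reading only `--help` cannot tell that both forms are accepted. Suggest `print(' --profile Bootstrap profile path (relative to the CA conf directory, or absolute)')`. `print_help` continues outside the hunk.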
@@ -2333,8 +2333,8 @@ def import_cert(
 cert_data=None,
 cert_path=None,
 cert_format=None,
- request_id=None,
- profile_id=None):
+ profile_path=None,
+ request_id=None):
 tmpdir = tempfile.mkdtemp()
@@ -2361,8 +2361,8 @@ def import_cert(
 if request_id:
 cmd.extend(['--request', request_id])
- if profile_id:
- cmd.extend(['--profile', profile_id])
+ if profile_path:
+ cmd.extend(['--profile', profile_path])
 # run as current user so it can read the input file
 self.run(cmd, as_current_user=True)
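Review bot: Renaming the keyword parameter `profile_id` to `profile_path` on `import_cert` and swapping its position with `request_id` breaks any caller outside this patch: a caller passing `profile_id=` now gets a `TypeError`, and a positional caller's fourth argument silently lands in `profile_path` instead of `request_id`. The in-tree callers in `cli/ca.py` and `deployment/__init__.py` are updated here, but other callers of this method cannot be seen from the diff. If compatibility matters, keep the old positional order, add `profile_id=None` as a deprecated keyword and map it with `if profile_path is None and profile_id is not None: profile_path = profile_id` plus a deprecation warning. `import_cert`'s signature starts before this hunk and its body continues past the second one.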