Merge NSSDatabase.create_request_with_wrapping_key() into create_requ…
…est()
edewata committed Sep 19, 2024
1 parent d07d0c7 commit 47414b8
Showing 2 changed files with 36 additions and 26 deletions.
16 changes: 15 additions & 1 deletion base/common/python/pki/nssdb.py
Original file line number Diff line number Diff line change
Expand Up @@ -949,6 +949,7 @@ def create_request(
cka_id=None,
key_type=None,
key_size=None,
key_wrap=False,
curve=None,
hash_alg=None,
basic_constraints_ext=None,
Expand Down Expand Up @@ -985,6 +986,14 @@ def create_request(
Raw extension data (``bytes``)
"""

if key_wrap:
self.__create_request_for_key_wrap(
subject_dn=subject_dn,
request_file=request_file,
key_size=key_size)
return

if os.geteuid() == 0 and self.user:
os.chown(os.path.dirname(request_file), self.uid, self.gid)

Expand All @@ -998,6 +1007,7 @@ def create_request(
cka_id=cka_id,
key_type=key_type,
key_size=key_size,
key_wrap=key_wrap,
curve=curve,
hash_alg=hash_alg,
basic_constraints_ext=basic_constraints_ext,
Expand Down Expand Up @@ -1187,7 +1197,7 @@ def create_request(
finally:
shutil.rmtree(tmpdir)

def create_request_with_wrapping_key(
def __create_request_for_key_wrap(
self,
subject_dn,
request_file,
Expand Down Expand Up @@ -1473,6 +1483,7 @@ def __create_request(
cka_id=None,
key_type=None,
key_size=None,
key_wrap=False,
curve=None,
hash_alg=None,
basic_constraints_ext=None,
Expand Down Expand Up @@ -1569,6 +1580,9 @@ def __create_request(
if key_size:
cmd.extend(['--key-size', str(key_size)])

if key_wrap:
cmd.append('--key-wrap')

if curve:
cmd.extend(['--curve', curve])

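Review bot: The early `return` added at the top of create_request() sits before the `os.chown(os.path.dirname(request_file), self.uid, self.gid)` step, so with key_wrap set and the process running as root with `self.user` configured, the ownership fix-up of the request directory is skipped; unless __create_request_for_key_wrap() does its own chown (its body is outside the hunk), the `if key_wrap:` block should move below the chown. The same early return means __create_request() is only ever reached from this entry point with `key_wrap=False`, so the `cmd.append('--key-wrap')` added in the last hunk looks unreachable from create_request() unless __create_request() has another caller. The key_wrap branch also drops every other argument (token, cka_id, key_type, curve, hash_alg, the extension parameters) without a warning, which the docstring should state, e.g. `key_wrap: when True, only subject_dn, request_file and key_size are used and all other arguments are ignored.` create_request() starts before the first hunk and continues past the hunks shown.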
46 changes: 21 additions & 25 deletions base/server/python/pki/server/deployment/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -3112,7 +3112,6 @@ def generate_csr(self,

cert_id = self.get_cert_id(subsystem, tag)
logger.info('Generating %s CSR in %s', cert_id, csr_path)
csr_pathname = os.path.join(nssdb.tmpdir, os.path.basename(csr_path))

subject_dn = self.mdict['pki_%s_subject_dn' % cert_id]

Expand All @@ -3136,32 +3135,29 @@ def generate_csr(self,
if (subsystem.type == 'KRA' and
config.str2bool(self.mdict['pki_hsm_enable']) and
(cert_id in ['storage', 'transport'])):

logger.debug('generate_csr: calling PKCS10Client for %s', cert_id)

nssdb.create_request_with_wrapping_key(
subject_dn=subject_dn,
request_file=csr_path,
key_size=key_size)
key_wrap = True
csr_pathname = csr_path

else:

logger.debug('generate_csr: calling certutil for %s', cert_id)

nssdb.create_request(
subject_dn=subject_dn,
request_file=csr_pathname,
key_type=key_type,
key_size=key_size,
curve=curve,
hash_alg=hash_alg,
basic_constraints_ext=basic_constraints_ext,
key_usage_ext=key_usage_ext,
extended_key_usage_ext=extended_key_usage_ext,
subject_key_id=subject_key_id,
generic_exts=generic_exts,
use_jss=True)

key_wrap = False
csr_pathname = os.path.join(nssdb.tmpdir, os.path.basename(csr_path))

nssdb.create_request(
subject_dn=subject_dn,
request_file=csr_pathname,
key_type=key_type,
key_size=key_size,
key_wrap=key_wrap,
curve=curve,
hash_alg=hash_alg,
basic_constraints_ext=basic_constraints_ext,
key_usage_ext=key_usage_ext,
extended_key_usage_ext=extended_key_usage_ext,
subject_key_id=subject_key_id,
generic_exts=generic_exts,
use_jss=True)

if not key_wrap:
shutil.move(csr_pathname, csr_path)

new_csr_path = subsystem.csr_file(tag)
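Review bot: In the wrapped-key branch the CSR is written directly to `csr_path` (`csr_pathname = csr_path`) while the certutil branch writes into `nssdb.tmpdir` and then `shutil.move()`s the file into place, so the resulting file's ownership can differ between the two paths: nssdb.create_request() chowns the request directory when running as root, but its wrapped-key path returns before that step. A comment on `csr_pathname = csr_path` explaining why the wrapped-key request bypasses the temp directory would help, or both paths could use `nssdb.tmpdir` and the `if not key_wrap:` guard around the move could go. As a point of style, the two branches now only set two variables, so the if/else could collapse to `key_wrap = (subsystem.type == 'KRA' and config.str2bool(self.mdict['pki_hsm_enable']) and cert_id in ['storage', 'transport'])` followed by `csr_pathname = csr_path if key_wrap else os.path.join(nssdb.tmpdir, os.path.basename(csr_path))`, keeping the debug log. generate_csr() starts before the hunk and continues after it.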
