Add est to pkispawn

This initial commit add est configuration for deployment in instance with existing CA. Actually, several step are just skipped which could be required like creating initial users, reporting the status, etc.... The final installation is compliant with the page: https://github.com/dogtagpki/pki/blob/master/docs/installation/est/Installing_EST.md
dogtagpki · Sep 6, 2024 · f61256e · f61256e
1 parent f3c1ec9
commit f61256e
Show file tree

Hide file tree

Showing 23 changed files with 290 additions and 20 deletions.
diff --git a/base/ca/database/ds/acl.ldif b/base/ca/database/ds/acl.ldif
@@ -6,7 +6,7 @@ resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) g
 resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
 resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
 resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
-resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" ||  group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
 #resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
 resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log

diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif
@@ -93,6 +93,12 @@ objectClass: groupOfUniqueNames
 cn: Enterprise TPS Administrators
 description: People who are the administrators for the security domain for TPS
 
+dn: cn=Enterprise EST Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise EST Administrators
+description: People who are the administrators for the security domain for EST
+
 dn: ou=requests,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit

diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Audit Signing Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Security Domain DRM storage Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Security Domain OCSP Manager Signing Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Security Domain Server Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Security Domain Subsystem Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -3,7 +3,7 @@ visible=false
 enable=true
 enableBy=admin
 auth.instance_id=TokenAuth
-authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
 name=Security Domain Data Recovery Manager Transport Certificate Enrollment
 input.list=i1,i2
 input.i1.class_id=certReqInputImpl

diff --git a/base/est/CMakeLists.txt b/base/est/CMakeLists.txt
@@ -1,5 +1,7 @@
 project(est NONE)
 
+add_subdirectory(shared/conf)
+
 javac(pki-est-classes
     SOURCES
         src/main/java/*.java

diff --git a/base/est/shared/conf/CMakeLists.txt b/base/est/shared/conf/CMakeLists.txt
@@ -0,0 +1,8 @@
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+    FILES
+        ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/base/est/shared/conf/CS.cfg b/base/est/shared/conf/CS.cfg
@@ -0,0 +1,14 @@
+_000=##
+_001=## Enrollment over Secure Transport (EST) Configuration File
+_002=##
+est.cert.list=sslserver,subsystem,audit_signing
+est.cert.sslserver.certusage=SSLServer
+est.cert.subsystem.certusage=SSLClient
+est.cert.audit_signing.certusage=ObjectSigner
+preop.cert.list=sslserver,subsystem,audit_signing
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.admin.profile=adminCert.profile
+preop.module.token=Internal Key Storage Token
+
diff --git a/base/est/webapps/est/index.jsp b/base/est/webapps/est/index.jsp
@@ -0,0 +1,23 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2007 Red Hat, Inc.
+     All rights reserved.
+     --- END COPYRIGHT BLOCK --- -->
+<html>
+<head>
+</head>
+<body>
+</body>
+</html>
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
@@ -589,3 +589,33 @@ pki_import_shared_secret=False
 pki_share_db=True
 pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
 pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml
+
+
+###############################################################################
+##  EST Configuration:                                                       ##
+##                                                                           ##
+##  Values in this section are common to PKI EST subsystems, and contain     ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[EST]
+pki_realm_config=True
+pki_import_admin_cert=True
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
+pki_admin_uid=estadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s EST
+pki_audit_signing_subject_dn=cn=EST Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_name)s-EST
+pki_ds_database=%(pki_instance_name)s-EST
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=EST %(pki_hostname)s %(pki_https_port)s
+pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
+pki_est_ca_profile=estServiceCert
+pki_est_ca_user=
+pki_est_ca_password=
+pki_est_ca_certificate=%(pki_subsystem_nickname)s
+
diff --git a/base/server/examples/installation/est.cfg b/base/server/examples/installation/est.cfg
@@ -0,0 +1,26 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[EST]
+pki_admin_email[email protected]
+pki_admin_name=estadmin
+pki_admin_nickname=estadmin
+pki_admin_password=Secret.123
+pki_admin_uid=estadmin
+
+pki_admin_setup=False
+pki_realm_config=True
+
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=est,dc=pki,dc=example,dc=com
+pki_ds_database=est
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_audit_signing_nickname=est_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
@@ -55,7 +55,7 @@
 ETC_SYSTEMD_DIR = '/etc/systemd'
 LIB_SYSTEMD_DIR = '/lib/systemd'
 
-SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
+SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps', 'est']
 
 DEFAULT_DIR_MODE = 0o0770
 DEFAULT_FILE_MODE = 0o0660

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -3615,7 +3615,7 @@ def setup_system_certs(self, nssdb, subsystem):
             # For external/standalone KRA/OCSP/TKS/TPS case, all system certs will be provided.
             # No system certs will be generated including the SSL server cert.
 
-            if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS'] and external:
+            if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS', 'EST'] and external:
                 continue
 
             request = self.create_cert_setup_request(subsystem, tag, system_cert)
@@ -4071,7 +4071,8 @@ def setup_admin_user(self, subsystem, cert_data):
                     'Enterprise RA Administrators',
                     'Enterprise TKS Administrators',
                     'Enterprise OCSP Administrators',
-                    'Enterprise TPS Administrators'
+                    'Enterprise TPS Administrators',
+                    'Enterprise EST Administrators'
                 ])
 
             elif subsystem.type == 'KRA':
@@ -4968,6 +4969,45 @@ def finalize_tps(self, subsystem):
             logger.info('Setting up shared secret')
             self.setup_shared_secret(subsystem)
 
+    def finalize_est(self, subsystem):
+        if config.str2bool(self.mdict['pki_realm_config']):
+            logger.info('Configuring EST Realm')
+            realm_config = {
+                'class': 'com.netscape.cms.realm.PKILDAPRealm',
+                'url': self.mdict['pki_ds_url'],
+                'authType': 'BasicAuth',
+                'bindDN': self.mdict['pki_ds_bind_dn'],
+                'bindPassword': self.mdict['pki_ds_password'],
+                'usersDN': 'ou=people,{}'.format(self.mdict['pki_ds_base_dn']),
+                'groupsDN': 'ou=groups,{}'.format(self.mdict['pki_ds_base_dn'])
+            }
+            subsystem.add_realm(realm_config)
+        backend_config = {
+            'class': 'org.dogtagpki.est.DogtagRABackend',
+            'url': self.mdict['pki_ca_uri'],
+            'profile': self.mdict['pki_est_ca_profile'],
+            'username': self.mdict['pki_est_ca_user'],
+            'password': self.mdict['pki_est_ca_password'],
+            'passwordFile': self.mdict['pki_est_ca_password'],
+            'nickname': self.mdict['pki_est_ca_certificate']
+        }
+        subsystem.add_backend(backend_config)
+        est_auth_exec = '''#!/usr/bin/python3
+import json, sys
+ALLOWED_ROLE = 'estclient'
+obj = json.loads(sys.stdin.read())
+if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
+    print(f'Principal does not have required role {ALLOWED_ROLE!r}')
+    sys.exit(1)'''
+        with open('/usr/local/libexec/estauthz', 'w', ) as auth_exec:
+            auth_exec.write(est_auth_exec)
+        os.chmod("/usr/local/libexec/estauthz", 0o755)
+        authorizer_config = {
+            'class': 'org.dogtagpki.est.ExternalProcessRequestAuthorizer',
+            'executable': '/usr/local/libexec/estauthz'
+        }
+        subsystem.add_authorizer(authorizer_config)
+
     def finalize_subsystem(self, subsystem):
 
         if subsystem.type == 'CA':
@@ -4985,6 +5025,9 @@ def finalize_subsystem(self, subsystem):
         if subsystem.type == 'TPS':
             self.finalize_tps(subsystem)
 
+        if subsystem.type == 'EST':
+            self.finalize_est(subsystem)
+
         # save EC type for sslserver cert (if present)
         ec_type = subsystem.config.get('preop.cert.sslserver.ec.type', 'ECDHE')
         subsystem.set_config('jss.ssl.sslserver.ectype', ec_type)

diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py
@@ -36,13 +36,13 @@
 PKI_DEPLOYMENT_DEFAULT_UID = 17
 PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
 
-PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"]
+PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS", "EST"]
 PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra",
                            "lib", "logs", "ocsp", "temp", "tks", "tps",
-                           "webapps", "work"]
+                           "est", "webapps", "work"]
 PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg",
                                     "rsyslog", "tls"]
-PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps"]
+PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps", "est"]
 
 PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
                                   "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
@@ -297,7 +297,7 @@ def __init__(self, description, epilog, deployer=None):
             nargs=1, choices=config.PKI_SUBSYSTEMS,
             metavar='<subsystem>',
             help='where <subsystem> is '
-            'CA, KRA, OCSP, TKS, or TPS')
+            'CA, KRA, OCSP, TKS, TPS or EST')
         self.optional.add_argument(
             '-h', '--help',
             dest='help', action='help',

diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -84,7 +84,8 @@ def spawn(self, deployer):
             if clone:
                 deployer.request_ranges(subsystem)
 
-            deployer.setup_database(subsystem, master_config)
+            if subsystem.type != 'EST' or config.str2bool(deployer.mdict['pki_realm_config']):
+                deployer.setup_database(subsystem, master_config)
 
             if not clone and subsystem.type == 'CA':
                 subsystem.import_profiles(

diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py
@@ -1,3 +1,4 @@
+
 # Authors:
 #     Matthew Harmsen <[email protected]>
 #

diff --git a/base/server/python/pki/server/pkispawn.py b/base/server/python/pki/server/pkispawn.py
@@ -190,8 +190,8 @@ def main(argv):
             parser.indent = 0
 
             deployer.subsystem_type = parser.read_text(
-                'Subsystem (CA/KRA/OCSP/TKS/TPS)',
-                options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS'],
+                'Subsystem (CA/KRA/OCSP/TKS/TPS/EST)',
+                options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS', 'EST'],
                 default='CA', case_sensitive=False).upper()
             print()
         else:
@@ -668,6 +668,9 @@ def main(argv):
         elif deployer.subsystem_type == 'TPS':
             print_tps_step_one_information(parser.mdict, deployer.instance)
 
+        elif deployer.subsystem_type == 'EST':
+            print_est_step_one_information(parser.mdict, deployer.instance)
+
     else:
         print_final_install_information(parser.mdict, deployer.instance)
 
@@ -681,7 +684,7 @@ def validate_user_deployment_cfg(user_deployment_cfg):
         line = line.strip()
         if not line.startswith('['):
             continue
-        if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', '[OCSP]', '[TKS]', '[TPS]']:
+        if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', '[OCSP]', '[TKS]', '[TPS]', '[EST]']:
             raise Exception('Invalid deployment configuration section: %s' % line)
 
 
@@ -906,6 +909,12 @@ def print_tps_step_one_information(mdict, instance):
     print(log.PKI_RUN_INSTALLATION_STEP_TWO)
     print(log.PKI_SPAWN_INFORMATION_FOOTER)
 
+def print_tps_step_one_information(mdict, instance):
+
+    print(log.PKI_SPAWN_INFORMATION_HEADER)
+    print("TO BE COMPLETED")
+    print(log.PKI_RUN_INSTALLATION_STEP_TWO)
+    print(log.PKI_SPAWN_INFORMATION_FOOTER)
 
 def print_skip_configuration_information(mdict, instance):