Fixed missing subsystem cert token name

The code that configures the shared secret between TKS and TPS has been modified to use the subsystem certificate token name if it is specified in the deployment configuration. This is needed to install TPS with HSM. https://bugzilla.redhat.com/show_bug.cgi?id=1809210
dogtagpki · Mar 4, 2020 · 766011e · 766011e
1 parent 28a3a11
commit 766011e
Showing 1 changed file with 43 additions and 6 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -379,6 +379,12 @@ def get_tps_connector(self, instance, subsystem):
         tks_uri = self.mdict['pki_tks_uri']
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
 
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         server_config = instance.get_server_config()
         securePort = server_config.get_secure_port()
 
@@ -387,7 +393,7 @@ def get_tps_connector(self, instance, subsystem):
             '-U', tks_uri,
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
-            '-n', subsystem_cert['nickname'],
+            '-n', nickname,
             'tks-tpsconnector-show',
             '--host', self.mdict['pki_hostname'],
             '--port', securePort,
@@ -408,6 +414,12 @@ def create_tps_connector(self, instance, subsystem):
         tks_uri = self.mdict['pki_tks_uri']
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
 
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         server_config = instance.get_server_config()
         securePort = server_config.get_secure_port()
 
@@ -416,7 +428,7 @@ def create_tps_connector(self, instance, subsystem):
             '-U', tks_uri,
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
-            '-n', subsystem_cert['nickname'],
+            '-n', nickname,
             'tks-tpsconnector-add',
             '--host', self.mdict['pki_hostname'],
             '--port', securePort,
@@ -437,12 +449,18 @@ def get_shared_secret(self, instance, subsystem, tps_connector_id):
         tks_uri = self.mdict['pki_tks_uri']
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
 
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         cmd = [
             'pki',
             '-U', tks_uri,
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
-            '-n', subsystem_cert['nickname'],
+            '-n', nickname,
             'tks-key-export', tps_connector_id
         ]
 
@@ -460,12 +478,18 @@ def create_shared_secret(self, instance, subsystem, tps_connector_id):
         tks_uri = self.mdict['pki_tks_uri']
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
 
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         cmd = [
             'pki',
             '-U', tks_uri,
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
-            '-n', subsystem_cert['nickname'],
+            '-n', nickname,
             'tks-key-create', tps_connector_id,
             '--output-format', 'json'
         ]
@@ -484,12 +508,18 @@ def replace_shared_secret(self, instance, subsystem, tps_connector_id):
         tks_uri = self.mdict['pki_tks_uri']
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
 
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         cmd = [
             'pki',
             '-U', tks_uri,
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
-            '-n', subsystem_cert['nickname'],
+            '-n', nickname,
             'tks-key-replace', tps_connector_id,
             '--output-format', 'json'
         ]
@@ -511,14 +541,21 @@ def import_shared_secret(self, instance, subsystem, shared_secret):
         securePort = server_config.get_secure_port()
 
         subsystem_cert = subsystem.get_subsystem_cert('subsystem')
+
+        nickname = subsystem_cert['nickname']
+        token = subsystem_cert['token']
+
+        if pki.nssdb.normalize_token(token):
+            nickname = token + ':' + nickname
+
         secret_nickname = 'TPS-%s-%s sharedSecret' % (hostname, securePort)
 
         cmd = [
             'pki',
             '-d', instance.nssdb_dir,
             '-f', instance.password_conf,
             'nss-key-import', secret_nickname,
-            '--wrapper', subsystem_cert['nickname']
+            '--wrapper', nickname
         ]
 
         logger.debug('Command: %s', ' '.join(cmd))