Fixed NSSDatabase.import_pkcs7() for HSM.

Previously NSSDatabase.import_pkcs7() was implemented using pki client-cert-import --pkcs7 which uses JSS to import the certificate chain from a PKCS #7 file. Apparently, when it is used with HSM outside of PKI server JSS imports the certificates incorrectly. The method has been changed to use pki pkcs7-cert-export to sort and split the certificate chain into separate files. The CA certs will be imported with pki client-cert-import --ca-cert (such that the nickname will be consistently generated by JSS), and the user certificate will be imported using certutil with the nickname provided by the caller. This method seems to be working fine with HSM. https://pagure.io/dogtagpki/issue/2901 Change-Id: If04963eb6ad86737593df7d64eef8b17f7bde75f (cherry picked from commit 3d231ae)
dogtagpki · Jan 19, 2018 · a032321 · a032321
1 parent 0c9d093
commit a032321
Showing 1 changed file with 37 additions and 9 deletions.
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
@@ -800,15 +800,43 @@ def import_cert_chain(self, nickname, cert_chain_file,
     def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None,
                      output_format='pem'):
 
-        subprocess.check_call([
-            'pki',
-            '-d', self.directory,
-            '-C', self.password_file,
-            'client-cert-import',
-            '--pkcs7', pkcs7_file,
-            '--trust', trust_attributes,
-            nickname
-        ])
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            # Sort and split the certs from root to leaf.
+            prefix = os.path.join(tmpdir, 'cert')
+            suffix = '.crt'
+
+            cmd = [
+                'pki',
+                '-d', self.directory,
+                'pkcs7-cert-export',
+                '--pkcs7-file', pkcs7_file,
+                '--output-prefix', prefix,
+                '--output-suffix', suffix
+            ]
+
+            subprocess.check_call(cmd)
+
+            # Count the number of certs in the chain.
+            n = 0
+            while True:
+                cert_file = prefix + str(n) + suffix
+                if not os.path.exists(cert_file):
+                    break
+                n = n + 1
+
+            # Import CA certs with default nicknames and trust attributes.
+            for i in range(0, n - 1):
+                cert_file = prefix + str(i) + suffix
+                self.add_ca_cert(cert_file)
+
+            # Import user cert with specified nickname and trust attributes.
+            cert_file = prefix + str(n - 1) + suffix
+            self.add_cert(nickname, cert_file, trust_attributes)
+
+        finally:
+            shutil.rmtree(tmpdir)
 
         # convert PKCS #7 data to the requested format
         with open(pkcs7_file, 'r') as f: