Added p11-kit-trust for pki CLI #265
// All rights reserved. | ||
// --- END COPYRIGHT BLOCK --- | ||
|
||
package org.dogtagpki.nss; |
Should this live in JSS instead? Generally we have to initialize a CryptoManager explicitly. I could see using shims for now (er, ProcessBuilder to call certutil/modutil) until we have a fuller implementation. Since it's static, and wouldn't necessarily require initializing NSS, I think it's fine to put this under JSS.
The flow would look like:

    if (!db_exists) {
        NSSDatabase.create(db)
        NSSDatabase.makeUseful(db)
    }
    CryptoManager.initialize(db);

} | ||
// Install p11-kit-trust module if it doesn't exist | ||
if (!nssdb.isModuleInstalled("p11-kit-trust")) { | ||
nssdb.addModule("p11-kit-trust", "/usr/lib64/pkcs11/p11-kit-trust.so"); |
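Review bot: the library path passed to addModule is the literal /usr/lib64/pkcs11/p11-kit-trust.so, which only resolves on installations that keep PKCS #11 modules under /usr/lib64. Suggest resolving the path at run time or from build configuration, and checking that the file exists before calling addModule so that a missing library is reported clearly.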
Ugh, please don't hard-code this path. We should check with Bob if there's an alternative way to get this path and/or at least handle non-/usr/lib64 installations.
As discussed on IRC, this depends on the following JSS ticket:
That looks better. I won't hold it up based on moving it to JSS, we can do that at a later date when we have more time. Java doesn't need to be multi-arch clean, so I think we're fine here. I just worry about the occasional non-Intel system (ppc64 and s390x) but other than that I think we're good.
The pki CLI has been modified to add the p11-kit-trust module into the NSS database such that it trusts the CA certificates provided by the system.
|
||
// Install p11-kit-trust module if it doesn't exist | ||
if (!isModuleInstalled("p11-kit-trust")) { | ||
addModule("p11-kit-trust", "/usr/share/pki/lib/p11-kit-trust.so"); |
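Review bot: the comment above the isModuleInstalled check says only that the module is installed if it doesn't exist, and does not say that adding p11-kit-trust changes which CA certificates this database trusts. Suggest stating that in the comment, and lifting the module name (a string literal used twice here) and the /usr/share/pki/lib/p11-kit-trust.so path into named constants so the location is defined in one place.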
The last remaining thing I want a discussion on is this: automatically adding root system store to the client.
There's an argument that, by only explicitly adding certificates of CAs you trust (namely, only the Dogtag CA -- that's generally the only CA necessary for PKI interactions), you're safer here. It probably only matters on say, KRA operations, and matters less on say, CSR submissions.
I'm not inclined to care too much here; we can assume this is a fairly safe list of CA certs. However, I am inclined to ask @ladycfu if there's any wording that CC perhaps might care about this that we'll need to explicitly mention. Thoughts?
(If they do care, I'd prefer to make this a separate command, something like pki trust-root-store perhaps).
As discussed on IRC, the p11-kit-trust will only be added to a new NSS database created by the CLI. If the user already has an NSS database without the module (e.g. for CC), the CLI will not add the module. Also if the system administrator wants to limit the trusted certs, that can be done centrally on the system, and the CLI should continue to use the p11-kit-trust to trust the system-provided certs.
Thanks!
The pki CLI has been modified to add the p11-kit-trust module
into the NSS database such that it trusts the CA certificates
provided by the system.
This can be tested with this command:
Expected results:
Docs: https://www.dogtagpki.org/wiki/PKI_10.8_PKI_CLI_Changes
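
The policy settled on in this thread (add p11-kit-trust only to a database the CLI creates, and do not depend on a fixed /usr/lib64 path), sketched with the NSS certutil and modutil tools as an added example that is not code from this pull request. The function names and the list of candidate library directories are assumptions.

```shell
#!/bin/sh
# Added example, not Dogtag PKI or JSS code. The candidate directories and
# function names are assumptions made for this sketch.

# Print the path of p11-kit-trust.so under ROOT (default: /), or return 1.
find_p11_kit_trust() {
    root="${1:-}"
    for dir in usr/lib64/pkcs11 usr/lib/pkcs11 \
               usr/lib/x86_64-linux-gnu/pkcs11 \
               usr/lib/powerpc64le-linux-gnu/pkcs11 \
               usr/lib/s390x-linux-gnu/pkcs11; do
        if [ -f "$root/$dir/p11-kit-trust.so" ]; then
            printf '%s\n' "$root/$dir/p11-kit-trust.so"
            return 0
        fi
    done
    return 1
}

# An existing database is left alone; only a new one gets the module.
plan_for_db() {
    if [ -f "$1/cert9.db" ] || [ -f "$1/cert8.db" ]; then
        echo keep-existing
    else
        echo create-and-add-module
    fi
}

# Create DBDIR and register the trust module, only when DBDIR is new.
setup_client_db() {
    dbdir="$1"
    if [ "$(plan_for_db "$dbdir")" = keep-existing ]; then
        return 0
    fi
    lib="$(find_p11_kit_trust "${2:-}")" || {
        echo "p11-kit-trust.so not found; database not created" >&2
        return 1
    }
    mkdir -p "$dbdir" || return 1
    # Empty password keeps the sketch non-interactive; use -f <pwfile> otherwise.
    certutil -N -d "$dbdir" --empty-password || return 1
    modutil -dbdir "$dbdir" -add p11-kit-trust -libfile "$lib" -force
}
```

Running `modutil -dbdir <dbdir> -list` afterwards shows whether the module is registered in a given database.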