diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 2e28edb2816..895f78c01de 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -949,6 +949,7 @@ def create_request(
 cka_id=None,
 key_type=None,
 key_size=None,
+ key_wrap=False,
 curve=None,
 hash_alg=None,
 basic_constraints_ext=None,
@@ -985,6 +986,14 @@ def create_request(
 Raw extension data (``bytes``)
 """
+
+ if key_wrap:
+ self.__create_request_for_key_wrap(
+ subject_dn=subject_dn,
+ request_file=request_file,
+ key_size=key_size)
+ return
+
 if os.geteuid() == 0 and self.user:
 os.chown(os.path.dirname(request_file), self.uid, self.gid)
@@ -998,6 +1007,7 @@ def create_request(
 cka_id=cka_id,
 key_type=key_type,
 key_size=key_size,
+ key_wrap=key_wrap,
 curve=curve,
 hash_alg=hash_alg,
 basic_constraints_ext=basic_constraints_ext,
@@ -1187,7 +1197,7 @@ def create_request(
 finally:
 shutil.rmtree(tmpdir)
- def create_request_with_wrapping_key(
+ def __create_request_for_key_wrap(
 self,
 subject_dn,
 request_file,
@@ -1473,6 +1483,7 @@ def __create_request(
 cka_id=None,
 key_type=None,
 key_size=None,
+ key_wrap=False,
 curve=None,
 hash_alg=None,
 basic_constraints_ext=None,
@@ -1569,6 +1580,9 @@ def __create_request(
 if key_size:
 cmd.extend(['--key-size', str(key_size)])
+ if key_wrap:
+ cmd.append('--key-wrap')
+
 if curve:
 cmd.extend(['--curve', curve])
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 80a1e5f230b..2896f89cc0c 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -3112,7 +3112,6 @@ def generate_csr(self,
 cert_id = self.get_cert_id(subsystem, tag)
 logger.info('Generating %s CSR in %s', cert_id, csr_path)
- csr_pathname = os.path.join(nssdb.tmpdir, os.path.basename(csr_path))
 subject_dn = self.mdict['pki_%s_subject_dn' % cert_id]
 
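Review bot: Inserting `key_wrap=False` between `key_size` and `curve` in the `create_request` signature shifts the position of every parameter that follows, so a caller that passes `curve`, `hash_alg` or one of the extension arguments positionally would now bind that value to `key_wrap` without any error. Whether such callers exist is not visible in this diff, but the safer placement is at the end of the parameter list, or after a `*` marker if the file already uses keyword-only parameters. The same mid-list insertion is made in `__create_request` in the hunk starting `@@ -1473`, where the risk is smaller because that method is private to the class. The enclosing signature starts and ends outside this hunk.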
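Review bot: The new `if key_wrap:` branch in `create_request` returns before `os.chown` runs and before `cka_id`, `key_type`, `curve`, `hash_alg`, the extension arguments or `use_jss` are consulted, so a caller passing `key_wrap=True` together with a non-default `key_type` or an extension gets a request that silently ignores them. Either reject the combination up front, e.g. `if key_wrap and (key_type or curve or generic_exts): raise ValueError('key_wrap supports only subject_dn, request_file and key_size')`, or state the restriction in the docstring. The docstring that ends just above the insert gains no entry for the new parameter; add one in the existing parameter style, `key_wrap: Generate the request through the key-wrap path using only subject_dn, request_file and key_size; all other arguments are ignored.` If `__create_request_for_key_wrap` writes `request_file` while the process runs as root, skipping the `os.chown` of its directory is a further difference from the regular path; its body is not in the diff, so that needs confirming.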
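Review bot: The `key_wrap=key_wrap` forwarded to `self.__create_request` in this hunk can only ever be `False`, because the branch added earlier in `create_request` returns as soon as `key_wrap` is true; unless `__create_request` has another caller outside this diff, the `cmd.append('--key-wrap')` added in the hunk starting `@@ -1569` is unreachable from here. Either drop the early return and let `__create_request` handle the flag, or drop this pass-through and the `--key-wrap` handling, so that key-wrap requests have one code path rather than two that can drift apart. The call whose arguments this hunk edits starts and ends outside the hunk.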
@@ -3136,32 +3135,29 @@ def generate_csr(self,
 if (subsystem.type == 'KRA' and config.str2bool(self.mdict['pki_hsm_enable']) and (cert_id in ['storage', 'transport'])):
-
- logger.debug('generate_csr: calling PKCS10Client for %s', cert_id)
-
- nssdb.create_request_with_wrapping_key(
- subject_dn=subject_dn,
- request_file=csr_path,
- key_size=key_size)
+ key_wrap = True
+ csr_pathname = csr_path
 else:
-
- logger.debug('generate_csr: calling certutil for %s', cert_id)
-
- nssdb.create_request(
- subject_dn=subject_dn,
- request_file=csr_pathname,
- key_type=key_type,
- key_size=key_size,
- curve=curve,
- hash_alg=hash_alg,
- basic_constraints_ext=basic_constraints_ext,
- key_usage_ext=key_usage_ext,
- extended_key_usage_ext=extended_key_usage_ext,
- subject_key_id=subject_key_id,
- generic_exts=generic_exts,
- use_jss=True)
-
+ key_wrap = False
+ csr_pathname = os.path.join(nssdb.tmpdir, os.path.basename(csr_path))
+
+ nssdb.create_request(
+ subject_dn=subject_dn,
+ request_file=csr_pathname,
+ key_type=key_type,
+ key_size=key_size,
+ key_wrap=key_wrap,
+ curve=curve,
+ hash_alg=hash_alg,
+ basic_constraints_ext=basic_constraints_ext,
+ key_usage_ext=key_usage_ext,
+ extended_key_usage_ext=extended_key_usage_ext,
+ subject_key_id=subject_key_id,
+ generic_exts=generic_exts,
+ use_jss=True)
+
+ if not key_wrap:
 shutil.move(csr_pathname, csr_path)
 new_csr_path = subsystem.csr_file(tag)
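Review bot: Removing both `logger.debug` calls leaves no log line saying which request path was taken for a given cert, which matters most on exactly this branch: KRA `storage` and `transport` certs on an HSM now go through the key-wrap path and are written directly to `csr_path` instead of via `nssdb.tmpdir` followed by `shutil.move`. One debug line after the `if`/`else` restores it, `logger.debug('generate_csr: key_wrap=%s, request file %s', key_wrap, csr_pathname)`. The `key_type`, `curve`, `hash_alg` and extension arguments are now forwarded on the key-wrap path as well, so whatever `create_request` does with them when `key_wrap` is true becomes this caller's behaviour; a comment above the call, `# with key_wrap=True only subject_dn, request_file and key_size are used`, would make that expectation explicit here. `generate_csr` starts before and continues past this hunk.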