(SIMP-10456) Load multiple CA certificates (#15)

* (SIMP-10456) Load multiple CA certificates

SIMP-10456 #close

* increase password complexity for FIPS compat

* set complexity to safe chars

Author: trevor-vaughan

CHANGELOG

@@ -1,3 +1,6 @@
+* Wed Sep 22 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 0.1.2
+- Ensure that the instances can load multiple CA certificates
+
 * Tue Aug 03 2021 Trevor Vaughan <tvaughan@onyxoint.com> - 0.1.1
 - Fixed
   - Ensure that dirsrv.target is enabled so that all 389ds instances start at boot

manifests/init.pp

@@ -40,6 +40,14 @@
     recurse => true
   }
 
+  file { "$config_dir/ca_import.sh":
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0700',
+    content => epp("${module_name}/ca_import.sh.epp")
+  }
+
   $instances.each |$id, $options| {
     ds389::instance { $id:
       * => $options

manifests/instance/tls.pp

@@ -60,7 +60,7 @@
   Stdlib::Absolutepath                      $key           = "/etc/pki/simp_apps/${module_name}_${title}/x509/private/${facts['fqdn']}.pem",
   Stdlib::Absolutepath                      $cafile        = "/etc/pki/simp_apps/${module_name}_${title}/x509/cacerts/cacerts.pem",
   Ds389::ConfigItems                        $dse_config    = simplib::dlookup('ds389::instance::tls', 'dse_config', { 'default_value' => {} }),
-  String[16]                                $token         = simplib::passgen("ds389_${title}_pki", { 'length' => 32 }),
+  String[16]                                $token         = simplib::passgen("ds389_${title}_pki", { 'length' => 32, 'complexity' => 1 }),
   String[1]                                 $service_group = 'dirsrv'
 ) {
   assert_private()
@@ -192,10 +192,11 @@
         subscribe => Exec["Build ${title} p12"]
       }
 
-      exec { "Import ${title} CA":
-        command   => "certutil -D -d ${_instance_base} -n 'CA Certificate' ||:; certutil -A -i ${cafile} -d ${_instance_base} -n 'CA Certificate' -t 'CT,,' -a -f ${_token_file}",
-        unless    => "certutil -d ${_instance_base} -L -n 'CA Certificate'",
+      exec { "Import ${title} CAs":
+        command   => "${ds389::config_dir}/ca_import.sh -i '${cafile}' -o '${_instance_base}'",
+        onlyif    => "${ds389::config_dir}/ca_import.sh -i '${cafile}' -o '${_instance_base}' -c; [ \$? -eq 2 ]",
         path      => ['/bin', '/usr/bin'],
+        require   => File["${ds389::config_dir}/ca_import.sh"],
         subscribe => Exec["Build ${title} p12"]
       }
 

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-ds389",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "author": "SIMP Team",
   "summary": "Management of 389 Directory Server",
   "license": "Apache-2.0",

spec/acceptance/nodesets/default.yml

@@ -24,12 +24,8 @@ HOSTS:
 CONFIG:
   log_level: verbose
   type: aio
-<% if ENV['BEAKER_fips'] -%>
   vagrant_memsize: 1024
-<% else -%>
-  vagrant_memsize: 512
-<% end -%>
-  vagrant_cpus: 1
+  vagrant_cpus: 2
 <% if ENV['BEAKER_PUPPET_ENVIRONMENT'] -%>
   puppet_environment: <%= ENV['BEAKER_PUPPET_ENVIRONMENT'] %>
 <% end -%>

spec/defines/instance/tls_spec.rb

@@ -56,7 +56,7 @@
           it { is_expected.to_not create_exec("Validate #{title} p12") }
           it { is_expected.to_not create_exec("Build #{title} p12") }
           it { is_expected.to_not create_exec("Import #{title} p12") }
-          it { is_expected.to_not create_exec("Import #{title} CA") }
+          it { is_expected.to_not create_exec("Import #{title} CAs") }
           it { is_expected.to_not create_ds389__instance__dn__add("RSA DN for #{title}") }
           it { is_expected.to_not create_ds389__instance__attr__set("Configure PKI for #{title}") }
         end
@@ -129,8 +129,9 @@
           end
 
           it do
-            expect(subject).to create_exec("Import #{title} CA")
-              .with_command("certutil -D -d #{instance_base} -n 'CA Certificate' ||:; certutil -A -i #{params[:cafile]} -d #{instance_base} -n 'CA Certificate' -t 'CT,,' -a -f #{token_file}")
+            expect(subject).to create_exec("Import #{title} CAs")
+              .with_command("/usr/share/puppet_ds389_config/ca_import.sh -i '#{params[:cafile]}' -o '#{instance_base}'")
+              .with_onlyif("/usr/share/puppet_ds389_config/ca_import.sh -i '#{params[:cafile]}' -o '#{instance_base}' -c; [ $? -eq 2 ]")
               .with_path(['/bin', '/usr/bin'])
               .that_subscribes_to("Exec[Build #{title} p12]")
           end
@@ -202,7 +203,7 @@
           it { is_expected.to create_exec("Validate #{title} p12") }
           it { is_expected.to create_exec("Build #{title} p12") }
           it { is_expected.to create_exec("Import #{title} p12") }
-          it { is_expected.to create_exec("Import #{title} CA") }
+          it { is_expected.to create_exec("Import #{title} CAs") }
           it { is_expected.to create_ds389__instance__dn__add("RSA DN for #{title}") }
           it { is_expected.to create_ds389__instance__attr__set("Configure PKI for #{title}") }
         end
@@ -255,7 +256,7 @@
             it { is_expected.to_not create_exec("Validate #{title} p12") }
             it { is_expected.to_not create_exec("Build #{title} p12") }
             it { is_expected.to_not create_exec("Import #{title} p12") }
-            it { is_expected.to_not create_exec("Import #{title} CA") }
+            it { is_expected.to_not create_exec("Import #{title} CAs") }
             it { is_expected.to_not create_ds389__instance__dn__add("RSA DN for #{title}") }
             it { is_expected.to_not create_ds389__instance__attr__set("Configure PKI for #{title}") }
           end

templates/ca_import.sh.epp

@@ -0,0 +1,115 @@
+#!/bin/bash
+
+usage() {
+  echo "Import PEM CA certificates into a trust store using certutil"
+  echo
+  echo "Usage: $0 -i <input_pem> -o <output_dir>"
+  echo "  -i <input_pem>  Path to the input CAcerts PEM"
+  echo "  -o <output_dir> Path to the certutil store"
+  echo "  -t <token_file> Path to the certutil token file"
+  echo "  -c              Only compare, do not update; exits with 2 if update needed"
+  echo "  -h              This help"
+  exit 0
+}
+
+compare_only=false
+
+[ $# -eq 0 ] && usage
+while getopts ":hci:o:t:" opt; do
+  case $opt in
+    c)
+      compare_only=true
+      ;;
+    i)
+      input_pem=${OPTARG}
+      ;;
+    o)
+      output_dir=${OPTARG}
+      ;;
+    t)
+      token_file=${OPTARG}
+      ;;
+    h | *)
+      usage
+      exit 0
+      ;;
+  esac
+done
+
+if [ -z "${input_pem}" ] || [ -z "${output_dir}" ]; then
+  echo "Error: You must specify both 'input_pem' and 'output_dir'"
+  exit 1
+fi
+
+if ! $compare_only; then
+  if [ -z "${token_file}" ]; then
+    token_file="${output_dir}/p12token.txt"
+  fi
+
+  if [ ! -f "${token_file}" ]; then
+    echo "Error: Could not find a token file at '${token_file}'"
+    exit 1
+  fi
+fi
+
+
+if [ ! -f "${input_pem}" ]; then
+  echo "Error: Could not find input PEM at '${input_pem}'"
+  exit 1
+fi
+
+if [ ! -d "${output_dir}" ]; then
+  echo "Error: Could not find output directory at '${output_dir}'"
+  exit 1
+fi
+
+# Validate the output dir
+certutil -d "${output_dir}" -L >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+  echo "Error: '${output_dir}' is not a valid database target"
+  exit 1
+fi
+
+# Get the existing CA fingerprints
+current_fingerprints=$(
+  certutil -d "${output_dir}" -L | \
+    grep '[[:space:]]CT,' | \
+    sed 's/^\(.\+\)CT,.*/\1/' | \
+    sed 's/[[:space:]]\+$//' | \
+    while read cert; do
+      (
+        certutil -d "${output_dir}" -L -a -n "${cert}" | \
+          openssl x509 -noout -fingerprint | \
+          cut -f2 -d'='
+      )
+    done
+)
+
+umask 0077
+tmpdir=$(mktemp -d -t 389ds-cert-import-XXXXXXXXXX)
+
+(
+  cd "$tmpdir"
+
+  csplit -z -q "${input_pem}" '/^\-\+BEGIN CERTIFICATE\-\+$/' '{*}'
+
+  for x in *; do
+    fprint=$( openssl x509 -in "${x}" -noout -fingerprint | cut -f2 -d'=' )
+
+    if [[ ! ${current_fingerprints[*]} =~ $fprint ]]; then
+      if $compare_only; then
+        exit 2
+      fi
+
+      cert_name=$( openssl x509 -in "${x}" -noout -subject_hash )
+
+      certutil -D -d "${output_dir}" -n "${cert_name}" >/dev/null 2>&1 ||:
+      certutil -A -i "${x}" -d "${output_dir}" -n "${cert_name}" -t 'CT,,' -a -f "${token_file}"
+    fi
+  done
+)
+exit_code=$?
+
+rm -rf "$tmpdir"
+
+exit $exit_code