Update PKIDeployer.finalize_ocsp()

The PKIDeployer.finalize_ocsp() has been updated to get the CA signing PKCS #7 from the OCSP signing PKCS #7 which is already available locally instead of from preop.cert.pkcs7 which has to be retrieved from the issuing/master CA.
dogtagpki · May 17, 2024 · bbe6472 · bbe6472
1 parent c59e500
commit bbe6472
Showing 1 changed file with 32 additions and 9 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -4676,19 +4676,38 @@ def finalize_ocsp(self, subsystem):
         clone = self.configuration_file.clone
         standalone = self.configuration_file.standalone
 
-        if standalone:
-            ca_url = None
-        else:
-            ca_url = self.mdict['pki_issuing_ca']
+        if clone or standalone:
+            return
 
-        if ca_url and not clone:
+        ca_url = self.mdict['pki_issuing_ca']
+        if not ca_url:
+            return
+
+        tmpdir = tempfile.mkdtemp()
+        nssdb = self.instance.open_nssdb()
+        try:
+            nickname = self.mdict['pki_ocsp_signing_nickname']
+            logger.info('Loading OCSP signing PKCS #7: %s', nickname)
+
+            # get OCSP signing PKCS #7
+            ocsp_signing_pkcs7 = nssdb.export_pkcs7(nickname)
+            logger.debug('OCSP signing PKCS #7:\n%s', ocsp_signing_pkcs7)
+
+            # get cert chain from OCSP signing PKCS #7
+            cert_chain = nssdb.get_pkcs7_certs(pkcs7_data=ocsp_signing_pkcs7)
+
+            # remove leaf cert to create CA signing cert chain
+            del cert_chain[-1]
+
+            logger.info('Creating CA signing PKCS #7')
+            ca_signing_pkcs7 = nssdb.create_pkcs7(
+                cert_chain=cert_chain,
+                cert_format='PEM')
 
             logger.info('Adding CRL issuing point')
-            base64_chain = subsystem.config['preop.ca.pkcs7']
-            cert_chain = base64.b64decode(base64_chain)
             subsystem.add_crl_issuing_point(
-                cert_chain=cert_chain,
-                cert_format='DER',
+                cert_chain=ca_signing_pkcs7.encode('utf-8'),
+                cert_format='PEM',
                 ignore_duplicate=True)
 
             url = urllib.parse.urlparse(ca_url)
@@ -4724,6 +4743,10 @@ def finalize_ocsp(self, subsystem):
             # and fail over amongst them.
             self.add_ocsp_publisher(subsystem, ca_url)
 
+        finally:
+            nssdb.close()
+            shutil.rmtree(tmpdir)
+
     def finalize_tks(self, subsystem):
 
         ca_type = subsystem.config.get('preop.ca.type')