Merge pull request jhoblitt#1 from itewk/master

FIPS and Self Signed Certs

README.md

@@ -74,6 +74,7 @@ nsstools::create { '/etc/dirsrv/slapd-ldap1':
   mode           => '0660',
   password       => 'example',
   manage_certdir => false,
+  enable_fips    => false,
 }
 
 nsstools::add_cert_and_key{ 'Server-Cert':
@@ -128,7 +129,8 @@ nsstools::create { <title>:
   group          => undef,
   mode           => '0600',
   certdir_mode   => '0700',
-  manage_certdir => true
+  manage_certdir => true,
+  enable_fips    => false,
 }
 ```
 
@@ -175,6 +177,12 @@ nsstools::create { <title>:
 
     `String` Defaults to: `0700`
 
+ * `enable_fips`
+
+    `Boolean` Defaults to: `true`
+
+    If `true` enables FIPS compliance mode on the NSS DB.
+
 ### `add_cert`
 
 Insert a certificate into an existing NSS database.
@@ -194,8 +202,7 @@ nsstools::add_cert { <title>:
 
  * `certdir`
 
-    `String`/absolute path required
-
+    `String`/absolute path required 
     Absolute path to the directory to contain the database files.
 
  * `cert`
@@ -258,6 +265,53 @@ nsstools::add_cert_and_key { <title>:
 
     The "nickname" of the certificate in the database.
 
+### `create_cert_and_key`
+
+Create a certificate and it's associated private key directly in an existing NSS database.
+
+```puppet
+nsstools::create_cert_and_key { <title>:
+  nickname => <title>, # defaults to $title
+  subject  => <subject>, # required
+  certdir  => <certdir>, # required
+}
+```
+
+ * `title`
+
+    Used as the default value for the `nickname` parameter.
+
+ * `nickname`
+
+    `String` defaults to: `title`
+
+    The "nickname" of the certificate in the database.
+
+ * `subject`
+
+    `String` required
+
+    The subject of the certificate. The subject identification format follows RFC #1485.
+
+ * `keytype`
+
+    `String` defaults to: 'rsa'
+
+    The type of key to generate with the self signed cert.
+    Valid options: ras|dsa|ec|all
+
+ * `noisefile`
+
+    `String`/absolute path defaults to: '/var/log/messages'
+
+    The path to a file to use as noise to generate the cert. The minimum file size is 20 bytes.
+
+ * `certdir`
+
+    `String`/absolute path required
+
+    Absolute path to the directory that contains the already created NSS database.
+
 ## Functions
 
 ### `nsstools_add_cert`

manifests/create.pp

@@ -8,6 +8,7 @@
 #   $mode           - optional - defaults to '0600'
 #   $certdir_mode   - optional - defaults to '0700'
 #   $manage_certdir - optional - defaults to true
+#   $enable_fips    - optional - defaults to false
 #
 # Actions:
 #   creates a new NSS database, consisting of 4 files:
@@ -25,7 +26,8 @@
 #     group          => 'root',
 #     mode           => '0600',
 #     certdir_mode   => '0700',
-#     manage_certdir => true
+#     manage_certdir => true,
+#     enable_fips    => false,
 #   }
 #
 #
@@ -36,9 +38,11 @@
   $group          = undef,
   $mode           = '0600',
   $certdir_mode   = '0700',
-  $manage_certdir = true
+  $manage_certdir = true,
+  $enable_fips    = false,
 ) {
   include nsstools
+  include nsstools::params
 
   validate_string($password)
   validate_absolute_path($certdir)
@@ -47,6 +51,7 @@
   validate_string($mode)
   validate_string($certdir_mode)
   validate_bool($manage_certdir)
+  validate_bool($enable_fips)
 
   if $manage_certdir {
     file { $certdir:
@@ -62,7 +67,8 @@
     $require_certdir = undef
   }
 
-  file { "${certdir}/nss-password.txt":
+  $_password_file = "${certdir}/${nsstools::params::password_file_name}"
+  file { $_password_file:
     ensure  => file,
     owner   => $owner,
     group   => $group,
@@ -81,17 +87,27 @@
     group   => $group,
     mode    => $mode,
     require => [
-      File["${certdir}/nss-password.txt"],
+      File[$_password_file],
       Exec["create_nss_db_${title}"],
     ],
   }
 
   exec { "create_nss_db_${title}":
-    command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/nss-password.txt",
+    command => "/usr/bin/certutil -N -d ${certdir} -f ${_password_file}",
     creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
     require => [
-      File["${certdir}/nss-password.txt"],
+      File[$_password_file],
       Class['nsstools'],
     ]
   }
+
+  if $enable_fips {
+    # enable fips mode on the NSS DB after DB creation
+    exec { "enable_fips_mode_${title}":
+      command     => "/usr/bin/modutil -fips true -dbdir ${certdir} -force",
+      unless      => "/usr/bin/modutil -chkfips true -dbdir ${certdir}",
+      subscribe   => [Exec["create_nss_db_${title}"],],
+      refreshonly => true,
+    }
+  }
 }

manifests/create_cert_and_key.pp

@@ -0,0 +1,58 @@
+# Creates a self signed certificate with key directly in the NSS database.
+#
+# Parameters:
+#   $nickname  - optional - The nickname for the NSS certificate, defaults to the title
+#   $subject   - required - The subject of the certificate.
+#                           The subject identification format follows RFC #1485.
+#   $keytype   - optional - The type of key to generate with the self signed cert.
+#                           Valid options: ras|dsa|ec|all
+#   $noisefile - optional - The path to a file to use as noise to generate the cert.
+#                           The minimum file size is 20 bytes.
+#   $certdir   - required - The path to the NSS DB to add the cert to
+#
+# Actions:
+#  Creates a self signed certifacate directly in the NSS databae.
+#
+# Requires:
+#   $subject
+#   $certdir
+#
+# Sample Usage:
+#
+#   nsstools::create_cert_and_key { 'server_cert':
+#     nickname => 'Servert Cert',
+#     subject  => 'CN=localhost, OU=OrgUnit, O=Org, L=City, ST=State, C=MY\',
+#     certdir  => '/etc/pki/foo',
+#   }
+#
+define nsstools::create_cert_and_key(
+  $nickname  = $title,
+  $subject,
+  $keytype   = 'rsa',
+  $noisefile = '/var/log/messages',
+  $certdir,
+) {
+  include nsstools
+  include nsstools::params
+
+  validate_string($nickname)
+  validate_string($subject)
+  validate_re($keytype, [ '^rsa', '^dsa', '^ec', '^all' ])
+  validate_absolute_path($certdir)
+  validate_absolute_path($noisefile)
+
+  $_password_file = "${certdir}/${nsstools::params::password_file_name}"
+
+  # create the cert and key in the NSS database
+  exec { "create_cert_and_key_${title}":
+    path      => ['/usr/bin'],
+    command   => "certutil -S -k ${keytype} -n '${nickname}' -t \"u,u,u\" -x -s \"${subject}\" -d ${certdir} -f ${_password_file} -z ${noisefile}",
+    unless    => "certutil -d ${certdir} -L -n '${nickname}'",
+    logoutput => true,
+    require   => [
+      Nsstools::Create[$certdir],
+      File[$_password_file],
+      Class['nsstools'],
+    ],
+  }
+}

manifests/params.pp

@@ -1,5 +1,7 @@
 # this class should be considered private
 class nsstools::params {
+  $password_file_name = 'nss-password.txt'
+
   case $::osfamily {
     'redhat': {
       $package_name = ['nss-tools']