From 602fae0c54a14a0e3b339f08c82e7044e3b4665d Mon Sep 17 00:00:00 2001
From: Ian Tewksbury
Date: Fri, 13 Jun 2014 11:47:23 -0400
Subject: [PATCH 1/2] add option to enable FIPS on the NSS DB.
---
 README.md | 10 +++++++++-
 manifests/create.pp | 27 +++++++++++++++++++++------
 2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index dcfc419..d802870 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ nsstools::create { '/etc/dirsrv/slapd-ldap1':
 mode => '0660',
 password => 'example',
 manage_certdir => false,
+ enable_fips => false,
 }
 nsstools::add_cert_and_key{ 'Server-Cert':
@@ -128,7 +129,8 @@ nsstools::create { :
 group => undef,
 mode => '0600',
 certdir_mode => '0700',
- manage_certdir => true
+ manage_certdir => true,
+ enable_fips => false,
 }
 ```
@@ -175,6 +177,12 @@ nsstools::create { <title>:
 `String` Defaults to: `0700`
+ * `enable_fips`
+
+ `Boolean` Defaults to: `true`
+
+ If `true` enables FIPS compliance mode on the NSS DB.
+
 ### `add_cert`
 Insert a certificate into an existing NSS database.
diff --git a/manifests/create.pp b/manifests/create.pp
index a1ee8c4..125984d 100644
--- a/manifests/create.pp
+++ b/manifests/create.pp
@@ -8,6 +8,7 @@
 # $mode - optional - defaults to '0600'
 # $certdir_mode - optional - defaults to '0700'
 # $manage_certdir - optional - defaults to true
+# $enable_fips - optional - defaults to false
 #
 # Actions:
 # creates a new NSS database, consisting of 4 files:
@@ -25,7 +26,8 @@
 # group => 'root',
 # mode => '0600',
 # certdir_mode => '0700',
-# manage_certdir => true
+# manage_certdir => true,
+# enable_fips => false,
 # }
 #
 #
@@ -36,7 +38,8 @@
 $group = undef,
 $mode = '0600',
 $certdir_mode = '0700',
- $manage_certdir = true
+ $manage_certdir = true,
+ $enable_fips = false,
 ) {
 include nsstools
@@ -47,6 +50,7 @@
 validate_string($mode)
 validate_string($certdir_mode)
 validate_bool($manage_certdir)
+ validate_bool($enable_fips)
 if $manage_certdir {
 file { $certdir:
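Review bot: The `$enable_fips = false,` default in the parameter-list hunk and the `# $enable_fips - optional - defaults to false` header line agree with each other, but the README hunk in this same patch documents the parameter as Defaults to: `true`, so a reader of the README will believe FIPS mode is switched on when it is not. Changing the code default would alter the behaviour of every existing `nsstools::create` declaration, so the README line is the one to correct; it should read Defaults to: `false`. The `validate_bool($enable_fips)` hunk is consistent with the parameter list and needs no change.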
@@ -62,7 +66,8 @@
 $require_certdir = undef
 }
- file { "${certdir}/nss-password.txt":
+ $_password_file = "${certdir}/nss-password.txt"
+ file { $_password_file:
 ensure => file,
 owner => $owner,
 group => $group,
@@ -81,17 +86,27 @@
 group => $group,
 mode => $mode,
 require => [
- File["${certdir}/nss-password.txt"],
+ File[$_password_file],
 Exec["create_nss_db_${title}"],
 ],
 }
 exec { "create_nss_db_${title}":
- command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/nss-password.txt",
+ command => "/usr/bin/certutil -N -d ${certdir} -f ${_password_file}",
 creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
 require => [
- File["${certdir}/nss-password.txt"],
+ File[$_password_file],
 Class['nsstools'],
 ]
 }
+
+ if $enable_fips {
+ # enable fips mode on the NSS DB after DB creation
+ exec { "enable_fips_mode_${title}":
+ command => "/usr/bin/modutil -fips true -dbdir ${certdir} -force",
+ unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}",
+ subscribe => [Exec["create_nss_db_${title}"],],
+ refreshonly => true,
+ }
+ }
 }
From 34f21938063ac2ba1e926558695511b99ed5d8ca Mon Sep 17 00:00:00 2001
From: Ian Tewksbury <itewksbu@redhat.com>
Date: Fri, 13 Jun 2014 13:20:18 -0400
Subject: [PATCH 2/2] Add type for creating a cert and key directly in the NSS DB.
---
 README.md | 50 +++++++++++++++++++++++++--
 manifests/create.pp | 3 +-
 manifests/create_cert_and_key.pp | 58 ++++++++++++++++++++++++++++++++
 manifests/params.pp | 2 ++
 4 files changed, 110 insertions(+), 3 deletions(-)
 create mode 100644 manifests/create_cert_and_key.pp
diff --git a/README.md b/README.md
index d802870..cdf6be8 100644
--- a/README.md
+++ b/README.md
@@ -202,8 +202,7 @@ nsstools::add_cert { <title>:
 * `certdir`
- `String`/absolute path required
-
+ `String`/absolute path required
 Absolute path to the directory to contain the database files.
 * `cert`
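Review bot: `refreshonly => true` on `enable_fips_mode_${title}` means the exec can only run in the agent run that created the database; if `modutil -fips true` fails on that run (for instance because the database password does not meet the stricter password rules FIPS mode imposes, which is worth confirming against the NSS version in use), no later run will retry it, because `creates` on `create_nss_db_${title}` is already satisfied and nothing refreshes the subscriber, and the same applies if FIPS mode is later switched off by hand. The `unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}"` guard already makes the exec idempotent, so it should be enforced on every run: replace the `subscribe` and `refreshonly` lines with `require => Exec["create_nss_db_${title}"],`. A failing `modutil` then surfaces on every run until the state is correct instead of being lost after the first one.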
@@ -266,6 +265,53 @@ nsstools::add_cert_and_key { <title>:
 The "nickname" of the certificate in the database.
+### `create_cert_and_key`
+
+Create a certificate and it's associated private key directly in an existing NSS database.
+
+```puppet
+nsstools::create_cert_and_key { <title>:
+ nickname => <title>, # defaults to $title
+ subject => <subject>, # required
+ certdir => <certdir>, # required
+}
+```
+
+ * `title`
+
+ Used as the default value for the `nickname` parameter.
+
+ * `nickname`
+
+ `String` defaults to: `title`
+
+ The "nickname" of the certificate in the database.
+
+ * `subject`
+
+ `String` required
+
+ The subject of the certificate. The subject identification format follows RFC #1485.
+
+ * `keytype`
+
+ `String` defaults to: 'rsa'
+
+ The type of key to generate with the self signed cert.
+ Valid options: ras|dsa|ec|all
+
+ * `noisefile`
+
+ `String`/absolute path defaults to: '/var/log/messages'
+
+ The path to a file to use as noise to generate the cert. The minimum file size is 20 bytes.
+
+ * `certdir`
+
+ `String`/absolute path required
+
+ Absolute path to the directory that contains the already created NSS database.
+
 ## Functions
 ### `nsstools_add_cert`
diff --git a/manifests/create.pp b/manifests/create.pp
index 125984d..5eced2e 100644
--- a/manifests/create.pp
+++ b/manifests/create.pp
@@ -42,6 +42,7 @@
 $enable_fips = false,
 ) {
 include nsstools
+ include nsstools::params
 validate_string($password)
 validate_absolute_path($certdir)
@@ -66,7 +67,7 @@
 $require_certdir = undef
 }
- $_password_file = "${certdir}/nss-password.txt"
+ $_password_file = "${certdir}/${nsstools::params::password_file_name}"
 file { $_password_file:
 ensure => file,
 owner => $owner,
diff --git a/manifests/create_cert_and_key.pp b/manifests/create_cert_and_key.pp
new file mode 100644
index 0000000..dc49e36
--- /dev/null
+++ b/manifests/create_cert_and_key.pp
@@ -0,0 +1,58 @@
+# Creates a self signed certificate with key directly in the NSS database.
+#
+# Parameters:
+# $nickname - optional - The nickname for the NSS certificate, defaults to the title
+# $subject - required - The subject of the certificate.
+# The subject identification format follows RFC #1485.
+# $keytype - optional - The type of key to generate with the self signed cert.
+# Valid options: ras|dsa|ec|all
+# $noisefile - optional - The path to a file to use as noise to generate the cert.
+# The minimum file size is 20 bytes.
+# $certdir - required - The path to the NSS DB to add the cert to
+#
+# Actions:
+# Creates a self signed certifacate directly in the NSS databae.
+#
+# Requires:
+# $subject
+# $certdir
+#
+# Sample Usage:
+#
+# nsstools::create_cert_and_key { 'server_cert':
+# nickname => 'Servert Cert',
+# subject => 'CN=localhost, OU=OrgUnit, O=Org, L=City, ST=State, C=MY\',
+# certdir => '/etc/pki/foo',
+# }
+#
+define nsstools::create_cert_and_key(
+ $nickname = $title,
+ $subject,
+ $keytype = 'rsa',
+ $noisefile = '/var/log/messages',
+ $certdir,
+) {
+ include nsstools
+ include nsstools::params
+
+ validate_string($nickname)
+ validate_string($subject)
+ validate_re($keytype, [ '^rsa', '^dsa', '^ec', '^all' ])
+ validate_absolute_path($certdir)
+ validate_absolute_path($noisefile)
+
+ $_password_file = "${certdir}/${nsstools::params::password_file_name}"
+
+ # create the cert and key in the NSS database
+ exec { "create_cert_and_key_${title}":
+ path => ['/usr/bin'],
+ command => "certutil -S -k ${keytype} -n '${nickname}' -t \"u,u,u\" -x -s \"${subject}\" -d ${certdir} -f ${_password_file} -z ${noisefile}",
+ unless => "certutil -d ${certdir} -L -n '${nickname}'",
+ logoutput => true,
+ require => [
+ Nsstools::Create[$certdir],
+ File[$_password_file],
+ Class['nsstools'],
+ ],
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 0c9dcf6..e60b388 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
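Review bot: `validate_re($keytype, [ '^rsa', '^dsa', '^ec', '^all' ])` only checks a prefix, so a value such as `rsa -g 512` passes validation and its tail is appended to the `certutil -S` command line as extra arguments; the pattern should be anchored at both ends, `validate_re($keytype, '^(rsa|dsa|ec|all)$')`. `$nickname` and `$subject` are likewise interpolated into `command` and `unless` after only a `validate_string` check, and the hand-written quotes are the only thing keeping a value containing `'` or `"` from being split into further arguments (as far as I can tell the default posix exec provider hands a command string containing shell metacharacters to the shell, so `$`, backticks and `;` inside `$subject` are live as well). Building both strings with Puppet's `shellquote()` quotes every value as a single argument and removes the manual quoting; if you prefer validation, restrict `$nickname` and `$subject` to an explicit character class with `validate_re` instead. Separately, `# Valid options: ras|dsa|ec|all` has `ras` for `rsa`, and the sample subject ends in `C=MY\'`, which escapes the closing quote so the example as written does not parse.
```puppet
  validate_re($keytype, '^(rsa|dsa|ec|all)$')
  # … unchanged: validate_absolute_path calls, $_password_file …
  exec { "create_cert_and_key_${title}":
    path      => ['/usr/bin'],
    command   => shellquote('certutil', '-S', '-k', $keytype, '-n', $nickname,
                            '-t', 'u,u,u', '-x', '-s', $subject, '-d', $certdir,
                            '-f', $_password_file, '-z', $noisefile),
    unless    => shellquote('certutil', '-d', $certdir, '-L', '-n', $nickname),
    # … unchanged: logoutput, require …
```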
@@ -1,5 +1,7 @@
 # this class should be considered private
 class nsstools::params {
+ $password_file_name = 'nss-password.txt'
+
 case $::osfamily {
 'redhat': {
 $package_name = ['nss-tools']