dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pki client-cert-import support for HSM token #3250

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #3133. Originally filed by cipherboy (@cipherboy) on 2020-03-15 14:16:49:


Description of problem: Currently pki client-cert-import doesn't support HSM tokens.

Version-Release number of selected component (if applicable):

pki-tools-10.5.1-13.1.el7_5.x86_64

How reproducible:

Steps to Reproduce:

  1. Using PKCS10Client, create a CSR using the HSM token.
  2. Approve the certificate using the CMC method. The Base64-encoded certificate is stored in /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
  3. Execute:

```text
# pki -vvvv -d /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias -c $PASSWORD --token $HSM client-cert-import "IssuanceProtectionSystemCert" --cert /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
Server URI: http://$HOSTNAME:8080
Client security database: /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias
Message format: null
Command: client-cert-import IssuanceProtectionSystemCert --cert /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
Module: client
Module: cert-import
Importing certificate from /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem.
External command: /bin/certutil -A -d /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias -f /tmp/pki-client-cert-import-899064207899981979.nssdb-pwd -i /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem -n IssuanceProtectionSystemCert -t u,u,u
java.lang.Exception: Unable to import certificate file
    at com.netscape.cmstools.client.ClientCertImportCLI.importCert(ClientCertImportCLI.java:351)
    at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:171)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
Caused by: com.netscape.cmstools.cli.CLIException: External command failed. RC: 255
    at com.netscape.cmstools.cli.CLI.runExternal(CLI.java:386)
    at com.netscape.cmstools.cli.CLI.runExternal(CLI.java:358)
    at com.netscape.cmstools.client.ClientCertImportCLI.importCert(ClientCertImportCLI.java:349)
    ... 5 more
```

Actual results: client-cert-import fails.

Expected results: Certificate should be imported successfully.
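The logged `certutil -A` command in the report names no PKCS#11 token, so certutil operates on the internal softoken, where the private key generated on the HSM is not visible. The shell snippet below is an added example (not code from the pki project or from the reporter) that builds the two certutil invocations side by side, the logged one and an HSM-aware one that passes `-h <token>`, plus the post-import check an operator would run. The database path, password file, certificate path, nickname and token name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the pki project. It shows the certutil
# commands an HSM-aware "client-cert-import" needs to produce, next to the
# one logged in the report, which omits the token. All paths, the token
# name and the nickname are placeholders.

# Build the certutil -A (add certificate) command line. With a token name,
# certutil is pointed at that PKCS#11 slot with -h; without one it targets
# the internal softoken, where an HSM-resident key cannot be found.
build_import_cmd() {
    db="$1" pwfile="$2" cert="$3" nick="$4" token="$5"
    if [ -n "$token" ]; then
        printf '%s\n' "certutil -A -d $db -f $pwfile -h $token -i $cert -n $nick -t u,u,u"
    else
        printf '%s\n' "certutil -A -d $db -f $pwfile -i $cert -n $nick -t u,u,u"
    fi
}

# Build the checks an operator runs afterwards: list the certificate under
# its token-qualified nickname (NSS addresses token objects as TOKEN:NICK)
# and list the keys on the token to confirm the matching private key is there.
build_verify_cmds() {
    db="$1" pwfile="$2" nick="$3" token="$4"
    printf '%s\n' "certutil -L -d $db -f $pwfile -n $token:$nick"
    printf '%s\n' "certutil -K -d $db -f $pwfile -h $token"
}

# Placeholder inputs (constructed for this example).
DB=/var/lib/pki/example-ca/alias
PWFILE=/tmp/pki-client-cert-import.nssdb-pwd   # holds the DB and token passwords
CERT=/opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
NICK=IssuanceProtectionSystemCert
TOKEN=example-hsm                               # placeholder token name

echo "# as logged in the report (internal softoken only):"
build_import_cmd "$DB" "$PWFILE" "$CERT" "$NICK" ""
echo "# with the HSM token:"
build_import_cmd "$DB" "$PWFILE" "$CERT" "$NICK" "$TOKEN"
echo "# post-import checks:"
build_verify_cmds "$DB" "$PWFILE" "$NICK" "$TOKEN"
```

The script only prints the command lines, so it runs without an NSS database or HSM present; on a real system the printed commands are what to execute and compare against the `External command:` line in the failing run.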

pki-bot commented 4 years ago

Comment from cipherboy (@cipherboy) at 2020-03-15 14:18:01

https://bugzilla.redhat.com/show_bug.cgi?id=1594401

pki-bot commented 4 years ago

Comment from cipherboy (@cipherboy) at 2020-03-15 14:18:02

Metadata Update from @cipherboy: