Lightweight CAs: add exceptions for missing signing key or cert

Add the CAMissingCertException and CAMissingKeyException classes and throw when signing unit initialisation fails due to a missing object. In CertificateAuthority, store the exception if it occurs for possible re-throwing later. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625
author: Fraser Tweedale <ftweedal@redhat.com> 2016-03-31 12:46:03 +1100
committer: Fraser Tweedale <ftweedal@redhat.com> 2016-04-14 16:07:16 +1000
commit: 6d72a9c7fc067df42a3259fc5ea87b65e94f76ad (patch)
tree: a7ad9fd5b73724d19f7deee6856149f416c0c30c
parent: e832349f8846ab398b17b98ebe9862bc700d1b7f (diff)
download: pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.gz
pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.xz
pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.zip
4 files changed, 59 insertions, 7 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 2e1f9d7c8..b087f26b6 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -77,6 +77,8 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -188,6 +190,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
     protected AuthorityID authorityParentID = null;
     protected String authorityDescription = null;
     protected boolean authorityEnabled = true;
+    private boolean hasKeys = false;
+    private ECAException signingUnitException = null;
 
     protected ISubsystem mOwner = null;
     protected IConfigStore mConfig = null;
@@ -1358,7 +1362,15 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
                 mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
             }
 
-            mSigningUnit.init(this, caSigningCfg, mNickname);
+            try {
+                mSigningUnit.init(this, caSigningCfg, mNickname);
+                hasKeys = true;
+                signingUnitException = null;
+            } catch (CAMissingCertException | CAMissingKeyException e) {
+                CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+                signingUnitException = e;
+                return;
+            }
             CMS.debug("CA signing unit inited");
 
             // for identrus
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 0ac4b7a1c..60bd84e3b 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -43,6 +43,8 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.ISigningUnit;
@@ -165,14 +167,22 @@ public final class SigningUnit implements ISigningUnit {
 
             mToken.login(cb); // ONE_TIME by default.
 
-            mCert = mManager.findCertByNickname(mNickname);
-            CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            try {
+                mCert = mManager.findCertByNickname(mNickname);
+                CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mCertImpl = new X509CertImpl(mCert.getEncoded());
             CMS.debug("converted to x509CertImpl");
 
-            mPrivk = mManager.findPrivKeyByCert(mCert);
-            CMS.debug("Got private key from cert");
+            try {
+                mPrivk = mManager.findPrivKeyByCert(mCert);
+                CMS.debug("Got private key from cert");
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mPubk = mCert.getPublicKey();
             CMS.debug("Got public key from cert");
@@ -200,10 +210,10 @@ public final class SigningUnit implements ISigningUnit {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
             throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
-        } catch (ObjectNotFoundException e) {
+        } catch (CAMissingCertException | CAMissingKeyException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-            throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            throw e;  // re-throw
         } catch (TokenException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
new file mode 100644
index 000000000..49c5063f2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing certificate is not
+ * (yet) present in the local NSSDB.
+ */
+public class CAMissingCertException extends ECAException {
+
+    private static final long serialVersionUID = 7261805480088539689L;
+
+    public CAMissingCertException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
new file mode 100644
index 000000000..8f5e1e72a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing key is not (yet)
+ * present in the local NSSDB.
+ */
+public class CAMissingKeyException extends ECAException {
+
+    private static final long serialVersionUID = -364157165997677925L;
+
+    public CAMissingKeyException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
author	Fraser Tweedale <ftweedal@redhat.com>	2016-03-31 12:46:03 +1100
committer	Fraser Tweedale <ftweedal@redhat.com>	2016-04-14 16:07:16 +1000
commit	6d72a9c7fc067df42a3259fc5ea87b65e94f76ad (patch)
tree	a7ad9fd5b73724d19f7deee6856149f416c0c30c
parent	e832349f8846ab398b17b98ebe9862bc700d1b7f (diff)
download	pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.gz pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.xz pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.zip