diff options
author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-10-22 19:09:25 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-10-22 19:09:25 +0000 |
commit | 0acd942a0ff6558eb2b34b97188c7f80603911df (patch) | |
tree | be52dd916c8ac91c9bccf82b2209436570306eba | |
parent | 93a2f2630e5c10b3e1744df4daf8f0291203b17b (diff) | |
download | pki-0acd942a0ff6558eb2b34b97188c7f80603911df.tar.gz pki-0acd942a0ff6558eb2b34b97188c7f80603911df.tar.xz pki-0acd942a0ff6558eb2b34b97188c7f80603911df.zip |
Bug 744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2274 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
3 files changed, 35 insertions, 16 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java index b60b73c9a..cc8789390 100644 --- a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -937,10 +937,16 @@ public abstract class EnrollProfile extends BasicProfile sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); if (sigver) { CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled"); - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", - "Internal Key Storage Token"); + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); savedToken = cm.getThreadToken(); - CryptoToken signToken = cm.getTokenByName(tokenName); + CryptoToken signToken = null; + if (tokenName.equals("internal")) { + CMS.debug("EnrollProfile: parsePKCS10: use internal token"); + signToken = cm.getInternalCryptoToken(); + } else { + CMS.debug("EnrollProfile: parsePKCS10: tokenName="+ tokenName); + signToken = cm.getTokenByName(tokenName); + } CMS.debug("EnrollProfile: parsePKCS10 setting thread token"); cm.setThreadToken(signToken); pkcs10 = new PKCS10(data); @@ -1365,15 +1371,14 @@ public abstract class EnrollProfile extends BasicProfile try { CryptoManager cm = CryptoManager.getInstance(); - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", - "Internal Key Storage Token"); - CryptoToken verifyToken = cm.getTokenByName(tokenName); - if (tokenName.equals("Internal Key Storage Token")) { - //use internal token + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { CMS.debug("POP verification using internal token"); certReqMsg.verify(); } else { CMS.debug("POP verification using token:"+ tokenName); + verifyToken = cm.getTokenByName(tokenName); certReqMsg.verify(verifyToken); } diff --git a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java index 949e58b1a..f704a2297 100644 --- a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java +++ b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java @@ -198,15 +198,15 @@ public abstract class EnrollInput implements IProfileInput { } CMS.debug("POP verification begins:"); CryptoManager cm = CryptoManager.getInstance(); - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", - "Internal Key Storage Token"); - CryptoToken verifyToken = cm.getTokenByName(tokenName); - if (tokenName.equals("Internal Key Storage Token")) { - //use internal token + + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { CMS.debug("POP verification using internal token"); certReqMsg.verify(); } else { CMS.debug("POP verification using token:"+ tokenName); + verifyToken = cm.getTokenByName(tokenName); certReqMsg.verify(verifyToken); } diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java index 5e0c77e25..da3c3a87c 100644 --- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java @@ -126,11 +126,21 @@ public class RecoveryService implements IService { cm = CryptoManager.getInstance(); config = CMS.getConfigStore(); tokName = config.getString("kra.storageUnit.hardware", "internal"); - CMS.debug("RecoveryService: tokenName="+tokName); - ct = cm.getTokenByName(tokName); + if (tokName.equals("internal")) { + CMS.debug("RecoveryService: serviceRequest: use internal token "); + ct = cm.getInternalCryptoToken(); + } else { + CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName); + ct = cm.getTokenByName(tokName); + } allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + CMS.debug("RecoveryService exception: use internal token :" + + e.toString()); + ct = cm.getInternalCryptoToken(); + } + if (ct == null) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token")); } IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); @@ -413,6 +423,7 @@ public class RecoveryService implements IService { */ public void createPFX(IRequest request, Hashtable params, PrivateKey priKey, CryptoToken ct) throws EBaseException { + CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false"); try { // create p12 X509Certificate x509cert = @@ -421,6 +432,7 @@ public class RecoveryService implements IService { // add certificate mKRA.log(ILogger.LL_INFO, "KRA adds certificate to P12"); + CMS.debug("RecoverService: createPFX() adds certificate to P12"); SEQUENCE encSafeContents = new SEQUENCE(); ASN1Value cert = new OCTET_STRING(x509cert.getEncoded()); String nickname = request.getExtDataInString(ATTR_NICKNAME); @@ -440,6 +452,7 @@ public class RecoveryService implements IService { // add key mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); + CMS.debug("RecoverService: createPFX() adds key to P12"); org.mozilla.jss.util.Password pass = new org.mozilla.jss.util.Password( pwd.toCharArray()); @@ -536,6 +549,7 @@ public class RecoveryService implements IService { */ public void createPFX(IRequest request, Hashtable params, byte priData[]) throws EBaseException { + CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true"); try { // create p12 X509Certificate x509cert = |