| author | Endi Sukma Dewata <edewata@redhat.com> | 2013-04-26 13:47:30 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2013-04-28 01:06:37 -0400 |
| commit | bc03ee6c31e5390e76d2f92d00931d19a71eea7b (patch) | |
| tree | c90bbc8ebb474ed2eb1e0f7f3a4d55f4bd843c09 | |
| parent | 4dbd2579662d3ba7d31cbedda96293de71b06844 (diff) | |
Ignoring warnings/errors during installation.
The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.
The instanceCreationMode is now redundant and has been removed from
ClientConfig.
5 files changed, 51 insertions, 52 deletions
diff --git a/base/common/src/com/netscape/certsrv/client/ClientConfig.java b/base/common/src/com/netscape/certsrv/client/ClientConfig.java
index ca17c8575..885b60a26 100644
--- a/base/common/src/com/netscape/certsrv/client/ClientConfig.java
+++ b/base/common/src/com/netscape/certsrv/client/ClientConfig.java
@@ -48,8 +48,6 @@ public class ClientConfig {
 }
 }
- boolean instanceCreationMode;
-
 URI serverURI;
 String certDatabase;
@@ -57,15 +55,6 @@ public class ClientConfig {
 String username;
 String password;
- @XmlElement(defaultValue="false")
- public boolean getInstanceCreationMode() {
- return instanceCreationMode;
- }
-
- public void setInstanceCreationMode(boolean mode) {
- this.instanceCreationMode = mode;
- }
-
 @XmlElement(name="ServerURI")
 public URI getServerURI() {
 return serverURI;
@@ -186,7 +175,6 @@ public class ClientConfig {
 public static void main(String args[]) throws Exception {
 ClientConfig before = new ClientConfig();
- before.setInstanceCreationMode(false);
 before.setServerURI("http://localhost:9180/ca");
 before.setCertDatabase("certs");
 before.setCertNickname("caadmin");
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 940575b87..e0d459850 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -71,8 +71,8 @@ public class PKIConnection {
 PKIClient client;
 ClientConfig config;
- Collection<Integer> rejectedCertStatuses;
- Collection<Integer> ignoredCertStatuses;
+ Collection<Integer> rejectedCertStatuses = new HashSet<Integer>();
+ Collection<Integer> ignoredCertStatuses = new HashSet<Integer>();
 // List to prevent displaying the same warnings/errors again.
 Collection<Integer> statuses = new HashSet<Integer>();
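Review bot: In the PKIConnection hunk, `rejectedCertStatuses` and `ignoredCertStatuses` are initialised to fresh `HashSet`s but left non-final, even though the setters added later in this commit mutate them in place with `clear()`/`addAll()` rather than reassigning them. Declaring them `final Collection<Integer> rejectedCertStatuses = new HashSet<Integer>();` (same for `ignoredCertStatuses`) makes it impossible to reintroduce the null state that the old `!= null` checks in `isRejected`/`isIgnored` guarded against. Since membership in `ignoredCertStatuses` is what lets a connection proceed past a failed server-certificate check, a one-line comment on the field saying so would help the next reader; the class continues outside the hunk.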
@@ -391,17 +391,12 @@ public class PKIConnection {
 // Ignore validity status
 } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
- // Ignore the "UNTRUSTED_ISSUER" validity status
- // during PKI instance creation since we are
- // utilizing an untrusted temporary CA cert.
- if (!config.getInstanceCreationMode()) {
- // Otherwise, issue a WARNING, but allow this process
- // to continue since we haven't installed a trusted CA
- // cert for this operation.
- if (!statuses.contains(reason)) {
- System.err.println("WARNING: " + getMessage(serverCert, reason));
- handleUntrustedIssuer(serverCert);
- }
+ // Issue a WARNING, but allow this process
+ // to continue since we haven't installed a trusted CA
+ // cert for this operation.
+ if (!statuses.contains(reason)) {
+ System.err.println("WARNING: " + getMessage(serverCert, reason));
+ handleUntrustedIssuer(serverCert);
 }
 }
 } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
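Review bot: With the instance-creation gate gone, the only thing standing between an untrusted issuer and an accepted connection is `handleUntrustedIssuer(serverCert)`, and the new code still runs it inside the `if (!statuses.contains(reason))` display-dedupe guard; `statuses` is keyed on the reason alone (its field comment says it exists to avoid repeated messages), so if `handleUntrustedIssuer()` is where trust is actually decided (it is outside the hunk), that decision is taken only for the first certificate that reports UNTRUSTED_ISSUER on this connection and any later certificate with the same status passes with no warning and no handler call. Keep the dedupe on the message only: `if (!statuses.contains(reason)) System.err.println("WARNING: " + getMessage(serverCert, reason));` followed by an unconditional `handleUntrustedIssuer(serverCert);`. The retained comment `// cert for this operation.` should also say that warn-and-continue is now the behaviour for every caller, and that a caller that must fail closed is expected to put UNTRUSTED_ISSUER in the reject list (that check is presumably made elsewhere in this method). The enclosing approval callback starts and ends outside the hunk.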
@@ -411,18 +406,13 @@ public class PKIConnection {
 System.err.println("WARNING: " + getMessage(serverCert, reason));
 } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
- // Ignore the "CA_CERT_INVALID" validity status
- // during PKI instance creation since we are
- // utilizing an untrusted temporary CA cert.
- if (!config.getInstanceCreationMode()) {
- // Otherwise, set approval false to deny this
- // certificate so that the connection is terminated.
- // (Expect an IOException on the outstanding
- // read()/write() on the socket).
- if (!statuses.contains(reason))
- System.err.println("ERROR: " + getMessage(serverCert, reason));
- approval = false;
- }
+ // Set approval false to deny this
+ // certificate so that the connection is terminated.
+ // (Expect an IOException on the outstanding
+ // read()/write() on the socket).
+ if (!statuses.contains(reason))
+ System.err.println("ERROR: " + getMessage(serverCert, reason));
+ approval = false;
 } else {
 // Set approval false to deny this certificate so that
@@ -535,20 +525,32 @@ public class PKIConnection {
 return request.post(String.class);
 }
+ public void addRejectedCertStatus(Integer rejectedCertStatus) {
+ rejectedCertStatuses.add(rejectedCertStatus);
+ }
+
 public void setRejectedCertStatuses(Collection<Integer> rejectedCertStatuses) {
- this.rejectedCertStatuses = rejectedCertStatuses;
+ this.rejectedCertStatuses.clear();
+ if (rejectedCertStatuses == null) return;
+ this.rejectedCertStatuses.addAll(rejectedCertStatuses);
 }
 public boolean isRejected(Integer certStatus) {
- return this.rejectedCertStatuses != null && this.rejectedCertStatuses.contains(certStatus);
+ return rejectedCertStatuses.contains(certStatus);
+ }
+
+ public void addIgnoredCertStatus(Integer ignoredCertStatus) {
+ ignoredCertStatuses.add(ignoredCertStatus);
 }
 public void setIgnoredCertStatuses(Collection<Integer> ignoredCertStatuses) {
- this.ignoredCertStatuses = ignoredCertStatuses;
+ this.ignoredCertStatuses.clear();
+ if (ignoredCertStatuses == null) return;
+ this.ignoredCertStatuses.addAll(ignoredCertStatuses);
 }
 public boolean isIgnored(Integer certStatus) {
- return this.ignoredCertStatuses != null && this.ignoredCertStatuses.contains(certStatus);
+ return ignoredCertStatuses.contains(certStatus);
 }
 public File getOutput() {
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 014eb448b..719efd3bf 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
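Review bot: `addIgnoredCertStatus()` and `setIgnoredCertStatuses()` are new public API with no Javadoc, yet an entry in `ignoredCertStatuses` is exactly what lets a connection proceed past a failed server-certificate check (this commit relies on it from ConfigurationUtils for UNTRUSTED_ISSUER and CA_CERT_INVALID). Each of the four mutators should carry a Javadoc saying that the values are `SSLCertificateApprovalCallback.ValidityStatus` codes, that ignoring UNTRUSTED_ISSUER or CA_CERT_INVALID disables authentication of the server for every request made through this connection, and that `set…` replaces the whole set while `add…` appends; how a code present in both sets is resolved is decided outside this hunk and belongs in the Javadoc of `isRejected`/`isIgnored`. Minor: `HashSet.add(null)` succeeds, so `addIgnoredCertStatus(null)` makes `isIgnored(null)` true; a guard `if (ignoredCertStatus == null) return;` (and the same in `addRejectedCertStatus`) keeps the sets to real codes.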
@@ -328,9 +328,20 @@ public class ConfigurationUtils {
 config.setServerURI("https://" + sdhost + ":" + sdport + "/ca");
 config.setUsername(user);
 config.setPassword(passwd);
- config.setInstanceCreationMode(true);
 PKIClient client = new PKIClient(config);
+ PKIConnection connection = client.getConnection();
+
+ // Ignore the "UNTRUSTED_ISSUER" validity status
+ // during PKI instance creation since we are
+ // utilizing an untrusted temporary CA cert.
+ connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
+
+ // Ignore the "CA_CERT_INVALID" validity status
+ // during PKI instance creation since we are
+ // utilizing an untrusted temporary CA cert.
+ connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID);
+
 AccountClient accountClient = new AccountClient(client);
 SecurityDomainClient sdClient = new SecurityDomainClient(client);
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index d5707d155..9b011f0d8 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -54,8 +54,8 @@ public class MainCLI extends CLI {
 public ClientConfig config = new ClientConfig();
- public Collection<Integer> rejectedCertStatuses;
- public Collection<Integer> ignoredCertStatuses;
+ public Collection<Integer> rejectedCertStatuses = new HashSet<Integer>();
+ public Collection<Integer> ignoredCertStatuses = new HashSet<Integer>();
 public File certDatabase;
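Review bot: After the two `connection.addIgnoredCertStatus(...)` calls, the `user`/`passwd` set three lines earlier via `config.setUsername`/`config.setPassword` are sent to whatever answers at `sdhost:sdport` over a TLS session whose server certificate failed issuer and CA-validity checks, so anything on the path to the security domain can capture the installer's credentials; the old `setInstanceCreationMode(true)` had the same effect, but now that the policy is attached per connection it should at least be visible at runtime, e.g. a WARNING through the logging this class already uses, such as `"security domain server certificate is not verified (temporary CA cert); installation credentials are sent over an unauthenticated TLS connection"`. The two comments are identical and only restate the status name; the second one should explain why CA_CERT_INVALID, and not only UNTRUSTED_ISSUER, must be ignored here, since the pkispawn commands in this same commit ignore only UNTRUSTED_ISSUER. If the security-domain CA certificate is already known to the installer at this point, importing it into `config.getCertDatabase()` before connecting would let both calls be dropped; that is inferred from the surrounding setup rather than visible here. The enclosing method begins and ends outside the hunk.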
@@ -201,17 +201,15 @@ public class MainCLI extends CLI {
 config.setPassword(password);
 String list = cmd.getOptionValue("reject-cert-status");
- rejectedCertStatuses = convertCertStatusList(list);
+ convertCertStatusList(list, rejectedCertStatuses);
 list = cmd.getOptionValue("ignore-cert-status");
- ignoredCertStatuses = convertCertStatusList(list);
+ convertCertStatusList(list, ignoredCertStatuses);
 }
- public Collection<Integer> convertCertStatusList(String list) throws Exception {
+ public void convertCertStatusList(String list, Collection<Integer> statuses) throws Exception {
- if (list == null) return null;
-
- Collection<Integer> statuses = new HashSet<Integer>();
+ if (list == null) return;
 Class<SSLCertificateApprovalCallback.ValidityStatus> clazz = SSLCertificateApprovalCallback.ValidityStatus.class;
@@ -224,8 +222,6 @@ public class MainCLI extends CLI {
 throw new Error("Invalid cert status \"" + status + "\".", e);
 }
 }
-
- return statuses;
 }
 public void connect() throws Exception {
diff --git a/base/server/src/engine/pkihelper.py b/base/server/src/engine/pkihelper.py
index 7e086a93b..1ff50cd13 100644
--- a/base/server/src/engine/pkihelper.py
+++ b/base/server/src/engine/pkihelper.py
@@ -2595,6 +2595,7 @@ class kra_connector:
 def execute_using_pki(self, caport, cahost, subsystemnick, token_pwd, krahost, kraport, critical_failure=False):
 command = "/bin/pki -p '{}' -h '{}' -n '{}' -P https -d '{}' -w '{}' "\
+ "--ignore-cert-status UNTRUSTED_ISSUER "\
 "kraconnector-del {} {}".format(
 caport, cahost, subsystemnick, master['pki_database_path'],
@@ -2858,6 +2859,7 @@ class security_domain:
 secselect = cs_cfg.get('securitydomain.select')
 command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\
+ "--ignore-cert-status UNTRUSTED_ISSUER "\
 "securitydomain-get-install-token --hostname {} "\
 "--subsystem {}".format(
 secadminport, sechost, secuser, secpass, |
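Review bot: `public void convertCertStatusList(String list, Collection<Integer> statuses)` changes from returning a fresh set to filling a caller-owned one, but carries no Javadoc; document that `list` is the raw value of `--reject-cert-status`/`--ignore-cert-status` (the splitting is outside the hunk, so the separator is presumably a comma), that a null `list` leaves `statuses` untouched, that entries are appended without clearing the collection, and that an unknown name raises `Error` (the `throw new Error("Invalid cert status ...")` in the second hunk). Because `--ignore-cert-status UNTRUSTED_ISSUER` silently removes a server-authentication check for the whole run, it is worth one line after the second `convertCertStatusList` call: `if (!ignoredCertStatuses.isEmpty()) System.err.println("WARNING: ignoring certificate validity status " + ignoredCertStatuses);`. The method that populates `config` starts outside the hunk.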
