authorFraser Tweedale <ftweedal@redhat.com>2015-09-29 11:17:21 -0400
committerFraser Tweedale <ftweedal@redhat.com>2015-10-06 09:41:38 +1000
commit9a2f79f9fb4dce130d1495450e7a680e04648626 (patch)
tree2932e430e402f3993d5282ae003e9cc1b31af9fc /base/ca/src/com/netscape/ca
parentdec7fe7aea653d1192bab47a503c98970f8d898f (diff)
Lightweight CAs: implement deletion API and CLI
Implement lightweight authority deletion, including a CLI command. To be deleted, an authority must be disabled and have no sub-CAs. Fixes: https://fedorahosted.org/pki/ticket/1324
Diffstat (limited to 'base/ca/src/com/netscape/ca')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java75
1 files changed, 75 insertions, 0 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index af4afbdef..449da301f 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -72,9 +72,11 @@ import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.asn1.OCTET_STRING;
+import org.mozilla.jss.crypto.CryptoStore;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.KeyPairAlgorithm;
import org.mozilla.jss.crypto.KeyPairGenerator;
+import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.pkix.cert.Extension;
@@ -90,7 +92,9 @@ import com.netscape.certsrv.base.Nonces;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.ca.AuthorityID;
import com.netscape.certsrv.ca.CADisabledException;
+import com.netscape.certsrv.ca.CAEnabledException;
import com.netscape.certsrv.ca.CANotFoundException;
+import com.netscape.certsrv.ca.CANotLeafException;
import com.netscape.certsrv.ca.CATypeException;
import com.netscape.certsrv.ca.ECAException;
import com.netscape.certsrv.ca.ICRLIssuingPoint;
@@ -2624,4 +2628,75 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
}
}
+ public void deleteAuthority() throws EBaseException {
+ if (isHostAuthority())
+ throw new CATypeException("Cannot delete the host CA");
+
+ if (authorityEnabled)
+ throw new CAEnabledException("Must disable CA before deletion");
+
+ boolean hasSubCAs = false;
+ for (ICertificateAuthority ca : getCAs()) {
+ AuthorityID parentAID = ca.getAuthorityParentID();
+ if (parentAID != null && parentAID.equals(this.authorityID)) {
+ hasSubCAs = true;
+ break;
+ }
+ }
+ if (hasSubCAs)
+ throw new CANotLeafException("CA with sub-CAs cannot be deleted (delete sub-CAs first)");
+
+ caMap.remove(authorityID);
+ shutdown();
+
+ // delete ldap entry
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("updateAuthority");
+ dbFactory.init(CMS.getConfigStore().getSubStore("internaldb"));
+ LDAPConnection conn = dbFactory.getConn();
+ String dn = "cn=" + authorityID.toString() + ",ou=authorities,ou="
+ + getId() + "," + getDBSubsystem().getBaseDN();
+ try {
+ conn.delete(dn);
+ } catch (LDAPException e) {
+ throw new ELdapException("Error deleting authority entry '" + dn + "': " + e);
+ } finally {
+ dbFactory.returnConn(conn);
+ dbFactory.reset();
+ }
+
+ CryptoManager cryptoManager;
+ try {
+ cryptoManager = CryptoManager.getInstance();
+ } catch (CryptoManager.NotInitializedException e) {
+ // can't happen
+ throw new ECAException("CryptoManager not initialized");
+ }
+
+ // delete cert
+ CryptoStore cryptoStore =
+ cryptoManager.getInternalKeyStorageToken().getCryptoStore();
+ try {
+ cryptoStore.deleteCert(mCaX509Cert);
+ } catch (NoSuchItemOnTokenException e) {
+ CMS.debug("deleteAuthority: cert is not on token: " + e);
+ // if the cert isn't there, never mind
+ } catch (TokenException e) {
+ CMS.debug("deleteAuthority: TokenExcepetion while deleting cert: " + e);
+ throw new ECAException("TokenException while deleting cert: " + e);
+ }
+
+ // delete key
+ try {
+ cryptoStore.deletePrivateKey(mSigningUnit.getPrivateKey());
+ } catch (NoSuchItemOnTokenException e) {
+ CMS.debug("deleteAuthority: private key is not on token: " + e);
+ // if the key isn't there, never mind
+ } catch (TokenException e) {
+ CMS.debug("deleteAuthority: TokenExcepetion while deleting private key: " + e);
+ // TODO don't know what causes this yet, or how to
+ // prevent it.
+ //throw new ECAException("TokenException while deleting private key: " + e);
+ }
+ }
+
}
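Review bot: The in-memory removal and shutdown (`caMap.remove(authorityID); shutdown();`) run before the LDAP entry is deleted, so if `conn.delete(dn)` fails and ELdapException is thrown the authority is gone from the running server while its persistent entry remains and would presumably be reloaded on the next restart; moving those two lines after the LDAP `finally` block keeps persistent and in-memory state consistent. The sub-CA scan over `getCAs()` and the later `caMap.remove` are not done under any lock visible in this hunk, so an authority created with this one as its parent between the check and the removal would be orphaned — worth confirming against however sub-CA creation is synchronized. The `TokenException` from `deletePrivateKey` is only debug-logged and the method still returns normally, which leaves the signing key of a supposedly deleted CA on the token with no operator-visible signal; until the cause noted in the TODO is understood it should at least be reported at a non-debug level if one is available, and a CA deletion is a security-relevant operation for which I see no audit record emitted anywhere in the hunk. Minor: "TokenExcepetion" is misspelled in the debug messages of both `TokenException` catch blocks.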