diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-13 09:00:44 +1000 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-06-05 18:59:30 +0200 |
| commit | cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7 (patch) | |
| tree | 1d51d87f1e09df6592a928e5bf66a8d0b1f4f25a /base/ca/src/org | |
| parent | 45c26ba97095a82bb91a12e0427fdb14cbe77699 (diff) | |
| download | pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.tar.gz pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.tar.xz pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.zip | |
Lightweight CAs: add method to renew certificate
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
Diffstat (limited to 'base/ca/src/org')
| -rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index 199ebef1a..0993b5c0d 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java @@ -282,6 +282,37 @@ public class AuthorityService extends PKIService implements AuthorityResource { } @Override + public Response renewCA(String aidString) { + AuthorityID aid = null; + try { + aid = new AuthorityID(aidString); + } catch (IllegalArgumentException e) { + throw new BadRequestException("Bad AuthorityID: " + aidString); + } + + ICertificateAuthority ca = hostCA.getCA(aid); + if (ca == null) + throw new ResourceNotFoundException("CA \"" + aidString + "\" not found"); + + Map<String, String> auditParams = new LinkedHashMap<>(); + + try { + ca.renewAuthority(servletRequest); + audit(ILogger.SUCCESS, OpDef.OP_MODIFY, aidString, null); + return createNoContentResponse(); + } catch (CADisabledException e) { + auditParams.put("exception", e.toString()); + audit(ILogger.FAILURE, OpDef.OP_MODIFY, aidString, auditParams); + throw new ConflictingOperationException(e.toString()); + } catch (EBaseException e) { + CMS.debug(e); + auditParams.put("exception", e.toString()); + audit(ILogger.FAILURE, OpDef.OP_MODIFY, aidString, auditParams); + throw new PKIException("Error renewing authority: " + e.toString()); + } + } + + @Override public Response deleteCA(String aidString) { AuthorityID aid = null; try { |