Lightweight CAs: add exceptions for missing signing key or cert

Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object.  In CertificateAuthority, store the exception if it occurs
for possible re-throwing later.  Also add the private 'hasKeys'
field for internal use.

Part of: https://fedorahosted.org/pki/ticket/1625

2 files changed, 29 insertions, 7 deletions

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 2e1f9d7c8..b087f26b6 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -77,6 +77,8 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -188,6 +190,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
     protected AuthorityID authorityParentID = null;
     protected String authorityDescription = null;
     protected boolean authorityEnabled = true;
+    private boolean hasKeys = false;
+    private ECAException signingUnitException = null;
 
     protected ISubsystem mOwner = null;
     protected IConfigStore mConfig = null;
@@ -1358,7 +1362,15 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
                 mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
             }
 
-            mSigningUnit.init(this, caSigningCfg, mNickname);
+            try {
+                mSigningUnit.init(this, caSigningCfg, mNickname);
+                hasKeys = true;
+                signingUnitException = null;
+            } catch (CAMissingCertException | CAMissingKeyException e) {
+                CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+                signingUnitException = e;
+                return;
+            }
             CMS.debug("CA signing unit inited");
 
             // for identrus
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 0ac4b7a1c..60bd84e3b 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -43,6 +43,8 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.ISigningUnit;
@@ -165,14 +167,22 @@ public final class SigningUnit implements ISigningUnit {
 
             mToken.login(cb); // ONE_TIME by default.
 
-            mCert = mManager.findCertByNickname(mNickname);
-            CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            try {
+                mCert = mManager.findCertByNickname(mNickname);
+                CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mCertImpl = new X509CertImpl(mCert.getEncoded());
             CMS.debug("converted to x509CertImpl");
 
-            mPrivk = mManager.findPrivKeyByCert(mCert);
-            CMS.debug("Got private key from cert");
+            try {
+                mPrivk = mManager.findPrivKeyByCert(mCert);
+                CMS.debug("Got private key from cert");
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mPubk = mCert.getPublicKey();
             CMS.debug("Got public key from cert");
@@ -200,10 +210,10 @@ public final class SigningUnit implements ISigningUnit {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
             throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
-        } catch (ObjectNotFoundException e) {
+        } catch (CAMissingCertException | CAMissingKeyException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-            throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            throw e;  // re-throw
         } catch (TokenException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));