diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-03-16 16:48:43 +1100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-04-14 16:07:17 +1000 |
commit | 8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39 (patch) | |
tree | be9830bd2da459a955050b240bfc10e52c010e8d /base/ca/src | |
parent | 28bc4ed903bc9e2618390ec412602d889e28354b (diff) | |
download | pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.gz pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.xz pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.zip |
Lightweight CAs: indicate when CA does not yet have keys
When a lightweight CA is created, clones will initialise a local
object when the LDAP replication takes place, however, the signing
keys will not yet have been replicated. Therefore, indicate CA
readiness in authority data and respond appropriately (HTTP 503)
when signing operations are attempted.
Part of: https://fedorahosted.org/pki/ticket/1625
Diffstat (limited to 'base/ca/src')
3 files changed, 31 insertions, 10 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 60f6b3621..d96b88414 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -363,9 +363,20 @@ public class CertificateAuthority return hostCA == this; } - private void ensureEnabled() throws CADisabledException { + public void ensureReady() + throws ECAException { if (!authorityEnabled) throw new CADisabledException("Authority is disabled"); + if (!isReady()) { + if (signingUnitException != null) + throw signingUnitException; + else + throw new CAMissingKeyException("Authority does not yet have signing key and cert in local NSSDB"); + } + } + + public boolean isReady() { + return hasKeys; } public boolean getAuthorityEnabled() { @@ -1191,7 +1202,7 @@ public class CertificateAuthority */ public X509CRLImpl sign(X509CRLImpl crl, String algname) throws EBaseException { - ensureEnabled(); + ensureReady(); X509CRLImpl signedcrl = null; IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); @@ -1264,7 +1275,7 @@ public class CertificateAuthority */ public X509CertImpl sign(X509CertInfo certInfo, String algname) throws EBaseException { - ensureEnabled(); + ensureReady(); X509CertImpl signedcert = null; @@ -1349,7 +1360,7 @@ public class CertificateAuthority */ public byte[] sign(byte[] data, String algname) throws EBaseException { - ensureEnabled(); + ensureReady(); return mSigningUnit.sign(data, algname); } @@ -2261,7 +2272,7 @@ public class CertificateAuthority } private BasicOCSPResponse sign(ResponseData rd) throws EBaseException { - ensureEnabled(); + ensureReady(); try (DerOutputStream out = new DerOutputStream()) { DerOutputStream tmp = new DerOutputStream(); @@ -2490,8 +2501,7 @@ public class CertificateAuthority String subjectDN, String description) throws EBaseException { - if (!authorityEnabled) - throw new CADisabledException("Parent CA is disabled"); + ensureReady(); // check requested DN X500Name subjectX500Name = null; diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index fa9e1038b..582248d4c 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java @@ -43,9 +43,12 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ForbiddenException; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.ResourceNotFoundException; +import com.netscape.certsrv.base.ServiceUnavailableException; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CAEnabledException; import com.netscape.certsrv.ca.CADisabledException; +import com.netscape.certsrv.ca.CAMissingCertException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.ca.CANotFoundException; import com.netscape.certsrv.ca.CANotLeafException; import com.netscape.certsrv.ca.CATypeException; @@ -207,6 +210,8 @@ public class AuthorityService extends PKIService implements AuthorityResource { auditParams.put("exception", e.toString()); audit(ILogger.FAILURE, OpDef.OP_ADD, "<unknown>", auditParams); throw new ConflictingOperationException(e.toString()); + } catch (CAMissingCertException | CAMissingKeyException e) { + throw new ServiceUnavailableException(e.toString()); } catch (Exception e) { CMS.debug(e); auditParams.put("exception", e.toString()); @@ -261,14 +266,14 @@ public class AuthorityService extends PKIService implements AuthorityResource { public Response enableCA(String aidString) { return modifyCA( aidString, - new AuthorityData(null, null, null, null, true, null)); + new AuthorityData(null, null, null, null, true, null, null)); } @Override public Response disableCA(String aidString) { return modifyCA( aidString, - new AuthorityData(null, null, null, null, false, null)); + new AuthorityData(null, null, null, null, false, null, null)); } @Override @@ -322,7 +327,8 @@ public class AuthorityService extends PKIService implements AuthorityResource { ca.getAuthorityID().toString(), parentAID != null ? parentAID.toString() : null, ca.getAuthorityEnabled(), - ca.getAuthorityDescription() + ca.getAuthorityDescription(), + ca.isReady() ); } diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java index cddbeb1ba..80aaf6f78 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java @@ -43,9 +43,12 @@ import com.netscape.certsrv.base.ConflictingOperationException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.ResourceNotFoundException; +import com.netscape.certsrv.base.ServiceUnavailableException; import com.netscape.certsrv.base.UnauthorizedException; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CADisabledException; +import com.netscape.certsrv.ca.CAMissingCertException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.cert.CertEnrollmentRequest; import com.netscape.certsrv.cert.CertRequestInfo; @@ -252,6 +255,8 @@ public class CertRequestService extends PKIService implements CertRequestResourc } catch (CADisabledException e) { CMS.debug("changeRequestState: CA disabled: " + e); throw new ConflictingOperationException(e.toString()); + } catch (CAMissingCertException | CAMissingKeyException e) { + throw new ServiceUnavailableException(e.toString()); } catch (EPropertyException e) { CMS.debug("changeRequestState: execution error " + e); throw new PKIException(CMS.getUserMessage(getLocale(headers), |