Lightweight CAs: indicate when CA does not yet have keys

When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
author: Fraser Tweedale <ftweedal@redhat.com> 2016-03-16 16:48:43 +1100
committer: Fraser Tweedale <ftweedal@redhat.com> 2016-04-14 16:07:17 +1000
commit: 8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39 (patch)
tree: be9830bd2da459a955050b240bfc10e52c010e8d /base/ca
parent: 28bc4ed903bc9e2618390ec412602d889e28354b (diff)
download: pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.gz
pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.xz
pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.zip
3 files changed, 31 insertions, 10 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 60f6b3621..d96b88414 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -363,9 +363,20 @@ public class CertificateAuthority
         return hostCA == this;
     }
 
-    private void ensureEnabled() throws CADisabledException {
+    public void ensureReady()
+            throws ECAException {
         if (!authorityEnabled)
             throw new CADisabledException("Authority is disabled");
+        if (!isReady()) {
+            if (signingUnitException != null)
+                throw signingUnitException;
+            else
+                throw new CAMissingKeyException("Authority does not yet have signing key and cert in local NSSDB");
+        }
+    }
+
+    public boolean isReady() {
+        return hasKeys;
     }
 
     public boolean getAuthorityEnabled() {
@@ -1191,7 +1202,7 @@ public class CertificateAuthority
      */
     public X509CRLImpl sign(X509CRLImpl crl, String algname)
             throws EBaseException {
-        ensureEnabled();
+        ensureReady();
         X509CRLImpl signedcrl = null;
 
         IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
@@ -1264,7 +1275,7 @@ public class CertificateAuthority
      */
     public X509CertImpl sign(X509CertInfo certInfo, String algname)
             throws EBaseException {
-        ensureEnabled();
+        ensureReady();
 
         X509CertImpl signedcert = null;
 
@@ -1349,7 +1360,7 @@ public class CertificateAuthority
      */
     public byte[] sign(byte[] data, String algname)
             throws EBaseException {
-        ensureEnabled();
+        ensureReady();
         return mSigningUnit.sign(data, algname);
     }
 
@@ -2261,7 +2272,7 @@ public class CertificateAuthority
     }
 
     private BasicOCSPResponse sign(ResponseData rd) throws EBaseException {
-        ensureEnabled();
+        ensureReady();
         try (DerOutputStream out = new DerOutputStream()) {
             DerOutputStream tmp = new DerOutputStream();
 
@@ -2490,8 +2501,7 @@ public class CertificateAuthority
             String subjectDN, String description)
             throws EBaseException {
 
-        if (!authorityEnabled)
-            throw new CADisabledException("Parent CA is disabled");
+        ensureReady();
 
         // check requested DN
         X500Name subjectX500Name = null;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index fa9e1038b..582248d4c 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -43,9 +43,12 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
+import com.netscape.certsrv.base.ServiceUnavailableException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CAEnabledException;
 import com.netscape.certsrv.ca.CADisabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -207,6 +210,8 @@ public class AuthorityService extends PKIService implements AuthorityResource {
             auditParams.put("exception", e.toString());
             audit(ILogger.FAILURE, OpDef.OP_ADD, "<unknown>", auditParams);
             throw new ConflictingOperationException(e.toString());
+        } catch (CAMissingCertException | CAMissingKeyException e) {
+            throw new ServiceUnavailableException(e.toString());
         } catch (Exception e) {
             CMS.debug(e);
             auditParams.put("exception", e.toString());
@@ -261,14 +266,14 @@ public class AuthorityService extends PKIService implements AuthorityResource {
     public Response enableCA(String aidString) {
         return modifyCA(
             aidString,
-            new AuthorityData(null, null, null, null, true, null));
+            new AuthorityData(null, null, null, null, true, null, null));
     }
 
     @Override
     public Response disableCA(String aidString) {
         return modifyCA(
             aidString,
-            new AuthorityData(null, null, null, null, false, null));
+            new AuthorityData(null, null, null, null, false, null, null));
     }
 
     @Override
@@ -322,7 +327,8 @@ public class AuthorityService extends PKIService implements AuthorityResource {
             ca.getAuthorityID().toString(),
             parentAID != null ? parentAID.toString() : null,
             ca.getAuthorityEnabled(),
-            ca.getAuthorityDescription()
+            ca.getAuthorityDescription(),
+            ca.isReady()
         );
     }
 
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index cddbeb1ba..80aaf6f78 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -43,9 +43,12 @@ import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
+import com.netscape.certsrv.base.ServiceUnavailableException;
 import com.netscape.certsrv.base.UnauthorizedException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfo;
@@ -252,6 +255,8 @@ public class CertRequestService extends PKIService implements CertRequestResourc
         } catch (CADisabledException e) {
             CMS.debug("changeRequestState: CA disabled: " + e);
             throw new ConflictingOperationException(e.toString());
+        } catch (CAMissingCertException | CAMissingKeyException e) {
+            throw new ServiceUnavailableException(e.toString());
         } catch (EPropertyException e) {
             CMS.debug("changeRequestState: execution error " + e);
             throw new PKIException(CMS.getUserMessage(getLocale(headers),
author	Fraser Tweedale <ftweedal@redhat.com>	2016-03-16 16:48:43 +1100
committer	Fraser Tweedale <ftweedal@redhat.com>	2016-04-14 16:07:17 +1000
commit	8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39 (patch)
tree	be9830bd2da459a955050b240bfc10e52c010e8d /base/ca
parent	28bc4ed903bc9e2618390ec412602d889e28354b (diff)
download	pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.gz pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.tar.xz pki-8f93e60e0057b0706c5d5ad762d7ff7ce20b7b39.zip