author | Christina Fu <cfu@redhat.com> | 2014-10-15 10:30:31 -0700 |
committer | Christina Fu <cfu@redhat.com> | 2014-10-23 11:01:23 -0700 |
commit | 5bbd06e6e77729c63d65b77445f71f63ea0cdd1f (patch) | |
tree | 5c580f2390ef5d9dc164a161e6b82a025dbd2184 /base/ca | |
parent | 223c483d1bc6b3425a86439f73bcf5031a2af4d6 (diff) | |
Bug1151147 issuerDN encoding correction
Diffstat (limited to 'base/ca')
-rw-r--r-- | base/ca/src/com/netscape/ca/CAService.java | 13 | ||||
-rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthority.java | 39 |
2 files changed, 49 insertions, 3 deletions
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 19778505e..6edaf2ade 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -821,8 +821,17 @@ public class CAService implements ICAService, IService {
 }
 try {
- certi.set(X509CertInfo.ISSUER,
- new CertificateIssuerName(mCA.getX500Name()));
+ if (mCA.getIssuerObj() != null) {
+ // this ensures the isserDN has the same encoding as the
+ // subjectDN of the CA signing cert
+ CMS.debug("CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding");
+ certi.set(X509CertInfo.ISSUER,
+ mCA.getIssuerObj());
+ } else {
+ CMS.debug("CAService: issueX509Cert: mCA.getIssuerObj() is null, creating new CertificateIssuerName");
+ certi.set(X509CertInfo.ISSUER,
+ new CertificateIssuerName(mCA.getX500Name()));
+ }
 } catch (CertificateException e) {
 mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString()));
 throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid));
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 73ce6dfe4..65296113e 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -43,6 +43,8 @@ import netscape.security.util.DerOutputStream;
 import netscape.security.util.DerValue;
 import netscape.security.x509.AlgorithmId;
 import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSubjectName;
 import netscape.security.x509.CertificateVersion;
 import netscape.security.x509.X500Name;
 import netscape.security.x509.X509CRLImpl;
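Review bot: The else branch of the CAService hunk silently reinstates the behaviour this commit is meant to fix: when `mCA.getIssuerObj()` is null the issuer is rebuilt from `mCA.getX500Name()`, so the issued certificate's issuer field may not byte-match the CA certificate's subject, and relying parties that compare names by encoding will fail to build the chain — yet only a `CMS.debug` records that this path was taken. Consider logging the fallback through the CA's audit/system log (the hunk shows `mCA.log(ILogger.LL_FAILURE, ...)` in the catch; a warning-level call of the same form would fit) so operators can see why chaining fails. Minor: `mCA.getIssuerObj()` is evaluated twice — hoist it into a local such as `CertificateIssuerName issuer = mCA.getIssuerObj();` and branch on that — and the comment typo `isserDN` should read `issuerDN` (the same typo recurs in the CertificateAuthority hunks). issueX509Cert's body begins and ends outside the hunk.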
@@ -143,6 +145,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 protected SigningUnit mOCSPSigningUnit;
 protected SigningUnit mCRLSigningUnit;
+ protected CertificateIssuerName mIssuerObj = null;
+ protected CertificateSubjectName mSubjectObj = null;
 protected X500Name mName = null;
 protected X500Name mCRLName = null;
 protected X500Name mOCSPName = null;
@@ -888,6 +892,14 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 return mName;
 }
+ public CertificateIssuerName getIssuerObj() {
+ return mIssuerObj;
+ }
+
+ public CertificateSubjectName getSubjectObj() {
+ return mSubjectObj;
+ }
+
 public X500Name getCRLX500Name() {
 return mCRLName;
 }
@@ -1199,6 +1211,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 IConfigStore caSigningCfg = mConfig.getSubStore(PROP_SIGNING_SUBSTORE);
+ String caSigningCertStr = caSigningCfg.getString("cert", "");
+ if (caSigningCertStr.equals("")) {
+ CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found");
+ } else { //ca cert found
+ CMS.debug("CertificateAuthority:initSigUnit: ca cert found");
+ mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
+ // this ensures the isserDN and subjectDN have the same encoding
+ // as that of the CA signing cert
+ CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj");
+ mSubjectObj = mCaCert.getSubjectObj();
+ // this mIssuerObj is the "issuerDN" obj for the certs this CA
+ // issues, NOT necessarily the isserDN obj of the CA signing cert
+ mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+ }
+
 mSigningUnit.init(this, caSigningCfg);
 CMS.debug("CA signing unit inited");
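Review bot: In the `@@ -1199` hunk `mSubjectObj.get(CertificateIssuerName.DN_NAME)` is dereferenced with no null check, while the parallel code in the `@@ -1295` hunk guards the very same call with `if (mSubjectObj != null)`; if `getSubjectObj()` can return null (the later hunk evidently assumes it can), initSigUnit fails with a NullPointerException while parsing the configured `cert` value instead of taking the CAService fallback. Make the two sites consistent — `if (mSubjectObj != null) { mIssuerObj = new CertificateIssuerName(...); }` here too — or better, move the duplicated "derive mSubjectObj/mIssuerObj from mCaCert" logic into one private helper both hunks call. Using `CertificateIssuerName.DN_NAME` as the key for a `CertificateSubjectName` presumably relies on the two classes sharing the same attribute name; `CertificateSubjectName.DN_NAME`, if it exists in this fork, would make the intent explicit. Style: `caSigningCertStr.equals("")` reads better as `caSigningCertStr.isEmpty()`. The enclosing method begins and ends outside the hunk.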
@@ -1295,11 +1322,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 }
 mOCSPCertChain = new CertificateChain(ocspImplchain);
 CMS.debug("in init - got OCSP chain from JSS.");
- // init issuer name - take name from the cert.
 mCaX509Cert = mSigningUnit.getCert();
 mCaCert = new X509CertImpl(mCaX509Cert.getEncoded());
 getCASigningAlgorithms();
+ mSubjectObj = mCaCert.getSubjectObj();
+ if (mSubjectObj != null) {
+ // this ensures the isserDN and subjectDN have the same encoding
+ // as that of the CA signing cert
+ CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj");
+ // this mIssuerObj is the "issuerDN" obj for the certs this CA
+ // issues, NOT necessarily the isserDN obj of the CA signing cert
+ // unless the CA is self-signed
+ mIssuerObj =
+ new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+ }
 mName = (X500Name) mCaCert.getSubjectDN();
 mCRLX509Cert = mCRLSigningUnit.getCert();
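Review bot: When `mSubjectObj` is null here, `mIssuerObj` is left at whatever the earlier `@@ -1199` hunk assigned from the cert string in the config store, so issued certificates could carry an issuer derived from a stale configured cert rather than from the signing unit's cert that `mSigningUnit.getCert()` just returned; an explicit `} else { mIssuerObj = null; CMS.debug("CertificateAuthority: initSigUnit - CA cert has no subject object, issuer obj cleared"); }` would make CAService take its documented fallback instead. The added comment asserts that the issuer DN keeps the signing cert's encoding, but the code constructs a new `CertificateIssuerName` from the extracted `X500Name`, so this holds only if `X500Name` retains the original DER it was parsed from — worth stating that assumption in the comment, since the whole fix depends on it. The `isserDN` typo recurs twice in the new comments. The enclosing method begins before and ends after this hunk.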