authorAde Lee <alee@redhat.com>2013-06-26 14:20:57 -0400
committerAde Lee <alee@redhat.com>2013-06-26 23:43:14 -0400
commite02ee210e3808fce149b4dd23e4d9fd35f03d755 (patch)
treea2335253bbc3f2a5a888fd9af17aed5b496a42c8 /base/common/src
parenta80cb95f655040d09ba1f91a56daf346ae9df411 (diff)
Make sure only the master keys and certs are imported.
The key import code was written for when there was only one subsystem per tomcat instance, and only one subsystem's certs and keys per p12 file. We need to ensure that only the master subsystem's keys and certs are imported. Otherwise, unpredictable behavior happens, like in Ticket 665.
Diffstat (limited to 'base/common/src')
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java32
1 files changed, 27 insertions, 5 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 99ccdf5be..893a95a89 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -71,6 +71,7 @@ import netscape.security.pkcs.PKCS7;
import netscape.security.pkcs.SignerInfo;
import netscape.security.x509.AlgorithmId;
import netscape.security.x509.CertificateChain;
+import netscape.security.x509.X500Name;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509Key;
@@ -970,12 +971,12 @@ public class ConfigurationUtils {
Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);
PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);
String nickname = (String) pkeyinfo_v.elementAt(1);
- if (! masterList.contains(nickname)) {
- // TODO - fix this to only import the keys that we need.
- CMS.debug("Ignoring " + nickname);
- // only import the master's system keys
- // continue;
+
+ if (! importRequired(masterList,nickname)) {
+ CMS.debug("Ignoring key " + nickname);
+ continue;
}
+
byte[] x509cert = getX509Cert(nickname, cert_collection);
X509Certificate cert = cm.importCACertPackage(x509cert);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
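Review bot: The call `importRequired(masterList,nickname)` drops the space after the comma that the neighbouring calls use (`getX509Cert(nickname, cert_collection)` two lines below); `if (! importRequired(masterList, nickname)) {` keeps the file's existing `! ` spacing. The new `continue` also skips the `getX509Cert` lookup and `importCACertPackage` for that nickname in this loop iteration, which matches the commit's intent but is worth stating in the debug line, e.g. `CMS.debug("Ignoring key and cert " + nickname);`, so a log reader does not assume the cert was still imported. The enclosing loop and method start and end outside the hunk.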
@@ -1053,6 +1054,27 @@ public class ConfigurationUtils {
}
}
+ private static boolean importRequired(ArrayList<String> masterList, String nickname) {
+ if (masterList.contains(nickname))
+ return true;
+ try {
+ X500Name xname = new X500Name(nickname);
+ for (String key: masterList) {
+ try {
+ X500Name xkey = new X500Name(key);
+ if (xkey.equals(xname)) return true;
+ } catch (IOException e) {
+ // xkey not an X500Name
+ }
+ }
+
+ } catch (IOException e) {
+ // nickname is not a x500Name
+ return false;
+ }
+ return false;
+ }
+
public static X509Certificate getX509CertFromToken(byte[] cert)
throws IOException, CertificateException, NotInitializedException {
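Review bot: importRequired has no Javadoc, and the fallback that compares nicknames as X500Names is not explained; a reader cannot tell from the hunk why `masterList.contains(nickname)` alone is not enough. A comment above the method should state that key nicknames read from the p12 may be distinguished-name strings rather than the nickname form held in masterList (presumably the reason for the DN path — confirm against how masterList is populated), and that an entry that fails to parse as a DN is skipped rather than treated as a match. The inner `catch (IOException e)` around `new X500Name(key)` swallows the parse failure with no trace; since the caller already reports skipped keys through `CMS.debug`, the same call here, `CMS.debug("importRequired: master entry " + key + " is not an X500Name, skipping");`, would make a silent non-match diagnosable when a key is unexpectedly ignored. Re-parsing every masterList entry for each key in the p12 is also avoidable by parsing the list once, though with lists this small that is only a point of style. The enclosing class continues outside the hunk.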