diff options
| author | Christina Fu <cfu@redhat.com> | 2017-05-19 11:55:14 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2017-05-22 09:39:55 -0700 |
| commit | 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb (patch) | |
| tree | 7c47fc7fe49d48c2a442bb386fc4372b2d630842 /base/java-tools/src/com/netscape/cmstools | |
| parent | 62841380c6400023cf973e273ab974352885fabd (diff) | |
| download | pki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.tar.gz pki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.tar.xz pki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.zip | |
Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools')
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java index 6e27cb100..9c4140304 100644 --- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java @@ -2014,10 +2014,12 @@ public class CMCRequest { certname.append(tokenName); certname.append(":"); } - certname.append(nickname); - signerCert = cm.findCertByNickname(certname.toString()); - if (signerCert != null) { - System.out.println("got signerCert: "+ certname.toString()); + if (!selfSign.equals("true") && nickname != null) { + certname.append(nickname); + signerCert = cm.findCertByNickname(certname.toString()); + if (signerCert != null) { + System.out.println("got signerCert: "+ certname.toString()); + } } ContentInfo cmcblob = null; @@ -2239,11 +2241,11 @@ public class CMCRequest { // sign the request SignedData signedData = null; if (selfSign.equalsIgnoreCase("true")) { - // selfSign signes with private key + // selfSign signs with private key System.out.println("selfSign is true..."); signedData = signData(privk, pkidata); } else { - // none selfSign signes with existing cert + // none selfSign signs with existing cert System.out.println("selfSign is false..."); signedData = signData(signerCert, tokenName, nickname, cm, pkidata); } |