author | Matthew Harmsen <mharmsen@redhat.com> | 2015-06-17 18:36:20 -0600 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-06-17 21:58:33 -0600 |
commit | ce50ced9c842f6232bf136ba77233f05e95c80b7 (patch) | |
tree | f65bbc28f2c496f72fde8380343405c85cd00c90 /base/server/cms/src/com/netscape/cms | |
parent | aaeb8ade5604b14ff9a704aed372177a26d28d04 (diff) | |
Fix for HSM cloning issue
Diffstat (limited to 'base/server/cms/src/com/netscape/cms')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 5bad42d8e..ce9e3bf49 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1155,6 +1155,45 @@ public class ConfigurationUtils {
 }
 }
+ /* We need to import the audit signing cert and CA signing cert to the soft token in order to
+ * correctly set the trust permissions.
+ */
+ public static void importAndSetCertPermissionsFromHSM() throws EBaseException, NotInitializedException,
+ IOException, CertificateEncodingException, NicknameConflictException, UserCertConflictException,
+ NoSuchItemOnTokenException, TokenException {
+
+ CryptoManager cm = CryptoManager.getInstance();
+ IConfigStore cs = CMS.getConfigStore();
+
+ // nickname has no token prepended to it, so no need to strip
+ String nickname = cs.getString("preop.master.audit_signing.nickname");
+ String cstype = cs.getString("cs.type", "");
+ cstype = cstype.toLowerCase();
+
+ //audit signing cert
+ String certStr = cs.getString(cstype + ".audit_signing.cert");
+ byte[] cert = CryptoUtil.base64Decode(certStr);
+ X509Certificate xcert = cm.importUserCACertPackage(cert, nickname);
+
+ InternalCertificate icert = (InternalCertificate) xcert;
+ icert.setObjectSigningTrust(InternalCertificate.USER
+ | InternalCertificate.VALID_PEER
+ | InternalCertificate.TRUSTED_PEER);
+
+ // ca signing cert
+ if (cstype.equals("ca")) {
+ // nickname has no token prepended to it, so no need to strip
+ nickname = cs.getString("preop.master.signing.nickname");
+ certStr = cs.getString(cstype + ".signing.cert");
+ cert = CryptoUtil.base64Decode(certStr);
+ xcert = cm.importUserCACertPackage(cert, nickname);
+ icert = (InternalCertificate) xcert;
+ icert.setSSLTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.TRUSTED_CLIENT_CA
+ | InternalCertificate.VALID_CA);
+ }
+ }
+
 private static boolean importRequired(ArrayList<String> masterList, String nickname) {
 if (masterList.contains(nickname))
 return true; |
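Review bot: The two `(InternalCertificate) xcert` casts in importAndSetCertPermissionsFromHSM are unchecked; `importUserCACertPackage` is declared to return `X509Certificate`, so if the import does not land on the internal (soft) token the method dies with a ClassCastException instead of a declared error. A guard before each cast, `if (!(xcert instanceof InternalCertificate)) throw new TokenException("certificate " + nickname + " was not imported to the internal token");`, turns that into one of the exceptions the signature already declares. The method also grants object-signing and CA trust purely from the base64 blobs in `<cstype>.audit_signing.cert` and `<cstype>.signing.cert` without checking that they correspond to the HSM keys named by `preop.master.*.nickname`; if that is by design, the header comment should state it, e.g. `/* Trust flags are taken solely from the cert blobs in the config store, which is assumed to be populated only by the master during cloning. */`. Finally, `cstype.toLowerCase()` should pass `Locale.ROOT` so the `equals("ca")` comparison does not depend on the JVM default locale.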