authorFraser Tweedale <ftweedal@redhat.com>2015-10-08 01:09:22 -0400
committerFraser Tweedale <ftweedal@redhat.com>2016-02-22 16:48:34 -0500
commitda4ca36ef5e378f55259438b4f72491d0966e5e7 (patch)
tree598d0ae41123b7d31f8f4eb9356a0c75125b5424 /base/server/cms/src/com/netscape
parent754b15db85c22903b3f9b18742ab2649fc556ad3 (diff)
Lightweight CAs: enrol cert via profile subsystem
Enrol new CA certs via the profile subsystem to ensure that the usual audit events are logged and to avoid the nasty ConfigStore hack used to generate the cert via CertUtil. This commit also fixes an issue where the new CA certificate does not have the correct Authority Key Identifier extension. Fixes: https://fedorahosted.org/pki/ticket/1624 Fixes: https://fedorahosted.org/pki/ticket/1632
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java15
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java15
2 files changed, 24 insertions, 6 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
index d74a285f3..2b608259f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
@@ -37,6 +37,17 @@ public class CertEnrollmentRequestFactory {
throws EProfileException {
IArgBlock params = cmsReq.getHttpParams();
+ CertEnrollmentRequest request = create(params, profile, locale);
+
+ HttpServletRequest httpRequest = cmsReq.getHttpReq();
+ request.setRemoteHost(httpRequest.getRemoteHost());
+ request.setRemoteAddr(httpRequest.getRemoteAddr());
+
+ return request;
+ }
+
+ public static CertEnrollmentRequest create(IArgBlock params, IProfile profile, Locale locale)
+ throws EProfileException {
CertEnrollmentRequest request = new CertEnrollmentRequest();
request.setProfileId(profile.getId());
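Review bot: The new `create(IArgBlock, IProfile, Locale)` builds a request whose remote host and address are never populated — only the `CMSRequest` overload above it copies them from the servlet request — so any caller that uses the new entry point directly (presumably the lightweight-CA path the commit message describes) gets a request with null `remoteHost`/`remoteAddr`. If those fields feed the audit records the commit message mentions, such entries will lack client attribution; that may be acceptable for internally generated enrollments, but the contract should be stated on the method. Suggested Javadoc: `/** Builds the request from raw parameters only; remote host/addr are not set and must be filled in by the caller when a client connection is known. */`. The enclosing `CMSRequest` overload begins above this hunk.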
@@ -48,10 +59,6 @@ public class CertEnrollmentRequestFactory {
request.addInput(addInput);
}
- HttpServletRequest httpRequest = cmsReq.getHttpReq();
- request.setRemoteHost(httpRequest.getRemoteHost());
- request.setRemoteAddr(httpRequest.getRemoteAddr());
-
return request;
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index dadd34cfe..3e92d5948 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -83,6 +83,15 @@ public class EnrollmentProcessor extends CertProcessor {
}
+ public HashMap<String, Object> processEnrollment(
+ CertEnrollmentRequest data,
+ HttpServletRequest request,
+ AuthorityID aid,
+ AuthCredentials credentials)
+ throws EBaseException {
+ return processEnrollment(data, request, aid, credentials, null);
+ }
+
/**
* Process the HTTP request
* <P>
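Review bot: The new five-argument `processEnrollment` overload has no Javadoc, and because it sits immediately above the existing `Process the HTTP request` comment block a reader may take that comment to describe it rather than the six-argument form below. A one-line comment on the overload would remove the ambiguity: `/** Convenience overload that performs authentication from {@code credentials}; see the six-argument form. */`. The delegation itself (`null` for the token) is complete within the hunk.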
@@ -104,7 +113,8 @@ public class EnrollmentProcessor extends CertProcessor {
CertEnrollmentRequest data,
HttpServletRequest request,
AuthorityID aid,
- AuthCredentials credentials)
+ AuthCredentials credentials,
+ IAuthToken authToken)
throws EBaseException {
try {
@@ -153,7 +163,8 @@ public class EnrollmentProcessor extends CertProcessor {
CMS.debug("EnrollmentProcessor: set sslClientCertProvider");
// before creating the request, authenticate the request
- IAuthToken authToken = authenticate(request, null, authenticator, context, false, credentials);
+ if (authToken == null)
+ authToken = authenticate(request, null, authenticator, context, false, credentials);
// authentication success, now authorize
authorize(profileId, profile, authToken);
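Review bot: The `if (authToken == null)` guard at the end of the hunk means any non-null `authToken` handed in by a caller skips `authenticate()` entirely, so the new six-argument `processEnrollment` is in effect a "trust the caller's authentication" entry point, and whether the authentication audit event normally emitted on that path is also skipped for pre-authenticated callers cannot be told from this hunk and is worth confirming. Nothing in the signature says this, so the contract belongs on the `authToken` parameter in the Javadoc of the six-argument form (signature in the preceding hunk, `@@ -104,7 +113,8`): `@param authToken token from an authentication that has already completed, or {@code null} to authenticate here from {@code credentials}; a non-null token bypasses authentication in this method and must only be supplied by trusted internal callers`. Keeping the six-argument form off any servlet-reachable path, or narrowing its visibility if the project layout allows, would reduce the chance of it being reached with an unverified token. The enclosing method starts outside this hunk.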