| author | Endi S. Dewata <edewata@redhat.com> | 2016-05-12 20:30:56 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-05-13 16:53:30 +0200 |
| commit | 882bd048dbe01d3b879dc450d2eab7b0a3f0c2ba (patch) | |
| tree | 560e44818bd451a854d6772a0df9ba5cadabc60b /base/server/cms/src/com | |
| parent | b932140728e34eb6f986646690a69d494c341ff7 (diff) | |
Added log messages for pre-op mode.
To help with troubleshooting, the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
Diffstat (limited to 'base/server/cms/src/com')
4 files changed, 35 insertions, 29 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index bdf3f5e9c..4f14f4c40 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -19,15 +19,6 @@ package com.netscape.cms.authorization;
 import java.util.Enumeration;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPModificationSet;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-
 import com.netscape.certsrv.acls.ACL;
 import com.netscape.certsrv.acls.EACLsException;
 import com.netscape.certsrv.apps.CMS;
@@ -43,6 +34,15 @@ import com.netscape.certsrv.ldap.ELdapException;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
 import com.netscape.certsrv.logging.ILogger;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPModificationSet;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
+
 /**
 * A class for ldap acls based authorization manager
 * The ldap server used for acls is the cms internal ldap db.
@@ -139,8 +139,11 @@ public class DirAclAuthz extends AAclAuthz
 @SuppressWarnings("unused")
 String hostname = ldapConfig.getString("ldapconn.host"); // check for errors
 } catch (EBaseException e) {
- if (CMS.isPreOpMode())
+ CMS.debug(e);
+ if (CMS.isPreOpMode()) {
+ CMS.debug("DirAclAuthz.init(): Swallow exception in pre-op mode");
 return;
+ }
 }
 mLdapConnFactory = CMS.getLdapBoundConnFactory("DirAclAuthz");
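Review bot: In the catch block of the last DirAclAuthz hunk, an EBaseException raised outside pre-op mode is recorded only by `CMS.debug(e)` and execution then falls through to `CMS.getLdapBoundConnFactory("DirAclAuthz")`, so a broken `ldapconn.host` setting in the authorization manager is visible only in the debug log. For a component that makes access decisions this failure should be reported at a level operators monitor (ILogger is already imported in this file) or propagated; if init() declares EBaseException, which is not visible here, adding `throw e;` after the pre-op `if` block would do it. In pre-op mode the method now returns before `mLdapConnFactory` is assigned, so it is worth a comment such as `// pre-op: ACL store not configured yet, manager stays uninitialised` to make that state explicit. init() begins and ends outside the hunk.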
diff --git a/base/server/cms/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java b/base/server/cms/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java
index 07cc3b956..bc41d1bcb 100644
--- a/base/server/cms/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java
+++ b/base/server/cms/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java
@@ -20,11 +20,6 @@ package com.netscape.cms.policy.constraints;
 import java.util.Locale;
 import java.util.Vector;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.ICertAuthority;
 import com.netscape.certsrv.base.EBaseException;
@@ -40,6 +35,11 @@ import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.certsrv.security.ISigningUnit;
 import com.netscape.cms.policy.APolicyRule;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
 * This simple policy checks the subordinate CA CSR to see
 * if it is the same as the local CA.
@@ -104,6 +104,7 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli
 mCA = (ICertificateAuthority) certAuthority;
 ISigningUnit su = mCA.getSigningUnit();
 if (su == null || CMS.isPreOpMode()) {
+ CMS.debug("SubCANameConstraints.init(): Abort due to missing signing unit or in pre-op mode");
 return;
 }
diff --git a/base/server/cms/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java b/base/server/cms/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java
index d7e058bf8..1a2220239 100644
--- a/base/server/cms/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java
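Review bot: The message added in SubCANameConstraints.init() reports "missing signing unit or in pre-op mode" without saying which of the two conditions held, and the same applies to the lines added in AuthorityKeyIdentifierExt.init() and BasicConstraintsExt.init(). A missing signing unit, CA certificate or certificate chain on a running CA is a misconfiguration that leaves the policy rule uninitialised (how the rule then treats requests is outside these hunks), whereas pre-op mode is expected, so the log should tell them apart, e.g. `CMS.debug("SubCANameConstraints.init(): Abort: signing unit " + (su == null ? "missing" : "present") + ", pre-op mode: " + CMS.isPreOpMode());`. The spelling also differs between "pre-op mode" here and "pre-op-mode" in the other two files, which makes the messages harder to search for. Each init() starts and ends outside its hunk.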
+++ b/base/server/cms/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java
@@ -22,14 +22,6 @@ import java.security.cert.CertificateException;
 import java.util.Locale;
 import java.util.Vector;
-import netscape.security.x509.AuthorityKeyIdentifierExtension;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.KeyIdentifier;
-import netscape.security.x509.SubjectKeyIdentifierExtension;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.ICertAuthority;
 import com.netscape.certsrv.base.EBaseException;
@@ -44,6 +36,14 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
+import netscape.security.x509.AuthorityKeyIdentifierExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.KeyIdentifier;
+import netscape.security.x509.SubjectKeyIdentifierExtension;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
 * Authority Public Key Extension Policy
 * Adds the subject public key id extension to certificates.
@@ -163,6 +163,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule
 //X509Certificate caCert = caChain.getFirstCertificate();
 X509CertImpl caCert = certAuthority.getCACert();
 if (caCert == null || CMS.isPreOpMode()) {
+ CMS.debug("AuthorityKeyIdentifierExt.init(): Abort due to missing CA certificate or in pre-op-mode");
 return;
 }
 KeyIdentifier keyId = formKeyIdentifier(caCert);
diff --git a/base/server/cms/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java b/base/server/cms/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java
index eeee26994..5c05d86d9 100644
--- a/base/server/cms/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java
+++ b/base/server/cms/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java
@@ -23,12 +23,6 @@ import java.security.cert.X509Certificate;
 import java.util.Locale;
 import java.util.Vector;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.ICertAuthority;
 import com.netscape.certsrv.base.EBaseException;
@@ -46,6 +40,12 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X509CertInfo;
+
 /**
 * Basic Constraints policy.
 * Adds the Basic constraints extension.
@@ -121,6 +121,7 @@ public class BasicConstraintsExt extends APolicyRule
 } else {
 CertificateChain caChain = certAuthority.getCACertChain();
 if (caChain == null || CMS.isPreOpMode()) {
+ CMS.debug("BasicConstraintsExt.init(): Abort due to missing CA certificate chain or in pre-op-mode");
 return;
 }
 X509Certificate caCert = caChain.getFirstCertificate(); |
