| author | Endi S. Dewata <edewata@redhat.com> | 2016-08-01 22:35:32 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-08-05 22:23:50 +0200 |
| commit | b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 (patch) | |
| tree | fd80f34ed91ffb38b9eedd3a0d65ec7d101e1468 /base/server/cms/src/com | |
| parent | da66600e8ae07fa4169d24909c7d04ed69d2906c (diff) | |
Fixed PKCS #12 import for cloning.
To fix the cloning issue in IPA, security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
Diffstat (limited to 'base/server/cms/src/com')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index fe65bb855..34948822b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -834,7 +834,8 @@ public class ConfigurationUtils {
 BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, InvalidBERException, IOException {
- // TODO: refactor into a PKCS #12 utility class
+ // TODO: The PKCS #12 file is already imported in security_database.py.
+ // This method should be removed.
 byte b[] = new byte[1000000];
 FileInputStream fis = new FileInputStream(p12File);
@@ -1109,10 +1110,14 @@ public class ConfigurationUtils {
 InternalCertificate icert = (InternalCertificate) xcert;
 if (isCASigningCert) {
- // we need to change the trust attribute to CT
+ // set trust flags to CT,C,C
 icert.setSSLTrust(InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA | InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
 } else if (isAuditSigningCert(name)) {
 icert.setObjectSigningTrust(InternalCertificate.USER |
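Review bot: The new setEmailTrust and setObjectSigningTrust calls in the second hunk hard-code the same CT,C,C flag set that the description says security_database.py now applies, so two independent code paths now decide what a cloned CA certificate is trusted for, and the replaced TODO in the first hunk does not say so; it should read something like `// TODO: The PKCS #12 file is already imported in security_database.py, which also sets the trust flags; keep the flags below (CT,C,C for CA, u,u,Pu for audit) in sync until this method is removed.` Without that, a reader of restoreCertsFromP12 alone cannot tell the values are a contract with the script and may change one side only. The `TRUSTED_CA | VALID_CA` expression is now repeated for email and object-signing trust and could be named once, e.g. `int caTrust = InternalCertificate.TRUSTED_CA | InternalCertificate.VALID_CA;`, which also makes the "C" flag visible at a glance. restoreCertsFromP12 starts before the first hunk and continues past the second, so how isCASigningCert is determined and the audit branch's flags are outside this review.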
