author | Endi S. Dewata <edewata@redhat.com> | 2015-05-21 23:48:41 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-05-22 18:17:33 -0400 |
commit | e7c6b5ea5a109da2a2385aeb616825082c2ddd60 (patch) | |
tree | 93e71ff4657842cdc01bfa2aac3498b379176e06 /base/server/cms/src/org/dogtagpki/server | |
parent | 8c2fb0b89be2216f91d9e250850a27e40e4dbd7f (diff) | |
download | pki-e7c6b5ea5a109da2a2385aeb616825082c2ddd60.tar.gz pki-e7c6b5ea5a109da2a2385aeb616825082c2ddd60.tar.xz pki-e7c6b5ea5a109da2a2385aeb616825082c2ddd60.zip |
Fixed key archival problem in CLI with separate KRA instance.
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java | 113 |
1 files changed, 83 insertions, 30 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
index 02f9004ec..e4bb09cc2 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
@@ -19,25 +19,28 @@ package org.dogtagpki.server.rest;
 import java.net.URI;
-import java.security.cert.CertificateEncodingException;
+import java.security.Principal;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
+
+import netscape.security.x509.X509CertImpl;
 import org.jboss.resteasy.plugins.providers.atom.Link;
+import org.mozilla.jss.crypto.X509Certificate;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.security.ITransportKeyUnit;
+import com.netscape.certsrv.system.KRAConnectorInfo;
 import com.netscape.certsrv.system.SystemCertResource;
+import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
 import com.netscape.cms.servlet.base.PKIService;
+import com.netscape.cmsutil.util.Utils;
 /**
 * This is the class used to list, retrieve and modify system certificates for all Java subsystems.
@@ -47,26 +50,52 @@ import com.netscape.cms.servlet.base.PKIService;
 */
 public class SystemCertService extends PKIService implements SystemCertResource {
- @Context
- private UriInfo uriInfo;
+ /**
+ * Used to retrieve the transport certificate
+ */
+ public Response getTransportCert() {
+
+ try {
+ IConfigStore cs = CMS.getConfigStore();
+ String type = cs.getString("cs.type");
+
+ CertData certData;
+ if ("CA".equals(type)) {
+ certData = getTransportCertFromCA();
- @Context
- private HttpHeaders headers;
+ } else if ("KRA".equals(type)) {
+ certData = getTransportCertFromKRA();
- @Context
- private Request request;
+ } else {
+ throw new ResourceNotFoundException("Transport certificate not available in " + type);
+ }
+
+ URI uri = uriInfo.getRequestUri();
+ certData.setLink(new Link("self", uri));
- @Context
- private HttpServletRequest servletRequest;
+ return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, certData, request);
- public SystemCertService() {
- CMS.debug("SystemCertService.<init>()");
+ } catch (PKIException e) {
+ throw e;
+
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException(e);
+ }
 }
- /**
- * Used to retrieve the transport certificate
- */
- public Response getTransportCert() {
+ public CertData getTransportCertFromCA() throws Exception {
+ KRAConnectorProcessor processor = new KRAConnectorProcessor(getLocale(headers));
+ KRAConnectorInfo info = processor.getConnectorInfo();
+ String encodedCert = info.getTransportCert();
+
+ byte[] bytes = Utils.base64decode(encodedCert);
+ X509CertImpl cert = new X509CertImpl(bytes);
+
+ return createCertificateData(cert);
+ }
+
+ public CertData getTransportCertFromKRA() throws Exception {
 IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
 if (kra == null) {
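Review bot: In the new getTransportCertFromCA(), nothing checks that `processor.getConnectorInfo()` or `info.getTransportCert()` actually yielded a value before the result goes into `Utils.base64decode` and `new X509CertImpl`; a CA with no KRA connector configured would presumably fail with a NullPointerException or a decoding error, which the outer `catch (Exception e)` in getTransportCert() turns into a generic `PKIException(e)` instead of the ResourceNotFoundException the other branch uses for "no transport certificate here". A guard such as `if (encodedCert == null) throw new ResourceNotFoundException("Transport certificate not available from KRA connector");` before the decode keeps the two cases consistent and stops a configuration gap from being reported as a server fault. As a point of style, getTransportCertFromCA() and getTransportCertFromKRA() are `public` on a JAX-RS resource class although only getTransportCert() belongs to SystemCertResource; `private` (or `protected`) would make the intended surface explicit. The `uriInfo`, `headers` and `request` fields removed here are still referenced, so they must now be supplied by PKIService, which this hunk does not show. getTransportCertFromKRA() continues past the end of the hunk.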
@@ -80,24 +109,48 @@ public class SystemCertService extends PKIService implements SystemCertResource
 throw new PKIException("No transport key unit.");
 }
- org.mozilla.jss.crypto.X509Certificate transportCert = tu.getCertificate();
+ X509Certificate transportCert = tu.getCertificate();
 if (transportCert == null) {
 CMS.debug("getTransportCert: transport cert is null");
 throw new PKIException("Transport cert not found.");
 }
- try {
- CertData cert = createCertificateData(transportCert);
+ return createCertificateData(transportCert);
+ }
- URI uri = uriInfo.getRequestUri();
- cert.setLink(new Link("self", uri));
+ public CertData createCertificateData(X509CertImpl cert) throws Exception {
- return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, cert, request);
+ CertData data = new CertData();
- } catch (CertificateEncodingException e) {
- CMS.debug(e);
- throw new PKIException("Unable to encode transport cert");
- }
+ data.setSerialNumber(new CertId(cert.getSerialNumber()));
+
+ Principal issuerDN = cert.getIssuerDN();
+ if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
+
+ Principal subjectDN = cert.getSubjectDN();
+ if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+ String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+ data.setEncoded(b64);
+
+ return data;
 }
+ public CertData createCertificateData(X509Certificate cert) throws Exception {
+
+ CertData data = new CertData();
+
+ data.setSerialNumber(new CertId(cert.getSerialNumber()));
+
+ Principal issuerDN = cert.getIssuerDN();
+ if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
+
+ Principal subjectDN = cert.getSubjectDN();
+ if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+ String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+ data.setEncoded(b64);
+
+ return data;
+ }
 }
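Review bot: The two createCertificateData overloads added in this hunk have identical bodies that differ only in the parameter type, so any later change to the serial/DN handling or the PEM framing (`CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER`) has to be made in two places. Since the commit already constructs an X509CertImpl from DER bytes, the JSS overload can delegate instead: `return createCertificateData(new X509CertImpl(cert.getEncoded()));`, leaving a single implementation. Both overloads also declare `throws Exception` where the removed code handled `CertificateEncodingException` with a fixed message; whatever escapes is wrapped by getTransportCert() as `new PKIException(e)`, and depending on how PKIException builds its message (not visible here) that may pass internal exception text through to the REST client, so narrowing the declared exception or keeping a fixed message such as the old `"Unable to encode transport cert"` would be the safer choice.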