| author | Endi S. Dewata <edewata@redhat.com> | 2015-11-07 00:09:19 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2015-11-25 00:26:21 +0100 |
| commit | 20c985ae773b26f653cac6d22bd9d93923e18c8e (patch) | |
| tree | d10cf2d40b0434e35c0214700f26d4998db6778c /base/server/cms/src | |
| parent | ec9c68d68eabff3784fcf6dabf2c6745734b3c9c (diff) | |
Added mechanism to import existing CA certificate.
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import a CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
Diffstat (limited to 'base/server/cms/src')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 101 | ||||
| -rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 38 |
2 files changed, 135 insertions, 4 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 88118adf8..91dad159b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -126,6 +126,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.MetaInfo;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -133,6 +134,8 @@ import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.PKIConnection;
 import com.netscape.certsrv.dbs.IDBSubsystem;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
 import com.netscape.certsrv.key.KeyData;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
@@ -2248,6 +2251,54 @@ public class ConfigurationUtils { certObj.setCertChain(certChainStr); } + public static KeyPair loadKeyPair(String nickname) throws Exception { + + CMS.debug("ConfigurationUtils: loadKeyPair(" + nickname + ")"); + + CryptoManager cm = CryptoManager.getInstance(); + + X509Certificate cert = cm.findCertByNickname(nickname); + PublicKey publicKey = cert.getPublicKey(); + PrivateKey privateKey = cm.findPrivKeyByCert(cert); + + return new KeyPair(publicKey, privateKey); + } + + public static void storeKeyPair(IConfigStore config, String tag, KeyPair pair) + throws TokenException, EBaseException { + + CMS.debug("ConfigurationUtils: storeKeyPair(" + tag + ")"); + + PublicKey publicKey = pair.getPublic(); + + if (publicKey instanceof RSAPublicKey) { + + RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey; + + byte modulus[] = rsaPublicKey.getModulus().toByteArray(); + config.putString(PCERT_PREFIX + tag + ".pubkey.modulus", + CryptoUtil.byte2string(modulus)); + + byte exponent[] = rsaPublicKey.getPublicExponent().toByteArray(); + config.putString(PCERT_PREFIX + tag + ".pubkey.exponent", + CryptoUtil.byte2string(exponent)); + + } else { // ECC + + CMS.debug("ConfigurationUtils: Public key class: " + publicKey.getClass().getName()); + byte encoded[] = publicKey.getEncoded(); + config.putString(PCERT_PREFIX + tag + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); + } + + PrivateKey privateKey = (PrivateKey) pair.getPrivate(); + byte id[] = privateKey.getUniqueID(); + String kid = CryptoUtil.byte2string(id); + config.putString(PCERT_PREFIX + tag + ".privkey.id", kid); + + String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm"); + setSigningAlgorithm(tag, keyAlgo, config); + } + public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { 
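Review bot: `storeKeyPair` narrows `pair.getPrivate()` to the token `PrivateKey` type unconditionally, so a `KeyPair` that did not come from `loadKeyPair` (any software key) fails with a bare ClassCastException that does not name the tag; a guard such as `if (!(pair.getPrivate() instanceof PrivateKey)) throw new EBaseException("Private key for " + tag + " is not a token key");` placed before the cast makes the failure actionable. The `else` branch treats every non-RSA public key as EC (the `// ECC` comment), but since it only stores the encoded form, a comment saying that any non-RSA key is stored encoded would be more accurate than naming one algorithm. Both new methods declare `throws Exception`; `loadKeyPair` only needs the checked exceptions of the two `CryptoManager` lookups, and narrowing the clause would let the caller in SystemConfigService distinguish an unknown nickname from other failures. A short Javadoc on `storeKeyPair` listing the `PCERT_PREFIX + tag` keys it writes (`.pubkey.modulus`/`.pubkey.exponent` or `.pubkey.encoded`, and `.privkey.id`) would also document the configuration contract the rest of the deployment relies on.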
@@ -2812,6 +2863,20 @@ public class ConfigurationUtils { } } + public static void loadCertRequest(IConfigStore config, String tag, Cert cert) throws Exception { + + CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")"); + + String subjectDN = config.getString(PCERT_PREFIX + tag + ".dn"); + cert.setDN(subjectDN); + + String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem"); + String certreq = config.getString(subsystem + "." + tag + ".certreq"); + String formattedCertreq = CryptoUtil.reqFormat(certreq); + + cert.setRequest(formattedCertreq); + } + public static void handleCertRequest(IConfigStore config, String certTag, Cert cert) throws EPropertyNotFound, EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, IOException { 
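Review bot: The debug prefix in `loadCertRequest` is `"ConfigurationUtils.loadCertRequest("`, while the sibling methods added in this commit (`loadKeyPair`, `storeKeyPair`, `loadCert`) use the `"ConfigurationUtils: name("` form; `CMS.debug("ConfigurationUtils: loadCertRequest(" + tag + ")");` keeps log grepping consistent. The method has no documentation of the configuration it reads; a two-line Javadoc stating that it populates `cert` from `PCERT_PREFIX + tag + ".dn"` and from `<subsystem>.<tag>.certreq` (resolved through `PCERT_PREFIX + tag + ".subsystem"`) would make the dependency on a CSR generated before the server started explicit. As with the other additions, `throws Exception` is broader than the `EBaseException` family the config lookups actually raise.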
@@ -2953,6 +3018,42 @@ public class ConfigurationUtils { return pubk; } + public static void loadCert(IConfigStore config, Cert cert) throws Exception { + + String tag = cert.getCertTag(); + CMS.debug("ConfigurationUtils: loadCert(" + tag + ")"); + + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate x509Cert = cm.findCertByNickname(cert.getNickname()); + + if (!x509Cert.getSubjectDN().equals(x509Cert.getIssuerDN())) { + CMS.debug("ConfigurationUtils: " + tag + " cert is not self-signed"); + + String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem"); + String certChain = config.getString(subsystem + ".external_ca_chain.cert"); + cert.setCertChain(certChain); + + return; + } + + CMS.debug("ConfigurationUtils: " + tag + " cert is self-signed"); + + // When importing existing self-signed CA certificate, create a + // certificate record to reserve the serial number. Otherwise it + // might conflict with system certificates to be created later. + + X509CertImpl x509CertImpl = new X509CertImpl(x509Cert.getEncoded()); + + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID); + ICertificateRepository cr = ca.getCertificateRepository(); + + BigInteger serialNo = x509Cert.getSerialNumber(); + MetaInfo meta = new MetaInfo(); + + ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta); + cr.addCertificateRecord(record); + } + public static int handleCerts(Cert cert) throws IOException, EBaseException, CertificateException, NotInitializedException, TokenException, InvalidKeyException { String certTag = cert.getCertTag(); diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index a0138681a..697196a6e 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java 
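Review bot: The self-signed test in `loadCert` compares only the subject and issuer names, so a certificate that merely names itself as issuer is treated as self-signed without checking that it carries its own signature, and in the other branch the `external_ca_chain.cert` value is attached to `cert` without confirming it chains to `x509Cert`. Once `x509CertImpl` has been built from the encoding it can verify itself, e.g. `x509CertImpl.verify(x509CertImpl.getPublicKey());` before the record is created, and the chain branch should at least carry a comment that no chain validation happens here. `cr.addCertificateRecord(record)` also runs on every (re-)configuration; if a record for `serialNo` already exists this presumably fails rather than being treated as already reserved, so a lookup by serial number before the add, or explicit handling of the duplicate case, would make the step idempotent. The `equals` on two `Principal` values may be a string comparison in the JSS implementation, so equivalent DNs with different encodings could compare unequal; worth a `// NOTE` on that line.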
@@ -20,6 +20,7 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; import java.net.URL; +import java.security.KeyPair; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.util.ArrayList; @@ -420,7 +421,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } cs.commit(false); - if (!request.getStepTwo()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + // load key pair for existing and externally-signed signing cert + CMS.debug("SystemConfigService: loading signing cert key pair"); + KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname()); + ConfigurationUtils.storeKeyPair(cs, tag, pair); + + } else if (!request.getStepTwo()) { if (keytype.equals("ecc")) { String curvename = certData.getKeyCurveName() != null ? certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); @@ -443,7 +450,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem")); cert.setType(cs.getString("preop.cert." + tag + ".type")); - if (!request.getStepTwo()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + + // update configuration for existing or externally-signed signing certificate + String certStr = cs.getString("ca." + tag + ".cert" ); + cert.setCert(certStr); + CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); + ConfigurationUtils.updateConfig(cs, tag); + + } else if (!request.getStepTwo()) { ConfigurationUtils.configCert(null, null, null, cert); } else { 
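Review bot: The guard `request.isExternal() && tag.equals("signing")` is written out four times in this file (twice in these hunks and twice in the hunks at -465 and -489), each with the same `// external/existing CA` comment; computing it once per loop iteration, `boolean externalSigningCert = request.isExternal() && tag.equals("signing");`, would keep the four branches in step when the condition changes. The enclosing loop and method begin outside the hunk. In the second hunk the certificate is read from the hard-coded key `"ca." + tag + ".cert"` while the line above resolves the subsystem from `preop.cert.<tag>.subsystem`; if `isExternal()` can ever be set for another subsystem that also has a `signing` tag (OCSP does), this lookup would miss, so `cs.getString(cs.getString("preop.cert." + tag + ".subsystem") + "." + tag + ".cert")` would match how `loadCert` and `loadCertRequest` resolve their keys. There is also a stray space in `".cert" )`.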
@@ -465,8 +480,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); } - // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) - if (request.getStandAlone()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + + CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); + ConfigurationUtils.loadCertRequest(cs, tag, cert); + + CMS.debug("SystemConfigService: Loading cert " + tag); + ConfigurationUtils.loadCert(cs, cert); + + } else if (request.getStandAlone()) { + // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) if (!request.getStepTwo()) { // Stand-alone PKI (Step 1) ConfigurationUtils.handleCertRequest(cs, tag, cert); @@ -489,6 +512,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.updateCloneConfig(); } + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + CMS.debug("SystemConfigService: External CA has signing cert"); + hasSigningCert.setValue(true); + certs.add(cert); + continue; + } + // to determine if we have the signing cert when using an external ca // this will only execute on a ca or stand-alone pki String b64 = certData.getCert(); |
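Review bot: The comment `// Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)` has been moved inside the `else if (request.getStandAlone())` branch, where it now describes the opposite of the branch it sits in; either drop it or reword it to `// Stand-alone PKI: create the request here (step 1) or pick up the signed cert (step 2)`. In the last hunk the external-CA branch sets `hasSigningCert`, adds the cert and `continue`s past the rest of the loop body; a one-line comment naming what is skipped (the `certData.getCert()` inspection that follows) would help the next reader, since that loop body continues outside the hunk.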
