| author | Endi S. Dewata <edewata@redhat.com> | 2016-06-15 04:00:27 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-06-15 18:22:39 +0200 |
| commit | 293d57ab40ed6af0a39a4db5ec45ecc6c691029b (patch) | |
| tree | 9c4239de28066ecf128dc166a77ead1600c1658b /base/server/cms/src | |
| parent | 41aef5254c20301851716ef46b614d185b33a87b (diff) | |
Refactored SystemConfigService.processCerts().
To simplify future enhancements the code that processes each
certificate in SystemConfigService.processCerts() has been moved
into a separate method.
Diffstat (limited to 'base/server/cms/src')
| -rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 276 |
1 files changed, 148 insertions, 128 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 3720116b9..6fc37b5ee 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -382,169 +382,189 @@ public class SystemConfigService extends PKIService implements SystemConfigResou continue; } - String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa"; - - String keyalgorithm = certData.getKeyAlgorithm(); - if (keyalgorithm == null) { - keyalgorithm = keytype.equals("ecc") ? "SHA256withEC" : "SHA256withRSA"; - } + processCert( + request, + token, + certList, + certs, + hasSigningCert, + certData, + tokenName); + } - String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm; - String nickname = cs.getString("preop.cert." + tag + ".nickname"); - String dn = cs.getString("preop.cert." + tag + ".dn"); + // make sure to commit changes here for step 1 + cs.commit(false); - cs.putString("preop.cert." + tag + ".keytype", keytype); - cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm); - cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm); + } catch (NumberFormatException e) { + // move these validations to validate()? 
+ throw new BadRequestException("Non-integer value for key size"); - // support injecting SAN into server cert - if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { - CMS.debug("updateConfiguration(): san_server_cert found"); - cs.putString("service.injectSAN", "true"); - cs.putString("service.sslserver.san", certData.getServerCertSAN()); - } else { - if ( tag.equals("sslserver")) - CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); - } - cs.commit(false); + } catch (NoSuchAlgorithmException e) { + throw new BadRequestException("Invalid algorithm " + e); - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - // load key pair for existing and externally-signed signing cert - CMS.debug("SystemConfigService: loading signing cert key pair"); - KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken()); - ConfigurationUtils.storeKeyPair(cs, tag, pair); + } catch (PKIException e) { + throw e; - } else if (!request.getStepTwo()) { - if (keytype.equals("ecc")) { - String curvename = certData.getKeyCurveName() != null ? - certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); - cs.putString("preop.cert." + tag + ".curvename.name", curvename); - ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); + } catch (Exception e) { + CMS.debug(e); + throw new PKIException("Error in setting certificate names and key sizes: " + e); + } + } - } else { - String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs - .getString("keys.rsa.keysize.default"); - cs.putString("preop.cert." 
+ tag + ".keysize.size", keysize); - ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); - } + public void processCert( + ConfigurationRequest request, + String token, + Collection<String> certList, + Collection<Cert> certs, + MutableBoolean hasSigningCert, + SystemCertData certData, + String tokenName) throws Exception { + + String tag = certData.getTag(); + String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa"; + + String keyalgorithm = certData.getKeyAlgorithm(); + if (keyalgorithm == null) { + keyalgorithm = keytype.equals("ecc") ? "SHA256withEC" : "SHA256withRSA"; + } - } else { - CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'"); - } + String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm; + String nickname = cs.getString("preop.cert." + tag + ".nickname"); + String dn = cs.getString("preop.cert." + tag + ".dn"); - Cert cert = new Cert(tokenName, nickname, tag); - cert.setDN(dn); - cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem")); - cert.setType(cs.getString("preop.cert." + tag + ".type")); + cs.putString("preop.cert." + tag + ".keytype", keytype); + cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm); + cs.putString("preop.cert." 
+ tag + ".signingalgorithm", signingalgorithm); - if (request.isExternal() && tag.equals("signing")) { // external/existing CA + // support injecting SAN into server cert + if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { + CMS.debug("updateConfiguration(): san_server_cert found"); + cs.putString("service.injectSAN", "true"); + cs.putString("service.sslserver.san", certData.getServerCertSAN()); + } else { + if ( tag.equals("sslserver")) + CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); + } + cs.commit(false); - // update configuration for existing or externally-signed signing certificate - String certStr = cs.getString("ca." + tag + ".cert" ); - cert.setCert(certStr); - CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); - ConfigurationUtils.updateConfig(cs, tag); + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + // load key pair for existing and externally-signed signing cert + CMS.debug("SystemConfigService: loading signing cert key pair"); + KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken()); + ConfigurationUtils.storeKeyPair(cs, tag, pair); - } else if (!request.getStepTwo()) { - ConfigurationUtils.configCert(null, null, null, cert); + } else if (!request.getStepTwo()) { + if (keytype.equals("ecc")) { + String curvename = certData.getKeyCurveName() != null ? + certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); + cs.putString("preop.cert." + tag + ".curvename.name", curvename); + ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); - } else { - String subsystem = cs.getString("preop.cert." + tag + ".subsystem"); - String certStr; + } else { + String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs + .getString("keys.rsa.keysize.default"); + cs.putString("preop.cert." 
+ tag + ".keysize.size", keysize); + ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); + } - if (request.getStandAlone()) { - // Stand-alone PKI (Step 2) - certStr = certData.getCert(); - certStr = CryptoUtil.stripCertBrackets(certStr.trim()); - certStr = CryptoUtil.normalizeCertStr(certStr); - cs.putString(subsystem + "." + tag + ".cert", certStr); + } else { + CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'"); + } - } else { - certStr = cs.getString(subsystem + "." + tag + ".cert" ); - } + Cert cert = new Cert(tokenName, nickname, tag); + cert.setDN(dn); + cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem")); + cert.setType(cs.getString("preop.cert." + tag + ".type")); - cert.setCert(certStr); - CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); - } + if (request.isExternal() && tag.equals("signing")) { // external/existing CA - if (request.isExternal() && tag.equals("signing")) { // external/existing CA + // update configuration for existing or externally-signed signing certificate + String certStr = cs.getString("ca." + tag + ".cert" ); + cert.setCert(certStr); + CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); + ConfigurationUtils.updateConfig(cs, tag); - CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); - ConfigurationUtils.loadCertRequest(cs, tag, cert); + } else if (!request.getStepTwo()) { + ConfigurationUtils.configCert(null, null, null, cert); - CMS.debug("SystemConfigService: Loading cert " + tag); - ConfigurationUtils.loadCert(cs, cert); + } else { + String subsystem = cs.getString("preop.cert." 
+ tag + ".subsystem"); + String certStr; - } else if (request.getStandAlone()) { - // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) - if (!request.getStepTwo()) { - // Stand-alone PKI (Step 1) - ConfigurationUtils.generateCertRequest(cs, tag, cert); + if (request.getStandAlone()) { + // Stand-alone PKI (Step 2) + certStr = certData.getCert(); + certStr = CryptoUtil.stripCertBrackets(certStr.trim()); + certStr = CryptoUtil.normalizeCertStr(certStr); + cs.putString(subsystem + "." + tag + ".cert", certStr); - CMS.debug("Stand-alone " + csType + " Admin CSR"); - String adminSubjectDN = request.getAdminSubjectDN(); - String certreqStr = request.getAdminCertRequest(); - certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr); + } else { + certStr = cs.getString(subsystem + "." + tag + ".cert" ); + } - cs.putString("preop.cert.admin.dn", adminSubjectDN); - cs.putString(csSubsystem + ".admin.certreq", certreqStr); - cs.putString(csSubsystem + ".admin.cert", "...paste certificate here..."); - } + cert.setCert(certStr); + CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); + } - } else { - ConfigurationUtils.generateCertRequest(cs, tag, cert); - } + if (request.isExternal() && tag.equals("signing")) { // external/existing CA - if (request.isClone()) { - ConfigurationUtils.updateCloneConfig(); - } + CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); + ConfigurationUtils.loadCertRequest(cs, tag, cert); - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - CMS.debug("SystemConfigService: External CA has signing cert"); - hasSigningCert.setValue(true); - certs.add(cert); - continue; - } + CMS.debug("SystemConfigService: Loading cert " + tag); + ConfigurationUtils.loadCert(cs, cert); - // to determine if we have the signing cert when using an external ca - // this will only execute on a ca or stand-alone pki - String b64 = certData.getCert(); - if ((tag.equals("signing") || 
tag.equals("external_signing")) && b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - hasSigningCert.setValue(true); + } else if (request.getStandAlone()) { + // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) + if (!request.getStepTwo()) { + // Stand-alone PKI (Step 1) + ConfigurationUtils.generateCertRequest(cs, tag, cert); - if (request.getIssuingCA().equals("External CA")) { - b64 = CryptoUtil.stripCertBrackets(b64.trim()); - cert.setCert(CryptoUtil.normalizeCertStr(b64)); + CMS.debug("Stand-alone " + csType + " Admin CSR"); + String adminSubjectDN = request.getAdminSubjectDN(); + String certreqStr = request.getAdminCertRequest(); + certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr); - if (certData.getCertChain() != null) { - cert.setCertChain(certData.getCertChain()); + cs.putString("preop.cert.admin.dn", adminSubjectDN); + cs.putString(csSubsystem + ".admin.certreq", certreqStr); + cs.putString(csSubsystem + ".admin.cert", "...paste certificate here..."); + } - } else { - throw new BadRequestException("CertChain not provided"); - } - } - } + } else { + ConfigurationUtils.generateCertRequest(cs, tag, cert); + } - certs.add(cert); - } + if (request.isClone()) { + ConfigurationUtils.updateCloneConfig(); + } - // make sure to commit changes here for step 1 - cs.commit(false); + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + CMS.debug("SystemConfigService: External CA has signing cert"); + hasSigningCert.setValue(true); + certs.add(cert); + return; + } - } catch (NumberFormatException e) { - // move these validations to validate()? 
- throw new BadRequestException("Non-integer value for key size"); + // to determine if we have the signing cert when using an external ca + // this will only execute on a ca or stand-alone pki + String b64 = certData.getCert(); + if ((tag.equals("signing") || tag.equals("external_signing")) && b64 != null && b64.length() > 0 && !b64.startsWith("...")) { + hasSigningCert.setValue(true); - } catch (NoSuchAlgorithmException e) { - throw new BadRequestException("Invalid algorithm " + e); + if (request.getIssuingCA().equals("External CA")) { + b64 = CryptoUtil.stripCertBrackets(b64.trim()); + cert.setCert(CryptoUtil.normalizeCertStr(b64)); - } catch (PKIException e) { - throw e; + if (certData.getCertChain() != null) { + cert.setCertChain(certData.getCertChain()); - } catch (Exception e) { - CMS.debug(e); - throw new PKIException("Error in setting certificate names and key sizes: " + e); + } else { + throw new BadRequestException("CertChain not provided"); + } + } } + + certs.add(cert); } private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException, |
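Review bot: The extracted `processCert` is declared `public` on a JAX-RS resource class although its only caller is the loop in `processCerts` in this hunk; it should be `private void processCert(...)` so the refactor does not widen the class's surface — it carries no JAX-RS annotation, so it should not be routed to today, but leaving it public invites that later. Separately, the caller's `catch (NumberFormatException e)` only establishes that `keysize` parses as an integer; nothing in this hunk bounds it, so a request carrying `"512"` reaches `ConfigurationUtils.createRSAKeyPair` unless validate() (not shown) rejects it, and a lower-bound check next to the parse such as `if (size < 2048) throw new BadRequestException("RSA key size must be at least 2048 bits: " + size);` would make the rejection explicit. In the stand-alone step-2 branch `certData.getCert()` is dereferenced via `certStr.trim()` without a null check, and `request.getIssuingCA().equals("External CA")` is not null-safe (`"External CA".equals(request.getIssuingCA())` is), so both a missing cert and a missing issuer surface as the generic "Error in setting certificate names and key sizes" PKIException rather than a BadRequestException naming the missing field. The hunk ends at the signature of `updateCloneConfiguration`, whose body is outside it.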
