authorEndi S. Dewata <edewata@redhat.com>2016-08-29 08:33:05 +0200
committerAde Lee <alee@redhat.com>2016-09-02 11:16:47 -0400
commitbc65e12500cbc3381b4e755a4a50214f43049ad3 (patch)
tree17e1307b8eab94dddd9a9f4775e642d4d8a3def5 /base/server/cms/src
parent1195ee9d6e45783d238edc1799363c21590febce (diff)
Added support to create system certificates in different tokens.
Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token. https://fedorahosted.org/pki/ticket/2449
Diffstat (limited to 'base/server/cms/src')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java18
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java9
2 files changed, 14 insertions, 13 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index cdb284495..f6e125c4f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
}
config.putString(subsystem + "." + certTag + ".nickname", nickname);
- config.putString(subsystem + "." + certTag + ".tokenname", token);
+
if (certTag.equals("audit_signing")) {
if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
config.putString("log.instance.SignedAudit.signedAuditCertNickname",
@@ -3325,14 +3325,15 @@ public class ConfigurationUtils {
return 0;
}
- public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
+ public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
ObjectNotFoundException, TokenException {
+
+ String tag = cert.getCertTag();
if (tag.equals("signing") || tag.equals("external_signing"))
return;
- IConfigStore cs = CMS.getConfigStore();
- String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
- String tokenname = cs.getString("preop.module.token", "");
+ String nickname = cert.getNickname();
+ String tokenname = cert.getTokenname();
if (!tokenname.equals("Internal Key Storage Token"))
nickname = tokenname + ":" + nickname;
@@ -4554,9 +4555,11 @@ public class ConfigurationUtils {
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
TokenException, CertificateEncodingException, IOException {
+
IConfigStore cs = CMS.getConfigStore();
- String nickname = cs.getString("preop.cert.subsystem.nickname", "");
- String tokenname = cs.getString("preop.module.token", "");
+ String subsystem = cs.getString("cs.type").toLowerCase();
+ String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
+ String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
&& !tokenname.equals("")) {
@@ -4571,6 +4574,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
return null;
}
+
byte[] bytes = cert.getEncoded();
String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
return s;
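Review bot: In the setCertPermissions hunk the token check at `if (!tokenname.equals("Internal Key Storage Token"))` only recognises the long internal-token name, while the getSubsystemCert hunk in the same file treats `"internal"` and `""` as internal too; now that the token name comes per-certificate from `cert.getTokenname()` (populated from the pki_<cert>_token values configuration.py writes to CS.cfg), an `"internal"` or empty value would yield a nickname such as `internal:<nick>` or `:<nick>` and the permission lookup would presumably fail. It is also not visible whether `Cert.getTokenname()` can return null, whereas the old `cs.getString(..., "")` never did, so a null guard is cheap insurance. I would align the two call sites: `if (tokenname != null && !tokenname.isEmpty() && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))` followed by the existing `nickname = tokenname + ":" + nickname;`. The body of setCertPermissions continues past the end of the hunk, so any later use of tokenname there should get the same treatment.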
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 9d7c176ec..5cc6f63dc 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
try {
CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
ret = ConfigurationUtils.handleCerts(cert);
- ConfigurationUtils.setCertPermissions(cert.getCertTag());
+ ConfigurationUtils.setCertPermissions(cert);
CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
} catch (Exception e) {
CMS.debug(e);
@@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
processCert(
request,
- token,
certList,
certs,
hasSigningCert,
@@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
public void processCert(
ConfigurationRequest request,
- String token,
Collection<String> certList,
Collection<Cert> certs,
MutableBoolean hasSigningCert,
@@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
String curvename = certData.getKeyCurveName() != null ?
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+ ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
} else {
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
.getString("keys.rsa.keysize.default");
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+ ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
}
} else {
@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
- cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());