diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-13 09:00:44 +1000 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-06-05 18:59:30 +0200 |
| commit | cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7 (patch) | |
| tree | 1d51d87f1e09df6592a928e5bf66a8d0b1f4f25a /base/server/cms/src | |
| parent | 45c26ba97095a82bb91a12e0427fdb14cbe77699 (diff) | |
| download | pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.tar.gz pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.tar.xz pki-cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7.zip | |
Lightweight CAs: add method to renew certificate
Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert. The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.
Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.
The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities/<id>/renew.
Fixes: https://fedorahosted.org/pki/ticket/2327
Diffstat (limited to 'base/server/cms/src')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java index 8efa9162a..206d23a5d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java @@ -19,6 +19,7 @@ package com.netscape.cms.servlet.cert; import java.math.BigInteger; import java.security.cert.X509Certificate; +import java.security.Principal; import java.util.ArrayList; import java.util.Date; import java.util.Enumeration; @@ -51,6 +52,7 @@ import com.netscape.certsrv.registry.IPluginInfo; import com.netscape.certsrv.registry.IPluginRegistry; import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.input.SerialNumRenewInput; +import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.profile.SSLClientCertProvider; @@ -265,7 +267,12 @@ public class RenewalProcessor extends CertProcessor { context.put("origSubjectDN", origSubjectDN); // before creating the request, authenticate the request - IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials); + IAuthToken authToken = null; + Principal principal = request.getUserPrincipal(); + if (principal instanceof PKIPrincipal) + authToken = ((PKIPrincipal) principal).getAuthToken(); + if (authToken == null) + authToken = authenticate(request, origReq, authenticator, context, true, credentials); // authentication success, now authorize authorize(profileId, renewProfile, authToken); |