authorEndi S. Dewata <edewata@redhat.com>2015-05-21 23:48:41 -0400
committerEndi S. Dewata <edewata@redhat.com>2015-05-22 18:17:33 -0400
commite7c6b5ea5a109da2a2385aeb616825082c2ddd60 (patch)
tree93e71ff4657842cdc01bfa2aac3498b379176e06 /base/server/cms
parent8c2fb0b89be2216f91d9e250850a27e40e4dbd7f (diff)
Fixed key archival problem in CLI with separate KRA instance.
The CLI has been modified such that, when enrolling a certificate with key archival, it will obtain the transport certificate from the CA instead of from the KRA, because the KRA may not reside on the same instance. The CA REST service has been modified such that it will obtain the transport certificate from the KRA connector. https://fedorahosted.org/pki/ticket/1384
Diffstat (limited to 'base/server/cms')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java37
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java113
2 files changed, 96 insertions, 54 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index 2fe78bf2a..4ebf075cb 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -19,14 +19,13 @@ package com.netscape.cms.servlet.base;
import java.lang.reflect.Method;
import java.net.URI;
-import java.security.Principal;
-import java.security.cert.CertificateEncodingException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.FormParam;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Context;
@@ -36,11 +35,10 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.UriInfo;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.PKIException;
-import com.netscape.certsrv.cert.CertData;
-import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.logging.IAuditor;
import com.netscape.certsrv.logging.ILogger;
@@ -65,7 +63,17 @@ public class PKIService {
public final static int DEFAULT_SIZE = 20;
@Context
- private HttpHeaders headers;
+ protected UriInfo uriInfo;
+
+ @Context
+ protected HttpHeaders headers;
+
+ @Context
+ protected Request request;
+
+ @Context
+ protected HttpServletRequest servletRequest;
+
public ILogger logger = CMS.getLogger();
public IAuditor auditor = CMS.getAuditor();
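Review bot: The four `@Context` fields are widened to `protected` and are read directly by subclasses (`uriInfo`, `headers` and `request` are used from SystemCertService in this same commit), but the hunk adds no documentation of what they are or when they are valid. A one-line Javadoc above the group, e.g. `/** Per-request JAX-RS context, injected by the container before each resource method; not set by the constructor. */`, would tell a subclass author not to touch them from a constructor or field initializer. The rest of the PKIService class is outside this hunk.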
@@ -169,25 +177,6 @@ public class PKIService {
return builder.build();
}
- public CertData createCertificateData(org.mozilla.jss.crypto.X509Certificate cert)
- throws CertificateEncodingException {
-
- CertData data = new CertData();
-
- data.setSerialNumber(new CertId(cert.getSerialNumber()));
-
- Principal issuerDN = cert.getIssuerDN();
- if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
-
- Principal subjectDN = cert.getSubjectDN();
- if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
-
- String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
- data.setEncoded(b64);
-
- return data;
- }
-
public Locale getLocale(HttpHeaders headers) {
if (headers == null) return Locale.getDefault();
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
index 02f9004ec..e4bb09cc2 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
@@ -19,25 +19,28 @@
package org.dogtagpki.server.rest;
import java.net.URI;
-import java.security.cert.CertificateEncodingException;
+import java.security.Principal;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
+
+import netscape.security.x509.X509CertImpl;
import org.jboss.resteasy.plugins.providers.atom.Link;
+import org.mozilla.jss.crypto.X509Certificate;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceNotFoundException;
import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.security.ITransportKeyUnit;
+import com.netscape.certsrv.system.KRAConnectorInfo;
import com.netscape.certsrv.system.SystemCertResource;
+import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
import com.netscape.cms.servlet.base.PKIService;
+import com.netscape.cmsutil.util.Utils;
/**
* This is the class used to list, retrieve and modify system certificates for all Java subsystems.
@@ -47,26 +50,52 @@ import com.netscape.cms.servlet.base.PKIService;
*/
public class SystemCertService extends PKIService implements SystemCertResource {
- @Context
- private UriInfo uriInfo;
+ /**
+ * Used to retrieve the transport certificate
+ */
+ public Response getTransportCert() {
+
+ try {
+ IConfigStore cs = CMS.getConfigStore();
+ String type = cs.getString("cs.type");
+
+ CertData certData;
+ if ("CA".equals(type)) {
+ certData = getTransportCertFromCA();
- @Context
- private HttpHeaders headers;
+ } else if ("KRA".equals(type)) {
+ certData = getTransportCertFromKRA();
- @Context
- private Request request;
+ } else {
+ throw new ResourceNotFoundException("Transport certificate not available in " + type);
+ }
+
+ URI uri = uriInfo.getRequestUri();
+ certData.setLink(new Link("self", uri));
- @Context
- private HttpServletRequest servletRequest;
+ return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, certData, request);
- public SystemCertService() {
- CMS.debug("SystemCertService.<init>()");
+ } catch (PKIException e) {
+ throw e;
+
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException(e);
+ }
}
- /**
- * Used to retrieve the transport certificate
- */
- public Response getTransportCert() {
+ public CertData getTransportCertFromCA() throws Exception {
+ KRAConnectorProcessor processor = new KRAConnectorProcessor(getLocale(headers));
+ KRAConnectorInfo info = processor.getConnectorInfo();
+ String encodedCert = info.getTransportCert();
+
+ byte[] bytes = Utils.base64decode(encodedCert);
+ X509CertImpl cert = new X509CertImpl(bytes);
+
+ return createCertificateData(cert);
+ }
+
+ public CertData getTransportCertFromKRA() throws Exception {
IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
if (kra == null) {
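Review bot: `getTransportCertFromCA()` hands `info.getTransportCert()` straight to `Utils.base64decode()` with no null or empty check, so a CA whose KRA connector is not configured, or whose connector record carries no transport certificate, would presumably fail inside the decoder or the `X509CertImpl` constructor and be rewrapped by the outer `catch (Exception e)` in `getTransportCert()` as a generic `PKIException`, instead of the clear not-found error the `else` branch produces for other subsystem types. I would add `if (encodedCert == null || encodedCert.isEmpty()) throw new ResourceNotFoundException("Transport certificate not configured in KRA connector");` before the decode; what `getConnectorInfo()` returns for an unconfigured connector is not visible in this diff, so that wants confirming against KRAConnectorProcessor. Both new helpers also declare `throws Exception`, which hides from callers whether a failure is a configuration problem or an encoding problem; declaring the checked types actually thrown (the `X509CertImpl` constructor and `getEncoded()` throw `java.security.cert` exceptions) would keep that distinction. `getTransportCertFromKRA()` continues past the end of this hunk.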
@@ -80,24 +109,48 @@ public class SystemCertService extends PKIService implements SystemCertResource
throw new PKIException("No transport key unit.");
}
- org.mozilla.jss.crypto.X509Certificate transportCert = tu.getCertificate();
+ X509Certificate transportCert = tu.getCertificate();
if (transportCert == null) {
CMS.debug("getTransportCert: transport cert is null");
throw new PKIException("Transport cert not found.");
}
- try {
- CertData cert = createCertificateData(transportCert);
+ return createCertificateData(transportCert);
+ }
- URI uri = uriInfo.getRequestUri();
- cert.setLink(new Link("self", uri));
+ public CertData createCertificateData(X509CertImpl cert) throws Exception {
- return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, cert, request);
+ CertData data = new CertData();
- } catch (CertificateEncodingException e) {
- CMS.debug(e);
- throw new PKIException("Unable to encode transport cert");
- }
+ data.setSerialNumber(new CertId(cert.getSerialNumber()));
+
+ Principal issuerDN = cert.getIssuerDN();
+ if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
+
+ Principal subjectDN = cert.getSubjectDN();
+ if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+ String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+ data.setEncoded(b64);
+
+ return data;
}
+ public CertData createCertificateData(X509Certificate cert) throws Exception {
+
+ CertData data = new CertData();
+
+ data.setSerialNumber(new CertId(cert.getSerialNumber()));
+
+ Principal issuerDN = cert.getIssuerDN();
+ if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
+
+ Principal subjectDN = cert.getSubjectDN();
+ if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+ String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+ data.setEncoded(b64);
+
+ return data;
+ }
}
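Review bot: The two `createCertificateData` overloads at the end of this hunk are line-for-line copies of each other, differing only in the static type of `cert`, so any later change to the PEM framing or the DN handling has to be made twice and the two copies will drift. Both certificate types expose `getSerialNumber()`, `getIssuerDN()`, `getSubjectDN()` and `getEncoded()`, and the existing `new CertId(cert.getSerialNumber())` calls indicate both serial numbers are already accepted by the same `CertId` constructor (a `BigInteger` in both APIs, as far as I know), so the overloads can delegate to one private helper taking those four values; that helper needs `java.math.BigInteger` added to the import block. The helper's Javadoc should also record why two certificate types exist at all: the CA path decodes a `netscape.security.x509.X509CertImpl` from the KRA connector, while the KRA path receives a JSS certificate from the transport key unit.
```java
    public CertData createCertificateData(X509CertImpl cert) throws Exception {
        return createCertificateData(
                cert.getSerialNumber(), cert.getIssuerDN(), cert.getSubjectDN(), cert.getEncoded());
    }

    public CertData createCertificateData(X509Certificate cert) throws Exception {
        return createCertificateData(
                cert.getSerialNumber(), cert.getIssuerDN(), cert.getSubjectDN(), cert.getEncoded());
    }

    /**
     * Builds the REST representation shared by both certificate types: the CA path
     * decodes a netscape X509CertImpl obtained from the KRA connector, the KRA path
     * gets a JSS certificate from the transport key unit.
     */
    private CertData createCertificateData(
            BigInteger serialNumber, Principal issuerDN, Principal subjectDN, byte[] encoded) {

        CertData data = new CertData();
        data.setSerialNumber(new CertId(serialNumber));
        if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
        if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
        data.setEncoded(CertData.HEADER + "\n" + CMS.BtoA(encoded) + CertData.FOOTER);
        return data;
    }
```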