diff options
author | Matthew Harmsen <mharmsen@redhat.com> | 2015-05-22 18:15:31 -0600 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-05-22 19:00:00 -0600 |
commit | 0bf9c6bc326de463f7ec35efb0ae448419ec579a (patch) | |
tree | 3126cd5d552311e67e045c2951c25dfe2249f744 /base/server/cms | |
parent | c6d781ee897deb213411f6caba9ae8a1770af732 (diff) | |
download | pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.tar.gz pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.tar.xz pki-0bf9c6bc326de463f7ec35efb0ae448419ec579a.zip |
disable backup keys and share master keys when using an HSM
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
HSM (and provide recommendation); allow clones to share keys
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index c341d14f7..3e7ea5b75 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -1116,6 +1116,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou if (data.getP12Password() == null) { throw new BadRequestException("P12 password not provided"); } + } else { + if (data.getP12File() != null) { + throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys"); + } + + if (data.getP12Password() != null) { + throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys"); + } } } else { data.setClone("false"); @@ -1177,6 +1185,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } if ((data.getBackupKeys() != null) && data.getBackupKeys().equals("true")) { + if (! data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) { + throw new BadRequestException("HSMs cannot publish private keys to PKCS #12 files"); + } + if ((data.getBackupFile() == null) || (data.getBackupFile().length()<=0)) { //TODO: also check for valid path, perhaps by touching file there throw new BadRequestException("Invalid key backup file name"); |