author | Endi S. Dewata <edewata@redhat.com> | 2017-06-29 08:15:26 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-07-05 23:41:20 +0200 |
commit | c39cc840b5c2f322cee88ab94e53d20a8e3bfad0 (patch) | |
tree | e56c6a8ba788aeba04c918f5ac9613851133babb /base/server/cms | |
parent | 7524be0fb18304d2562059a82607da0fdd9a2f1d (diff) | |
Refactored CertUtil.importExternalCert().
The code for importing an external cert into the NSS database has been
moved into CertUtil.importExternalCert().
https://pagure.io/dogtagpki/issue/2280
Change-Id: Icb347943fc432ad97105229c14768822b070d99f
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 45 | ||||
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 80 |
2 files changed, 62 insertions, 63 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index c2f87bb83..827b71a2a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -856,4 +856,49 @@ public class CertUtil {
 CryptoUtil.importUserCertificate(impl, nickname, false);
 }
 }
+
+ public static void importExternalCert(
+ String tag,
+ String tokenname,
+ String nickname,
+ byte[] cert,
+ byte[] certChain
+ ) throws Exception {
+
+ CMS.debug("CertUtil.importExternalCert(" + tag + ")");
+
+ if (tag.equals("sslserver") && findBootstrapServerCert()) {
+ CMS.debug("CertUtil: deleting temporary SSL server cert");
+ deleteBootstrapServerCert();
+ }
+
+ if (findCertificate(tokenname, nickname)) {
+ CMS.debug("CertUtil: deleting existing " + tag + " cert");
+ deleteCert(tokenname, nickname);
+ }
+
+ if (certChain != null) {
+ CMS.debug("CertUtil: importing cert chain for " + tag + " cert");
+ CryptoUtil.importCertificateChain(certChain);
+ }
+
+ CMS.debug("CertUtil: importing " + tag + " cert");
+
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate x509cert = cm.importCertPackage(cert, nickname);
+
+ CMS.debug("CertUtil: trusting cert: " + x509cert.getSubjectDN());
+ CryptoUtil.trustCertByNickname(nickname);
+
+ X509Certificate[] certs = cm.buildCertificateChain(x509cert);
+ CMS.debug("CertUtil: cert chain:");
+ for (X509Certificate c : certs) {
+ CMS.debug("ConfigurationUtils: - " + c.getSubjectDN());
+ }
+
+ X509Certificate rootCert = certs[certs.length - 1];
+ CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN());
+
+ CryptoUtil.trustRootCert(rootCert);
+ }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 97a4bc3a8..510518571 100644
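Review bot: The null/empty guard on the built chain was lost in the move — the removed handleCerts code checked `certchains != null` and raised `leaf is null`, while the new importExternalCert dereferences `certs` in the for loop and in `certs[certs.length - 1]` directly, so a failed `buildCertificateChain` now surfaces as a NullPointerException or ArrayIndexOutOfBoundsException instead of a meaningful error; add `if (certs == null || certs.length == 0) { throw new IOException("Unable to build certificate chain for " + tag + " cert"); }` before the loop, as the removed code did. Because the last element of that chain is then given root trust via `trustRootCert`, it is also worth confirming that the chosen element is a self-signed issuer and not the imported end-entity cert itself — I cannot tell from here whether the chain builder can return a one-element array. The loop's log prefix `"ConfigurationUtils: - "` is stale in CertUtil and should read `"CertUtil: - "`. The new public method has no Javadoc; a short comment stating that it replaces any existing cert under `nickname` (and the bootstrap SSL server cert for tag `sslserver`), imports `certChain` when non-null, and marks the last element of the built chain as a trusted root would help callers.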
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -296,7 +296,9 @@ public class ConfigurationUtils {
 }
 cs.commit(false);
- CryptoUtil.importCertificateChain(certchain);
+
+ byte[] bytes = CryptoUtil.base64Decode(certchain);
+ CryptoUtil.importCertificateChain(bytes);
 } else {
 throw new IOException("importCertChain: Security Domain response does not contain certificate chain");
@@ -3241,74 +3243,26 @@ public class ConfigurationUtils {
 } else if (cert.getType().equals("remote")) {
- CMS.debug("handleCerts(): processing remote cert");
-
- if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
-
- CMS.debug("handleCerts(): deleting existing cert");
- String b64chain = cert.getCertChain();
-
- try {
- if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
- CertUtil.deleteBootstrapServerCert();
- if (CertUtil.findCertificate(tokenname, nickname)) {
- CertUtil.deleteCert(tokenname, nickname);
- }
- } catch (Exception e) {
- CMS.debug(e);
- }
-
- CMS.debug("handleCerts(): importing new cert");
- b64 = CryptoUtil.stripCertBrackets(b64.trim());
- String certs = CryptoUtil.normalizeCertStr(b64);
- byte[] certb = CryptoUtil.base64Decode(certs);
-
- config.putString(subsystem + "." + certTag + ".cert", certs);
- try {
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate x509cert = cm.importCertPackage(certb, nickname);
- CryptoUtil.trustCertByNickname(nickname);
-
- X509Certificate[] certchains = cm.buildCertificateChain(x509cert);
- X509Certificate leaf = null;
-
- if (certchains != null) {
- CMS.debug("handleCerts(): certchains length=" + certchains.length);
- leaf = certchains[certchains.length - 1];
- }
-
- if (leaf == null) {
- CMS.debug("handleCerts(): leaf is null!");
- throw new IOException("leaf is null");
- }
+ if (b64 == null || b64.length() == 0 || b64.startsWith("...")) {
+ throw new PKIException("Missing certificate data for " + certTag + " cert");
+ }
- if (b64chain != null && b64chain.length() != 0) {
- CMS.debug("handlecerts: cert might not have contained chain...calling importCertificateChain: "
- + b64chain);
- try {
- CryptoUtil.importCertificateChain(CryptoUtil.normalizeCertAndReq(b64chain));
- } catch (Exception e) {
- CMS.debug("handleCerts(): importCertChain: Exception: " + e.toString());
- }
- }
+ b64 = CryptoUtil.stripCertBrackets(b64.trim());
+ String strCert = CryptoUtil.normalizeCertStr(b64);
+ byte[] binCert = CryptoUtil.base64Decode(strCert);
- InternalCertificate icert = (InternalCertificate) leaf;
+ config.putString(subsystem + "." + certTag + ".cert", strCert);
- icert.setSSLTrust(
- InternalCertificate.TRUSTED_CA
- | InternalCertificate.TRUSTED_CLIENT_CA
- | InternalCertificate.VALID_CA);
- CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag);
- } catch (Exception ee) {
- ee.printStackTrace();
- CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString());
- }
+ String strStrChain = cert.getCertChain();
+ byte[] binCertChain = null;
- } else {
- CMS.debug("handleCerts(): b64 not set");
- throw new PKIException("Missing " + certTag + " certificate to import");
+ if (strStrChain != null && strStrChain.length() != 0) {
+ strStrChain = CryptoUtil.normalizeCertAndReq(strStrChain);
+ binCertChain = CryptoUtil.base64Decode(strStrChain);
 }
+ CertUtil.importExternalCert(certTag, tokenname, nickname, binCert, binCertChain);
+
 } else {
 b64 = CryptoUtil.stripCertBrackets(b64.trim());
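Review bot: `config.putString(subsystem + "." + certTag + ".cert", strCert)` now runs before `CertUtil.importExternalCert(...)`, and since the old try/catch around the import is gone, a failed import leaves the config carrying a cert that was never installed in the NSS database; unless a later rollback covers this (not visible here), move the `config.putString(...)` line after the `importExternalCert` call so the stored value reflects a successful import. The remaining points are stylistic: `strStrChain` is a confusing name next to `strCert`/`binCert` — `strCertChain` follows the same pattern — and `b64.length() == 0` reads better as `b64.isEmpty()`. The enclosing handleCerts method starts and ends outside this hunk.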