authorEndi S. Dewata <edewata@redhat.com>2017-06-29 08:15:26 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-05 23:41:20 +0200
commitc39cc840b5c2f322cee88ab94e53d20a8e3bfad0 (patch)
treee56c6a8ba788aeba04c918f5ac9613851133babb /base/server/cms
parent7524be0fb18304d2562059a82607da0fdd9a2f1d (diff)
Refactored CertUtil.importExternalCert().
The code for importing an external cert into the NSS database has been moved into CertUtil.importExternalCert(). https://pagure.io/dogtagpki/issue/2280 Change-Id: Icb347943fc432ad97105229c14768822b070d99f
Diffstat (limited to 'base/server/cms')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java45
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java80
2 files changed, 62 insertions, 63 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index c2f87bb83..827b71a2a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -856,4 +856,49 @@ public class CertUtil {
CryptoUtil.importUserCertificate(impl, nickname, false);
}
}
+
+ public static void importExternalCert(
+ String tag,
+ String tokenname,
+ String nickname,
+ byte[] cert,
+ byte[] certChain
+ ) throws Exception {
+
+ CMS.debug("CertUtil.importExternalCert(" + tag + ")");
+
+ if (tag.equals("sslserver") && findBootstrapServerCert()) {
+ CMS.debug("CertUtil: deleting temporary SSL server cert");
+ deleteBootstrapServerCert();
+ }
+
+ if (findCertificate(tokenname, nickname)) {
+ CMS.debug("CertUtil: deleting existing " + tag + " cert");
+ deleteCert(tokenname, nickname);
+ }
+
+ if (certChain != null) {
+ CMS.debug("CertUtil: importing cert chain for " + tag + " cert");
+ CryptoUtil.importCertificateChain(certChain);
+ }
+
+ CMS.debug("CertUtil: importing " + tag + " cert");
+
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate x509cert = cm.importCertPackage(cert, nickname);
+
+ CMS.debug("CertUtil: trusting cert: " + x509cert.getSubjectDN());
+ CryptoUtil.trustCertByNickname(nickname);
+
+ X509Certificate[] certs = cm.buildCertificateChain(x509cert);
+ CMS.debug("CertUtil: cert chain:");
+ for (X509Certificate c : certs) {
+ CMS.debug("ConfigurationUtils: - " + c.getSubjectDN());
+ }
+
+ X509Certificate rootCert = certs[certs.length - 1];
+ CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN());
+
+ CryptoUtil.trustRootCert(rootCert);
+ }
}
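Review bot: The last element of the array returned by `cm.buildCertificateChain(x509cert)` is handed to `CryptoUtil.trustRootCert(rootCert)` without checking that it is actually self-signed, and the array itself is no longer null-checked the way the removed handleCerts() code was (`if (certchains != null)` / `throw new IOException("leaf is null")`), so an incomplete chain either NPEs on `certs.length` or ends with an intermediate — or the imported leaf itself — being marked as a trusted CA in the NSS database. The removed code shows this trust is `TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA`, i.e. the top of the chain becomes a trust anchor for the whole server; trustRootCert() is not visible in this hunk, so I am assuming it grants the equivalent. I would reject an empty chain and compare issuer against subject before trusting; whether a non-self-signed top cert should fail the import or only be logged depends on whether existing deployments rely on an intermediate getting CA trust here, which this hunk does not show. Minor: the per-cert log line still carries the copy-pasted prefix `ConfigurationUtils: - ` and should read `CertUtil: - ` like its neighbours.
```java
        X509Certificate[] certs = cm.buildCertificateChain(x509cert);
        if (certs == null || certs.length == 0) {
            throw new IOException("Unable to build certificate chain for " + tag + " cert");
        }
        // … unchanged: chain debug logging …

        X509Certificate rootCert = certs[certs.length - 1];
        // Only a self-signed cert may become a trust anchor; an incomplete chain would
        // otherwise get an intermediate (or the leaf itself) marked as a trusted CA.
        if (!rootCert.getSubjectDN().equals(rootCert.getIssuerDN())) {
            throw new IOException("Chain for " + tag + " cert does not end in a self-signed cert: "
                    + rootCert.getSubjectDN());
        }

        CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN());
        CryptoUtil.trustRootCert(rootCert);
```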
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 97a4bc3a8..510518571 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -296,7 +296,9 @@ public class ConfigurationUtils {
}
cs.commit(false);
- CryptoUtil.importCertificateChain(certchain);
+
+ byte[] bytes = CryptoUtil.base64Decode(certchain);
+ CryptoUtil.importCertificateChain(bytes);
} else {
throw new IOException("importCertChain: Security Domain response does not contain certificate chain");
@@ -3241,74 +3243,26 @@ public class ConfigurationUtils {
} else if (cert.getType().equals("remote")) {
- CMS.debug("handleCerts(): processing remote cert");
-
- if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
-
- CMS.debug("handleCerts(): deleting existing cert");
- String b64chain = cert.getCertChain();
-
- try {
- if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
- CertUtil.deleteBootstrapServerCert();
- if (CertUtil.findCertificate(tokenname, nickname)) {
- CertUtil.deleteCert(tokenname, nickname);
- }
- } catch (Exception e) {
- CMS.debug(e);
- }
-
- CMS.debug("handleCerts(): importing new cert");
- b64 = CryptoUtil.stripCertBrackets(b64.trim());
- String certs = CryptoUtil.normalizeCertStr(b64);
- byte[] certb = CryptoUtil.base64Decode(certs);
-
- config.putString(subsystem + "." + certTag + ".cert", certs);
- try {
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate x509cert = cm.importCertPackage(certb, nickname);
- CryptoUtil.trustCertByNickname(nickname);
-
- X509Certificate[] certchains = cm.buildCertificateChain(x509cert);
- X509Certificate leaf = null;
-
- if (certchains != null) {
- CMS.debug("handleCerts(): certchains length=" + certchains.length);
- leaf = certchains[certchains.length - 1];
- }
-
- if (leaf == null) {
- CMS.debug("handleCerts(): leaf is null!");
- throw new IOException("leaf is null");
- }
+ if (b64 == null || b64.length() == 0 || b64.startsWith("...")) {
+ throw new PKIException("Missing certificate data for " + certTag + " cert");
+ }
- if (b64chain != null && b64chain.length() != 0) {
- CMS.debug("handlecerts: cert might not have contained chain...calling importCertificateChain: "
- + b64chain);
- try {
- CryptoUtil.importCertificateChain(CryptoUtil.normalizeCertAndReq(b64chain));
- } catch (Exception e) {
- CMS.debug("handleCerts(): importCertChain: Exception: " + e.toString());
- }
- }
+ b64 = CryptoUtil.stripCertBrackets(b64.trim());
+ String strCert = CryptoUtil.normalizeCertStr(b64);
+ byte[] binCert = CryptoUtil.base64Decode(strCert);
- InternalCertificate icert = (InternalCertificate) leaf;
+ config.putString(subsystem + "." + certTag + ".cert", strCert);
- icert.setSSLTrust(
- InternalCertificate.TRUSTED_CA
- | InternalCertificate.TRUSTED_CLIENT_CA
- | InternalCertificate.VALID_CA);
- CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag);
- } catch (Exception ee) {
- ee.printStackTrace();
- CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString());
- }
+ String strStrChain = cert.getCertChain();
+ byte[] binCertChain = null;
- } else {
- CMS.debug("handleCerts(): b64 not set");
- throw new PKIException("Missing " + certTag + " certificate to import");
+ if (strStrChain != null && strStrChain.length() != 0) {
+ strStrChain = CryptoUtil.normalizeCertAndReq(strStrChain);
+ binCertChain = CryptoUtil.base64Decode(strStrChain);
}
+ CertUtil.importExternalCert(certTag, tokenname, nickname, binCert, binCertChain);
+
} else {
b64 = CryptoUtil.stripCertBrackets(b64.trim());