author | Christina Fu <cfu@redhat.com> | 2015-12-03 15:00:55 -0800 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2016-01-15 09:14:02 -0800 |
commit | 9a6a3d1cbf6e347b2cf0737afca4f793a6a0d0ba (patch) | |
tree | dfc8f4f4fcf01200cbc2e1063abcbe3c697a904a /base/server/cmscore/src/com/netscape | |
parent | 933004ba052ec1ce93526616c67b5ed272f29779 (diff) | |
Ticket #1375 Provide cert/key retention for externalReg
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an existing cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key ids on the token and make it impossible to inject cert ID higher
than 4, as it would then result in key ids into two digits.
Another issue that adds to running into the limit is that the function
that gets the next free certid number does not make any attempt to search
for "holes" to reuse.
The cert/key id assignment/limit issue will be filed as a separte ticket
and addressed separately. More complicated testing will be conducted then.
Diffstat (limited to 'base/server/cmscore/src/com/netscape')
-rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 1e1f844cd..d050060d9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1203,14 +1203,20 @@ public class CMSEngine implements ICMSEngine {
 */
 mSAuditCertNickName = mConfig.getString(PROP_SIGNED_AUDIT_CERT_NICKNAME);
 mManager = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = mManager.findCertByNickname(mSAuditCertNickName);
+ CMS.debug("CMSEngine: about to look for cert for auto-shutdown support:" + mSAuditCertNickName);
+ org.mozilla.jss.crypto.X509Certificate cert = null;
+ try {
+ cert = mManager.findCertByNickname(mSAuditCertNickName);
+ } catch (Exception as) {
+ // can't support auto-shutdown at this point
+ CMS.debug("CMSEngine: cert not found:" + mSAuditCertNickName);
+ CMS.debug("CMSEngine: Exception:" + as.toString());
+ }
 if (cert != null) {
 CMS.debug("CMSEngine: found cert:" + mSAuditCertNickName);
- } else {
- CMS.debug("CMSEngine: cert not found:" + mSAuditCertNickName);
+ mSigningKey = mManager.findPrivKeyByCert(cert);
+ mSigningData = cert.getPublicKey().getEncoded();
 }
- mSigningKey = mManager.findPrivKeyByCert(cert);
- mSigningData = cert.getPublicKey().getEncoded();
 } catch (Exception e) {
 CMS.debug("CMSEngine: " + e.toString()); |
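Review bot: The new `catch (Exception as)` around `findCertByNickname` at the top of the hunk downgrades a missing signed-audit signing cert to two debug-level messages and leaves `mSigningKey`/`mSigningData` unset, so the audit-failure auto-shutdown that relies on them is silently unavailable unless debug logging happens to be on. Because that protection is a security control when signed audit logging is configured, the condition should be surfaced above debug level (a warning/system-log message, or a rethrow when signed audit is enabled — whether that enablement is checked above the hunk is not visible here). Catching bare `Exception` also hides unrelated failures; as far as I recall JSS's `findCertByNickname` declares `ObjectNotFoundException` and `TokenException`, so catching those, e.g. `} catch (ObjectNotFoundException | TokenException as) {`, would be narrower. Note that `findPrivKeyByCert(cert)` inside the `if` can still throw and falls through to the outer `catch (Exception e)`, which likewise only emits a debug line; the enclosing try block begins before this hunk.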