diff options
author | Ade Lee <alee@redhat.com> | 2013-10-30 15:50:28 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-10-31 01:23:27 -0400 |
commit | 2e54c85990e7969f7e36c324052b67f62debe4c2 (patch) | |
tree | 302b7a24e03d5625b186b50b277f3d126523bb21 /base/server | |
parent | 3b2b7ea239fe85c0b90169402e0d1480122d20cc (diff) | |
download | pki-2e54c85990e7969f7e36c324052b67f62debe4c2.tar.gz pki-2e54c85990e7969f7e36c324052b67f62debe4c2.tar.xz pki-2e54c85990e7969f7e36c324052b67f62debe4c2.zip |
Fixed logic for setting admin cert signing algorithm
Should now be SHA256 by default.
Bugzilla BZ 1024445
Diffstat (limited to 'base/server')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 123 |
1 files changed, 79 insertions, 44 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 789c0aab5..1936b2c5a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -17,14 +17,15 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.BufferedReader; import java.io.ByteArrayInputStream; -import java.io.DataInputStream; import java.io.FileInputStream; +import java.io.FileNotFoundException; import java.io.IOException; -import java.io.InputStreamReader; import java.math.BigInteger; import java.util.Date; +import java.util.Iterator; +import java.util.Properties; +import java.util.Set; import javax.servlet.http.HttpServletResponse; @@ -36,6 +37,8 @@ import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509Key; +import org.apache.commons.lang.ArrayUtils; +import org.apache.commons.lang.StringUtils; import org.apache.velocity.context.Context; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.PrivateKey; @@ -271,52 +274,84 @@ public class CertUtil { } /** - * reads from the admin cert profile caAdminCert.profile and takes the first - * entry in the list of allowed algorithms. Users that wish a different algorithm - * can specify it in the profile using default.params.signingAlg + * reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows: + * + * 1. First gets list of allowed algorithms from profile (constraint.params.signingAlgsAllowed) + * If entry does not exist, uses entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg + * If that entry does not exist, uses basic default + * + * 2. Gets default.params.signingAlg from profile. + * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list + * that matches CA signing key type + * Otherwise returns entry if it matches signing CA key type. + * + * @throws EBaseException + * @throws IOException + * @throws FileNotFoundException */ - public static String getAdminProfileAlgorithm(IConfigStore config) { - String algorithm = "SHA256withRSA"; - try { - String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa"); - String pfile = config.getString("profile.caAdminCert.config"); - FileInputStream fis = new FileInputStream(pfile); - DataInputStream in = new DataInputStream(fis); - BufferedReader br = new BufferedReader(new InputStreamReader(in)); - - String strLine; - while ((strLine = br.readLine()) != null) { - String marker2 = "default.params.signingAlg="; - int indx = strLine.indexOf(marker2); - if (indx != -1) { - String alg = strLine.substring(indx + marker2.length()); - if ((alg.length() > 0) && (!alg.equals("-"))) { - algorithm = alg; - break; - } - ; - } - ; - - String marker = "signingAlgsAllowed="; - indx = strLine.indexOf(marker); - if (indx != -1) { - String[] algs = strLine.substring(indx + marker.length()).split(","); - for (int i = 0; i < algs.length; i++) { - if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) || - (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC") != -1))) { - algorithm = algs[i]; - break; - } - } + public static String getAdminProfileAlgorithm(IConfigStore config) throws EBaseException, FileNotFoundException, + IOException { + String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa"); + String pfile = config.getString("profile.caAdminCert.config"); + Properties props = new Properties(); + props.load(new FileInputStream(pfile)); + + Set<String> keys = props.stringPropertyNames(); + Iterator<String> iter = keys.iterator(); + String defaultAlg = null; + String[] algsAllowed = null; + + while (iter.hasNext()) { + String key = iter.next(); + if (key.endsWith("default.params.signingAlg")) { + defaultAlg = props.getProperty(key); + } + if (key.endsWith("constraint.params.signingAlgsAllowed")) { + algsAllowed = StringUtils.split(props.getProperty(key), ","); + } + } + + if (algsAllowed == null) { //algsAllowed not defined in profile, use a global setting + algsAllowed = StringUtils.split(config.getString("ca.profiles.defaultSigningAlgsAllowed", + "SHA256withRSA,SHA256withEC,SHA1withDSA"), ","); + } + + if (ArrayUtils.isEmpty(algsAllowed)) { + throw new EBaseException("No allowed signing algorithms defined."); + } + + if (StringUtils.isNotEmpty(defaultAlg) && !defaultAlg.equals("-")) { + // check if the defined default algorithm is valid + if (! isAlgorithmValid(caSigningKeyType, defaultAlg)) { + throw new EBaseException("Administrator cert cannot be signed by specfied algorithm." + + "Algorithm incompatible with signing key"); + } + + for (String alg : algsAllowed) { + if (defaultAlg.trim().equals(alg.trim())) { + return defaultAlg; } } - in.close(); - } catch (Exception e) { - CMS.debug("getAdminProfleAlgorithm: exception: " + e); + throw new EBaseException( + "Administrator Certificate cannot be signed by the specified algorithm " + + "as it is not one of the allowed signing algorithms. Check the admin cert profile."); } - return algorithm; + + // no algorithm specified. Pick the first allowed algorithm. + for (String alg : algsAllowed) { + if (isAlgorithmValid(caSigningKeyType, alg)) return alg; + } + + throw new EBaseException( + "Admin certificate cannot be signed by any of the specified possible algorithms." + + "Algorithm is incompatible with the CA signing key type" ); + } + + private static boolean isAlgorithmValid(String signingKeyType, String algorithm) { + return ((signingKeyType.equals("rsa") && algorithm.contains("RSA")) || + (signingKeyType.equals("ecc") && algorithm.contains("EC")) || + (signingKeyType.equals("dsa") && algorithm.contains("DSA"))); } public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key, |