author | Christina Fu <cfu@redhat.com> | 2015-12-03 15:00:55 -0800 |
committer | Christina Fu <cfu@redhat.com> | 2016-01-15 09:14:02 -0800 |
commit | 9a6a3d1cbf6e347b2cf0737afca4f793a6a0d0ba (patch) | |
tree | dfc8f4f4fcf01200cbc2e1063abcbe3c697a904a /base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | |
parent | 933004ba052ec1ce93526616c67b5ed272f29779 (diff) | |
Ticket #1375 Provide cert/key retention for externalReg
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an existing cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key ids on the token and make it impossible to inject cert ID higher
than 4, as it would then result in key ids into two digits.
Another issue that adds to running into the limit is that the function
that gets the next free certid number does not make any attempt to search
for "holes" to reuse.
The cert/key id assignment/limit issue will be filed as a separte ticket
and addressed separately. More complicated testing will be conducted then.
Diffstat (limited to 'base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index a9355b9bf..6ea8fa2ba 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -33,8 +33,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import netscape.security.x509.RevocationReason;
-
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.authentication.AuthUIParameter;
@@ -93,6 +91,8 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.symkey.SessionKey;
+import netscape.security.x509.RevocationReason;
+
 public class TPSProcessor {
 public static final int RESULT_NO_ERROR = 0;
@@ -1669,20 +1669,20 @@ public class TPSProcessor {
 new ExternalRegCertToRecover();
 int i = 0;
 for (i = 0; i < items.length; i++) {
- if (i == 0)
+ if (i == 0) {
+ CMS.debug(method + "setting serial: " + items[i]);
 erCert.setSerial(new BigInteger(items[i]));
- else if (i == 1)
+ } else if (i == 1)
 erCert.setCaConn(items[i]);
- else if (i == 2)
+ else if (i == 2) {
+ CMS.debug(method + "setting keyid: " + items[i]);
 erCert.setKeyid(new BigInteger(items[i]));
- else if (i == 3)
+ } else if (i == 3)
 erCert.setKraConn(items[i]);
 }
- /* TODO: for phase 3, retenable certs/keys
 if (i<3) {
 erCert.setIsRetainable(true);
 }
- */
 erAttrs.addCertToRecover(erCert);
 }
 } else {
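Review bot: The retention check `if (i<3)` that the 1669 hunk re-enables marks any entry with fewer than three parsed fields as retainable, so a malformed certsToAdd entry carrying only a serial (no CA connector) is silently retained, and a three-field entry (serial, ca, keyId but no kraConn) is treated as a full recovery with no KRA connector; neither case matches the two-field/four-field contract the commit message describes. Since items appears to be parsed from the external registration record, I would validate the field count before the loop, e.g. `if (items.length != 2 && items.length != 4) throw new TPSException(method + "malformed certsToAdd entry: " + items.length + " fields", TPSStatus.STATUS_ERROR_MISCONFIGURATION);`, hedging that this status constant is the right one for the path. In the same hunk `new BigInteger(items[i])` throws NumberFormatException on a non-numeric serial or keyId and nothing in view catches it, so folding that into the same validation would give the operator a clear misconfiguration error rather than a stack trace. The `else if` chain now mixes braced and unbraced branches; bracing all four would match the style of the branches this hunk adds. The enclosing method starts and ends outside the hunk.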
@@ -1877,6 +1877,21 @@ public class TPSProcessor {
 throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
 }
 session.setExternalRegAttrs(erAttrs);
+ /* test
+ ArrayList<ExternalRegCertToRecover> erCertsToRecover =
+ session.getExternalRegAttrs().getCertsToRecover();
+
+ for (ExternalRegCertToRecover erCert : erCertsToRecover) {
+ BigInteger serial = erCert.getSerial();
+ CMS.debug("In TPSProcessor.format: " + "serial: " + serial.toString());
+ BigInteger keyid = erCert.getKeyid();
+ if (keyid != null)
+ CMS.debug("In TPSProcessor.format: " + "keyid: " + keyid.toString());
+ else
+ CMS.debug("In TPSProcessor.format: " + "no keyid");
+ }
+ test ends */
+
 setSelectedTokenType(erAttrs.getTokenType());
 }
 CMS.debug("In TPSProcessor.format: isExternalReg: about to process keySet resolver");
@@ -2057,9 +2072,6 @@ public class TPSProcessor {
 tokenRecord.setStatus("uninitialized");
 try {
 tps.tdb.tdbUpdateTokenEntry(tokenRecord);
- String successMsg = "update token success";
- tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), successMsg,
- "success");
 } catch (Exception e) {
 String failMsg = "update token failure";
 auditMsg = failMsg + ":" + e.toString(); |
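Review bot: The block between `/* test` and `test ends */` in the 1877 hunk is commented-out debug code being committed into the format path; it is not compiled, so it will drift out of sync with getCertsToRecover() and only adds noise for the next reader. Either drop it from the commit, or keep the loop as live code behind the existing CMS.debug calls so the compiler keeps it honest. The enclosing method starts and ends outside the hunk.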
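Review bot: Removing the `tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, ...)` call in the 2057 hunk means a successful token-record update during format no longer writes an activity entry, while the catch branch right below still builds its failure auditMsg, so the activity database would record format failures but not successes unless the success entry is written elsewhere. Nothing in the diff or the commit message explains the removal; if it was dropped because a later step in format() records the same activity, the message should say so, otherwise the call should stay. The try block begins inside the hunk but the enclosing method starts and ends outside it.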