author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-06-13 11:27:59 -0700 |
---|---|---|
committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-01 17:09:34 -0700 |
commit | 0f056221d096a30307834265ecd1c527087bb0f7 (patch) | |
tree | d81d3a5616cc90136ae09705ebb1c10f543a0691 /base/tps/src | |
parent | cfab57d057c7ada71ea9c360c278249d14e018d9 (diff) | |
download | pki-0f056221d096a30307834265ecd1c527087bb0f7.tar.gz pki-0f056221d096a30307834265ecd1c527087bb0f7.tar.xz pki-0f056221d096a30307834265ecd1c527087bb0f7.zip |
Separated TPS does not automatically receive shared secret from remote TKS.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
Diffstat (limited to 'base/tps/src')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 8 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java | 12 |
2 files changed, 13 insertions, 7 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index ff6420879..94e6497ce 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -33,6 +33,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import netscape.security.x509.RevocationReason;
+
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.authentication.AuthUIParameter;
@@ -96,8 +98,6 @@ import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.servlet.tks.SecureChannelProtocol;
 import com.netscape.symkey.SessionKey;
-import netscape.security.x509.RevocationReason;
-
 public class TPSProcessor {
 public static final int RESULT_NO_ERROR = 0;
@@ -686,9 +686,6 @@ public class TPSProcessor {
 sessionKey = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, sessionKeyWrapped.toBytesArray(), false);
-
-
-
 if (sessionKey == null) {
 CMS.debug("TPSProcessor.generateSecureChannel: Can't extract session key!");
 throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract session key!",
@@ -708,7 +705,6 @@ public class TPSProcessor {
 TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
 }
- //CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key: " + encSessionKey);
 CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key");
 TPSBuffer drmDesKey = null;
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
index dab80e491..068293e60 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
@@ -142,11 +142,21 @@ public class TPSInstallerService extends SystemConfigService {
 ConfigurationUtils.exportTransportCert(secdomainURI, tksURI, transportCert);
 }
+ String doImportStr = request.getImportSharedSecret();
+ CMS.debug("finalizeConfiguration: importSharedSecret:" + doImportStr);
 // generate shared secret from the tks
+
+ boolean doImport = false;
+
+ if("true".equalsIgnoreCase(doImportStr)) {
+ CMS.debug("finalizeConfiguration: importSharedSecret: importSharedSecret is true.");
+ doImport = true;
+ }
+
 ConfigurationUtils.getSharedSecret(
 tksURI.getHost(),
 tksURI.getPort(),
- Boolean.getBoolean(request.getImportSharedSecret()));
+ doImport);
 } catch (URISyntaxException e) {
 throw new BadRequestException("Invalid URI for CA, TKS or KRA"); |
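Review bot: The seven added lines that derive `doImport` re-implement `Boolean.parseBoolean` by hand — `parseBoolean` is null-safe and matches "true" case-insensitively, which is exactly the behaviour written here, so the block collapses to `boolean doImport = Boolean.parseBoolean(doImportStr);` (the second debug line can go with it). Doing so also puts the `// generate shared secret from the tks` comment back directly above the `getSharedSecret` call it describes, rather than above the flag parsing the new lines wedge between them. Separately, every value other than "true" — including a missing parameter or a typo such as "yes" — silently yields `doImport == false`, so a configuration request that asked for the import would leave this TPS without the shared secret and only a debug-level trace to show why; consider rejecting unrecognized values with the `BadRequestException` already thrown in this method, or at least logging at warning level. The enclosing method starts outside the hunk; the `finalizeConfiguration:` prefix in the new debug strings suggests it is `finalizeConfiguration`, but that is inferred.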