authorEndi S. Dewata <edewata@redhat.com>2016-08-01 22:35:32 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-08-05 22:23:50 +0200
commitb7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 (patch)
treefd80f34ed91ffb38b9eedd3a0d65ec7d101e1468 /base/util/src/com/netscape/cmsutil
parentda66600e8ae07fa4169d24909c7d04ed69d2906c (diff)
Fixed PKCS #12 import for cloning.
To fix the cloning issue in IPA, security_database.py has been modified to import all certificates and keys from the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script also resets the trust flags on the imported certificates (i.e. CT,C,C for the CA certificate and u,u,Pu for the audit certificate). ConfigurationUtils.restoreCertsFromP12() is now redundant and should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates. CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates. https://fedorahosted.org/pki/ticket/2424
Diffstat (limited to 'base/util/src/com/netscape/cmsutil')
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java60
1 files changed, 33 insertions, 27 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 9cabdc5cc..b02c363e2 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -47,33 +47,6 @@ import java.util.Random;
import java.util.StringTokenizer;
import java.util.Vector;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS10Attribute;
-import netscape.security.pkcs.PKCS10Attributes;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.PKCS9Attribute;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerInputStream;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.DerValue;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500Signer;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.NoSuchTokenException;
@@ -132,6 +105,33 @@ import org.mozilla.jss.util.Password;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500Signer;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
@SuppressWarnings("serial")
public class CryptoUtil {
@@ -1164,10 +1164,16 @@ public class CryptoUtil {
if (certchains != null) {
cert = certchains[certchains.length - 1];
}
+
+ // set trust flags to CT,C,C
InternalCertificate icert = (InternalCertificate) cert;
icert.setSSLTrust(InternalCertificate.TRUSTED_CA
| InternalCertificate.TRUSTED_CLIENT_CA
| InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
}
public static SEQUENCE parseCRMFMsgs(byte cert_request[])
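Review bot: The new setEmailTrust/setObjectSigningTrust calls, together with the existing setSSLTrust, give the last certificate of the chain full CA trust for all three usages without any check that it is actually a CA certificate, so whatever is at the end of the chain passed in becomes a trusted root in the NSS database. The method's signature and the assignment of `cert` when `certchains` is null are outside the hunk, so this is inferred from the visible lines; if the chain is caller-controlled (the commit description suggests it comes from a PKCS #12 file), a guard such as `if (!cert.getBasicConstraints() ... ) throw new IllegalArgumentException("last certificate in chain is not a CA");` or at minimum a documented precondition would make that trust decision explicit. The comment `// set trust flags to CT,C,C` should say what it trusts and why, e.g. `// Mark the chain's last (root) certificate as a trusted CA for SSL, email and object signing (CT,C,C); the caller is responsible for only passing chains whose root it trusts.` The cast to InternalCertificate on the following line is also unchecked and will throw ClassCastException for a certificate that is not on the internal token, which is worth stating in the method's Javadoc.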