author | Matthew Harmsen <mharmsen@redhat.com> | 2015-06-17 18:36:20 -0600 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-06-17 21:58:33 -0600 |
commit | ce50ced9c842f6232bf136ba77233f05e95c80b7 (patch) | |
tree | f65bbc28f2c496f72fde8380343405c85cd00c90 /base | |
parent | aaeb8ade5604b14ff9a704aed372177a26d28d04 (diff) | |
Fix for HSM cloning issue
Diffstat (limited to 'base')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 39 | ||||
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 8 |
2 files changed, 47 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 5bad42d8e..ce9e3bf49 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1155,6 +1155,45 @@ public class ConfigurationUtils {
 }
 }
+ /* We need to import the audit signing cert and CA signing cert to the soft token in order to
+ * correctly set the trust permissions.
+ */
+ public static void importAndSetCertPermissionsFromHSM() throws EBaseException, NotInitializedException,
+ IOException, CertificateEncodingException, NicknameConflictException, UserCertConflictException,
+ NoSuchItemOnTokenException, TokenException {
+
+ CryptoManager cm = CryptoManager.getInstance();
+ IConfigStore cs = CMS.getConfigStore();
+
+ // nickname has no token prepended to it, so no need to strip
+ String nickname = cs.getString("preop.master.audit_signing.nickname");
+ String cstype = cs.getString("cs.type", "");
+ cstype = cstype.toLowerCase();
+
+ //audit signing cert
+ String certStr = cs.getString(cstype + ".audit_signing.cert");
+ byte[] cert = CryptoUtil.base64Decode(certStr);
+ X509Certificate xcert = cm.importUserCACertPackage(cert, nickname);
+
+ InternalCertificate icert = (InternalCertificate) xcert;
+ icert.setObjectSigningTrust(InternalCertificate.USER
+ | InternalCertificate.VALID_PEER
+ | InternalCertificate.TRUSTED_PEER);
+
+ // ca signing cert
+ if (cstype.equals("ca")) {
+ // nickname has no token prepended to it, so no need to strip
+ nickname = cs.getString("preop.master.signing.nickname");
+ certStr = cs.getString(cstype + ".signing.cert");
+ cert = CryptoUtil.base64Decode(certStr);
+ xcert = cm.importUserCACertPackage(cert, nickname);
+ icert = (InternalCertificate) xcert;
+ icert.setSSLTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.TRUSTED_CLIENT_CA
+ | InternalCertificate.VALID_CA);
+ }
+ }
+
 private static boolean importRequired(ArrayList<String> masterList, String nickname) {
 if (masterList.contains(nickname))
 return true;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 3e7ea5b75..2de087bad 100644
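Review bot: `importAndSetCertPermissionsFromHSM()` marks whatever certificate is stored under `<cstype>.signing.cert` as `TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA` without checking or recording which certificate that is. Where those config values are populated is not visible in this hunk, so if they can be altered before this call the clone would gain an unintended SSL trust anchor. At minimum, log the subject of each imported certificate next to its nickname, e.g. `CMS.debug("importAndSetCertPermissionsFromHSM: trusting " + xcert.getSubjectDN() + " as " + nickname);`. The two `(InternalCertificate) xcert` casts are also unguarded, so an object of another type would surface only as a ClassCastException; an `instanceof` check with a descriptive error before each cast would make that failure diagnosable.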
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -852,6 +852,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 CMS.debug(e);
 throw new PKIException("Failed to restore certificates from p12 file" + e);
 }
+ } else {
+ CMS.debug("SystemConfigService.getCloningData(): set permissions for certs stored in hardware");
+ try {
+ ConfigurationUtils.importAndSetCertPermissionsFromHSM();
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException("Failed to import certs from HSM and set permissions:" + e);
+ }
 }
 CMS.debug("SystemConfigService.getCloningData(): verify certs"); |
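Review bot: The new `catch (Exception e)` in the `else` branch builds the `PKIException` message by concatenating `e`, which drops the cause chain and puts the underlying exception text (token and nickname details) into a message that presumably reaches the REST client. Prefer a fixed message and pass the exception as the cause, if PKIException has such a constructor, e.g. `throw new PKIException("Failed to import certs from HSM and set permissions", e);`, leaving the detail to `CMS.debug(e)`. The `if` that this `else` pairs with is outside the hunk, so confirm the branch is reached only when the keys really are on an HSM and not for every clone request that lacks a p12 file.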