diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-03-31 12:46:03 +1100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-04-14 16:07:16 +1000 |
commit | 6d72a9c7fc067df42a3259fc5ea87b65e94f76ad (patch) | |
tree | a7ad9fd5b73724d19f7deee6856149f416c0c30c /base | |
parent | e832349f8846ab398b17b98ebe9862bc700d1b7f (diff) | |
download | pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.gz pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.tar.xz pki-6d72a9c7fc067df42a3259fc5ea87b65e94f76ad.zip |
Lightweight CAs: add exceptions for missing signing key or cert
Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object. In CertificateAuthority, store the exception if it occurs
for possible re-throwing later. Also add the private 'hasKeys'
field for internal use.
Part of: https://fedorahosted.org/pki/ticket/1625
Diffstat (limited to 'base')
4 files changed, 59 insertions, 7 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 2e1f9d7c8..b087f26b6 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -77,6 +77,8 @@ import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CADisabledException; import com.netscape.certsrv.ca.CAEnabledException; +import com.netscape.certsrv.ca.CAMissingCertException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.ca.CANotFoundException; import com.netscape.certsrv.ca.CANotLeafException; import com.netscape.certsrv.ca.CATypeException; @@ -188,6 +190,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori protected AuthorityID authorityParentID = null; protected String authorityDescription = null; protected boolean authorityEnabled = true; + private boolean hasKeys = false; + private ECAException signingUnitException = null; protected ISubsystem mOwner = null; protected IConfigStore mConfig = null; @@ -1358,7 +1362,15 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); } - mSigningUnit.init(this, caSigningCfg, mNickname); + try { + mSigningUnit.init(this, caSigningCfg, mNickname); + hasKeys = true; + signingUnitException = null; + } catch (CAMissingCertException | CAMissingKeyException e) { + CMS.debug("CA signing key and cert not (yet) present in NSSDB"); + signingUnitException = e; + return; + } CMS.debug("CA signing unit inited"); // for identrus diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java index 0ac4b7a1c..60bd84e3b 100644 --- a/base/ca/src/com/netscape/ca/SigningUnit.java +++ b/base/ca/src/com/netscape/ca/SigningUnit.java @@ -43,6 +43,8 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.ca.ECAException; +import com.netscape.certsrv.ca.CAMissingCertException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.common.Constants; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.ISigningUnit; @@ -165,14 +167,22 @@ public final class SigningUnit implements ISigningUnit { mToken.login(cb); // ONE_TIME by default. - mCert = mManager.findCertByNickname(mNickname); - CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber()); + try { + mCert = mManager.findCertByNickname(mNickname); + CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber()); + } catch (ObjectNotFoundException e) { + throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + } mCertImpl = new X509CertImpl(mCert.getEncoded()); CMS.debug("converted to x509CertImpl"); - mPrivk = mManager.findPrivKeyByCert(mCert); - CMS.debug("Got private key from cert"); + try { + mPrivk = mManager.findPrivKeyByCert(mCert); + CMS.debug("Got private key from cert"); + } catch (ObjectNotFoundException e) { + throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + } mPubk = mCert.getPublicKey(); CMS.debug("Got public key from cert"); @@ -200,10 +210,10 @@ public final class SigningUnit implements ISigningUnit { CMS.debug("SigningUnit init: debug " + e.toString()); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname)); - } catch (ObjectNotFoundException e) { + } catch (CAMissingCertException | CAMissingKeyException e) { CMS.debug("SigningUnit init: debug " + e.toString()); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + throw e; // re-throw } catch (TokenException e) { CMS.debug("SigningUnit init: debug " + e.toString()); log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java new file mode 100644 index 000000000..49c5063f2 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java @@ -0,0 +1,15 @@ +package com.netscape.certsrv.ca; + +/** + * Exception to throw when a (sub-)CA's signing certificate is not + * (yet) present in the local NSSDB. + */ +public class CAMissingCertException extends ECAException { + + private static final long serialVersionUID = 7261805480088539689L; + + public CAMissingCertException(String msgFormat) { + super(msgFormat); + } + +} diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java new file mode 100644 index 000000000..8f5e1e72a --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java @@ -0,0 +1,15 @@ +package com.netscape.certsrv.ca; + +/** + * Exception to throw when a (sub-)CA's signing key is not (yet) + * present in the local NSSDB. + */ +public class CAMissingKeyException extends ECAException { + + private static final long serialVersionUID = -364157165997677925L; + + public CAMissingKeyException(String msgFormat) { + super(msgFormat); + } + +} |