authorAde Lee <alee@redhat.com>2017-01-20 11:01:41 -0500
committerAde Lee <alee@redhat.com>2017-01-24 12:49:47 -0500
commit049a4e3e09328bfcdff62dc189ad95917647fb22 (patch)
tree71689109650a38e015322a8659e51e389b9fc644 /base
parentc57875a84e61d6e0a71da5b74a3c2ce0e13132a6 (diff)
Add option to remove signing cert entry
In the migration case, it is useful to delete the initially created signing certificate database record and have it imported through the LDIF data import instead. Therefore, we add an option to remove this entry. The user also needs to provide the serial number for the entry. This resolves the following tickets/BZs: BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed on CA website incorrect BZ# 1409946/Trac 2571 - Request ID undefined for CA signing certificate
Diffstat (limited to 'base')
-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java50
-rw-r--r--base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java32
-rw-r--r--base/server/etc/default.cfg2
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py6
4 files changed, 87 insertions, 3 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
index 3c7e48319..309f68d2d 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
@@ -24,8 +24,7 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.util.StringTokenizer;
-import netscape.ldap.LDAPAttribute;
-
+import org.apache.commons.lang.StringUtils;
import org.dogtagpki.server.rest.SystemConfigService;
import com.netscape.certsrv.apps.CMS;
@@ -41,6 +40,10 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
import com.netscape.cmscore.base.LDAPConfigStore;
import com.netscape.cmscore.profile.LDAPProfileSubsystem;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+
/**
* @author alee
*
@@ -93,6 +96,19 @@ public class CAInstallerService extends SystemConfigService {
CMS.debug(e);
throw new PKIException("Error enabling profile subsystem");
}
+
+ if (! request.createSigningCertRecord()) {
+ // This is the migration case. In this case, we will delete the
+ // record that was created during the install process.
+
+ try {
+ String serialNumber = request.getSigningCertSerialNumber();
+ deleteSigningRecord(serialNumber);
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException("Error deleting signing cert record:" + e, e);
+ }
+ }
}
@Override
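Review bot: `request.createSigningCertRecord()` returns the wrapper `Boolean` (the field is declared `protected Boolean createSigningCertRecord` in the ConfigurationRequest.java hunk), so the `!` on the first added line auto-unboxes and throws a NullPointerException whenever a client omits the new element, aborting configuration instead of keeping the existing behaviour of retaining the record. Treat absence as "keep the record": `if (Boolean.FALSE.equals(request.createSigningCertRecord())) {`. On the `throw` line the message embeds `e` by concatenation while `e` is also passed as the cause, so the exception class name is rendered twice; `"Error deleting signing cert record: " + e.getMessage()` is enough for the text. The enclosing method starts outside the hunk.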
@@ -189,9 +205,37 @@ public class CAInstallerService extends SystemConfigService {
configStore.commit(false /* no backup */);
}
+ private void deleteSigningRecord(String serialNumber) throws EBaseException, LDAPException {
+
+ if (StringUtils.isEmpty(serialNumber)) {
+ throw new PKIException("signing certificate serial number not specified in configuration request");
+ }
+
+ LDAPConnection conn = null;
+ try {
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("CAInstallerService");
+ dbFactory.init(dbCfg);
+ conn = dbFactory.getConn();
+
+ String basedn = dbCfg.getString("basedn", "");
+ String dn = "cn=" + serialNumber + ",ou=certificateRepository,ou=ca," + basedn;
+
+ conn.delete(dn);
+ } finally {
+ try {
+ if (conn != null)
+ conn.disconnect();
+ } catch (LDAPException e) {
+ CMS.debug(e);
+ CMS.debug("releaseConnection: " + e);
+ }
+ }
+ }
+
private void configureStartingCRLNumber(ConfigurationRequest data) {
CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
- cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
+ cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber());
}
private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
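Review bot: The DN on the `String dn = "cn=" + serialNumber + ",ou=certificateRepository,ou=ca," + basedn;` line is assembled from a value that arrives in the configuration request, yet the only validation before it is `StringUtils.isEmpty`, so a serial containing `,` or `=` would change which entry `conn.delete(dn)` removes. Certificate-record serials are numeric, so reject anything else before building the DN: `if (!serialNumber.matches("[0-9]+")) { throw new PKIException("invalid signing certificate serial number: " + serialNumber); }` (widen the pattern only if the repository stores hex serials in `cn`; confirm the record format against the repository code). The connection is obtained from `dbFactory.getConn()` but released with `conn.disconnect()`; if the factory pools its connections it presumably expects `dbFactory.returnConn(conn)` in the `finally` block instead — worth checking ILdapConnFactory. A Javadoc such as `/** Deletes the CA signing certificate record created during install (migration case); throws PKIException when the serial is missing or malformed, LDAPException when the delete fails. */` would document the new method.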
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 2ac1f5a15..26f45f078 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -238,6 +238,12 @@ public class ConfigurationRequest {
@XmlElement
protected String startingCRLNumber;
+ @XmlElement
+ protected Boolean createSigningCertRecord;
+
+ @XmlElement
+ protected String signingCertSerialNumber;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -944,6 +950,30 @@ public class ConfigurationRequest {
this.startingCRLNumber = startingCRLNumber;
}
+ public String getIsClone() {
+ return isClone;
+ }
+
+ public void setIsClone(String isClone) {
+ this.isClone = isClone;
+ }
+
+ public Boolean createSigningCertRecord() {
+ return createSigningCertRecord;
+ }
+
+ public void setCreateSigningCertRecord(Boolean createSigningCertRecord) {
+ this.createSigningCertRecord = createSigningCertRecord;
+ }
+
+ public String getSigningCertSerialNumber() {
+ return signingCertSerialNumber;
+ }
+
+ public void setSigningCertSerialNumber(String signingCertSerialNumber) {
+ this.signingCertSerialNumber = signingCertSerialNumber;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
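Review bot: The accessor added as `public Boolean createSigningCertRecord()` departs from the getter convention every other property in this class follows (`getStartingCRLNumber`, `getSigningCertSerialNumber`); naming it `getCreateSigningCertRecord()` keeps readers and bean-style tooling consistent, with the one call site in CAInstallerService updated to match. The `getIsClone`/`setIsClone` pair is not mentioned in the commit message and appears unrelated to the signing-record option; if it is intentional, a sentence in the description would help. The `toString` method at the bottom of the hunk continues outside it.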
@@ -1008,6 +1038,8 @@ public class ConfigurationRequest {
", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
", reindexData=" + reindexData +
", startingCrlNumber=" + startingCRLNumber +
+ ", createSigningCertRecord=" + createSigningCertRecord +
+ ", signingCertSerialNumber=" + signingCertSerialNumber +
"]";
}
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f35b6a7d5..b3e056a33 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -291,6 +291,8 @@ pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
+pki_ca_signing_record_create=True
+pki_ca_signing_serial_number=1
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ca_signing_token=
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index c9fe50d96..2e276f522 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4020,6 +4020,12 @@ class ConfigClient:
# Misc CA parameters
if self.subsystem == "CA":
data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
+ data.createSigningCertRecord = (
+ self.mdict['pki_ca_signing_record_create'].lower()
+ )
+ data.signingCertSerialNumber = (
+ self.mdict['pki_ca_signing_serial_number'].lower()
+ )
return data