author | Christina Fu <cfu@redhat.com> | 2013-04-03 19:02:40 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2013-04-03 19:06:32 -0700 |
commit | 2e0194dd7791eaf07d6e9eb26df57e5a4677f426 (patch) | |
tree | 210763f0b24bdbb16078b850db9483b629b0a53f /base | |
parent | 58af16ad10520d5a667427ec998127e45dd98612 (diff) | |
Bug 929043 - updating serverCert.profile with a SAN results in an empty SubjectAltNameExtDefault gname that is not added to the cert extension during configuration
Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
Diffstat (limited to 'base')
5 files changed, 61 insertions, 4 deletions
diff --git a/base/ca/shared/conf/serverCert.profile.exampleWithSAN b/base/ca/shared/conf/serverCert.profile.exampleWithSAN
new file mode 100644
index 000000000..3fd00f3d7
--- /dev/null
+++ b/base/ca/shared/conf/serverCert.profile.exampleWithSAN
@@ -0,0 +1,50 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7,8
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
+8.default.name=Subject Alt Name Constraint
+8.default.params.subjAltNameExtCritical=false
+8.default.params.subjAltExtType_0=OtherName
+8.default.params.subjAltExtSource_0=UUID4
+8.default.params.subjAltExtPattern_0=(IA5String)1.2.3.4,$server.source$
+8.default.params.subjAltExtGNEnable_0=true
+8.default.params.subjAltExtType_1=DNSName
+8.default.params.subjAltExtPattern_1=myhost.example.com
+8.default.params.subjAltExtGNEnable_1=true
+8.default.params.subjAltNameNumGNs=2
diff --git a/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java b/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
index 38379c283..907d8d631 100644
--- a/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
+++ b/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
@@ -25,6 +25,7 @@ import netscape.security.x509.X509CertInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.request.IRequest;
 public class CertInfoProfile {
 private Vector<ICertInfoPolicyDefault> mDefaults = new Vector<ICertInfoPolicyDefault>();
@@ -87,11 +88,15 @@ public class CertInfoProfile {
 }
 public void populate(X509CertInfo info) {
+ populate( null /* request */, info);
+ }
+
+ public void populate(IRequest request, X509CertInfo info) {
 Enumeration<ICertInfoPolicyDefault> e1 = mDefaults.elements();
 while (e1.hasMoreElements()) {
 ICertInfoPolicyDefault def = e1.nextElement();
 try {
- def.populate(null /* request */, info);
+ def.populate( request, info);
 } catch (Exception e) {
 CMS.debug(e);
 CMS.debug("CertInfoProfile.populate: " + e.toString());
diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
index 4bb1d0309..61c200a96 100644
--- a/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+++ b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
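Review bot: The header comment of the new example does not say which values are placeholders that must be edited before the profile is used: `1.2.3.4` in `8.default.params.subjAltExtPattern_0` is a placeholder OID for the OtherName and `myhost.example.com` in `8.default.params.subjAltExtPattern_1` is a sample host, so a profile copied as-is issues server certificates carrying both. Suggest extending the header to `# Example only: replace the OtherName OID 1.2.3.4 and the DNSName myhost.example.com before use`. A one-line note that `subjAltExtSource_0=UUID4` requests a server-generated value would also help readers who are not familiar with the SAN default's parameters.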
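Review bot: The new `populate(IRequest request, X509CertInfo info)` overload has no Javadoc saying that `request` may be null, which the one-argument overload now relies on and which callers need to know since the SAN default skips server-generated names when it is absent; suggest `/** Applies every configured default to {@code info}; {@code request} may be null, in which case defaults that need request data skip that work. */`. The two new calls carry a stray space after the opening parenthesis, `populate( null /* request */, info)` and `def.populate( request, info)`, which the surrounding code does not use. Note that the existing catch block only debug-logs a failing default, so a caller of either overload still cannot tell that an extension was not added. The while/try body continues outside the hunk.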
@@ -462,7 +462,9 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
 // call the mapPattern that does server-side gen
 // request is not used, but needed for the substitute
 // function
- gname = mapPattern(randUUID.toString(), request, pattern);
+ if (request != null) {
+ gname = mapPattern(randUUID.toString(), request, pattern);
+ }
 } else {
 //expand more server-gen types here
 CMS.debug("SubjectAltNameExtDefault: createExtension - unsupported server-generated type: " + source + ". Supported: UUID4");
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index d94091210..789c0aab5 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -406,7 +406,7 @@ public class CertUtil {
 CMS.debug("Creating local request exception:" + e.toString());
 }
- processor.populate(info);
+ processor.populate(req, info);
 String caPriKeyID = config.getString( prefix + "signing" + ".privkey.id");
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index 126ea3684..564368413 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -84,7 +84,7 @@ preop.cert.transport.keysize.custom_size=2048
 preop.cert.transport.keysize.size=2048
 preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID]
 preop.cert.transport.profile=caInternalAuthTransportCert
-preop.cert.transport.signing.required=true
+preop.cert.transport.signing.required=false
 preop.cert.transport.subsystem=kra
 preop.cert.transport.type=remote
 preop.cert.transport.userfriendlyname=Transport Certificate
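Review bot: The new null guard around `mapPattern` falls through silently when `request` is null, so the UUID4 general name is dropped with no log line explaining why, which is exactly the "gname is empty" symptom the commit is chasing; suggest an else branch `} else { CMS.debug("SubjectAltNameExtDefault: createExtension - no request; skipping server-generated UUID4 for pattern " + pattern); }`. The comment just above, `// request is not used, but needed for the substitute`, now contradicts the code, since the presence of the request is what gates generation; suggest `// mapPattern()/substitute() need a request object; skip server-side generation when none is supplied`. What `gname` holds when the guard skips, and how the caller treats it, is decided outside the hunk, so confirm the empty value is rejected there rather than encoded into the extension.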
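Review bot: `processor.populate(req, info)` is reached right after a catch block that only debug-logs "Creating local request exception", so `req` is presumably still null when request creation failed (its declaration is outside the hunk), and the defaults then silently skip every server-generated SAN value instead of surfacing the failure. Suggest guarding the call, `if (req == null) { CMS.debug("CertUtil: local request unavailable; server-generated SAN values will be skipped"); }`, or treating a null request as a configuration error at this point. The enclosing method starts and ends outside the hunk.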
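Review bot: The flip of `preop.cert.transport.signing.required` from true to false is not explained anywhere in the file, and the commit title only ties it to the ECC signing-algorithm display bug, so a reader cannot tell from the config what the key controls or why the transport cert is now excluded. Suggest a comment above the key such as `# transport cert is not a signing cert; this flag only affects the signing-algorithm choices shown during configuration`, assuming that is the flag's only effect. If the flag also feeds key-usage or profile selection elsewhere, confirm the transport cert still receives the usage the `caInternalAuthTransportCert` profile expects.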