| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-27 15:04:44 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-07-01 10:50:15 +1000 |
| commit | ca8edcd504ab81dbc30547c3c59a51fe98ff21cf (patch) | |
| tree | acfbb5124f608d668268d3a8f85b23349dbf1f78 /base | |
| parent | c7f9e6c4e0711dfafc81d201dcfadee3e0efa335 (diff) | |
AuthInfoAccess: use default OCSP URI if configured
The AuthInfoAccessExtDefault profile component constructs an OCSP
URI based on the current host and port, if no URI is explicitly
configured in the profile.
Update the component to look in CS.cfg for the "ca.defaultOcspUri"
config, and use its value if present. If not present, the old
behaviour prevails.
Also add the 'pki_default_ocsp_uri' pkispawn config to add the
config during instance creation, so that the value will be used for
the CA and system certificates.
Fixes: https://fedorahosted.org/pki/ticket/2387
Diffstat (limited to 'base')
3 files changed, 13 insertions, 2 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
index 36818a907..1190f28a3 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
@@ -430,9 +430,10 @@ public class AuthInfoAccessExtDefault extends EnrollExtDefault {
 if (method.equals("1.3.6.1.5.5.7.48.1")) {
 String hostname = CMS.getEENonSSLHost();
 String port = CMS.getEENonSSLPort();
+ String uri = "";
 if (hostname != null && port != null)
- // location = "http://"+hostname+":"+port+"/ocsp/ee/ocsp";
- location = "http://" + hostname + ":" + port + "/ca/ocsp";
+ uri = "http://" + hostname + ":" + port + "/ca/ocsp";
+ location = CMS.getConfigStore().getString("ca.defaultOcspUri", uri);
 }
 }
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index aa97e1fe6..edd263220 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -417,6 +417,11 @@ pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
 pki_share_db=False
+# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
+# config is blank. If both are blank, the value is constructed
+# based on the CMS hostname and port.
+pki_default_ocsp_uri=
+
 # Paths
 # These are used in the processing of pkispawn and are not supposed
 # to be overwritten by user configuration files.
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index b8505dd9b..64ee4e5f6 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
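Review bot: The value read on the new `location = CMS.getConfigStore().getString("ca.defaultOcspUri", uri);` line is used verbatim as the AIA access location, so a malformed or non-URI string in CS.cfg would be embedded into every certificate issued through this profile; it is worth parsing the configured value (for example with `java.net.URI`) and falling back to `uri` with a logged warning when it does not parse, and the same check is missing in the pkispawn scriptlet hunk in configuration.py, which writes the operator-supplied value into CS.cfg unchanged. Whether an explicitly blank `ca.defaultOcspUri=` is treated as unset depends on how this `getString(name, default)` overload handles empty values, which the hunk does not show. Note also that when hostname or port is null the fallback passed to `getString` is now `""`, so `location` is assigned the empty string where the old code left it untouched; whether that matches the "old behaviour prevails" claim depends on how `location` is initialised above the hunk. The enclosing method starts and ends outside the hunk.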
@@ -87,6 +87,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 subsystem = instance.get_subsystem(
 deployer.mdict['pki_subsystem'].lower())
+ ocsp_uri = deployer.mdict.get('pki_default_ocsp_uri')
+ if ocsp_uri:
+ subsystem.config['ca.defaultOcspUri'] = ocsp_uri
+ subsystem.save()
+
 token = deployer.mdict['pki_token_name']
 nssdb = instance.open_nssdb(token)
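Review bot: The key literal in `subsystem.config['ca.defaultOcspUri'] = ocsp_uri` is duplicated with the Java consumer in AuthInfoAccessExtDefault.java and nothing here explains the coupling; a comment such as `# read by AuthInfoAccessExtDefault when a profile has no OCSP URI configured` above the assignment would tie the two together. The value is stored as typed by the operator, so a `urllib.parse.urlparse`-based sanity check (scheme and netloc present) before the assignment would surface a typo at `pkispawn` time instead of in issued certificates. The `subsystem.save()` flushes CS.cfg immediately; if the scriptlet saves again further down, this call may be redundant, but the enclosing method continues outside the hunk so that cannot be confirmed here.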
