authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-07-27 19:03:40 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-07-27 19:03:40 +0000
commit2eb3243de06f1589991da47bfde6271e0d80abe6 (patch)
tree8168ed24525ffd35989d54bd6dd81471d5df0b08 /pki/base/common/src/com/netscape/cms/servlet/csadmin
parent9f8b12b0400f654f8b3f10ddbd731735c1d45607 (diff)
merge 8.1 -> tip, multiple bugs (base)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1134 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/csadmin')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java3
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java4
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java68
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java99
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java3
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java70
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java20
7 files changed, 204 insertions, 63 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
index d94bb4c15..129bc0bf6 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
@@ -221,6 +221,9 @@ public class AdminAuthenticatePanel extends WizardPanelBase {
c1.append(".keytype,");
c1.append("cloning.");
c1.append(t1);
+ c1.append(".keyalgorithm,");
+ c1.append("cloning.");
+ c1.append(t1);
c1.append(".privkey.id,");
c1.append("cloning.");
c1.append(t1);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 8cedeb247..0e1c20d2c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
@@ -312,6 +312,8 @@ public class CertRequestPanel extends WizardPanelBase {
// get public key
String pubKeyType = config.getString(
PCERT_PREFIX + certTag + ".keytype");
+ String algorithm = config.getString(
+ PCERT_PREFIX + certTag + ".keyalgorithm");
X509Key pubk = null;
if (pubKeyType.equals("rsa")) {
pubk = getRSAX509Key(config, certTag);
@@ -350,7 +352,7 @@ public class CertRequestPanel extends WizardPanelBase {
cert.setDN(caDN);
PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk,
- privk);
+ privk, algorithm);
CMS.debug("CertRequestPanel: created cert request");
byte[] certReqb = certReq.toByteArray();
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 258c36b62..592312084 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -128,6 +128,8 @@ public class CertUtil {
try {
String pubKeyType = config.getString(
prefix + certTag + ".keytype");
+ String algorithm = config.getString(
+ prefix + certTag + ".keyalgorithm");
if (pubKeyType.equals("rsa")) {
String pubKeyModulus = config.getString(
prefix + certTag + ".pubkey.modulus");
@@ -170,7 +172,7 @@ public class CertUtil {
PKCS10 certReq = null;
certReq = CryptoUtil.createCertificationRequest(dn, pubk,
- privk);
+ privk, algorithm);
byte[] certReqb = certReq.toByteArray();
String certReqs = CryptoUtil.base64Encode(certReqb);
@@ -250,7 +252,53 @@ public class CertUtil {
CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString());
}
}
-
+
+/**
+ * reads from the admin cert profile caAdminCert.profile and takes the first
+ * entry in the list of allowed algorithms. Users that wish a different algorithm
+ * can specify it in the profile using default.params.signingAlg
+ */
+
+ public static String getAdminProfileAlgorithm(IConfigStore config) {
+ String algorithm = "SHA1withRSA";
+ try {
+ String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa");
+ String pfile = config.getString("profile.caAdminCert.config");
+ FileInputStream fis = new FileInputStream(pfile);
+ DataInputStream in = new DataInputStream(fis);
+ BufferedReader br = new BufferedReader(new InputStreamReader(in));
+
+ String strLine;
+ while ((strLine = br.readLine()) != null) {
+ String marker2 = "default.params.signingAlg=";
+ int indx = strLine.indexOf(marker2);
+ if (indx != -1) {
+ String alg = strLine.substring(indx + marker2.length());
+ if ((alg.length() > 0) && (!alg.equals("-"))) {
+ algorithm = alg;
+ break;
+ };
+ };
+
+ String marker = "signingAlgsAllowed=";
+ indx = strLine.indexOf(marker);
+ if (indx != -1) {
+ String[] algs = strLine.substring(indx + marker.length()).split(",");
+ for (int i=0; i<algs.length; i++) {
+ if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) ||
+ (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC" ) != -1)) ) {
+ algorithm = algs[i];
+ break;
+ }
+ }
+ }
+ }
+ in.close();
+ } catch (Exception e) {
+ CMS.debug("getAdminProfleAlgorithm: exception: " + e);
+ }
+ return algorithm;
+ }
public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key,
String prefix, String certTag, String type, Context context) throws IOException {
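Review bot: The fallback at the top of getAdminProfileAlgorithm is `SHA1withRSA` regardless of `preop.cert.signing.keytype`, so an ECC CA whose caAdminCert profile has neither marker, or whose profile file cannot be opened (every exception lands in the single catch and only produces a debug line), ends up with an RSA algorithm name for an EC signing key. The reader is also closed only on the success path; an exception thrown before `in.close()` leaks the file handle. I would pick the fallback from the key type (SizePanel assumes `SHA256withEC` for ECC keys in this same commit) and close the stream in a finally block; the marker-scan loop itself can stay as it is.
```java
    public static String getAdminProfileAlgorithm(IConfigStore config) {
        String caSigningKeyType = "rsa";
        try {
            caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa");
        } catch (Exception e) {
            CMS.debug("getAdminProfileAlgorithm: cannot read signing keytype: " + e);
        }
        // fall back to an algorithm that at least matches the CA key type
        String algorithm = caSigningKeyType.equals("ecc") ? "SHA256withEC" : "SHA1withRSA";
        BufferedReader br = null;
        try {
            String pfile = config.getString("profile.caAdminCert.config");
            br = new BufferedReader(new InputStreamReader(new FileInputStream(pfile)));
            // … unchanged: default.params.signingAlg / signingAlgsAllowed scan loop …
        } catch (Exception e) {
            CMS.debug("getAdminProfileAlgorithm: exception: " + e);
        } finally {
            if (br != null) {
                try { br.close(); } catch (IOException e) { }
            }
        }
        return algorithm;
    }
```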
@@ -272,10 +320,16 @@ public class CertUtil {
try {
String dn = config.getString(prefix + certTag + ".dn");
+ String keyAlgorithm = null;
Date date = new Date();
X509CertInfo info = null;
+ if (certTag.equals("admin")) {
+ keyAlgorithm = getAdminProfileAlgorithm(config);
+ } else {
+ keyAlgorithm = config.getString(prefix + certTag + ".keyalgorithm");
+ }
ca = (ICertificateAuthority) CMS.getSubsystem(
ICertificateAuthority.ID);
cr = (ICertificateRepository) ca.getCertificateRepository();
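Review bot: For every tag other than `admin`, keyAlgorithm is taken from the subject certificate's own `preop.cert.<tag>.keyalgorithm`, but later in createLocalCert (outside this hunk) the same string is passed to signECCCert/signCert together with the CA's private key, and that branch is chosen by `preop.cert.signing.keytype`. When the CA signing key type differs from the subject key type — an ECC CA issuing an RSA sslserver or subsystem certificate, or the reverse — the algorithm name will not match caPrik and the signature must fail. The signature algorithm should follow the signing key: read the `signing` tag's `.keyalgorithm` under the same prefix for the signature (and for the algorithm id given to createX509CertInfo), keeping the per-tag value only where the subject key itself matters. Separately, this `config.getString` has no default, so a clone built from a master that predates this commit (the cloning list gains `.keyalgorithm` only here) will throw at this line; a default derived from `.keytype` would be safer. createLocalCert starts before and continues after this hunk.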
@@ -284,14 +338,14 @@ public class CertUtil {
CMS.debug("Creating local certificate... issuerdn=" + dn);
CMS.debug("Creating local certificate... dn=" + dn);
info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), dn, dn, date,
- date);
+ date, keyAlgorithm);
} else {
String issuerdn = config.getString("preop.cert.signing.dn", "");
CMS.debug("Creating local certificate... issuerdn=" + issuerdn);
CMS.debug("Creating local certificate... dn=" + dn);
info = CryptoUtil.createX509CertInfo(x509key,
- serialNo.intValue(), issuerdn, dn, date, date);
+ serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm);
}
CMS.debug("Cert Template: " + info.toString());
@@ -352,13 +406,13 @@ public class CertUtil {
String caSigningKeyType =
config.getString("preop.cert.signing.keytype","rsa");
CMS.debug("CA Signing Key type " + caSigningKeyType);
+
if (caSigningKeyType.equals("ecc")) {
CMS.debug("Signing ECC certificate");
- cert = CryptoUtil.signECCCert(caPrik, info);
+ cert = CryptoUtil.signECCCert(caPrik, info, keyAlgorithm);
} else {
CMS.debug("Signing RSA certificate");
- cert = CryptoUtil.signCert(caPrik, info,
- SignatureAlgorithm.RSASignatureWithSHA1Digest);
+ cert = CryptoUtil.signCert(caPrik, info, keyAlgorithm);
}
if (cert != null) {
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index ae9acf9fe..843616822 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -435,48 +435,7 @@ public class DonePanel extends WizardPanelBase {
context.put("errorString", "Failed to update connector information.");
return;
}
-
- // retrieve CA subsystem certificate from the CA
- IUGSubsystem system =
- (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- String id = "";
- try {
- String b64 = getCASubsystemCert();
- if (b64 != null) {
- int num = cs.getInteger("preop.subsystem.count", 0);
- id = getCAUserId();
- num++;
- cs.putInteger("preop.subsystem.count", num);
- cs.putInteger("subsystem.count", num);
- IUser user = system.createUser(id);
- user.setFullName(id);
- user.setEmail("");
- user.setPassword("");
- user.setUserType("agentType");
- user.setState("1");
- user.setPhone("");
- X509CertImpl[] certs = new X509CertImpl[1];
- certs[0] = new X509CertImpl(CMS.AtoB(b64));
- user.setX509Certificates(certs);
- system.addUser(user);
- CMS.debug("DonePanel display: successfully add the user");
- system.addUserCert(user);
- CMS.debug("DonePanel display: successfully add the user certificate");
- cs.commit(false);
- }
- } catch (Exception e) {
- }
-
- try {
- String groupName = "Trusted Managers";
- IGroup group = system.getGroupFromName(groupName);
- if (!group.isMember(id)) {
- group.addMemberName(id);
- system.modifyGroup(group);
- CMS.debug("DonePanel display: successfully added the user to the group.");
- }
- } catch (Exception e) {
- }
+ setupClientAuthUser();
} // if KRA
// import the CA certificate into the OCSP
@@ -494,6 +453,8 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
CMS.debug("DonePanel display: Failed to update OCSP information in CA.");
}
+
+ setupClientAuthUser();
}
if (!select.equals("clone")) {
@@ -565,6 +526,7 @@ public class DonePanel extends WizardPanelBase {
cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", ""));
cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", ""));
cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", ""));
+ cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", ""));
cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", ""));
cs.putString("cloning." + ss + ".pubkey.exponent", cs.getString("preop.cert." + ss + ".pubkey.exponent", ""));
cs.putString("cloning." + ss + ".pubkey.modulus", cs.getString("preop.cert." + ss + ".pubkey.modulus", ""));
@@ -613,6 +575,54 @@ public class DonePanel extends WizardPanelBase {
context.put("csstate", "1");
}
+ private void setupClientAuthUser()
+ {
+ IConfigStore cs = CMS.getConfigStore();
+
+ // retrieve CA subsystem certificate from the CA
+ IUGSubsystem system =
+ (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ String id = "";
+ try {
+ String b64 = getCASubsystemCert();
+ if (b64 != null) {
+ int num = cs.getInteger("preop.subsystem.count", 0);
+ id = getCAUserId();
+ num++;
+ cs.putInteger("preop.subsystem.count", num);
+ cs.putInteger("subsystem.count", num);
+ IUser user = system.createUser(id);
+ user.setFullName(id);
+ user.setEmail("");
+ user.setPassword("");
+ user.setUserType("agentType");
+ user.setState("1");
+ user.setPhone("");
+ X509CertImpl[] certs = new X509CertImpl[1];
+ certs[0] = new X509CertImpl(CMS.AtoB(b64));
+ user.setX509Certificates(certs);
+ system.addUser(user);
+ CMS.debug("DonePanel display: successfully add the user");
+ system.addUserCert(user);
+ CMS.debug("DonePanel display: successfully add the user certificate");
+ cs.commit(false);
+ }
+ } catch (Exception e) {
+ }
+
+ try {
+ String groupName = "Trusted Managers";
+ IGroup group = system.getGroupFromName(groupName);
+ if (!group.isMember(id)) {
+ group.addMemberName(id);
+ system.modifyGroup(group);
+ CMS.debug("DonePanel display: successfully added the user to the group.");
+ }
+ } catch (Exception e) {
+ }
+ }
+
+
private void updateOCSPConfig(HttpServletResponse response)
throws IOException {
IConfigStore config = CMS.getConfigStore();
@@ -629,8 +639,9 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
}
- String ocsphost = CMS.getEESSLHost();
- int ocspport = Integer.parseInt(CMS.getEESSLPort());
+ String ocsphost = CMS.getAgentHost();
+ int ocspport = Integer.parseInt(CMS.getAgentPort());
+ int ocspagentport = Integer.parseInt(CMS.getAgentPort());
String session_id = CMS.getConfigSDSessionId();
String content = "xmlOutput=true&sessionID="+session_id+"&ocsp_host="+ocsphost+"&ocsp_port="+ocspport;
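Review bot: Both catch blocks in setupClientAuthUser are empty, so a failure to create the CA subsystem user or to attach its certificate leaves no trace, and the second block then runs with `id` still `""` and tries to add an empty member name to Trusted Managers. Since this commit moves OCSP publishing to the agent port with client authentication (UpdateOCSPConfig), a missing user means CRL publishing fails at runtime with nothing in the install log to explain why. At minimum log the exception in each catch, e.g. `CMS.debug("DonePanel setupClientAuthUser: " + e);`, and guard the group step with `if (id.length() == 0) return;`. In updateOCSPConfig the new `ocspagentport` local is never read — either drop it or use it for `ocsp_port` instead of parsing the agent port twice; updateOCSPConfig continues past the end of this hunk.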
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 167d9b818..475ac46d2 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -391,6 +391,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
c1.append(".keytype,");
c1.append("cloning.");
c1.append(t1);
+ c1.append(".keyalgorithm,");
+ c1.append("cloning.");
+ c1.append(t1);
c1.append(".privkey.id,");
c1.append("cloning.");
c1.append(t1);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 032724ebb..39cc2c211 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -130,6 +130,29 @@ public class SizePanel extends WizardPanelBase {
}
context.put("select", select);
+
+ String ecclist = "";
+ try {
+ ecclist = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC");
+ } catch (Exception e) {
+ }
+ context.put("ecclist", ecclist);
+
+ String rsalist = "";
+ try {
+ rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA");
+ } catch (Exception e) {
+ }
+
+ context.put("rsalist", rsalist);
+
+ String subsystemType = "";
+ try {
+ subsystemType = config.getString("pkicreate.subsystem_type");
+ } catch (Exception e) {
+ }
+ context.put("subsystemtype", subsystemType);
+
try {
// same token for now
String token = config.getString(PRE_CONF_CA_TOKEN);
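Review bot: The default for `preop.rsa.algorithm.list` offers `MD5withRSA` and `MD2withRSA` as CA signing algorithms; MD5 collisions are practical (a rogue CA certificate built from MD5 collisions was demonstrated in 2008) and MD2 is broken as well, so one click in this wizard can produce a CA whose every certificate and CRL is signed with a forgeable digest. Drop them from the shipped default, `rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA");`, and let a site that truly needs them set the config entry explicitly. The ECC list could likewise lead with the SHA-2 entries only, matching the `SHA256withEC` default the update path assumes. The enclosing display method starts before this hunk.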
@@ -229,6 +252,15 @@ public class SizePanel extends WizardPanelBase {
continue;
String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc
+ String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm");
+
+ if (keyalgorithm == null) {
+ if (keytype != null && keytype.equals("ecc")) {
+ keyalgorithm = "SHA256withEC";
+ } else {
+ keyalgorithm = "SHA256withRSA";
+ }
+ }
String select = HttpInput.getID(request, ct + "_choice");
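Review bot: `keyalgorithm` is taken verbatim from the request parameter and, in the following hunks, stored under `preop.cert.<tag>.keyalgorithm` and copied into `ca.signing.defaultSigningAlgorithm` and the CRL/OCSP entries, but it is never checked against the `preop.{rsa,ecc}.algorithm.list` the panel offered nor against `keytype`; `SHA256withRSA` for an ECC key, or a typo, is accepted here and only blows up much later in CryptoUtil. Validate it before it is persisted, using the error path update() already uses (this needs `java.util.Arrays` in scope); the enclosing update method starts before and continues after this hunk.
```java
            String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm");
            boolean isEcc = keytype != null && keytype.equals("ecc");
            if (keyalgorithm == null) {
                keyalgorithm = isEcc ? "SHA256withEC" : "SHA256withRSA";
            }
            // accept only what the panel offered, and only for the matching key type
            String allowed = config.getString(
                    isEcc ? "preop.ecc.algorithm.list" : "preop.rsa.algorithm.list",
                    isEcc ? "SHA256withEC" : "SHA256withRSA");
            if (!Arrays.asList(allowed.split(",")).contains(keyalgorithm)) {
                // … reject: set errorString and return as the other panels do …
            }
```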
@@ -243,6 +275,8 @@ public class SizePanel extends WizardPanelBase {
config.getString(PCERT_PREFIX+ct+".keysize.size", "");
String oldkeytype =
config.getString(PCERT_PREFIX + ct + ".keytype", "");
+ String oldkeyalgorithm =
+ config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "");
if (select.equals("default")) {
// XXXrenaming these...keep for now just in case
@@ -258,6 +292,7 @@ public class SizePanel extends WizardPanelBase {
}
config.putString(PCERT_PREFIX + ct + ".keytype", keytype);
+ config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm);
config.putString(PCERT_PREFIX + ct + ".keysize.select",
"default");
if (keytype != null && keytype.equals("ecc")) {
@@ -282,6 +317,7 @@ public class SizePanel extends WizardPanelBase {
HttpInput.getKeySize(request, ct + "_custom_size", keytype));
config.putString(PCERT_PREFIX + ct + ".keytype", keytype);
+ config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm);
config.putString(PCERT_PREFIX + ct + ".keysize.select",
"custom");
config.putString(PCERT_PREFIX + ct + ".keysize.custom_size",
@@ -297,8 +333,11 @@ public class SizePanel extends WizardPanelBase {
config.getString(PCERT_PREFIX+ct+".keysize.size", "");
String newkeytype =
config.getString(PCERT_PREFIX + ct + ".keytype", "");
+ String newkeyalgorithm =
+ config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "");
if (!oldkeysize.equals(newkeysize) ||
- !oldkeytype.equals(newkeytype))
+ !oldkeytype.equals(newkeytype) ||
+ !oldkeyalgorithm.equals(newkeyalgorithm))
hasChanged = true;
}// while
@@ -342,9 +381,10 @@ public class SizePanel extends WizardPanelBase {
try {
String keytype = config.getString(PCERT_PREFIX + ct + ".keytype");
+ String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
int keysize = config.getInteger(
PCERT_PREFIX + ct + ".keysize.size");
-
+
if (keytype.equals("rsa")) {
createRSAKeyPair(token, keysize, config, ct);
@@ -442,6 +482,12 @@ public class SizePanel extends WizardPanelBase {
config.putString(PCERT_PREFIX + ct + ".pubkey.encoded",
CryptoUtil.byte2string(encoded));
+ String keyAlgo = "";
+ try {
+ keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
+ } catch (Exception e1) {
+ }
+
// set default signing algorithm for CA
String systemType = "";
try {
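Review bot: If `preop.cert.<tag>.keyalgorithm` is absent, the empty catch leaves `keyAlgo` as `""`, and in the next hunk that empty string is written to `ocsp.signing.defaultSigningAlgorithm`, `ca.signing.defaultSigningAlgorithm`, `ca.crl.MasterCRL.signingAlgorithm` and `ca.ocsp_signing.defaultSigningAlgorithm`, where the code used to hard-code `SHA1withEC`. Initialise the fallback to the default the panel assumes for ECC keys, `String keyAlgo = "SHA256withEC";`, and log the exception in the catch, e.g. `CMS.debug("SizePanel: keyalgorithm not set for " + ct + ": " + e1);`. The enclosing ECC key-pair method starts before and continues after this hunk.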
@@ -452,20 +498,20 @@ public class SizePanel extends WizardPanelBase {
if (systemType.equals("OCSP")) {
if (ct.equals("signing")) {
config.putString("ocsp.signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
}
if (systemType.equals("CA")) {
if (ct.equals("signing")) {
config.putString("ca.signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
config.putString("ca.crl.MasterCRL.signingAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
if (ct.equals("ocsp_signing")) {
config.putString("ca.ocsp_signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
}
@@ -498,15 +544,21 @@ public class SizePanel extends WizardPanelBase {
config.putString(PCERT_PREFIX + ct + ".pubkey.exponent",
CryptoUtil.byte2string(exponent));
+ String keyAlgo = "";
+ try {
+ keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
+ } catch (Exception e1) {
+ }
+
if (ct.equals("signing")) {
config.putString("ca.signing.defaultSigningAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
config.putString("ca.crl.MasterCRL.signingAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
}
if (ct.equals("ocsp_signing")) {
config.putString("ca.ocsp_signing.defaultSigningAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
}
}
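Review bot: Same issue as the ECC path: a missing `preop.cert.<tag>.keyalgorithm` is swallowed and `keyAlgo` stays `""`, which is then stored as `ca.signing.defaultSigningAlgorithm`, `ca.crl.MasterCRL.signingAlgorithm` and `ca.ocsp_signing.defaultSigningAlgorithm` in place of the former `SHA1withRSA`. Use `String keyAlgo = "SHA256withRSA";` as the fallback (the default update() picks for RSA keys) and log the exception instead of leaving the catch empty. The enclosing RSA key-pair method starts before this hunk.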
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
index f105ea95b..b2b8b5d28 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
@@ -99,18 +99,34 @@ public class UpdateOCSPConfig extends CMSServlet {
return;
}
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = "";
+
+ // get nickname
+ try {
+ nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ } catch (Exception e) {
+ }
+
+ CMS.debug("UpdateOCSPConfig process: nickname="+nickname);
+
String ocsphost = httpReq.getParameter("ocsp_host");
String ocspport = httpReq.getParameter("ocsp_port");
try {
- IConfigStore cs = CMS.getConfigStore();
cs.putString("ca.publish.enable", "true");
cs.putString("ca.publish.publisher.instance.OCSPPublisher.host",
ocsphost);
cs.putString("ca.publish.publisher.instance.OCSPPublisher.port",
ocspport);
+ cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName",
+ nickname);
cs.putString("ca.publish.publisher.instance.OCSPPublisher.path",
- "/ocsp/ee/ocsp/addCRL");
+ "/ocsp/agent/ocsp/addCRL");
cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher");
+ cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true");
cs.putString("ca.publish.rule.instance.ocsprule.enable", "true");
cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap");
cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule");
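Review bot: If reading `ca.subsystem.nickname` or `ca.subsystem.tokenname` fails, the catch is silent and `nickname` stays `""`, yet it is still stored as `OCSPPublisher.nickName` while `enableClientAuth` is set to `true`, yielding a publisher that cannot authenticate to the new `/ocsp/agent/ocsp/addCRL` path and fails only at the first CRL push. Log the exception, and treat an empty nickname as an error for this request rather than persisting it, e.g. `if (nickname.length() == 0) { CMS.debug("UpdateOCSPConfig: no CA subsystem cert nickname"); return; }` reporting the failure the way the earlier checks in process() do. The `internal` / `Internal Key Storage Token` comparison presumably mirrors how the rest of the code builds token-qualified nicknames; a shared helper would keep that in one place. process() continues past the end of this hunk.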