authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-01-12 22:48:13 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-01-12 22:48:13 +0000
commitd44d27b338f6a980c5d5879a919ee9eb6d84a20e (patch)
tree01ef7175354f8749a666127bdc9b7eb269baf6aa /pki/base
parent8de8a1ad60d7a5942c618c604e05c3b68e8af3af (diff)
Bug 666902 - TPS needs to call CERT_VerifyCertificate() correctly
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1728 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/tps/doc/CS.cfg.in3
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm33
-rw-r--r--pki/base/tps/src/engine/RA.cpp66
3 files changed, 68 insertions, 34 deletions
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in
index 2c7ec6020..5ebc6fba6 100644
--- a/pki/base/tps/doc/CS.cfg.in
+++ b/pki/base/tps/doc/CS.cfg.in
@@ -374,6 +374,9 @@ preop.cert._000=#########################################
preop.cert._001=# Installation configuration "preop" certs parameters
preop.cert._002=#########################################
preop.cert.list=sslserver,subsystem,audit_signing
+tps.cert.audit_signing.certusage=ObjectSigner
+tps.cert.sslserver.certusage=SSLServer
+tps.cert.subsystem.certusage=SSLClient
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.audit_signing.enable=false
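Review bot: The three new `tps.cert.<tag>.certusage` keys on lines 30-32 are placed inside the block that the `preop.cert._001` banner labels as installation-time "preop" parameters, yet they are runtime settings consumed by RA::verifySystemCerts (the RA.cpp hunk in this commit lists exactly these keys in its comment). If the file has a `tps.cert.*` section elsewhere, the keys belong there; otherwise a one-line header such as `# certificate usages checked by RA::verifySystemCerts at startup` above line 30 would stop a reader from assuming they are only used during configuration. The values themselves agree with the updated comment in RA.cpp (audit_signing=ObjectSigner).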
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index 9aca3b627..6166b54cc 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -113,6 +113,13 @@ sub register_tps
my $tokenname = $::config->get("preop.module.token");
&PKI::TPS::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ open FILE, ">$instDir/conf/.pwfile";
+ system( "chmod 00660 $instDir/conf/.pwfile" );
+ $token_pwd =~ s/\n//g;
+ print FILE $token_pwd;
+ close FILE;
+
if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
$hw = "";
$tk = "";
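Review bot: The block moved to lines 44-48 creates `.pwfile` with whatever mode the process umask yields and only tightens it afterwards through a shelled-out `chmod`, so the token password briefly sits in a file whose permissions are not under the script's control, and neither the 2-arg bareword `open` nor `system` is checked — if the open fails, `print FILE` silently writes nothing and the later certutil call runs against a missing password file. Creating the file with the mode in place avoids both problems: `sysopen my $fh, "$instDir/conf/.pwfile", O_WRONLY|O_CREAT|O_TRUNC, 0660 or die "cannot write $instDir/conf/.pwfile: $!";` then `print {$fh} $token_pwd; close $fh or die "cannot close .pwfile: $!";` (needs `use Fcntl;`, which exports the `O_*` constants; the umask can only remove bits, so the file is never created more open than 0660 and the `chmod` line becomes unnecessary). The same create-then-chmod pattern is added again in display() at lines 81-85 and should get the same treatment. register_tps begins before this hunk, so any surrounding error handling is not visible here.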
@@ -121,15 +128,10 @@ sub register_tps
$tk = $tokenname.":";
}
- my $token_pwd = $::pwdconf->get($tokenname);
- open FILE, ">$instDir/conf/.pwfile";
- system( "chmod 00660 $instDir/conf/.pwfile" );
- $token_pwd =~ s/\n//g;
- print FILE $token_pwd;
- close FILE;
-
my $subsystemNickname = $::config->get("preop.cert.subsystem.nickname");
+
my $certificate = `/usr/bin/certutil -d "$instDir/alias" -L $hw -f "$instDir/conf/.pwfile" -n "$subsystemNickname" -a`;
+ my $tmp = `rm $instDir/conf/.pwfile`;
$certificate =~ s/-----BEGIN CERTIFICATE-----//g;
$certificate =~ s/-----END CERTIFICATE-----//g;
$certificate =~ s/\n$//g;
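Review bot: Line 66 removes the password file by running `rm` through backticks with `$instDir` interpolated into a shell command line, and the captured output in `$tmp` is never examined, so a failed removal goes unnoticed and the password stays on disk. Perl's builtin does the same job without a shell and reports failure: `unlink "$instDir/conf/.pwfile" or &PKI::TPS::Wizard::debug_log("DonePanel: cannot remove .pwfile: $!");`. The identical backtick `rm` is added in display() at line 94. Moving the removal to directly after the certutil call (rather than at the end of the sub, as before) is an improvement this commit already makes; the note is only about how the removal is done.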
@@ -171,7 +173,6 @@ sub register_tps
} else {
&PKI::TPS::Wizard::debug_log("DonePanel: result undefined");
}
- my $tmp = `rm $instDir/conf/.pwfile`;
}
sub get_kra_transport_cert
@@ -323,6 +324,22 @@ sub display
&PKI::TPS::Wizard::debug_log("DonePanel: No KRA setup");
}
+ # Give Object Signing capability to audit_signing cert
+ open FILE, ">$instDir/conf/.pwfile";
+ system( "chmod 00660 $instDir/conf/.pwfile" );
+ $token_pwd =~ s/\n//g;
+ print FILE $token_pwd;
+ close FILE;
+ my $hw;
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ } else {
+ $hw = "-h $tokenname";
+ }
+ my $auditSigningNickname = $::config->get("preop.cert.audit_signing.nickname");
+ my $tmp = `/usr/bin/certutil -d "$instDir/alias" -M $hw -f "$instDir/conf/.pwfile" -n "$auditSigningNickname" -t "u,u,Pu"`;
+ $tmp = `rm $instDir/conf/.pwfile`;
+
$::config->put("preop.done.status", "done");
$::config->put("tps.configured", "true");
$::config->commit();
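Review bot: The exit status of the `certutil -M` call on line 93 is never checked — its output lands in `$tmp` and is overwritten by the `rm` result on line 94 — so a failed trust change (wrong token password, nickname not found, token not present) still falls through to `preop.done.status=done` and `tps.configured=true` on lines 96-97, leaving the audit_signing certificate without the object-signing trust the comment on line 80 says it is granting. Checking `$?` right after the backticks, e.g. `if ($? != 0) { &PKI::TPS::Wizard::debug_log("DonePanel: certutil -M failed for $auditSigningNickname: $tmp"); }`, at least records the failure in the log before the panel declares the configuration complete. Unrelated but in the same lines: `-h $tokenname` on line 90 is interpolated unquoted, so a token name containing spaces would be split by the shell, unlike the quoted `-n "$auditSigningNickname"`. `$token_pwd` and `$tokenname` are not declared in this hunk; presumably display() sets them earlier, but that part of the sub is outside the view.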
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp
index 332e94e40..b767cc3f0 100644
--- a/pki/base/tps/src/engine/RA.cpp
+++ b/pki/base/tps/src/engine/RA.cpp
@@ -3206,40 +3206,54 @@ TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char
RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "error: invalid certificate usage %s for cert %s", (certusage !=NULL)? certusage:"", nickname);
return false;
}
- SECCertificateUsage usage;
+ SECCertificateUsage currUsage = 0;
cert = CERT_FindCertByNickname(certdb, nickname);
if (cert == NULL) {
RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "nickname not found:%s",
nickname);
} else {
- rv = CERT_VerifyCertificateNow(certdb, cert, true, cu , NULL, &usage);
+ rv = CERT_VerifyCertificateNow(certdb, cert, true, cu , NULL, &currUsage);
/*
* to find actual certificate usage, pass 0 as cu in above call
*/
if (cu == certificateUsageCheckAllUsages) {
- if (usage & certificateUsageSSLServer)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
- if (usage & certificateUsageSSLServerWithStepUp)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServerWithStepUp");
- if (usage & certificateUsageSSLClient)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
- if (usage & certificateUsageAnyCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
- if (usage & certificateUsageSSLCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLCA");
- if (usage & certificateUsageEmailSigner)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
- if (usage & certificateUsageStatusResponder)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is StatusResponder");
- if (usage & certificateUsageObjectSigner)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ObjectSigner");
- if (usage & certificateUsageUserCertImport)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is UserCertImport");
- if (usage & certificateUsageProtectedObjectSigner)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ProtectedObjectSigner");
- if (usage & certificateUsageVerifyCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is VerifyCA");
+ if (currUsage & certificateUsageSSLServer)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
+ if (currUsage & certificateUsageSSLServerWithStepUp)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServerWithStepUp");
+ if (currUsage & certificateUsageSSLClient)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
+ if (currUsage & certificateUsageAnyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
+ if (currUsage & certificateUsageSSLCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLCA");
+ if (currUsage & certificateUsageEmailSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
+ if (currUsage & certificateUsageStatusResponder)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is StatusResponder");
+ if (currUsage & certificateUsageObjectSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ObjectSigner");
+ if (currUsage & certificateUsageUserCertImport)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is UserCertImport");
+ if (currUsage & certificateUsageProtectedObjectSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ProtectedObjectSigner");
+ if (currUsage & certificateUsageVerifyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is VerifyCA");
+
+ if (currUsage ==
+ /* 0x0b80 */
+ ( certUsageUserCertImport |
+ certUsageVerifyCA |
+ certUsageProtectedObjectSigner |
+ certUsageAnyCA )) { /* cert is good for nothing */
+
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() failed:", "cert is good for nothing: %d %s", currUsage, nickname);
+ rv = SECFailure;
+ } else {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() passed:", "%s", nickname);
+ rv = SECSuccess;
+ }
}
}
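Review bot: The mask built on lines 167-170 uses the `certUsage*` constants, which in NSS are the small SECCertUsage enum values (certUsageUserCertImport, certUsageVerifyCA, certUsageProtectedObjectSigner and certUsageAnyCA are 7, 8, 9 and 11 in certt.h), whereas `currUsage` is a SECCertificateUsage bitmask made of the `certificateUsage*` flags that lines 142-163 correctly test; ORing the enum values gives 0x0f, not the 0x0b80 that the comment on line 166 documents, so the "good for nothing" branch can never match its intended value and every certificate reaching this point is reported as passed. The comparison should read `if (currUsage == ( certificateUsageUserCertImport | certificateUsageVerifyCA | certificateUsageProtectedObjectSigner | certificateUsageAnyCA )) {`, matching the 0x0b80 annotation. A second concern: the else branch on lines 174-177 unconditionally sets `rv = SECSuccess`, discarding whatever CERT_VerifyCertificateNow returned on line 115; if that call can fail while still filling in usage bits, the override masks the failure, which is worth confirming against the NSS semantics before relying on this path. verifySystemCertByNickname both begins and ends outside this hunk.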
@@ -3259,7 +3273,7 @@ TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char
* tps.cert.subsystem.nickname=xxx
* tps.cert.subsystem.certusage=SSLClient
* tps.cert.audit_signing.nickname=xxx
- * tps.cert.audit_signing.certusage=EmailSigner
+ * tps.cert.audit_signing.certusage=ObjectSigner
*/
TPS_PUBLIC bool RA::verifySystemCerts() {
bool rv = false;
@@ -3305,7 +3319,7 @@ TPS_PUBLIC bool RA::verifySystemCerts() {
cu = store->GetConfigAsString(configname_cu, NULL);
if ((cu == NULL) || *cu==0) {
RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
- "certificate usage not found for cert tag:%s not checking certificate usage", sresult);
+ "certificate usage not found for cert tag:%s. Getting current certificate usage", sresult);
} else {
RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
"found certificate usage:%s", cu);