author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-12 22:48:13 +0000 |
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-12 22:48:13 +0000 |
commit | d44d27b338f6a980c5d5879a919ee9eb6d84a20e (patch) | |
tree | 01ef7175354f8749a666127bdc9b7eb269baf6aa /pki/base | |
parent | 8de8a1ad60d7a5942c618c604e05c3b68e8af3af (diff) | |
Bug 666902 - TPS needs to call CERT_VerifyCertificate() correctly
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1728 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/tps/doc/CS.cfg.in | 3 | ||||
-rwxr-xr-x | pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm | 33 | ||||
-rw-r--r-- | pki/base/tps/src/engine/RA.cpp | 66 |
3 files changed, 68 insertions, 34 deletions
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in index 2c7ec6020..5ebc6fba6 100644 --- a/pki/base/tps/doc/CS.cfg.in +++ b/pki/base/tps/doc/CS.cfg.in @@ -374,6 +374,9 @@ preop.cert._000=######################################### preop.cert._001=# Installation configuration "preop" certs parameters preop.cert._002=######################################### preop.cert.list=sslserver,subsystem,audit_signing +tps.cert.audit_signing.certusage=ObjectSigner +tps.cert.sslserver.certusage=SSLServer +tps.cert.subsystem.certusage=SSLClient preop.cert.sslserver.enable=true preop.cert.subsystem.enable=true preop.cert.audit_signing.enable=false diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm index 9aca3b627..6166b54cc 100755 --- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm +++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm @@ -113,6 +113,13 @@ sub register_tps my $tokenname = $::config->get("preop.module.token"); &PKI::TPS::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname"); + my $token_pwd = $::pwdconf->get($tokenname); + open FILE, ">$instDir/conf/.pwfile"; + system( "chmod 00660 $instDir/conf/.pwfile" ); + $token_pwd =~ s/\n//g; + print FILE $token_pwd; + close FILE; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { $hw = ""; $tk = ""; @@ -121,15 +128,10 @@ sub register_tps $tk = $tokenname.":"; } - my $token_pwd = $::pwdconf->get($tokenname); - open FILE, ">$instDir/conf/.pwfile"; - system( "chmod 00660 $instDir/conf/.pwfile" ); - $token_pwd =~ s/\n//g; - print FILE $token_pwd; - close FILE; - my $subsystemNickname = $::config->get("preop.cert.subsystem.nickname"); + my $certificate = `/usr/bin/certutil -d "$instDir/alias" -L $hw -f "$instDir/conf/.pwfile" -n "$subsystemNickname" -a`; + my $tmp = `rm $instDir/conf/.pwfile`; $certificate =~ s/-----BEGIN CERTIFICATE-----//g; $certificate =~ s/-----END CERTIFICATE-----//g; $certificate =~ s/\n$//g; 
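Review bot: In the added `open FILE, ">$instDir/conf/.pwfile";` / `system( "chmod 00660 $instDir/conf/.pwfile" );` lines of the register_tps hunk, the token password file is created with whatever mode the process umask yields and only tightened afterwards, and neither the open nor the chmod result is checked, so the password is either briefly exposed or, on failure, not written at all while certutil still runs. The display hunk at @@ -323 repeats the same sequence. Creating the file with its final mode in a single step removes both the window and the external chmod: `sysopen(FILE, "$instDir/conf/.pwfile", O_WRONLY|O_CREAT|O_TRUNC, 0660) or &PKI::TPS::Wizard::debug_log("DonePanel: cannot create .pwfile: $!");` with `use Fcntl;` in scope. register_tps begins before this hunk.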
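Review bot: The `rm $instDir/conf/.pwfile` backtick call added after the certutil line spawns a shell with `$instDir` interpolated unquoted and discards the outcome, so a leftover password file is never noticed; `unlink("$instDir/conf/.pwfile") or &PKI::TPS::Wizard::debug_log("DonePanel: cannot remove .pwfile: $!");` does the same work without a shell and records the failure. Moving the removal next to the certutil call is the right direction, but the certutil exit status (`$?`) is still not examined, so an empty `$certificate` is carried on to whatever consumes it after the hunk. register_tps continues outside this hunk.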
@@ -171,7 +173,6 @@ sub register_tps } else { &PKI::TPS::Wizard::debug_log("DonePanel: result undefined"); } - my $tmp = `rm $instDir/conf/.pwfile`; } sub get_kra_transport_cert @@ -323,6 +324,22 @@ sub display &PKI::TPS::Wizard::debug_log("DonePanel: No KRA setup"); } + # Give Object Signing capability to audit_signing cert + open FILE, ">$instDir/conf/.pwfile"; + system( "chmod 00660 $instDir/conf/.pwfile" ); + $token_pwd =~ s/\n//g; + print FILE $token_pwd; + close FILE; + my $hw; + if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) { + $hw = ""; + } else { + $hw = "-h $tokenname"; + } + my $auditSigningNickname = $::config->get("preop.cert.audit_signing.nickname"); + my $tmp = `/usr/bin/certutil -d "$instDir/alias" -M $hw -f "$instDir/conf/.pwfile" -n "$auditSigningNickname" -t "u,u,Pu"`; + $tmp = `rm $instDir/conf/.pwfile`; + $::config->put("preop.done.status", "done"); $::config->put("tps.configured", "true"); $::config->commit(); diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp index 332e94e40..b767cc3f0 100644 --- a/pki/base/tps/src/engine/RA.cpp +++ b/pki/base/tps/src/engine/RA.cpp 
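Review bot: The display hunk at @@ -323 writes `$token_pwd` and reads `$tokenname` without assigning either inside the hunk; if they are not already set earlier in display (whose start is outside the hunk), the .pwfile is written empty and the `certutil -M ... -t "u,u,Pu"` call fails silently, because both its output (`$tmp`) and its exit status (`$?`) are discarded. Checking `$?` after that call and logging through `&PKI::TPS::Wizard::debug_log` when it is non-zero would make a failed trust-flag update visible instead of leaving the audit-signing certificate without the flag this commit appears to depend on. The removal via `rm` on the following line could likewise be `unlink`.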
@@ -3206,40 +3206,54 @@ TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char
 RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "error: invalid certificate usage %s for cert %s", (certusage !=NULL)? certusage:"", nickname);
 return false;
 }
- SECCertificateUsage usage;
+ SECCertificateUsage currUsage = 0;
 cert = CERT_FindCertByNickname(certdb, nickname);
 if (cert == NULL) {
 RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "nickname not found:%s", nickname);
 } else {
- rv = CERT_VerifyCertificateNow(certdb, cert, true, cu , NULL, &usage);
+ rv = CERT_VerifyCertificateNow(certdb, cert, true, cu , NULL, &currUsage);
 /*
 * to find actual certificate usage, pass 0 as cu in above call
 */
 if (cu == certificateUsageCheckAllUsages) {
- if (usage & certificateUsageSSLServer)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
- if (usage & certificateUsageSSLServerWithStepUp)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServerWithStepUp");
- if (usage & certificateUsageSSLClient)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
- if (usage & certificateUsageAnyCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
- if (usage & certificateUsageSSLCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLCA");
- if (usage & certificateUsageEmailSigner)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
- if (usage & certificateUsageStatusResponder)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is StatusResponder");
- if (usage & certificateUsageObjectSigner)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ObjectSigner");
- if (usage & certificateUsageUserCertImport)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is UserCertImport");
- if (usage & certificateUsageProtectedObjectSigner)
- 
RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ProtectedObjectSigner");
- if (usage & certificateUsageVerifyCA)
- RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is VerifyCA");
+ if (currUsage & certificateUsageSSLServer)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
+ if (currUsage & certificateUsageSSLServerWithStepUp)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServerWithStepUp");
+ if (currUsage & certificateUsageSSLClient)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
+ if (currUsage & certificateUsageAnyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
+ if (currUsage & certificateUsageSSLCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLCA");
+ if (currUsage & certificateUsageEmailSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
+ if (currUsage & certificateUsageStatusResponder)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is StatusResponder");
+ if (currUsage & certificateUsageObjectSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ObjectSigner");
+ if (currUsage & certificateUsageUserCertImport)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is UserCertImport");
+ if (currUsage & certificateUsageProtectedObjectSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is ProtectedObjectSigner");
+ if (currUsage & certificateUsageVerifyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is VerifyCA");
+
+ if (currUsage ==
+ /* 0x0b80 */
+ ( certUsageUserCertImport |
+ certUsageVerifyCA |
+ certUsageProtectedObjectSigner |
+ certUsageAnyCA )) { /* cert is good for nothing */
+
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() failed:", "cert is good for nothing: %d %s", currUsage, nickname);
+ rv = 
SECFailure;
+ } else {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() passed:", "%s", nickname);
+ rv = SECSuccess;
+ }
 }
 }
@@ -3259,7 +3273,7 @@ TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char
 * tps.cert.subsystem.nickname=xxx
 * tps.cert.subsystem.certusage=SSLClient
 * tps.cert.audit_signing.nickname=xxx
- * tps.cert.audit_signing.certusage=EmailSigner
+ * tps.cert.audit_signing.certusage=ObjectSigner
 */
 TPS_PUBLIC bool RA::verifySystemCerts() {
 bool rv = false;
@@ -3305,7 +3319,7 @@ TPS_PUBLIC bool RA::verifySystemCerts() {
 cu = store->GetConfigAsString(configname_cu, NULL);
 if ((cu == NULL) || *cu==0) {
 RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
- "certificate usage not found for cert tag:%s not checking certificate usage", sresult);
+ "certificate usage not found for cert tag:%s. Getting current certificate usage", sresult);
 } else {
 RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts", "found certificate usage:%s", cu); |
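Review bot: The "good for nothing" comparison in the @@ -3206 hunk ORs the `certUsage*` enum ordinals (`certUsageUserCertImport`, `certUsageVerifyCA`, `certUsageProtectedObjectSigner`, `certUsageAnyCA`), but `currUsage` is filled by CERT_VerifyCertificateNow with the `certificateUsage*` bit flags that the eleven tests just above it use, so the value compared is never the 0x0b80 the comment names and a certificate that validates only for those four catch-all usages still passes. The `else` branch then overwrites `rv` with SECSuccess, discarding whatever CERT_VerifyCertificateNow returned, and a `currUsage` of 0 (no usage validated) also lands in that branch. `SECCertificateUsage` is a 64-bit type in NSS, so printing it with `%d` is a further mismatch. The rewrite below uses the bit-flag constants, keeps the verify result, and treats an empty usage mask as failure; verifySystemCertByNickname begins before and ends after this hunk.
```cpp
            if (cu == certificateUsageCheckAllUsages) {
                // … unchanged: per-usage RA::Debug lines …

                /* usages NSS grants to almost any valid cert; these are the
                 * certificateUsage* bit flags currUsage is composed of, not
                 * the certUsage* enum ordinals */
                const SECCertificateUsage uselessOnly =
                    certificateUsageUserCertImport |
                    certificateUsageVerifyCA |
                    certificateUsageProtectedObjectSigner |
                    certificateUsageAnyCA;            /* 0x0b80 */

                if (rv != SECSuccess || currUsage == 0 || currUsage == uselessOnly) {
                    RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() failed:",
                              "cert is good for nothing: %ld %s", (long)currUsage, nickname);
                    rv = SECFailure;
                } else {
                    RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname() passed:", "%s", nickname);
                }
            }
```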