Bug 744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1)

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2274 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

3 files changed, 35 insertions, 16 deletions

diff --git a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
index b60b73c9a..cc8789390 100644
--- a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -937,10 +937,16 @@ public abstract class EnrollProfile extends BasicProfile
             sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
             if (sigver) {
                 CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled");
-                String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
-                   "Internal Key Storage Token");
+                String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
                 savedToken = cm.getThreadToken();
-                CryptoToken signToken = cm.getTokenByName(tokenName);
+                CryptoToken signToken = null;
+                if (tokenName.equals("internal")) {
+                    CMS.debug("EnrollProfile: parsePKCS10: use internal token");
+                    signToken = cm.getInternalCryptoToken();
+                } else {
+                    CMS.debug("EnrollProfile: parsePKCS10: tokenName="+ tokenName);
+                    signToken = cm.getTokenByName(tokenName);
+                }
                 CMS.debug("EnrollProfile: parsePKCS10 setting thread token");
                 cm.setThreadToken(signToken);
                 pkcs10 = new PKCS10(data);
@@ -1365,15 +1371,14 @@ public abstract class EnrollProfile extends BasicProfile
 
         try {
             CryptoManager cm = CryptoManager.getInstance();
-            String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
-                   "Internal Key Storage Token");
-            CryptoToken verifyToken = cm.getTokenByName(tokenName);
-            if (tokenName.equals("Internal Key Storage Token")) {
-                //use internal token
+            CryptoToken verifyToken = null;
+            String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
+            if (tokenName.equals("internal")) {
                 CMS.debug("POP verification using internal token");
                 certReqMsg.verify();
             } else {
                 CMS.debug("POP verification using token:"+ tokenName);
+                verifyToken = cm.getTokenByName(tokenName);
                 certReqMsg.verify(verifyToken);
             }
 
diff --git a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
index 949e58b1a..f704a2297 100644
--- a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -198,15 +198,15 @@ public abstract class EnrollInput implements IProfileInput {
             }
             CMS.debug("POP verification begins:");
             CryptoManager cm = CryptoManager.getInstance();
-            String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
-                   "Internal Key Storage Token");
-            CryptoToken verifyToken = cm.getTokenByName(tokenName);
-            if (tokenName.equals("Internal Key Storage Token")) {
-                //use internal token
+
+            CryptoToken verifyToken = null;
+            String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
+            if (tokenName.equals("internal")) {
                 CMS.debug("POP verification using internal token");
                 certReqMsg.verify();
             } else {
                 CMS.debug("POP verification using token:"+ tokenName);
+                verifyToken = cm.getTokenByName(tokenName);
                 certReqMsg.verify(verifyToken);
             }
 
diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
index 5e0c77e25..da3c3a87c 100644
--- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -126,11 +126,21 @@ public class RecoveryService implements IService {
             cm = CryptoManager.getInstance();
             config = CMS.getConfigStore();
             tokName = config.getString("kra.storageUnit.hardware", "internal");
-        CMS.debug("RecoveryService: tokenName="+tokName);
-            ct = cm.getTokenByName(tokName);
+            if (tokName.equals("internal")) {
+                CMS.debug("RecoveryService: serviceRequest: use internal token ");
+                ct = cm.getInternalCryptoToken();
+            } else {
+                CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName);
+                ct = cm.getTokenByName(tokName);
+            }
             allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false);
         } catch (Exception e) {
-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+            CMS.debug("RecoveryService exception: use internal token :"
+                 + e.toString());
+            ct = cm.getInternalCryptoToken();
+        }
+        if (ct == null) {
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token")); 
         }
 
         IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
@@ -413,6 +423,7 @@ public class RecoveryService implements IService {
      */
     public void createPFX(IRequest request, Hashtable params, 
         PrivateKey priKey, CryptoToken ct) throws EBaseException {
+        CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false");
         try {
             // create p12
             X509Certificate x509cert =
@@ -421,6 +432,7 @@ public class RecoveryService implements IService {
 
             // add certificate
             mKRA.log(ILogger.LL_INFO, "KRA adds certificate to P12");
+            CMS.debug("RecoverService: createPFX() adds certificate to P12");
             SEQUENCE encSafeContents = new SEQUENCE();
             ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
             String nickname = request.getExtDataInString(ATTR_NICKNAME);
@@ -440,6 +452,7 @@ public class RecoveryService implements IService {
 
             // add key
             mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
+            CMS.debug("RecoverService: createPFX() adds key to P12");
             org.mozilla.jss.util.Password pass = new 	
                 org.mozilla.jss.util.Password(
                     pwd.toCharArray());
@@ -536,6 +549,7 @@ public class RecoveryService implements IService {
      */
     public void createPFX(IRequest request, Hashtable params, 
         byte priData[]) throws EBaseException {
+        CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true");
         try {
             // create p12
             X509Certificate x509cert =