authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-10-22 19:09:25 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-10-22 19:09:25 +0000
commit0acd942a0ff6558eb2b34b97188c7f80603911df (patch)
treebe52dd916c8ac91c9bccf82b2209436570306eba /pki
parent93a2f2630e5c10b3e1744df4daf8f0291203b17b (diff)
Bug 744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2274 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java21
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java10
-rw-r--r--pki/base/kra/src/com/netscape/kra/RecoveryService.java20
3 files changed, 35 insertions, 16 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
index b60b73c9a..cc8789390 100644
--- a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -937,10 +937,16 @@ public abstract class EnrollProfile extends BasicProfile
sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
if (sigver) {
CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled");
- String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
- "Internal Key Storage Token");
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
savedToken = cm.getThreadToken();
- CryptoToken signToken = cm.getTokenByName(tokenName);
+ CryptoToken signToken = null;
+ if (tokenName.equals("internal")) {
+ CMS.debug("EnrollProfile: parsePKCS10: use internal token");
+ signToken = cm.getInternalCryptoToken();
+ } else {
+ CMS.debug("EnrollProfile: parsePKCS10: tokenName="+ tokenName);
+ signToken = cm.getTokenByName(tokenName);
+ }
CMS.debug("EnrollProfile: parsePKCS10 setting thread token");
cm.setThreadToken(signToken);
pkcs10 = new PKCS10(data);
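Review bot: The default path now takes `cm.getInternalCryptoToken()`, while the removed default resolved the name "Internal Key Storage Token" through `getTokenByName`. JSS exposes the internal crypto token and the internal key storage token through separate accessors, so this may put signature verification on a different token than before; that is worth confirming against a non-FIPS NSS database. A short comment on the new branch would record the intent, for example `// "internal" maps to the JSS internal crypto token, not the key storage token`. The restore of `savedToken` and the rest of parsePKCS10 lie outside the hunk, so the thread-token reset cannot be checked from here.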
@@ -1365,15 +1371,14 @@ public abstract class EnrollProfile extends BasicProfile
try {
CryptoManager cm = CryptoManager.getInstance();
- String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
- "Internal Key Storage Token");
- CryptoToken verifyToken = cm.getTokenByName(tokenName);
- if (tokenName.equals("Internal Key Storage Token")) {
- //use internal token
+ CryptoToken verifyToken = null;
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
+ if (tokenName.equals("internal")) {
CMS.debug("POP verification using internal token");
certReqMsg.verify();
} else {
CMS.debug("POP verification using token:"+ tokenName);
+ verifyToken = cm.getTokenByName(tokenName);
certReqMsg.verify(verifyToken);
}
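Review bot: An upgraded configuration that still sets `ca.requestVerify.token` to the old literal "Internal Key Storage Token" no longer matches `tokenName.equals("internal")`, so POP verification now goes through `certReqMsg.verify(verifyToken)` where it previously used `certReqMsg.verify()`. Since the commit targets in-place upgrades, the test could accept both spellings: `if (tokenName.equals("internal") || tokenName.equals("Internal Key Storage Token")) {`. The same block is repeated in the EnrollInput.java hunk, so a shared helper would keep the two copies from drifting apart. `verifyToken` is only used in the else branch and could be declared there instead of being initialised to null. The enclosing try block starts and ends outside the hunk.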
diff --git a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
index 949e58b1a..f704a2297 100644
--- a/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/pki/base/common/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -198,15 +198,15 @@ public abstract class EnrollInput implements IProfileInput {
}
CMS.debug("POP verification begins:");
CryptoManager cm = CryptoManager.getInstance();
- String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
- "Internal Key Storage Token");
- CryptoToken verifyToken = cm.getTokenByName(tokenName);
- if (tokenName.equals("Internal Key Storage Token")) {
- //use internal token
+
+ CryptoToken verifyToken = null;
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
+ if (tokenName.equals("internal")) {
CMS.debug("POP verification using internal token");
certReqMsg.verify();
} else {
CMS.debug("POP verification using token:"+ tokenName);
+ verifyToken = cm.getTokenByName(tokenName);
certReqMsg.verify(verifyToken);
}
diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
index 5e0c77e25..da3c3a87c 100644
--- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -126,11 +126,21 @@ public class RecoveryService implements IService {
cm = CryptoManager.getInstance();
config = CMS.getConfigStore();
tokName = config.getString("kra.storageUnit.hardware", "internal");
- CMS.debug("RecoveryService: tokenName="+tokName);
- ct = cm.getTokenByName(tokName);
+ if (tokName.equals("internal")) {
+ CMS.debug("RecoveryService: serviceRequest: use internal token ");
+ ct = cm.getInternalCryptoToken();
+ } else {
+ CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName);
+ ct = cm.getTokenByName(tokName);
+ }
allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false);
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ CMS.debug("RecoveryService exception: use internal token :"
+ + e.toString());
+ ct = cm.getInternalCryptoToken();
+ }
+ if (ct == null) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token"));
}
IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
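Review bot: The new catch block fails open: any exception in the try, including a configured hardware token that cannot be found, is only logged at debug level and key recovery continues on the internal token. If `CryptoManager.getInstance()` is what threw, `cm` may still be unset when the handler calls `cm.getInternalCryptoToken()` (its declaration is outside the hunk), and `allowEncDecrypt_recovery` keeps whatever value it had before the try. The `ct == null` branch also concatenates its text onto the message key, so `CMS.getUserMessage` is asked for `CMS_BASE_CERT_ERRORcannot get crypto token`; the two-argument form used on the removed line is likely what was meant. I would keep the explicit internal-token branch as the fix and let the handler rethrow, as sketched below. serviceRequest starts and ends outside the hunk.

```java
// … unchanged: internal/named token selection and allowEncDecrypt_recovery read …
} catch (Exception e) {
    // Fail closed: do not substitute the internal token for a configured one.
    CMS.debug("RecoveryService: serviceRequest: cannot get token: " + e.toString());
    throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
}
if (ct == null) {
    throw new EBaseException(
            CMS.getUserMessage("CMS_BASE_CERT_ERROR", "cannot get crypto token"));
}
```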
@@ -413,6 +423,7 @@ public class RecoveryService implements IService {
*/
public void createPFX(IRequest request, Hashtable params,
PrivateKey priKey, CryptoToken ct) throws EBaseException {
+ CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false");
try {
// create p12
X509Certificate x509cert =
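Review bot: The added debug line prints a fixed `allowEncDecrypt_recovery=false` instead of the flag's value, and it spells the class "RecoverService" while the messages added in serviceRequest use "RecoveryService". The same prefix appears in the three later createPFX hunks (the "adds certificate to P12", "adds key to P12" and `allowEncDecrypt_recovery=true` lines), which makes the log harder to grep by class name. I would use one spelling throughout, e.g. `CMS.debug("RecoveryService: createPFX(PrivateKey): begins");`, and name the overload rather than restating a config value. None of the added lines log the PKCS#12 password or key bytes, and that should stay the case if more tracing is added here.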
@@ -421,6 +432,7 @@ public class RecoveryService implements IService {
// add certificate
mKRA.log(ILogger.LL_INFO, "KRA adds certificate to P12");
+ CMS.debug("RecoverService: createPFX() adds certificate to P12");
SEQUENCE encSafeContents = new SEQUENCE();
ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
String nickname = request.getExtDataInString(ATTR_NICKNAME);
@@ -440,6 +452,7 @@ public class RecoveryService implements IService {
// add key
mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
+ CMS.debug("RecoverService: createPFX() adds key to P12");
org.mozilla.jss.util.Password pass = new
org.mozilla.jss.util.Password(
pwd.toCharArray());
@@ -536,6 +549,7 @@ public class RecoveryService implements IService {
*/
public void createPFX(IRequest request, Hashtable params,
byte priData[]) throws EBaseException {
+ CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true");
try {
// create p12
X509Certificate x509cert =