8 files changed, 114 insertions, 9 deletions
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java index 19778505e..6edaf2ade 100644 --- a/base/ca/src/com/netscape/ca/CAService.java +++ b/base/ca/src/com/netscape/ca/CAService.java @@ -821,8 +821,17 @@ public class CAService implements ICAService, IService { } try { - certi.set(X509CertInfo.ISSUER, - new CertificateIssuerName(mCA.getX500Name())); + if (mCA.getIssuerObj() != null) { + // this ensures the isserDN has the same encoding as the + // subjectDN of the CA signing cert + CMS.debug("CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding"); + certi.set(X509CertInfo.ISSUER, + mCA.getIssuerObj()); + } else { + CMS.debug("CAService: issueX509Cert: mCA.getIssuerObj() is null, creating new CertificateIssuerName"); + certi.set(X509CertInfo.ISSUER, + new CertificateIssuerName(mCA.getX500Name())); + } } catch (CertificateException e) { mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 73ce6dfe4..65296113e 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -43,6 +43,8 @@ import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateIssuerName; +import netscape.security.x509.CertificateSubjectName; import netscape.security.x509.CertificateVersion; import netscape.security.x509.X500Name; import netscape.security.x509.X509CRLImpl; 
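Review bot: The single CertificateIssuerName returned by `mCA.getIssuerObj()` is now stored by reference into every certificate template this CA issues, because `X509CertInfo.set(ISSUER, val)` simply assigns `issuer = (CertificateIssuerName) val` (X509CertInfo hunk at @@ -873). CertificateIssuerName appears to follow the CertAttrSet get/set pattern (the CertificateAuthority hunks call its sibling's `get`), so any later code that modifies a template's issuer would silently change the CA-wide object and the issuer stamped on every certificate issued afterwards; EnrollProfile @@ -220 and CertUtil @@ -397 share the pattern. Safer is for `getIssuerObj()` to build a fresh CertificateIssuerName per call from the cached X500Name, which is what carries the original DER encoding, or at minimum to document that the returned object must be treated as read-only. Within this hunk `mCA.getIssuerObj()` should be called once into a local rather than twice, and the comment typo `isserDN` (repeated in the CertificateAuthority, EnrollProfile and CertUtil hunks) should read `issuerDN`. The enclosing method starts and ends outside the hunk.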
@@ -143,6 +145,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori protected SigningUnit mOCSPSigningUnit; protected SigningUnit mCRLSigningUnit; + protected CertificateIssuerName mIssuerObj = null; + protected CertificateSubjectName mSubjectObj = null; protected X500Name mName = null; protected X500Name mCRLName = null; protected X500Name mOCSPName = null; @@ -888,6 +892,14 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori return mName; } + public CertificateIssuerName getIssuerObj() { + return mIssuerObj; + } + + public CertificateSubjectName getSubjectObj() { + return mSubjectObj; + } + public X500Name getCRLX500Name() { return mCRLName; } @@ -1199,6 +1211,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori IConfigStore caSigningCfg = mConfig.getSubStore(PROP_SIGNING_SUBSTORE); + String caSigningCertStr = caSigningCfg.getString("cert", ""); + if (caSigningCertStr.equals("")) { + CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found"); + } else { //ca cert found + CMS.debug("CertificateAuthority:initSigUnit: ca cert found"); + mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr)); + // this ensures the isserDN and subjectDN have the same encoding + // as that of the CA signing cert + CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj"); + mSubjectObj = mCaCert.getSubjectObj(); + // this mIssuerObj is the "issuerDN" obj for the certs this CA + // issues, NOT necessarily the isserDN obj of the CA signing cert + mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); + } + mSigningUnit.init(this, caSigningCfg); CMS.debug("CA signing unit inited"); 
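Review bot: `mSubjectObj.get(CertificateIssuerName.DN_NAME)` runs with no null check on `mSubjectObj`, whereas the otherwise identical block added at @@ -1295 guards it with `if (mSubjectObj != null)`; the two blocks should share one private helper so the guard, the comments and the debug messages cannot drift apart. The helper below also queries the subject with `CertificateSubjectName.DN_NAME` rather than the issuer class's constant, which reads as intended even if both happen to hold the same string. The @@ -1295 hunk recomputes `mCaCert`, `mSubjectObj` and `mIssuerObj` from the JSS certificate a few lines later; if this config-based pass exists only for a path where that later code is not reached, a comment saying so would help. I have assumed `mSubjectObj.get` declares `IOException`; the hunk calls it unguarded, so the enclosing method, which starts and ends outside the hunk, already covers whatever it throws.
```java
        } else { //ca cert found
            CMS.debug("CertificateAuthority:initSigUnit: ca cert found");
            mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
            initIssuerAndSubjectObj();
        }
        // … unchanged: mSigningUnit.init(this, caSigningCfg) …

    // new private helper, shared with the block added at @@ -1295
    /**
     * Caches the CA signing cert's subject object and derives the issuer
     * object used for certs this CA issues, so both keep the exact DER
     * encoding of the signing cert's subjectDN.
     */
    private void initIssuerAndSubjectObj() throws IOException {
        mSubjectObj = mCaCert.getSubjectObj();
        if (mSubjectObj == null) {
            CMS.debug("CertificateAuthority: initIssuerAndSubjectObj: CA signing cert has no subject object; mIssuerObj not set");
            return;
        }
        // the issuer of certs this CA issues is this CA's own subject, not
        // necessarily the issuer of the CA signing cert (unless self-signed)
        mIssuerObj = new CertificateIssuerName(
                (X500Name) mSubjectObj.get(CertificateSubjectName.DN_NAME));
    }
```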
@@ -1295,11 +1322,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } mOCSPCertChain = new CertificateChain(ocspImplchain); CMS.debug("in init - got OCSP chain from JSS."); - // init issuer name - take name from the cert. mCaX509Cert = mSigningUnit.getCert(); mCaCert = new X509CertImpl(mCaX509Cert.getEncoded()); getCASigningAlgorithms(); + mSubjectObj = mCaCert.getSubjectObj(); + if (mSubjectObj != null) { + // this ensures the isserDN and subjectDN have the same encoding + // as that of the CA signing cert + CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj"); + // this mIssuerObj is the "issuerDN" obj for the certs this CA + // issues, NOT necessarily the isserDN obj of the CA signing cert + // unless the CA is self-signed + mIssuerObj = + new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); + } mName = (X500Name) mCaCert.getSubjectDN(); mCRLX509Cert = mCRLSigningUnit.getCert(); diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java index 39f336b5f..f87f15420 100644 --- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java @@ -23,6 +23,8 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateIssuerName; +import netscape.security.x509.CertificateSubjectName; import netscape.security.x509.CertificateVersion; import netscape.security.x509.X500Name; import netscape.security.x509.X509CRLImpl; @@ -510,4 +512,7 @@ public interface ICertificateAuthority extends ISubsystem { * @return processed times for OCSP requests */ public long getOCSPTotalData(); + + public CertificateIssuerName getIssuerObj(); + public CertificateSubjectName getSubjectObj(); } 
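Review bot: The two interface methods `getIssuerObj()` and `getSubjectObj()` are added to ICertificateAuthority with no Javadoc, while the neighbouring member `getOCSPTotalData()` just above carries a summary and `@return`. Each should get a Javadoc block stating that it returns the CA signing certificate's subject (getSubjectObj) or the issuer name to stamp on certificates this CA issues (getIssuerObj), that both preserve the DER encoding of the signing certificate's subjectDN, that the result may be null when no signing certificate has been loaded, and that callers must not modify the returned object. The null case matters because every caller in this change branches on it.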
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index ca665baf1..9e89e693f 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -88,6 +88,7 @@ import com.netscape.certsrv.authority.IAuthority; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.profile.EDeferException; import com.netscape.certsrv.profile.EProfileException; @@ -220,8 +221,19 @@ public abstract class EnrollProfile extends BasicProfile new CertificateVersion(CertificateVersion.V3)); info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger("0"))); - info.set(X509CertInfo.ISSUER, - new CertificateIssuerName(issuerName)); + ICertificateAuthority authority = + (ICertificateAuthority) getAuthority(); + if (authority.getIssuerObj() != null) { + // this ensures the isserDN has the same encoding as the + // subjectDN of the CA signing cert + CMS.debug("EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding"); + info.set(X509CertInfo.ISSUER, + authority.getIssuerObj()); + } else { + CMS.debug("EnrollProfile: setDefaultCertInfo: authority.getIssuerObj() is null, creating new CertificateIssuerName"); + info.set(X509CertInfo.ISSUER, + new CertificateIssuerName(issuerName)); + } info.set(X509CertInfo.KEY, new CertificateX509Key(X509Key.parse(new DerValue(dummykey)))); info.set(X509CertInfo.SUBJECT, diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index ede632ee5..22f092973 100644 
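Review bot: `(ICertificateAuthority) getAuthority()` is an unchecked cast followed by an unguarded dereference; the previous code needed only `issuerName`, so a profile running under an authority that is not an ICertificateAuthority, or with a null authority, now fails with a ClassCastException or NullPointerException instead of reaching the `new CertificateIssuerName(issuerName)` fallback. Guarding the cast keeps the old behaviour as the fallback: `IAuthority auth = getAuthority();`, `CertificateIssuerName issuerObj = (auth instanceof ICertificateAuthority) ? ((ICertificateAuthority) auth).getIssuerObj() : null;`, `if (issuerObj != null) {`. This also removes the second `authority.getIssuerObj()` call. I am assuming `getAuthority()` returns IAuthority, which the file imports but the hunk does not show; the enclosing method starts and ends outside the hunk.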
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse; import netscape.security.pkcs.PKCS10; import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateIssuerName; import netscape.security.x509.X500Name; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509CertInfo; @@ -390,6 +391,7 @@ public class CertUtil { cr = ca.getCertificateRepository(); BigInteger serialNo = cr.getNextSerialNumber(); if (type.equals("selfsign")) { + CMS.debug("Creating local certificate... selfsign cert"); CMS.debug("Creating local certificate... issuerdn=" + dn); CMS.debug("Creating local certificate... dn=" + dn); info = CryptoUtil.createX509CertInfo(x509key, serialNo, dn, dn, date, date, keyAlgorithm); @@ -397,8 +399,18 @@ public class CertUtil { String issuerdn = config.getString("preop.cert.signing.dn", ""); CMS.debug("Creating local certificate... issuerdn=" + issuerdn); CMS.debug("Creating local certificate... dn=" + dn); - - info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); + if (ca.getIssuerObj() != null) { + // this ensures the isserDN has the same encoding as the + // subjectDN of the CA signing cert + CMS.debug("Creating local certificate... setting issuerDN using exact CA signing cert subjectDN encoding"); + CertificateIssuerName issuerdnObj = + ca.getIssuerObj(); + + info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdnObj, dn, date, date, keyAlgorithm); + } else { + CMS.debug("Creating local certificate... ca.getIssuerObj() is null, creating new CertificateIssuerName"); + info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); + } } CMS.debug("Cert Template: " + info.toString()); 
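Review bot: The debug line `Creating local certificate... issuerdn=` prints the `preop.cert.signing.dn` config string even when the branch below stamps the CA certificate's subject object instead, so a mismatch between the two, the very situation this change exists to handle, is invisible in the log; log the issuer actually used inside the object branch, e.g. `CMS.debug("Creating local certificate... issuerdn=" + issuerdnObj)`, assuming CertificateIssuerName has a readable toString, which the hunk cannot confirm. `ca.getIssuerObj()` is also called twice; resolving it once with `CertificateIssuerName issuerdnObj = ca.getIssuerObj();` followed by `info = (issuerdnObj != null) ? CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdnObj, dn, date, date, keyAlgorithm) : CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm);` leaves a single call site. The enclosing method starts outside the hunk.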
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index cf2bafac1..3b1041a74 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -1055,14 +1055,28 @@ public class CryptoUtil { CertificateException, InvalidKeyException, NoSuchAlgorithmException { + CertificateIssuerName issuernameObj = + new CertificateIssuerName(new X500Name(issuername)); + return createX509CertInfo(x509key, serialno, issuernameObj, subjname, notBefore, notAfter, alg); + } + + public static X509CertInfo createX509CertInfo(X509Key x509key, + BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, + Date notBefore, Date notAfter, String alg) + throws IOException, + CertificateException, + InvalidKeyException, + NoSuchAlgorithmException { X509CertInfo info = new X509CertInfo(); info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialno)); - info.set(X509CertInfo.ISSUER, new - CertificateIssuerName(new X500Name(issuername))); + if (issuernameObj != null) { + info.set(X509CertInfo.ISSUER, + issuernameObj); + } info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(subjname))); info.set(X509CertInfo.VALIDITY, new diff --git a/base/util/src/netscape/security/x509/X509CertImpl.java b/base/util/src/netscape/security/x509/X509CertImpl.java index 657e4d224..0ad7724ee 100755 --- a/base/util/src/netscape/security/x509/X509CertImpl.java +++ b/base/util/src/netscape/security/x509/X509CertImpl.java @@ -725,6 +725,10 @@ public class X509CertImpl extends X509Certificate } } + public CertificateSubjectName getSubjectObj() { + return info.getSubjectObj(); + } + /** * Gets the issuer distinguished name from the certificate. * 
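Review bot: The new overload silently builds a template with no issuer when `issuernameObj` is null: the old code always set `X509CertInfo.ISSUER`, and the `if (issuernameObj != null)` guard turns a bad argument into a malformed X509CertInfo that only fails later, far from the cause, when the info is encoded or signed. Unless a caller is expected to set ISSUER afterwards (nothing in this change does, and CertUtil @@ -397 already null-checks before calling), reject it up front: `if (issuernameObj == null) {`, `    throw new IllegalArgumentException("issuernameObj must not be null");`, `}`. The overload also lacks Javadoc; a summary plus `@param issuernameObj` noting that the object is stored by reference in the returned info would do. The String overload's signature starts outside the hunk.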
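Review bot: `getSubjectObj()` hands out the live CertificateSubjectName held by `info`, and the matching getters at X509CertImpl @@ -743 and X509CertInfo @@ -873 and @@ -901 do the same with fields that the visible setters store by reference (`issuer = (CertificateIssuerName) val;`), so a caller mutating the result alters the certificate object; none of the four carries Javadoc, although the neighbouring accessors in both classes do. Each should get a one-line Javadoc stating what is returned, that it preserves the encoding the certificate was parsed with, and that the returned object must not be modified. The neighbouring accessors in X509CertImpl appear to handle a missing `info` (cannot confirm from the context shown); if so, these two delegate unconditionally and would throw NullPointerException instead.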
@@ -743,6 +747,10 @@ public class X509CertImpl extends X509Certificate } } + public CertificateIssuerName getIssuerObj() { + return info.getIssuerObj(); + } + /** * Gets the notBefore date from the validity period of the certificate. * diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java index 2ad17ebc0..29757ec8a 100644 --- a/base/util/src/netscape/security/x509/X509CertInfo.java +++ b/base/util/src/netscape/security/x509/X509CertInfo.java @@ -873,6 +873,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { issuer = (CertificateIssuerName) val; } + public CertificateIssuerName getIssuerObj() { + return issuer; + } + /** * Set the validity interval of the certificate. * @@ -901,6 +905,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { subject = (CertificateSubjectName) val; } + public CertificateSubjectName getSubjectObj() { + return subject; + } + /** * Set the public key in the certificate. * |