4 files changed, 59 insertions, 7 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 2e1f9d7c8..b087f26b6 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -77,6 +77,8 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -188,6 +190,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
     protected AuthorityID authorityParentID = null;
     protected String authorityDescription = null;
     protected boolean authorityEnabled = true;
+    private boolean hasKeys = false;
+    private ECAException signingUnitException = null;
     protected ISubsystem mOwner = null;
     protected IConfigStore mConfig = null;
@@ -1358,7 +1362,15 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
                 mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
             }
-            mSigningUnit.init(this, caSigningCfg, mNickname);
+            try {
+                mSigningUnit.init(this, caSigningCfg, mNickname);
+                hasKeys = true;
+                signingUnitException = null;
+            } catch (CAMissingCertException | CAMissingKeyException e) {
+                CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+                signingUnitException = e;
+                return;
+            }
             CMS.debug("CA signing unit inited");
             // for identrus
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 0ac4b7a1c..60bd84e3b 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
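Review bot: The new catch block around `mSigningUnit.init` returns early with `hasKeys` still false and only `signingUnitException` stored, so the authority object stays registered but cannot sign, and nothing in this hunk stops a later signing, CRL or OCSP path of this class from running against a signing unit whose `init` never completed. Every signing entry point should therefore check the flag first, e.g. `if (!hasKeys) throw signingUnitException;` (or a small private `ensureReady()` helper doing the same), so the stored exception is surfaced instead of a failure from deep inside the uninitialised unit. The debug line also discards the exception; `CMS.debug("CA signing key and cert not (yet) present in NSSDB: " + e.getMessage());` would record which of the two was missing. The early `return` skips whatever follows in this method, which starts and ends outside the hunk, so anything after the `// for identrus` block is bypassed too — confirm none of it is needed for a key-less CA.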
@@ -43,6 +43,8 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.ISigningUnit;
@@ -165,14 +167,22 @@ public final class SigningUnit implements ISigningUnit {
             mToken.login(cb); // ONE_TIME by default.
-            mCert = mManager.findCertByNickname(mNickname);
-            CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            try {
+                mCert = mManager.findCertByNickname(mNickname);
+                CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
             mCertImpl = new X509CertImpl(mCert.getEncoded());
             CMS.debug("converted to x509CertImpl");
-            mPrivk = mManager.findPrivKeyByCert(mCert);
-            CMS.debug("Got private key from cert");
+            try {
+                mPrivk = mManager.findPrivKeyByCert(mCert);
+                CMS.debug("Got private key from cert");
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
             mPubk = mCert.getPublicKey();
             CMS.debug("Got public key from cert");
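Review bot: The second new catch wraps a missing private key in `CAMissingKeyException` but builds it from the same `CMS_CA_CERT_OBJECT_NOT_FOUND` user message as the missing-certificate case, so an operator reading the error is told the certificate object was not found when it is the key that is absent — the wrong thing to chase when diagnosing a CA that cannot sign. A dedicated message key (something like `CMS_CA_KEY_OBJECT_NOT_FOUND`, added to the message bundle if no suitable one exists), or at least appending `mNickname` to the message, would make the two failures distinguishable in the log and to the caller. The `CMS.debug` inside the first try also prints the serial number only on success, so the failure path leaves no trace of which nickname was looked up; `CMS.debug("Signing cert not found by nickname: '" + mNickname + "'");` in the catch would help. The enclosing `init` method starts and ends outside this hunk.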
@@ -200,10 +210,10 @@ public final class SigningUnit implements ISigningUnit {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
             throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
-        } catch (ObjectNotFoundException e) {
+        } catch (CAMissingCertException | CAMissingKeyException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-            throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            throw e; // re-throw
         } catch (TokenException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
new file mode 100644
index 000000000..49c5063f2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing certificate is not
+ * (yet) present in the local NSSDB.
+ */
+public class CAMissingCertException extends ECAException {
+
+    private static final long serialVersionUID = 7261805480088539689L;
+
+    public CAMissingCertException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
new file mode 100644
index 000000000..8f5e1e72a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
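Review bot: The rewritten catch still logs `CMSCORE_CA_SIGNING_CERT_NOT_FOUND` at `ILogger.LL_FAILURE` for both `CAMissingCertException` and `CAMissingKeyException`, even though the caller in `CertificateAuthority` now treats these as an expected "not (yet) present" state, so every start-up of a CA whose key has not arrived yet writes a failure-level entry describing a missing certificate — noise that buries real signing-unit breakage and misnames the key case. If `ILogger` offers a lower level, logging this branch there, and selecting a key-specific log message when `e` is a `CAMissingKeyException`, would keep the failure log meaningful. The `// re-throw` comment on `throw e;` only repeats the statement and can be dropped. The `try` this catch belongs to begins before the hunk, so any remaining `ObjectNotFoundException` source in its body — now uncaught after the old catch was removed — is not visible here; if that exception is checked the compiler will flag it, otherwise it should be verified by hand.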
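Review bot: `CAMissingCertException` exposes only a `(String msgFormat)` constructor, so the `ObjectNotFoundException` that triggers it in `SigningUnit.init` cannot be chained and its JSS detail disappears from the stack trace. If `ECAException` (or `EBaseException` beneath it) has a cause-taking constructor, adding `public CAMissingCertException(String msgFormat, Throwable cause) { super(msgFormat, cause); }` lets the call site pass `e` through; the same applies to the sibling `CAMissingKeyException` introduced in this commit. The class Javadoc could also state that this exception signals a deferrable condition — callers are expected to catch it and retry once the certificate appears, rather than treat it as a fatal configuration error — since `CertificateAuthority` now relies on exactly that distinction.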
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing key is not (yet)
+ * present in the local NSSDB.
+ */
+public class CAMissingKeyException extends ECAException {
+
+    private static final long serialVersionUID = -364157165997677925L;
+
+    public CAMissingKeyException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}