12 files changed, 118 insertions, 19 deletions
diff --git a/pki/base/ca/shared/conf/adminCert.profile b/pki/base/ca/shared/conf/adminCert.profile
index 30e01e46b..5e84d7492 100644
--- a/pki/base/ca/shared/conf/adminCert.profile
+++ b/pki/base/ca/shared/conf/adminCert.profile
@@ -4,6 +4,8 @@
 id=adminCert.profile
 name=All Purpose admin server cert Profile
 description=This profile creates an administrator's certificate
+profileIDMapping=caAdminCert
+profileSetIDMapping=adminCertSet
 list=2,4,5,6,7
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/ca/shared/conf/caAuditSigningCert.profile b/pki/base/ca/shared/conf/caAuditSigningCert.profile
index f1124e100..490759096 100644
--- a/pki/base/ca/shared/conf/caAuditSigningCert.profile
+++ b/pki/base/ca/shared/conf/caAuditSigningCert.profile
@@ -4,6 +4,8 @@
 id=caAuditSigningCert.profile
 name=CA Audit Signing Certificate Profile
 description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
+profileIDMapping=caSignedLogCert
+profileSetIDMapping=caLogSigningSet
 list=2,4,6,8,9
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/ca/shared/conf/caCert.profile b/pki/base/ca/shared/conf/caCert.profile
index eb721d5e4..e80afc1cc 100644
--- a/pki/base/ca/shared/conf/caCert.profile
+++ b/pki/base/ca/shared/conf/caCert.profile
@@ -4,6 +4,8 @@
 id=caCert.profile
 name=All Purpose CA Profile
 description=This profile creates a CA certificate that is valid for all signing purposes.
+profileIDMapping=caCACert
+profileSetIDMapping=caCertSet
 list=2,4,5,6,7,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/ca/shared/conf/caOCSPCert.profile b/pki/base/ca/shared/conf/caOCSPCert.profile
index 72d95bec4..b3c27c1b0 100644
--- a/pki/base/ca/shared/conf/caOCSPCert.profile
+++ b/pki/base/ca/shared/conf/caOCSPCert.profile
@@ -4,6 +4,8 @@
 id=caOCSPCert.profile
 name=All Purpose CA OCSP Profile
 description=This profile creates a CA OCSP certificate that is valid for all signing purposes.
+profileIDMapping=caOCSPCert
+profileSetIDMapping=ocspCertSet
 list=2,4,6,8,9
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/ca/shared/conf/serverCert.profile b/pki/base/ca/shared/conf/serverCert.profile
index adf6ee4ad..8b436b247 100644
--- a/pki/base/ca/shared/conf/serverCert.profile
+++ b/pki/base/ca/shared/conf/serverCert.profile
@@ -4,6 +4,8 @@
 id=serverCert.profile
 name=All Purpose SSL server cert Profile
 description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
 list=2,4,5,6,7
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/ca/shared/conf/subsystemCert.profile b/pki/base/ca/shared/conf/subsystemCert.profile
index 5b1a502df..658e69511 100644
--- a/pki/base/ca/shared/conf/subsystemCert.profile
+++ b/pki/base/ca/shared/conf/subsystemCert.profile
@@ -4,6 +4,8 @@
 id=serverCert.profile
 name=All Purpose SSL server cert Profile
 description=This profile creates an SSL server certificate that is valid for SSL servers
+profileIDMapping=caServerCert
+profileSetIDMapping=serverCertSet
 list=2,4,5,6,7
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
diff --git a/pki/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java b/pki/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
index 95ff4e49b..8593da163 100644
--- a/pki/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
+++ b/pki/base/common/src/com/netscape/certsrv/profile/CertInfoProfile.java
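Review bot: In the subsystemCert.profile hunk the new `profileIDMapping=caServerCert` / `profileSetIDMapping=serverCertSet` pair, sitting under the unchanged `id=serverCert.profile` and the server-cert description, means a subsystem certificate created at install time will be renewed through the server-cert profile and set rather than anything subsystem-specific. If that is the intent, a comment line in the file saying so would stop the next reader from treating it as a leftover of the copy from serverCert.profile; if not, the mapping target should be checked against the profile that actually issues subsystem certificates. The `id` value in this file is also the server-cert one, which predates this commit but is the same copy-and-paste and is what the mapping now builds on.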
@@ -33,6 +33,8 @@ public class CertInfoProfile
 private String mName = null;
 private String mID = null;
 private String mDescription = null;
+ private String mProfileIDMapping = null;
+ private String mProfileSetIDMapping = null;
 public CertInfoProfile(String cfg) throws Exception
 {
@@ -40,6 +42,8 @@ public class CertInfoProfile
 mID = config.getString("id");
 mName = config.getString("name");
 mDescription = config.getString("description");
+ mProfileIDMapping = config.getString("profileIDMapping");
+ mProfileSetIDMapping = config.getString("profileSetIDMapping");
 StringTokenizer st = new StringTokenizer(config.getString("list"), ",");
 while (st.hasMoreTokens()) {
 String id = (String)st.nextToken();
@@ -81,6 +85,16 @@ public class CertInfoProfile
 return mDescription;
 }
+ public String getProfileIDMapping()
+ {
+ return mProfileIDMapping;
+ }
+
+ public String getProfileSetIDMapping()
+ {
+ return mProfileSetIDMapping;
+ }
+
 public void populate(X509CertInfo info)
 {
 Enumeration e1 = mDefaults.elements();
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
index 0f6bccb9b..d2495c177 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
@@ -571,6 +571,9 @@ public class AdminPanel extends WizardPanelBase {
 X509CertImpl impl = CertUtil.createLocalCert(cs, x509key, PCERT_PREFIX, CERT_TAG, caType, context);
+ // update the locally created request for renewal
+ CertUtil.updateLocalRequest(cs, CERT_TAG, cert_request,cert_request_type, subject);
+
 ISubsystem ca = (ISubsystem) CMS.getSubsystem("ca");
 if (ca != null) {
 createPKCS7(impl);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 427a662f3..654c2f8db 100644
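Review bot: The two new constructor lookups, `mProfileIDMapping = config.getString("profileIDMapping");` and the profileSetIDMapping one, have no default, so a `.profile` file that has not been given the new keys will presumably make the constructor throw just as the single-argument `getString("id")` lookups above it do, and every `new CertInfoProfile(...)` caller, including createLocalCert in this same commit, now depends on all shipped and locally customised profile files carrying both keys. Consider `mProfileIDMapping = config.getString("profileIDMapping", null);` (and likewise for the set id) so a missing mapping surfaces as a null from the getter, where the caller can decide whether renewal linkage is optional, instead of a failed profile load at install time. The two getters added in the third hunk would also benefit from a one-line Javadoc each, e.g. "Returns the id of the enrollment profile a certificate issued from this installation profile is renewed through", since nothing in this file explains what "mapping" refers to.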
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
@@ -679,6 +679,11 @@ public class CertRequestPanel extends WizardPanelBase {
 }
 }
+ //update requests in request queue for local certs to allow renewal
+ if ((cert.getType().equals("local")) || (cert.getType().equals("selfsign"))) {
+ CertUtil.updateLocalRequest(config, certTag, cert.getRequest(), "pkcs10", null);
+ }
+
 if (certTag.equals("signing") && subsystem.equals("ca")) {
 String NickName = nickname;
 if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 7d15badd1..fd12de3b1 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -200,9 +200,13 @@ public class CertUtil {
 req.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
 req.setExtData(IEnrollProfile.REQUEST_EXTENSIONS, new CertificateExtensions());
- req.setExtData("cert_request_type", "pkcs10");
 req.setExtData("requesttype", "enrollment");
- // note: more info needed... TBD
+ req.setExtData("requestor_name", "");
+ req.setExtData("requestor_email", "");
+ req.setExtData("requestor_phone", "");
+ req.setExtData("requestnotes","");
+ req.setExtData("isencryptioncert", "false");
+ // mark request as complete
 CMS.debug("certUtil: calling setRequestStatus");
 req.setRequestStatus(RequestStatus.COMPLETE);
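Review bot: Removing `req.setExtData("cert_request_type", "pkcs10");` from createLocalRequest leaves the request with no request type until `updateLocalRequest` sets one later, and that method (next hunk) logs and swallows every exception and is only reached from the AdminPanel and CertRequestPanel call sites, so a request that is created here and not successfully updated afterwards ends up marked COMPLETE but without a `cert_request_type`. Keeping the default here costs nothing because the later call overwrites it: `req.setExtData("cert_request_type", "pkcs10"); // overwritten by updateLocalRequest once the real request is known`. The five blank requestor fields and `isencryptioncert=false` look as if they exist so that a renewal through the profile framework finds the inputs it expects; if that is the reason, a one-line comment above them saying so would explain why empty strings are stored deliberately. The enclosing createLocalRequest starts before the hunk.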
@@ -210,6 +214,41 @@ public class CertUtil {
 return req;
 }
+/**
+ * update local cert request with the actual request
+ * called from CertRequestPanel.java
+ */
+ public static void updateLocalRequest(IConfigStore config, String certTag, String certReq, String reqType, String subjectName)
+ {
+ try {
+ CMS.debug("Updating local request... certTag=" + certTag);
+ RequestId rid = new RequestId(config.getString("preop.cert." + certTag + ".reqId"));
+
+ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(
+ ICertificateAuthority.ID);
+
+ IRequestQueue queue = ca.getRequestQueue();
+ if (queue != null) {
+ IRequest req = queue.findRequest(rid);
+ if (req != null) {
+ if (!certReq.equals(""))
+ req.setExtData("cert_request", certReq);
+ req.setExtData("cert_request_type", reqType);
+ if (subjectName != null) {
+ req.setExtData("subject", subjectName);
+ X500Name x5Name = new X500Name(subjectName);
+ }
+ }
+ queue.updateRequest(req);
+ } else {
+ CMS.debug("CertUtil:updateLocalRequest - request queue = null");
+ }
+ } catch (Exception e) {
+ CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString());
+ }
+ }
+
+
 public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key, String prefix, String certTag, String type, Context context) throws IOException {
@@ -223,6 +262,8 @@ public class CertUtil {
 X509CertImpl cert = null;
 ICertificateAuthority ca = null;
 ICertificateRepository cr = null;
+ RequestId reqId = null;
+ String profileId = null;
 try {
 String dn = config.getString(prefix + certTag + ".dn");
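Review bot: In updateLocalRequest, `queue.updateRequest(req);` is placed after the `if (req != null)` block rather than inside it, so a request id that does not resolve produces a NullPointerException that the catch-all below reduces to a debug line, and `!certReq.equals("")` fails the same way when a caller passes a null request string (CertRequestPanel hands in `cert.getRequest()`, whose nullness I cannot see from here). `X500Name x5Name = new X500Name(subjectName);` is never used; if it is meant to validate the DN it runs after `"subject"` has already been written, so a malformed DN leaves the in-memory request half-edited and, because the exception skips `updateRequest`, presumably never persisted. The reshaped inner block below closes those gaps; the catch block still only logs, which callers cannot detect, and that deserves a comment or a return value in a follow-up. The method lies entirely within the hunk; the createLocalCert signature after it continues outside it.
```java
            IRequest req = queue.findRequest(rid);
            if (req == null) {
                CMS.debug("CertUtil:updateLocalRequest - no request found for id " + rid);
                return;
            }
            if (certReq != null && !certReq.equals("")) {
                req.setExtData("cert_request", certReq);
            }
            req.setExtData("cert_request_type", reqType);
            if (subjectName != null) {
                // parse first so a malformed DN is rejected before anything is written
                new X500Name(subjectName);
                req.setExtData("subject", subjectName);
            }
            queue.updateRequest(req);
            // … unchanged: else branch logging the null queue, catch block …
```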
@@ -249,25 +290,37 @@ public class CertUtil {
 }
 CMS.debug("Cert Template: " + info.toString());
+ String instanceRoot = config.getString("instanceRoot");
+
+ CertInfoProfile processor = new CertInfoProfile(
+ instanceRoot + "/conf/" + profile);
+
 // cfu - create request to enable renewal
+ IRequest req = null;
 try {
 IRequestQueue queue = ca.getRequestQueue();
 if (queue != null) {
- IRequest req = createLocalRequest(queue, serialNo.toString(), info);
- // set profileId - diff place than regular place
- // consider stuffing a regular one here
+ req = createLocalRequest(queue, serialNo.toString(), info);
 CMS.debug("CertUtil profile name= "+profile);
+ req.setExtData("req_key", x509key.toString());
+
+ // store original profile id in cert request
 int idx = profile.lastIndexOf('.');
-// String[] profileName = profile.split(".");
-// if (profileName.length == 0) {
 if (idx == -1) {
 CMS.debug("CertUtil profileName contains no .");
- req.setExtData("profileid", profile);
+ req.setExtData("origprofileid", profile);
 } else {
 String name = profile.substring(0, idx);
- req.setExtData("profileid", name);
+ req.setExtData("origprofileid", name);
 }
- req.setExtData("req_key", x509key.toString());
+
+ // store mapped profile ID for use in renewal
+ profileId = processor.getProfileIDMapping();
+ req.setExtData("profileid", profileId);
+ req.setExtData("profilesetid", processor.getProfileSetIDMapping());
+
+ reqId = req.getRequestId();
+ config.putString("preop.cert." + certTag + ".reqId", reqId.toString());
 CMS.debug("certUtil: before updateRequest");
@@ -280,11 +333,6 @@ public class CertUtil {
 CMS.debug("Creating local request exception:"+e.toString());
 }
- String instanceRoot = config.getString("instanceRoot");
-
- CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
-
 processor.populate(info);
 String caPriKeyID = config.getString(
@@ -327,8 +375,21 @@ public class CertUtil {
 "Ceritifcate Authority is not ready to serve.");
 throw new IOException("Ceritifcate Authority is not ready to serve.");
 }
- ICertRecord record = (ICertRecord) cr.createCertRecord(
- cert.getSerialNumber(), cert, null);
+
+ ICertRecord record = null;
+ try {
+ MetaInfo meta = new MetaInfo();
+ if (reqId != null) {
+ meta.set(ICertRecord.META_REQUEST_ID, reqId.toString());
+ }
+
+ meta.set(ICertRecord.META_PROFILE_ID, profileId);
+ record = (ICertRecord) cr.createCertRecord(
+ cert.getSerialNumber(), cert, meta);
+ } catch (Exception e) {
+ CMS.debug(
+ "NamePanel configCert: failed to add metainfo. Exception: " + e.toString());
+ }
 try {
 cr.addCertificateRecord(record);
diff --git a/pki/dogtag/ca/pki-ca.spec b/pki/dogtag/ca/pki-ca.spec
index 0ef31a530..0420a332d 100644
--- a/pki/dogtag/ca/pki-ca.spec
+++ b/pki/dogtag/ca/pki-ca.spec
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name %{base_prefix}-%{base_component}
 %define base_version 1.0.0
-%define base_release 36
+%define base_release 37
 %define base_group System Environment/Daemons
 %define base_vendor Red Hat, Inc.
 %define base_license GPLv2 with exceptions
@@ -281,6 +281,8 @@ fi
 ###############################################################################
 %changelog
+* Fri Mar 27 2009 Ade Lee <alee@redhat.com> 1.0.0-37
+- Bugzilla Bug: 472916 - Renewal: certs created during post-installation can not be renewed via profile framework
 * Thu Mar 26 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-36
 - Bugzilla Bug #470175 - RFE: Directory Listing Enabled
 * Fri Mar 20 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-35
diff --git a/pki/dogtag/common/pki-common.spec b/pki/dogtag/common/pki-common.spec
index 02964eb55..4595ee206 100644
--- a/pki/dogtag/common/pki-common.spec
+++ b/pki/dogtag/common/pki-common.spec
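Review bot: `meta.set(ICertRecord.META_PROFILE_ID, profileId);` runs unconditionally while the META_REQUEST_ID line beside it is guarded, yet `profileId` is only assigned inside the request try-block of the preceding hunk, which logs and carries on when request creation fails, so that path reaches this line with `profileId == null`; guard it the same way, `if (profileId != null) { meta.set(ICertRecord.META_PROFILE_ID, profileId); }`. Because the new try/catch also swallows a failure of `cr.createCertRecord`, `record` then stays null and is handed to `cr.addCertificateRecord(record)` a few lines further down, where the old code would have let the original exception propagate; either rethrow there or skip the add when `record == null`, so the cert is not half-registered with only a debug line as evidence. The message `"NamePanel configCert: failed to add metainfo. Exception: "` names the wrong class and method and should read `"CertUtil createLocalCert: failed to add metainfo. Exception: "` so the log is searchable. createLocalCert continues beyond the hunk.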
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name %{base_prefix}-%{base_component}
 %define base_version 1.0.0
-%define base_release 58
+%define base_release 59
 %define base_group System Environment/Base
 %define base_vendor Red Hat, Inc.
 %define base_license GPLv2 with exceptions
@@ -285,6 +285,8 @@ chmod 00755 %{_datadir}/%{base_prefix}/setup/postinstall
 ###############################################################################
 %changelog
+* Mon Mar 30 2009 Ade Lee <alee@redhat.com> 1.0.0-59
+- Bugzilla Bug: 472916 - Renewal: certs created during post-installation can not be renewed via profile framework
 * Mon Mar 30 2009 Ade Lee <alee@redhat.com> 1.0.0-58
 - Bugzilla Bug 475566 - cannot tell renewals from enrollment requests
 * Thu Mar 26 2009 Andrew Wnuk <awnuk@redhat.com> 1.0.0-57 |