4 files changed, 43 insertions, 12 deletions
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index dc999a120..a7c32cc2b 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -220,7 +220,12 @@ class PKCS12ImportCLI(pki.cli.CLI):
 cert_id = cert_info['id']
 nickname = cert_info['nickname']
- trust_flags = cert_info['trust_flags']
+
+ if 'trust_flags' in cert_info:
+ trust_flags = cert_info['trust_flags']
+ else:
+ # default trust flags for CA certificates
+ trust_flags = 'CT,c,c'
 if main_cli.verbose:
 print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 25838f1f3..7aeee7e9f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -113,6 +113,7 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 import com.netscape.certsrv.account.AccountClient;
 import com.netscape.certsrv.apps.CMS;
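Review bot: The `else` branch assigns `trust_flags = 'CT,c,c'` to every cert_info entry that lacks the key, while the comment says the default is meant for CA certificates; nothing in the hunk checks that the certificate is actually a CA, so an end-entity or server certificate missing the field would be imported as a trusted CA for SSL/TLS. A safer default is the NSS no-trust value `trust_flags = ',,'`, with `'CT,c,c'` applied only where the caller has established that the cert is a CA; at minimum the comment should state the consequence, e.g. `# no trust flags recorded: treated as a trusted CA (over-permissive for non-CA certs)`. The enclosing method of PKCS12ImportCLI starts before this hunk and continues past it.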
@@ -3801,14 +3802,15 @@ public class ConfigurationUtils {
 content.putSingle("httpport", CMS.getEENonSSLPort());
 try {
+ CMS.debug("Update security domain using admin interface");
 String session_id = CMS.getConfigSDSessionId();
 content.putSingle("sessionID", session_id);
 updateDomainXML(sd_host, sd_admin_port, true, url, content, false);
 } catch (Exception e) {
- CMS.debug("updateSecurityDomain: failed to update security domain using admin port "
- + sd_admin_port + ": " + e);
- CMS.debug("updateSecurityDomain: now trying agent port with client auth");
+ CMS.debug("Unable to access admin interface: " + e);
+
+ CMS.debug("Update security domain using agent interface");
 url = "/ca/agent/ca/updateDomainXML";
 updateDomainXML(sd_host, sd_agent_port, true, url, content, true);
 }
@@ -3873,7 +3875,12 @@ public class ConfigurationUtils {
 c = post(hostname, port, https, servlet, content, null, null);
 }
- if (c != null && !c.equals("")) {
+ if (c == null || c.equals("")) {
+ CMS.debug("Unable to update security domain: empty response");
+ throw new IOException("Unable to update security domain: empty response");
+ }
+
+ try {
 ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
 XMLObject obj = new XMLObject(bis);
 String status = obj.getValue("Status");
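Review bot: The catch block logs only `e.toString()` through `CMS.debug("Unable to access admin interface: " + e)` before falling back to the agent interface, so the stack trace of the admin-port failure is lost; `CMS.debug(e)`, the overload this same commit uses in SystemConfigService, would keep it. Because the catch is on `Exception`, every failure of updateDomainXML, including the new "authentication failure" and "empty response" IOExceptions it now throws, triggers the agent-port retry; if that is intended it deserves a comment such as `// any admin-interface failure (including auth failure) falls back to the agent interface with client auth`. The enclosing method starts before this hunk.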
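Review bot: `new ByteArrayInputStream(c.getBytes())` encodes the response with the platform default charset, so a non-ASCII Error value from the security domain host could be mangled before XMLObject parses it; if the response is UTF-8 (not verifiable from the hunk), `c.getBytes(StandardCharsets.UTF_8)` with the matching import would make the decoding deterministic. The new empty-response check rejects only the exact empty string, so a whitespace-only body still reaches the parser; `if (c == null || c.trim().isEmpty()) {` covers that case. The `try` opened at the end of this hunk is closed in the next one.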
@@ -3881,13 +3888,21 @@ public class ConfigurationUtils {
 if (status.equals(SUCCESS)) {
 return;
+
+ } else if (status.equals(AUTH_FAILURE)) {
+ CMS.debug("Unable to update security domain: authentication failure");
+ throw new IOException("Unable to update security domain: authentication failure");
+
 } else {
 String error = obj.getValue("Error");
- throw new IOException(error);
+ CMS.debug("Unable to update security domain: " + error);
+ throw new IOException("Unable to update security domain: " + error);
 }
- } else {
- throw new IOException("Failed to get response when updating security domain");
+ } catch (SAXParseException e) {
+ CMS.debug("Unable to update security domain: " + e);
+ CMS.debug(c);
+ throw new IOException("Unable to update security domain: " + e, e);
 }
 }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index c56f33281..d3410bcb4 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -282,7 +282,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 cs.putString("securitydomain.store", "ldap");
 cs.commit(false);
 } catch (Exception e) {
- e.printStackTrace();
+ CMS.debug(e);
 throw new PKIException("Error while updating security domain: " + e);
 }
 }
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 967479b69..43435c822 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -31,6 +31,7 @@ import java.security.cert.CertificateException;
 import java.util.Collection;
 import java.util.logging.Logger;
+import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
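Review bot: `status.equals(SUCCESS)` and the new `status.equals(AUTH_FAILURE)` throw NullPointerException rather than the intended IOException if `obj.getValue("Status")` returns null for a response without a Status element (getValue's contract is not visible here), and that NPE is not caught by `catch (SAXParseException e)`; writing them as `SUCCESS.equals(status)` and `AUTH_FAILURE.equals(status)` routes a missing status into the existing `else` branch with its "Unable to update security domain" message. The catch also covers only SAXParseException, so any other exception from `new XMLObject(bis)` (its throws clause is not shown) still propagates without that context. The try block begins in the previous hunk; since `CMS.debug(c)` writes the full response body to the debug log, a comment such as `// log the raw response so malformed XML from the security domain can be diagnosed` would make the intent explicit.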
@@ -67,6 +68,7 @@ import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
 import org.mozilla.jss.util.Password;
 import netscape.ldap.LDAPDN;
+import netscape.ldap.util.DN;
 import netscape.security.x509.X509CertImpl;
 public class PKCS12Util {
@@ -417,7 +419,8 @@ public class PKCS12Util {
 byte[] x509cert = certStr.toByteArray();
 certInfo.cert = new X509CertImpl(x509cert);
- logger.fine(" Subject DN: " + certInfo.cert.getSubjectDN());
+ Principal subjectDN = certInfo.cert.getSubjectDN();
+ logger.fine(" Subject DN: " + subjectDN);
 SET bagAttrs = bag.getBagAttributes();
@@ -468,6 +471,14 @@ public class PKCS12Util {
 logger.fine(" ID: " + certInfo.id.toString(16));
 }
+ if (certInfo.nickname == null) {
+ logger.fine(" Nickname not specified, generating new nickname");
+ DN dn = new DN(subjectDN.getName());
+ String[] values = dn.explodeDN(true);
+ certInfo.nickname = StringUtils.join(values, " - ");
+ logger.fine(" Nickname: " + certInfo.nickname);
+ }
+
 return certInfo;
 }
@@ -580,9 +591,9 @@ public class PKCS12Util {
 privateKeyInfo.encode(bos);
 byte[] privateKey = bos.toByteArray();
- PKCS12CertInfo certInfo = getCertBySubjectDN(pkcs12, keyInfo.subjectDN);
+ PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID());
 if (certInfo == null) {
- logger.fine("Private key nas no certificate, ignore");
+ logger.fine("Private key has no certificate, ignore");
 return;
 } |
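Review bot: The nickname generated in the new `if (certInfo.nickname == null)` block is built solely from the subject DN values, so two certificates with the same subject (for example a renewed certificate stored next to its predecessor) receive identical nicknames and nothing here detects the collision; the -580 hunk's lookup by `keyInfo.getID()` is unaffected, but any caller that addresses certificates by nickname may then pick the wrong one. `subjectDN` is assigned in the -417 hunk of the same method; if `getSubjectDN()` can return null for a certificate with an empty subject (not verifiable from the hunk), `subjectDN.getName()` would throw where the old code merely logged, so a null guard with a fallback such as the certificate ID would be safer. A comment above the block, e.g. `// nickname not specified in the PKCS #12 file: derive one from the subject DN values (not guaranteed unique)`, would document the intent and the limitation.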