Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 253 |
1 files changed, 134 insertions, 119 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index afbb24a78..f726db6f1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -21,7 +21,6 @@ import java.math.BigInteger;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -179,10 +178,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 for (Cert cert : certs) {
 try {
- CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
- ConfigurationUtils.handleCerts(cert);
+ CMS.debug("=== Handling " + cert.getCertTag() + " cert ===");
+ ConfigurationUtils.handleCert(cert);
 ConfigurationUtils.setCertPermissions(cert.getCertTag());
- CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
+
 } catch (Exception e) {
 CMS.debug(e);
 throw new PKIException("Error in configuring system certificates: " + e, e);
@@ -290,118 +289,118 @@ public class SystemConfigService extends PKIService implements SystemConfigResou return certList; } - public void processCerts(ConfigurationRequest request, String token, Collection<String> certList, - Collection<Cert> certs, MutableBoolean hasSigningCert) { + public void processCerts( + ConfigurationRequest request, + String token, + Collection<String> certList, + Collection<Cert> certs, + MutableBoolean hasSigningCert) throws Exception { - try { - boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false"); - boolean generateSubsystemCert = request.getGenerateSubsystemCert(); + boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false"); + boolean generateSubsystemCert = request.getGenerateSubsystemCert(); - hasSigningCert.setValue(false); + hasSigningCert.setValue(false); - for (String tag : certList) { - boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true); - if (!enable) continue; + for (String tag : certList) { - SystemCertData certData = null; + CMS.debug("=== Processing " + tag + " cert ==="); - for (SystemCertData systemCert : request.getSystemCerts()) { - if (systemCert.getTag().equals(tag)) { - certData = systemCert; - break; - } - } + boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true); + if (!enable) continue; - if (certData == null) { - CMS.debug("No data for '" + tag + "' was found!"); - throw new BadRequestException("No data for '" + tag + "' was found!"); + SystemCertData certData = null; + + for (SystemCertData systemCert : request.getSystemCerts()) { + if (systemCert.getTag().equals(tag)) { + certData = systemCert; + break; } + } - String tokenName = certData.getToken() != null ? 
certData.getToken() : token; - if (request.getStandAlone() && request.getStepTwo()) { - // Stand-alone PKI (Step 2) - if (tag.equals("external_signing")) { + if (certData == null) { + CMS.debug("No data for '" + tag + "' was found!"); + throw new BadRequestException("No data for '" + tag + "' was found!"); + } - String b64 = certData.getCert(); - if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - hasSigningCert.setValue(true); + String tokenName = certData.getToken() != null ? certData.getToken() : token; + if (request.getStandAlone() && request.getStepTwo()) { + // Stand-alone PKI (Step 2) + if (tag.equals("external_signing")) { - if (request.getIssuingCA().equals("External CA")) { - String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA"; - Cert cert = new Cert(tokenName, nickname, tag); - ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert); + String b64 = certData.getCert(); + if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { + hasSigningCert.setValue(true); - CMS.debug("Step 2: certStr for '" + tag + "' is " + b64); - String certChainStr = certData.getCertChain(); + if (request.getIssuingCA().equals("External CA")) { + String nickname = certData.getNickname() != null ? 
certData.getNickname() : "caSigningCert External CA"; + Cert cert = new Cert(tokenName, nickname, tag); + ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert); - if (certChainStr != null) { - ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert); - CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr); - certs.add(cert); + CMS.debug("Step 2: certStr for '" + tag + "' is " + b64); + String certChainStr = certData.getCertChain(); - } else { - throw new BadRequestException("CertChain not provided"); - } - } + if (certChainStr != null) { + ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert); + CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr); + certs.add(cert); - continue; + } else { + throw new BadRequestException("CertChain not provided"); + } } - } - } - if (!generateServerCert && tag.equals("sslserver")) { - updateConfiguration(request, certData, "sslserver"); - continue; + continue; + } } + } - if (!generateSubsystemCert && tag.equals("subsystem")) { - // update the details for the shared subsystem cert here. - updateConfiguration(request, certData, "subsystem"); + if (!generateServerCert && tag.equals("sslserver")) { + updateConfiguration(request, certData, "sslserver"); + continue; + } - // get parameters needed for cloning - updateCloneConfiguration(certData, "subsystem", tokenName); - continue; - } + if (!generateSubsystemCert && tag.equals("subsystem")) { + // update the details for the shared subsystem cert here. 
+ updateConfiguration(request, certData, "subsystem"); - processCert( - request, - token, - certList, - certs, - hasSigningCert, - certData, - tokenName); + // get parameters needed for cloning + updateCloneConfiguration(certData, "subsystem", tokenName); + continue; } - // make sure to commit changes here for step 1 - cs.commit(false); + processKeyPair( + request, + token, + certData); - } catch (NumberFormatException e) { - // move these validations to validate()? - throw new BadRequestException("Non-integer value for key size"); + Cert cert = processCert( + request, + hasSigningCert, + certData, + tokenName); - } catch (NoSuchAlgorithmException e) { - throw new BadRequestException("Invalid algorithm " + e); + certs.add(cert); + } - } catch (PKIException e) { - throw e; + // make sure to commit changes here for step 1 + cs.commit(false); - } catch (Exception e) { - CMS.debug(e); - throw new PKIException("Error in setting certificate names and key sizes: " + e); + ConfigurationUtils.updateServerCertNickConf(); + + if (request.isClone()) { + ConfigurationUtils.updateCloneConfig(); } } - public void processCert( + public void processKeyPair( ConfigurationRequest request, String token, - Collection<String> certList, - Collection<Cert> certs, - MutableBoolean hasSigningCert, - SystemCertData certData, - String tokenName) throws Exception { + SystemCertData certData + ) throws Exception { String tag = certData.getTag(); + CMS.debug("SystemConfigService.processKeyPair(" + tag + ")"); + String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa"; String keyalgorithm = certData.getKeyAlgorithm(); 
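Review bot: Dropping the try/catch around the loop removes the translation of `NumberFormatException` into `BadRequestException("Non-integer value for key size")` without replacing it, while the `Integer.parseInt(keysize)` that can raise it still runs in processKeyPair (next hunk); now that processCerts is declared `throws Exception`, a malformed client-supplied key size propagates as a generic exception and will presumably be reported by the caller as a server error instead of a bad request. The removed `NoSuchAlgorithmException` mapping to `BadRequestException("Invalid algorithm " + e)` is lost the same way. I would keep the check next to the parse: `int size; try { size = Integer.parseInt(keysize); } catch (NumberFormatException e) { throw new BadRequestException("Non-integer value for key size: " + keysize); }` and pass `size` to createRSAKeyPair, attaching `e` as the cause if BadRequestException has a (String, Throwable) constructor. processKeyPair starts in this hunk and continues into the next one.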
@@ -410,47 +409,69 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm; - String nickname = cs.getString("preop.cert." + tag + ".nickname"); - String dn = cs.getString("preop.cert." + tag + ".dn"); cs.putString("preop.cert." + tag + ".keytype", keytype); cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm); cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm); // support injecting SAN into server cert - if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { - CMS.debug("updateConfiguration(): san_server_cert found"); + if (tag.equals("sslserver") && certData.getServerCertSAN() != null) { + CMS.debug("SystemConfigService: san_server_cert found"); cs.putString("service.injectSAN", "true"); cs.putString("service.sslserver.san", certData.getServerCertSAN()); + } else { - if ( tag.equals("sslserver")) - CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); + if (tag.equals("sslserver")) { + CMS.debug("SystemConfigService: san_server_cert not found"); + } } cs.commit(false); if (request.isExternal() && tag.equals("signing")) { // external/existing CA - // load key pair for existing and externally-signed signing cert - CMS.debug("SystemConfigService: loading signing cert key pair"); + + CMS.debug("SystemConfigService: loading existing key pair from NSS database"); KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken()); + + CMS.debug("SystemConfigService: storing key pair into CS.cfg"); ConfigurationUtils.storeKeyPair(cs, tag, pair); } else if (!request.getStepTwo()) { + + CMS.debug("SystemConfigService: generating key pair"); + + KeyPair pair; if (keytype.equals("ecc")) { String curvename = certData.getKeySize() != null ? 
certData.getKeySize() : cs.getString("keys.ecc.curve.default"); cs.putString("preop.cert." + tag + ".curvename.name", curvename); - ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); + pair = ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); } else { String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default"); cs.putString("preop.cert." + tag + ".keysize.size", keysize); - ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); + pair = ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); } + CMS.debug("SystemConfigService: storing key pair into CS.cfg"); + ConfigurationUtils.storeKeyPair(cs, tag, pair); + } else { - CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'"); + CMS.debug("SystemConfigService: key pair already generated in step one"); } + } + + public Cert processCert( + ConfigurationRequest request, + MutableBoolean hasSigningCert, + SystemCertData certData, + String tokenName) throws Exception { + + String tag = certData.getTag(); + CMS.debug("SystemConfigService.processCert(" + tag + ")"); + + String nickname = cs.getString("preop.cert." + tag + ".nickname"); + String dn = cs.getString("preop.cert." + tag + ".dn"); Cert cert = new Cert(tokenName, nickname, tag); cert.setDN(dn); 
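Review bot: The new public methods processKeyPair and processCert have no Javadoc, and the three-way branch in processKeyPair (load an existing pair for an external signing cert, generate one in step one, do nothing in step two) is explained only by debug strings. I would add a Javadoc to processKeyPair stating that it records the key type, key algorithm and signing algorithm under `preop.cert.<tag>.*`, then either loads the existing key pair from the NSS database when `request.isExternal()` and the tag is `signing`, or generates a new ECC or RSA pair unless step two is selected, and stores the resulting pair via `ConfigurationUtils.storeKeyPair`; and one to processCert saying it returns the `Cert` built from the `preop.cert.<tag>.nickname` and `.dn` settings and sets `hasSigningCert` when the external CA's signing cert is loaded. As a style point, the `} else { if (tag.equals("sslserver")) { ... } }` block in the SAN handling reads more simply as `} else if (tag.equals("sslserver")) {`. processCert starts here and continues into the following hunks.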
@@ -462,13 +483,26 @@ public class SystemConfigService extends PKIService implements SystemConfigResou // update configuration for existing or externally-signed signing certificate String certStr = cs.getString("ca." + tag + ".cert" ); cert.setCert(certStr); - CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); + + CMS.debug("SystemConfigService: cert: " + certStr); ConfigurationUtils.updateConfig(cs, tag); - } else if (!request.getStepTwo()) { + CMS.debug("SystemConfigService: Loading cert request from CS.cfg"); + ConfigurationUtils.loadCertRequest(cs, tag, cert); + + CMS.debug("SystemConfigService: Loading cert " + tag); + ConfigurationUtils.loadCert(cs, cert); + + CMS.debug("SystemConfigService: External CA has signing cert"); + hasSigningCert.setValue(true); + return cert; + } + + if (!request.getStepTwo()) { ConfigurationUtils.configCert(null, null, null, cert); } else { + String subsystem = cs.getString("preop.cert." + tag + ".subsystem"); String certStr; 
@@ -484,24 +518,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } cert.setCert(certStr); - CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); + CMS.debug("SystemConfigService: cert: " + certStr); } - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - - CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); - ConfigurationUtils.loadCertRequest(cs, tag, cert); - - CMS.debug("SystemConfigService: Loading cert " + tag); - ConfigurationUtils.loadCert(cs, cert); - - } else if (request.getStandAlone()) { + if (request.getStandAlone()) { // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) if (!request.getStepTwo()) { // Stand-alone PKI (Step 1) ConfigurationUtils.generateCertRequest(cs, tag, cert); - CMS.debug("Stand-alone " + csType + " Admin CSR"); + CMS.debug("SystemConfigService: Standalone " + csType + " Admin CSR"); String adminSubjectDN = request.getAdminSubjectDN(); String certreqStr = request.getAdminCertRequest(); certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr); @@ -515,17 +541,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.generateCertRequest(cs, tag, cert); } - if (request.isClone()) { - ConfigurationUtils.updateCloneConfig(); - } - - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - CMS.debug("SystemConfigService: External CA has signing cert"); - hasSigningCert.setValue(true); - certs.add(cert); - return; - } - // to determine if we have the signing cert when using an external ca // this will only execute on a ca or stand-alone pki String b64 = certData.getCert(); @@ -545,7 +560,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } } - certs.add(cert); + return cert; } private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException, |