Diffstat (limited to 'base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java')
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java253
1 files changed, 134 insertions, 119 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index afbb24a78..f726db6f1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -21,7 +21,6 @@ import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
@@ -179,10 +178,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
for (Cert cert : certs) {
try {
- CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
- ConfigurationUtils.handleCerts(cert);
+ CMS.debug("=== Handling " + cert.getCertTag() + " cert ===");
+ ConfigurationUtils.handleCert(cert);
ConfigurationUtils.setCertPermissions(cert.getCertTag());
- CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
+
} catch (Exception e) {
CMS.debug(e);
throw new PKIException("Error in configuring system certificates: " + e, e);
@@ -290,118 +289,118 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
return certList;
}
- public void processCerts(ConfigurationRequest request, String token, Collection<String> certList,
- Collection<Cert> certs, MutableBoolean hasSigningCert) {
+ public void processCerts(
+ ConfigurationRequest request,
+ String token,
+ Collection<String> certList,
+ Collection<Cert> certs,
+ MutableBoolean hasSigningCert) throws Exception {
- try {
- boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false");
- boolean generateSubsystemCert = request.getGenerateSubsystemCert();
+ boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false");
+ boolean generateSubsystemCert = request.getGenerateSubsystemCert();
- hasSigningCert.setValue(false);
+ hasSigningCert.setValue(false);
- for (String tag : certList) {
- boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true);
- if (!enable) continue;
+ for (String tag : certList) {
- SystemCertData certData = null;
+ CMS.debug("=== Processing " + tag + " cert ===");
- for (SystemCertData systemCert : request.getSystemCerts()) {
- if (systemCert.getTag().equals(tag)) {
- certData = systemCert;
- break;
- }
- }
+ boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true);
+ if (!enable) continue;
- if (certData == null) {
- CMS.debug("No data for '" + tag + "' was found!");
- throw new BadRequestException("No data for '" + tag + "' was found!");
+ SystemCertData certData = null;
+
+ for (SystemCertData systemCert : request.getSystemCerts()) {
+ if (systemCert.getTag().equals(tag)) {
+ certData = systemCert;
+ break;
}
+ }
- String tokenName = certData.getToken() != null ? certData.getToken() : token;
- if (request.getStandAlone() && request.getStepTwo()) {
- // Stand-alone PKI (Step 2)
- if (tag.equals("external_signing")) {
+ if (certData == null) {
+ CMS.debug("No data for '" + tag + "' was found!");
+ throw new BadRequestException("No data for '" + tag + "' was found!");
+ }
- String b64 = certData.getCert();
- if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
- hasSigningCert.setValue(true);
+ String tokenName = certData.getToken() != null ? certData.getToken() : token;
+ if (request.getStandAlone() && request.getStepTwo()) {
+ // Stand-alone PKI (Step 2)
+ if (tag.equals("external_signing")) {
- if (request.getIssuingCA().equals("External CA")) {
- String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA";
- Cert cert = new Cert(tokenName, nickname, tag);
- ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert);
+ String b64 = certData.getCert();
+ if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
+ hasSigningCert.setValue(true);
- CMS.debug("Step 2: certStr for '" + tag + "' is " + b64);
- String certChainStr = certData.getCertChain();
+ if (request.getIssuingCA().equals("External CA")) {
+ String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA";
+ Cert cert = new Cert(tokenName, nickname, tag);
+ ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert);
- if (certChainStr != null) {
- ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert);
- CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr);
- certs.add(cert);
+ CMS.debug("Step 2: certStr for '" + tag + "' is " + b64);
+ String certChainStr = certData.getCertChain();
- } else {
- throw new BadRequestException("CertChain not provided");
- }
- }
+ if (certChainStr != null) {
+ ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert);
+ CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr);
+ certs.add(cert);
- continue;
+ } else {
+ throw new BadRequestException("CertChain not provided");
+ }
}
- }
- }
- if (!generateServerCert && tag.equals("sslserver")) {
- updateConfiguration(request, certData, "sslserver");
- continue;
+ continue;
+ }
}
+ }
- if (!generateSubsystemCert && tag.equals("subsystem")) {
- // update the details for the shared subsystem cert here.
- updateConfiguration(request, certData, "subsystem");
+ if (!generateServerCert && tag.equals("sslserver")) {
+ updateConfiguration(request, certData, "sslserver");
+ continue;
+ }
- // get parameters needed for cloning
- updateCloneConfiguration(certData, "subsystem", tokenName);
- continue;
- }
+ if (!generateSubsystemCert && tag.equals("subsystem")) {
+ // update the details for the shared subsystem cert here.
+ updateConfiguration(request, certData, "subsystem");
- processCert(
- request,
- token,
- certList,
- certs,
- hasSigningCert,
- certData,
- tokenName);
+ // get parameters needed for cloning
+ updateCloneConfiguration(certData, "subsystem", tokenName);
+ continue;
}
- // make sure to commit changes here for step 1
- cs.commit(false);
+ processKeyPair(
+ request,
+ token,
+ certData);
- } catch (NumberFormatException e) {
- // move these validations to validate()?
- throw new BadRequestException("Non-integer value for key size");
+ Cert cert = processCert(
+ request,
+ hasSigningCert,
+ certData,
+ tokenName);
- } catch (NoSuchAlgorithmException e) {
- throw new BadRequestException("Invalid algorithm " + e);
+ certs.add(cert);
+ }
- } catch (PKIException e) {
- throw e;
+ // make sure to commit changes here for step 1
+ cs.commit(false);
- } catch (Exception e) {
- CMS.debug(e);
- throw new PKIException("Error in setting certificate names and key sizes: " + e);
+ ConfigurationUtils.updateServerCertNickConf();
+
+ if (request.isClone()) {
+ ConfigurationUtils.updateCloneConfig();
}
}
- public void processCert(
+ public void processKeyPair(
ConfigurationRequest request,
String token,
- Collection<String> certList,
- Collection<Cert> certs,
- MutableBoolean hasSigningCert,
- SystemCertData certData,
- String tokenName) throws Exception {
+ SystemCertData certData
+ ) throws Exception {
String tag = certData.getTag();
+ CMS.debug("SystemConfigService.processKeyPair(" + tag + ")");
+
String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa";
String keyalgorithm = certData.getKeyAlgorithm();
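Review bot: The removed `catch (NumberFormatException e)` and `catch (NoSuchAlgorithmException e)` blocks that turned a bad key size or algorithm value into a `BadRequestException` are not replaced, so the request-supplied key size parsed by `Integer.parseInt(keysize)` in `processKeyPair` (next hunk) now leaves `processCerts` as a raw `NumberFormatException` through the new `throws Exception` clause. Unless the caller outside this hunk maps it, a malformed client value is reported as an internal error instead of a 400, and the operator loses the specific cause. The removed comment `// move these validations to validate()?` points at the intended fix: check the key size and algorithm name in `validate()` before processing, or wrap the `processKeyPair(...)` call with `} catch (NumberFormatException e) { throw new BadRequestException("Non-integer value for key size"); }`. The `processKeyPair` method continues past the end of this hunk.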
@@ -410,47 +409,69 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm;
- String nickname = cs.getString("preop.cert." + tag + ".nickname");
- String dn = cs.getString("preop.cert." + tag + ".dn");
cs.putString("preop.cert." + tag + ".keytype", keytype);
cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm);
cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm);
// support injecting SAN into server cert
- if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) {
- CMS.debug("updateConfiguration(): san_server_cert found");
+ if (tag.equals("sslserver") && certData.getServerCertSAN() != null) {
+ CMS.debug("SystemConfigService: san_server_cert found");
cs.putString("service.injectSAN", "true");
cs.putString("service.sslserver.san", certData.getServerCertSAN());
+
} else {
- if ( tag.equals("sslserver"))
- CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver");
+ if (tag.equals("sslserver")) {
+ CMS.debug("SystemConfigService: san_server_cert not found");
+ }
}
cs.commit(false);
if (request.isExternal() && tag.equals("signing")) { // external/existing CA
- // load key pair for existing and externally-signed signing cert
- CMS.debug("SystemConfigService: loading signing cert key pair");
+
+ CMS.debug("SystemConfigService: loading existing key pair from NSS database");
KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken());
+
+ CMS.debug("SystemConfigService: storing key pair into CS.cfg");
ConfigurationUtils.storeKeyPair(cs, tag, pair);
} else if (!request.getStepTwo()) {
+
+ CMS.debug("SystemConfigService: generating key pair");
+
+ KeyPair pair;
if (keytype.equals("ecc")) {
String curvename = certData.getKeySize() != null ?
certData.getKeySize() : cs.getString("keys.ecc.curve.default");
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+ pair = ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
} else {
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
.getString("keys.rsa.keysize.default");
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+ pair = ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
}
+ CMS.debug("SystemConfigService: storing key pair into CS.cfg");
+ ConfigurationUtils.storeKeyPair(cs, tag, pair);
+
} else {
- CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'");
+ CMS.debug("SystemConfigService: key pair already generated in step one");
}
+ }
+
+ public Cert processCert(
+ ConfigurationRequest request,
+ MutableBoolean hasSigningCert,
+ SystemCertData certData,
+ String tokenName) throws Exception {
+
+ String tag = certData.getTag();
+ CMS.debug("SystemConfigService.processCert(" + tag + ")");
+
+ String nickname = cs.getString("preop.cert." + tag + ".nickname");
+ String dn = cs.getString("preop.cert." + tag + ".dn");
Cert cert = new Cert(tokenName, nickname, tag);
cert.setDN(dn);
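Review bot: `processKeyPair` is a new public method with three distinct outcomes and no Javadoc; the branching on `request.isExternal()`/`tag.equals("signing")` and `request.getStepTwo()` can only be understood by reading the body. A Javadoc stating that for an external/existing CA signing cert the key pair is loaded from the NSS token named by `certData.getToken()`, that outside step two a new ECC or RSA pair is generated on `token` and recorded via `storeKeyPair`, and that in step two nothing is generated would also make the newly added `storeKeyPair` call for generated keys explicit, since the old code only stored the loaded external pair. The load branch uses `certData.getToken()` directly while generation uses the `token` parameter; if that asymmetry is intentional, a one-line comment saying so would prevent a later "fix". The new `processCert` that begins at the end of this hunk continues beyond it.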
@@ -462,13 +483,26 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
// update configuration for existing or externally-signed signing certificate
String certStr = cs.getString("ca." + tag + ".cert" );
cert.setCert(certStr);
- CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr);
+
+ CMS.debug("SystemConfigService: cert: " + certStr);
ConfigurationUtils.updateConfig(cs, tag);
- } else if (!request.getStepTwo()) {
+ CMS.debug("SystemConfigService: Loading cert request from CS.cfg");
+ ConfigurationUtils.loadCertRequest(cs, tag, cert);
+
+ CMS.debug("SystemConfigService: Loading cert " + tag);
+ ConfigurationUtils.loadCert(cs, cert);
+
+ CMS.debug("SystemConfigService: External CA has signing cert");
+ hasSigningCert.setValue(true);
+ return cert;
+ }
+
+ if (!request.getStepTwo()) {
ConfigurationUtils.configCert(null, null, null, cert);
} else {
+
String subsystem = cs.getString("preop.cert." + tag + ".subsystem");
String certStr;
@@ -484,24 +518,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cert.setCert(certStr);
- CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr);
+ CMS.debug("SystemConfigService: cert: " + certStr);
}
- if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-
- CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert");
- ConfigurationUtils.loadCertRequest(cs, tag, cert);
-
- CMS.debug("SystemConfigService: Loading cert " + tag);
- ConfigurationUtils.loadCert(cs, cert);
-
- } else if (request.getStandAlone()) {
+ if (request.getStandAlone()) {
// Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
if (!request.getStepTwo()) {
// Stand-alone PKI (Step 1)
ConfigurationUtils.generateCertRequest(cs, tag, cert);
- CMS.debug("Stand-alone " + csType + " Admin CSR");
+ CMS.debug("SystemConfigService: Standalone " + csType + " Admin CSR");
String adminSubjectDN = request.getAdminSubjectDN();
String certreqStr = request.getAdminCertRequest();
certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr);
@@ -515,17 +541,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
ConfigurationUtils.generateCertRequest(cs, tag, cert);
}
- if (request.isClone()) {
- ConfigurationUtils.updateCloneConfig();
- }
-
- if (request.isExternal() && tag.equals("signing")) { // external/existing CA
- CMS.debug("SystemConfigService: External CA has signing cert");
- hasSigningCert.setValue(true);
- certs.add(cert);
- return;
- }
-
// to determine if we have the signing cert when using an external ca
// this will only execute on a ca or stand-alone pki
String b64 = certData.getCert();
@@ -545,7 +560,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
}
- certs.add(cert);
+ return cert;
}
private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException,