diff options
Diffstat (limited to 'base/server/cms/src')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 101 | ||||
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 38 |
2 files changed, 135 insertions, 4 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 88118adf8..91dad159b 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -126,6 +126,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.ResourceNotFoundException; import com.netscape.certsrv.ca.ICertificateAuthority; @@ -133,6 +134,8 @@ import com.netscape.certsrv.client.ClientConfig; import com.netscape.certsrv.client.PKIClient; import com.netscape.certsrv.client.PKIConnection; import com.netscape.certsrv.dbs.IDBSubsystem; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; import com.netscape.certsrv.key.KeyData; import com.netscape.certsrv.ldap.ILdapConnFactory; @@ -2248,6 +2251,54 @@ public class ConfigurationUtils { certObj.setCertChain(certChainStr); } + public static KeyPair loadKeyPair(String nickname) throws Exception { + + CMS.debug("ConfigurationUtils: loadKeyPair(" + nickname + ")"); + + CryptoManager cm = CryptoManager.getInstance(); + + X509Certificate cert = cm.findCertByNickname(nickname); + PublicKey publicKey = cert.getPublicKey(); + PrivateKey privateKey = cm.findPrivKeyByCert(cert); + + return new KeyPair(publicKey, privateKey); + } + + public static void storeKeyPair(IConfigStore config, String tag, KeyPair pair) + throws TokenException, EBaseException { + + CMS.debug("ConfigurationUtils: storeKeyPair(" + tag + ")"); + + PublicKey publicKey = pair.getPublic(); + + if (publicKey instanceof RSAPublicKey) { + + RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey; + + byte modulus[] = rsaPublicKey.getModulus().toByteArray(); + config.putString(PCERT_PREFIX + tag + ".pubkey.modulus", + CryptoUtil.byte2string(modulus)); + + byte exponent[] = rsaPublicKey.getPublicExponent().toByteArray(); + config.putString(PCERT_PREFIX + tag + ".pubkey.exponent", + CryptoUtil.byte2string(exponent)); + + } else { // ECC + + CMS.debug("ConfigurationUtils: Public key class: " + publicKey.getClass().getName()); + byte encoded[] = publicKey.getEncoded(); + config.putString(PCERT_PREFIX + tag + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); + } + + PrivateKey privateKey = (PrivateKey) pair.getPrivate(); + byte id[] = privateKey.getUniqueID(); + String kid = CryptoUtil.byte2string(id); + config.putString(PCERT_PREFIX + tag + ".privkey.id", kid); + + String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm"); + setSigningAlgorithm(tag, keyAlgo, config); + } + public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { @@ -2812,6 +2863,20 @@ public class ConfigurationUtils { } } + public static void loadCertRequest(IConfigStore config, String tag, Cert cert) throws Exception { + + CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")"); + + String subjectDN = config.getString(PCERT_PREFIX + tag + ".dn"); + cert.setDN(subjectDN); + + String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem"); + String certreq = config.getString(subsystem + "." + tag + ".certreq"); + String formattedCertreq = CryptoUtil.reqFormat(certreq); + + cert.setRequest(formattedCertreq); + } + public static void handleCertRequest(IConfigStore config, String certTag, Cert cert) throws EPropertyNotFound, EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, IOException { @@ -2953,6 +3018,42 @@ public class ConfigurationUtils { return pubk; } + public static void loadCert(IConfigStore config, Cert cert) throws Exception { + + String tag = cert.getCertTag(); + CMS.debug("ConfigurationUtils: loadCert(" + tag + ")"); + + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate x509Cert = cm.findCertByNickname(cert.getNickname()); + + if (!x509Cert.getSubjectDN().equals(x509Cert.getIssuerDN())) { + CMS.debug("ConfigurationUtils: " + tag + " cert is not self-signed"); + + String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem"); + String certChain = config.getString(subsystem + ".external_ca_chain.cert"); + cert.setCertChain(certChain); + + return; + } + + CMS.debug("ConfigurationUtils: " + tag + " cert is self-signed"); + + // When importing existing self-signed CA certificate, create a + // certificate record to reserve the serial number. Otherwise it + // might conflict with system certificates to be created later. + + X509CertImpl x509CertImpl = new X509CertImpl(x509Cert.getEncoded()); + + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID); + ICertificateRepository cr = ca.getCertificateRepository(); + + BigInteger serialNo = x509Cert.getSerialNumber(); + MetaInfo meta = new MetaInfo(); + + ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta); + cr.addCertificateRecord(record); + } + public static int handleCerts(Cert cert) throws IOException, EBaseException, CertificateException, NotInitializedException, TokenException, InvalidKeyException { String certTag = cert.getCertTag(); diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index a0138681a..697196a6e 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -20,6 +20,7 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; import java.net.URL; +import java.security.KeyPair; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.util.ArrayList; @@ -420,7 +421,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } cs.commit(false); - if (!request.getStepTwo()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + // load key pair for existing and externally-signed signing cert + CMS.debug("SystemConfigService: loading signing cert key pair"); + KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname()); + ConfigurationUtils.storeKeyPair(cs, tag, pair); + + } else if (!request.getStepTwo()) { if (keytype.equals("ecc")) { String curvename = certData.getKeyCurveName() != null ? certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); @@ -443,7 +450,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem")); cert.setType(cs.getString("preop.cert." + tag + ".type")); - if (!request.getStepTwo()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + + // update configuration for existing or externally-signed signing certificate + String certStr = cs.getString("ca." + tag + ".cert" ); + cert.setCert(certStr); + CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); + ConfigurationUtils.updateConfig(cs, tag); + + } else if (!request.getStepTwo()) { ConfigurationUtils.configCert(null, null, null, cert); } else { @@ -465,8 +480,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); } - // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) - if (request.getStandAlone()) { + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + + CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); + ConfigurationUtils.loadCertRequest(cs, tag, cert); + + CMS.debug("SystemConfigService: Loading cert " + tag); + ConfigurationUtils.loadCert(cs, cert); + + } else if (request.getStandAlone()) { + // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) if (!request.getStepTwo()) { // Stand-alone PKI (Step 1) ConfigurationUtils.handleCertRequest(cs, tag, cert); @@ -489,6 +512,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.updateCloneConfig(); } + if (request.isExternal() && tag.equals("signing")) { // external/existing CA + CMS.debug("SystemConfigService: External CA has signing cert"); + hasSigningCert.setValue(true); + certs.add(cert); + continue; + } + // to determine if we have the signing cert when using an external ca // this will only execute on a ca or stand-alone pki String b64 = certData.getCert(); |