Diffstat (limited to 'base/server/cms')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java101
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java38
2 files changed, 135 insertions, 4 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 88118adf8..91dad159b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -126,6 +126,7 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.MetaInfo;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceNotFoundException;
import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -133,6 +134,8 @@ import com.netscape.certsrv.client.ClientConfig;
import com.netscape.certsrv.client.PKIClient;
import com.netscape.certsrv.client.PKIConnection;
import com.netscape.certsrv.dbs.IDBSubsystem;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
import com.netscape.certsrv.key.KeyData;
import com.netscape.certsrv.ldap.ILdapConnFactory;
@@ -2248,6 +2251,54 @@ public class ConfigurationUtils {
certObj.setCertChain(certChainStr);
}
+ public static KeyPair loadKeyPair(String nickname) throws Exception {
+
+ CMS.debug("ConfigurationUtils: loadKeyPair(" + nickname + ")");
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ X509Certificate cert = cm.findCertByNickname(nickname);
+ PublicKey publicKey = cert.getPublicKey();
+ PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+
+ return new KeyPair(publicKey, privateKey);
+ }
+
+ public static void storeKeyPair(IConfigStore config, String tag, KeyPair pair)
+ throws TokenException, EBaseException {
+
+ CMS.debug("ConfigurationUtils: storeKeyPair(" + tag + ")");
+
+ PublicKey publicKey = pair.getPublic();
+
+ if (publicKey instanceof RSAPublicKey) {
+
+ RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
+
+ byte modulus[] = rsaPublicKey.getModulus().toByteArray();
+ config.putString(PCERT_PREFIX + tag + ".pubkey.modulus",
+ CryptoUtil.byte2string(modulus));
+
+ byte exponent[] = rsaPublicKey.getPublicExponent().toByteArray();
+ config.putString(PCERT_PREFIX + tag + ".pubkey.exponent",
+ CryptoUtil.byte2string(exponent));
+
+ } else { // ECC
+
+ CMS.debug("ConfigurationUtils: Public key class: " + publicKey.getClass().getName());
+ byte encoded[] = publicKey.getEncoded();
+ config.putString(PCERT_PREFIX + tag + ".pubkey.encoded", CryptoUtil.byte2string(encoded));
+ }
+
+ PrivateKey privateKey = (PrivateKey) pair.getPrivate();
+ byte id[] = privateKey.getUniqueID();
+ String kid = CryptoUtil.byte2string(id);
+ config.putString(PCERT_PREFIX + tag + ".privkey.id", kid);
+
+ String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm");
+ setSigningAlgorithm(tag, keyAlgo, config);
+ }
+
public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct)
throws NoSuchAlgorithmException, NoSuchTokenException, TokenException,
CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException {
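Review bot: In storeKeyPair the line `PrivateKey privateKey = (PrivateKey) pair.getPrivate();` is an unchecked downcast to the JSS PrivateKey (the type that offers `getUniqueID()`), so a KeyPair whose private key comes from any other provider fails with a ClassCastException rather than a configuration error; a guard such as `if (!(pair.getPrivate() instanceof PrivateKey)) throw new EBaseException("storeKeyPair: private key for " + tag + " is not a token-resident key");` names the actual problem. The `else { // ECC` branch also treats every non-RSA public key as EC and stores it under `.pubkey.encoded`, which is fine for the two key types this code expects but should be stated in a comment so a DSA or other key is not silently mis-filed. loadKeyPair declares `throws Exception`; its body can presumably only fail in `findCertByNickname`/`findPrivKeyByCert` when the nickname is unknown, so a Javadoc `@throws` naming that case (and narrowing the clause if the JSS exception types allow) would help callers that receive the nickname from a request.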
@@ -2812,6 +2863,20 @@ public class ConfigurationUtils {
}
}
+ public static void loadCertRequest(IConfigStore config, String tag, Cert cert) throws Exception {
+
+ CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")");
+
+ String subjectDN = config.getString(PCERT_PREFIX + tag + ".dn");
+ cert.setDN(subjectDN);
+
+ String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem");
+ String certreq = config.getString(subsystem + "." + tag + ".certreq");
+ String formattedCertreq = CryptoUtil.reqFormat(certreq);
+
+ cert.setRequest(formattedCertreq);
+ }
+
public static void handleCertRequest(IConfigStore config, String certTag, Cert cert) throws EPropertyNotFound,
EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException,
NoSuchProviderException, CertificateException, SignatureException, IOException {
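Review bot: loadCertRequest declares `throws Exception`, which is broader than the body warrants: the three `config.getString(...)` calls throw EBaseException (EPropertyNotFound when `.dn`, `.subsystem` or `.certreq` is missing), so `throws EBaseException` would be accurate unless `CryptoUtil.reqFormat` throws a checked exception, which I cannot confirm from here. A short Javadoc listing the keys the method reads, e.g. `/** Copies preop.cert.<tag>.dn and <subsystem>.<tag>.certreq into cert; throws EPropertyNotFound if either entry is absent. */`, would make the precondition visible to the REST caller. The debug prefix `ConfigurationUtils.loadCertRequest(` also differs from the `ConfigurationUtils: loadKeyPair(` form used by the sibling helpers added in this commit.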
@@ -2953,6 +3018,42 @@ public class ConfigurationUtils {
return pubk;
}
+ public static void loadCert(IConfigStore config, Cert cert) throws Exception {
+
+ String tag = cert.getCertTag();
+ CMS.debug("ConfigurationUtils: loadCert(" + tag + ")");
+
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate x509Cert = cm.findCertByNickname(cert.getNickname());
+
+ if (!x509Cert.getSubjectDN().equals(x509Cert.getIssuerDN())) {
+ CMS.debug("ConfigurationUtils: " + tag + " cert is not self-signed");
+
+ String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem");
+ String certChain = config.getString(subsystem + ".external_ca_chain.cert");
+ cert.setCertChain(certChain);
+
+ return;
+ }
+
+ CMS.debug("ConfigurationUtils: " + tag + " cert is self-signed");
+
+ // When importing existing self-signed CA certificate, create a
+ // certificate record to reserve the serial number. Otherwise it
+ // might conflict with system certificates to be created later.
+
+ X509CertImpl x509CertImpl = new X509CertImpl(x509Cert.getEncoded());
+
+ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID);
+ ICertificateRepository cr = ca.getCertificateRepository();
+
+ BigInteger serialNo = x509Cert.getSerialNumber();
+ MetaInfo meta = new MetaInfo();
+
+ ICertRecord record = cr.createCertRecord(serialNo, x509CertImpl, meta);
+ cr.addCertificateRecord(record);
+ }
+
public static int handleCerts(Cert cert) throws IOException, EBaseException, CertificateException,
NotInitializedException, TokenException, InvalidKeyException {
String certTag = cert.getCertTag();
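Review bot: The branch at `if (!x509Cert.getSubjectDN().equals(x509Cert.getIssuerDN()))` decides "self-signed" from name equality alone, but a certificate whose issuer name merely matches its subject (for example a CA certificate issued under a renewed or different key of the same name) is not self-signed, and in that case this method reserves the serial number in the local repository and never loads the external chain. Since the encoded certificate is already parsed into an X509CertImpl a few lines later, the cheap confirmation is to verify the signature with the certificate's own public key before taking the self-signed path; the change below does that (GeneralSecurityException covers verify's checked exceptions and needs importing if the file lacks it). Separately, `cr.addCertificateRecord(record)` will presumably fail if the serial number is already present, which happens when configuration is re-run against the same CA; checking for an existing record before adding would make loadCert idempotent, but I cannot confirm the repository API for that from this hunk.
```java
    X509CertImpl x509CertImpl = new X509CertImpl(x509Cert.getEncoded());

    // Matching subject and issuer names only suggest a self-signed cert;
    // confirm it by verifying the signature with the cert's own key.
    boolean selfSigned = x509Cert.getSubjectDN().equals(x509Cert.getIssuerDN());
    if (selfSigned) {
        try {
            x509CertImpl.verify(x509CertImpl.getPublicKey());
        } catch (GeneralSecurityException e) {
            CMS.debug("ConfigurationUtils: " + tag + " cert not verifiable with its own key: " + e);
            selfSigned = false;
        }
    }

    if (!selfSigned) {
        // … unchanged: external_ca_chain lookup, cert.setCertChain, return …
    }

    // … unchanged: self-signed debug message and certificate record creation …
```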
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index a0138681a..697196a6e 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -20,6 +20,7 @@ package org.dogtagpki.server.rest;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.ArrayList;
@@ -420,7 +421,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cs.commit(false);
- if (!request.getStepTwo()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+ // load key pair for existing and externally-signed signing cert
+ CMS.debug("SystemConfigService: loading signing cert key pair");
+ KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname());
+ ConfigurationUtils.storeKeyPair(cs, tag, pair);
+
+ } else if (!request.getStepTwo()) {
if (keytype.equals("ecc")) {
String curvename = certData.getKeyCurveName() != null ?
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
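Review bot: The condition `request.isExternal() && tag.equals("signing")` with the trailing `// external/existing CA` comment is written out four times in this file (here, and in the hunks at +450, +480 and +512); hoisting it once at the top of the per-certificate loop, e.g. `boolean externalSigning = request.isExternal() && "signing".equals(tag); // external/existing CA`, keeps the four branches in step if the rule ever changes and removes the repeated comment. The loop body that holds these branches starts above this hunk. The nickname passed to `ConfigurationUtils.loadKeyPair(certData.getNickname())` comes straight from the request, so presumably a nickname that is not in the NSS database surfaces here as a generic failure; a debug line naming the nickname before the call would make that easier to diagnose.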
@@ -443,7 +450,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem"));
cert.setType(cs.getString("preop.cert." + tag + ".type"));
- if (!request.getStepTwo()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+
+ // update configuration for existing or externally-signed signing certificate
+ String certStr = cs.getString("ca." + tag + ".cert" );
+ cert.setCert(certStr);
+ CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr);
+ ConfigurationUtils.updateConfig(cs, tag);
+
+ } else if (!request.getStepTwo()) {
ConfigurationUtils.configCert(null, null, null, cert);
} else {
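Review bot: `String certStr = cs.getString("ca." + tag + ".cert" );` hard-codes the `ca.` prefix two lines after the code reads the subsystem from `preop.cert.<tag>.subsystem` into the Cert object, so the two can drift apart; deriving the key from that value (`cs.getString(cert.getSubsystem() + "." + tag + ".cert")`, if Cert exposes a getter for the subsystem it stores) keeps one source of truth, and the stray space before the closing parenthesis should go either way. The debug line prints the full base64 certificate, which is public data, so that is acceptable, but a note saying so (`// cert is public; safe to log`) would stop a later reader from reflexively removing it.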
@@ -465,8 +480,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr);
}
- // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
- if (request.getStandAlone()) {
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+
+ CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert");
+ ConfigurationUtils.loadCertRequest(cs, tag, cert);
+
+ CMS.debug("SystemConfigService: Loading cert " + tag);
+ ConfigurationUtils.loadCert(cs, cert);
+
+ } else if (request.getStandAlone()) {
+ // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
if (!request.getStepTwo()) {
// Stand-alone PKI (Step 1)
ConfigurationUtils.handleCertRequest(cs, tag, cert);
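Review bot: The comment `// Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)` has been moved inside the `else if (request.getStandAlone())` branch, where it now describes the opposite of the code it sits above; it originally summarised the whole if/else that follows. Move it back above the new `if (request.isExternal() && tag.equals("signing"))` line, and reword it for the new shape, e.g. `// Cert requests: loaded for an external/existing CA signing cert, skipped for Stand-alone PKI step 2, handled for everything else`.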
@@ -489,6 +512,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
ConfigurationUtils.updateCloneConfig();
}
+ if (request.isExternal() && tag.equals("signing")) { // external/existing CA
+ CMS.debug("SystemConfigService: External CA has signing cert");
+ hasSigningCert.setValue(true);
+ certs.add(cert);
+ continue;
+ }
+
// to determine if we have the signing cert when using an external ca
// this will only execute on a ca or stand-alone pki
String b64 = certData.getCert();