diff options
Diffstat (limited to 'base/server/cms')
4 files changed, 120 insertions, 10 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java index 240f86a13..ca3d05f25 100644 --- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java +++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java @@ -450,6 +450,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault { if (!pattern.equals("")) { CMS.debug("SubjectAltNameExtDefault: createExtension() pattern="+ pattern); String gname = ""; + String gtype = ""; // cfu - see if this is server-generated (e.g. UUID4) // to use this feature, use $server.source$ in pattern @@ -479,16 +480,18 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault { } else { if (request != null) { gname = mapPattern(request, pattern); + gtype = mapPattern(request, type); } } - if (gname.equals("") || gname.contains("$")) { - CMS.debug("ubjectAltNameExtDefault: mapPattern()failed. Not added. gname="+ gname); + if (gname.equals("") || + gname.startsWith(CONFIG_SAN_REQ_PATTERN_PREFIX)) { + CMS.debug("SubjectAltNameExtDefault: gname is empty,not added."); continue; } - CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname); + CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" +gname + " with type=" + gtype); - GeneralNameInterface n = parseGeneralName(type + ":" + gname); + GeneralNameInterface n = parseGeneralName(gtype + ":" + gname); CMS.debug("adding gname: " + gname); if (n != null) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 22f092973..36b0e4d0d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -206,6 +206,85 @@ public class CertUtil { } } + + // Dynamically inject the SubjectAlternativeName extension to a + // local/self-signed master CA's request for its SSL Server Certificate. + // + // Since this information may vary from instance to + // instance, obtain the necessary information from the + // 'service.sslserver.san' value(s) in the instance's + // CS.cfg, process these values converting each item into + // its individual SubjectAlternativeName components, and + // inject these values into the local request. + // + public static void injectSANextensionIntoRequest(IConfigStore config, + IRequest req) throws Exception { + CMS.debug("CertUtil::injectSANextensionIntoRequest() - injecting SAN " + + "entries into request . . ."); + int i = 0; + if (config == null || req == null) { + throw new EBaseException("injectSANextensionIntoRequest: parameters config and req cannot be null"); + } + String sanHostnames = config.getString("service.sslserver.san"); + String sans[] = StringUtils.split(sanHostnames, ","); + for (String san : sans) { + CMS.debug("CertUtil: injectSANextensionIntoRequest() injecting " + + "SAN hostname: " + san); + req.setExtData("req_san_pattern_" + i, san); + i++; + } + CMS.debug("CertUtil: injectSANextensionIntoRequest() " + "injected " + + i + " SAN entries into request."); + } + + // Dynamically apply the SubjectAlternativeName extension to a + // remote PKI instance's request for its SSL Server Certificate. + // + // Since this information may vary from instance to + // instance, obtain the necessary information from the + // 'service.sslserver.san' value(s) in the instance's + // CS.cfg, process these values converting each item into + // its individual SubjectAlternativeName components, and + // build an SSL Server Certificate URL extension consisting + // of this information. + // + // 03/27/2013 - Should consider removing this + // "buildSANSSLserverURLExtension()" + // method if it becomes possible to + // embed a certificate extension into + // a PKCS #10 certificate request. + // + public static String buildSANSSLserverURLExtension(IConfigStore config) + throws Exception { + String url = ""; + String entries = ""; + + CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + + "building SAN SSL Server Certificate URL extension . . ."); + int i = 0; + if (config == null) { + throw new EBaseException("injectSANextensionIntoRequest: parameter config cannot be null"); + } + String sanHostnames = config.getString("service.sslserver.san"); + String sans[] = StringUtils.split(sanHostnames, ","); + for (String san : sans) { + CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " + + "SAN hostname: " + san); + // Add the DNSName for all SANs + entries = entries + + "&req_san_pattern_" + i + "=" + san; + i++; + } + + url = "&req_san_entries=" + i + entries; + + CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " + + i + " SAN entries into SSL Server Certificate URL."); + + return url; + } + + /* * create requests so renewal can work on these initial certs */ @@ -375,6 +454,9 @@ public class CertUtil { IRequest req = null; try { + Boolean injectSAN = config.getBoolean( + "service.injectSAN", false); + CMS.debug("createLocalCert: injectSAN=" + injectSAN); String dn = config.getString(prefix + certTag + ".dn"); String keyAlgorithm = null; Date date = new Date(); @@ -426,6 +508,10 @@ public class CertUtil { queue = ca.getRequestQueue(); if (queue != null) { req = createLocalRequest(queue, serialNo.toString(), info); + if (certTag.equals("sslserver") && + injectSAN == true) { + injectSANextensionIntoRequest(config, req); + } CMS.debug("CertUtil profile name= " + profile); req.setExtData("req_key", x509key.toString()); @@ -498,7 +584,7 @@ public class CertUtil { } } catch (Exception e) { CMS.debug(e); - CMS.debug("NamePanel configCert() exception caught:" + e.toString()); + CMS.debug("CertUtil createLocalCert() exception caught:" + e.toString()); } if (cr == null) { @@ -520,22 +606,22 @@ public class CertUtil { cert.getSerialNumber(), cert, meta); } catch (Exception e) { CMS.debug( - "NamePanel configCert: failed to add metainfo. Exception: " + e.toString()); + "CertUtil createLocalCert: failed to add metainfo. Exception: " + e.toString()); } try { cr.addCertificateRecord(record); CMS.debug( - "NamePanel configCert: finished adding certificate record."); + "CertUtil createLocalCert: finished adding certificate record."); } catch (Exception e) { CMS.debug( - "NamePanel configCert: failed to add certificate record. Exception: " + "CertUtil createLocalCert: failed to add certificate record. Exception: " + e.toString()); try { cr.deleteCertificateRecord(record.getSerialNumber()); cr.addCertificateRecord(record); } catch (Exception ee) { - CMS.debug("NamePanel update: Exception: " + ee.toString()); + CMS.debug("CertUtil createLocalCert: Exception: " + ee.toString()); } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 21aaf203b..1765ba7a6 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2492,11 +2492,22 @@ public class ConfigurationUtils { } catch (Exception ee) { } + String sslserver_extension = ""; + Boolean injectSAN = config.getBoolean( + "service.injectSAN", false); + CMS.debug("ConfigurationUtils: injectSAN="+injectSAN); + if (certTag.equals("sslserver") && + injectSAN == true) { + sslserver_extension = + CertUtil.buildSANSSLserverURLExtension(config); + } + String content = "requestor_name=" + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") - + "&xmlOutput=true&sessionID=" + session_id; + + "&xmlOutput=true&sessionID=" + session_id + + sslserver_extension; cert = CertUtil.createRemoteCert(ca_hostname, ca_port, content, response, panel); if (cert == null) { diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 7067c24ec..12dd54dac 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -410,6 +410,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm); cs.putString("preop.cert." + tag + ".nickname", nickname); cs.putString("preop.cert." + tag + ".dn", dn); + + // support injecting SAN into server cert + if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { + CMS.debug("updateConfiguration(): san_server_cert found"); + cs.putString("service.injectSAN", "true"); + cs.putString("service.sslserver.san", certData.getServerCertSAN()); + } else { + if ( tag.equals("sslserver")) + CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); + } cs.commit(false); if (!request.getStepTwo()) { |