Diffstat (limited to 'base/server/cms')
7 files changed, 574 insertions, 461 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 66a356965..97d51715d 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.X509Certificate;
 import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.util.Enumeration;
@@ -247,6 +248,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 String auditCertSubject = ILogger.UNIDENTIFIED;
 String auditSignerInfo = ILogger.UNIDENTIFIED;
+SessionContext auditContext = SessionContext.getExistingContext();
+X509Certificate clientCert =
+(X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+
 // ensure that any low-level exceptions are reported
 // to the signed audit log and stored as failures
 try {
@@ -362,7 +367,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 String userid = "defUser";
 String uid = "defUser";
 if (checkSignerInfo) {
-IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
+IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
 if (agentToken == null) {
 CMS.debug(method + "agentToken null");
 throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
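Review bot: `auditContext` obtained from `SessionContext.getExistingContext()` is dereferenced on the very next line without a null check, while the new `verifySignerInfo` (later hunk in this file) explicitly returns null when handed a null context — so if `getExistingContext()` can return null, authentication dies here with a NullPointerException instead of taking the handled failure path. The `clientCert` local declared in this hunk is not referenced by any visible hunk; `verifySignerInfo` re-reads `SessionContext.SSL_CLIENT_CERT` itself, so the two added cast lines can be dropped, or, if the value is used further down, guarded as `X509Certificate clientCert = (auditContext == null) ? null : (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);`. The enclosing method starts and ends outside the hunk.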
@@ -813,8 +818,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 level, "CMC Authentication: " + msg);
 }
-protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
-
+protected IAuthToken verifySignerInfo(
+SessionContext auditContext,
+AuthToken authToken,
+SignedData cmcFullReq) throws EBaseException {
+String method = "CMCAuth: verifySignerInfo: ";
+String msg = "";
 EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
 OBJECT_IDENTIFIER id = ci.getContentType();
 OCTET_STRING content = ci.getContent();
@@ -823,6 +832,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 CryptoToken signToken = null;
 CryptoToken savedToken = null;
 CryptoManager cm = null;
+
+if (auditContext == null) {
+CMS.debug(method + " auditConext can't be null");
+return null;
+}
 try {
 cm = CryptoManager.getInstance();
 ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
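Review bot: The debug message in the new null guard misspells the variable it reports: `CMS.debug(method + " auditConext can't be null");` should read `CMS.debug(method + " auditContext can't be null");`, since these names are what operators search for in the debug log. Returning null here is consistent with the caller in the earlier hunk, which turns a null agent token into an EBaseException, so the failure is still surfaced; a one-line comment, `// a missing context is reported by the caller as a signer verification failure`, would make that dependency explicit. The method body continues outside the hunk.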
@@ -910,6 +924,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 si.verify(digest, id);
 } else {
 CMS.debug("CMCAuth: found signing cert... verifying");
+
+X509Certificate clientCert =
+(X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+if (clientCert == null) {
+// createAuditSubjectFromCert(auditContext, x509Certs[0]);
+msg = "missing SSL client authentication certificate;";
+CMS.debug(method + msg);
+s.close();
+throw new EMissingCredential(
+CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
+}
+netscape.security.x509.X500Name clientPrincipal =
+(X500Name) clientCert.getSubjectDN();
+
+netscape.security.x509.X500Name cmcPrincipal =
+(X500Name) x509Certs[0].getSubjectDN();
+
+// check ssl client cert against cmc signer
+if (!clientPrincipal.equals(cmcPrincipal)) {
+msg = "SSL client authentication certificate and CMC signer do not match";
+CMS.debug(method + msg);
+s.close();
+throw new EInvalidCredentials(
+CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+} else {
+CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+}
+
 PublicKey signKey = cert.getPublicKey();
 PrivateKey.Type keyType = null;
 String alg = signKey.getAlgorithm();
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index ab9a94ab8..ff82ade9c 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
 s.close();
 throw new EInvalidCredentials(
 CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+} else {
+CMS.debug(method + "ssl client cert principal and cmc signer principal match");
 }
 PublicKey signKey = cert.getPublicKey();
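Review bot: The new binding between the TLS client certificate and the CMC signer compares only the two subject names (`if (!clientPrincipal.equals(cmcPrincipal))`), so any certificate the server accepts for client authentication that carries the same subject DN as the signer certificate satisfies the check; unless subject uniqueness across every issuer trusted for client auth is guaranteed by deployment, compare the certificates themselves — issuer name plus serial number, or the encoded certificates — and keep the DN comparison only for the message. The two casts `(X500Name) clientCert.getSubjectDN()` and `(X500Name) x509Certs[0].getSubjectDN()` assume both objects are the local certificate implementation whose `getSubjectDN()` returns an `X500Name`; if the SSL layer can hand back another provider's certificate the cast throws ClassCastException, so either note that assumption in a comment or compare `getSubjectX500Principal()` values, which need no cast. The commented-out `// createAuditSubjectFromCert(auditContext, x509Certs[0]);` should be restored or removed rather than left as dead code. The enclosing method starts and ends outside the hunk; the CMCUserSignedAuth hunk below only adds a debug line.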
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 7dfaddac4..93d0a74ae 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile if (signingUserSerial != null) { donePOI = true; } + // catch for invalid request cmc_msgs = parseCMC(locale, cert_request, donePOI); if (cmc_msgs == null) { @@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile byte randomSeed[] = null; UTF8String ident_s = null; SessionContext context = SessionContext.getContext(); + String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); + if (authManagerId == null) { + CMS.debug(method + "authManagerId null.????"); + //unlikely, but... + authManagerId = "none"; + } else { + CMS.debug(method + "authManagerId =" + authManagerId); + } + if(authManagerId.equals("CMCAuth")) { + donePOI = true; + } boolean id_cmc_revokeRequest = false; if (!context.containsKey("numOfControls")) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 28f4d33ff..c047aac24 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -22,6 +22,7 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.math.BigInteger; +import java.security.Principal; import java.util.Date; import java.util.Iterator; import java.util.Properties; 
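Review bot: The new proof-of-identity shortcut `if(authManagerId.equals("CMCAuth")) { donePOI = true; }` keys a security decision on a hard-coded authentication-manager instance name, and nothing in the hunk says why that manager satisfies POI; a comment such as `// CMCAuth has already verified the agent's signature on the CMC request; treat that as proof of identity` (adjust if the reason differs) plus a `static final String` for the name would make the intent reviewable, and it is worth noting that a renamed or second CMCAuth instance would silently fall back to requiring POI. The fallback branch logs `"authManagerId null.????"`; a plain message like `CMS.debug(method + "authManagerId null; assuming none")` reads better in a debug trail. The comment added in the first hunk, `// catch for invalid request`, does not say what is caught or where; either name the condition (the `cmc_msgs == null` check that follows) or drop it. The enclosing method starts and ends outside the hunk.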
@@ -34,13 +35,18 @@ import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.velocity.context.Context;
 import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoStore;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.pkcs11.PK11Store;
 import org.xml.sax.SAXException;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.MetaInfo;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -261,20 +267,30 @@ public class CertUtil {
 /*
 * create requests so renewal can work on these initial certs
 */
-public static IRequest createLocalRequest(IRequestQueue queue, String serialNum, X509CertInfo info)
-throws EBaseException {
+public static IRequest createLocalRequest(
+IConfigStore cs,
+IRequestQueue queue,
+String tag,
+CertInfoProfile profile,
+X509CertInfo info,
+X509Key x509key)
+throws Exception {
+
 // RequestId rid = new RequestId(serialNum);
 // just need a request, no need to get into a queue
 // IRequest r = new EnrollmentRequest(rid);
-CMS.debug("CertUtil: createLocalRequest for serial: " + serialNum);
+
+CMS.debug("CertUtil.createLocalRequest(" + tag + ")");
+
 IRequest req = queue.newRequest("enrollment");
-CMS.debug("certUtil: newRequest called");
+
 req.setExtData("profile", "true");
 req.setExtData("requestversion", "1.0.0");
 req.setExtData("req_seq_num", "0");
+
 req.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
-req.setExtData(IEnrollProfile.REQUEST_EXTENSIONS,
-new CertificateExtensions());
+req.setExtData(IEnrollProfile.REQUEST_EXTENSIONS, new CertificateExtensions());
+
 req.setExtData("requesttype", "enrollment");
 req.setExtData("requestor_name", "");
 req.setExtData("requestor_email", "");
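Review bot: The rewritten `createLocalRequest` widens its contract from `throws EBaseException` to `throws Exception`, which forces every caller to catch or propagate the broadest type; if the new body only adds `IConfigStore` reads and the `injectSANextensionIntoRequest` call from the next hunk, the concrete types those throw are the better declaration. The three commented-out lines above the first debug call (`// RequestId rid = new RequestId(serialNum);` and the two below it) refer to the removed `serialNum` parameter and are now dead; drop them. The one-line `create requests so renewal can work` comment no longer describes a six-parameter method — a Javadoc listing the parameters, in particular that `tag` selects SAN injection and the validity adjustment and that `profile` supplies the mapped profile ids, would. The method continues in the next hunk.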
@@ -285,6 +301,37 @@ public class CertUtil {
 req.setExtData("isencryptioncert", "false");
 req.setExtData("profileapprovedby", "system");
+Boolean injectSAN = cs.getBoolean("service.injectSAN", false);
+CMS.debug("createLocalCert: inject SAN: " + injectSAN);
+
+if (tag.equals("sslserver") && injectSAN) {
+injectSANextensionIntoRequest(cs, req);
+}
+
+req.setExtData("req_key", x509key.toString());
+
+String origProfileID = profile.getID();
+int idx = origProfileID.lastIndexOf('.');
+if (idx > 0) {
+origProfileID = origProfileID.substring(0, idx);
+}
+
+// store original profile id in cert request
+req.setExtData("origprofileid", origProfileID);
+
+// store mapped profile ID for use in renewal
+req.setExtData("profileid", profile.getProfileIDMapping());
+req.setExtData("profilesetid", profile.getProfileSetIDMapping());
+
+if (!tag.equals("signing")) {
+/*
+* (applies to non-CA-signing cert only)
+* installAdjustValidity tells ValidityDefault to adjust the
+* notAfter value to that of the CA's signing cert if needed
+*/
+req.setExtData("installAdjustValidity", "true");
+}
+
 // mark request as complete
 CMS.debug("certUtil: calling setRequestStatus");
 req.setRequestStatus(RequestStatus.COMPLETE);
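Review bot: `Boolean injectSAN = cs.getBoolean("service.injectSAN", false);` boxes the flag only to unbox it again in `tag.equals("sslserver") && injectSAN`; declare it `boolean`. The debug line next to it is labelled `createLocalCert:` although this code now lives in `createLocalRequest` (the copy in `createLocalCert` is removed in a later hunk), so it should read `CMS.debug("CertUtil.createLocalRequest: inject SAN: " + injectSAN);`. The profile-id trimming changed from the old `idx == -1` test to `if (idx > 0)`, so a profile id that begins with `.` is now stored untrimmed where it was previously cut to the empty string — harmless for real profile names, but worth a comment or `idx >= 0` if the old behaviour mattered. The method starts in the previous hunk and ends outside this one.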
@@ -295,35 +342,39 @@ public class CertUtil {
 /**
 * update local cert request with the actual request
 * called from CertRequestPanel.java
+* @throws EBaseException
+* @throws EPropertyNotFound
 */
-public static void updateLocalRequest(IConfigStore config, String certTag, String certReq, String reqType,
-String subjectName) {
-try {
-CMS.debug("Updating local request... certTag=" + certTag);
-RequestId rid = new RequestId(config.getString("preop.cert." + certTag + ".reqId"));
-
-ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(
-ICertificateAuthority.ID);
-
-IRequestQueue queue = ca.getRequestQueue();
-if (queue != null) {
-IRequest req = queue.findRequest(rid);
-if (req != null) {
-if (!certReq.equals(""))
-req.setExtData("cert_request", certReq);
-req.setExtData("cert_request_type", reqType);
-if (subjectName != null) {
-req.setExtData("subject", subjectName);
-new X500Name(subjectName); // check for errors
-}
-}
-queue.updateRequest(req);
-} else {
-CMS.debug("CertUtil:updateLocalRequest - request queue = null");
-}
-} catch (Exception e) {
-CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString());
+public static void updateLocalRequest(
+IConfigStore config,
+String certTag,
+String certReq,
+String reqType,
+String subjectName
+) throws Exception {
+
+CMS.debug("CertUtil.updateLocalRequest(" + certTag + ")");
+
+ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID);
+IRequestQueue queue = ca.getRequestQueue();
+
+RequestId rid = new RequestId(config.getString("preop.cert." + certTag + ".reqId"));
+IRequest req = queue.findRequest(rid);
+
+if (!certReq.equals("")) {
+CMS.debug("CertUtil: updating cert request");
+req.setExtData("cert_request", certReq);
+}
+
+req.setExtData("cert_request_type", reqType);
+
+if (subjectName != null) {
+CMS.debug("CertUtil: updating request subject: " + subjectName);
+req.setExtData("subject", subjectName);
+new X500Name(subjectName); // check for errors
 }
+
+queue.updateRequest(req);
 }
 /**
@@ -416,11 +467,6 @@ public class CertUtil {
 CMS.debug("CertUtil.createLocalCert(" + certTag + ")");
-String profile = config.getString(prefix + certTag + ".profile");
-
-Boolean injectSAN = config.getBoolean("service.injectSAN", false);
-CMS.debug("createLocalCert: injectSAN: " + injectSAN);
-
 String dn = config.getString(prefix + certTag + ".dn");
 String keyAlgorithm = null;
 Date date = new Date();
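Review bot: The rewritten `updateLocalRequest` drops the old `queue != null` / `req != null` guards, so a request id that is no longer in the queue now fails at `req.setExtData(...)` with a NullPointerException instead of a message naming the request; add `if (req == null) throw new EBaseException("CertUtil: request " + rid + " not found");` directly after `queue.findRequest(rid)`. The Javadoc now lists `@throws EBaseException` and `@throws EPropertyNotFound` while the signature says `throws Exception`; either narrow the signature to those types or document what else can escape. `new X500Name(subjectName); // check for errors` runs after `req.setExtData("subject", subjectName)`, so a malformed subject is already stored on the request when the check throws — call the constructor before the `setExtData`. Replacing the old catch-all that only logged with propagation is the right direction; the second hunk in this span is a pure removal.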
@@ -466,50 +512,29 @@ public class CertUtil { CMS.debug("Cert Template: " + info); - String instanceRoot = CMS.getConfigStore().getString("instanceRoot"); - String configurationRoot = CMS.getConfigStore().getString("configurationRoot"); + String instanceRoot = config.getString("instanceRoot"); + String configurationRoot = config.getString("configurationRoot"); + + String profileName = config.getString(prefix + certTag + ".profile"); + CMS.debug("CertUtil: profile: " + profileName); - CertInfoProfile processor = new CertInfoProfile(instanceRoot + configurationRoot + profile); + CertInfoProfile profile = new CertInfoProfile(instanceRoot + configurationRoot + profileName); // cfu - create request to enable renewal IRequestQueue queue = ca.getRequestQueue(); - IRequest req = createLocalRequest(queue, serialNo.toString(), info); - if (certTag.equals("sslserver") && injectSAN) { - injectSANextensionIntoRequest(config, req); - } - - CMS.debug("CertUtil profile: " + profile); - req.setExtData("req_key", x509key.toString()); - - // store original profile id in cert request - int idx = profile.lastIndexOf('.'); - if (idx == -1) { - CMS.debug("CertUtil profileName contains no ."); - req.setExtData("origprofileid", profile); - } else { - String name = profile.substring(0, idx); - req.setExtData("origprofileid", name); - } - - // store mapped profile ID for use in renewal - String profileId = processor.getProfileIDMapping(); - req.setExtData("profileid", profileId); - req.setExtData("profilesetid", processor.getProfileSetIDMapping()); + IRequest req = createLocalRequest( + config, + queue, + certTag, + profile, + info, + x509key); RequestId reqId = req.getRequestId(); config.putString("preop.cert." 
+ certTag + ".reqId", reqId.toString()); - if (!certTag.equals("signing")) { - /* - * (applies to non-CA-signing cert only) - * installAdjustValidity tells ValidityDefault to adjust the - * notAfter value to that of the CA's signing cert if needed - */ - req.setExtData("installAdjustValidity", "true"); - } - - processor.populate(req, info); + profile.populate(req, info); /* java.security.PrivateKey pk = ca.getSigningUnit().getPrivateKey(); @@ -555,7 +580,7 @@ public class CertUtil { MetaInfo meta = new MetaInfo(); meta.set(ICertRecord.META_REQUEST_ID, reqId.toString()); - meta.set(ICertRecord.META_PROFILE_ID, profileId); + meta.set(ICertRecord.META_PROFILE_ID, profile.getProfileIDMapping()); ICertRecord record = cr.createCertRecord(cert.getSerialNumber(), cert, meta); cr.addCertificateRecord(record); 
@@ -723,4 +748,177 @@ public class CertUtil { return false; } + + public static boolean findCertificate(String tokenname, String nickname) + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + String fullnickname = nickname; + if (!CryptoUtil.isInternalToken(tokenname)) { + fullnickname = tokenname + ":" + nickname; + } + + CMS.debug("CertUtil: searching for cert " + fullnickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(fullnickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return false; + } + + if (cert == null) { + CMS.debug("CertUtil: cert not found"); + return false; + } + + return true; + } + + public static boolean findBootstrapServerCert() + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + IConfigStore cs = CMS.getConfigStore(); + String nickname = cs.getString("preop.cert.sslserver.nickname"); + + CMS.debug("CertUtil: searching for cert " + nickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(nickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return false; + } + + Principal issuerDN = cert.getIssuerDN(); + Principal subjectDN = cert.getSubjectDN(); + + if (!issuerDN.equals(subjectDN)) { + CMS.debug("CertUtil: cert is not self-signed"); + return false; + } + + return true; + } + + public static void deleteCert(String tokenname, String nickname) + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + String fullnickname = nickname; + if (!CryptoUtil.isInternalToken(tokenname)) + fullnickname = tokenname + ":" + nickname; + + CMS.debug("CertUtil: deleting cert " + fullnickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(fullnickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return; + } + + CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname); + CryptoStore store = 
tok.getCryptoStore(); + + if (store instanceof PK11Store) { + PK11Store pk11store = (PK11Store) store; + pk11store.deleteCertOnly(cert); + CMS.debug("CertUtil: cert deleted successfully"); + + } else { + CMS.debug("CertUtil: unsupported crypto store: " + store.getClass().getName()); + } + } + + public static void deleteBootstrapServerCert() + throws Exception { + + IConfigStore cs = CMS.getConfigStore(); + String nickname = cs.getString("preop.cert.sslserver.nickname"); + + deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname); + } + + public static void importCert( + String subsystem, + String tag, + String tokenname, + String nickname, + X509CertImpl impl + ) throws Exception { + + CMS.debug("CertUtil.importCert(" + tag + ")"); + + if (tag.equals("sslserver") && findBootstrapServerCert()) { + CMS.debug("CertUtil: deleting temporary SSL server cert"); + deleteBootstrapServerCert(); + } + + if (findCertificate(tokenname, nickname)) { + CMS.debug("CertUtil: deleting existing " + tag + " cert"); + deleteCert(tokenname, nickname); + } + + CMS.debug("CertUtil: importing " + tag + " cert"); + + if (subsystem.equals("ca") && tag.equals("signing") ) { + CryptoUtil.importUserCertificate(impl, nickname); + + } else { + CryptoUtil.importUserCertificate(impl, nickname, false); + } + } + + public static void importExternalCert( + String tag, + String tokenname, + String nickname, + byte[] cert, + byte[] certChain + ) throws Exception { + + CMS.debug("CertUtil.importExternalCert(" + tag + ")"); + + if (tag.equals("sslserver") && findBootstrapServerCert()) { + CMS.debug("CertUtil: deleting temporary SSL server cert"); + deleteBootstrapServerCert(); + } + + if (findCertificate(tokenname, nickname)) { + CMS.debug("CertUtil: deleting existing " + tag + " cert"); + deleteCert(tokenname, nickname); + } + + if (certChain != null) { + CMS.debug("CertUtil: importing cert chain for " + tag + " cert"); + CryptoUtil.importCertificateChain(certChain); + } + + CMS.debug("CertUtil: 
importing " + tag + " cert"); + + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate x509cert = cm.importCertPackage(cert, nickname); + + CMS.debug("CertUtil: trusting cert: " + x509cert.getSubjectDN()); + CryptoUtil.trustCertByNickname(nickname); + + X509Certificate[] certs = cm.buildCertificateChain(x509cert); + CMS.debug("CertUtil: cert chain:"); + for (X509Certificate c : certs) { + CMS.debug("ConfigurationUtils: - " + c.getSubjectDN()); + } + + X509Certificate rootCert = certs[certs.length - 1]; + CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN()); + + CryptoUtil.trustRootCert(rootCert); + } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 9b83830a2..68c3b8dac 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -296,7 +296,9 @@ public class ConfigurationUtils { } cs.commit(false); - CryptoUtil.importCertificateChain(certchain); + + byte[] bytes = CryptoUtil.base64Decode(certchain); + CryptoUtil.importCertificateChain(bytes); } else { throw new IOException("importCertChain: Security Domain response does not contain certificate chain"); 
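Review bot: `findBootstrapServerCert` calls `cert.getIssuerDN()` straight after `cm.findCertByNickname(nickname)` without the null check that `findCertificate` in the same hunk applies to the identical call, so the guard `if (cert == null) { CMS.debug("CertUtil: cert not found"); return false; }` should be replicated there. In `importExternalCert`, `X509Certificate rootCert = certs[certs.length - 1];` assumes `buildCertificateChain` returned a non-empty array, whereas the code it replaces (ConfigurationUtils hunk later in this diff) checked `certchains != null` first; add `if (certs == null || certs.length == 0) throw new IOException("CertUtil: unable to build certificate chain for " + nickname);` before the loop, and the loop's `"ConfigurationUtils: - "` prefix should read `"CertUtil: - "`. The old `ConfigurationUtils.findCertificate` (last hunk of this diff) refused with an IOException when a certificate with the same nickname already existed on a hardware token and `preop.CertRequestPanel.done` was not yet set; the new `findCertificate`/`deleteCert` pair appears to drop that safeguard and removes the HSM entry via `deleteCertOnly`, which deserves a sentence in the commit message or a comment if intentional. Marking whatever root the NSS database resolves as trusted via `trustRootCert` is unchanged from the old code, but a comment on that line stating the policy would help the next reader.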
@@ -2338,10 +2340,12 @@ public class ConfigurationUtils {
 setSigningAlgorithm(tag, keyAlgo, config);
 }
-public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct)
+public static KeyPair createECCKeyPair(String token, String curveName, IConfigStore config, String ct)
 throws NoSuchAlgorithmException, NoSuchTokenException, TokenException,
 CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException {
-CMS.debug("createECCKeyPair: Generating ECC key pair with curvename=" + curveName + ", token=" + token);
+
+CMS.debug("ConfigurationUtils.createECCKeyPair(" + token + ", " + curveName + ")");
+
 KeyPair pair = null;
 /*
 * default ssl server cert to ECDHE unless stated otherwise
@@ -2390,7 +2394,6 @@ public class ConfigurationUtils {
 // XXX - store curve , w
 byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
 String kid = CryptoUtil.byte2string(id);
-config.putString(PCERT_PREFIX + ct + ".privkey.id", kid);
 // try to locate the private key
 org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid));
@@ -2400,42 +2403,31 @@ public class ConfigurationUtils {
 }
 } while (pair == null);
-CMS.debug("Public key class " + pair.getPublic().getClass().getName());
-byte encoded[] = pair.getPublic().getEncoded();
-config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", CryptoUtil.byte2string(encoded));
-
-String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm");
-setSigningAlgorithm(ct, keyAlgo, config);
+return pair;
 }
-public static void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct)
+public static KeyPair createRSAKeyPair(String token, int keysize, IConfigStore config, String ct)
 throws Exception {
-/* generate key pair */
+
+CMS.debug("ConfigurationUtils.createRSAKeyPair(" + token + ")");
+
 KeyPair pair = null;
 do {
 pair = CryptoUtil.generateRSAKeyPair(token, keysize);
 byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
 String kid = CryptoUtil.byte2string(id);
-config.putString(PCERT_PREFIX + ct + ".privkey.id", kid);
+
 // try to locate the private key
 org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid));
+
 if (privk == null) {
 CMS.debug("Found bad RSA key id " + kid);
 pair = null;
 }
 } while (pair == null);
-byte modulus[] = ((RSAPublicKey) pair.getPublic()).getModulus().toByteArray();
-byte exponent[] = ((RSAPublicKey) pair.getPublic()).getPublicExponent().toByteArray();
-
-config.putString(PCERT_PREFIX + ct + ".pubkey.modulus",
-CryptoUtil.byte2string(modulus));
-config.putString(PCERT_PREFIX + ct + ".pubkey.exponent",
-CryptoUtil.byte2string(exponent));
-
-String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm");
-setSigningAlgorithm(ct, keyAlgo, config);
+return pair;
 }
 public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound,
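Review bot: After this hunk `createRSAKeyPair`, whose body is fully visible here, no longer reads `config` or `ct` — the `privkey.id` write and the `setSigningAlgorithm` call that used them are removed — yet both stay in the signature, and `createECCKeyPair` in the two preceding hunks loses the same `config.putString(PCERT_PREFIX + ct + ".privkey.id", kid)` write; either drop the now-unused parameters or add a Javadoc line stating that the caller is responsible for persisting the key id and signing algorithm from the returned `KeyPair`. The `do { ... } while (pair == null)` loop regenerates a key pair whenever `findPrivateKeyFromID` cannot locate the fresh key, with no bound on retries, so a token that never returns a locatable key spins forever; a retry limit with an explicit exception would make that failure visible. That loop is pre-existing, so the second point is optional for this commit.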
@@ -2847,17 +2839,6 @@ public class ConfigurationUtils {
 }
 }
-String serverCertNickname = nickname;
-String path = CMS.getConfigStore().getString("instanceRoot", "");
-if (certTag.equals("sslserver")) {
-if (!CryptoUtil.isInternalToken(token)) {
-serverCertNickname = token + ":" + nickname;
-}
-PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8");
-ps.println(serverCertNickname);
-ps.close();
-}
-
 config.putString(subsystem + "." + certTag + ".nickname", nickname);
 config.putString(subsystem + "." + certTag + ".tokenname", token);
 if (certTag.equals("audit_signing")) {
@@ -2882,6 +2863,23 @@ public class ConfigurationUtils {
 CMS.debug("updateConfig() done");
 }
+public static void updateServerCertNickConf() throws Exception {
+
+IConfigStore cs = CMS.getConfigStore();
+String token = cs.getString("preop.module.token");
+String nickname = getNickname(cs, "sslserver");
+
+String serverCertNickname = nickname;
+if (!CryptoUtil.isInternalToken(token)) {
+serverCertNickname = token + ":" + nickname;
+}
+
+String path = cs.getString("instanceRoot", "");
+PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8");
+ps.println(serverCertNickname);
+ps.close();
+}
+
 public static String getNickname(IConfigStore config, String certTag) throws EBaseException {
 String instanceID = config.getString("instanceId", "");
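Review bot: `updateServerCertNickConf` opens a `PrintStream` on `path + "/conf/serverCertNick.conf"` and closes it only on the success path, so a failure between open and `ps.close()` leaks the handle; the three lines from `PrintStream ps = ...` to `ps.close();` become `try (PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8")) { ps.println(serverCertNickname); }`. The file is now written unconditionally, whereas the block removed in the first hunk wrote it only when `certTag.equals("sslserver")`; that is fine if the sole caller is the SSL-server path, but a Javadoc sentence saying the method is meant to be called once the SSL server cert has been configured would document that. The method also derives the nickname through `getNickname(cs, "sslserver")` rather than receiving the `nickname` the removed code used; if `getNickname` applies any mapping, the written value could differ from before, which is worth confirming.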
@@ -2938,15 +2936,20 @@ public class ConfigurationUtils { return 0; } - public static void updateCloneConfig() - throws EBaseException, IOException { + public static void updateCloneConfig() throws EBaseException, IOException { + IConfigStore config = CMS.getConfigStore(); String cstype = config.getString("cs.type", null); cstype = cstype.toLowerCase(); + if (cstype.equals("kra")) { + String token = config.getString("preop.module.token"); + if (!CryptoUtil.isInternalToken(token)) { + CMS.debug("ConfigurationUtils: updating configuration for KRA clone with hardware token"); + String subsystem = config.getString(PCERT_PREFIX + "storage.subsystem"); String storageNickname = getNickname(config, "storage"); String transportNickname = getNickname(config, "transport"); 
@@ -2954,22 +2957,23 @@ public class ConfigurationUtils { config.putString(subsystem + ".storageUnit.hardware", token); config.putString(subsystem + ".storageUnit.nickName", token + ":" + storageNickname); config.putString(subsystem + ".transportUnit.nickName", token + ":" + transportNickname); + config.commit(false); + } else { // software token // parameters already set } } // audit signing cert - String audit_nn = config.getString(cstype + ".audit_signing" + ".nickname", ""); - String audit_tk = config.getString(cstype + ".audit_signing" + ".tokenname", ""); - if (!CryptoUtil.isInternalToken(audit_tk)) { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_tk + ":" + audit_nn); - } else { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_nn); + String nickname = config.getString(cstype + ".audit_signing.nickname", ""); + String token = config.getString(cstype + ".audit_signing.tokenname", ""); + + if (!CryptoUtil.isInternalToken(token)) { + nickname = token + ":" + nickname; } + + config.putString("log.instance.SignedAudit.signedAuditCertNickname", nickname); } public static void loadCertRequest(IConfigStore config, String tag, Cert cert) throws Exception { @@ -3178,8 +3182,11 @@ public class ConfigurationUtils { cr.addCertificateRecord(record); } - public static void handleCerts(Cert cert) throws Exception { + public static void handleCert(Cert cert) throws Exception { + String certTag = cert.getCertTag(); + CMS.debug("ConfigurationUtils.handleCert(" + certTag + ")"); + String subsystem = cert.getSubsystem(); String nickname = cert.getNickname(); IConfigStore config = CMS.getConfigStore(); 
@@ -3188,156 +3195,50 @@ public class ConfigurationUtils { if (!enable) return; - CMS.debug("handleCerts(): for cert tag '" + cert.getCertTag() + "' using cert type '" + cert.getType() + "'"); + CMS.debug("ConfigurationUtils: cert type: " + cert.getType()); + String b64 = cert.getCert(); String tokenname = config.getString("preop.module.token", ""); if (cert.getType().equals("local") && b64.equals("...certificate be generated internally...")) { - CMS.debug("handleCerts(): processing local cert"); - - String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); - X509Key x509key = null; - if (pubKeyType.equals("rsa")) { - x509key = getRSAX509Key(config, certTag); - } else if (pubKeyType.equals("ecc")) { - x509key = getECCX509Key(config, certTag); - } - - if (findCertificate(tokenname, nickname)) { - if (!certTag.equals("sslserver")) - return; + if (CertUtil.findCertificate(tokenname, nickname) && !certTag.equals("sslserver")) { + // if cert already exists (except SSL server cert), skip creation + return; } - X509CertImpl impl = CertUtil.createLocalCert(config, x509key, PCERT_PREFIX, certTag, cert.getType()); - if (impl != null) { - byte[] certb = impl.getEncoded(); - String certs = CryptoUtil.base64Encode(certb); - - cert.setCert(certs); - config.putString(subsystem + "." 
+ certTag + ".cert", certs); - CMS.debug("handleCerts(): nickname=" + nickname); - - try { - CMS.debug("handleCerts(): deleting existing cert"); - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) - deleteCert(tokenname, nickname); - - CMS.debug("handleCerts(): importing new cert"); - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'"); - - } catch (Exception ee) { - CMS.debug(ee); - CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " - + ee.toString()); - } - } + handleLocalCert(config, cert, tokenname); } else if (cert.getType().equals("remote")) { - CMS.debug("handleCerts(): processing remote cert"); - - if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - - CMS.debug("handleCerts(): deleting existing cert"); - String b64chain = cert.getCertChain(); - - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception e) { - CMS.debug(e); - } - - CMS.debug("handleCerts(): importing new cert"); - b64 = CryptoUtil.stripCertBrackets(b64.trim()); - String certs = CryptoUtil.normalizeCertStr(b64); - byte[] certb = CryptoUtil.base64Decode(certs); - - config.putString(subsystem + "." 
+ certTag + ".cert", certs); - try { - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate x509cert = cm.importCertPackage(certb, nickname); - CryptoUtil.trustCertByNickname(nickname); - - X509Certificate[] certchains = cm.buildCertificateChain(x509cert); - X509Certificate leaf = null; - - if (certchains != null) { - CMS.debug("handleCerts(): certchains length=" + certchains.length); - leaf = certchains[certchains.length - 1]; - } - - if (leaf == null) { - CMS.debug("handleCerts(): leaf is null!"); - throw new IOException("leaf is null"); - } + if (b64 == null || b64.length() == 0 || b64.startsWith("...")) { + throw new PKIException("Missing certificate data for " + certTag + " cert"); + } - if (b64chain != null && b64chain.length() != 0) { - CMS.debug("handlecerts: cert might not have contained chain...calling importCertificateChain: " - + b64chain); - try { - CryptoUtil.importCertificateChain(CryptoUtil.normalizeCertAndReq(b64chain)); - } catch (Exception e) { - CMS.debug("handleCerts(): importCertChain: Exception: " + e.toString()); - } - } + b64 = CryptoUtil.stripCertBrackets(b64.trim()); + String strCert = CryptoUtil.normalizeCertStr(b64); + byte[] binCert = CryptoUtil.base64Decode(strCert); - InternalCertificate icert = (InternalCertificate) leaf; + config.putString(subsystem + "." 
+ certTag + ".cert", strCert); - icert.setSSLTrust( - InternalCertificate.TRUSTED_CA - | InternalCertificate.TRUSTED_CLIENT_CA - | InternalCertificate.VALID_CA); - CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag); - } catch (Exception ee) { - ee.printStackTrace(); - CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString()); - } + String strStrChain = cert.getCertChain(); + byte[] binCertChain = null; - } else { - CMS.debug("handleCerts(): b64 not set"); - throw new PKIException("Missing " + certTag + " certificate to import"); + if (strStrChain != null && strStrChain.length() != 0) { + strStrChain = CryptoUtil.normalizeCertAndReq(strStrChain); + binCertChain = CryptoUtil.base64Decode(strStrChain); } + CertUtil.importExternalCert(certTag, tokenname, nickname, binCert, binCertChain); + } else { - CMS.debug("handleCerts(): processing " + cert.getType() + " cert"); b64 = CryptoUtil.stripCertBrackets(b64.trim()); String certs = CryptoUtil.normalizeCertStr(b64); byte[] certb = CryptoUtil.base64Decode(certs); X509CertImpl impl = new X509CertImpl(certb); - CMS.debug("handleCerts(): deleting existing cert"); - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception e) { - CMS.debug(e); - } - - CMS.debug("handleCerts(): importing new cert"); - try { - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - } catch (Exception ee) { - CMS.debug("handleCerts(): Failed to import user certificate." + ee.toString()); - throw new Exception("Unable to import " + certTag + " certificate: " + ee, ee); - } + CertUtil.importCert(subsystem, certTag, tokenname, nickname, impl); } //update requests in request queue for local certs to allow renewal 
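Review bot: In the `remote` branch, `config.putString(subsystem + "." + certTag + ".cert", strCert)` runs before `CertUtil.importExternalCert(...)`, and because this rewrite propagates import failures instead of logging them, a failed import now leaves the configuration pointing at a certificate that was never imported into the NSS database; move the `putString` after the import returns (the same ordering appears in `handleLocalCert` in the next hunk). `strStrChain` looks like a typo for `strCertChain`, which would match the `strCert`/`binCert` naming beside it. Throwing `PKIException` for missing remote certificate data instead of the old debug-then-throw is fine, but the message `"Missing certificate data for " + certTag + " cert"` no longer says the data was expected from the remote side, which the old `"Missing " + certTag + " certificate to import"` hinted at; consider keeping that wording. The method starts in the previous span and ends outside the hunk.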
@@ -3350,12 +3251,46 @@ public class ConfigurationUtils {
             if (!CryptoUtil.isInternalToken(tokenname))
                 NickName = tokenname + ":" + nickname;
-            CMS.debug("handleCerts(): set trust on CA signing cert " + NickName);
+            CMS.debug("ConfigurationUtils: set trust on CA signing cert " + NickName);
             CryptoUtil.trustCertByNickname(NickName);
             CMS.reinit(ICertificateAuthority.ID);
         }
     }
+    private static void handleLocalCert(
+            IConfigStore config,
+            Cert cert,
+            String tokenname)
+            throws Exception {
+
+        String certTag = cert.getCertTag();
+        CMS.debug("ConfigurationUtils.handleLocalCert(" + certTag + ")");
+
+        String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype");
+
+        X509Key x509key = null;
+        if (pubKeyType.equals("rsa")) {
+            x509key = getRSAX509Key(config, certTag);
+        } else if (pubKeyType.equals("ecc")) {
+            x509key = getECCX509Key(config, certTag);
+        }
+
+        CMS.debug("ConfigurationUtils: creating local cert");
+
+        X509CertImpl impl = CertUtil.createLocalCert(config, x509key, PCERT_PREFIX, certTag, cert.getType());
+
+        byte[] binCert = impl.getEncoded();
+        String strCert = CryptoUtil.base64Encode(binCert);
+        cert.setCert(strCert);
+
+        String subsystem = cert.getSubsystem();
+        config.putString(subsystem + "." + certTag + ".cert", strCert);
+
+        CMS.debug("ConfigurationUtils: importing local cert");
+
+        CertUtil.importCert(subsystem, certTag, tokenname, cert.getNickname(), impl);
+    }
+
     public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
             ObjectNotFoundException, TokenException {
         if (tag.equals("signing") || tag.equals("external_signing"))
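Review bot: handleLocalCert leaves x509key null when the `PCERT_PREFIX + certTag + ".keytype"` value is neither "rsa" nor "ecc" and passes that null straight into CertUtil.createLocalCert, so an unsupported key type fails (or, depending on createLocalCert, which is not visible here, misbehaves) far from the cause. That property is written by processKeyPair in SystemConfigService from the request's certData.getKeyType(), so the value is not guaranteed to be one of the two. Close the chain with `} else { throw new PKIException("Unsupported key type " + pubKeyType + " for " + certTag + " cert"); }` before the createLocalCert call.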
@@ -3383,97 +3318,6 @@ public class ConfigurationUtils {
         }
     }
-    public static boolean findCertificate(String tokenname, String nickname) throws NotInitializedException,
-            TokenException, IOException {
-        IConfigStore cs = CMS.getConfigStore();
-        CryptoManager cm = CryptoManager.getInstance();
-
-        String fullnickname = nickname;
-        boolean hardware = false;
-        if (!CryptoUtil.isInternalToken(tokenname)) {
-            hardware = true;
-            fullnickname = tokenname + ":" + nickname;
-        }
-
-        X509Certificate cert = null;
-        try {
-            cert = cm.findCertByNickname(fullnickname);
-        } catch (ObjectNotFoundException e) {
-            return false;
-        }
-
-        if (cert == null)
-            return false;
-        try {
-            @SuppressWarnings("unused")
-            boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors
-        } catch (Exception e) {
-            if (hardware) {
-                CMS.debug("ConfigurationUtils: findCertificate: The certificate with the same nickname: "
-                        + fullnickname + " has been found on HSM. Please remove it before proceeding.");
-                throw new IOException("The certificate with the same nickname: "
-                        + fullnickname + " has been found on HSM. 
Please remove it before proceeding.", e);
-            }
-        }
-        return true;
-    }
-
-    public static boolean findBootstrapServerCert() throws EBaseException, NotInitializedException, TokenException {
-        IConfigStore cs = CMS.getConfigStore();
-
-        String nickname = cs.getString("preop.cert.sslserver.nickname");
-
-        CryptoManager cm = CryptoManager.getInstance();
-        X509Certificate cert;
-        try {
-            cert = cm.findCertByNickname(nickname);
-        } catch (ObjectNotFoundException e) {
-            return false;
-        }
-        Principal issuerDN = cert.getIssuerDN();
-        Principal subjectDN = cert.getSubjectDN();
-        if (issuerDN.equals(subjectDN))
-            return true;
-
-        return false;
-    }
-
-    public static void deleteBootstrapServerCert() throws EBaseException, NotInitializedException,
-            NoSuchTokenException, TokenException {
-        IConfigStore cs = CMS.getConfigStore();
-        String nickname = cs.getString("preop.cert.sslserver.nickname");
-        deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname);
-    }
-
-    public static void deleteCert(String tokenname, String nickname) throws NotInitializedException,
-            NoSuchTokenException, TokenException {
-
-        CryptoManager cm = CryptoManager.getInstance();
-        CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname);
-        CryptoStore store = tok.getCryptoStore();
-        String fullnickname = nickname;
-        if (!CryptoUtil.isInternalToken(tokenname))
-            fullnickname = tokenname + ":" + nickname;
-
-        CMS.debug("deleteCert: nickname=" + fullnickname);
-        X509Certificate cert;
-        try {
-            cert = cm.findCertByNickname(fullnickname);
-        } catch (ObjectNotFoundException e) {
-            CMS.debug("deleteCert: cert not found");
-            return;
-        }
-
-        if (store instanceof PK11Store) {
-            PK11Store pk11store = (PK11Store) store;
-            try {
-                pk11store.deleteCertOnly(cert);
-            } catch (NoSuchItemOnTokenException e) {
-            }
-            CMS.debug("deleteCert: cert deleted successfully");
-        }
-    }
-
     public static void backupKeys(String pwd, String fname) throws Exception {
         CMS.debug("backupKeys(): start");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index ded237b8d..63c9b82d2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -494,7 +494,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
             ///////////////////////////////////////////////
             String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
             if (tmpCertSerialS != null) {
-                // unlikely to happenm, but do this just in case
+                // unlikely to happen, but do this just in case
                 CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
                 CMS.debug("ProfileSubmitCMCServlet: null it out");
                 ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index afbb24a78..f726db6f1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -21,7 +21,6 @@ import java.math.BigInteger;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -179,10 +178,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         for (Cert cert : certs) {
             try {
-                CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
-                ConfigurationUtils.handleCerts(cert);
+                CMS.debug("=== Handling " + cert.getCertTag() + " cert ===");
+                ConfigurationUtils.handleCert(cert);
                 ConfigurationUtils.setCertPermissions(cert.getCertTag());
-                CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
+
             } catch (Exception e) {
                 CMS.debug(e);
                 throw new PKIException("Error in configuring system certificates: " + e, e);
@@ -290,118 +289,118 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         return certList;
     }
-    public void processCerts(ConfigurationRequest request, String token, Collection<String> certList,
-            Collection<Cert> certs, MutableBoolean hasSigningCert) {
+    public void processCerts(
+            ConfigurationRequest request,
+            String token,
+            Collection<String> certList,
+            Collection<Cert> certs,
+            MutableBoolean hasSigningCert) throws Exception {
-        try {
-            boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false");
-            boolean generateSubsystemCert = request.getGenerateSubsystemCert();
+        boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false");
+        boolean generateSubsystemCert = request.getGenerateSubsystemCert();
-            hasSigningCert.setValue(false);
+        hasSigningCert.setValue(false);
-            for (String tag : certList) {
-                boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true);
-                if (!enable) continue;
+        for (String tag : certList) {
-                SystemCertData certData = null;
+            CMS.debug("=== Processing " + tag + " cert ===");
-                for (SystemCertData systemCert : request.getSystemCerts()) {
-                    if (systemCert.getTag().equals(tag)) {
-                        certData = systemCert;
-                        break;
-                    }
-                }
+            boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true);
+            if (!enable) continue;
-                if (certData == null) {
-                    CMS.debug("No data for '" + tag + "' was found!");
-                    throw new BadRequestException("No data for '" + tag + "' was found!");
+            SystemCertData certData = null;
+
+            for (SystemCertData systemCert : request.getSystemCerts()) {
+                if (systemCert.getTag().equals(tag)) {
+                    certData = systemCert;
+                    break;
                 }
+            }
-                String tokenName = certData.getToken() != null ? 
certData.getToken() : token;
-                if (request.getStandAlone() && request.getStepTwo()) {
-                    // Stand-alone PKI (Step 2)
-                    if (tag.equals("external_signing")) {
+            if (certData == null) {
+                CMS.debug("No data for '" + tag + "' was found!");
+                throw new BadRequestException("No data for '" + tag + "' was found!");
+            }
-                        String b64 = certData.getCert();
-                        if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
-                            hasSigningCert.setValue(true);
+            String tokenName = certData.getToken() != null ? certData.getToken() : token;
+            if (request.getStandAlone() && request.getStepTwo()) {
+                // Stand-alone PKI (Step 2)
+                if (tag.equals("external_signing")) {
-                            if (request.getIssuingCA().equals("External CA")) {
-                                String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA";
-                                Cert cert = new Cert(tokenName, nickname, tag);
-                                ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert);
+                    String b64 = certData.getCert();
+                    if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
+                        hasSigningCert.setValue(true);
-                                CMS.debug("Step 2: certStr for '" + tag + "' is " + b64);
-                                String certChainStr = certData.getCertChain();
+                        if (request.getIssuingCA().equals("External CA")) {
+                            String nickname = certData.getNickname() != null ? 
certData.getNickname() : "caSigningCert External CA";
+                            Cert cert = new Cert(tokenName, nickname, tag);
+                            ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert);
-                                if (certChainStr != null) {
-                                    ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert);
-                                    CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr);
-                                    certs.add(cert);
+                            CMS.debug("Step 2: certStr for '" + tag + "' is " + b64);
+                            String certChainStr = certData.getCertChain();
-                                } else {
-                                    throw new BadRequestException("CertChain not provided");
-                                }
-                            }
+                            if (certChainStr != null) {
+                                ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert);
+                                CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr);
+                                certs.add(cert);
-                            continue;
+                            } else {
+                                throw new BadRequestException("CertChain not provided");
+                            }
                         }
-                    }
-                }
-                if (!generateServerCert && tag.equals("sslserver")) {
-                    updateConfiguration(request, certData, "sslserver");
-                    continue;
+                        continue;
+                    }
                 }
+            }
-                if (!generateSubsystemCert && tag.equals("subsystem")) {
-                    // update the details for the shared subsystem cert here.
-                    updateConfiguration(request, certData, "subsystem");
+            if (!generateServerCert && tag.equals("sslserver")) {
+                updateConfiguration(request, certData, "sslserver");
+                continue;
+            }
-                    // get parameters needed for cloning
-                    updateCloneConfiguration(certData, "subsystem", tokenName);
-                    continue;
-                }
+            if (!generateSubsystemCert && tag.equals("subsystem")) {
+                // update the details for the shared subsystem cert here.
+                updateConfiguration(request, certData, "subsystem");
-                processCert(
-                        request,
-                        token,
-                        certList,
-                        certs,
-                        hasSigningCert,
-                        certData,
-                        tokenName);
+                // get parameters needed for cloning
+                updateCloneConfiguration(certData, "subsystem", tokenName);
+                continue;
             }
-            // make sure to commit changes here for step 1
-            cs.commit(false);
+            processKeyPair(
+                    request,
+                    token,
+                    certData);
-        } catch (NumberFormatException e) {
-            // move these validations to validate()?
-            throw new BadRequestException("Non-integer value for key size");
+            Cert cert = processCert(
+                    request,
+                    hasSigningCert,
+                    certData,
+                    tokenName);
-        } catch (NoSuchAlgorithmException e) {
-            throw new BadRequestException("Invalid algorithm " + e);
+            certs.add(cert);
+        }
-        } catch (PKIException e) {
-            throw e;
+        // make sure to commit changes here for step 1
+        cs.commit(false);
-        } catch (Exception e) {
-            CMS.debug(e);
-            throw new PKIException("Error in setting certificate names and key sizes: " + e);
+        ConfigurationUtils.updateServerCertNickConf();
+
+        if (request.isClone()) {
+            ConfigurationUtils.updateCloneConfig();
         }
     }
-    public void processCert(
+    public void processKeyPair(
             ConfigurationRequest request,
             String token,
-            Collection<String> certList,
-            Collection<Cert> certs,
-            MutableBoolean hasSigningCert,
-            SystemCertData certData,
-            String tokenName) throws Exception {
+            SystemCertData certData
+            ) throws Exception {
         String tag = certData.getTag();
+        CMS.debug("SystemConfigService.processKeyPair(" + tag + ")");
+
         String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa";
         String keyalgorithm = certData.getKeyAlgorithm();
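Review bot: Removing the catch blocks changes what a client sees for a bad key size: `Integer.parseInt(keysize)` in processKeyPair (next hunk, `@@ -410`) still parses the request-supplied certData.getKeySize(), but the NumberFormatException that this method used to map to `BadRequestException("Non-integer value for key size")` now leaves processCerts unmapped under the new `throws Exception` signature, so unless the caller (outside this hunk) translates it, a malformed value surfaces as an internal error instead of a 400; the dropped NoSuchAlgorithmException mapping has the same effect. Validate at the point of use in processKeyPair, e.g. `if (!keysize.matches("[0-9]+")) throw new BadRequestException("Non-integer value for key size: " + keysize);` immediately before the parseInt.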
@@ -410,47 +409,69 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
         String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm;
-        String nickname = cs.getString("preop.cert." + tag + ".nickname");
-        String dn = cs.getString("preop.cert." + tag + ".dn");
         cs.putString("preop.cert." + tag + ".keytype", keytype);
         cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm);
         cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm);
         // support injecting SAN into server cert
-        if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) {
-            CMS.debug("updateConfiguration(): san_server_cert found");
+        if (tag.equals("sslserver") && certData.getServerCertSAN() != null) {
+            CMS.debug("SystemConfigService: san_server_cert found");
             cs.putString("service.injectSAN", "true");
             cs.putString("service.sslserver.san", certData.getServerCertSAN());
+
         } else {
-            if ( tag.equals("sslserver"))
-                CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver");
+            if (tag.equals("sslserver")) {
+                CMS.debug("SystemConfigService: san_server_cert not found");
+            }
         }
         cs.commit(false);
         if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-            // load key pair for existing and externally-signed signing cert
-            CMS.debug("SystemConfigService: loading signing cert key pair");
+
+            CMS.debug("SystemConfigService: loading existing key pair from NSS database");
             KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken());
+
+            CMS.debug("SystemConfigService: storing key pair into CS.cfg");
             ConfigurationUtils.storeKeyPair(cs, tag, pair);
         } else if (!request.getStepTwo()) {
+
+            CMS.debug("SystemConfigService: generating key pair");
+
+            KeyPair pair;
             if (keytype.equals("ecc")) {
                 String curvename = certData.getKeySize() != null ? 
certData.getKeySize() : cs.getString("keys.ecc.curve.default");
                 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
-                ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+                pair = ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
             } else {
                 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default");
                 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
-                ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+                pair = ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
             }
+            CMS.debug("SystemConfigService: storing key pair into CS.cfg");
+            ConfigurationUtils.storeKeyPair(cs, tag, pair);
+
         } else {
-            CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'");
+            CMS.debug("SystemConfigService: key pair already generated in step one");
         }
+    }
+
+    public Cert processCert(
+            ConfigurationRequest request,
+            MutableBoolean hasSigningCert,
+            SystemCertData certData,
+            String tokenName) throws Exception {
+
+        String tag = certData.getTag();
+        CMS.debug("SystemConfigService.processCert(" + tag + ")");
+
+        String nickname = cs.getString("preop.cert." + tag + ".nickname");
+        String dn = cs.getString("preop.cert." + tag + ".dn");
         Cert cert = new Cert(tokenName, nickname, tag);
         cert.setDN(dn);
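Review bot: processKeyPair and processCert are new public methods without Javadoc, and the split between them is not obvious from the names: processKeyPair writes the keytype/keyalgorithm/signingalgorithm and SAN settings into cs, commits, and then loads, generates-and-stores, or skips the key pair depending on request.isExternal() and request.getStepTwo(), while processCert only starts to build the Cert here. A one-line Javadoc on each would help, e.g. on processCert `/** Builds the Cert for the tag in {@code certData} from the preop.cert.<tag>.* entries in cs; for an external CA signing cert it also sets {@code hasSigningCert}. */` and on processKeyPair `/** Records the key parameters for the tag in cs (committing it) and loads, generates or skips the key pair as the request dictates. */`. processKeyPair begins in the previous hunk and processCert continues past the end of this one.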
@@ -462,13 +483,26 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             // update configuration for existing or externally-signed signing certificate
             String certStr = cs.getString("ca." + tag + ".cert" );
             cert.setCert(certStr);
-            CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr);
+
+            CMS.debug("SystemConfigService: cert: " + certStr);
             ConfigurationUtils.updateConfig(cs, tag);
-        } else if (!request.getStepTwo()) {
+            CMS.debug("SystemConfigService: Loading cert request from CS.cfg");
+            ConfigurationUtils.loadCertRequest(cs, tag, cert);
+
+            CMS.debug("SystemConfigService: Loading cert " + tag);
+            ConfigurationUtils.loadCert(cs, cert);
+
+            CMS.debug("SystemConfigService: External CA has signing cert");
+            hasSigningCert.setValue(true);
+            return cert;
+        }
+
+        if (!request.getStepTwo()) {
             ConfigurationUtils.configCert(null, null, null, cert);
         } else {
+
             String subsystem = cs.getString("preop.cert." + tag + ".subsystem");
             String certStr;
@@ -484,24 +518,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             }
             cert.setCert(certStr);
-            CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr);
+            CMS.debug("SystemConfigService: cert: " + certStr);
         }
-        if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-
-            CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert");
-            ConfigurationUtils.loadCertRequest(cs, tag, cert);
-
-            CMS.debug("SystemConfigService: Loading cert " + tag);
-            ConfigurationUtils.loadCert(cs, cert);
-
-        } else if (request.getStandAlone()) {
+        if (request.getStandAlone()) {
             // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2)
             if (!request.getStepTwo()) {
                 // Stand-alone PKI (Step 1)
                 ConfigurationUtils.generateCertRequest(cs, tag, cert);
-                CMS.debug("Stand-alone " + csType + " Admin CSR");
+                CMS.debug("SystemConfigService: Standalone " + csType + " Admin CSR");
                 String adminSubjectDN = request.getAdminSubjectDN();
                 String certreqStr = request.getAdminCertRequest();
                 certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr);
@@ -515,17 +541,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 ConfigurationUtils.generateCertRequest(cs, tag, cert);
             }
-            if (request.isClone()) {
-                ConfigurationUtils.updateCloneConfig();
-            }
-
-            if (request.isExternal() && tag.equals("signing")) { // external/existing CA
-                CMS.debug("SystemConfigService: External CA has signing cert");
-                hasSigningCert.setValue(true);
-                certs.add(cert);
-                return;
-            }
-
             // to determine if we have the signing cert when using an external ca
             // this will only execute on a ca or stand-alone pki
             String b64 = certData.getCert();
@@ -545,7 +560,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             }
         }
-        certs.add(cert);
+        return cert;
     }
     private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException, |