diff options
Diffstat (limited to 'base/server')
7 files changed, 135 insertions, 10 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java index 240f86a13..ca3d05f25 100644 --- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java +++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java @@ -450,6 +450,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault { if (!pattern.equals("")) { CMS.debug("SubjectAltNameExtDefault: createExtension() pattern="+ pattern); String gname = ""; + String gtype = ""; // cfu - see if this is server-generated (e.g. UUID4) // to use this feature, use $server.source$ in pattern @@ -479,16 +480,18 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault { } else { if (request != null) { gname = mapPattern(request, pattern); + gtype = mapPattern(request, type); } } - if (gname.equals("") || gname.contains("$")) { - CMS.debug("ubjectAltNameExtDefault: mapPattern()failed. Not added. gname="+ gname); + if (gname.equals("") || + gname.startsWith(CONFIG_SAN_REQ_PATTERN_PREFIX)) { + CMS.debug("SubjectAltNameExtDefault: gname is empty,not added."); continue; } - CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname); + CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" +gname + " with type=" + gtype); - GeneralNameInterface n = parseGeneralName(type + ":" + gname); + GeneralNameInterface n = parseGeneralName(gtype + ":" + gname); CMS.debug("adding gname: " + gname); if (n != null) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 22f092973..36b0e4d0d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -206,6 +206,85 @@ public class CertUtil { } } + + // Dynamically inject the SubjectAlternativeName extension to a + // local/self-signed master CA's request for its SSL Server Certificate. + // + // Since this information may vary from instance to + // instance, obtain the necessary information from the + // 'service.sslserver.san' value(s) in the instance's + // CS.cfg, process these values converting each item into + // its individual SubjectAlternativeName components, and + // inject these values into the local request. + // + public static void injectSANextensionIntoRequest(IConfigStore config, + IRequest req) throws Exception { + CMS.debug("CertUtil::injectSANextensionIntoRequest() - injecting SAN " + + "entries into request . . ."); + int i = 0; + if (config == null || req == null) { + throw new EBaseException("injectSANextensionIntoRequest: parameters config and req cannot be null"); + } + String sanHostnames = config.getString("service.sslserver.san"); + String sans[] = StringUtils.split(sanHostnames, ","); + for (String san : sans) { + CMS.debug("CertUtil: injectSANextensionIntoRequest() injecting " + + "SAN hostname: " + san); + req.setExtData("req_san_pattern_" + i, san); + i++; + } + CMS.debug("CertUtil: injectSANextensionIntoRequest() " + "injected " + + i + " SAN entries into request."); + } + + // Dynamically apply the SubjectAlternativeName extension to a + // remote PKI instance's request for its SSL Server Certificate. + // + // Since this information may vary from instance to + // instance, obtain the necessary information from the + // 'service.sslserver.san' value(s) in the instance's + // CS.cfg, process these values converting each item into + // its individual SubjectAlternativeName components, and + // build an SSL Server Certificate URL extension consisting + // of this information. + // + // 03/27/2013 - Should consider removing this + // "buildSANSSLserverURLExtension()" + // method if it becomes possible to + // embed a certificate extension into + // a PKCS #10 certificate request. + // + public static String buildSANSSLserverURLExtension(IConfigStore config) + throws Exception { + String url = ""; + String entries = ""; + + CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + + "building SAN SSL Server Certificate URL extension . . ."); + int i = 0; + if (config == null) { + throw new EBaseException("injectSANextensionIntoRequest: parameter config cannot be null"); + } + String sanHostnames = config.getString("service.sslserver.san"); + String sans[] = StringUtils.split(sanHostnames, ","); + for (String san : sans) { + CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " + + "SAN hostname: " + san); + // Add the DNSName for all SANs + entries = entries + + "&req_san_pattern_" + i + "=" + san; + i++; + } + + url = "&req_san_entries=" + i + entries; + + CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " + + i + " SAN entries into SSL Server Certificate URL."); + + return url; + } + + /* * create requests so renewal can work on these initial certs */ @@ -375,6 +454,9 @@ public class CertUtil { IRequest req = null; try { + Boolean injectSAN = config.getBoolean( + "service.injectSAN", false); + CMS.debug("createLocalCert: injectSAN=" + injectSAN); String dn = config.getString(prefix + certTag + ".dn"); String keyAlgorithm = null; Date date = new Date(); @@ -426,6 +508,10 @@ public class CertUtil { queue = ca.getRequestQueue(); if (queue != null) { req = createLocalRequest(queue, serialNo.toString(), info); + if (certTag.equals("sslserver") && + injectSAN == true) { + injectSANextensionIntoRequest(config, req); + } CMS.debug("CertUtil profile name= " + profile); req.setExtData("req_key", x509key.toString()); @@ -498,7 +584,7 @@ public class CertUtil { } } catch (Exception e) { CMS.debug(e); - CMS.debug("NamePanel configCert() exception caught:" + e.toString()); + CMS.debug("CertUtil createLocalCert() exception caught:" + e.toString()); } if (cr == null) { @@ -520,22 +606,22 @@ public class CertUtil { cert.getSerialNumber(), cert, meta); } catch (Exception e) { CMS.debug( - "NamePanel configCert: failed to add metainfo. Exception: " + e.toString()); + "CertUtil createLocalCert: failed to add metainfo. Exception: " + e.toString()); } try { cr.addCertificateRecord(record); CMS.debug( - "NamePanel configCert: finished adding certificate record."); + "CertUtil createLocalCert: finished adding certificate record."); } catch (Exception e) { CMS.debug( - "NamePanel configCert: failed to add certificate record. Exception: " + "CertUtil createLocalCert: failed to add certificate record. Exception: " + e.toString()); try { cr.deleteCertificateRecord(record.getSerialNumber()); cr.addCertificateRecord(record); } catch (Exception ee) { - CMS.debug("NamePanel update: Exception: " + ee.toString()); + CMS.debug("CertUtil createLocalCert: Exception: " + ee.toString()); } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 21aaf203b..1765ba7a6 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2492,11 +2492,22 @@ public class ConfigurationUtils { } catch (Exception ee) { } + String sslserver_extension = ""; + Boolean injectSAN = config.getBoolean( + "service.injectSAN", false); + CMS.debug("ConfigurationUtils: injectSAN="+injectSAN); + if (certTag.equals("sslserver") && + injectSAN == true) { + sslserver_extension = + CertUtil.buildSANSSLserverURLExtension(config); + } + String content = "requestor_name=" + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") - + "&xmlOutput=true&sessionID=" + session_id; + + "&xmlOutput=true&sessionID=" + session_id + + sslserver_extension; cert = CertUtil.createRemoteCert(ca_hostname, ca_port, content, response, panel); if (cert == null) { diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 7067c24ec..12dd54dac 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -410,6 +410,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm); cs.putString("preop.cert." + tag + ".nickname", nickname); cs.putString("preop.cert." + tag + ".dn", dn); + + // support injecting SAN into server cert + if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { + CMS.debug("updateConfiguration(): san_server_cert found"); + cs.putString("service.injectSAN", "true"); + cs.putString("service.sslserver.san", certData.getServerCertSAN()); + } else { + if ( tag.equals("sslserver")) + CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); + } cs.commit(false); if (!request.getStepTwo()) { diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 50117a20e..3f7af5ebd 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -104,6 +104,9 @@ pki_security_domain_https_port=8443 pki_security_domain_name=%(pki_dns_domainname)s Security Domain pki_security_domain_password= pki_security_domain_user=caadmin +#for supporting server cert SAN injection +pki_san_inject=False +pki_san_for_server_cert= pki_skip_configuration=False pki_skip_installation=False pki_ssl_server_key_algorithm=SHA256withRSA diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 7f46c1f8b..884215e85 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -463,6 +463,11 @@ class ConfigurationFile: self.mdict['pki_skip_configuration']) self.standalone = config.str2bool(self.mdict['pki_standalone']) self.subordinate = config.str2bool(self.mdict['pki_subordinate']) + # server cert san injection support + self.san_inject = config.str2bool(self.mdict['pki_san_inject']) + if self.san_inject: + self.confirm_data_exists('pki_san_for_server_cert') + self.san_for_server_cert = self.mdict['pki_san_for_server_cert'] # set useful 'string' object variables for this class self.subsystem = self.mdict['pki_subsystem'] @@ -3637,6 +3642,7 @@ class ConfigClient: self.add_req_ext = config.str2bool( self.mdict['pki_req_ext_add']) self.security_domain_type = self.mdict['pki_security_domain_type'] + self.san_inject = config.str2bool(self.mdict['pki_san_inject']) def configure_pki_data(self, data): config.pki_log.info( @@ -4335,6 +4341,9 @@ class ConfigClient: cert.nickname = self.mdict["pki_%s_nickname" % tag] cert.subjectDN = self.mdict["pki_%s_subject_dn" % tag] cert.token = self.mdict["pki_%s_token" % tag] + if tag == 'ssl_server' and self.san_inject: + cert.san_for_server_cert = \ + self.mdict['pki_san_for_server_cert'] return cert def retrieve_existing_server_cert(self, cfg_file): diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index e37b0e4a5..e93f1717e 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -588,6 +588,9 @@ class PKIConfigParser: if not 'pki_subordinate' in self.mdict or\ not len(self.mdict['pki_subordinate']): self.mdict['pki_subordinate'] = "false" + if not 'pki_san_inject' in self.mdict or\ + not len(self.mdict['pki_san_inject']): + self.mdict['pki_san_inject'] = "false" # PKI Target (slot substitution) name/value pairs self.mdict['pki_target_cs_cfg'] = \ |