From 313561ca3270d0f08da95d4ca3bf6782ed32159d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 7 Jul 2017 07:06:40 +0200
Subject: Refactored SystemConfigService.processKeyPair().
The code in SystemConfigService.processCert() that loads or generates key pair has been moved into processKeyPair(). The code that sets key pair properties in createECCKeyPair() and createRSAKeyPair() has been replaced with storeKeyPair(). The processCert() has been modified to return a Cert object. Some debug messages have been added for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ica16c7ce4f33fb23df2813a8b65d66fc2d4ea198
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 34 ++++-------
.../dogtagpki/server/rest/SystemConfigService.java | 70 +++++++++++++++-------
2 files changed, 59 insertions(+), 45 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index cca753404..68c3b8dac 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2340,10 +2340,12 @@ public class ConfigurationUtils {
 setSigningAlgorithm(tag, keyAlgo, config);
 }
- public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct)
+ public static KeyPair createECCKeyPair(String token, String curveName, IConfigStore config, String ct)
 throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException {
- CMS.debug("createECCKeyPair: Generating ECC key pair with curvename=" + curveName + ", token=" + token);
+
+ CMS.debug("ConfigurationUtils.createECCKeyPair(" + token + ", " + curveName + ")");
+
 KeyPair pair = null;
 /*
 * default ssl server cert to ECDHE unless stated otherwise 
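Review bot: `createECCKeyPair` now returns the generated pair to the caller but has no Javadoc, and nothing says which of `config` and `ct` the method still uses now that the `config.putString` and `setSigningAlgorithm` calls are gone from it (the body continues past this hunk). A header such as `/** Generates an ECC key pair on the named token, retrying while the private key cannot be located by id; the caller persists it via storeKeyPair(). @return the generated pair, never null */` would state the new contract, and if `config` or `ct` turn out to be unused after the move they should be dropped or marked as retained for signature compatibility. The new debug line logs only the token and curve name, which is fine to keep.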
@@ -2392,7 +2394,6 @@ public class ConfigurationUtils {
 // XXX - store curve , w
 byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
 String kid = CryptoUtil.byte2string(id);
- config.putString(PCERT_PREFIX + ct + ".privkey.id", kid);
 // try to locate the private key
 org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); 
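Review bot: Removing `config.putString(PCERT_PREFIX + ct + ".privkey.id", kid)` here, together with the `.pubkey.encoded`, `.pubkey.modulus` / `.pubkey.exponent` writes and the `setSigningAlgorithm(ct, keyAlgo, config)` calls removed in the next hunk, leaves `ConfigurationUtils.storeKeyPair(cs, tag, pair)` as the only place those `preop.cert.<tag>.*` entries can now be written, and that method is not part of this diff. Please confirm it writes every one of them — in particular that it still applies `setSigningAlgorithm`, which the old code ran for every generated pair — otherwise whatever later reads those entries (step two of the configuration, for instance) finds them missing. A comment at the new `return pair;` of both methods, `// key id and public key are recorded in CS.cfg by the caller via storeKeyPair()`, would make the new division of labour visible at the point where the writes used to be.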
@@ -2402,42 +2403,31 @@ public class ConfigurationUtils {
 }
 } while (pair == null);
- CMS.debug("Public key class " + pair.getPublic().getClass().getName());
- byte encoded[] = pair.getPublic().getEncoded();
- config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", CryptoUtil.byte2string(encoded));
-
- String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm");
- setSigningAlgorithm(ct, keyAlgo, config);
+ return pair;
 }
- public static void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct)
+ public static KeyPair createRSAKeyPair(String token, int keysize, IConfigStore config, String ct)
 throws Exception {
- /* generate key pair */
+
+ CMS.debug("ConfigurationUtils.createRSAKeyPair(" + token + ")");
+
 KeyPair pair = null;
 do {
 pair = CryptoUtil.generateRSAKeyPair(token, keysize);
 byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID();
 String kid = CryptoUtil.byte2string(id);
- config.putString(PCERT_PREFIX + ct + ".privkey.id", kid);
+
 // try to locate the private key
 org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid));
+
 if (privk == null) {
 CMS.debug("Found bad RSA key id " + kid);
 pair = null;
 }
 } while (pair == null);
- byte modulus[] = ((RSAPublicKey) pair.getPublic()).getModulus().toByteArray();
- byte exponent[] = ((RSAPublicKey) pair.getPublic()).getPublicExponent().toByteArray();
-
- config.putString(PCERT_PREFIX + ct + ".pubkey.modulus",
- CryptoUtil.byte2string(modulus));
- config.putString(PCERT_PREFIX + ct + ".pubkey.exponent",
- CryptoUtil.byte2string(exponent));
-
- String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm");
- setSigningAlgorithm(ct, keyAlgo, config);
+ return pair;
 }
 public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound, 
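Review bot: After this hunk `createRSAKeyPair` no longer reads `config` or `ct` — its entire body is the debug line, the generate/locate loop and `return pair;` — yet both stay in the signature, so the caller in `SystemConfigService.processKeyPair` still passes `cs, tag` to a method that ignores them. Either drop the two parameters (that caller is edited in this same commit) or add Javadoc saying they are kept for signature compatibility. Two smaller points: `throws Exception` hides which failures callers can handle, whereas `createECCKeyPair` above lists its exception types, and the `do { … } while (pair == null)` loop has no retry bound, so a token that keeps producing an unlocatable key id spins forever; the loop is pre-existing, but since the method is being reshaped a bounded retry that throws after a fixed number of failures would be cheap to add.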
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 9f73a9ef1..b1dc22352 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -368,14 +368,18 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 continue;
 }
- processCert(
+ processKeyPair(
 request,
 token,
- certList,
- certs,
+ certData);
+
+ Cert cert = processCert(
+ request,
 hasSigningCert,
 certData,
 tokenName);
+
+ certs.add(cert);
 }
 // make sure to commit changes here for step 1
@@ -388,16 +392,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 }
 }
- public void processCert(
+ public void processKeyPair(
 ConfigurationRequest request,
 String token,
- Collection certList,
- Collection certs,
- MutableBoolean hasSigningCert,
- SystemCertData certData,
- String tokenName) throws Exception {
+ SystemCertData certData
+ ) throws Exception {
 String tag = certData.getTag();
+ CMS.debug("SystemConfigService.processKeyPair(" + tag + ")");
+
 String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa";
 String keyalgorithm = certData.getKeyAlgorithm(); 
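Review bot: `processKeyPair` is now a public method with an ordering contract that nothing states: it writes `preop.cert.<tag>.keytype`, `.keyalgorithm` and `.signingalgorithm` and, past this hunk, stores the key pair into CS.cfg, and `processCert` is presumably expected to find that state, yet neither method carries Javadoc and the caller in the first hunk is the only thing that enforces the order. Add a Javadoc on each, e.g. `/** Loads or generates the key pair for certData.getTag() and records it in CS.cfg; must run before processCert() for the same certData. */`, and consider making `processKeyPair` private unless another caller needs it. Minor style: the new signature puts `) throws Exception {` on its own line while `processCert` keeps `String tokenName) throws Exception {`; use one form for both.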
@@ -406,47 +409,69 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 }
 String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm;
- String nickname = cs.getString("preop.cert." + tag + ".nickname");
- String dn = cs.getString("preop.cert." + tag + ".dn");
 cs.putString("preop.cert." + tag + ".keytype", keytype);
 cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm);
 cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm);
 // support injecting SAN into server cert
- if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) {
- CMS.debug("updateConfiguration(): san_server_cert found");
+ if (tag.equals("sslserver") && certData.getServerCertSAN() != null) {
+ CMS.debug("SystemConfigService: san_server_cert found");
 cs.putString("service.injectSAN", "true");
 cs.putString("service.sslserver.san", certData.getServerCertSAN());
+
 } else {
- if ( tag.equals("sslserver"))
- CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver");
+ if (tag.equals("sslserver")) {
+ CMS.debug("SystemConfigService: san_server_cert not found");
+ }
 }
 cs.commit(false);
 if (request.isExternal() && tag.equals("signing")) { // external/existing CA
- // load key pair for existing and externally-signed signing cert
- CMS.debug("SystemConfigService: loading signing cert key pair");
+
+ CMS.debug("SystemConfigService: loading existing key pair from NSS database");
 KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken());
+
+ CMS.debug("SystemConfigService: storing key pair into CS.cfg");
 ConfigurationUtils.storeKeyPair(cs, tag, pair);
 } else if (!request.getStepTwo()) {
+
+ CMS.debug("SystemConfigService: generating key pair");
+
+ KeyPair pair;
 if (keytype.equals("ecc")) {
 String curvename = certData.getKeySize() != null ? 
certData.getKeySize() : cs.getString("keys.ecc.curve.default");
 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+ pair = ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
 } else {
 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default");
 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+ pair = ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
 }
+ CMS.debug("SystemConfigService: storing key pair into CS.cfg");
+ ConfigurationUtils.storeKeyPair(cs, tag, pair);
+
 } else {
- CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'");
+ CMS.debug("SystemConfigService: key pair already generated in step one");
 }
+ }
+
+ public Cert processCert(
+ ConfigurationRequest request,
+ MutableBoolean hasSigningCert,
+ SystemCertData certData,
+ String tokenName) throws Exception {
+
+ String tag = certData.getTag();
+ CMS.debug("SystemConfigService.processCert(" + tag + ")");
+
+ String nickname = cs.getString("preop.cert." + tag + ".nickname");
+ String dn = cs.getString("preop.cert." + tag + ".dn");
 Cert cert = new Cert(tokenName, nickname, tag);
 cert.setDN(dn);
@@ -514,8 +539,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 if (request.isExternal() && tag.equals("signing")) { // external/existing CA
 CMS.debug("SystemConfigService: External CA has signing cert");
 hasSigningCert.setValue(true);
- certs.add(cert);
- return;
+ return cert;
 }
 // to determine if we have the signing cert when using an external ca 
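Review bot: The rewritten `sslserver` branch still copies `certData.getServerCertSAN()` straight from the request into `service.sslserver.san` and commits it; nothing in this hunk checks the value's shape, so a malformed SAN would only surface wherever the extension is later built, with no indication of which request field was wrong. If the accepted form is known, rejecting blank or unparsable values before `cs.putString("service.sslserver.san", ...)` gives the client an immediate error; if that validation already exists downstream, a one-line comment here pointing to it would save the next reader the search. Separately, the step-two `else` only logs `key pair already generated in step one` and `processCert` (its body continues past the hunk) then proceeds; an explicit check that the step-one entries for `tag` are present, or a comment stating why they cannot be absent, would make the split this commit introduces safer.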
@@ -537,7 +561,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 }
 }
- certs.add(cert);
+ return cert;
 }
 private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException,
-- cgit