From c39cc840b5c2f322cee88ab94e53d20a8e3bfad0 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 29 Jun 2017 08:15:26 +0200 Subject: Refactored CertUtil.importExternalCert(). The code for importing external cert into NSS database has been moved into CertUtil.importExternalCert(). https://pagure.io/dogtagpki/issue/2280 Change-Id: Icb347943fc432ad97105229c14768822b070d99f --- .../com/netscape/cms/servlet/csadmin/CertUtil.java | 45 ++++++++++++ .../cms/servlet/csadmin/ConfigurationUtils.java | 80 +++++----------------- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 70 ++++++++++--------- 3 files changed, 101 insertions(+), 94 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index c2f87bb83..827b71a2a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java 
@@ -856,4 +856,49 @@ public class CertUtil {
             CryptoUtil.importUserCertificate(impl, nickname, false);
         }
     }
+
+    public static void importExternalCert(
+            String tag,
+            String tokenname,
+            String nickname,
+            byte[] cert,
+            byte[] certChain
+            ) throws Exception {
+
+        CMS.debug("CertUtil.importExternalCert(" + tag + ")");
+
+        if (tag.equals("sslserver") && findBootstrapServerCert()) {
+            CMS.debug("CertUtil: deleting temporary SSL server cert");
+            deleteBootstrapServerCert();
+        }
+
+        if (findCertificate(tokenname, nickname)) {
+            CMS.debug("CertUtil: deleting existing " + tag + " cert");
+            deleteCert(tokenname, nickname);
+        }
+
+        if (certChain != null) {
+            CMS.debug("CertUtil: importing cert chain for " + tag + " cert");
+            CryptoUtil.importCertificateChain(certChain);
+        }
+
+        CMS.debug("CertUtil: importing " + tag + " cert");
+
+        CryptoManager cm = CryptoManager.getInstance();
+        X509Certificate x509cert = cm.importCertPackage(cert, nickname);
+
+        CMS.debug("CertUtil: trusting cert: " + x509cert.getSubjectDN());
+        CryptoUtil.trustCertByNickname(nickname);
+
+        X509Certificate[] certs = cm.buildCertificateChain(x509cert);
+        CMS.debug("CertUtil: cert chain:");
+        for (X509Certificate c : certs) {
+            CMS.debug("ConfigurationUtils: - " + c.getSubjectDN());
+        }
+
+        X509Certificate rootCert = certs[certs.length - 1];
+        CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN());
+
+        CryptoUtil.trustRootCert(rootCert);
+    }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 97a4bc3a8..510518571 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
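Review bot: `X509Certificate rootCert = certs[certs.length - 1];` trusts whatever `cm.buildCertificateChain(x509cert)` returns last, and the guard the removed handleCerts() code had (`if (certchains != null)` followed by an IOException when `leaf == null`) is gone, so a cert that cannot be chained now fails with a NullPointerException after the existing cert has already been deleted. The last element is the intended root only when the chain is complete; with a partial chain an intermediate receives CT,C,C trust flags through trustRootCert(). Suggest `if (certs == null || certs.length == 0) throw new Exception("Unable to build certificate chain for " + tag + " cert");` before the index, and, assuming the JSS X509Certificate type exposes getIssuerDN(), refusing to trust the end of the chain as a root when `!rootCert.getSubjectDN().equals(rootCert.getIssuerDN())`. The debug prefix `"ConfigurationUtils: - "` in the chain loop looks like a copy-paste leftover and should read `"CertUtil: - "`.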
@@ -296,7 +296,9 @@ public class ConfigurationUtils {
                 }
                 cs.commit(false);
-                CryptoUtil.importCertificateChain(certchain);
+
+                byte[] bytes = CryptoUtil.base64Decode(certchain);
+                CryptoUtil.importCertificateChain(bytes);
             } else {
                 throw new IOException("importCertChain: Security Domain response does not contain certificate chain");
@@ -3241,74 +3243,26 @@ public class ConfigurationUtils {
                 } else if (cert.getType().equals("remote")) {
-                    CMS.debug("handleCerts(): processing remote cert");
-
-                    if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
-
-                        CMS.debug("handleCerts(): deleting existing cert");
-                        String b64chain = cert.getCertChain();
-
-                        try {
-                            if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
-                                CertUtil.deleteBootstrapServerCert();
-                            if (CertUtil.findCertificate(tokenname, nickname)) {
-                                CertUtil.deleteCert(tokenname, nickname);
-                            }
-                        } catch (Exception e) {
-                            CMS.debug(e);
-                        }
-
-                        CMS.debug("handleCerts(): importing new cert");
-                        b64 = CryptoUtil.stripCertBrackets(b64.trim());
-                        String certs = CryptoUtil.normalizeCertStr(b64);
-                        byte[] certb = CryptoUtil.base64Decode(certs);
-
-                        config.putString(subsystem + "." + certTag + ".cert", certs);
-                        try {
-                            CryptoManager cm = CryptoManager.getInstance();
-                            X509Certificate x509cert = cm.importCertPackage(certb, nickname);
-                            CryptoUtil.trustCertByNickname(nickname);
-
-                            X509Certificate[] certchains = cm.buildCertificateChain(x509cert);
-                            X509Certificate leaf = null;
-
-                            if (certchains != null) {
-                                CMS.debug("handleCerts(): certchains length=" + certchains.length);
-                                leaf = certchains[certchains.length - 1];
-                            }
-
-                            if (leaf == null) {
-                                CMS.debug("handleCerts(): leaf is null!");
-                                throw new IOException("leaf is null");
-                            }
+                    if (b64 == null || b64.length() == 0 || b64.startsWith("...")) {
+                        throw new PKIException("Missing certificate data for " + certTag + " cert");
+                    }
-                            if (b64chain != null && b64chain.length() != 0) {
-                                CMS.debug("handlecerts: cert might not have contained chain...calling importCertificateChain: "
-                                        + b64chain);
-                                try {
-                                    CryptoUtil.importCertificateChain(CryptoUtil.normalizeCertAndReq(b64chain));
-                                } catch (Exception e) {
-                                    CMS.debug("handleCerts(): importCertChain: Exception: " + e.toString());
-                                }
-                            }
+                    b64 = CryptoUtil.stripCertBrackets(b64.trim());
+                    String strCert = 
CryptoUtil.normalizeCertStr(b64);
+                    byte[] binCert = CryptoUtil.base64Decode(strCert);
-                        InternalCertificate icert = (InternalCertificate) leaf;
+                    config.putString(subsystem + "." + certTag + ".cert", strCert);
-                        icert.setSSLTrust(
-                                InternalCertificate.TRUSTED_CA
-                                | InternalCertificate.TRUSTED_CLIENT_CA
-                                | InternalCertificate.VALID_CA);
-                        CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag);
-                        } catch (Exception ee) {
-                            ee.printStackTrace();
-                            CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString());
-                        }
+                    String strStrChain = cert.getCertChain();
+                    byte[] binCertChain = null;
-                    } else {
-                        CMS.debug("handleCerts(): b64 not set");
-                        throw new PKIException("Missing " + certTag + " certificate to import");
+                    if (strStrChain != null && strStrChain.length() != 0) {
+                        strStrChain = CryptoUtil.normalizeCertAndReq(strStrChain);
+                        binCertChain = CryptoUtil.base64Decode(strStrChain);
                     }
+                    CertUtil.importExternalCert(certTag, tokenname, nickname, binCert, binCertChain);
+
                 } else {
                     b64 = CryptoUtil.stripCertBrackets(b64.trim());
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 707a12388..6da8d950d 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -121,6 +121,7 @@ import netscape.security.pkcs.PKCS10Attribute;
 import netscape.security.pkcs.PKCS10Attributes;
 import netscape.security.pkcs.PKCS7;
 import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.pkcs.ParsingException;
 import netscape.security.util.BigInt;
 import netscape.security.util.DerInputStream;
 import netscape.security.util.DerOutputStream;
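Review bot: `config.putString(subsystem + "." + certTag + ".cert", strCert);` is persisted before `CertUtil.importExternalCert(...)` runs, and since the try/catch blocks around deletion and import were removed, a failed import now propagates out of handleCerts() with the config already pointing at a cert that never reached the NSS database (the previous cert having been deleted by importExternalCert() first). The old code had the same ordering but swallowed the exception, so the inconsistency is not new; moving the putString after the importExternalCert call would make the persisted config reflect only successful imports. The chain is normalized with `CryptoUtil.normalizeCertAndReq` while the cert itself uses `CryptoUtil.normalizeCertStr`; if that difference is deliberate, a one-line comment such as `// chain may arrive in a different wrapping than a bare cert, hence the cert-or-request normalizer` would save the next reader from assuming a mismatch. handleCerts() begins and ends outside this hunk.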
@@ -1217,51 +1218,42 @@ public class CryptoUtil {
         return val.toString();
     }
-    public static void importCertificateChain(String certchain)
+    public static void importCertificateChain(byte[] bytes)
             throws IOException,
             CryptoManager.NotInitializedException,
             TokenException,
             CertificateEncodingException,
             CertificateException {
-        byte[] blah = base64Decode(certchain);
+
         CryptoManager manager = CryptoManager.getInstance();
-        PKCS7 pkcs7 = null;
+
+        X509Certificate cert = null;
+
         try {
             // try PKCS7 first
-            pkcs7 = new PKCS7(blah);
-        } catch (Exception e) {
-        }
-        X509Certificate cert = null;
-        if (pkcs7 == null) {
-            cert = manager.importCACertPackage(blah);
-        } else {
-            java.security.cert.X509Certificate certsInP7[] =
-                    pkcs7.getCertificates();
-            if (certsInP7 == null) {
-                cert = manager.importCACertPackage(blah);
-            } else {
-                for (int i = 0; i < certsInP7.length; i++) {
-                    // import P7 one by one
-                    cert = manager.importCACertPackage(certsInP7[i].getEncoded());
+            PKCS7 pkcs7 = new PKCS7(bytes);
+
+            java.security.cert.X509Certificate[] certs = pkcs7.getCertificates();
+
+            if (certs != null) {
+                // import PKCS7 certs one by one
+                for (int i = 0; i < certs.length; i++) {
+                    cert = manager.importCACertPackage(certs[i].getEncoded());
                 }
             }
+
+        } catch (ParsingException e) {
+            // not PKCS7
         }
-        X509Certificate[] certchains =
-                CryptoManager.getInstance().buildCertificateChain(cert);
-        if (certchains != null) {
-            cert = certchains[certchains.length - 1];
+        if (cert == null) {
+            cert = manager.importCACertPackage(bytes);
         }
-        // set trust flags to CT,C,C
-        InternalCertificate icert = (InternalCertificate) cert;
-        icert.setSSLTrust(InternalCertificate.TRUSTED_CA
-                | InternalCertificate.TRUSTED_CLIENT_CA
-                | InternalCertificate.VALID_CA);
-        icert.setEmailTrust(InternalCertificate.TRUSTED_CA
-                | InternalCertificate.VALID_CA);
-        icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
-                | InternalCertificate.VALID_CA);
+        X509Certificate[] certs = manager.buildCertificateChain(cert);
+
X509Certificate rootCert = certs[certs.length - 1];
+
+        trustRootCert(rootCert);
     }
     public static SEQUENCE parseCRMFMsgs(byte cert_request[])
@@ -1820,6 +1812,22 @@ public class CryptoUtil {
         cert.setEmailTrust(flag);
     }
+    public static void trustRootCert(X509Certificate rootCert) {
+
+        // set trust flags to CT,C,C
+        InternalCertificate cert = (InternalCertificate) rootCert;
+
+        cert.setSSLTrust(InternalCertificate.TRUSTED_CA
+                | InternalCertificate.TRUSTED_CLIENT_CA
+                | InternalCertificate.VALID_CA);
+
+        cert.setEmailTrust(InternalCertificate.TRUSTED_CA
+                | InternalCertificate.VALID_CA);
+
+        cert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+                | InternalCertificate.VALID_CA);
+    }
+
     /**
      * To certificate server point of view, SSL trust is
      * what we referring.
-- cgit
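Review bot: `X509Certificate rootCert = certs[certs.length - 1];` drops the `if (certchains != null)` guard that the removed lines had, so a null result from `manager.buildCertificateChain(cert)` now surfaces as a NullPointerException rather than a meaningful error. When the PKCS#7 parses but `pkcs7.getCertificates()` yields an empty array, `cert` stays null and the method falls through to `manager.importCACertPackage(bytes)` on the PKCS#7 bytes, which does not look like the intended handling; an explicit `if (certs == null || certs.length == 0) throw new CertificateException("PKCS#7 bundle contains no certificates");` inside the try would make that case fail clearly. Narrowing the catch to ParsingException is an improvement over the old `catch (Exception e) {}`, but every certificate in the bundle is still imported with importCACertPackage() and the end of the chain built from the last one receives CT,C,C trust, so a Javadoc line stating that callers must only pass a chain they already trust (here it is the security-domain response handled in importCertChain()) would document the contract this method relies on.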
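Review bot: trustRootCert() grants CT,C,C trust to whatever certificate it is handed without checking that it is self-issued, and the unchecked cast `(InternalCertificate) rootCert` throws ClassCastException for any certificate that is not an InternalCertificate even though the parameter is the general X509Certificate type. A guard such as `if (!(rootCert instanceof InternalCertificate)) throw new IllegalArgumentException("Cannot set trust flags on a non-internal certificate: " + rootCert.getSubjectDN());` would turn that into a clear error. The method also has no Javadoc; a short one stating that the argument is expected to be the self-signed root of an already validated chain, and that it is marked trusted for SSL, e-mail and object signing, would make the contract explicit, because both callers in this commit pass the last element of buildCertificateChain() without verifying it is a root.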