From 81af8ae1230e8447e7cc0d24ea9a9b8dadf6c08d Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Wed, 19 Mar 2014 14:31:12 -0700
Subject: Sign CA clone sslserver certificate using CA master.

* Dogtag TRAC Ticket #816 - pki-tomcat cannot be started after installation of
                            ipa replica with ca
---
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 66 +++++++++++++++++++++-
 1 file changed, 64 insertions(+), 2 deletions(-)

(limited to 'base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java')

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 3019716db..5da4dddfe 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2222,6 +2222,45 @@ public class ConfigurationUtils {
         String certTag = certObj.getCertTag();
 
         try {
+            String selection = config.getString("preop.subsystem.select");
+            String csType = config.getString("cs.type");
+            String preop_ca_type = null;
+            String preop_cert_signing_type = null;
+            String preop_cert_signing_profile = null;
+            String preop_cert_sslserver_type = null;
+            String preop_cert_sslserver_profile = null;
+            String original_caType = null;
+            boolean sign_clone_sslserver_cert_using_master = false;
+
+            if (selection.equals("clone") && csType.equals("CA") && certTag.equals("sslserver")) {
+                // retrieve and store original 'CS.cfg' entries
+                preop_ca_type = config.getString("preop.ca.type", "");
+                preop_cert_signing_type = config.getString("preop.cert.signing.type", "");
+                preop_cert_signing_profile = config.getString("preop.cert.signing.profile","");
+                preop_cert_sslserver_type = config.getString("preop.cert.sslserver.type", "");
+                preop_cert_sslserver_profile = config.getString("preop.cert.sslserver.profile","");
+
+                // add/modify 'CS.cfg' entries
+                config.putString("preop.ca.type", "sdca");
+                config.putString("preop.cert.signing.type", "remote");
+                config.putString("preop.cert.signing.profile","caInstallCACert");
+                config.putString("preop.cert.sslserver.type", "remote");
+                config.putString("preop.cert.sslserver.profile","caInternalAuthServerCert");
+
+                // store original caType
+                original_caType = caType;
+
+                // modify caType
+                certObj.setType("remote");
+
+                // fetch revised caType
+                caType = certObj.getType();
+                CMS.debug("configCert: caType is " + caType + " (revised)");
+
+                // set master/clone signature flag
+                sign_clone_sslserver_cert_using_master = true;
+            }
+
             updateConfig(config, certTag);
             if (caType.equals("remote")) {
                 String v = config.getString("preop.ca.type", "");
@@ -2266,8 +2305,16 @@ public class ConfigurationUtils {
                     String ca_hostname = "";
                     int ca_port = -1;
                     try {
-                        ca_hostname = config.getString("preop.ca.hostname", "");
-                        ca_port = config.getInteger("preop.ca.httpsport", -1);
+                        if (sign_clone_sslserver_cert_using_master) {
+                            CMS.debug("NamePanel: For this Cloned CA, always use its Master CA to generate " +
+                                      "the 'sslserver' certificate to avoid any changes which may have been " +
+                                      "made to the X500Name directory string encoding order.");
+                            ca_hostname = config.getString("preop.master.hostname", "");
+                            ca_port = config.getInteger("preop.master.httpsport", -1);
+                        } else {
+                            ca_hostname = config.getString("preop.ca.hostname", "");
+                            ca_port = config.getInteger("preop.ca.httpsport", -1);
+                        }
                     } catch (Exception ee) {
                     }
 
@@ -2281,6 +2328,21 @@ public class ConfigurationUtils {
                     if (cert == null) {
                         throw new IOException("Error: remote certificate is null");
                     }
+
+                    if (sign_clone_sslserver_cert_using_master) {
+                        // restore original 'CS.cfg' entries
+                        config.putString("preop.ca.type", preop_ca_type);
+                        config.putString("preop.cert.signing.type", preop_cert_signing_type);
+                        config.putString("preop.cert.signing.profile", preop_cert_signing_profile);
+                        config.putString("preop.cert.sslserver.type", preop_cert_sslserver_type);
+                        config.putString("preop.cert.sslserver.profile", preop_cert_sslserver_profile);
+
+                        // restore original 'caType'
+                        caType = original_caType;
+
+                        // reset master/clone signature flag
+                        sign_clone_sslserver_cert_using_master = false;
+                    }
                 } else if (v.equals("otherca")) {
                     config.putString(subsystem + "." + certTag + ".cert",
                             "...paste certificate here...");
-- 
cgit