From cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 13 May 2016 09:00:44 +1000 Subject: Lightweight CAs: add method to renew certificate Add the CertificateAuthority.renewAuthority() method that creates and processes a renewal request for the lightweight CA's signing cert. The new certificate replaces the old certificate in the NSSDB and the serial number is stored in the 'authoritySerial' attribute. Clones observe when the 'authoritySerial' attribute has changed and update the certificate in their NSSDB, too. The renewal behaviour is available in the REST API as a POST to /ca/rest/authorities//renew. Fixes: https://fedorahosted.org/pki/ticket/2327 --- .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'base/server/cms/src/com') diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java index 8efa9162a..206d23a5d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java @@ -19,6 +19,7 @@ package com.netscape.cms.servlet.cert; import java.math.BigInteger; import java.security.cert.X509Certificate; +import java.security.Principal; import java.util.ArrayList; import java.util.Date; import java.util.Enumeration; @@ -51,6 +52,7 @@ import com.netscape.certsrv.registry.IPluginInfo; import com.netscape.certsrv.registry.IPluginRegistry; import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.input.SerialNumRenewInput; +import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.profile.SSLClientCertProvider; @@ -265,7 +267,12 @@ public class RenewalProcessor extends CertProcessor { context.put("origSubjectDN", origSubjectDN); // before creating the request, authenticate the request - IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials); + IAuthToken authToken = null; + Principal principal = request.getUserPrincipal(); + if (principal instanceof PKIPrincipal) + authToken = ((PKIPrincipal) principal).getAuthToken(); + if (authToken == null) + authToken = authenticate(request, origReq, authenticator, context, true, credentials); // authentication success, now authorize authorize(profileId, renewProfile, authToken); -- cgit