From 0bf9c6bc326de463f7ec35efb0ae448419ec579a Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 22 May 2015 18:15:31 -0600
Subject: disable backup keys and share master keys when using an HSM - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
---
 .../src/org/dogtagpki/server/rest/SystemConfigService.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'base/server/cms/src/org')
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index c341d14f7..3e7ea5b75 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -1116,6 +1116,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 if (data.getP12Password() == null) {
 throw new BadRequestException("P12 password not provided");
 }
+ } else {
+ if (data.getP12File() != null) {
+ throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
+ }
+
+ if (data.getP12Password() != null) {
+ throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
+ }
 }
 } else {
 data.setClone("false");
@@ -1177,6 +1185,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 }
 if ((data.getBackupKeys() != null) && data.getBackupKeys().equals("true")) {
+ if (! data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) {
+ throw new BadRequestException("HSMs cannot publish private keys to PKCS #12 files");
+ }
+
 if ((data.getBackupFile() == null) || (data.getBackupFile().length()<=0)) {
 //TODO: also check for valid path, perhaps by touching file there
 throw new BadRequestException("Invalid key backup file name");
-- cgit
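Review bot: The added `else` branch in the first hunk carries no comment naming the condition it negates, and its matching `if` opens above the hunk, so a reader has to infer from the exception text that this is the HSM-token clone case. A one-line comment at the top of the branch would pin that down: `// Token is an HSM: the clone reuses the master's keys on the HSM, so no PKCS #12 file or password is accepted`. The `!= null` tests also reject an empty string; if any client submits blank P12 fields by default, that presumably now yields a 400 and is worth confirming.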
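Review bot: `data.getToken()` is dereferenced in the second hunk's added guard without a null check, so unless the token is defaulted earlier in this method (not visible in the hunk), a request with `backupKeys` set to `true` and no token ends in a NullPointerException instead of a BadRequestException. Putting the constant first avoids that: `if (!ConfigurationRequest.TOKEN_DEFAULT.equals(data.getToken())) {`. A missing token is then treated as non-default and the backup is refused, which is the fail-closed choice. The guard is request validation only, so the code path that actually writes the PKCS #12 backup should presumably refuse non-internal tokens as well. The method body starts and ends outside the hunk.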