From ce50ced9c842f6232bf136ba77233f05e95c80b7 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Wed, 17 Jun 2015 18:36:20 -0600
Subject: Fix for HSM cloning issue
---
 .../cms/servlet/csadmin/ConfigurationUtils.java | 39 ++++++++++++++++++++++
 .../dogtagpki/server/rest/SystemConfigService.java | 8 +++++
 2 files changed, 47 insertions(+)
(limited to 'base/server/cms/src')
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 5bad42d8e..ce9e3bf49 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1155,6 +1155,45 @@ public class ConfigurationUtils {
             }
         }
 
+    /* We need to import the audit signing cert and CA signing cert to the soft token in order to
+     * correctly set the trust permissions.
+     */
+    public static void importAndSetCertPermissionsFromHSM() throws EBaseException, NotInitializedException,
+            IOException, CertificateEncodingException, NicknameConflictException, UserCertConflictException,
+            NoSuchItemOnTokenException, TokenException {
+
+        CryptoManager cm = CryptoManager.getInstance();
+        IConfigStore cs = CMS.getConfigStore();
+
+        // nickname has no token prepended to it, so no need to strip
+        String nickname = cs.getString("preop.master.audit_signing.nickname");
+        String cstype = cs.getString("cs.type", "");
+        cstype = cstype.toLowerCase();
+
+        //audit signing cert
+        String certStr = cs.getString(cstype + ".audit_signing.cert");
+        byte[] cert = CryptoUtil.base64Decode(certStr);
+        X509Certificate xcert = cm.importUserCACertPackage(cert, nickname);
+
+        InternalCertificate icert = (InternalCertificate) xcert;
+        icert.setObjectSigningTrust(InternalCertificate.USER
+                | InternalCertificate.VALID_PEER
+                | InternalCertificate.TRUSTED_PEER);
+
+        // ca signing cert
+        if (cstype.equals("ca")) {
+            // nickname has no token prepended to it, so no need to strip
+            nickname = cs.getString("preop.master.signing.nickname");
+            certStr = cs.getString(cstype + ".signing.cert");
+            cert = CryptoUtil.base64Decode(certStr);
+            xcert = cm.importUserCACertPackage(cert, nickname);
+            icert = (InternalCertificate) xcert;
+            icert.setSSLTrust(InternalCertificate.TRUSTED_CA
+                    | InternalCertificate.TRUSTED_CLIENT_CA
+                    | InternalCertificate.VALID_CA);
+        }
+    }
+
     private static boolean importRequired(ArrayList masterList, String nickname) {
         if (masterList.contains(nickname))
             return true;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 3e7ea5b75..2de087bad 100644
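Review bot: The cast `(InternalCertificate) xcert` after each `importUserCACertPackage` call is unchecked, so a certificate that does not come back as an internal-token object fails with a ClassCastException instead of one of the method's declared exceptions; guarding it with `if (!(xcert instanceof InternalCertificate)) throw new EBaseException("Certificate " + nickname + " was not imported to the internal token");` keeps the failure on the declared path, and the same applies in the CA branch below. The header is a plain `/* */` comment on a public static method; I would make it Javadoc stating that it reads `preop.master.audit_signing.nickname` / `preop.master.signing.nickname` and `<cs.type>.audit_signing.cert` / `<cs.type>.signing.cert` from the config store, that the signing cert is only handled when `cs.type` is `ca`, and listing the trust flags applied to each cert, since those flags decide what the clone trusts. The two branches repeat the same decode/import/cast sequence and could share a private helper that takes the nickname key, the cert key and the trust setter. Note that `cstype` defaults to `""` when `cs.type` is absent, which turns the lookup key into `.audit_signing.cert`; that presumably fails as a missing property, but a short comment would make the intent clear.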
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -852,6 +852,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 CMS.debug(e);
                 throw new PKIException("Failed to restore certificates from p12 file" + e);
             }
+        } else {
+            CMS.debug("SystemConfigService.getCloningData(): set permissions for certs stored in hardware");
+            try {
+                ConfigurationUtils.importAndSetCertPermissionsFromHSM();
+            } catch (Exception e) {
+                CMS.debug(e);
+                throw new PKIException("Failed to import certs from HSM and set permissions:" + e);
+            }
         }
 
         CMS.debug("SystemConfigService.getCloningData(): verify certs");
-- cgit
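Review bot: The new catch block folds `e` into the PKIException message by string concatenation and does not pass it as the cause, so the original exception type and stack trace survive only in the preceding `CMS.debug(e)` call; if PKIException offers a cause-taking constructor, `throw new PKIException("Failed to import certs from HSM and set permissions: " + e.getMessage(), e);` would preserve it (the p12 branch just above uses the same pattern, so changing both together would be the consistent fix). The message as written also lacks a space after the colon. The `if`/`else` condition that selects this HSM path and the enclosing `getCloningData()` method both begin outside the hunk, so I cannot confirm from here which configuration routes a clone through it; a one-line comment on the `else` naming that condition would help the next reader.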