From c12209783759a5098ad451c072bc0e28a5c6bd61 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 5 Jul 2017 20:26:54 +0200
Subject: Moved cert management methods into CertUtil.

The following methods have been moved into CertUtil for clarity:
* ConfigurationUtils.findCertificate()
* ConfigurationUtils.findBootstrapServerCert()
* ConfigurationUtils.deleteCert()
* ConfigurationUtils.deleteBootstrapServerCert()

https://pagure.io/dogtagpki/issue/2280

Change-Id: I860cacd3dd34144ce92c674e9ff08cb46ee2194b
---
 .../com/netscape/cms/servlet/csadmin/CertUtil.java | 103 ++++++++++++++++++
 .../cms/servlet/csadmin/ConfigurationUtils.java | 117 +++------------------
 2 files changed, 116 insertions(+), 104 deletions(-)
(limited to 'base')

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 28f4d33ff..5e181be6e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.Principal;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.Properties;
@@ -34,8 +35,12 @@ import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.velocity.context.Context;
 import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoStore;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.pkcs11.PK11Store;
 import org.xml.sax.SAXException;
 
 import com.netscape.certsrv.apps.CMS;
@@ -723,4 +728,102 @@ public class CertUtil {
 return false;
 }
+
+ public static boolean findCertificate(String tokenname, String nickname)
+ throws Exception {
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ String fullnickname = nickname;
+ if (!CryptoUtil.isInternalToken(tokenname)) {
+ fullnickname = tokenname + ":" + nickname;
+ }
+
+ CMS.debug("CertUtil: searching for cert " + fullnickname);
+
+ X509Certificate cert;
+ try {
+ cert = cm.findCertByNickname(fullnickname);
+ } catch (ObjectNotFoundException e) {
+ CMS.debug("CertUtil: cert not found: " + e);
+ return false;
+ }
+
+ if (cert == null) {
+ CMS.debug("CertUtil: cert not found");
+ return false;
+ }
+
+ return true;
+ }
+
+ public static boolean findBootstrapServerCert()
+ throws Exception {
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = cs.getString("preop.cert.sslserver.nickname");
+
+ CMS.debug("CertUtil: searching for cert " + nickname);
+
+ X509Certificate cert;
+ try {
+ cert = cm.findCertByNickname(nickname);
+ } catch (ObjectNotFoundException e) {
+ CMS.debug("CertUtil: cert not found: " + e);
+ return false;
+ }
+
+ Principal issuerDN = cert.getIssuerDN();
+ Principal subjectDN = cert.getSubjectDN();
+
+ if (!issuerDN.equals(subjectDN)) {
+ CMS.debug("CertUtil: cert is not self-signed");
+ return false;
+ }
+
+ return true;
+ }
+
+ public static void deleteCert(String tokenname, String nickname)
+ throws Exception {
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ String fullnickname = nickname;
+ if (!CryptoUtil.isInternalToken(tokenname))
+ fullnickname = tokenname + ":" + nickname;
+
+ CMS.debug("CertUtil: deleting cert " + fullnickname);
+
+ X509Certificate cert;
+ try {
+ cert = cm.findCertByNickname(fullnickname);
+ } catch (ObjectNotFoundException e) {
+ CMS.debug("CertUtil: cert not found: " + e);
+ return;
+ }
+
+ CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname);
+ CryptoStore store = tok.getCryptoStore();
+
+ if (store instanceof PK11Store) {
+ PK11Store pk11store = (PK11Store) store;
+ pk11store.deleteCertOnly(cert);
+ CMS.debug("CertUtil: cert deleted successfully");
+
+ } else {
+ CMS.debug("CertUtil: unsupported crypto store: " + store.getClass().getName());
+ }
+ }
+
+ public static void deleteBootstrapServerCert()
+ throws Exception {
+
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = cs.getString("preop.cert.sslserver.nickname");
+
+ deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname);
+ }
 
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 9b83830a2..03e4915bf 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -3204,7 +3204,7 @@ public class ConfigurationUtils {
 x509key = getECCX509Key(config, certTag);
 }
 
- if (findCertificate(tokenname, nickname)) {
+ if (CertUtil.findCertificate(tokenname, nickname)) {
 if (!certTag.equals("sslserver"))
 return;
 }
@@ -3220,10 +3220,10 @@ public class ConfigurationUtils {
 try {
 CMS.debug("handleCerts(): deleting existing cert");
 
- if (certTag.equals("sslserver") && findBootstrapServerCert())
- deleteBootstrapServerCert();
- if (findCertificate(tokenname, nickname))
- deleteCert(tokenname, nickname);
+ if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
+ CertUtil.deleteBootstrapServerCert();
+ if (CertUtil.findCertificate(tokenname, nickname))
+ CertUtil.deleteCert(tokenname, nickname);
 
 CMS.debug("handleCerts(): importing new cert");
 if (certTag.equals("signing") && subsystem.equals("ca"))
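Review bot: The moved `findCertificate` drops the hardware-token check the ConfigurationUtils version had: when the nickname resolves on an HSM and `preop.CertRequestPanel.done` is unset, the old code threw `IOException("The certificate with the same nickname: ... has been found on HSM. Please remove it before proceeding.")`, while the new version returns true, so the `-3204` hunk's early `return` now silently skips the rest of handleCerts for every non-sslserver tag that already exists on the token. The commit message only describes a move, so either restore that check or record the behaviour change in the description. `deleteCert` also no longer catches `NoSuchItemOnTokenException` around `pk11store.deleteCertOnly(cert)`; in the `-3220` hunk deletion and "importing new cert" share one try block, so that exception now appears to abort the import where it used to be swallowed, which deserves a comment or a narrower catch if intended. Finally, `findBootstrapServerCert` dereferences `cert` straight after `findCertByNickname` without the `cert == null` guard that `findCertificate` applies to the same call; for consistency add `if (cert == null) return false;` before `cert.getIssuerDN()`.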
@@ -3249,10 +3249,10 @@ public class ConfigurationUtils {
 String b64chain = cert.getCertChain();
 
 try {
- if (certTag.equals("sslserver") && findBootstrapServerCert())
- deleteBootstrapServerCert();
- if (findCertificate(tokenname, nickname)) {
- deleteCert(tokenname, nickname);
+ if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
+ CertUtil.deleteBootstrapServerCert();
+ if (CertUtil.findCertificate(tokenname, nickname)) {
+ CertUtil.deleteCert(tokenname, nickname);
 }
 } catch (Exception e) {
 CMS.debug(e);
@@ -3319,10 +3319,10 @@ public class ConfigurationUtils {
 CMS.debug("handleCerts(): deleting existing cert");
 
 try {
- if (certTag.equals("sslserver") && findBootstrapServerCert())
- deleteBootstrapServerCert();
- if (findCertificate(tokenname, nickname)) {
- deleteCert(tokenname, nickname);
+ if (certTag.equals("sslserver") && CertUtil.findBootstrapServerCert())
+ CertUtil.deleteBootstrapServerCert();
+ if (CertUtil.findCertificate(tokenname, nickname)) {
+ CertUtil.deleteCert(tokenname, nickname);
 }
 } catch (Exception e) {
 CMS.debug(e);
@@ -3383,97 +3383,6 @@ public class ConfigurationUtils {
 }
 }
 
- public static boolean findCertificate(String tokenname, String nickname) throws NotInitializedException,
- TokenException, IOException {
- IConfigStore cs = CMS.getConfigStore();
- CryptoManager cm = CryptoManager.getInstance();
-
- String fullnickname = nickname;
- boolean hardware = false;
- if (!CryptoUtil.isInternalToken(tokenname)) {
- hardware = true;
- fullnickname = tokenname + ":" + nickname;
- }
-
- X509Certificate cert = null;
- try {
- cert = cm.findCertByNickname(fullnickname);
- } catch (ObjectNotFoundException e) {
- return false;
- }
-
- if (cert == null)
- return false;
- try {
- @SuppressWarnings("unused")
- boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors
- } catch (Exception e) {
- if (hardware) {
- CMS.debug("ConfigurationUtils: findCertificate: The certificate with the same nickname: "
- + fullnickname + " has been found on HSM. Please remove it before proceeding.");
- throw new IOException("The certificate with the same nickname: "
- + fullnickname + " has been found on HSM. Please remove it before proceeding.", e);
- }
- }
- return true;
- }
-
- public static boolean findBootstrapServerCert() throws EBaseException, NotInitializedException, TokenException {
- IConfigStore cs = CMS.getConfigStore();
-
- String nickname = cs.getString("preop.cert.sslserver.nickname");
-
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate cert;
- try {
- cert = cm.findCertByNickname(nickname);
- } catch (ObjectNotFoundException e) {
- return false;
- }
- Principal issuerDN = cert.getIssuerDN();
- Principal subjectDN = cert.getSubjectDN();
- if (issuerDN.equals(subjectDN))
- return true;
-
- return false;
- }
-
- public static void deleteBootstrapServerCert() throws EBaseException, NotInitializedException,
- NoSuchTokenException, TokenException {
- IConfigStore cs = CMS.getConfigStore();
- String nickname = cs.getString("preop.cert.sslserver.nickname");
- deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname);
- }
-
- public static void deleteCert(String tokenname, String nickname) throws NotInitializedException,
- NoSuchTokenException, TokenException {
-
- CryptoManager cm = CryptoManager.getInstance();
- CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname);
- CryptoStore store = tok.getCryptoStore();
- String fullnickname = nickname;
- if (!CryptoUtil.isInternalToken(tokenname))
- fullnickname = tokenname + ":" + nickname;
-
- CMS.debug("deleteCert: nickname=" + fullnickname);
- X509Certificate cert;
- try {
- cert = cm.findCertByNickname(fullnickname);
- } catch (ObjectNotFoundException e) {
- CMS.debug("deleteCert: cert not found");
- return;
- }
-
- if (store instanceof PK11Store) {
- PK11Store pk11store = (PK11Store) store;
- try {
- pk11store.deleteCertOnly(cert);
- } catch (NoSuchItemOnTokenException e) {
- }
- CMS.debug("deleteCert: cert deleted successfully");
- }
- }
-
 public static void backupKeys(String pwd, String fname) throws Exception {
 CMS.debug("backupKeys(): start");
 
-- cgit