author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-07-27 19:03:40 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-07-27 19:03:40 +0000 |
commit | 2eb3243de06f1589991da47bfde6271e0d80abe6 (patch) | |
tree | 8168ed24525ffd35989d54bd6dd81471d5df0b08 /pki/base/common/src/com/netscape/cms/servlet/csadmin | |
parent | 9f8b12b0400f654f8b3f10ddbd731735c1d45607 (diff) | |
download | pki-2eb3243de06f1589991da47bfde6271e0d80abe6.tar.gz pki-2eb3243de06f1589991da47bfde6271e0d80abe6.tar.xz pki-2eb3243de06f1589991da47bfde6271e0d80abe6.zip |
merge 8.1 -> tip, multiple bugs (base)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1134 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/csadmin')
7 files changed, 204 insertions, 63 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java index d94bb4c1..129bc0bf 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java @@ -221,6 +221,9 @@ public class AdminAuthenticatePanel extends WizardPanelBase { c1.append(".keytype,"); c1.append("cloning."); c1.append(t1); + c1.append(".keyalgorithm,"); + c1.append("cloning."); + c1.append(t1); c1.append(".privkey.id,"); c1.append("cloning."); c1.append(t1); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java index 8cedeb24..0e1c20d2 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java @@ -312,6 +312,8 @@ public class CertRequestPanel extends WizardPanelBase { // get public key String pubKeyType = config.getString( PCERT_PREFIX + certTag + ".keytype"); + String algorithm = config.getString( + PCERT_PREFIX + certTag + ".keyalgorithm"); X509Key pubk = null; if (pubKeyType.equals("rsa")) { pubk = getRSAX509Key(config, certTag); @@ -350,7 +352,7 @@ public class CertRequestPanel extends WizardPanelBase { cert.setDN(caDN); PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, - privk); + privk, algorithm); CMS.debug("CertRequestPanel: created cert request"); byte[] certReqb = certReq.toByteArray(); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 258c36b6..59231208 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 
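Review bot: The cloning key list that gains `.keyalgorithm` here is hand-built as a comma string, and the same list is appended again in the RestoreKeyCertPanel hunk and written key by key in the DonePanel @@ -565 hunk, so three copies now have to be touched whenever a per-certificate property is added. A single shared array of per-certificate suffixes (`keytype`, `keyalgorithm`, `privkey.id`, ...) that all three places iterate would keep them in step. The StringBuffer this hunk appends to is created outside the hunk.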
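Review bot: In the CertRequestPanel @@ -312 hunk `config.getString(PCERT_PREFIX + certTag + ".keyalgorithm")` is read with no default and no check, so on a clone whose master predates this property the value would most likely arrive as the empty string that DonePanel's `cloning.*.keyalgorithm` default supplies, and that empty string goes straight into `createCertificationRequest`; the CertUtil @@ -128 hunk has the same pattern. Before the RSA/EC branch, fall back to a type-appropriate default, e.g. `if (algorithm == null || algorithm.length() == 0) algorithm = pubKeyType.equals("rsa") ? "SHA256withRSA" : "SHA256withEC";`, mirroring the defaults SizePanel uses elsewhere in this commit. Whether `createCertificationRequest` rejects an empty or key-type-mismatched algorithm name is not visible here, and the enclosing method continues outside the hunk.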
@@ -128,6 +128,8 @@ public class CertUtil { try { String pubKeyType = config.getString( prefix + certTag + ".keytype"); + String algorithm = config.getString( + prefix + certTag + ".keyalgorithm"); if (pubKeyType.equals("rsa")) { String pubKeyModulus = config.getString( prefix + certTag + ".pubkey.modulus"); @@ -170,7 +172,7 @@ public class CertUtil { PKCS10 certReq = null; certReq = CryptoUtil.createCertificationRequest(dn, pubk, - privk); + privk, algorithm); byte[] certReqb = certReq.toByteArray(); String certReqs = CryptoUtil.base64Encode(certReqb); 
@@ -250,7 +252,53 @@ public class CertUtil { CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString()); } } - + +/** + * reads from the admin cert profile caAdminCert.profile and takes the first + * entry in the list of allowed algorithms. Users that wish a different algorithm + * can specify it in the profile using default.params.signingAlg + */ + + public static String getAdminProfileAlgorithm(IConfigStore config) { + String algorithm = "SHA1withRSA"; + try { + String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa"); + String pfile = config.getString("profile.caAdminCert.config"); + FileInputStream fis = new FileInputStream(pfile); + DataInputStream in = new DataInputStream(fis); + BufferedReader br = new BufferedReader(new InputStreamReader(in)); + + String strLine; + while ((strLine = br.readLine()) != null) { + String marker2 = "default.params.signingAlg="; + int indx = strLine.indexOf(marker2); + if (indx != -1) { + String alg = strLine.substring(indx + marker2.length()); + if ((alg.length() > 0) && (!alg.equals("-"))) { + algorithm = alg; + break; + }; + }; + + String marker = "signingAlgsAllowed="; + indx = strLine.indexOf(marker); + if (indx != -1) { + String[] algs = strLine.substring(indx + marker.length()).split(","); + for (int i=0; i<algs.length; i++) { + if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) || + (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC" ) != -1)) ) { + algorithm = algs[i]; + break; + } + } + } + } + in.close(); + } catch (Exception e) { + CMS.debug("getAdminProfleAlgorithm: exception: " + e); + } + return algorithm; + } public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key, String prefix, String certTag, String type, Context context) throws IOException { 
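Review bot: In `getAdminProfileAlgorithm` the profile reader is closed only on the normal path (`in.close()` at the end of the try), so any exception thrown while reading leaves the FileInputStream open, and the catch-all then returns the hard-coded `"SHA1withRSA"` even when `caSigningKeyType` is `ecc`, handing an RSA algorithm name to an EC signing key. Moving the close into a `finally`, deriving the fallback from the key type and dropping the redundant DataInputStream is sketched below; the marker-scanning loop is unchanged. The value found under `default.params.signingAlg=` is likewise accepted without checking it against the key type, so a profile naming an RSA algorithm on an ECC CA would be used as-is, which probably deserves the same check. Two smaller nits: the debug message spells the method `getAdminProfleAlgorithm`, and the `};` after the two inner `if` blocks are stray semicolons.
```java
    public static String getAdminProfileAlgorithm(IConfigStore config) {
        String caSigningKeyType = "rsa";
        try {
            caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa");
        } catch (Exception e) {
            CMS.debug("getAdminProfileAlgorithm: cannot read signing keytype: " + e);
        }
        // fallback follows the CA key type instead of always assuming RSA
        String algorithm = caSigningKeyType.equals("ecc") ? "SHA256withEC" : "SHA256withRSA";
        BufferedReader br = null;
        try {
            String pfile = config.getString("profile.caAdminCert.config");
            br = new BufferedReader(new InputStreamReader(new FileInputStream(pfile), "UTF-8"));
            String strLine;
            while ((strLine = br.readLine()) != null) {
                // … unchanged: default.params.signingAlg / signingAlgsAllowed marker scan …
            }
        } catch (Exception e) {
            CMS.debug("getAdminProfileAlgorithm: exception: " + e);
        } finally {
            if (br != null) {
                try {
                    br.close();
                } catch (IOException ignored) {
                    // stream is being discarded; nothing useful to recover
                }
            }
        }
        return algorithm;
    }
```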
@@ -272,10 +320,16 @@ public class CertUtil { try { String dn = config.getString(prefix + certTag + ".dn"); + String keyAlgorithm = null; Date date = new Date(); X509CertInfo info = null; + if (certTag.equals("admin")) { + keyAlgorithm = getAdminProfileAlgorithm(config); + } else { + keyAlgorithm = config.getString(prefix + certTag + ".keyalgorithm"); + } ca = (ICertificateAuthority) CMS.getSubsystem( ICertificateAuthority.ID); cr = (ICertificateRepository) ca.getCertificateRepository(); @@ -284,14 +338,14 @@ public class CertUtil { CMS.debug("Creating local certificate... issuerdn=" + dn); CMS.debug("Creating local certificate... dn=" + dn); info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), dn, dn, date, - date); + date, keyAlgorithm); } else { String issuerdn = config.getString("preop.cert.signing.dn", ""); CMS.debug("Creating local certificate... issuerdn=" + issuerdn); CMS.debug("Creating local certificate... dn=" + dn); info = CryptoUtil.createX509CertInfo(x509key, - serialNo.intValue(), issuerdn, dn, date, date); + serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm); } CMS.debug("Cert Template: " + info.toString()); @@ -352,13 +406,13 @@ public class CertUtil { String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa"); CMS.debug("CA Signing Key type " + caSigningKeyType); + if (caSigningKeyType.equals("ecc")) { CMS.debug("Signing ECC certificate"); - cert = CryptoUtil.signECCCert(caPrik, info); + cert = CryptoUtil.signECCCert(caPrik, info, keyAlgorithm); } else { CMS.debug("Signing RSA certificate"); - cert = CryptoUtil.signCert(caPrik, info, - SignatureAlgorithm.RSASignatureWithSHA1Digest); + cert = CryptoUtil.signCert(caPrik, info, keyAlgorithm); } if (cert != null) { diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index ae9acf9f..84361682 100644 
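Review bot: `keyAlgorithm` replaces the hard-coded `SignatureAlgorithm.RSASignatureWithSHA1Digest` in the `signCert`/`signECCCert` calls of the @@ -352 hunk, but nothing between the read at the top of `createLocalCert` and those calls checks that the string is non-empty or fits `caSigningKeyType`, so a stale or empty `preop.cert.<tag>.keyalgorithm` reaches the signer unchecked. A guard just before `if (caSigningKeyType.equals("ecc"))` would give the old behaviour a floor: `if (keyAlgorithm == null || keyAlgorithm.length() == 0) keyAlgorithm = caSigningKeyType.equals("ecc") ? "SHA256withEC" : "SHA256withRSA";`. `String keyAlgorithm = null;` can also drop the explicit null, since both branches of the following if assign it. `createLocalCert` starts and ends outside these hunks.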
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -435,48 +435,7 @@ public class DonePanel extends WizardPanelBase { context.put("errorString", "Failed to update connector information."); return; } - - // retrieve CA subsystem certificate from the CA - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - String id = ""; - try { - String b64 = getCASubsystemCert(); - if (b64 != null) { - int num = cs.getInteger("preop.subsystem.count", 0); - id = getCAUserId(); - num++; - cs.putInteger("preop.subsystem.count", num); - cs.putInteger("subsystem.count", num); - IUser user = system.createUser(id); - user.setFullName(id); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel display: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel display: successfully add the user certificate"); - cs.commit(false); - } - } catch (Exception e) { - } - - try { - String groupName = "Trusted Managers"; - IGroup group = system.getGroupFromName(groupName); - if (!group.isMember(id)) { - group.addMemberName(id); - system.modifyGroup(group); - CMS.debug("DonePanel display: successfully added the user to the group."); - } - } catch (Exception e) { - } + setupClientAuthUser(); } // if KRA // import the CA certificate into the OCSP @@ -494,6 +453,8 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { CMS.debug("DonePanel display: Failed to update OCSP information in CA."); } + + setupClientAuthUser(); } if (!select.equals("clone")) { 
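Review bot: The two new `setupClientAuthUser()` calls are not guarded the same way: the KRA branch in the @@ -435 hunk returns before it when the connector update fails, while the OCSP branch in the @@ -494 hunk calls it right after `CMS.debug("DonePanel display: Failed to update OCSP information in CA.")`, so the subsystem user is still created when the OCSP configuration update did not go through. If that is intended, a short comment on the OCSP call (`// create the client-auth user even if the CA-side update failed; it is retried later`) would save the next reader the question; if not, an early `return` like the KRA branch would make the two paths consistent. The surrounding display logic starts outside the hunk.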
@@ -565,6 +526,7 @@ public class DonePanel extends WizardPanelBase {
 cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", ""));
 cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", ""));
 cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", ""));
+ cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", ""));
 cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", ""));
 cs.putString("cloning." + ss + ".pubkey.exponent", cs.getString("preop.cert." + ss + ".pubkey.exponent", ""));
 cs.putString("cloning." + ss + ".pubkey.modulus", cs.getString("preop.cert." + ss + ".pubkey.modulus", ""));
@@ -613,6 +575,54 @@ public class DonePanel extends WizardPanelBase { context.put("csstate", "1"); } + private void setupClientAuthUser() + { + IConfigStore cs = CMS.getConfigStore(); + + // retrieve CA subsystem certificate from the CA + IUGSubsystem system = + (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + String id = ""; + try { + String b64 = getCASubsystemCert(); + if (b64 != null) { + int num = cs.getInteger("preop.subsystem.count", 0); + id = getCAUserId(); + num++; + cs.putInteger("preop.subsystem.count", num); + cs.putInteger("subsystem.count", num); + IUser user = system.createUser(id); + user.setFullName(id); + user.setEmail(""); + user.setPassword(""); + user.setUserType("agentType"); + user.setState("1"); + user.setPhone(""); + X509CertImpl[] certs = new X509CertImpl[1]; + certs[0] = new X509CertImpl(CMS.AtoB(b64)); + user.setX509Certificates(certs); + system.addUser(user); + CMS.debug("DonePanel display: successfully add the user"); + system.addUserCert(user); + CMS.debug("DonePanel display: successfully add the user certificate"); + cs.commit(false); + } + } catch (Exception e) { + } + + try { + String groupName = "Trusted Managers"; + IGroup group = system.getGroupFromName(groupName); + if (!group.isMember(id)) { + group.addMemberName(id); + system.modifyGroup(group); + CMS.debug("DonePanel display: successfully added the user to the group."); + } + } catch (Exception e) { + } + } + + private void updateOCSPConfig(HttpServletResponse response) throws IOException { IConfigStore config = CMS.getConfigStore(); 
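Review bot: `setupClientAuthUser` swallows every failure with two empty `catch (Exception e) {}` blocks and then carries on: if `getCASubsystemCert`, `createUser` or `addUser` throws, `id` may still be `""` or name a user that was never added, yet the second try adds that name to `Trusted Managers`, and the `preop.subsystem.count`/`subsystem.count` values already bumped via `cs.putInteger` are left behind in the config store. At minimum log both exceptions (`CMS.debug("DonePanel setupClientAuthUser: " + e);`) and bail out before the group step when no user was created (`if (id.length() == 0) return;`), and consider moving the two `putInteger` calls after `system.addUser(user)` succeeds. `user.setPassword("")` is carried over from the old inline code; it is worth confirming that an empty password cannot be used to authenticate as this agent-type account, since it is meant to be certificate-only.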
@@ -629,8 +639,9 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { } - String ocsphost = CMS.getEESSLHost(); - int ocspport = Integer.parseInt(CMS.getEESSLPort()); + String ocsphost = CMS.getAgentHost(); + int ocspport = Integer.parseInt(CMS.getAgentPort()); + int ocspagentport = Integer.parseInt(CMS.getAgentPort()); String session_id = CMS.getConfigSDSessionId(); String content = "xmlOutput=true&sessionID="+session_id+"&ocsp_host="+ocsphost+"&ocsp_port="+ocspport; diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 167d9b81..475ac46d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java @@ -391,6 +391,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase { c1.append(".keytype,"); c1.append("cloning."); c1.append(t1); + c1.append(".keyalgorithm,"); + c1.append("cloning."); + c1.append(t1); c1.append(".privkey.id,"); c1.append("cloning."); c1.append(t1); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java index 032724eb..39cc2c21 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java 
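Review bot: `int ocspagentport = Integer.parseInt(CMS.getAgentPort());` in the DonePanel @@ -629 hunk duplicates the `ocspport` assignment on the line above and is not referenced by the `content` string that follows, so it looks like a leftover from switching the OCSP publishing target from the EE port to the agent port. Dropping it, or using it in place of the second `ocspport` if the two were meant to differ, would clear the unused local. `updateOCSPConfig` continues outside the hunk, so a later use is possible but not visible here.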
@@ -130,6 +130,29 @@ public class SizePanel extends WizardPanelBase { } context.put("select", select); + + String ecclist = ""; + try { + ecclist = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC"); + } catch (Exception e) { + } + context.put("ecclist", ecclist); + + String rsalist = ""; + try { + rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA"); + } catch (Exception e) { + } + + context.put("rsalist", rsalist); + + String subsystemType = ""; + try { + subsystemType = config.getString("pkicreate.subsystem_type"); + } catch (Exception e) { + } + context.put("subsystemtype", subsystemType); + try { // same token for now String token = config.getString(PRE_CONF_CA_TOKEN); @@ -229,6 +252,15 @@ public class SizePanel extends WizardPanelBase { continue; String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc + String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm"); + + if (keyalgorithm == null) { + if (keytype != null && keytype.equals("ecc")) { + keyalgorithm = "SHA256withEC"; + } else { + keyalgorithm = "SHA256withRSA"; + } + } String select = HttpInput.getID(request, ct + "_choice"); @@ -243,6 +275,8 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX+ct+".keysize.size", ""); String oldkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String oldkeyalgorithm = + config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); if (select.equals("default")) { // XXXrenaming these...keep for now just in case @@ -258,6 +292,7 @@ public class SizePanel extends WizardPanelBase { } config.putString(PCERT_PREFIX + ct + ".keytype", keytype); + config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { 
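Review bot: The fallback value for `preop.rsa.algorithm.list` includes `MD5withRSA` and `MD2withRSA`, and this list is what the panel offers as the CA/CRL/OCSP signing algorithm, so a fresh install presents collision-broken digests as valid choices for issuing certificates. Trimming the default to `"SHA256withRSA,SHA1withRSA,SHA512withRSA"` keeps the choice list to algorithms suitable for CA signatures; a site that really needs the old ones can still set the config key explicitly. The three `catch (Exception e) {}` blocks in this hunk also hide config read errors silently; a `CMS.debug` in each would help when a list comes out empty.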
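Review bot: In the @@ -229 hunk `keyalgorithm` comes straight from the request (`HttpInput.getString(request, ct + "_keyalgorithm")`) and is stored under `preop.cert.<tag>.keyalgorithm` in the @@ -258 hunk without being checked against the configured algorithm list or against `keytype`, so a submitted value can be any string, including an RSA algorithm for an ECC key, and later becomes `ca.signing.defaultSigningAlgorithm`. Validate it against the `preop.ecc.algorithm.list`/`preop.rsa.algorithm.list` value for the chosen key type before the config writes, e.g. `if (!Arrays.asList(allowed.split(",")).contains(keyalgorithm)) { context.put("errorString", "Invalid key algorithm"); return; }` where `allowed` is the list re-read for `keytype`. Whether `HttpInput.getString` already restricts the characters is not visible here, and the surrounding loop starts and ends outside the hunk.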
@@ -282,6 +317,7 @@ public class SizePanel extends WizardPanelBase { HttpInput.getKeySize(request, ct + "_custom_size", keytype)); config.putString(PCERT_PREFIX + ct + ".keytype", keytype); + config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "custom"); config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", @@ -297,8 +333,11 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX+ct+".keysize.size", ""); String newkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String newkeyalgorithm = + config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); if (!oldkeysize.equals(newkeysize) || - !oldkeytype.equals(newkeytype)) + !oldkeytype.equals(newkeytype) || + !oldkeyalgorithm.equals(newkeyalgorithm)) hasChanged = true; }// while @@ -342,9 +381,10 @@ public class SizePanel extends WizardPanelBase { try { String keytype = config.getString(PCERT_PREFIX + ct + ".keytype"); + String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); int keysize = config.getInteger( PCERT_PREFIX + ct + ".keysize.size"); - + if (keytype.equals("rsa")) { createRSAKeyPair(token, keysize, config, ct); @@ -442,6 +482,12 @@ public class SizePanel extends WizardPanelBase { config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); + String keyAlgo = ""; + try { + keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + } catch (Exception e1) { + } + // set default signing algorithm for CA String systemType = ""; try { 
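Review bot: `String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");` in the @@ -342 hunk is read but nothing visible in the hunk uses it (`createRSAKeyPair(token, keysize, config, ct)` takes the config store, not the string), and unlike the other reads in this commit it has no default, so a missing property now throws here where it did not before. If the value is consumed further down the method (the body continues outside the hunk) this is fine; otherwise the line should go, or the read should carry a default like the `oldkeyalgorithm` read in the @@ -243 hunk.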
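Review bot: In the @@ -442 hunk `keyAlgo` starts as `""` and a failing `config.getString(PCERT_PREFIX + ct + ".keyalgorithm")` is swallowed by `catch (Exception e1) {}`, yet the @@ -452 and @@ -498 hunks then write that value into `ca.signing.defaultSigningAlgorithm`, `ca.crl.MasterCRL.signingAlgorithm`, `ca.ocsp_signing.defaultSigningAlgorithm` and `ocsp.signing.defaultSigningAlgorithm`, where the code used to hard-code `SHA1withEC`/`SHA1withRSA`; an empty signing-algorithm setting is far harder to diagnose than the exception it hides. After the try, fall back to the type-appropriate default this commit already uses in SizePanel's request handling, `if (keyAlgo.length() == 0) keyAlgo = "SHA256withEC";` in the ECC block and `"SHA256withRSA"` in the RSA block, and log `e1` instead of dropping it. The same applies to the second `keyAlgo` read in the @@ -498 hunk.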
@@ -452,20 +498,20 @@ public class SizePanel extends WizardPanelBase { if (systemType.equals("OCSP")) { if (ct.equals("signing")) { config.putString("ocsp.signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); } } if (systemType.equals("CA")) { if (ct.equals("signing")) { config.putString("ca.signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); config.putString("ca.crl.MasterCRL.signingAlgorithm", - "SHA1withEC"); + keyAlgo); } if (ct.equals("ocsp_signing")) { config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); } } @@ -498,15 +544,21 @@ public class SizePanel extends WizardPanelBase { config.putString(PCERT_PREFIX + ct + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); + String keyAlgo = ""; + try { + keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + } catch (Exception e1) { + } + if (ct.equals("signing")) { config.putString("ca.signing.defaultSigningAlgorithm", - "SHA1withRSA"); + keyAlgo); config.putString("ca.crl.MasterCRL.signingAlgorithm", - "SHA1withRSA"); + keyAlgo); } if (ct.equals("ocsp_signing")) { config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - "SHA1withRSA"); + keyAlgo); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java index f105ea95..b2b8b5d2 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java 
@@ -99,18 +99,34 @@ public class UpdateOCSPConfig extends CMSServlet { return; } + IConfigStore cs = CMS.getConfigStore(); + String nickname = ""; + + // get nickname + try { + nickname = cs.getString("ca.subsystem.nickname", ""); + String tokenname = cs.getString("ca.subsystem.tokenname", ""); + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) + nickname = tokenname+":"+nickname; + } catch (Exception e) { + } + + CMS.debug("UpdateOCSPConfig process: nickname="+nickname); + String ocsphost = httpReq.getParameter("ocsp_host"); String ocspport = httpReq.getParameter("ocsp_port"); try { - IConfigStore cs = CMS.getConfigStore(); cs.putString("ca.publish.enable", "true"); cs.putString("ca.publish.publisher.instance.OCSPPublisher.host", ocsphost); cs.putString("ca.publish.publisher.instance.OCSPPublisher.port", ocspport); + cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName", + nickname); cs.putString("ca.publish.publisher.instance.OCSPPublisher.path", - "/ocsp/ee/ocsp/addCRL"); + "/ocsp/agent/ocsp/addCRL"); cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher"); + cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true"); cs.putString("ca.publish.rule.instance.ocsprule.enable", "true"); cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap"); cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule"); |
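Review bot: If either `cs.getString` in the new nickname block throws, the empty `catch (Exception e) {}` leaves `nickname` as `""`, and the code still writes `OCSPPublisher.nickName` as empty while switching `enableClientAuth` to `"true"` and the path to the agent URL, so the publisher is configured for client authentication with no certificate to present and the failure only surfaces later at publish time. Log the exception and treat an empty nickname as an error before the config writes, e.g. `if (nickname.length() == 0) { CMS.debug("UpdateOCSPConfig process: no subsystem cert nickname"); return; }`, returning through the same error path as the `return;` at the top of the hunk. `ocsp_host`/`ocsp_port` are still taken from the request without validation, but that predates this change. The enclosing method (apparently `process`) continues outside the hunk.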