From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 31 Aug 2016 16:15:19 +0200
Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.
To help troubleshooting the debug log in UpdateNumberRange servlet
has been modified to show the exception stack trace.
https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9)
(cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)
---
.../cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
|
|
|
981330 |
index b99a298..e068bd4 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
|
|
|
981330 |
@@ -247,7 +247,8 @@ public class UpdateNumberRange extends CMSServlet {
|
|
|
981330 |
audit(auditMessage);
|
|
|
981330 |
|
|
|
981330 |
} catch (Exception e) {
|
|
|
981330 |
- CMS.debug("UpdateNumberRange: Failed to update number range. Exception: " + e.toString());
|
|
|
981330 |
+ CMS.debug("UpdateNumberRange: Failed to update number range: " + e);
|
|
|
981330 |
+ CMS.debug(e);
|
|
|
981330 |
|
|
|
981330 |
auditMessage = CMS.getLogMessage(
|
|
|
981330 |
LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
--
1.8.3.1
From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique
per instance name (for shared HSM) When installing multiple instances on the
same host sharing the same HSM, if subject_dn's are not specifically spelled
out with unique names for each instance, installation will fail with
complaints that same subject name and serial number already exist. This
happens, for example, when you are creating a subordinate CA
that's in the same domain name as the root CA. It is very inconvenient that
you are expected to spell out subject dn's of all system certs in the
pkispawn config file. This patch changes default.cfg so that the instance
name is in the default subject dn, e.g. adding it as an "ou" component:
ou=%(pki_instance_name)s
(cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce)
(cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674)
---
base/server/etc/default.cfg | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
|
|
|
981330 |
index 51357e6..6e9b074 100644
|
|
|
981330 |
--- a/base/server/etc/default.cfg
|
|
|
981330 |
+++ b/base/server/etc/default.cfg
|
|
|
981330 |
@@ -124,13 +124,13 @@ pki_ssl_server_key_algorithm=SHA256withRSA
|
|
|
981330 |
pki_ssl_server_key_size=2048
|
|
|
981330 |
pki_ssl_server_key_type=rsa
|
|
|
981330 |
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
|
|
|
981330 |
-pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ssl_server_token=
|
|
|
981330 |
pki_subsystem_key_algorithm=SHA256withRSA
|
|
|
981330 |
pki_subsystem_key_size=2048
|
|
|
981330 |
pki_subsystem_key_type=rsa
|
|
|
981330 |
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
|
|
|
981330 |
-pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_subsystem_token=
|
|
|
981330 |
pki_theme_enable=True
|
|
|
981330 |
pki_theme_server_dir=/usr/share/pki/common-ui
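Review bot: The new `ou=%(pki_instance_name)s` component in `pki_ssl_server_subject_dn` and `pki_subsystem_subject_dn` is substituted verbatim, so an instance name containing DN special characters (`,`, `+`, `=`, `"`, `\`, `;`, `<`, `>`) would produce a malformed or differently-parsed DN; the same applies to `pki_ca_signing_subject_dn`, `pki_ocsp_signing_subject_dn`, `pki_admin_subject_dn`, `pki_audit_signing_subject_dn`, `pki_storage_subject_dn` and `pki_transport_subject_dn` in the following hunks of this file. The existing `pki_ds_base_dn=o=%(pki_instance_name)s-CA` already embeds the instance name unescaped, so this is not a new assumption, but it now also determines the subject of the CA signing certificate and therefore the issuer name on every certificate that CA issues. A comment above the first changed line would make the constraint explicit: `# pki_instance_name is inserted into subject DNs unescaped; keep it free of DN special characters`.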
|
|
|
981330 |
@@ -292,7 +292,7 @@ pki_ca_signing_key_size=2048
|
|
|
981330 |
pki_ca_signing_key_type=rsa
|
|
|
981330 |
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
|
|
|
981330 |
pki_ca_signing_signing_algorithm=SHA256withRSA
|
|
|
981330 |
-pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ca_signing_token=
|
|
|
981330 |
pki_ca_signing_csr_path=
|
|
|
981330 |
pki_ca_signing_cert_path=
|
|
|
981330 |
@@ -316,7 +316,7 @@ pki_ocsp_signing_key_size=2048
|
|
|
981330 |
pki_ocsp_signing_key_type=rsa
|
|
|
981330 |
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
|
|
|
981330 |
pki_ocsp_signing_signing_algorithm=SHA256withRSA
|
|
|
981330 |
-pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ocsp_signing_token=
|
|
|
981330 |
pki_profiles_in_ldap=False
|
|
|
981330 |
pki_random_serial_numbers_enable=False
|
|
|
981330 |
@@ -326,10 +326,10 @@ pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security
|
|
|
981330 |
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
|
|
981330 |
pki_admin_name=%(pki_admin_uid)s
|
|
|
981330 |
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
|
|
981330 |
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_admin_uid=caadmin
|
|
|
981330 |
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
|
|
|
981330 |
-pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ds_base_dn=o=%(pki_instance_name)s-CA
|
|
|
981330 |
pki_ds_database=%(pki_instance_name)s-CA
|
|
|
981330 |
pki_ds_hostname=%(pki_hostname)s
|
|
|
981330 |
@@ -409,22 +409,22 @@ pki_storage_key_size=2048
|
|
|
981330 |
pki_storage_key_type=rsa
|
|
|
981330 |
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
|
|
|
981330 |
pki_storage_signing_algorithm=SHA256withRSA
|
|
|
981330 |
-pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_storage_token=
|
|
|
981330 |
pki_transport_key_algorithm=SHA256withRSA
|
|
|
981330 |
pki_transport_key_size=2048
|
|
|
981330 |
pki_transport_key_type=rsa
|
|
|
981330 |
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
|
|
|
981330 |
pki_transport_signing_algorithm=SHA256withRSA
|
|
|
981330 |
-pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_transport_token=
|
|
|
981330 |
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
|
|
981330 |
pki_admin_name=%(pki_admin_uid)s
|
|
|
981330 |
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
|
|
981330 |
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_admin_uid=kraadmin
|
|
|
981330 |
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
|
|
|
981330 |
-pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ds_base_dn=o=%(pki_instance_name)s-KRA
|
|
|
981330 |
pki_ds_database=%(pki_instance_name)s-KRA
|
|
|
981330 |
pki_ds_hostname=%(pki_hostname)s
|
|
|
981330 |
@@ -478,15 +478,15 @@ pki_ocsp_signing_key_size=2048
|
|
|
981330 |
pki_ocsp_signing_key_type=rsa
|
|
|
981330 |
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
|
|
|
981330 |
pki_ocsp_signing_signing_algorithm=SHA256withRSA
|
|
|
981330 |
-pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ocsp_signing_token=
|
|
|
981330 |
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
|
|
981330 |
pki_admin_name=%(pki_admin_uid)s
|
|
|
981330 |
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
|
|
981330 |
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_admin_uid=ocspadmin
|
|
|
981330 |
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
|
|
|
981330 |
-pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
|
|
|
981330 |
pki_ds_database=%(pki_instance_name)s-OCSP
|
|
|
981330 |
pki_ds_hostname=%(pki_hostname)s
|
|
|
981330 |
@@ -515,10 +515,10 @@ pki_import_admin_cert=True
|
|
|
981330 |
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
|
|
981330 |
pki_admin_name=%(pki_admin_uid)s
|
|
|
981330 |
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
|
|
981330 |
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_admin_uid=tksadmin
|
|
|
981330 |
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
|
|
|
981330 |
-pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ds_base_dn=o=%(pki_instance_name)s-TKS
|
|
|
981330 |
pki_ds_database=%(pki_instance_name)s-TKS
|
|
|
981330 |
pki_ds_hostname=%(pki_hostname)s
|
|
|
981330 |
@@ -537,10 +537,10 @@ pki_import_admin_cert=True
|
|
|
981330 |
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
|
|
981330 |
pki_admin_name=%(pki_admin_uid)s
|
|
|
981330 |
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
|
|
981330 |
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_admin_uid=tpsadmin
|
|
|
981330 |
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
|
|
|
981330 |
-pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s
|
|
|
981330 |
+pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
|
|
981330 |
pki_ds_base_dn=o=%(pki_instance_name)s-TPS
|
|
|
981330 |
pki_ds_database=%(pki_instance_name)s-TPS
|
|
|
981330 |
pki_ds_hostname=%(pki_hostname)s
--
1.8.3.1
From f142e739d0296e29914a39c1591a5f1681f0ac31 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: [PATCH 3/9] Added support to create system certificates in different
tokens.
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3)
(cherry picked from commit 261e550a25ced3c61fc0c3afeb910d17b7472a3c)
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++++----
.../dogtagpki/server/rest/SystemConfigService.java | 9 ++----
.../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +--
.../server/deployment/scriptlets/configuration.py | 37 +++++++++++++++++++---
4 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
index 34500d0..3e638ad 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
config.putString(subsystem + "." + certTag + ".nickname", nickname);
|
|
|
981330 |
- config.putString(subsystem + "." + certTag + ".tokenname", token);
|
|
|
981330 |
+
|
|
|
981330 |
if (certTag.equals("audit_signing")) {
|
|
|
981330 |
if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
|
|
|
981330 |
config.putString("log.instance.SignedAudit.signedAuditCertNickname",
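Review bot: With the `.tokenname` write removed here, the `audit_signing` branch below still derives `signedAuditCertNickname` from the `token` value passed into this method, while the token name the server persists is now whatever was written to CS.cfg before startup; if those two can differ, the audit signing nickname may name a token the certificate does not live in. Consider basing this branch on the stored value, `String storedToken = config.getString(subsystem + "." + certTag + ".tokenname", "");`, or adding a comment stating why the argument is authoritative. The enclosing method begins and ends outside this hunk, so the origin of `token` cannot be checked from here.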
|
|
|
981330 |
@@ -3325,14 +3325,15 @@ public class ConfigurationUtils {
|
|
|
981330 |
return 0;
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
- public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
|
|
|
981330 |
+ public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
|
|
|
981330 |
ObjectNotFoundException, TokenException {
|
|
|
981330 |
+
|
|
|
981330 |
+ String tag = cert.getCertTag();
|
|
|
981330 |
if (tag.equals("signing") || tag.equals("external_signing"))
|
|
|
981330 |
return;
|
|
|
981330 |
|
|
|
981330 |
- IConfigStore cs = CMS.getConfigStore();
|
|
|
981330 |
- String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
|
|
|
981330 |
- String tokenname = cs.getString("preop.module.token", "");
|
|
|
981330 |
+ String nickname = cert.getNickname();
|
|
|
981330 |
+ String tokenname = cert.getTokenname();
|
|
|
981330 |
if (!tokenname.equals("Internal Key Storage Token"))
|
|
|
981330 |
nickname = tokenname + ":" + nickname;
|
|
|
981330 |
|
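Review bot: `tokenname` now comes from `cert.getTokenname()` with no default, whereas the replaced `cs.getString(..., "")` guaranteed a non-null string; if `Cert.getTokenname()` can return null, `tokenname.equals("Internal Key Storage Token")` throws a NullPointerException. The check is also narrower than the one in `getSubsystemCert` later in this file (hunk `@@ -4554`), which treats `"internal"` and `""` as the internal token as well, so an empty token name here yields the nickname `":" + nickname`. Suggest `if (tokenname != null && !tokenname.isEmpty() && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))`, ideally factored into one `isInternalToken(String)` helper shared by both methods. The method body continues past the end of the hunk.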
|
|
981330 |
@@ -4554,9 +4555,11 @@ public class ConfigurationUtils {
|
|
|
981330 |
|
|
|
981330 |
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
|
|
|
981330 |
TokenException, CertificateEncodingException, IOException {
|
|
|
981330 |
+
|
|
|
981330 |
IConfigStore cs = CMS.getConfigStore();
|
|
|
981330 |
- String nickname = cs.getString("preop.cert.subsystem.nickname", "");
|
|
|
981330 |
- String tokenname = cs.getString("preop.module.token", "");
|
|
|
981330 |
+ String subsystem = cs.getString("cs.type").toLowerCase();
|
|
|
981330 |
+ String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
|
|
|
981330 |
+ String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
|
|
|
981330 |
|
|
|
981330 |
if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
|
|
|
981330 |
&& !tokenname.equals("")) {
|
|
|
981330 |
@@ -4571,6 +4574,7 @@ public class ConfigurationUtils {
|
|
|
981330 |
CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
|
|
|
981330 |
return null;
|
|
|
981330 |
}
|
|
|
981330 |
+
|
|
|
981330 |
byte[] bytes = cert.getEncoded();
|
|
|
981330 |
String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
|
|
|
981330 |
return s;
|
|
|
981330 |
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
index 9d7c176..5cc6f63 100644
|
|
|
981330 |
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
try {
|
|
|
981330 |
CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
|
|
|
981330 |
ret = ConfigurationUtils.handleCerts(cert);
|
|
|
981330 |
- ConfigurationUtils.setCertPermissions(cert.getCertTag());
|
|
|
981330 |
+ ConfigurationUtils.setCertPermissions(cert);
|
|
|
981330 |
CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
|
|
|
981330 |
} catch (Exception e) {
|
|
|
981330 |
CMS.debug(e);
|
|
|
981330 |
@@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
|
|
|
981330 |
processCert(
|
|
|
981330 |
request,
|
|
|
981330 |
- token,
|
|
|
981330 |
certList,
|
|
|
981330 |
certs,
|
|
|
981330 |
hasSigningCert,
|
|
|
981330 |
@@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
|
|
|
981330 |
public void processCert(
|
|
|
981330 |
ConfigurationRequest request,
|
|
|
981330 |
- String token,
|
|
|
981330 |
Collection<String> certList,
|
|
|
981330 |
Collection<Cert> certs,
|
|
|
981330 |
MutableBoolean hasSigningCert,
|
|
|
981330 |
@@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
String curvename = certData.getKeyCurveName() != null ?
|
|
|
981330 |
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
|
|
|
981330 |
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
|
|
|
981330 |
- ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
|
|
|
981330 |
+ ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
|
|
|
981330 |
|
|
|
981330 |
} else {
|
|
|
981330 |
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
|
|
|
981330 |
.getString("keys.rsa.keysize.default");
|
|
|
981330 |
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
|
|
|
981330 |
- ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
|
|
|
981330 |
+ ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
} else {
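Review bot: `tokenName` replaces the removed `token` parameter in both the `createECCKeyPair` and `createRSAKeyPair` calls, but where it is assigned is outside this hunk, so its null/empty handling cannot be verified here. Since this value decides which token the system key pair is generated in, a debug line immediately before the branch would make a key that ends up in an unintended token visible in the logs: `CMS.debug("processCert: generating '" + tag + "' key pair in token '" + tokenName + "'");`. The enclosing `processCert` method starts outside the hunk.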
|
|
|
981330 |
@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
|
|
|
981330 |
- cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
|
|
|
981330 |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
index c62087e..a334824 100644
|
|
|
981330 |
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
|
|
|
981330 |
// get SSL server nickname
|
|
|
981330 |
IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
|
|
|
981330 |
if (serverCertStore != null && serverCertStore.size() > 0) {
|
|
|
981330 |
- String nickName = serverCertStore.getString("nickname");
|
|
|
981330 |
- String tokenName = serverCertStore.getString("tokenname");
|
|
|
981330 |
+ String nickName = serverCertStore.getString("nickname", null);
|
|
|
981330 |
+ String tokenName = serverCertStore.getString("tokenname", null);
|
|
|
981330 |
if (tokenName != null && tokenName.length() > 0 &&
|
|
|
981330 |
nickName != null && nickName.length() > 0) {
|
|
|
981330 |
CMS.setServerCertNickname(tokenName, nickName);
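Review bot: With the defaults changed to `null`, a missing `sslserver.nickname` or `sslserver.tokenname` presumably no longer raises but silently skips `CMS.setServerCertNickname`, and nothing records that this happened. Add an else branch, `} else { CMS.debug("CMSEngine: sslserver nickname or tokenname not configured for " + id); }`, so a server that starts without its intended SSL server certificate binding is diagnosable from the log. The closing brace of the surrounding `if` is outside the hunk.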
|
|
|
981330 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
index 64ee4e5..97f6d3e 100644
|
|
|
981330 |
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
@@ -39,6 +39,31 @@ import pki.util
|
|
|
981330 |
# PKI Deployment Configuration Scriptlet
|
|
|
981330 |
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
|
|
|
981330 |
+ def store_cert_tokens(self, subsystem, deployer):
|
|
|
981330 |
+
|
|
|
981330 |
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_audit_signing_token'])
|
|
|
981330 |
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_ssl_server_token'])
|
|
|
981330 |
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_subsystem_token'])
|
|
|
981330 |
+
|
|
|
981330 |
+ if subsystem.name == 'ca':
|
|
|
981330 |
+ subsystem.config['ca.signing.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_ca_signing_token'])
|
|
|
981330 |
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_ocsp_signing_token'])
|
|
|
981330 |
+
|
|
|
981330 |
+ elif subsystem.name == 'kra':
|
|
|
981330 |
+ subsystem.config['kra.storage.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_storage_token'])
|
|
|
981330 |
+ subsystem.config['kra.transport.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_transport_token'])
|
|
|
981330 |
+
|
|
|
981330 |
+ elif subsystem.name == 'ocsp':
|
|
|
981330 |
+ subsystem.config['ocsp.signing.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_ocsp_signing_token'])
|
|
|
981330 |
+
|
|
|
981330 |
def spawn(self, deployer):
|
|
|
981330 |
|
|
|
981330 |
if config.str2bool(deployer.mdict['pki_skip_configuration']):
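Review bot: `store_cert_tokens` has no docstring and its contract is not obvious from the body: it writes the `<subsystem>.<cert>.tokenname` keys that the Java side of this patch now reads from CS.cfg instead of receiving from the client. Suggest `"""Copy the pki_<cert>_token deployment parameters into CS.cfg so the server creates each system certificate in the configured token."""`. Every lookup uses `deployer.mdict[...]`, so a deployment config lacking one of these keys aborts spawn with a bare `KeyError`; the defaults in `default.cfg` define each of them (empty), so this is acceptable if the docstring says the keys are required. For `tks` and `tps` only the three common certificates are stored, which appears consistent with the subject_dn defaults in the second patch of this series.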
|
|
|
981330 |
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
nickname=signing_nickname,
|
|
|
981330 |
output_format='base64')
|
|
|
981330 |
subsystem.config['ca.signing.nickname'] = signing_nickname
|
|
|
981330 |
- subsystem.config['ca.signing.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_ca_signing_token'])
|
|
|
981330 |
subsystem.config['ca.signing.cert'] = signing_cert_data
|
|
|
981330 |
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
|
|
|
981330 |
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
|
|
|
981330 |
deployer.mdict['pki_ca_signing_signing_algorithm'])
|
|
|
981330 |
|
|
|
981330 |
+ # Store cert tokens in CS.cfg.
|
|
|
981330 |
+ self.store_cert_tokens(subsystem, deployer)
|
|
|
981330 |
+
|
|
|
981330 |
subsystem.save()
|
|
|
981330 |
|
|
|
981330 |
# verify the signing certificate
|
|
|
981330 |
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
instance, 'ca')
|
|
|
981330 |
verifier.verify_certificate('signing')
|
|
|
981330 |
|
|
|
981330 |
- else: # self-signed CA
|
|
|
981330 |
+ else: # other installation types
|
|
|
981330 |
|
|
|
981330 |
# To be implemented in ticket #1692.
|
|
|
981330 |
|
|
|
981330 |
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
# Self sign CA cert.
|
|
|
981330 |
# Import self-signed CA cert into NSS database.
|
|
|
981330 |
|
|
|
981330 |
- pass
|
|
|
981330 |
+ # Store cert tokens in CS.cfg.
|
|
|
981330 |
+ self.store_cert_tokens(subsystem, deployer)
|
|
|
981330 |
+
|
|
|
981330 |
+ subsystem.save()
|
|
|
981330 |
|
|
|
981330 |
finally:
|
|
|
981330 |
nssdb.close()
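Review bot: Both branches of the `if`/`else` now end with the same two statements, `self.store_cert_tokens(subsystem, deployer)` followed by `subsystem.save()` (the other copy is in the hunk `@@ -265,13` above), so the pair could be hoisted below the `if`/`else` and run once. That also keeps the `else` branch, which the comments mark as still to be implemented, free of logic that is not branch-specific. `subsystem` must already be bound on this path; its assignment is outside the hunk, so verify it is not set only in the `if` branch.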
--
1.8.3.1
From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 2 Sep 2016 16:08:02 -0400
Subject: [PATCH 4/9] Fix CertRequestInfo URLs
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few Eclipse-flagged warnings (unused imports, etc.).
Ticket 2447
(cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2)
(cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)
---
.../com/netscape/ca/ExternalProcessKeyRetriever.java | 7 +------
.../src/com/netscape/cmstools/HttpClient.java | 2 --
.../com/netscape/cms/servlet/cert/CertRequestDAO.java | 17 ++++++++++++++---
.../cms/servlet/cert/CertRequestInfoFactory.java | 15 ++++++++-------
.../src/com/netscape/cms/servlet/cert/DoRevokeTPS.java | 15 +++++++--------
.../cms/servlet/profile/ProfileReviewServlet.java | 1 -
.../dogtagpki/server/tps/rest/TPSInstallerService.java | 2 +-
7 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
|
|
|
981330 |
index a1b7748..736d870 100644
|
|
|
981330 |
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
|
|
|
981330 |
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
|
|
|
981330 |
@@ -20,16 +20,11 @@ package com.netscape.ca;
|
|
|
981330 |
|
|
|
981330 |
import java.io.IOException;
|
|
|
981330 |
import java.io.InputStream;
|
|
|
981330 |
-import java.lang.Process;
|
|
|
981330 |
-import java.lang.ProcessBuilder;
|
|
|
981330 |
import java.util.Collection;
|
|
|
981330 |
import java.util.Stack;
|
|
|
981330 |
|
|
|
981330 |
-import org.apache.commons.io.IOUtils;
|
|
|
981330 |
-import org.apache.commons.lang.ArrayUtils;
|
|
|
981330 |
-
|
|
|
981330 |
-import org.codehaus.jackson.map.ObjectMapper;
|
|
|
981330 |
import org.codehaus.jackson.JsonNode;
|
|
|
981330 |
+import org.codehaus.jackson.map.ObjectMapper;
|
|
|
981330 |
|
|
|
981330 |
import com.netscape.certsrv.apps.CMS;
|
|
|
981330 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
981330 |
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
981330 |
index 432be9c..594ec69 100644
|
|
|
981330 |
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
981330 |
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
981330 |
@@ -126,8 +126,6 @@ public class HttpClient {
|
|
|
981330 |
Password pass = new Password(password.toCharArray());
|
|
|
981330 |
token.login(pass);
|
|
|
981330 |
|
|
|
981330 |
- int i;
|
|
|
981330 |
-
|
|
|
981330 |
SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
|
|
|
981330 |
org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
|
|
|
981330 |
new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
|
|
|
981330 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
|
|
|
981330 |
index 6fbcd3c..306fbf5 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
|
|
|
981330 |
@@ -197,8 +197,13 @@ public class CertRequestDAO extends CMSRequestDAO {
|
|
|
981330 |
|
|
|
981330 |
IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
|
|
|
981330 |
for (IRequest req : reqs) {
|
|
|
981330 |
- CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
|
|
|
981330 |
- ret.addEntry(info);
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
|
|
|
981330 |
+ ret.addEntry(info);
|
|
|
981330 |
+ } catch (NoSuchMethodException e) {
|
|
|
981330 |
+ CMS.debug("Error in creating certrequestinfo - no such method");
|
|
|
981330 |
+ e.printStackTrace();
|
|
|
981330 |
+ }
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
ret.setTotal(ret.getEntries().size());
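Review bot: `NoSuchMethodException` here means the reflective lookup inside `CertRequestInfoFactory.create` failed to find a method named by a string constant, which is a programming error, yet it is written with `e.printStackTrace()` to stderr and the request is silently dropped from the list, so `ret.setTotal(...)` under-counts. Use the codebase's logger, `CMS.debug(e);`, and consider `throw new RuntimeException(e);` since the condition cannot be corrected at runtime. The same pattern appears in `createCMSRequestInfo` in the next hunk (`@@ -221,7`), which additionally returns `null` to callers that previously always received an object.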
|
|
|
981330 |
@@ -221,7 +226,13 @@ public class CertRequestDAO extends CMSRequestDAO {
|
|
|
981330 |
|
|
|
981330 |
@Override
|
|
|
981330 |
public CertRequestInfo createCMSRequestInfo(IRequest request, UriInfo uriInfo) {
|
|
|
981330 |
- return CertRequestInfoFactory.create(request, uriInfo);
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ return CertRequestInfoFactory.create(request, uriInfo);
|
|
|
981330 |
+ } catch (NoSuchMethodException e) {
|
|
|
981330 |
+ CMS.debug("Error in creating certrequestinfo - no such method");
|
|
|
981330 |
+ e.printStackTrace();
|
|
|
981330 |
+ }
|
|
|
981330 |
+ return null;
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
}
|
|
|
981330 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
|
|
|
981330 |
index 68f65bc..e8c44b3 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
|
|
|
981330 |
@@ -37,7 +37,7 @@ import netscape.security.x509.X509CertImpl;
|
|
|
981330 |
|
|
|
981330 |
public class CertRequestInfoFactory {
|
|
|
981330 |
|
|
|
981330 |
- public static CertRequestInfo create(IRequest request, UriInfo uriInfo) {
|
|
|
981330 |
+ public static CertRequestInfo create(IRequest request, UriInfo uriInfo) throws SecurityException, NoSuchMethodException {
|
|
|
981330 |
|
|
|
981330 |
CertRequestInfo info = new CertRequestInfo();
|
|
|
981330 |
|
|
|
981330 |
@@ -49,12 +49,12 @@ public class CertRequestInfoFactory {
|
|
|
981330 |
|
|
|
981330 |
info.setCertRequestType(request.getExtDataInString("cert_request_type"));
|
|
|
981330 |
|
|
|
981330 |
- Path certRequestPath = CertRequestResource.class.getAnnotation(Path.class);
|
|
|
981330 |
+ Path certRequestPath = CertRequestResource.class.getMethod("getRequestInfo", RequestId.class ).getAnnotation(Path.class);
|
|
|
981330 |
RequestId requestId = request.getRequestId();
|
|
|
981330 |
|
|
|
981330 |
UriBuilder reqBuilder = uriInfo.getBaseUriBuilder();
|
|
|
981330 |
- reqBuilder.path(certRequestPath.value() + "/" + requestId);
|
|
|
981330 |
- info.setRequestURL(reqBuilder.build().toString());
|
|
|
981330 |
+ reqBuilder.path(certRequestPath.value());
|
|
|
981330 |
+ info.setRequestURL(reqBuilder.build(requestId).toString());
|
|
|
981330 |
|
|
|
981330 |
Integer result = request.getExtDataInInteger(IRequest.RESULT);
|
|
|
981330 |
if (result == null || result.equals(IRequest.RES_SUCCESS)) {
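Review bot: Resolving the `@Path` with `Class.getMethod(...)` introduces a checked `NoSuchMethodException` and, if `CertRequestResource` still carries a class-level `@Path`, drops that prefix, because only the method annotation is appended to the base URI. JAX-RS `UriBuilder` already does this composition without reflection: `uriInfo.getBaseUriBuilder().path(CertRequestResource.class).path(CertRequestResource.class, "getRequestInfo").build(requestId)` appends both annotations and throws an unchecked `IllegalArgumentException` if the method or annotation is missing (drop the `.path(Class)` step if the resource has no class-level `@Path`). Switching from string concatenation to `build(requestId)` is a genuine improvement, since the template value is now percent-encoded rather than spliced raw into the path; a short comment saying so would help the next reader.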
|
|
|
981330 |
@@ -84,11 +84,12 @@ public class CertRequestInfoFactory {
|
|
|
981330 |
BigInteger serialNo = impl.getSerialNumber();
|
|
|
981330 |
info.setCertId(new CertId(serialNo));
|
|
|
981330 |
|
|
|
981330 |
- Path certPath = CertResource.class.getAnnotation(Path.class);
|
|
|
981330 |
+
|
|
|
981330 |
+ Path certPath = CertResource.class.getMethod("getCert", CertId.class).getAnnotation(Path.class);
|
|
|
981330 |
UriBuilder certBuilder = uriInfo.getBaseUriBuilder();
|
|
|
981330 |
- certBuilder.path(certPath.value() + "/" + serialNo);
|
|
|
981330 |
+ certBuilder.path(certPath.value());
|
|
|
981330 |
|
|
|
981330 |
- info.setCertURL(certBuilder.build().toString());
|
|
|
981330 |
+ info.setCertURL(certBuilder.build(serialNo).toString());
|
|
|
981330 |
|
|
|
981330 |
return info;
|
|
|
981330 |
}
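Review bot: `CertResource.class.getMethod("getCert", CertId.class).getAnnotation(Path.class)` is re-evaluated on every call, and `create` is invoked once per request inside the listing loop in `CertRequestDAO`, so the reflective lookup is repeated for each row; resolve it once into a `private static final Path CERT_PATH` (or use `UriBuilder.path(CertResource.class, "getCert")`, which needs no reflection at all). Passing the `BigInteger` to `build(serialNo)` yields the same decimal form as the previous concatenation, but a comment such as `// serial is rendered in decimal, matching CertId.toString()` would make that intent explicit — I cannot see `CertId`'s formatting from here, so please confirm they agree.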
|
|
|
981330 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
|
|
|
981330 |
index 30bd2cd..79eba99 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
|
|
|
981330 |
@@ -30,12 +30,7 @@ import javax.servlet.ServletException;
|
|
|
981330 |
import javax.servlet.http.HttpServletRequest;
|
|
|
981330 |
import javax.servlet.http.HttpServletResponse;
|
|
|
981330 |
|
|
|
981330 |
-import netscape.security.x509.CRLExtensions;
|
|
|
981330 |
-import netscape.security.x509.CRLReasonExtension;
|
|
|
981330 |
-import netscape.security.x509.InvalidityDateExtension;
|
|
|
981330 |
-import netscape.security.x509.RevocationReason;
|
|
|
981330 |
-import netscape.security.x509.RevokedCertImpl;
|
|
|
981330 |
-import netscape.security.x509.X509CertImpl;
|
|
|
981330 |
+import org.dogtagpki.server.connector.IRemoteRequest;
|
|
|
981330 |
|
|
|
981330 |
import com.netscape.certsrv.apps.CMS;
|
|
|
981330 |
import com.netscape.certsrv.authentication.AuthToken;
|
|
|
981330 |
@@ -51,7 +46,6 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
|
|
|
981330 |
import com.netscape.certsrv.common.ICMSRequest;
|
|
|
981330 |
import com.netscape.certsrv.dbs.certdb.ICertRecord;
|
|
|
981330 |
import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
|
|
|
981330 |
-import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
|
|
|
981330 |
import com.netscape.certsrv.logging.AuditFormat;
|
|
|
981330 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
981330 |
import com.netscape.certsrv.publish.IPublisherProcessor;
|
|
|
981330 |
@@ -64,7 +58,12 @@ import com.netscape.cms.servlet.common.CMSTemplate;
|
|
|
981330 |
import com.netscape.cms.servlet.common.CMSTemplateParams;
|
|
|
981330 |
import com.netscape.cms.servlet.common.ECMSGWException;
|
|
|
981330 |
|
|
|
981330 |
-import org.dogtagpki.server.connector.IRemoteRequest;
|
|
|
981330 |
+import netscape.security.x509.CRLExtensions;
|
|
|
981330 |
+import netscape.security.x509.CRLReasonExtension;
|
|
|
981330 |
+import netscape.security.x509.InvalidityDateExtension;
|
|
|
981330 |
+import netscape.security.x509.RevocationReason;
|
|
|
981330 |
+import netscape.security.x509.RevokedCertImpl;
|
|
|
981330 |
+import netscape.security.x509.X509CertImpl;
|
|
|
981330 |
|
|
|
981330 |
/**
|
|
|
981330 |
* Revoke a Certificate
|
|
|
981330 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
|
|
|
981330 |
index 0073bd2..dc6560d 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
|
|
|
981330 |
@@ -43,7 +43,6 @@ import com.netscape.certsrv.profile.IProfileInput;
|
|
|
981330 |
import com.netscape.certsrv.profile.IProfileOutput;
|
|
|
981330 |
import com.netscape.certsrv.profile.IProfilePolicy;
|
|
|
981330 |
import com.netscape.certsrv.profile.IProfileSubsystem;
|
|
|
981330 |
-import com.netscape.certsrv.property.EPropertyException;
|
|
|
981330 |
import com.netscape.certsrv.property.IDescriptor;
|
|
|
981330 |
import com.netscape.certsrv.request.IRequest;
|
|
|
981330 |
import com.netscape.certsrv.request.IRequestQueue;
|
|
|
981330 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
|
|
|
981330 |
index 068293e..8fd24c8 100644
|
|
|
981330 |
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
|
|
|
981330 |
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
|
|
|
981330 |
@@ -50,7 +50,7 @@ public class TPSInstallerService extends SystemConfigService {
|
|
|
981330 |
|
|
|
981330 |
// get token prefix, if applicable
|
|
|
981330 |
String tokPrefix = "";
|
|
|
981330 |
- if (!request.getToken().equals(request.TOKEN_DEFAULT) &&
|
|
|
981330 |
+ if (!request.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT) &&
|
|
|
981330 |
!request.getToken().equals("internal")) {
|
|
|
981330 |
tokPrefix = request.getToken() + ":";
|
|
|
981330 |
}
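Review bot: Replacing `request.TOKEN_DEFAULT` with the static reference is correct, but the condition still dereferences `request.getToken()` twice and throws `NullPointerException` if the configuration request omits the token; unless earlier validation guarantees a value (not visible here), reverse the comparisons: `if (!ConfigurationRequest.TOKEN_DEFAULT.equals(request.getToken()) && !"internal".equals(request.getToken())) {`. The literal `"internal"` sits next to a named constant for the default token; if `ConfigurationRequest` also defines a constant for the internal token, use it here for the same reason this hunk exists.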
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
981330 |
From 647388e39ccb69e3d8cadcc1d0a21c4ac6d83363 Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
981330 |
Date: Thu, 25 Aug 2016 12:55:14 +1000
|
|
|
981330 |
Subject: [PATCH 5/9] Revoke lightweight CA certificate on deletion
|
|
|
981330 |
|
|
|
981330 |
Fixes: https://fedorahosted.org/pki/ticket/1638
|
|
|
981330 |
(cherry picked from commit af8ff4a7c36614c1b41338f9e32a83462d4163be)
|
|
|
981330 |
(cherry picked from commit 71bd236572968bdb1b8cb0c4c9a370c689a64687)
|
|
|
981330 |
---
|
|
|
981330 |
.../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++-
|
|
|
981330 |
.../dogtagpki/server/ca/rest/AuthorityService.java | 2 +-
|
|
|
981330 |
.../netscape/certsrv/ca/ICertificateAuthority.java | 2 +-
|
|
|
981330 |
3 files changed, 40 insertions(+), 3 deletions(-)
|
|
|
981330 |
|
|
|
981330 |
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
index a5397da..ab48409 100644
|
|
|
981330 |
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
@@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
|
|
|
981330 |
import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
|
|
|
981330 |
import com.netscape.cms.servlet.cert.EnrollmentProcessor;
|
|
|
981330 |
import com.netscape.cms.servlet.cert.RenewalProcessor;
|
|
|
981330 |
+import com.netscape.cms.servlet.cert.RevocationProcessor;
|
|
|
981330 |
import com.netscape.cms.servlet.processors.CAProcessor;
|
|
|
981330 |
import com.netscape.cmscore.base.ArgBlock;
|
|
|
981330 |
import com.netscape.cmscore.dbs.CRLRepository;
|
|
|
981330 |
@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain;
|
|
|
981330 |
import netscape.security.x509.CertificateIssuerName;
|
|
|
981330 |
import netscape.security.x509.CertificateSubjectName;
|
|
|
981330 |
import netscape.security.x509.CertificateVersion;
|
|
|
981330 |
+import netscape.security.x509.RevocationReason;
|
|
|
981330 |
import netscape.security.x509.X500Name;
|
|
|
981330 |
import netscape.security.x509.X500Signer;
|
|
|
981330 |
import netscape.security.x509.X509CRLImpl;
|
|
|
981330 |
@@ -2964,7 +2966,8 @@ public class CertificateAuthority
|
|
|
981330 |
authorityKeyHosts.add(thisClone);
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
- public synchronized void deleteAuthority() throws EBaseException {
|
|
|
981330 |
+ public synchronized void deleteAuthority(HttpServletRequest httpReq)
|
|
|
981330 |
+ throws EBaseException {
|
|
|
981330 |
if (isHostAuthority())
|
|
|
981330 |
throw new CATypeException("Cannot delete the host CA");
|
|
|
981330 |
|
|
|
981330 |
@@ -2984,10 +2987,44 @@ public class CertificateAuthority
|
|
|
981330 |
|
|
|
981330 |
shutdown();
|
|
|
981330 |
|
|
|
981330 |
+ revokeAuthority(httpReq);
|
|
|
981330 |
deleteAuthorityEntry(authorityID);
|
|
|
981330 |
deleteAuthorityNSSDB();
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
+ /** Revoke the authority's certificate
|
|
|
981330 |
+ *
|
|
|
981330 |
+ * TODO: revocation reason, invalidity date parameters
|
|
|
981330 |
+ */
|
|
|
981330 |
+ private void revokeAuthority(HttpServletRequest httpReq)
|
|
|
981330 |
+ throws EBaseException {
|
|
|
981330 |
+ CMS.debug("revokeAuthority: checking serial " + authoritySerial);
|
|
|
981330 |
+ ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
|
|
|
981330 |
+ String curStatus = certRecord.getStatus();
|
|
|
981330 |
+ CMS.debug("revokeAuthority: current cert status: " + curStatus);
|
|
|
981330 |
+ if (curStatus.equals(CertRecord.STATUS_REVOKED)
|
|
|
981330 |
+ || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
|
|
|
981330 |
+ return; // already revoked
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
+ CMS.debug("revokeAuthority: revoking cert");
|
|
|
981330 |
+ RevocationProcessor processor = new RevocationProcessor(
|
|
|
981330 |
+ "CertificateAuthority.revokeAuthority", httpReq.getLocale());
|
|
|
981330 |
+ processor.setSerialNumber(new CertId(authoritySerial));
|
|
|
981330 |
+ processor.setRevocationReason(RevocationReason.UNSPECIFIED);
|
|
|
981330 |
+ processor.setAuthority(this);
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ processor.createCRLExtension();
|
|
|
981330 |
+ } catch (IOException e) {
|
|
|
981330 |
+ throw new ECAException("Unable to create CRL extensions", e);
|
|
|
981330 |
+ }
|
|
|
981330 |
+ processor.addCertificateToRevoke(mCaCert);
|
|
|
981330 |
+ processor.createRevocationRequest();
|
|
|
981330 |
+ processor.auditChangeRequest(ILogger.SUCCESS);
|
|
|
981330 |
+ processor.processRevocationRequest();
|
|
|
981330 |
+ processor.auditChangeRequestProcessed(ILogger.SUCCESS);
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
/** Delete keys and certs of this authority from NSSDB.
|
|
|
981330 |
*/
|
|
|
981330 |
private void deleteAuthorityNSSDB() throws ECAException {
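Review bot: `revokeAuthority` emits the signed-audit SUCCESS events unconditionally after `createRevocationRequest()` and `processRevocationRequest()`, so if either throws there is no FAILURE audit record and the exception leaves `deleteAuthority` after `shutdown()` has already run, leaving the authority shut down but with its entry and NSSDB material intact and no audit trail of why; wrap each step so the FAILURE event is emitted before rethrowing, as below. The certificate being revoked was presumably issued by this authority's parent, so `processor.setAuthority(this)` on an instance that was just shut down deserves a comment confirming it is the intended issuer context for the request queue and CRL. `httpReq` is used only for `getLocale()`; accepting a `Locale` would keep the CA core free of servlet types. The hunk ends inside the class; `deleteAuthorityNSSDB`'s body continues outside it.
```java
        processor.addCertificateToRevoke(mCaCert);
        try {
            processor.createRevocationRequest();
            processor.auditChangeRequest(ILogger.SUCCESS);
        } catch (EBaseException e) {
            processor.auditChangeRequest(ILogger.FAILURE);
            throw e;
        }
        try {
            processor.processRevocationRequest();
            processor.auditChangeRequestProcessed(ILogger.SUCCESS);
        } catch (EBaseException e) {
            processor.auditChangeRequestProcessed(ILogger.FAILURE);
            throw e;
        }
```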
|
|
|
981330 |
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
981330 |
index 246a3f0..584ab6e 100644
|
|
|
981330 |
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
981330 |
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
981330 |
@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
|
|
|
981330 |
Map<String, String> auditParams = new LinkedHashMap<>();
|
|
|
981330 |
|
|
|
981330 |
try {
|
|
|
981330 |
- ca.deleteAuthority();
|
|
|
981330 |
+ ca.deleteAuthority(servletRequest);
|
|
|
981330 |
audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
|
|
|
981330 |
return createNoContentResponse();
|
|
|
981330 |
} catch (CATypeException e) {
|
|
|
981330 |
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
|
|
|
981330 |
index 308bfba..5218a4c 100644
|
|
|
981330 |
--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
|
|
|
981330 |
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
|
|
|
981330 |
@@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem {
|
|
|
981330 |
/**
|
|
|
981330 |
* Delete this lightweight CA.
|
|
|
981330 |
*/
|
|
|
981330 |
- public void deleteAuthority()
|
|
|
981330 |
+ public void deleteAuthority(HttpServletRequest httpReq)
|
|
|
981330 |
throws EBaseException;
|
|
|
981330 |
}
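Review bot: The interface Javadoc still reads "Delete this lightweight CA." although the method now also revokes the authority's signing certificate and gained an `HttpServletRequest` parameter whose purpose is not stated. Extend the comment to say that the authority is shut down, its signing certificate is revoked with reason unspecified, and then its database entry and NSSDB key material are removed, and add `@param httpReq request on whose behalf the deletion runs; only its locale is used` plus `@throws EBaseException if revocation or deletion fails` so implementors and callers know what the parameter is for.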
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
981330 |
From 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
981330 |
Date: Wed, 24 Aug 2016 14:40:46 +1000
|
|
|
981330 |
Subject: [PATCH 6/9] Prevent deletion of host CA cert and key from NSSDB
|
|
|
981330 |
|
|
|
981330 |
If authorityMonitor observes the deletion of the host CA's authority
|
|
|
981330 |
entry, it will treat it the same as any other lightweight CA and
|
|
|
981330 |
delete the signing cert AND KEY from the NSSDB. Because the database
|
|
|
981330 |
is replicated, the change would be observed and deletion immediately
|
|
|
981330 |
effected on all running clones. Unless the main CA private key is
|
|
|
981330 |
backed up somewhere there is no way to recover from this.
|
|
|
981330 |
|
|
|
981330 |
Although this scenario does not arise in normal operation, the
|
|
|
981330 |
impact is severe so add a check that prevents cert and key deletion
|
|
|
981330 |
for host authority.
|
|
|
981330 |
|
|
|
981330 |
Fixes: https://fedorahosted.org/pki/ticket/2443
|
|
|
981330 |
(cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1)
|
|
|
981330 |
(cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e)
|
|
|
981330 |
---
|
|
|
981330 |
base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++++++
|
|
|
981330 |
1 file changed, 7 insertions(+)
|
|
|
981330 |
|
|
|
981330 |
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
index ab48409..bea129d 100644
|
|
|
981330 |
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
@@ -3028,6 +3028,13 @@ public class CertificateAuthority
|
|
|
981330 |
/** Delete keys and certs of this authority from NSSDB.
|
|
|
981330 |
*/
|
|
|
981330 |
private void deleteAuthorityNSSDB() throws ECAException {
|
|
|
981330 |
+ if (isHostAuthority()) {
|
|
|
981330 |
+ String msg = "Attempt to delete host authority signing key; not proceeding";
|
|
|
981330 |
+ log(ILogger.LL_WARN, msg);
|
|
|
981330 |
+ CMS.debug(msg);
|
|
|
981330 |
+ return;
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
CryptoManager cryptoManager;
|
|
|
981330 |
try {
|
|
|
981330 |
cryptoManager = CryptoManager.getInstance();
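Review bot: The Javadoc above the guard ("Delete keys and certs of this authority from NSSDB.") no longer describes the method, which is now a deliberate no-op for the host authority; amend it to `/** Delete keys and certs of this authority from NSSDB. No-op (with a warning) for the host authority: its signing key must never be removed, even if the authority monitor observes deletion of its entry. */`. Since reaching this branch means something tried to remove the host CA's entry from a replicated database, it is a security-relevant event rather than a routine warning; consider raising it to a signed-audit or at least `LL_FAILURE` log entry so operators notice it. The method body continues outside the hunk.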
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
981330 |
From 06a85c76938211d6ecf2b49ac72b168e9f6e7fdd Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: Fraser Tweedale <frase@frase.id.au>
|
|
|
981330 |
Date: Tue, 23 Aug 2016 14:50:03 +1000
|
|
|
981330 |
Subject: [PATCH 7/9] Accept LWCA entry with missing entryUSN if plugin enabled
|
|
|
981330 |
|
|
|
981330 |
Currently we abort adding a lightweight CA if its entry does not
|
|
|
981330 |
have an 'entryUSN' attribute, and log a failure, even if the USN
|
|
|
981330 |
plugin is enabled. But if the plugin is enabled, it's fine to
|
|
|
981330 |
proceed.
|
|
|
981330 |
|
|
|
981330 |
Update the authority monitor to check if the USN plugin is enabled
|
|
|
981330 |
and only log the failure if it is not. Clarify the log message
|
|
|
981330 |
accordingly.
|
|
|
981330 |
|
|
|
981330 |
Part of: https://fedorahosted.org/pki/ticket/2444
|
|
|
981330 |
|
|
|
981330 |
(cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe)
|
|
|
981330 |
(cherry picked from commit 21e268ae6d5f9c2f93d4d80a6285e453974b5c07)
|
|
|
981330 |
---
|
|
|
981330 |
.../src/com/netscape/ca/CertificateAuthority.java | 46 ++++++++++++++++++----
|
|
|
981330 |
1 file changed, 38 insertions(+), 8 deletions(-)
|
|
|
981330 |
|
|
|
981330 |
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
index bea129d..aab9651 100644
|
|
|
981330 |
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
@@ -679,6 +679,24 @@ public class CertificateAuthority
|
|
|
981330 |
}
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
+ private boolean entryUSNPluginEnabled() {
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ LDAPConnection conn = dbFactory.getConn();
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ LDAPSearchResults results = conn.search(
|
|
|
981330 |
+ "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
|
|
|
981330 |
+ "(nsslapd-pluginEnabled=on)", null, false);
|
|
|
981330 |
+ return results != null && results.hasMoreElements();
|
|
|
981330 |
+ } catch (LDAPException e) {
|
|
|
981330 |
+ return false;
|
|
|
981330 |
+ } finally {
|
|
|
981330 |
+ dbFactory.returnConn(conn);
|
|
|
981330 |
+ }
|
|
|
981330 |
+ } catch (ELdapException e) {
|
|
|
981330 |
+ return false; // oh well
|
|
|
981330 |
+ }
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
private void initCRLPublisher() throws EBaseException {
|
|
|
981330 |
// instantiate CRL publisher
|
|
|
981330 |
if (!isHostAuthority()) {
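Review bot: Both catch blocks in `entryUSNPluginEnabled` return `false` without logging, so an ACL denial on `cn=usn,cn=plugins,cn=config` (the CA's bind identity may not be allowed to read the plugin configuration) or a transient connection failure is reported to the operator as "USN plugin not enabled" and the authority entry is skipped for the wrong reason. Add `CMS.debug("entryUSNPluginEnabled: " + e);` in each catch before returning so the real cause is visible, and consider a short comment stating that the check fails closed. If `dbFactory.getConn()` can return `null` (not visible here), `returnConn(conn)` in the `finally` should be guarded.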
|
|
|
981330 |
@@ -3221,17 +3239,29 @@ public class CertificateAuthority
|
|
|
981330 |
AuthorityID aid = new AuthorityID((String)
|
|
|
981330 |
aidAttr.getStringValues().nextElement());
|
|
|
981330 |
|
|
|
981330 |
- LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
|
|
|
981330 |
- if (entryUSN == null) {
|
|
|
981330 |
- log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " +
|
|
|
981330 |
- "This is likely because the USN plugin is not enabled in the database");
|
|
|
981330 |
- return;
|
|
|
981330 |
+ Integer newEntryUSN = null;
|
|
|
981330 |
+ LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
|
|
|
981330 |
+ if (entryUSNAttr == null) {
|
|
|
981330 |
+ CMS.debug("readAuthority: no entryUSN");
|
|
|
981330 |
+ if (!entryUSNPluginEnabled()) {
|
|
|
981330 |
+ CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
|
|
|
981330 |
+ log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
|
|
|
981330 |
+ + " entryUSN attribute and USN plugin not enabled;"
|
|
|
981330 |
+ + " skipping. Enable dirsrv USN plugin.");
|
|
|
981330 |
+ return;
|
|
|
981330 |
+ } else {
|
|
|
981330 |
+ CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
|
|
|
981330 |
+ // entryUSN plugin is enabled, but no entryUSN attribute. We
|
|
|
981330 |
+ // can proceed because future modifications will result in the
|
|
|
981330 |
+ // entryUSN attribute being added.
|
|
|
981330 |
+ }
|
|
|
981330 |
+ } else {
|
|
|
981330 |
+ newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
|
|
|
981330 |
+ CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
- Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
|
|
|
981330 |
- CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
|
|
|
981330 |
Integer knownEntryUSN = entryUSNs.get(aid);
|
|
|
981330 |
- if (knownEntryUSN != null) {
|
|
|
981330 |
+ if (newEntryUSN != null && knownEntryUSN != null) {
|
|
|
981330 |
CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
|
|
|
981330 |
if (newEntryUSN <= knownEntryUSN) {
|
|
|
981330 |
CMS.debug("readAuthority: data is current");
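Review bot: `new Integer(entryUSNAttr.getStringValueArray()[0])` throws `NumberFormatException` for a malformed value or for a USN that exceeds the `int` range, and that unchecked exception now escapes `readAuthority`; catch it and skip the entry, `} catch (NumberFormatException e) { CMS.debug("readAuthority: invalid entryUSN: " + e); return; }`, or use `Integer.valueOf`. With `newEntryUSN` left `null`, the freshness comparison is bypassed and the entry is reprocessed on every notification until a write adds the attribute — the comment says this is acceptable, but a debug line noting "treating entry as changed" would make the repeated processing easier to recognise in logs. `readAuthority` continues beyond the hunk.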
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
981330 |
From 8e0235adccb11868f0036d48d2b52230c82b3e6b Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
981330 |
Date: Wed, 24 Aug 2016 14:10:55 +1000
|
|
|
981330 |
Subject: [PATCH 8/9] Perform host authority check before entryUSN check
|
|
|
981330 |
|
|
|
981330 |
When processing lightweight CAs, currently we perform the entryUSN
|
|
|
981330 |
check before the host authority check. If the entry does not have
|
|
|
981330 |
an entryUSN attribute, and if the DS USN plugin is not enabled, the
|
|
|
981330 |
entry gets skipped and we do not reach the host authority check.
|
|
|
981330 |
This causes the CA to believe that it has not seen the host
|
|
|
981330 |
authority entry, and results in additional entries being added.
|
|
|
981330 |
|
|
|
981330 |
Move the host authority check before the entryUSN check to avoid
|
|
|
981330 |
this scenario.
|
|
|
981330 |
|
|
|
981330 |
Fixes: https://fedorahosted.org/pki/ticket/2444
|
|
|
981330 |
(cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611)
|
|
|
981330 |
(cherry picked from commit 3a97c5fc0df7015a7e19236778089c67441a1499)
|
|
|
981330 |
---
|
|
|
981330 |
.../src/com/netscape/ca/CertificateAuthority.java | 41 +++++++++++-----------
|
|
|
981330 |
1 file changed, 21 insertions(+), 20 deletions(-)
|
|
|
981330 |
|
|
|
981330 |
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
index aab9651..1f77fd8 100644
|
|
|
981330 |
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
|
|
981330 |
@@ -3239,6 +3239,27 @@ public class CertificateAuthority
|
|
|
981330 |
AuthorityID aid = new AuthorityID((String)
|
|
|
981330 |
aidAttr.getStringValues().nextElement());
|
|
|
981330 |
|
|
|
981330 |
+ X500Name dn = null;
|
|
|
981330 |
+ try {
|
|
|
981330 |
+ dn = new X500Name((String) dnAttr.getStringValues().nextElement());
|
|
|
981330 |
+ } catch (IOException e) {
|
|
|
981330 |
+ CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
+ String desc = null;
|
|
|
981330 |
+ LDAPAttribute descAttr = entry.getAttribute("description");
|
|
|
981330 |
+ if (descAttr != null)
|
|
|
981330 |
+ desc = (String) descAttr.getStringValues().nextElement();
|
|
|
981330 |
+
|
|
|
981330 |
+ if (dn.equals(mName)) {
|
|
|
981330 |
+ CMS.debug("Found host authority");
|
|
|
981330 |
+ foundHostAuthority = true;
|
|
|
981330 |
+ this.authorityID = aid;
|
|
|
981330 |
+ this.authorityDescription = desc;
|
|
|
981330 |
+ caMap.put(aid, this);
|
|
|
981330 |
+ return;
|
|
|
981330 |
+ }
|
|
|
981330 |
+
|
|
|
981330 |
Integer newEntryUSN = null;
|
|
|
981330 |
LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
|
|
|
981330 |
if (entryUSNAttr == null) {
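Review bot: If `new X500Name(...)` throws `IOException`, the catch only logs and `dn` stays `null`, so `dn.equals(mName)` a few lines later throws `NullPointerException` out of `readAuthority` for every pass over that entry; the code was moved rather than written here, but it now runs before any of the entryUSN bookkeeping. Return from the catch, since the entry cannot be used anyway: `CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); return;`. The rest of the method is outside the hunk.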
|
|
|
981330 |
@@ -3269,26 +3290,6 @@ public class CertificateAuthority
|
|
|
981330 |
}
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
- X500Name dn = null;
|
|
|
981330 |
- try {
|
|
|
981330 |
- dn = new X500Name((String) dnAttr.getStringValues().nextElement());
|
|
|
981330 |
- } catch (IOException e) {
|
|
|
981330 |
- CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
|
|
|
981330 |
- }
|
|
|
981330 |
-
|
|
|
981330 |
- String desc = null;
|
|
|
981330 |
- LDAPAttribute descAttr = entry.getAttribute("description");
|
|
|
981330 |
- if (descAttr != null)
|
|
|
981330 |
- desc = (String) descAttr.getStringValues().nextElement();
|
|
|
981330 |
-
|
|
|
981330 |
- if (dn.equals(mName)) {
|
|
|
981330 |
- foundHostAuthority = true;
|
|
|
981330 |
- this.authorityID = aid;
|
|
|
981330 |
- this.authorityDescription = desc;
|
|
|
981330 |
- caMap.put(aid, this);
|
|
|
981330 |
- return;
|
|
|
981330 |
- }
|
|
|
981330 |
-
|
|
|
981330 |
@SuppressWarnings("unused")
|
|
|
981330 |
X500Name parentDN = null;
|
|
|
981330 |
if (parentDNAttr != null) {
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
981330 |
From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
981330 |
Date: Wed, 7 Sep 2016 00:35:40 +0200
|
|
|
981330 |
Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script.
|
|
|
981330 |
|
|
|
981330 |
The FixSELinuxContexts upgrade script has been removed temporarily
|
|
|
981330 |
due to a problem importing selinux library during RPM upgrade.
|
|
|
981330 |
|
|
|
981330 |
The FixDeploymentDescriptor script number has been changed
|
|
|
981330 |
accordingly.
|
|
|
981330 |
|
|
|
981330 |
https://fedorahosted.org/pki/ticket/2452
|
|
|
981330 |
(cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d)
|
|
|
981330 |
(cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e)
|
|
|
981330 |
---
|
|
|
981330 |
.../upgrade/10.3.5/02-FixDeploymentDescriptor | 110 +++++++++++++++++++++
|
|
|
981330 |
base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 -------
|
|
|
981330 |
.../upgrade/10.3.5/03-FixDeploymentDescriptor | 110 ---------------------
|
|
|
981330 |
3 files changed, 110 insertions(+), 146 deletions(-)
|
|
|
981330 |
create mode 100644 base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
|
|
|
981330 |
delete mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
|
|
|
981330 |
delete mode 100644 base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
|
|
|
981330 |
|
|
|
981330 |
diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
|
|
|
981330 |
new file mode 100644
|
|
|
981330 |
index 0000000..27c8959
|
|
|
981330 |
--- /dev/null
|
|
|
981330 |
+++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
|
|
|
981330 |
@@ -0,0 +1,110 @@
|
|
|
981330 |
+#!/usr/bin/python
|
|
|
981330 |
+# Authors:
|
|
|
981330 |
+# Endi S. Dewata <edewata@redhat.com>
|
|
|
981330 |
+#
|
|
|
981330 |
+# This program is free software; you can redistribute it and/or modify
|
|
|
981330 |
+# it under the terms of the GNU General Public License as published by
|
|
|
981330 |
+# the Free Software Foundation; version 2 of the License.
|
|
|
981330 |
+#
|
|
|
981330 |
+# This program is distributed in the hope that it will be useful,
|
|
|
981330 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
981330 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
981330 |
+# GNU General Public License for more details.
|
|
|
981330 |
+#
|
|
|
981330 |
+# You should have received a copy of the GNU General Public License along
|
|
|
981330 |
+# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
981330 |
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
981330 |
+#
|
|
|
981330 |
+# Copyright (C) 2016 Red Hat, Inc.
|
|
|
981330 |
+# All rights reserved.
|
|
|
981330 |
+
|
|
|
981330 |
+from __future__ import absolute_import
|
|
|
981330 |
+from lxml import etree
|
|
|
981330 |
+import os
|
|
|
981330 |
+import shutil
|
|
|
981330 |
+
|
|
|
981330 |
+import pki.server.upgrade
|
|
|
981330 |
+
|
|
|
981330 |
+
|
|
|
981330 |
+class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
981330 |
+
|
|
|
981330 |
+ def __init__(self):
|
|
|
981330 |
+ super(FixDeploymentDescriptor, self).__init__()
|
|
|
981330 |
+ self.message = 'Fix deployment descriptor'
|
|
|
981330 |
+ self.parser = etree.XMLParser(remove_blank_text=True)
|
|
|
981330 |
+
|
|
|
981330 |
+ def upgrade_instance(self, instance):
|
|
|
981330 |
+
|
|
|
981330 |
+ self.fix_webapp(instance, 'ROOT.xml')
|
|
|
981330 |
+ self.fix_webapp(instance, 'pki#admin.xml')
|
|
|
981330 |
+ self.fix_webapp(instance, 'pki#js.xml')
|
|
|
981330 |
+
|
|
|
981330 |
+ self.fix_theme(instance, 'pki.xml')
|
|
|
981330 |
+
|
|
|
981330 |
+ def fix_webapp(self, instance, context_xml):
|
|
|
981330 |
+
|
|
|
981330 |
+ source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
|
|
|
981330 |
+ target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
|
|
|
981330 |
+
|
|
|
981330 |
+ # if deployment descriptor doesn't exist, install the default
|
|
|
981330 |
+ if not os.path.exists(target_xml):
|
|
|
981330 |
+ self.copy_file(instance, source_xml, target_xml)
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # get docBase from deployment descriptor
|
|
|
981330 |
+ document = etree.parse(target_xml, self.parser)
|
|
|
981330 |
+ context = document.getroot()
|
|
|
981330 |
+ docBase = context.get('docBase')
|
|
|
981330 |
+
|
|
|
981330 |
+ # if docBase is absolute and pointing to non-empty folder, ignore
|
|
|
981330 |
+ if docBase.startswith('/') and \
|
|
|
981330 |
+ os.path.exists(docBase) and \
|
|
|
981330 |
+ os.listdir(docBase):
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # if docBase is relative and pointing to non-empty folder, ignore
|
|
|
981330 |
+ if not docBase.startswith('/') and \
|
|
|
981330 |
+ os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
|
|
|
981330 |
+ os.listdir(instance.base_dir + '/webapps/' + docBase):
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # docBase is pointing to non-existent/empty folder, replace with default
|
|
|
981330 |
+ self.copy_file(instance, source_xml, target_xml)
|
|
|
981330 |
+
|
|
|
981330 |
+ def fix_theme(self, instance, context_xml):
|
|
|
981330 |
+
|
|
|
981330 |
+ source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
|
|
|
981330 |
+ target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
|
|
|
981330 |
+
|
|
|
981330 |
+ # if deployment descriptor doesn't exist, ignore (no theme)
|
|
|
981330 |
+ if not os.path.exists(target_xml):
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # get docBase from deployment descriptor
|
|
|
981330 |
+ document = etree.parse(target_xml, self.parser)
|
|
|
981330 |
+ context = document.getroot()
|
|
|
981330 |
+ docBase = context.get('docBase')
|
|
|
981330 |
+
|
|
|
981330 |
+ # if docBase is absolute and pointing to non-empty folder, ignore
|
|
|
981330 |
+ if docBase.startswith('/') and \
|
|
|
981330 |
+ os.path.exists(docBase) and \
|
|
|
981330 |
+ os.listdir(docBase):
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # if docBase is relative and pointing to non-empty folder, ignore
|
|
|
981330 |
+ if not docBase.startswith('/') and \
|
|
|
981330 |
+ os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
|
|
|
981330 |
+ os.listdir(instance.base_dir + '/webapps/' + docBase):
|
|
|
981330 |
+ return
|
|
|
981330 |
+
|
|
|
981330 |
+ # docBase is pointing to non-existent/empty folder
|
|
|
981330 |
+
|
|
|
981330 |
+ # if theme package is installed, replace deployment descriptor
|
|
|
981330 |
+ if os.path.exists(pki.SHARE_DIR + '/common-ui'):
|
|
|
981330 |
+ self.copy_file(instance, source_xml, target_xml)
|
|
|
981330 |
+
|
|
|
981330 |
+ def copy_file(self, instance, source, target):
|
|
|
981330 |
+
|
|
|
981330 |
+ self.backup(target)
|
|
|
981330 |
+ shutil.copyfile(source, target)
|
|
|
981330 |
+ os.chown(target, instance.uid, instance.gid)
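Review bot: `context.get('docBase')` returns `None` when the `<Context>` element carries no `docBase` attribute, and the following `docBase.startswith('/')` then raises `AttributeError` and aborts the upgrade; both `fix_webapp` and `fix_theme` have this gap and duplicate the same absolute/relative check, so extract a helper as below and decide explicitly what a missing `docBase` means (returning `False` installs the default descriptor; if a descriptor without `docBase` is a legitimate configuration, return early instead). The parser is built with lxml's default entity resolution; since this runs with upgrade privileges on a file from the instance's conf directory, `etree.XMLParser(remove_blank_text=True, resolve_entities=False)` is a cheap way to rule out external-entity expansion. Whether the conf files are writable by the instance user is not visible here, so treat that as a hardening measure rather than a confirmed issue.
```python
    def _docbase_populated(self, instance, docBase):
        # True when docBase names an existing, non-empty directory, either
        # absolute or relative to the instance's webapps directory.
        if not docBase:
            return False
        if docBase.startswith('/'):
            path = docBase
        else:
            path = instance.base_dir + '/webapps/' + docBase
        return os.path.exists(path) and bool(os.listdir(path))

    # … unchanged: fix_webapp / fix_theme, each replacing its two checks with
    #   if self._docbase_populated(instance, docBase): return …
```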
|
|
|
981330 |
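diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
deleted file mode 100644
index f3d981e..0000000
--- a/base/server/upgrade/10.3.5/02-FixSELinuxContexts
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2016 Red Hat, Inc.
-# All rights reserved.
-
-from __future__ import absolute_import
-import selinux
-import pki.server.upgrade
-
-
-class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
-
- def __init__(self):
- super(FixSELinuxContexts, self).__init__()
- self.message = 'Fix SELinux contexts'
-
- def upgrade_instance(self, instance):
-
- selinux.restorecon(instance.base_dir, True)
- selinux.restorecon(instance.conf_dir, True)
- selinux.restorecon(instance.log_dir, True)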
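diff --git a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
deleted file mode 100644
index 27c8959..0000000
--- a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2016 Red Hat, Inc.
-# All rights reserved.
-
-from __future__ import absolute_import
-from lxml import etree
-import os
-import shutil
-
-import pki.server.upgrade
-
-
-class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
-
- def __init__(self):
- super(FixDeploymentDescriptor, self).__init__()
- self.message = 'Fix deployment descriptor'
- self.parser = etree.XMLParser(remove_blank_text=True)
-
- def upgrade_instance(self, instance):
-
- self.fix_webapp(instance, 'ROOT.xml')
- self.fix_webapp(instance, 'pki#admin.xml')
- self.fix_webapp(instance, 'pki#js.xml')
-
- self.fix_theme(instance, 'pki.xml')
-
- def fix_webapp(self, instance, context_xml):
-
- source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
- target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-
- # if deployment descriptor doesn't exist, install the default
- if not os.path.exists(target_xml):
- self.copy_file(instance, source_xml, target_xml)
- return
-
- # get docBase from deployment descriptor
- document = etree.parse(target_xml, self.parser)
- context = document.getroot()
- docBase = context.get('docBase')
-
- # if docBase is absolute and pointing to non-empty folder, ignore
- if docBase.startswith('/') and \
- os.path.exists(docBase) and \
- os.listdir(docBase):
- return
-
- # if docBase is relative and pointing to non-empty folder, ignore
- if not docBase.startswith('/') and \
- os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
- os.listdir(instance.base_dir + '/webapps/' + docBase):
- return
-
- # docBase is pointing to non-existent/empty folder, replace with default
- self.copy_file(instance, source_xml, target_xml)
-
- def fix_theme(self, instance, context_xml):
-
- source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
- target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-
- # if deployment descriptor doesn't exist, ignore (no theme)
- if not os.path.exists(target_xml):
- return
-
- # get docBase from deployment descriptor
- document = etree.parse(target_xml, self.parser)
- context = document.getroot()
- docBase = context.get('docBase')
-
- # if docBase is absolute and pointing to non-empty folder, ignore
- if docBase.startswith('/') and \
- os.path.exists(docBase) and \
- os.listdir(docBase):
- return
-
- # if docBase is relative and pointing to non-empty folder, ignore
- if not docBase.startswith('/') and \
- os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
- os.listdir(instance.base_dir + '/webapps/' + docBase):
- return
-
- # docBase is pointing to non-existent/empty folder
-
- # if theme package is installed, replace deployment descriptor
- if os.path.exists(pki.SHARE_DIR + '/common-ui'):
- self.copy_file(instance, source_xml, target_xml)
-
- def copy_file(self, instance, source, target):
-
- self.backup(target)
- shutil.copyfile(source, target)
- os.chown(target, instance.uid, instance.gid)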
--
1.8.3.1