From b2b617c1372559d03de582c66687df248e77fa7b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 8 Sep 2016 20:06:19 +0200
Subject: [PATCH] Removed support for creating system certificates in different
tokens.
|
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
|
https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)
(cherry picked from commit 744c506e41f33c7532c0ce8ab08f12bc75d79506)
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 18 ++++-------
.../dogtagpki/server/rest/SystemConfigService.java | 9 ++++--
.../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +--
.../server/deployment/scriptlets/configuration.py | 37 +++-------------------
4 files changed, 19 insertions(+), 49 deletions(-)
|
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
index 3e638ad..34500d0 100644
|
|
|
981330 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
981330 |
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
config.putString(subsystem + "." + certTag + ".nickname", nickname);
|
|
|
981330 |
-
|
|
|
981330 |
+ config.putString(subsystem + "." + certTag + ".tokenname", token);
|
|
|
981330 |
if (certTag.equals("audit_signing")) {
|
|
|
981330 |
if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
|
|
|
981330 |
config.putString("log.instance.SignedAudit.signedAuditCertNickname",
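Review bot: The added line persists `token` verbatim under `<subsystem>.<certTag>.tokenname`, yet the audit_signing branch directly below treats only "Internal Key Storage Token" and "" as the internal token, while getSubsystemCert later in this same patch also accepts "internal"; a token value of "internal" would therefore be stored and, for audit_signing, prefixed onto the nickname as though it were an external token. Normalising the spelling once before both uses would avoid the drift, e.g. `boolean internal = token.isEmpty() || token.equals("internal") || token.equals("Internal Key Storage Token");` and branching on that. The enclosing method starts and ends outside this hunk.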
|
|
|
981330 |
@@ -3325,15 +3325,14 @@ public class ConfigurationUtils {
|
|
|
981330 |
return 0;
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
- public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
|
|
|
981330 |
+ public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
|
|
|
981330 |
ObjectNotFoundException, TokenException {
|
|
|
981330 |
-
|
|
|
981330 |
- String tag = cert.getCertTag();
|
|
|
981330 |
if (tag.equals("signing") || tag.equals("external_signing"))
|
|
|
981330 |
return;
|
|
|
981330 |
|
|
|
981330 |
- String nickname = cert.getNickname();
|
|
|
981330 |
- String tokenname = cert.getTokenname();
|
|
|
981330 |
+ IConfigStore cs = CMS.getConfigStore();
|
|
|
981330 |
+ String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
|
|
|
981330 |
+ String tokenname = cs.getString("preop.module.token", "");
|
|
|
981330 |
if (!tokenname.equals("Internal Key Storage Token"))
|
|
|
981330 |
nickname = tokenname + ":" + nickname;
|
|
|
981330 |
|
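Review bot: The new lookup `cs.getString("preop.module.token", "")` defaults to the empty string, which does not equal "Internal Key Storage Token", so when the key is unset the next line builds the nickname as `":" + nickname` and the permission change targets a certificate that does not exist; getSubsystemCert in this same patch guards against "", "internal" and the full name, but this method does not. Align the guard with that one: `if (!tokenname.isEmpty() && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))`. Whether the preop key can actually be absent at the point setCertPermissions is called is not visible here, so treat this as defensive. setCertPermissions continues past the end of this hunk.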
|
|
981330 |
@@ -4555,11 +4554,9 @@ public class ConfigurationUtils {
|
|
|
981330 |
|
|
|
981330 |
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
|
|
|
981330 |
TokenException, CertificateEncodingException, IOException {
|
|
|
981330 |
-
|
|
|
981330 |
IConfigStore cs = CMS.getConfigStore();
|
|
|
981330 |
- String subsystem = cs.getString("cs.type").toLowerCase();
|
|
|
981330 |
- String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
|
|
|
981330 |
- String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
|
|
|
981330 |
+ String nickname = cs.getString("preop.cert.subsystem.nickname", "");
|
|
|
981330 |
+ String tokenname = cs.getString("preop.module.token", "");
|
|
|
981330 |
|
|
|
981330 |
if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
|
|
|
981330 |
&& !tokenname.equals("")) {
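Review bot: The three-way internal-token test on the last two lines of this hunk is spelled out inline, with a different set of accepted values than setCertPermissions in the same file (which compares only against the full "Internal Key Storage Token" name); a single `private static boolean isInternalToken(String tokenname)` called from both places would keep the two paths from disagreeing about which nicknames need a token prefix. The method also now reads `preop.cert.subsystem.nickname` instead of `<subsystem>.subsystem.nickname`, so it presumably only works while the preop keys are still present — worth a comment such as `// relies on the preop.* keys written during installation; confirm they are not cleaned up before this is called`. getSubsystemCert continues past the end of this hunk.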
|
|
|
981330 |
@@ -4574,7 +4571,6 @@ public class ConfigurationUtils {
|
|
|
981330 |
CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
|
|
|
981330 |
return null;
|
|
|
981330 |
}
|
|
|
981330 |
-
|
|
|
981330 |
byte[] bytes = cert.getEncoded();
|
|
|
981330 |
String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
|
|
|
981330 |
return s;
|
|
|
981330 |
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
index 5cc6f63..9d7c176 100644
|
|
|
981330 |
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
|
|
|
981330 |
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
try {
|
|
|
981330 |
CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
|
|
|
981330 |
ret = ConfigurationUtils.handleCerts(cert);
|
|
|
981330 |
- ConfigurationUtils.setCertPermissions(cert);
|
|
|
981330 |
+ ConfigurationUtils.setCertPermissions(cert.getCertTag());
|
|
|
981330 |
CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
|
|
|
981330 |
} catch (Exception e) {
|
|
|
981330 |
CMS.debug(e);
|
|
|
981330 |
@@ -386,6 +386,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
|
|
|
981330 |
processCert(
|
|
|
981330 |
request,
|
|
|
981330 |
+ token,
|
|
|
981330 |
certList,
|
|
|
981330 |
certs,
|
|
|
981330 |
hasSigningCert,
|
|
|
981330 |
@@ -414,6 +415,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
|
|
|
981330 |
public void processCert(
|
|
|
981330 |
ConfigurationRequest request,
|
|
|
981330 |
+ String token,
|
|
|
981330 |
Collection<String> certList,
|
|
|
981330 |
Collection<Cert> certs,
|
|
|
981330 |
MutableBoolean hasSigningCert,
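Review bot: processCert gains a `token` parameter with no documentation of what it carries or how it relates to the per-certificate token inside `certData`; the later hunk in this file passes it to createECCKeyPair and createRSAKeyPair, so it appears to be the one token every system key pair is generated on. A Javadoc tag on the method would make that contract explicit, e.g. `@param token NSS token on which the system key pairs are generated — confirm whether it overrides a per-cert token in the request`. The signature and body of processCert continue past the end of this hunk.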
|
|
|
981330 |
@@ -458,13 +460,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
String curvename = certData.getKeyCurveName() != null ?
|
|
|
981330 |
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
|
|
|
981330 |
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
|
|
|
981330 |
- ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
|
|
|
981330 |
+ ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
|
|
|
981330 |
|
|
|
981330 |
} else {
|
|
|
981330 |
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
|
|
|
981330 |
.getString("keys.rsa.keysize.default");
|
|
|
981330 |
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
|
|
|
981330 |
- ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
|
|
|
981330 |
+ ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
} else {
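Review bot: `Integer.parseInt(keysize)` on the changed RSA line throws an unhandled NumberFormatException when `certData.getKeySize()` is non-numeric, and the value comes straight from the configuration request with no validation visible in the hunk; the ECC branch passes `curvename` through unchecked in the same way. Parse once and fail with a message that names the offending certificate: `int keyBits;` / `try { keyBits = Integer.parseInt(keysize); }` / `catch (NumberFormatException e) { throw new IllegalArgumentException("Invalid key size for " + tag + ": " + keysize, e); }`, then pass `keyBits` to createRSAKeyPair. processCert starts and ends outside this hunk.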
|
|
|
981330 |
@@ -598,6 +600,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
|
|
|
981330 |
}
|
|
|
981330 |
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
|
|
|
981330 |
+ cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
|
|
|
981330 |
cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
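Review bot: The new line writes `<subsystem>.<tag>.tokenname` from `cdata.getToken()`, while handleCerts in ConfigurationUtils (first hunk of this patch) writes the same key from its own `token` argument and the key pairs are generated on the `token` passed to processCert; if `cdata.getToken()` can differ from that value, or be null, CS.cfg ends up naming a token the key does not live on. Either derive this entry from the same variable, `cs.putString(csSubsystem + "." + tag + ".tokenname", token);` if it is in scope here, or reject a request whose per-cert token disagrees with the installation token. The enclosing method starts and ends outside this hunk.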
|
|
|
981330 |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
index a334824..c62087e 100644
|
|
|
981330 |
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
981330 |
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
|
|
|
981330 |
// get SSL server nickname
|
|
|
981330 |
IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
|
|
|
981330 |
if (serverCertStore != null && serverCertStore.size() > 0) {
|
|
|
981330 |
- String nickName = serverCertStore.getString("nickname", null);
|
|
|
981330 |
- String tokenName = serverCertStore.getString("tokenname", null);
|
|
|
981330 |
+ String nickName = serverCertStore.getString("nickname");
|
|
|
981330 |
+ String tokenName = serverCertStore.getString("tokenname");
|
|
|
981330 |
if (tokenName != null && tokenName.length() > 0 &&
|
|
|
981330 |
nickName != null && nickName.length() > 0) {
|
|
|
981330 |
CMS.setServerCertNickname(tokenName, nickName);
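Review bot: Dropping the `null` default from both getString calls changes the failure mode: if IConfigStore.getString(String) throws when the key is absent (the existence of the two-argument overload suggests it does), a sslserver sub-store that has a `nickname` but no `tokenname` now aborts here instead of falling through, and the `tokenName != null` test on the following line becomes unreachable for that case. Keep the defaulting form, `String tokenName = serverCertStore.getString("tokenname", null);` and likewise for `nickname`, or catch the not-found exception around the lookups. The enclosing method starts and ends outside this hunk.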
|
|
|
981330 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
index 97f6d3e..64ee4e5 100644
|
|
|
981330 |
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
|
|
|
981330 |
@@ -39,31 +39,6 @@ import pki.util
|
|
|
981330 |
# PKI Deployment Configuration Scriptlet
|
|
|
981330 |
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
|
|
|
981330 |
- def store_cert_tokens(self, subsystem, deployer):
|
|
|
981330 |
-
|
|
|
981330 |
- subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_audit_signing_token'])
|
|
|
981330 |
- subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_ssl_server_token'])
|
|
|
981330 |
- subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_subsystem_token'])
|
|
|
981330 |
-
|
|
|
981330 |
- if subsystem.name == 'ca':
|
|
|
981330 |
- subsystem.config['ca.signing.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_ca_signing_token'])
|
|
|
981330 |
- subsystem.config['ca.ocsp_signing.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_ocsp_signing_token'])
|
|
|
981330 |
-
|
|
|
981330 |
- elif subsystem.name == 'kra':
|
|
|
981330 |
- subsystem.config['kra.storage.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_storage_token'])
|
|
|
981330 |
- subsystem.config['kra.transport.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_transport_token'])
|
|
|
981330 |
-
|
|
|
981330 |
- elif subsystem.name == 'ocsp':
|
|
|
981330 |
- subsystem.config['ocsp.signing.tokenname'] = (
|
|
|
981330 |
- deployer.mdict['pki_ocsp_signing_token'])
|
|
|
981330 |
-
|
|
|
981330 |
def spawn(self, deployer):
|
|
|
981330 |
|
|
|
981330 |
if config.str2bool(deployer.mdict['pki_skip_configuration']):
|
|
|
981330 |
@@ -290,14 +265,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
nickname=signing_nickname,
|
|
|
981330 |
output_format='base64')
|
|
|
981330 |
subsystem.config['ca.signing.nickname'] = signing_nickname
|
|
|
981330 |
+ subsystem.config['ca.signing.tokenname'] = (
|
|
|
981330 |
+ deployer.mdict['pki_ca_signing_token'])
|
|
|
981330 |
subsystem.config['ca.signing.cert'] = signing_cert_data
|
|
|
981330 |
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
|
|
|
981330 |
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
|
|
|
981330 |
deployer.mdict['pki_ca_signing_signing_algorithm'])
|
|
|
981330 |
|
|
|
981330 |
- # Store cert tokens in CS.cfg.
|
|
|
981330 |
- self.store_cert_tokens(subsystem, deployer)
|
|
|
981330 |
-
|
|
|
981330 |
subsystem.save()
|
|
|
981330 |
|
|
|
981330 |
# verify the signing certificate
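Review bot: The removed `store_cert_tokens` call also populated `<subsystem>.sslserver.tokenname`, `.subsystem.tokenname`, `.audit_signing.tokenname` and `ca.ocsp_signing.tokenname`; this branch now writes only `ca.signing.tokenname`, and CMSEngine in this same patch reads `<id>.sslserver.tokenname` to select the server certificate. Unless those keys are written elsewhere for this installation path (SystemConfigService stores a tokenname for each cert it processes, but whether this branch reaches it is not visible here), the sslserver lookup in CMSEngine will find no tokenname. A comment on the new assignment naming where the remaining tokennames are expected to come from, e.g. `# Tokennames for the other system certs are stored by the server during configuration`, would at least record the assumption. The enclosing `spawn` method starts and ends outside this hunk.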
|
|
|
981330 |
@@ -308,7 +282,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
instance, 'ca')
|
|
|
981330 |
verifier.verify_certificate('signing')
|
|
|
981330 |
|
|
|
981330 |
- else: # other installation types
|
|
|
981330 |
+ else: # self-signed CA
|
|
|
981330 |
|
|
|
981330 |
# To be implemented in ticket #1692.
|
|
|
981330 |
|
|
|
981330 |
@@ -316,10 +290,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
981330 |
# Self sign CA cert.
|
|
|
981330 |
# Import self-signed CA cert into NSS database.
|
|
|
981330 |
|
|
|
981330 |
- # Store cert tokens in CS.cfg.
|
|
|
981330 |
- self.store_cert_tokens(subsystem, deployer)
|
|
|
981330 |
-
|
|
|
981330 |
- subsystem.save()
|
|
|
981330 |
+ pass
|
|
|
981330 |
|
|
|
981330 |
finally:
|
|
|
981330 |
nssdb.close()
--
1.8.3.1