From b2b617c1372559d03de582c66687df248e77fa7b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 8 Sep 2016 20:06:19 +0200
Subject: [PATCH] Removed support for creating system certificates in different
tokens.
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)
(cherry picked from commit 744c506e41f33c7532c0ce8ab08f12bc75d79506)
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 18 ++++-------
.../dogtagpki/server/rest/SystemConfigService.java | 9 ++++--
.../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +--
.../server/deployment/scriptlets/configuration.py | 37 +++-------------------
4 files changed, 19 insertions(+), 49 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 3e638ad..34500d0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
}
config.putString(subsystem + "." + certTag + ".nickname", nickname);
-
+ config.putString(subsystem + "." + certTag + ".tokenname", token);
if (certTag.equals("audit_signing")) {
if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
config.putString("log.instance.SignedAudit.signedAuditCertNickname",
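Review bot: The new `.tokenname` entry is written unconditionally from `token`, so it can hold "" or "Internal Key Storage Token" verbatim, while the check two lines below and getSubsystemCert later in this patch treat both of those values as the internal token. Because CMSEngine in this patch now reads `<id>.sslserver.tokenname` without a default, it is worth stating here that the key is always present even when empty: `// always written (may be empty): CMSEngine reads <id>.sslserver.tokenname without a default`. The enclosing method starts and ends outside the hunk.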
@@ -3325,15 +3325,14 @@ public class ConfigurationUtils {
return 0;
}
- public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
+ public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
ObjectNotFoundException, TokenException {
-
- String tag = cert.getCertTag();
if (tag.equals("signing") || tag.equals("external_signing"))
return;
- String nickname = cert.getNickname();
- String tokenname = cert.getTokenname();
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
+ String tokenname = cs.getString("preop.module.token", "");
if (!tokenname.equals("Internal Key Storage Token"))
nickname = tokenname + ":" + nickname;
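Review bot: With `cs.getString("preop.module.token", "")` defaulting to "", the comparison on the last two lines only recognizes `Internal Key Storage Token`, so an unset token produces the nickname `":" + nickname`, whereas getSubsystemCert in the next hunk treats "", "internal" and "Internal Key Storage Token" alike. Align the guard: `if (!tokenname.equals("") && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))`. The method also has no Javadoc; a line such as `/** Sets permissions on the system cert for {@code tag}; the token is the instance-wide preop.module.token, not a per-cert token. */` would record the single-token behavior this patch restores. The method body continues past the hunk.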
@@ -4555,11 +4554,9 @@ public class ConfigurationUtils {
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
TokenException, CertificateEncodingException, IOException {
-
IConfigStore cs = CMS.getConfigStore();
- String subsystem = cs.getString("cs.type").toLowerCase();
- String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
- String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
+ String nickname = cs.getString("preop.cert.subsystem.nickname", "");
+ String tokenname = cs.getString("preop.module.token", "");
if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
&& !tokenname.equals("")) {
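Review bot: Both lookups now default to "", so when `preop.cert.subsystem.nickname` is absent the method proceeds with an empty nickname and, per the following hunk, logs "subsystem cert is null" and returns null instead of reporting the missing configuration. If the `preop.*` keys are only populated during initial configuration (the reverted code read `<subsystem>.subsystem.*` instead), any caller after configuration would hit that silent null path — worth confirming. Either fail explicitly when `nickname.isEmpty()` (the method already declares EBaseException) or document the precondition in the Javadoc: `@return base64 subsystem cert, or null if preop.cert.subsystem.nickname is unset or the cert is not found`. The method continues in the next hunk.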
@@ -4574,7 +4571,6 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
return null;
}
-
byte[] bytes = cert.getEncoded();
String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
return s;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 5cc6f63..9d7c176 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
try {
CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
ret = ConfigurationUtils.handleCerts(cert);
- ConfigurationUtils.setCertPermissions(cert);
+ ConfigurationUtils.setCertPermissions(cert.getCertTag());
CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
} catch (Exception e) {
CMS.debug(e);
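Review bot: `setCertPermissions(cert.getCertTag())` now resolves the nickname and token from the config store rather than from the `cert` that `handleCerts` just processed, and the surrounding `catch (Exception e) { CMS.debug(e)` only logs, so a mismatch between what handleCerts stored and what `preop.cert.<tag>.nickname` holds would be reduced to a debug line unless the catch rethrows below the hunk. Consider surfacing a failure of this step to the installer, and add a comment such as `// permissions are derived from preop.cert.<tag>.nickname, not from cert` so the dependency is explicit. The enclosing method runs beyond the hunk.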
@@ -386,6 +386,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
processCert(
request,
+ token,
certList,
certs,
hasSigningCert,
@@ -414,6 +415,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
public void processCert(
ConfigurationRequest request,
+ String token,
Collection<String> certList,
Collection<Cert> certs,
MutableBoolean hasSigningCert,
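Review bot: The new `String token` parameter is undocumented, and within this patch it becomes the token on which every key pair is generated (the createECCKeyPair/createRSAKeyPair calls in a later hunk), while the per-cert `tokenName` is no longer used for that. A Javadoc line `@param token the single token on which all system cert key pairs are generated; per-cert tokens are not supported` on processCert would make the constraint this patch reintroduces explicit. The parameter list and body continue past the hunk.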
@@ -458,13 +460,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
String curvename = certData.getKeyCurveName() != null ?
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
+ ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
} else {
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
.getString("keys.rsa.keysize.default");
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
+ ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
}
} else {
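Review bot: The key pair is now generated on `token` in both the ECC and RSA branches, but the per-cert `tokenname` that the `@@ -598` hunk writes to `<subsystem>.<tag>.tokenname` comes from `cdata.getToken()`, and ConfigurationUtils in this patch writes the same key from its own `token` argument; if a request still carries a per-cert token different from `token`, CS.cfg records a token where the key was never created. Either store the same `token` value there, or reject or override a per-cert token that differs from `token` before it is persisted. The `tokenName` local defined outside this hunk may also be unused now; check whether it can be dropped. The method continues beyond the hunk.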
@@ -598,6 +600,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
+ cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index a334824..c62087e 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
// get SSL server nickname
IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
if (serverCertStore != null && serverCertStore.size() > 0) {
- String nickName = serverCertStore.getString("nickname", null);
- String tokenName = serverCertStore.getString("tokenname", null);
+ String nickName = serverCertStore.getString("nickname");
+ String tokenName = serverCertStore.getString("tokenname");
if (tokenName != null && tokenName.length() > 0 &&
nickName != null && nickName.length() > 0) {
CMS.setServerCertNickname(tokenName, nickName);
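Review bot: Dropping the `null` default from both `getString` calls changes what happens when `<id>.sslserver.tokenname` is absent: if the single-argument form throws on a missing property (the two-argument form was presumably used to get null there), the null checks on the next two lines are now dead and an instance without that key fails here instead of skipping the nickname setup. The Python scriptlet in this patch no longer writes `sslserver.tokenname` (store_cert_tokens is removed), so confirm that the server-side write in ConfigurationUtils always runs before this code; otherwise keep the defaulted reads, `String tokenName = serverCertStore.getString("tokenname", null);`, or guard with a presence check. The enclosing method extends beyond the hunk.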
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 97f6d3e..64ee4e5 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,31 +39,6 @@ import pki.util
# PKI Deployment Configuration Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- def store_cert_tokens(self, subsystem, deployer):
-
- subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
- deployer.mdict['pki_audit_signing_token'])
- subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
- deployer.mdict['pki_ssl_server_token'])
- subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
- deployer.mdict['pki_subsystem_token'])
-
- if subsystem.name == 'ca':
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
- subsystem.config['ca.ocsp_signing.tokenname'] = (
- deployer.mdict['pki_ocsp_signing_token'])
-
- elif subsystem.name == 'kra':
- subsystem.config['kra.storage.tokenname'] = (
- deployer.mdict['pki_storage_token'])
- subsystem.config['kra.transport.tokenname'] = (
- deployer.mdict['pki_transport_token'])
-
- elif subsystem.name == 'ocsp':
- subsystem.config['ocsp.signing.tokenname'] = (
- deployer.mdict['pki_ocsp_signing_token'])
-
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_configuration']):
@@ -290,14 +265,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
nickname=signing_nickname,
output_format='base64')
subsystem.config['ca.signing.nickname'] = signing_nickname
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
subsystem.config['ca.signing.cert'] = signing_cert_data
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
deployer.mdict['pki_ca_signing_signing_algorithm'])
- # Store cert tokens in CS.cfg.
- self.store_cert_tokens(subsystem, deployer)
-
subsystem.save()
# verify the signing certificate
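Review bot: After removing `store_cert_tokens`, this path persists only `ca.signing.tokenname`; the `audit_signing`, `sslserver`, `subsystem` and KRA/OCSP `storage`/`transport`/`signing` tokenname keys the removed helper wrote are no longer set by the scriptlet. CMSEngine in this patch reads `<id>.sslserver.tokenname` without a default, so that key now has to come from the server-side configuration, which is outside this file. A comment such as `# Only the CA signing token is recorded here; the other <cert>.tokenname entries are written by the server during configuration` would point the next reader at where they come from — confirm that writer before relying on it. The enclosing spawn method continues outside the hunk.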
@@ -308,7 +282,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance, 'ca')
verifier.verify_certificate('signing')
- else: # other installation types
+ else: # self-signed CA
# To be implemented in ticket #1692.
@@ -316,10 +290,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Self sign CA cert.
# Import self-signed CA cert into NSS database.
- # Store cert tokens in CS.cfg.
- self.store_cert_tokens(subsystem, deployer)
-
- subsystem.save()
+ pass
finally:
nssdb.close()
--
1.8.3.1