From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 31 Aug 2016 16:15:19 +0200
Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.
To help with troubleshooting, the debug log in the UpdateNumberRange servlet
has been modified to show the exception stack trace.
https://fedorahosted.org/pki/ticket/2436
(cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9)
(cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)
---
.../cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
index b99a298..e068bd4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
@@ -247,7 +247,8 @@ public class UpdateNumberRange extends CMSServlet {
audit(auditMessage);
} catch (Exception e) {
- CMS.debug("UpdateNumberRange: Failed to update number range. Exception: " + e.toString());
+ CMS.debug("UpdateNumberRange: Failed to update number range: " + e);
+ CMS.debug(e);
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
--
1.8.3.1
From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique
per instance name (for shared HSM) When installing multiple instances on the
same host sharing the same HSM, if subject_dn's are not specifically spelled
out with unique names for each instance, installation will fail with
complaints that same subject name and serial number already exist. This
happens in the scenario if you are creating a subordinate CA, for example,
that's in the same domain name as the root CA. It is very inconvenient that
you are expected to spell out subject dn's of all system certs in the
pkispawn config file. This patch changes default.cfg so that the instance
name is in the default subject dn, e.g. adding it as an "ou" component:
ou=%(pki_instance_name)s
(cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce)
(cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674)
---
base/server/etc/default.cfg | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 51357e6..6e9b074 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -124,13 +124,13 @@ pki_ssl_server_key_algorithm=SHA256withRSA
pki_ssl_server_key_size=2048
pki_ssl_server_key_type=rsa
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
-pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ssl_server_token=
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
-pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_subsystem_token=
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
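Review bot: The new `ou=%(pki_instance_name)s` RDN interpolates the instance name verbatim into every default subject DN, so an instance name containing a DN-special character (`,`, `+`, `=`, `"` or `\`) would yield a malformed DN at install time; `o=%(pki_security_domain_name)s` already had that exposure, but this change extends it to a second parameter. Either document the constraint next to these defaults, e.g. `# pki_instance_name is interpolated into the subject DNs unescaped; avoid RFC 4514 special characters`, or escape the value where pkispawn validates the instance name, which is outside this file. The same applies to the remaining hunks of this file (the pki_ca_signing, pki_ocsp_signing, pki_admin, pki_audit_signing, pki_storage and pki_transport subject_dn defaults of each subsystem section).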
@@ -292,7 +292,7 @@ pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ca_signing_token=
pki_ca_signing_csr_path=
pki_ca_signing_cert_path=
@@ -316,7 +316,7 @@ pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ocsp_signing_token=
pki_profiles_in_ldap=False
pki_random_serial_numbers_enable=False
@@ -326,10 +326,10 @@ pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=caadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
-pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-CA
pki_ds_database=%(pki_instance_name)s-CA
pki_ds_hostname=%(pki_hostname)s
@@ -409,22 +409,22 @@ pki_storage_key_size=2048
pki_storage_key_type=rsa
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_storage_token=
pki_transport_key_algorithm=SHA256withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_transport_token=
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=kraadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
-pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-KRA
pki_ds_database=%(pki_instance_name)s-KRA
pki_ds_hostname=%(pki_hostname)s
@@ -478,15 +478,15 @@ pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ocsp_signing_token=
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=ocspadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
-pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
pki_ds_database=%(pki_instance_name)s-OCSP
pki_ds_hostname=%(pki_hostname)s
@@ -515,10 +515,10 @@ pki_import_admin_cert=True
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=tksadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
-pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-TKS
pki_ds_database=%(pki_instance_name)s-TKS
pki_ds_hostname=%(pki_hostname)s
@@ -537,10 +537,10 @@ pki_import_admin_cert=True
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=tpsadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
-pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-TPS
pki_ds_database=%(pki_instance_name)s-TPS
pki_ds_hostname=%(pki_hostname)s
--
1.8.3.1
From f142e739d0296e29914a39c1591a5f1681f0ac31 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: [PATCH 3/9] Added support to create system certificates in different
tokens.
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3)
(cherry picked from commit 261e550a25ced3c61fc0c3afeb910d17b7472a3c)
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++++----
.../dogtagpki/server/rest/SystemConfigService.java | 9 ++----
.../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +--
.../server/deployment/scriptlets/configuration.py | 37 +++++++++++++++++++---
4 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 34500d0..3e638ad 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
}
config.putString(subsystem + "." + certTag + ".nickname", nickname);
- config.putString(subsystem + "." + certTag + ".tokenname", token);
+
if (certTag.equals("audit_signing")) {
if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
config.putString("log.instance.SignedAudit.signedAuditCertNickname",
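Review bot: Dropping the `tokenname` write here (together with the matching `cs.putString(csSubsystem + "." + tag + ".tokenname", ...)` removal in SystemConfigService) leaves `<subsystem>.<certTag>.tokenname` with no writer on the Java side, so a reader of this method can no longer tell where the key that CMSEngine and getSubsystemCert depend on comes from. A one-line comment at the removed line would preserve that, e.g. `// <subsystem>.<certTag>.tokenname is written by pkispawn (configuration.py, store_cert_tokens) before the server starts.` The `token` variable on the following lines is still used to build the audit-signing nickname, so it is presumably the same value pkispawn stored, but that cannot be confirmed from this hunk. The enclosing method begins outside the hunk.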
@@ -3325,14 +3325,15 @@ public class ConfigurationUtils {
return 0;
}
- public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
+ public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
ObjectNotFoundException, TokenException {
+
+ String tag = cert.getCertTag();
if (tag.equals("signing") || tag.equals("external_signing"))
return;
- IConfigStore cs = CMS.getConfigStore();
- String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
- String tokenname = cs.getString("preop.module.token", "");
+ String nickname = cert.getNickname();
+ String tokenname = cert.getTokenname();
if (!tokenname.equals("Internal Key Storage Token"))
nickname = tokenname + ":" + nickname;
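Review bot: `cert.getTokenname()` is dereferenced by the `equals` check with no null or empty guard, whereas the replaced `cs.getString(..., "")` always produced a string; if the Cert object's token name is unset this now throws a NullPointerException, and an empty string produces the nickname `:<nickname>`. An empty value is plausible because default.cfg in this series ships `pki_subsystem_token=` blank and configuration.py stores the parameter verbatim. getSubsystemCert in the next hunk treats `""`, `internal` and `Internal Key Storage Token` alike as the internal token; apply the same rule here, e.g. `if (tokenname != null && !tokenname.isEmpty() && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))`, ideally through one shared `isInternalToken(String)` helper so the two checks cannot drift. The rest of setCertPermissions lies outside the hunk.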
@@ -4554,9 +4555,11 @@ public class ConfigurationUtils {
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
TokenException, CertificateEncodingException, IOException {
+
IConfigStore cs = CMS.getConfigStore();
- String nickname = cs.getString("preop.cert.subsystem.nickname", "");
- String tokenname = cs.getString("preop.module.token", "");
+ String subsystem = cs.getString("cs.type").toLowerCase();
+ String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
+ String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
&& !tokenname.equals("")) {
@@ -4571,6 +4574,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
return null;
}
+
byte[] bytes = cert.getEncoded();
String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
return s;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 9d7c176..5cc6f63 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
try {
CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
ret = ConfigurationUtils.handleCerts(cert);
- ConfigurationUtils.setCertPermissions(cert.getCertTag());
+ ConfigurationUtils.setCertPermissions(cert);
CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
} catch (Exception e) {
CMS.debug(e);
@@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
processCert(
request,
- token,
certList,
certs,
hasSigningCert,
@@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
public void processCert(
ConfigurationRequest request,
- String token,
Collection<String> certList,
Collection<Cert> certs,
MutableBoolean hasSigningCert,
@@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
String curvename = certData.getKeyCurveName() != null ?
certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+ ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
} else {
String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
.getString("keys.rsa.keysize.default");
cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+ ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
}
} else {
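Review bot: `tokenName` replaces the removed `token` parameter in both createECCKeyPair and createRSAKeyPair calls but is not declared within this hunk, so its origin and possible values cannot be checked here; presumably it is taken from the certificate data earlier in processCert. Since it now decides which token receives the generated key pair, a blank value (default.cfg in this series leaves the `pki_*_token` defaults empty) should be normalised to the internal token before these calls unless the helpers already do so. processCert starts and ends outside the hunk.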
@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
- cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index c62087e..a334824 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
// get SSL server nickname
IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
if (serverCertStore != null && serverCertStore.size() > 0) {
- String nickName = serverCertStore.getString("nickname");
- String tokenName = serverCertStore.getString("tokenname");
+ String nickName = serverCertStore.getString("nickname", null);
+ String tokenName = serverCertStore.getString("tokenname", null);
if (tokenName != null && tokenName.length() > 0 &&
nickName != null && nickName.length() > 0) {
CMS.setServerCertNickname(tokenName, nickName);
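Review bot: Defaulting both lookups to `null` means a missing or blank `nickname`/`tokenname` now silently skips `CMS.setServerCertNickname`, where the previous calls would have failed loudly; the tolerance looks intended, but the skipped case leaves no trace for troubleshooting a server that ends up without its SSL server certificate nickname. Add an else branch such as `} else { CMS.debug("CMSEngine: no sslserver nickname/tokenname for " + id + ", server cert nickname not set"); }`. The enclosing method continues outside the hunk.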
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 64ee4e5..97f6d3e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -39,6 +39,31 @@ import pki.util
# PKI Deployment Configuration Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ def store_cert_tokens(self, subsystem, deployer):
+
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+ deployer.mdict['pki_audit_signing_token'])
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+ deployer.mdict['pki_ssl_server_token'])
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+ deployer.mdict['pki_subsystem_token'])
+
+ if subsystem.name == 'ca':
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
+ elif subsystem.name == 'kra':
+ subsystem.config['kra.storage.tokenname'] = (
+ deployer.mdict['pki_storage_token'])
+ subsystem.config['kra.transport.tokenname'] = (
+ deployer.mdict['pki_transport_token'])
+
+ elif subsystem.name == 'ocsp':
+ subsystem.config['ocsp.signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_configuration']):
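Review bot: `store_cert_tokens` has no docstring, and the nine assignments are the same statement repeated with different keys, which invites the next subsystem to be added by copy-paste; a short table of (cert tag, deployment parameter) pairs expresses the mapping once and makes the keys that end up in CS.cfg easy to audit. The docstring should state the contract: `"""Record each system certificate's token name in CS.cfg (<subsystem>.<cert>.tokenname) so the configuration servlet can create every system certificate in its own token."""`. The rewrite below is behaviour-preserving, including the KeyError a missing `pki_*_token` parameter raises, as in the original.
```python
    # (cert tag, deployment parameter) pairs stored for every subsystem,
    # plus the subsystem-specific ones.
    _COMMON_CERT_TOKENS = (
        ('audit_signing', 'pki_audit_signing_token'),
        ('sslserver', 'pki_ssl_server_token'),
        ('subsystem', 'pki_subsystem_token'),
    )
    _SUBSYSTEM_CERT_TOKENS = {
        'ca': (('signing', 'pki_ca_signing_token'),
               ('ocsp_signing', 'pki_ocsp_signing_token')),
        'kra': (('storage', 'pki_storage_token'),
                ('transport', 'pki_transport_token')),
        'ocsp': (('signing', 'pki_ocsp_signing_token'),),
    }

    def store_cert_tokens(self, subsystem, deployer):
        """Record each system certificate's token name in CS.cfg.

        Copies the pki_<cert>_token deployment parameters into
        <subsystem>.<cert>.tokenname so that the configuration servlet
        can create every system certificate in its own token.
        """
        pairs = self._COMMON_CERT_TOKENS + \
            self._SUBSYSTEM_CERT_TOKENS.get(subsystem.name, ())
        for tag, param in pairs:
            key = '%s.%s.tokenname' % (subsystem.name, tag)
            subsystem.config[key] = deployer.mdict[param]
```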
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
nickname=signing_nickname,
output_format='base64')
subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
subsystem.config['ca.signing.cert'] = signing_cert_data
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
deployer.mdict['pki_ca_signing_signing_algorithm'])
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
subsystem.save()
# verify the signing certificate
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance, 'ca')
verifier.verify_certificate('signing')
- else: # self-signed CA
+ else: # other installation types
# To be implemented in ticket #1692.
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Self sign CA cert.
# Import self-signed CA cert into NSS database.
- pass
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
+ subsystem.save()
finally:
nssdb.close()
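Review bot: The `else` branch now runs real code, but the comments above the new lines (`# To be implemented in ticket #1692.`, `# Self sign CA cert.`, `# Import self-signed CA cert into NSS database.`) were written for the old `pass` and now read as though they describe `store_cert_tokens`. Either collapse them into one visibly separate `# TODO(ticket #1692): self-sign the CA cert and import it into the NSS database.` line, or reword the new comment to `# Store cert tokens in CS.cfg (self-signed CA setup is still pending, ticket #1692).`. The enclosing try/finally starts outside the hunk.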
--
1.8.3.1
From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 2 Sep 2016 16:08:02 -0400
Subject: [PATCH 4/9] Fix CertRequestInfo URLs
The URLs were generated by a UriBuilder that referred to the resource's
annotated path. This top-level path changed though, even if the underlying
paths did not. Replace this with a reference to the getX methods instead.
Also fixed a few eclipse flagged warnings (unused imports etc).
Ticket 2447
(cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2)
(cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)
---
.../com/netscape/ca/ExternalProcessKeyRetriever.java | 7 +------
.../src/com/netscape/cmstools/HttpClient.java | 2 --
.../com/netscape/cms/servlet/cert/CertRequestDAO.java | 17 ++++++++++++++---
.../cms/servlet/cert/CertRequestInfoFactory.java | 15 ++++++++-------
.../src/com/netscape/cms/servlet/cert/DoRevokeTPS.java | 15 +++++++--------
.../cms/servlet/profile/ProfileReviewServlet.java | 1 -
.../dogtagpki/server/tps/rest/TPSInstallerService.java | 2 +-
7 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
index a1b7748..736d870 100644
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
@@ -20,16 +20,11 @@ package com.netscape.ca;
import java.io.IOException;
import java.io.InputStream;
-import java.lang.Process;
-import java.lang.ProcessBuilder;
import java.util.Collection;
import java.util.Stack;
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.ArrayUtils;
-
-import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.map.ObjectMapper;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index 432be9c..594ec69 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -126,8 +126,6 @@ public class HttpClient {
Password pass = new Password(password.toCharArray());
token.login(pass);
- int i;
-
SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
index 6fbcd3c..306fbf5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
@@ -197,8 +197,13 @@ public class CertRequestDAO extends CMSRequestDAO {
IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
for (IRequest req : reqs) {
- CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
- ret.addEntry(info);
+ try {
+ CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
+ ret.addEntry(info);
+ } catch (NoSuchMethodException e) {
+ CMS.debug("Error in creating certrequestinfo - no such method");
+ e.printStackTrace();
+ }
}
ret.setTotal(ret.getEntries().size());
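Review bot: The new catch block reports the failure with `e.printStackTrace()`, which goes to the process's stderr rather than the server debug log that `CMS.debug(e)` writes to; the createCMSRequestInfo hunk below does the same and additionally returns `null`, pushing a NullPointerException onto its callers. A NoSuchMethodException here means the reflective lookup in CertRequestInfoFactory no longer matches the resource method, a programming error that cannot be recovered per request, so both handlers are better written as `CMS.debug(e); throw new IllegalStateException("CertRequestInfoFactory: resource method lookup failed", e);` instead of logging and continuing. If swallowing is deliberate for the list case, at least use `CMS.debug(e)` so the trace lands where the rest of this class logs. The enclosing methods start outside the hunks.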
@@ -221,7 +226,13 @@ public class CertRequestDAO extends CMSRequestDAO {
@Override
public CertRequestInfo createCMSRequestInfo(IRequest request, UriInfo uriInfo) {
- return CertRequestInfoFactory.create(request, uriInfo);
+ try {
+ return CertRequestInfoFactory.create(request, uriInfo);
+ } catch (NoSuchMethodException e) {
+ CMS.debug("Error in creating certrequestinfo - no such method");
+ e.printStackTrace();
+ }
+ return null;
}
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
index 68f65bc..e8c44b3 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
@@ -37,7 +37,7 @@ import netscape.security.x509.X509CertImpl;
public class CertRequestInfoFactory {
- public static CertRequestInfo create(IRequest request, UriInfo uriInfo) {
+ public static CertRequestInfo create(IRequest request, UriInfo uriInfo) throws SecurityException, NoSuchMethodException {
CertRequestInfo info = new CertRequestInfo();
@@ -49,12 +49,12 @@ public class CertRequestInfoFactory {
info.setCertRequestType(request.getExtDataInString("cert_request_type"));
- Path certRequestPath = CertRequestResource.class.getAnnotation(Path.class);
+ Path certRequestPath = CertRequestResource.class.getMethod("getRequestInfo", RequestId.class ).getAnnotation(Path.class);
RequestId requestId = request.getRequestId();
UriBuilder reqBuilder = uriInfo.getBaseUriBuilder();
- reqBuilder.path(certRequestPath.value() + "/" + requestId);
- info.setRequestURL(reqBuilder.build().toString());
+ reqBuilder.path(certRequestPath.value());
+ info.setRequestURL(reqBuilder.build(requestId).toString());
Integer result = request.getExtDataInInteger(IRequest.RESULT);
if (result == null || result.equals(IRequest.RES_SUCCESS)) {
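Review bot: The request URL is now built from the method-level `@Path` of `getRequestInfo` alone, so it drops whatever class-level path `CertRequestResource` carries unless that method annotation is absolute; the commit message says the top-level path changed, but nothing in the hunk shows the final URL shape, so a unit test asserting the produced URL for a known RequestId would pin it. The `getMethod("getRequestInfo", RequestId.class)` string lookup also fails only at runtime if the method is renamed or its parameter type changes; a comment such as `// keep in sync with CertRequestResource.getRequestInfo(RequestId)` above it (and likewise for `getCert(CertId)` in the next hunk) makes the coupling visible to whoever edits the resource.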
@@ -84,11 +84,12 @@ public class CertRequestInfoFactory {
BigInteger serialNo = impl.getSerialNumber();
info.setCertId(new CertId(serialNo));
- Path certPath = CertResource.class.getAnnotation(Path.class);
+
+ Path certPath = CertResource.class.getMethod("getCert", CertId.class).getAnnotation(Path.class);
UriBuilder certBuilder = uriInfo.getBaseUriBuilder();
- certBuilder.path(certPath.value() + "/" + serialNo);
+ certBuilder.path(certPath.value());
- info.setCertURL(certBuilder.build().toString());
+ info.setCertURL(certBuilder.build(serialNo).toString());
return info;
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
index 30bd2cd..79eba99 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
@@ -30,12 +30,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.InvalidityDateExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.X509CertImpl;
+import org.dogtagpki.server.connector.IRemoteRequest;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
@@ -51,7 +46,6 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
import com.netscape.certsrv.common.ICMSRequest;
import com.netscape.certsrv.dbs.certdb.ICertRecord;
import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
-import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
import com.netscape.certsrv.logging.AuditFormat;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -64,7 +58,12 @@ import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
-import org.dogtagpki.server.connector.IRemoteRequest;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
/**
* Revoke a Certificate
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index 0073bd2..dc6560d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -43,7 +43,6 @@ import com.netscape.certsrv.profile.IProfileInput;
import com.netscape.certsrv.profile.IProfileOutput;
import com.netscape.certsrv.profile.IProfilePolicy;
import com.netscape.certsrv.profile.IProfileSubsystem;
-import com.netscape.certsrv.property.EPropertyException;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
index 068293e..8fd24c8 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
@@ -50,7 +50,7 @@ public class TPSInstallerService extends SystemConfigService {
// get token prefix, if applicable
String tokPrefix = "";
- if (!request.getToken().equals(request.TOKEN_DEFAULT) &&
+ if (!request.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT) &&
!request.getToken().equals("internal")) {
tokPrefix = request.getToken() + ":";
}
--
1.8.3.1
From 647388e39ccb69e3d8cadcc1d0a21c4ac6d83363 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 25 Aug 2016 12:55:14 +1000
Subject: [PATCH 5/9] Revoke lightweight CA certificate on deletion
Fixes: https://fedorahosted.org/pki/ticket/1638
(cherry picked from commit af8ff4a7c36614c1b41338f9e32a83462d4163be)
(cherry picked from commit 71bd236572968bdb1b8cb0c4c9a370c689a64687)
---
.../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++-
.../dogtagpki/server/ca/rest/AuthorityService.java | 2 +-
.../netscape/certsrv/ca/ICertificateAuthority.java | 2 +-
3 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a5397da..ab48409 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
import com.netscape.cms.servlet.cert.EnrollmentProcessor;
import com.netscape.cms.servlet.cert.RenewalProcessor;
+import com.netscape.cms.servlet.cert.RevocationProcessor;
import com.netscape.cms.servlet.processors.CAProcessor;
import com.netscape.cmscore.base.ArgBlock;
import com.netscape.cmscore.dbs.CRLRepository;
@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain;
import netscape.security.x509.CertificateIssuerName;
import netscape.security.x509.CertificateSubjectName;
import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.RevocationReason;
import netscape.security.x509.X500Name;
import netscape.security.x509.X500Signer;
import netscape.security.x509.X509CRLImpl;
@@ -2964,7 +2966,8 @@ public class CertificateAuthority
authorityKeyHosts.add(thisClone);
}
- public synchronized void deleteAuthority() throws EBaseException {
+ public synchronized void deleteAuthority(HttpServletRequest httpReq)
+ throws EBaseException {
if (isHostAuthority())
throw new CATypeException("Cannot delete the host CA");
@@ -2984,10 +2987,44 @@ public class CertificateAuthority
shutdown();
+ revokeAuthority(httpReq);
deleteAuthorityEntry(authorityID);
deleteAuthorityNSSDB();
}
+ /** Revoke the authority's certificate
+ *
+ * TODO: revocation reason, invalidity date parameters
+ */
+ private void revokeAuthority(HttpServletRequest httpReq)
+ throws EBaseException {
+ CMS.debug("revokeAuthority: checking serial " + authoritySerial);
+ ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
+ String curStatus = certRecord.getStatus();
+ CMS.debug("revokeAuthority: current cert status: " + curStatus);
+ if (curStatus.equals(CertRecord.STATUS_REVOKED)
+ || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
+ return; // already revoked
+ }
+
+ CMS.debug("revokeAuthority: revoking cert");
+ RevocationProcessor processor = new RevocationProcessor(
+ "CertificateAuthority.revokeAuthority", httpReq.getLocale());
+ processor.setSerialNumber(new CertId(authoritySerial));
+ processor.setRevocationReason(RevocationReason.UNSPECIFIED);
+ processor.setAuthority(this);
+ try {
+ processor.createCRLExtension();
+ } catch (IOException e) {
+ throw new ECAException("Unable to create CRL extensions", e);
+ }
+ processor.addCertificateToRevoke(mCaCert);
+ processor.createRevocationRequest();
+ processor.auditChangeRequest(ILogger.SUCCESS);
+ processor.processRevocationRequest();
+ processor.auditChangeRequestProcessed(ILogger.SUCCESS);
+ }
+
/** Delete keys and certs of this authority from NSSDB.
*/
private void deleteAuthorityNSSDB() throws ECAException {
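Review bot: The audit trail in `revokeAuthority` records only the success path: `auditChangeRequest(ILogger.SUCCESS)` is logged before `processRevocationRequest()` runs, and if that call throws there is no `auditChangeRequestProcessed(ILogger.FAILURE)`, so a failed revocation of a CA signing certificate leaves no record of the attempt's outcome. Wrapping the process call so the failure is audited before the exception propagates closes that gap (assuming `processRevocationRequest` declares `EBaseException` like the rest of this method). Note also that `deleteAuthority` calls `shutdown()` before `revokeAuthority(httpReq)`, so a revocation failure leaves the authority shut down with its entry and keys still present; the caller should expect that state. The hunk also assumes `readCertificateRecord` never returns null; if it can, the status check at `certRecord.getStatus()` would NPE rather than report a clear error.
```java
processor.createRevocationRequest();
processor.auditChangeRequest(ILogger.SUCCESS);
try {
    processor.processRevocationRequest();
} catch (EBaseException e) {
    // record the failed outcome so the audit log is not success-only
    processor.auditChangeRequestProcessed(ILogger.FAILURE);
    throw e;
}
processor.auditChangeRequestProcessed(ILogger.SUCCESS);
```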
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 246a3f0..584ab6e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
Map<String, String> auditParams = new LinkedHashMap<>();
try {
- ca.deleteAuthority();
+ ca.deleteAuthority(servletRequest);
audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
return createNoContentResponse();
} catch (CATypeException e) {
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
index 308bfba..5218a4c 100644
--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
@@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem {
/**
* Delete this lightweight CA.
*/
- public void deleteAuthority()
+ public void deleteAuthority(HttpServletRequest httpReq)
throws EBaseException;
}
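Review bot: The javadoc on `deleteAuthority` was not updated for the new parameter or for the new behaviour, which now includes revoking the authority's signing certificate before the entry is deleted. Suggest extending it with a line such as `Revokes the authority's signing certificate before removing the entry.` and `@param httpReq servlet request; used to obtain the locale for the revocation request`, since that is the only use visible in the implementation.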
--
1.8.3.1
From 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 24 Aug 2016 14:40:46 +1000
Subject: [PATCH 6/9] Prevent deletion of host CA cert and key from NSSDB
If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe, so add a check that prevents cert and key deletion
for the host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443
(cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1)
(cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e)
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index ab48409..bea129d 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3028,6 +3028,13 @@ public class CertificateAuthority
/** Delete keys and certs of this authority from NSSDB.
*/
private void deleteAuthorityNSSDB() throws ECAException {
+ if (isHostAuthority()) {
+ String msg = "Attempt to delete host authority signing key; not proceeding";
+ log(ILogger.LL_WARN, msg);
+ CMS.debug(msg);
+ return;
+ }
+
CryptoManager cryptoManager;
try {
cryptoManager = CryptoManager.getInstance();
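Review bot: The new guard in `deleteAuthorityNSSDB` is logged at `ILogger.LL_WARN`, but reaching it means the host CA's authority entry has been removed from the replicated directory, a condition the commit message itself describes as unrecoverable, so it deserves at least `ILogger.LL_FAILURE` so operators notice it. A short comment explaining why the guard exists would also help the next reader, e.g. `// authorityMonitor may observe deletion of the host authority entry; never remove the host CA's signing key`. The guard is correct in returning rather than throwing, since `deleteAuthority` already rejects the host CA before reaching this path.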
--
1.8.3.1
From 06a85c76938211d6ecf2b49ac72b168e9f6e7fdd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase@frase.id.au>
Date: Tue, 23 Aug 2016 14:50:03 +1000
Subject: [PATCH 7/9] Accept LWCA entry with missing entryUSN if plugin enabled
Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.
Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.
Part of: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe)
(cherry picked from commit 21e268ae6d5f9c2f93d4d80a6285e453974b5c07)
---
.../src/com/netscape/ca/CertificateAuthority.java | 46 ++++++++++++++++++----
1 file changed, 38 insertions(+), 8 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index bea129d..aab9651 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -679,6 +679,24 @@ public class CertificateAuthority
}
}
+ private boolean entryUSNPluginEnabled() {
+ try {
+ LDAPConnection conn = dbFactory.getConn();
+ try {
+ LDAPSearchResults results = conn.search(
+ "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
+ "(nsslapd-pluginEnabled=on)", null, false);
+ return results != null && results.hasMoreElements();
+ } catch (LDAPException e) {
+ return false;
+ } finally {
+ dbFactory.returnConn(conn);
+ }
+ } catch (ELdapException e) {
+ return false; // oh well
+ }
+ }
+
private void initCRLPublisher() throws EBaseException {
// instantiate CRL publisher
if (!isHostAuthority()) {
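Review bot: Both catch blocks in `entryUSNPluginEnabled` return false without recording the exception, so a transient LDAP failure or a permission denial on `cn=usn,cn=plugins,cn=config` is reported by the caller as "USN plugin not enabled" and the authority entry is skipped with a misleading log. Add `CMS.debug("entryUSNPluginEnabled: " + e); CMS.debug(e);` in each catch so the real cause is visible when troubleshooting. It is also worth noting in a comment that the bound database user needs read access to that config entry, since the check silently fails without it.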
@@ -3221,17 +3239,29 @@ public class CertificateAuthority
AuthorityID aid = new AuthorityID((String)
aidAttr.getStringValues().nextElement());
- LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
- if (entryUSN == null) {
- log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " +
- "This is likely because the USN plugin is not enabled in the database");
- return;
+ Integer newEntryUSN = null;
+ LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
+ if (entryUSNAttr == null) {
+ CMS.debug("readAuthority: no entryUSN");
+ if (!entryUSNPluginEnabled()) {
+ CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
+ log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
+ + " entryUSN attribute and USN plugin not enabled;"
+ + " skipping. Enable dirsrv USN plugin.");
+ return;
+ } else {
+ CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
+ // entryUSN plugin is enabled, but no entryUSN attribute. We
+ // can proceed because future modifications will result in the
+ // entryUSN attribute being added.
+ }
+ } else {
+ newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
+ CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
}
- Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
- CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
Integer knownEntryUSN = entryUSNs.get(aid);
- if (knownEntryUSN != null) {
+ if (newEntryUSN != null && knownEntryUSN != null) {
CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
if (newEntryUSN <= knownEntryUSN) {
CMS.debug("readAuthority: data is current");
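Review bot: With `newEntryUSN` left null when the attribute is absent, the `newEntryUSN != null && knownEntryUSN != null` condition means such an entry never reaches the "data is current" short-circuit and is fully reprocessed on every pass of the monitor until the attribute appears; if that is intended, a comment saying so next to the condition would prevent it being "fixed" later. The parse `new Integer(entryUSNAttr.getStringValueArray()[0])` uses a deprecated constructor and throws an unchecked NumberFormatException on a malformed value; `Integer.valueOf(...)` is the idiomatic form, and catching the parse failure would keep one bad entry from aborting the whole pass (the enclosing method continues outside the hunk, so I cannot see what catches it). The `else` branch after `return` is also redundant and could be flattened.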
--
1.8.3.1
From 8e0235adccb11868f0036d48d2b52230c82b3e6b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 8/9] Perform host authority check before entryUSN check
When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid
this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611)
(cherry picked from commit 3a97c5fc0df7015a7e19236778089c67441a1499)
---
.../src/com/netscape/ca/CertificateAuthority.java | 41 +++++++++++-----------
1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index aab9651..1f77fd8 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3239,6 +3239,27 @@ public class CertificateAuthority
AuthorityID aid = new AuthorityID((String)
aidAttr.getStringValues().nextElement());
+ X500Name dn = null;
+ try {
+ dn = new X500Name((String) dnAttr.getStringValues().nextElement());
+ } catch (IOException e) {
+ CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
+ }
+
+ String desc = null;
+ LDAPAttribute descAttr = entry.getAttribute("description");
+ if (descAttr != null)
+ desc = (String) descAttr.getStringValues().nextElement();
+
+ if (dn.equals(mName)) {
+ CMS.debug("Found host authority");
+ foundHostAuthority = true;
+ this.authorityID = aid;
+ this.authorityDescription = desc;
+ caMap.put(aid, this);
+ return;
+ }
+
Integer newEntryUSN = null;
LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
if (entryUSNAttr == null) {
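Review bot: If `new X500Name(...)` throws, `dn` stays null and the check `dn.equals(mName)` a few lines later throws NullPointerException, so a malformed authorityDN now takes down the whole pass instead of being skipped; the moved code had the same flaw, but since this commit reorders it to run first, it is worth fixing here. A malformed entry cannot be the host authority, so returning from the catch after the debug line is sufficient: `CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); return;`. The same applies to the removed copy in the second hunk, which this change supersedes.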
@@ -3269,26 +3290,6 @@ public class CertificateAuthority
}
}
- X500Name dn = null;
- try {
- dn = new X500Name((String) dnAttr.getStringValues().nextElement());
- } catch (IOException e) {
- CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
- }
-
- String desc = null;
- LDAPAttribute descAttr = entry.getAttribute("description");
- if (descAttr != null)
- desc = (String) descAttr.getStringValues().nextElement();
-
- if (dn.equals(mName)) {
- foundHostAuthority = true;
- this.authorityID = aid;
- this.authorityDescription = desc;
- caMap.put(aid, this);
- return;
- }
-
@SuppressWarnings("unused")
X500Name parentDN = null;
if (parentDNAttr != null) {
--
1.8.3.1
From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 7 Sep 2016 00:35:40 +0200
Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script.
The FixSELinuxContexts upgrade script has been removed temporarily
due to a problem importing the selinux library during RPM upgrade.
The FixDeploymentDescriptor script number has been changed
accordingly.
https://fedorahosted.org/pki/ticket/2452
(cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d)
(cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e)
---
.../upgrade/10.3.5/02-FixDeploymentDescriptor | 110 +++++++++++++++++++++
base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 -------
.../upgrade/10.3.5/03-FixDeploymentDescriptor | 110 ---------------------
3 files changed, 110 insertions(+), 146 deletions(-)
create mode 100644 base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
delete mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
delete mode 100644 base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
new file mode 100644
index 0000000..27c8959
--- /dev/null
+++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
@@ -0,0 +1,110 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+from lxml import etree
+import os
+import shutil
+
+import pki.server.upgrade
+
+
+class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(FixDeploymentDescriptor, self).__init__()
+ self.message = 'Fix deployment descriptor'
+ self.parser = etree.XMLParser(remove_blank_text=True)
+
+ def upgrade_instance(self, instance):
+
+ self.fix_webapp(instance, 'ROOT.xml')
+ self.fix_webapp(instance, 'pki#admin.xml')
+ self.fix_webapp(instance, 'pki#js.xml')
+
+ self.fix_theme(instance, 'pki.xml')
+
+ def fix_webapp(self, instance, context_xml):
+
+ source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
+ target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
+
+ # if deployment descriptor doesn't exist, install the default
+ if not os.path.exists(target_xml):
+ self.copy_file(instance, source_xml, target_xml)
+ return
+
+ # get docBase from deployment descriptor
+ document = etree.parse(target_xml, self.parser)
+ context = document.getroot()
+ docBase = context.get('docBase')
+
+ # if docBase is absolute and pointing to non-empty folder, ignore
+ if docBase.startswith('/') and \
+ os.path.exists(docBase) and \
+ os.listdir(docBase):
+ return
+
+ # if docBase is relative and pointing to non-empty folder, ignore
+ if not docBase.startswith('/') and \
+ os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
+ os.listdir(instance.base_dir + '/webapps/' + docBase):
+ return
+
+ # docBase is pointing to non-existent/empty folder, replace with default
+ self.copy_file(instance, source_xml, target_xml)
+
+ def fix_theme(self, instance, context_xml):
+
+ source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
+ target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
+
+ # if deployment descriptor doesn't exist, ignore (no theme)
+ if not os.path.exists(target_xml):
+ return
+
+ # get docBase from deployment descriptor
+ document = etree.parse(target_xml, self.parser)
+ context = document.getroot()
+ docBase = context.get('docBase')
+
+ # if docBase is absolute and pointing to non-empty folder, ignore
+ if docBase.startswith('/') and \
+ os.path.exists(docBase) and \
+ os.listdir(docBase):
+ return
+
+ # if docBase is relative and pointing to non-empty folder, ignore
+ if not docBase.startswith('/') and \
+ os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
+ os.listdir(instance.base_dir + '/webapps/' + docBase):
+ return
+
+ # docBase is pointing to non-existent/empty folder
+
+ # if theme package is installed, replace deployment descriptor
+ if os.path.exists(pki.SHARE_DIR + '/common-ui'):
+ self.copy_file(instance, source_xml, target_xml)
+
+ def copy_file(self, instance, source, target):
+
+ self.backup(target)
+ shutil.copyfile(source, target)
+ os.chown(target, instance.uid, instance.gid)
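Review bot: `context.get('docBase')` returns None when the attribute is absent, and both `fix_webapp` and `fix_theme` then fail with AttributeError on `docBase.startswith('/')`; a descriptor without docBase is as broken as one pointing at an empty folder, so treat it the same way, e.g. `if docBase is None: self.copy_file(instance, source_xml, target_xml); return` (in `fix_theme`, fall through to the theme-package check instead). Since this script runs as root during RPM upgrade and parses a descriptor owned by the instance user, consider `etree.XMLParser(remove_blank_text=True, resolve_entities=False)` so entity expansion in a tampered file cannot influence the parse. The docBase resolution logic is duplicated verbatim between the two methods and would read better as a shared helper such as `_docbase_is_populated(instance, docBase)`.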
diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
deleted file mode 100644
index f3d981e..0000000
--- a/base/server/upgrade/10.3.5/02-FixSELinuxContexts
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2016 Red Hat, Inc.
-# All rights reserved.
-
-from __future__ import absolute_import
-import selinux
-import pki.server.upgrade
-
-
-class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
-
- def __init__(self):
- super(FixSELinuxContexts, self).__init__()
- self.message = 'Fix SELinux contexts'
-
- def upgrade_instance(self, instance):
-
- selinux.restorecon(instance.base_dir, True)
- selinux.restorecon(instance.conf_dir, True)
- selinux.restorecon(instance.log_dir, True)
diff --git a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
deleted file mode 100644
index 27c8959..0000000
--- a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata@redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2016 Red Hat, Inc.
-# All rights reserved.
-
-from __future__ import absolute_import
-from lxml import etree
-import os
-import shutil
-
-import pki.server.upgrade
-
-
-class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
-
- def __init__(self):
- super(FixDeploymentDescriptor, self).__init__()
- self.message = 'Fix deployment descriptor'
- self.parser = etree.XMLParser(remove_blank_text=True)
-
- def upgrade_instance(self, instance):
-
- self.fix_webapp(instance, 'ROOT.xml')
- self.fix_webapp(instance, 'pki#admin.xml')
- self.fix_webapp(instance, 'pki#js.xml')
-
- self.fix_theme(instance, 'pki.xml')
-
- def fix_webapp(self, instance, context_xml):
-
- source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
- target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-
- # if deployment descriptor doesn't exist, install the default
- if not os.path.exists(target_xml):
- self.copy_file(instance, source_xml, target_xml)
- return
-
- # get docBase from deployment descriptor
- document = etree.parse(target_xml, self.parser)
- context = document.getroot()
- docBase = context.get('docBase')
-
- # if docBase is absolute and pointing to non-empty folder, ignore
- if docBase.startswith('/') and \
- os.path.exists(docBase) and \
- os.listdir(docBase):
- return
-
- # if docBase is relative and pointing to non-empty folder, ignore
- if not docBase.startswith('/') and \
- os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
- os.listdir(instance.base_dir + '/webapps/' + docBase):
- return
-
- # docBase is pointing to non-existent/empty folder, replace with default
- self.copy_file(instance, source_xml, target_xml)
-
- def fix_theme(self, instance, context_xml):
-
- source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
- target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-
- # if deployment descriptor doesn't exist, ignore (no theme)
- if not os.path.exists(target_xml):
- return
-
- # get docBase from deployment descriptor
- document = etree.parse(target_xml, self.parser)
- context = document.getroot()
- docBase = context.get('docBase')
-
- # if docBase is absolute and pointing to non-empty folder, ignore
- if docBase.startswith('/') and \
- os.path.exists(docBase) and \
- os.listdir(docBase):
- return
-
- # if docBase is relative and pointing to non-empty folder, ignore
- if not docBase.startswith('/') and \
- os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
- os.listdir(instance.base_dir + '/webapps/' + docBase):
- return
-
- # docBase is pointing to non-existent/empty folder
-
- # if theme package is installed, replace deployment descriptor
- if os.path.exists(pki.SHARE_DIR + '/common-ui'):
- self.copy_file(instance, source_xml, target_xml)
-
- def copy_file(self, instance, source, target):
-
- self.backup(target)
- shutil.copyfile(source, target)
- os.chown(target, instance.uid, instance.gid)
--
1.8.3.1