From c4f6b7c6d4a0d8130c46cd1f820f8980b7f314e2 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 16 Apr 2018 14:28:39 -0700
Subject: [PATCH 1/7] Ticket #2940 post-ticket simple typo fix.

Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be
(cherry picked from commit 2e299050016094c4ab9b739bc68a27787d8aadb4)
(cherry picked from commit 7ed0b12aa3bc9a04acd417fc0757500d585c57e8)
---
 base/java-tools/man/man1/CMCSharedToken.1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1
index e4a26f0..64c97f8 100644
--- a/base/java-tools/man/man1/CMCSharedToken.1
+++ b/base/java-tools/man/man1/CMCSharedToken.1
@@ -48,7 +48,7 @@ Security token name (default: internal)
 Security token password.
 
 .TP
-.B -p <passphrase>
+.B -s <passphrase>
 CMC enrollment passphrase (shared secret) (put in "" if containing spaces)
 
 .TP
@@ -56,7 +56,7 @@ CMC enrollment passphrase (shared secret) (put in "" if containing spaces)
 PEM issuance protection certificate. Note: only one of the -b or -n options should be used.
 
 .TP
-.B -n <issuance protection cer nicknamet>
+.B -n <issuance protection cert nickname>
 PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used.
 
 .TP
-- 
1.8.3.1


From b189ac5a9fe0eee529893ca1b3616a12fd1d0631 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 19 Apr 2018 17:11:34 -0700
Subject: [PATCH 2/7] Ticket #2992 servlet profileSubmitCMCSimple throws NPE

This patch addresses the issue that an NPE is thrown when auth.instance_id is not
specified in the profile.
An alternative would be to add an auth.instance_id value, but it is better to leave this
as manual approval only, without changing the functionality.

fixes https://pagure.io/dogtagpki/issue/2992

Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d
(cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96)
---
 .../com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java    | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 91a26b1..a0bcfb5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -509,7 +509,10 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
             CMS.debug("ProfileSubmitCMCServlet: null it out");
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
         }
-        String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
+        String signingCertSerialS = null;
+        if (authToken != null) {
+            signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
+        }
         if (signingCertSerialS != null) {
             CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth");
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
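Review bot: The new null guard on authToken takes the no-authenticator path silently: when auth.instance_id is absent there is no CMC signing-cert credential to propagate, but nothing is logged, so an operator reading the debug trail cannot tell a missing authenticator from a credential that was simply not present in the token. An `else { CMS.debug("ProfileSubmitCMCServlet: authToken is null, no CRED_CMC_SIGNING_CERT to propagate to ctx"); }` on the new `if` would keep the trail consistent with the surrounding debug lines. The unchecked `(String)` cast on the retained line is pre-existing and presumably matches what the auth manager stores under that key, but that is worth confirming while touching it. The enclosing method begins and ends outside the hunk.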
-- 
1.8.3.1


From ff37277ba6ee49e92f9bad078f23e66b79315535 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 24 Apr 2018 02:44:15 +0200
Subject: [PATCH 3/7] Fixed token name normalization in pki-server
 subsystem-cert-validate

The pki-server subsystem-cert-validate has been modified to
normalize cert token name before calling pki client-cert-validate.
This way "Internal Key Storage Token" will be considered as an
internal token and no longer specified as a parameter.

https://pagure.io/dogtagpki/issue/2997

Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97
(cherry picked from commit d61f9729dcc102c9acbbaa8129fffb6c30fb7116)
---
 base/common/python/pki/nssdb.py                | 27 +++++++++++++++++++++-----
 base/server/python/pki/server/__init__.py      |  7 +++++++
 base/server/python/pki/server/cli/subsystem.py |  3 +++
 base/server/sbin/pkidestroy                    | 13 +++++++++++--
 base/server/sbin/pkispawn                      | 10 ++++++++++
 5 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 934fe8b..0f3c97a 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -43,6 +43,9 @@ CERT_FOOTER = '-----END CERTIFICATE-----'
 PKCS7_HEADER = '-----BEGIN PKCS7-----'
 PKCS7_FOOTER = '-----END PKCS7-----'
 
+INTERNAL_TOKEN_NAME = 'internal'
+INTERNAL_TOKEN_FULL_NAME = 'Internal Key Storage Token'
+
 logger = logging.LoggerAdapter(
     logging.getLogger(__name__),
     extra={'indent': ''})
@@ -112,6 +115,24 @@ def get_file_type(filename):
     return None
 
 
+def normalize_token(token):
+    """
+    Normalize internal token name (e.g. empty string, 'internal',
+    'Internal Key Storage Token') into None. Other token names
+    will be unchanged.
+    """
+    if not token:
+        return None
+
+    if token.lower() == INTERNAL_TOKEN_NAME:
+        return None
+
+    if token.lower() == INTERNAL_TOKEN_FULL_NAME.lower():
+        return None
+
+    return token
+
+
 class NSSDatabase(object):
 
     def __init__(self, directory=None, token=None, password=None,
@@ -123,11 +144,7 @@ class NSSDatabase(object):
                 os.path.expanduser("~"), '.dogtag', 'nssdb')
 
         self.directory = directory
-
-        if token == 'internal' or token == 'Internal Key Storage Token':
-            self.token = None
-        else:
-            self.token = token
+        self.token = normalize_token(token)
 
         self.tmpdir = tempfile.mkdtemp()
 
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 65aee2f..b5180f0 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -28,6 +28,7 @@ import grp
 import io
 import ldap
 import ldap.filter
+import logging
 import operator
 import os
 import pwd
@@ -50,6 +51,10 @@ SUBSYSTEM_CLASSES = {}
 
 SELFTEST_CRITICAL = 'critical'
 
+logger = logging.LoggerAdapter(
+    logging.getLogger(__name__),
+    extra={'indent': ''})
+
 
 class PKIServer(object):
 
@@ -206,6 +211,8 @@ class PKISubsystem(object):
         if cert_id:
             cmd.append(cert_id)
 
+        logger.debug('Command: %s', ' '.join(cmd))
+
         subprocess.check_output(
             cmd,
             stderr=subprocess.STDOUT)
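Review bot: The new `logger.debug('Command: %s', ' '.join(cmd))` writes the full argument vector to the log, and this hunk does not show what `cmd` holds before `cert_id` is appended. If any element is a token password rather than the path of a password file, the debug line would persist that secret in the log, so either confirm that only file paths are passed on this command line or redact that argument before joining. The list is built before the hunk starts, so the check has to be made against the lines above.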
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 0abf90a..57093d4 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -1000,6 +1000,9 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
         token = cert.get('token', '')
         print('  Token: %s' % token)
 
+        # normalize internal token into None
+        token = pki.nssdb.normalize_token(token)
+
         # get token password and store in temporary file
         passwd = instance.get_token_password(token)
 
diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy
index 4df74a4..58f0541 100755
--- a/base/server/sbin/pkidestroy
+++ b/base/server/sbin/pkidestroy
@@ -24,6 +24,7 @@ from __future__ import absolute_import
 from __future__ import print_function
 import sys
 import signal
+import subprocess
 
 if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0:
     print("Python version %s.%s.%s is too old." % sys.version_info[:3])
@@ -235,8 +236,16 @@ def main(argv):
 
             scriptlet.destroy(deployer)
 
-    # pylint: disable=W0703
-    except Exception as e:
+    except subprocess.CalledProcessError as e:
+        log_error_details()
+        print()
+        print("Uninstallation failed: Command failed: %s" % ' '.join(e.cmd))
+        if e.output:
+            print(e.output)
+        print()
+        sys.exit(1)
+
+    except Exception as e:  # pylint: disable=broad-except
         log_error_details()
         print()
         print("Uninstallation failed: %s" % e)
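Review bot: `print(e.output)` in the new CalledProcessError handler prints a bytes repr (`b'...'`) on Python 3, because the `subprocess.check_output` calls this tool relies on (for example the one in pki/server/__init__.py in this same series) do not set `universal_newlines`; since the script still supports 2.7 per the hexversion check above, decode defensively with `out = e.output.decode('utf-8', 'replace') if isinstance(e.output, bytes) else e.output` and then `print(out)`. `' '.join(e.cmd)` also assumes `e.cmd` is a sequence; if any caller invokes subprocess with a string command, the error handler itself raises. The identical handler is added to pkispawn later in this patch and needs the same fix. `main` begins and ends outside the hunk.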
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index b2ac8b4..ab94b8b 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -24,6 +24,7 @@ from __future__ import absolute_import
 from __future__ import print_function
 import sys
 import signal
+import subprocess
 
 if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0:
     print("Python version %s.%s.%s is too old." % sys.version_info[:3])
@@ -549,6 +550,15 @@ def main(argv):
 
         sys.exit(1)
 
+    except subprocess.CalledProcessError as e:
+        log_error_details()
+        print()
+        print("Installation failed: Command failed: %s" % ' '.join(e.cmd))
+        if e.output:
+            print(e.output)
+        print()
+        sys.exit(1)
+
     except Exception as e:  # pylint: disable=broad-except
         log_error_details()
         print()
-- 
1.8.3.1


From 5df4e1a9418a9d276170c0c9c8bdec2f0de0d759 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 15 May 2018 19:06:48 -0700
Subject: [PATCH 4/7] Ticket 1741 ECDSA Signature Algorithm encoding

This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3

Fixes https://pagure.io/dogtagpki/issue/1741

Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d
(cherry picked from commit 01dcdee01ab9c231e89169e422e452ce5ef22257)
---
 base/util/src/netscape/security/x509/AlgorithmId.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
index a89843e..ae5975a 100644
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
@@ -142,7 +142,16 @@ public class AlgorithmId implements Serializable, DerEncoder {
          * Figure out what class (if any) knows about this oid's
          * parameters.  Make one, and give it the data to decode.
          */
-        AlgorithmId alg = new AlgorithmId(algid, params);
+        AlgorithmId alg = null;
+        // omit parameter field for ECDSA
+        if (!algid.equals(sha224WithEC_oid) &&
+                !algid.equals(sha256WithEC_oid) &&
+                !algid.equals(sha384WithEC_oid) &&
+                !algid.equals(sha512WithEC_oid)) {
+            alg = new AlgorithmId(algid, params);
+        } else {
+            alg = new AlgorithmId(algid);
+        }
         if (params != null)
             alg.decodeParams();
 
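Review bot: The trailing `if (params != null) alg.decodeParams();` still executes on the ECDSA branch even though the new code deliberately constructs `alg` without the parameters; if decodeParams reads the instance's own params field (now unset) rather than the local `params`, that is either a NullPointerException or a no-op depending on the single-argument constructor, which the hunk does not show. Either confirm it tolerates an absent field or move the call into the non-ECDSA branch. The four `equals` checks would read better as a helper such as `isEcdsaSignatureOid(algid)`, and the comment should record the reason rather than just the action, e.g. `// RFC 5758 s3.2: parameters MUST be absent for ecdsa-with-SHA2; drop any that were encoded`, so a reader understands that a non-conforming input encoding is being normalised here rather than rejected. The enclosing method begins and ends outside the hunk.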
-- 
1.8.3.1


From e4324c4fe54c8b139fbb522c1ad899579ce0aaec Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Wed, 16 May 2018 14:52:21 -0700
Subject: [PATCH 5/7] Ticket 3018 CMC profiles: Some CMC profiles have wrong
 input class_id

This patch fixes the profile input area where
cmcCertReqInputImpl should replace certReqInputImpl
and submitterInfoInputImpl should not be present

fixes https://pagure.io/dogtagpki/issue/3018

Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad
(cherry picked from commit ac8c853ed9b06f4dfdbeb4d00f3f425f5d479824)
---
 base/ca/shared/profiles/ca/caCMCECUserCert.cfg           | 3 +--
 base/ca/shared/profiles/ca/caCMCECserverCert.cfg         | 5 ++---
 base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg      | 5 ++---
 base/ca/shared/profiles/ca/caCMCUserCert.cfg             | 3 +--
 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg     | 5 ++---
 base/ca/shared/profiles/ca/caCMCcaCert.cfg               | 5 ++---
 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg       | 5 ++---
 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg     | 5 ++---
 base/ca/shared/profiles/ca/caCMCocspCert.cfg             | 5 ++---
 base/ca/shared/profiles/ca/caCMCserverCert.cfg           | 5 ++---
 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg        | 5 ++---
 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 3 +--
 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg       | 3 +--
 base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 3 +--
 base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg     | 2 +-
 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg   | 3 +--
 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg         | 3 +--
 base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg   | 3 +--
 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg       | 2 +-
 19 files changed, 28 insertions(+), 45 deletions(-)

diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
index 5185891..b7b4881 100644
--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
index 158d9fe..53b0c4d 100644
--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Server Certificate wth ECC keys Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
index f755243..6e41e06 100644
--- a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Subsystem Certificate Enrollment with ECC keys using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index fe2a8b3..df47758 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Signed CMC-Authenticated User Certificate Enrollment
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
index 967d6ef..ff4856c 100644
--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Audit Signing Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=auditSigningCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
index 49a356d..bf6c59a 100644
--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Certificate Manager Signing Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
index bbe733a..1c2630d 100644
--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=KRA storage Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=drmStorageCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
index 60b19bf..3d00408 100644
--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Key Archival Authority Transport Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=transportCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
index cd60562..14464bf 100644
--- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=OCSP Responder Signing Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=ocspCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
index 89bbbea..9ad9fac 100644
--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Server Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
index 4a922fc..c25ed79 100644
--- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
@@ -5,9 +5,8 @@ enableBy=admin
 auth.instance_id=CMCAuth
 authz.acl=group="Certificate Manager Agents"
 name=Subsystem Certificate Enrollment using CMC
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
+input.list=i1
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
index 816a1f8..d0a3c25 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=Self-Signed CMC User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
index 0116053..469dbb0 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=Agent-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
index a15aa53..d2286de 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=User-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
index 14d610c..64a6ad9 100644
--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate
 visible=false
 auth.instance_id=
 input.list=i1
-input.i1.class_id=certReqInputImpl
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
index 1a7c22d..6b2da33 100644
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=Self-Signed CMC User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
index b06f35d..dd336ad 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=Agent-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 0c2b97b..9b5d3e9 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -4,9 +4,8 @@ enableBy=admin
 name=User-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
-input.list=i1,i2
+input.list=i1
 input.i1.class_id=cmcCertReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index a9c2b0c..0628a36 100644
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate
 visible=false
 auth.instance_id=
 input.list=i1
-input.i1.class_id=certReqInputImpl
+input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
-- 
1.8.3.1


From b66e3a729b0413d8851b6d5a875c6f6542823463 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 17 May 2018 19:36:10 -0700
Subject: [PATCH 6/7] Ticket #2995 SAN in internal SSL server certificate in
 pkispawn configuration step

This patch adds CommonNameToSANDefault to all server profiles so that
SAN will be placed in server certs by default.
For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
will have to be used instead.

fixes: https://pagure.io/dogtagpki/issue/2995

Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641
(cherry picked from commit 7eae0d840c1b7494db2cea67744366fe409eafea)
---
 base/ca/shared/conf/serverCert.profile                 |  4 +++-
 base/ca/shared/profiles/ca/caAgentServerCert.cfg       |  6 +++++-
 base/ca/shared/profiles/ca/caECAgentServerCert.cfg     |  6 +++++-
 .../shared/profiles/ca/caECInternalAuthServerCert.cfg  | 18 +++++++++++++++++-
 base/ca/shared/profiles/ca/caECServerCert.cfg          |  6 +++++-
 .../ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 18 +++++++++++++++++-
 base/ca/shared/profiles/ca/caServerCert.cfg            |  6 +++++-
 7 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
index 3674cbc..e740760 100644
--- a/base/ca/shared/conf/serverCert.profile
+++ b/base/ca/shared/conf/serverCert.profile
@@ -6,7 +6,7 @@ name=All Purpose SSL server cert Profile
 description=This profile creates an SSL server certificate that is valid for SSL servers
 profileIDMapping=caServerCert
 profileSetIDMapping=serverCertSet
-list=2,4,5,6,7
+list=2,4,5,6,7,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -37,3 +37,5 @@ list=2,4,5,6,7
 7.default.name=Extended Key Usage Extension Default
 7.default.params.exKeyUsageCritical=false
 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
+8.default.name=Copy Common Name to Subjec Alternative Name Extension
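Review bot: The new display name on the last added line misspells "Subject": `8.default.name=Copy Common Name to Subject Alternative Name Extension`. The corresponding `policyset.serverCertSet.12.default.name` entries added to the profile .cfg files in this same patch spell it correctly, so the two now disagree.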
diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
index c4d109f..0662b0a 100644
--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
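Review bot: commonNameToSANDefaultImpl is appended with `noConstraintImpl`, so whatever CN passes the `CN=.*` subject-name constraint earlier in this profile is copied into a DNS SAN with no check of its own at the profile level. For an agent-approved profile that may be acceptable, but a comment next to the new entry should state whether the default itself validates that the CN is a DNS host name (not visible here) or whether the approving agent is expected to check it, e.g. `# SAN is derived from the requested CN; the agent must verify the CN is a host name the requester controls`. The same four lines are added to caECAgentServerCert.cfg, caECServerCert.cfg and the two InternalAuthServerCert profiles in this patch.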
diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
index c56b6de..da4811e 100644
--- a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
index 4fc8a9c..8580544 100644
--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=-
 # 3. change below to reflect the number of general names, and
 #    turn each corresponding subjAltExtPattern_<num> to true
 #      policyset.serverCertSet.9.default.params.subjAltNameNumGNs
+#
+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
+# would "merge" into existing SAN.  Keep commonNameToSANDefault as last entry
+#
 policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
 policyset.serverCertSet.9.constraint.name=No Constraint
 policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa
 policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
 policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
 policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
+#
+# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be
+# specified during installation, the commonNameToSANDefaultImpl adds a simple
+# default single SAN from CN.
+#
+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
+# would "merge" into existing SAN.  Keep commonNameToSANDefault as last entry
+#
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
diff --git a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg
index 0ae4371..7517a5f 100644
--- a/base/ca/shared/profiles/ca/caECServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caECServerCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index dd10f6f..de3c2a5 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=-
 # 3. change below to reflect the number of general names, and
 #    turn each corresponding subjAltExtPattern_<num> to true
 #      policyset.serverCertSet.9.default.params.subjAltNameNumGNs
+#
+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
+# would "merge" into existing SAN.  Keep commonNameToSANDefault as last entry
+#
 policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
 policyset.serverCertSet.9.constraint.name=No Constraint
 policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
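Review bot: The added comment tells the admin to keep commonNameToSANDefault last, but the step it sits under only works if entry 9 is also added to `policyset.serverCertSet.list`, which this patch sets to `1,2,3,4,5,6,7,8,12` without 9; an admin who follows steps 1–3 above to enable subjectAltNameExtDefaultImpl will find it silently inactive, or will append it after 12 and get the opposite merge order. Suggest a fourth step in this comment block: `# 4. add 9 to policyset.serverCertSet.list, placing it before entry 12` followed by `#    (commonNameToSANDefaultImpl must remain the last entry)`. The list line itself is in an earlier hunk of this file.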
@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa
 policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
 policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
 policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
+#
+# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be
+# specified during installation, the commonNameToSANDefaultImpl adds a simple
+# default single SAN from CN.
+#
+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
+# would "merge" into existing SAN.  Keep commonNameToSANDefault as last entry
+#
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
index 2f44c96..fdb08e4 100644
--- a/base/ca/shared/profiles/ca/caServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
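Review bot: Entry 12 is paired with `noConstraintImpl`, so in this externally requestable profile the SAN that TLS clients actually validate is derived from whatever CN the requester supplied, and the only gate on that value is policy 1's `.*CN=.*` pattern, which accepts any CN. That does not widen what the CN could already claim, but SAN is the name clients check, so the file should say where the value comes from and where to restrict it; suggest a comment above entry 12: `# NOTE: the SAN is copied from the requester-supplied CN with no separate constraint; restrict accepted names via policy 1 (subjectNameConstraint) if this profile is exposed to untrusted requesters.` The caECServerCert.cfg hunk above has the same shape and would benefit from the same note.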
-- 
1.8.3.1


From 1d70d69cc5e17be566867dd2c9e5176be0802e93 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Wed, 16 May 2018 15:28:38 -0700
Subject: [PATCH 7/7] Fix  #2996 ECC installation for non CA subsystems needs
 improvement.

The problem is that the installation of say a KRA, which is ECC enabled fails out of the box.

This is due to the fact that the internal cert profiles for the following certificates is incorrect:

1. sslserver cert
2. subsystem cert
3. admin cert

In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs.

What we need in the ECC case is a way to correctly select the ECC versions of the above profiles.
Therefore this fix does the following:

1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well known profile names, but can be modified in the future to be more customizable , should the need arise.

2. I found a related problem when trying to create a ECC enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario.

Change-Id: I1493d63fd8ea0157adb8f47ec0d5aaadc2b88b26
(cherry picked from commit 530634991d553b25dfe8d4cd861b7f4412ad06ca)
---
 .../certsrv/system/ConfigurationRequest.java       | 63 +++++++++++++++++++++-
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 18 +++++--
 .../dogtagpki/server/rest/SystemConfigService.java | 25 +++++++--
 3 files changed, 97 insertions(+), 9 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 5a65f3e..7ea24d2 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -43,6 +43,16 @@ public class ConfigurationRequest {
     public static final String EXISTING_DOMAIN = "existingdomain";
     public static final String NEW_SUBDOMAIN = "newsubdomain";
 
+    // Hard coded values for ECC and RSA internal cert profile names
+    public static final String ECC_INTERNAL_SERVER_CERT_PROFILE = "caECInternalAuthServerCert";
+    public static final String RSA_INTERNAL_SERVER_CERT_PROFILE = "caInternalAuthServerCert";
+
+    public static final String ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caECInternalAuthSubsystemCert";
+    public static final String RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caInternalAuthSubsystemCert";
+
+    public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE="caECAdminCert";
+    public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE="caAdminCert";
+
     @XmlElement
     protected String pin;
 
@@ -605,6 +615,42 @@ public class ConfigurationRequest {
        return null;
    }
 
+   public String getSystemCertKeyType(String tag) {
+       SystemCertData cert = getSystemCert(tag);
+       if(cert == null)
+           return null;
+
+       return cert.getKeyType();
+   }
+
+    public String getSystemCertProfileID(String tag, String defaultName) {
+        String profileName = defaultName;
+        String keyType = getSystemCertKeyType(tag);
+
+        System.out.println("getSystemCertProfileID tag: " + tag + " defaultName: " + defaultName + " keyType: " + keyType);
+        if (keyType == null)
+            return profileName;
+
+        // Hard code for now based on key type.  Method can be changed later to read pkispawn
+        // params sent over in the future.
+        if ("ecc".equalsIgnoreCase(keyType)) {
+            if ("sslserver".equalsIgnoreCase(tag)) {
+                profileName = ECC_INTERNAL_SERVER_CERT_PROFILE;
+            } else if ("subsystem".equalsIgnoreCase(tag)) {
+                profileName = ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE;
+            }
+        } else if ("rsa".equalsIgnoreCase(keyType)) {
+            if ("sslserver".equalsIgnoreCase(tag)) {
+                profileName = RSA_INTERNAL_SERVER_CERT_PROFILE;
+            } else if ("subsystem".equalsIgnoreCase(tag)) {
+                profileName = RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE;
+            }
+        }
+
+        System.out.println("getSystemCertProfileID: returning: " + profileName);
+        return profileName;
+    }
+
    /**
     *
     * @param systemCerts
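Review bot: getSystemCertProfileID discards `defaultName` whenever keyType is "rsa" or "ecc" and the tag is sslserver or subsystem, so a caller that passes an operator-configured profile name (the ConfigurationUtils hunks pass `profileId` read from config) gets it silently replaced by the hard-coded well-known name; the parameter is only honoured when keyType is missing or unrecognised. Only the swap between the known RSA/ECC pair is wanted here, so the method should return `defaultName` unchanged when it is not one of the four constants. The two `System.out.println` calls also bypass the project's logging and will land in catalina.out; since this class lives in the common package, either drop them or route through whatever logger the file already uses. Separately, getSystemCertKeyType uses a 3-space indent and `if(cert == null)` while the rest of the class uses 4 spaces and `if (`.

```java
public String getSystemCertProfileID(String tag, String defaultName) {
    String profileName = defaultName;
    String keyType = getSystemCertKeyType(tag);

    // Only swap between the well-known RSA/ECC pair; an operator-supplied
    // profile name that is not one of those is returned untouched.
    boolean knownDefault = RSA_INTERNAL_SERVER_CERT_PROFILE.equals(defaultName)
            || ECC_INTERNAL_SERVER_CERT_PROFILE.equals(defaultName)
            || RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE.equals(defaultName)
            || ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE.equals(defaultName);
    if (keyType == null || !knownDefault)
        return profileName;

    // … unchanged: ecc / rsa selection by tag …
    return profileName;
}
```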
@@ -771,7 +817,22 @@ public class ConfigurationRequest {
      * @return the adminProfileID
      */
     public String getAdminProfileID() {
-        return adminProfileID;
+
+        // Modify the value returned based on key type of the
+        // subsystem cert. If keyType not found take the default
+        // sent over the server. In the future we can make sure
+        // the correct value is sent over the server.
+        String keyType = this.getSystemCertKeyType("subsystem");
+        String actualAdminProfileID = adminProfileID;
+        if(keyType != null) {
+            if("ecc".equalsIgnoreCase(keyType)) {
+                actualAdminProfileID = ECC_INTERNAL_ADMIN_CERT_PROFILE;
+            } else if("rsa".equalsIgnoreCase(keyType)) {
+                actualAdminProfileID = RSA_INTERNAL_ADMIN_CERT_PROFILE;
+            }
+        }
+
+        return actualAdminProfileID;
     }
 
     /**
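Review bot: getAdminProfileID now ignores the `adminProfileID` the client sent whenever the subsystem cert carries a keyType of "rsa" or "ecc", so the Javadoc immediately above (`@return the adminProfileID`) is no longer accurate and any deployment that set a custom admin profile will get caAdminCert/caECAdminCert instead with no log line explaining why. At minimum document the override in the Javadoc, e.g. `@return the admin profile ID; overridden to the well-known RSA or ECC admin profile when the subsystem cert's keyType is known, otherwise the value supplied in the request`. Consider applying the same guard as for the system cert profiles: only substitute when `adminProfileID` is itself one of the two well-known admin names, so an explicitly configured profile survives.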
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 0a5cd2e..7f5341a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2568,7 +2568,9 @@ public class ConfigurationUtils {
             config.putString("preop.cert.signing.type", "remote");
             config.putString("preop.cert.signing.profile", "caInstallCACert");
             config.putString("preop.cert.sslserver.type", "remote");
-            config.putString("preop.cert.sslserver.profile", "caInternalAuthServerCert");
+
+            config.putString("preop.cert.sslserver.profile",
+                   request.getSystemCertProfileID("sslserver", "caInternalAuthServerCert"));
 
             // store original caType
             original_caType = caType;
@@ -2650,6 +2652,8 @@ public class ConfigurationUtils {
         String v = config.getString("preop.ca.type", "");
 
         CMS.debug("configCert: remote CA");
+        CMS.debug("confgCert: tag: " + certTag);
+
         PKCS10 pkcs10 = CertUtil.getPKCS10(config, PCERT_PREFIX, certObj, context);
         byte[] binRequest = pkcs10.toByteArray();
         String b64Request = CryptoUtil.base64Encode(binRequest);
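Review bot: The added debug line misspells the method name, which makes it harder to grep alongside the existing `configCert: remote CA` message on the previous line; suggest `CMS.debug("configCert: tag: " + certTag);`. Alternatively fold it into that existing line as `CMS.debug("configCert: remote CA, tag: " + certTag);`. The enclosing method continues outside this hunk.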
@@ -2671,7 +2675,10 @@ public class ConfigurationUtils {
 
             MultivaluedMap<String, String> content = new MultivaluedHashMap<String, String>();
             content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
-            content.putSingle("profileId", profileId);
+            CMS.debug("configRemoteCert: subsystemCert: setting profileId to: " + profileId);
+            String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
+            CMS.debug("configRemoteCert: subsystemCert: calculated profileId: " + actualProfileId);
+            content.putSingle("profileId", actualProfileId);
             content.putSingle("cert_request_type", "pkcs10");
             content.putSingle("cert_request", b64Request);
             content.putSingle("xmlOutput", "true");
@@ -2716,7 +2723,12 @@ public class ConfigurationUtils {
 
             MultivaluedMap<String, String> content = new MultivaluedHashMap<String, String>();
             content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
-            content.putSingle("profileId", profileId);
+            //Get the correct profile id to send in case it's sslserver type:
+            CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId);
+            String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
+            CMS.debug("configRemoteCert: tag: " + certTag + " calculated profileId: " + actualProfileId);
+
+            content.putSingle("profileId", actualProfileId);
             content.putSingle("cert_request_type", "pkcs10");
             content.putSingle("cert_request", b64Request);
             content.putSingle("xmlOutput", "true");
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 5130a1a..fbfaed2 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -524,14 +524,27 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             nickname = cdata.getNickname();
         }
 
+        boolean isECC = false;
+        String keyType = cdata.getKeyType();
+
+        CMS.debug("SystemConfigService:updateCloneConfiguration: keyType: " + keyType);
+        if("ecc".equalsIgnoreCase(keyType)) {
+            isECC = true;
+        }
         X509Certificate cert = cryptoManager.findCertByNickname(nickname);
         PublicKey pubk = cert.getPublicKey();
-        byte[] exponent = CryptoUtil.getPublicExponent(pubk);
-        byte[] modulus = CryptoUtil.getModulus(pubk);
+        byte[] exponent = null;
+        byte[] modulus = null;
+
+        if (isECC == false) {
+            exponent = CryptoUtil.getPublicExponent(pubk);
+            modulus = CryptoUtil.getModulus(pubk);
+            cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
+            cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
+        }
+
         PrivateKey privk = cryptoManager.findPrivKeyByCert(cert);
 
-        cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
-        cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
         cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID()));
         cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm());
         cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType());
@@ -606,6 +619,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                     ca_hostname = cs.getString("securitydomain.host", "");
                     ca_port = cs.getInteger("securitydomain.httpseeport");
                 }
+
+                CMS.debug("Calculated admin cert profile: " + data.getAdminProfileID());
                 String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port,
                         data.getAdminProfileID(), data.getAdminCertRequestType(),
                         data.getAdminCertRequest(), adminSubjectDN);
@@ -859,7 +874,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             cs.putString("preop.securitydomain.select", "existing");
             cs.putString("securitydomain.select", "existing");
             cs.putString("preop.cert.subsystem.type", "remote");
-            cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
+            cs.putString("preop.cert.subsystem.profile", data.getSystemCertProfileID("subsystem", "caInternalAuthSubsystemCert"));
             String securityDomainURL = data.getSecurityDomainUri();
             domainXML = logIntoSecurityDomain(data, securityDomainURL);
         }
-- 
1.8.3.1