From c4f6b7c6d4a0d8130c46cd1f820f8980b7f314e2 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 16 Apr 2018 14:28:39 -0700 Subject: [PATCH 1/7] Ticket #2940 post-ticket simple typo fix. Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be (cherry picked from commit 2e299050016094c4ab9b739bc68a27787d8aadb4) (cherry picked from commit 7ed0b12aa3bc9a04acd417fc0757500d585c57e8) --- base/java-tools/man/man1/CMCSharedToken.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1 index e4a26f0..64c97f8 100644 --- a/base/java-tools/man/man1/CMCSharedToken.1 +++ b/base/java-tools/man/man1/CMCSharedToken.1 @@ -48,7 +48,7 @@ Security token name (default: internal) Security token password. .TP -.B -p +.B -s CMC enrollment passphrase (shared secret) (put in "" if containing spaces) .TP @@ -56,7 +56,7 @@ CMC enrollment passphrase (shared secret) (put in "" if containing spaces) PEM issuance protection certificate. Note: only one of the -b or -n options should be used. .TP -.B -n +.B -n PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used. .TP -- 1.8.3.1 From b189ac5a9fe0eee529893ca1b3616a12fd1d0631 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 19 Apr 2018 17:11:34 -0700 Subject: [PATCH 2/7] Ticket #2992 servlet profileSubmitCMCSimple throws NPE This patch addresses the issue that when auth.instance_id is not specified in the profile, NPE is thrown. Alternative is to add auth.instance_id value, but it's better to leave this as manual approval only without changing the functionality. fixes https://pagure.io/dogtagpki/issue/2992 Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d (cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96) --- .../com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index 91a26b1..a0bcfb5 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java @@ -509,7 +509,10 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { CMS.debug("ProfileSubmitCMCServlet: null it out"); ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); } - String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); + String signingCertSerialS = null; + if (authToken != null) { + signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); + } if (signingCertSerialS != null) { CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); -- 1.8.3.1 From ff37277ba6ee49e92f9bad078f23e66b79315535 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 24 Apr 2018 02:44:15 +0200 Subject: [PATCH 3/7] Fixed token name normalization in pki-server subsystem-cert-validate The pki-server subsystem-cert-validate has been modified to normalize cert token name before calling pki client-cert-validate. This way "Internal Key Storage Token" will be considered as an internal token and no longer specified as a parameter. https://pagure.io/dogtagpki/issue/2997 Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97 (cherry picked from commit d61f9729dcc102c9acbbaa8129fffb6c30fb7116) --- base/common/python/pki/nssdb.py | 27 +++++++++++++++++++++----- base/server/python/pki/server/__init__.py | 7 +++++++ base/server/python/pki/server/cli/subsystem.py | 3 +++ base/server/sbin/pkidestroy | 13 +++++++++++-- base/server/sbin/pkispawn | 10 ++++++++++ 5 files changed, 53 insertions(+), 7 deletions(-) 
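Review bot: The new null branch is silent: when `authToken` is null the request continues with no CMC signing-cert credential in `ctx`, and nothing in the debug log says why, which makes the manual-approval path the commit message relies on hard to trace from a log. Add an else arm, `} else { CMS.debug("ProfileSubmitCMCServlet: authToken is null, CRED_CMC_SIGNING_CERT not set"); }`, so the missing credential is recorded next to the other `CMS.debug` lines in this block. The `ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "")` context line above belongs to a branch whose condition is outside the hunk, and the enclosing method starts and ends outside the hunk.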
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 934fe8b..0f3c97a 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -43,6 +43,9 @@ CERT_FOOTER = '-----END CERTIFICATE-----' PKCS7_HEADER = '-----BEGIN PKCS7-----' PKCS7_FOOTER = '-----END PKCS7-----' +INTERNAL_TOKEN_NAME = 'internal' +INTERNAL_TOKEN_FULL_NAME = 'Internal Key Storage Token' + logger = logging.LoggerAdapter( logging.getLogger(__name__), extra={'indent': ''}) @@ -112,6 +115,24 @@ def get_file_type(filename): return None +def normalize_token(token): + """ + Normalize internal token name (e.g. empty string, 'internal', + 'Internal Key Storage Token') into None. Other token names + will be unchanged. + """ + if not token: + return None + + if token.lower() == INTERNAL_TOKEN_NAME: + return None + + if token.lower() == INTERNAL_TOKEN_FULL_NAME.lower(): + return None + + return token + + class NSSDatabase(object): def __init__(self, directory=None, token=None, password=None, @@ -123,11 +144,7 @@ class NSSDatabase(object): os.path.expanduser("~"), '.dogtag', 'nssdb') self.directory = directory - - if token == 'internal' or token == 'Internal Key Storage Token': - self.token = None - else: - self.token = token + self.token = normalize_token(token) self.tmpdir = tempfile.mkdtemp() diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 65aee2f..b5180f0 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -28,6 +28,7 @@ import grp import io import ldap import ldap.filter +import logging import operator import os import pwd @@ -50,6 +51,10 @@ SUBSYSTEM_CLASSES = {} SELFTEST_CRITICAL = 'critical' +logger = logging.LoggerAdapter( + logging.getLogger(__name__), + extra={'indent': ''}) + class PKIServer(object): 
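Review bot: `normalize_token` spells one rule as three early returns, which reads as three separate cases; a single membership test says it directly: `if not token or token.lower() in (INTERNAL_TOKEN_NAME, INTERNAL_TOKEN_FULL_NAME.lower()):` followed by `return None`, then `return token`. The docstring would also benefit from stating what `None` means to callers, e.g. add the line "Returns None for the internal token (callers pass no token name), otherwise the name unchanged." Note that matching is now case-insensitive and `''` also maps to `None`, a small widening over the exact-string check this replaces in `NSSDatabase.__init__`, which the docstring does state.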
@@ -206,6 +211,8 @@ class PKISubsystem(object): if cert_id: cmd.append(cert_id) + logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_output( cmd, stderr=subprocess.STDOUT) diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index 0abf90a..57093d4 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -1000,6 +1000,9 @@ class SubsystemCertValidateCLI(pki.cli.CLI): token = cert.get('token', '') print(' Token: %s' % token) + # normalize internal token into None + token = pki.nssdb.normalize_token(token) + # get token password and store in temporary file passwd = instance.get_token_password(token) diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy index 4df74a4..58f0541 100755 --- a/base/server/sbin/pkidestroy +++ b/base/server/sbin/pkidestroy @@ -24,6 +24,7 @@ from __future__ import absolute_import from __future__ import print_function import sys import signal +import subprocess if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: print("Python version %s.%s.%s is too old." % sys.version_info[:3]) @@ -235,8 +236,16 @@ def main(argv): scriptlet.destroy(deployer) - # pylint: disable=W0703 - except Exception as e: + except subprocess.CalledProcessError as e: + log_error_details() + print() + print("Uninstallation failed: Command failed: %s" % ' '.join(e.cmd)) + if e.output: + print(e.output) + print() + sys.exit(1) + + except Exception as e: # pylint: disable=broad-except log_error_details() print() print("Uninstallation failed: %s" % e) diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index b2ac8b4..ab94b8b 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn 
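Review bot: `logger.debug('Command: %s', ' '.join(cmd))` writes the full argument vector to the log, and the part of this method that builds `cmd` is outside the hunk; if `cmd` ever carries a token password rather than a password-file path (the subsystem.py hunk in this patch suggests a temporary file is used, so this is presumably safe today), the secret would land in the log at debug level. A one-line comment on the new line would pin that assumption for the next change: `# cmd carries only the password file path, never the password itself`. `' '.join(cmd)` also assumes every element is a str, which holds if `cert_id` always is.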
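Review bot: `print(e.output)` in the new `CalledProcessError` handler in pkidestroy prints a bytes repr (`b'...'` with escaped newlines) on Python 3 whenever the failing `check_output` call ran without text mode, which is how the `check_output` call in the pki/server/__init__.py hunk above is written; the same handler is added to pkispawn in the next hunk. Decode defensively before printing: `out = e.output.decode('utf-8', 'replace') if isinstance(e.output, bytes) else e.output` and `print(out)`. `' '.join(e.cmd)` likewise assumes `e.cmd` is a list; if any scriptlet passes a single shell string, the message would show the command with a space between every character, though the scriptlets themselves are outside this patch.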
@@ -24,6 +24,7 @@ from __future__ import absolute_import from __future__ import print_function import sys import signal +import subprocess if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: print("Python version %s.%s.%s is too old." % sys.version_info[:3]) @@ -549,6 +550,15 @@ def main(argv): sys.exit(1) + except subprocess.CalledProcessError as e: + log_error_details() + print() + print("Installation failed: Command failed: %s" % ' '.join(e.cmd)) + if e.output: + print(e.output) + print() + sys.exit(1) + except Exception as e: # pylint: disable=broad-except log_error_details() print() -- 1.8.3.1 From 5df4e1a9418a9d276170c0c9c8bdec2f0de0d759 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 15 May 2018 19:06:48 -0700 Subject: [PATCH 4/7] Ticket 1741 ECDSA Signature Algorithm encoding This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3 Fixes https://pagure.io/dogtagpki/issue/1741 Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d (cherry picked from commit 01dcdee01ab9c231e89169e422e452ce5ef22257) --- base/util/src/netscape/security/x509/AlgorithmId.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java index a89843e..ae5975a 100644 --- a/base/util/src/netscape/security/x509/AlgorithmId.java +++ b/base/util/src/netscape/security/x509/AlgorithmId.java 
@@ -142,7 +142,16 @@ public class AlgorithmId implements Serializable, DerEncoder { * Figure out what class (if any) knows about this oid's * parameters. Make one, and give it the data to decode. */ - AlgorithmId alg = new AlgorithmId(algid, params); + AlgorithmId alg = null; + // omit parameter field for ECDSA + if (!algid.equals(sha224WithEC_oid) && + !algid.equals(sha256WithEC_oid) && + !algid.equals(sha384WithEC_oid) && + !algid.equals(sha512WithEC_oid)) { + alg = new AlgorithmId(algid, params); + } else { + alg = new AlgorithmId(algid); + } if (params != null) alg.decodeParams(); -- 1.8.3.1 From e4324c4fe54c8b139fbb522c1ad899579ce0aaec Mon Sep 17 00:00:00 2001 
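Review bot: The ECDSA branch constructs `alg` with `new AlgorithmId(algid)` and discards `params`, but the unchanged `if (params != null) alg.decodeParams();` two lines later still runs for exactly those OIDs; if `decodeParams()` reads the parameter field that the new else-branch leaves unset (its body is outside the hunk), this is a null dereference on the very inputs the patch targets, so the decode should be skipped together with the parameters. Dropping the field is the right call for parsing tolerance, since RFC 5758 requires the parameters field to be absent for the ecdsa-with-SHA2 identifiers, and a one-line comment saying so would explain why these four OIDs are special-cased. The enclosing method starts before and ends after this hunk.

```java
        // omit parameter field for ECDSA (RFC 5758: parameters MUST be absent)
        boolean ecdsaOid = algid.equals(sha224WithEC_oid)
                || algid.equals(sha256WithEC_oid)
                || algid.equals(sha384WithEC_oid)
                || algid.equals(sha512WithEC_oid);
        AlgorithmId alg = ecdsaOid ? new AlgorithmId(algid) : new AlgorithmId(algid, params);
        // only decode parameters that were actually retained
        if (params != null && !ecdsaOid)
            alg.decodeParams();
```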
From: Christina Fu Date: Wed, 16 May 2018 14:52:21 -0700 Subject: [PATCH 5/7] Ticket 3018 CMC profiles: Some CMC profiles have wrong input class_id This patch fixes the profile input area where cmcCertReqInputImpl should replace certReqInputImpl and submitterInfoInputImpl should not be present fixes https://pagure.io/dogtagpki/issue/3018 Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad (cherry picked from commit ac8c853ed9b06f4dfdbeb4d00f3f425f5d479824) --- base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 3 +-- base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCUserCert.cfg | 3 +-- base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCcaCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCocspCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCserverCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 5 ++--- base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 3 +-- base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 3 +-- base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 3 +-- base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 3 +-- base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 3 +-- base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg | 3 +-- base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 2 +- 19 files changed, 28 insertions(+), 45 deletions(-) diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg index 5185891..b7b4881 100644 --- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg 
@@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg index 158d9fe..53b0c4d 100644 --- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Server Certificate wth ECC keys Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg index f755243..6e41e06 100644 --- a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Subsystem Certificate Enrollment with ECC keys using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg index fe2a8b3..df47758 100644 --- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg 
@@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Signed CMC-Authenticated User Certificate Enrollment -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg index 967d6ef..ff4856c 100644 --- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Audit Signing Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=auditSigningCertSet diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg index 49a356d..bf6c59a 100644 --- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Certificate Manager Signing Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=caCertSet diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg index bbe733a..1c2630d 100644 --- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg 
@@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=KRA storage Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=drmStorageCertSet diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg index 60b19bf..3d00408 100644 --- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Key Archival Authority Transport Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=transportCertSet diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg index cd60562..14464bf 100644 --- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=OCSP Responder Signing Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=ocspCertSet diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg index 89bbbea..9ad9fac 100644 --- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg 
@@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Server Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg index 4a922fc..c25ed79 100644 --- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg @@ -5,9 +5,8 @@ enableBy=admin auth.instance_id=CMCAuth authz.acl=group="Certificate Manager Agents" name=Subsystem Certificate Enrollment using CMC -input.list=i1,i2 -input.i1.class_id=certReqInputImpl -input.i2.class_id=submitterInfoInputImpl +input.list=i1 +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg index 816a1f8..d0a3c25 100644 --- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg @@ -4,9 +4,8 @@ enableBy=admin name=Self-Signed CMC User Certificate Enrollment visible=false auth.instance_id=CMCUserSignedAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg index 0116053..469dbb0 100644 --- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg 
@@ -4,9 +4,8 @@ enableBy=admin name=Agent-Signed CMC-Authenticated User Certificate Enrollment visible=false auth.instance_id=CMCAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg index a15aa53..d2286de 100644 --- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg @@ -4,9 +4,8 @@ enableBy=admin name=User-Signed CMC-Authenticated User Certificate Enrollment visible=false auth.instance_id=CMCUserSignedAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg index 14d610c..64a6ad9 100644 --- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg @@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate visible=false auth.instance_id= input.list=i1 -input.i1.class_id=certReqInputImpl +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg index 1a7c22d..6b2da33 100644 --- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg 
@@ -4,9 +4,8 @@ enableBy=admin name=Self-Signed CMC User Certificate Enrollment visible=false auth.instance_id=CMCUserSignedAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg index b06f35d..dd336ad 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg @@ -4,9 +4,8 @@ enableBy=admin name=Agent-Signed CMC-Authenticated User Certificate Enrollment visible=false auth.instance_id=CMCAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg index 0c2b97b..9b5d3e9 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg @@ -4,9 +4,8 @@ enableBy=admin name=User-Signed CMC-Authenticated User Certificate Enrollment visible=false auth.instance_id=CMCUserSignedAuth -input.list=i1,i2 +input.list=i1 input.i1.class_id=cmcCertReqInputImpl -input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg index a9c2b0c..0628a36 100644 --- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg 
@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate visible=false auth.instance_id= input.list=i1 -input.i1.class_id=certReqInputImpl +input.i1.class_id=cmcCertReqInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet -- 1.8.3.1 From b66e3a729b0413d8851b6d5a875c6f6542823463 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 17 May 2018 19:36:10 -0700 Subject: [PATCH 6/7] Ticket #2995 SAN in internal SSL server certificate in pkispawn configuration step This patch adds CommonNameToSANDefault to all server profiles so that SAN will be placed in server certs by default. For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault will have to be used instead. fixes: https://pagure.io/dogtagpki/issue/2995 Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641 (cherry picked from commit 7eae0d840c1b7494db2cea67744366fe409eafea) --- base/ca/shared/conf/serverCert.profile | 4 +++- base/ca/shared/profiles/ca/caAgentServerCert.cfg | 6 +++++- base/ca/shared/profiles/ca/caECAgentServerCert.cfg | 6 +++++- .../shared/profiles/ca/caECInternalAuthServerCert.cfg | 18 +++++++++++++++++- base/ca/shared/profiles/ca/caECServerCert.cfg | 6 +++++- .../ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 18 +++++++++++++++++- base/ca/shared/profiles/ca/caServerCert.cfg | 6 +++++- 7 files changed, 57 insertions(+), 7 deletions(-) diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile index 3674cbc..e740760 100644 --- a/base/ca/shared/conf/serverCert.profile +++ b/base/ca/shared/conf/serverCert.profile @@ -6,7 +6,7 @@ name=All Purpose SSL server cert Profile description=This profile creates an SSL server certificate that is valid for SSL servers profileIDMapping=caServerCert profileSetIDMapping=serverCertSet -list=2,4,5,6,7 +list=2,4,5,6,7,8 2.default.class=com.netscape.cms.profile.def.ValidityDefault 2.default.name=Validity Default 2.default.params.range=720 
@@ -37,3 +37,5 @@ list=2,4,5,6,7 7.default.name=Extended Key Usage Extension Default 7.default.params.exKeyUsageCritical=false 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 +8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault +8.default.name=Copy Common Name to Subjec Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg index c4d109f..0662b0a 100644 --- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg +++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg @@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet -policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=CN=.* @@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.12.constraint.class_id=noConstraintImpl +policyset.serverCertSet.12.constraint.name=No Constraint +policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg index c56b6de..da4811e 100644 --- a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg +++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg 
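Review bot: The new display name in serverCert.profile misspells "Subject": `8.default.name=Copy Common Name to Subjec Alternative Name Extension`, while every `.cfg` entry added in this patch spells it `Subject Alternative Name Extension`. Since this profile is the one the pkispawn configuration step uses for the internal SSL server certificate, the label is what operators see; change it to `8.default.name=Copy Common Name to Subject Alternative Name Extension`.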
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet -policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=CN=.* @@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.12.constraint.class_id=noConstraintImpl +policyset.serverCertSet.12.constraint.name=No Constraint +policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg index 4fc8a9c..8580544 100644 --- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg @@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet -policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=CN=.* 
@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=- # 3. change below to reflect the number of general names, and # turn each corresponding subjAltExtPattern_ to true # policyset.serverCertSet.9.default.params.subjAltNameNumGNs +# +# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault +# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry +# policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl @@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1 +# +# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be +# specified during installation, the commonNameToSANDefaultImpl adds a simple +# default single SAN from CN. +# +# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault +# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry +# +policyset.serverCertSet.12.constraint.class_id=noConstraintImpl +policyset.serverCertSet.12.constraint.name=No Constraint +policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg index 0ae4371..7517a5f 100644 --- a/base/ca/shared/profiles/ca/caECServerCert.cfg +++ b/base/ca/shared/profiles/ca/caECServerCert.cfg 
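Review bot: The four-line comment added before entry 9 (`# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault would "merge" into existing SAN. Keep commonNameToSANDefault as last entry`) is repeated verbatim inside the block added before entry 12 in the next hunk of the same file, so caECInternalAuthServerCert.cfg now carries it twice; keep it once, at entry 12, where the ordering requirement applies. The same duplication is in caInternalAuthServerCert.cfg later in this patch. Entry 12 copies whatever CN the `subjectNameConstraintImpl` pattern `CN=.*` admits into the SAN, and whether `commonNameToSANDefaultImpl` checks that the CN is a DNS name is not visible here; a one-line comment stating that assumption (`# assumes CN is the server's DNS name`) would make the intent clear to whoever edits the subject-name constraint next.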
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet -policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* @@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl policyset.serverCertSet.8.default.name=Signing Alg policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.12.constraint.class_id=noConstraintImpl +policyset.serverCertSet.12.constraint.name=No Constraint +policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg index dd10f6f..de3c2a5 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg @@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl output.list=o1 output.o1.class_id=certOutputImpl policyset.list=serverCertSet -policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=CN=.* 
@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=- # 3. change below to reflect the number of general names, and # turn each corresponding subjAltExtPattern_ to true # policyset.serverCertSet.9.default.params.subjAltNameNumGNs +# +# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault +# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry +# policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl @@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1 +# +# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be +# specified during installation, the commonNameToSANDefaultImpl adds a simple +# default single SAN from CN. +# +# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault +# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry +# +policyset.serverCertSet.12.constraint.class_id=noConstraintImpl +policyset.serverCertSet.12.constraint.name=No Constraint +policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg index 2f44c96..fdb08e4 100644 --- a/base/ca/shared/profiles/ca/caServerCert.cfg +++ b/base/ca/shared/profiles/ca/caServerCert.cfg 
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-- 1.8.3.1
From 1d70d69cc5e17be566867dd2c9e5176be0802e93 Mon Sep 17 00:00:00 2001
From: Jack Magne Date: Wed, 16 May 2018 15:28:38 -0700 Subject: [PATCH 7/7] Fix #2996 ECC installation for non CA subsystems needs improvement. The problem is that the installation of say a KRA, which is ECC enabled fails out of the box. This is due to the fact that the internal cert profiles for the following certificates are incorrect: 1. sslserver cert 2. subsystem cert 3. admin cert In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs. What we need in the ECC case is a way to correctly select the ECC versions of the above profiles. Therefore this fix does the following: 1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well-known profile names, but can be modified in the future to be more customizable, should the need arise. 2. I found a related problem when trying to create an ECC-enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario. Change-Id: I1493d63fd8ea0157adb8f47ec0d5aaadc2b88b26 (cherry picked from commit 530634991d553b25dfe8d4cd861b7f4412ad06ca) --- .../certsrv/system/ConfigurationRequest.java | 63 +++++++++++++++++++++- .../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++-- .../dogtagpki/server/rest/SystemConfigService.java | 25 +++++++-- 3 files changed, 97 insertions(+), 9 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 5a65f3e..7ea24d2 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -43,6 +43,16 @@ public class ConfigurationRequest { public static final String EXISTING_DOMAIN = "existingdomain"; public static final String NEW_SUBDOMAIN = "newsubdomain"; + // Hard coded values for ECC and RSA internal cert profile names + public static final String ECC_INTERNAL_SERVER_CERT_PROFILE = "caECInternalAuthServerCert"; + public static final String RSA_INTERNAL_SERVER_CERT_PROFILE = "caInternalAuthServerCert"; + + public static final String ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caECInternalAuthSubsystemCert"; + public static final String RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caInternalAuthSubsystemCert"; + + public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE="caECAdminCert"; + public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE="caAdminCert"; + @XmlElement protected String pin; 
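Review bot: Spacing is uneven across the six new constants — `= "caECInternalAuthServerCert"` but `PROFILE= "caECInternalAuthSubsystemCert"` and `PROFILE="caECAdminCert"`; one style for all six. The comment `// Hard coded values for ECC and RSA internal cert profile names` would be more useful if it said where the names must stay in sync, e.g. `// Must match the profile ids shipped under base/ca/shared/profiles/ca`, because renaming a profile on the CA side would silently break installation of the subsystems this patch targets, and nothing here would catch it. The enclosing class continues outside the hunk.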
@@ -605,6 +615,42 @@ public class ConfigurationRequest { return null; } + public String getSystemCertKeyType(String tag) { + SystemCertData cert = getSystemCert(tag); + if(cert == null) + return null; + + return cert.getKeyType(); + } + + public String getSystemCertProfileID(String tag, String defaultName) { + String profileName = defaultName; + String keyType = getSystemCertKeyType(tag); + + System.out.println("getSystemCertProfileID tag: " + tag + " defaultName: " + defaultName + " keyType: " + keyType); + if (keyType == null) + return profileName; + + // Hard code for now based on key type. Method can be changed later to read pkispawn + // params sent over in the future. + if ("ecc".equalsIgnoreCase(keyType)) { + if ("sslserver".equalsIgnoreCase(tag)) { + profileName = ECC_INTERNAL_SERVER_CERT_PROFILE; + } else if ("subsystem".equalsIgnoreCase(tag)) { + profileName = ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE; + } + } else if ("rsa".equalsIgnoreCase(keyType)) { + if ("sslserver".equalsIgnoreCase(tag)) { + profileName = RSA_INTERNAL_SERVER_CERT_PROFILE; + } else if ("subsystem".equalsIgnoreCase(tag)) { + profileName = RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE; + } + } + + System.out.println("getSystemCertProfileID: returning: " + profileName); + return profileName; + } + /** * * @param systemCerts 
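Review bot: getSystemCertProfileID discards `defaultName` whenever keyType is rsa or ecc and the tag is sslserver or subsystem, so a caller that passes a non-default profile (ConfigurationUtils later hands it the `profileId` it holds for the tag, whose origin is outside those hunks) gets the hard-coded name instead; remapping only the stock RSA names keeps an operator override intact: `if (!RSA_INTERNAL_SERVER_CERT_PROFILE.equals(defaultName) && !RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE.equals(defaultName)) return defaultName;` placed before the key-type switch. Both methods log with `System.out.println`, while the rest of the patch uses `CMS.debug`; ConfigurationRequest lives under base/common, where the server-side logger may not be reachable (worth checking), and if it is not, dropping the two prints is better than stdout noise in every process that builds a request. Minor: `if(cert == null)` and `if (keyType == null)` differ in spacing, and both omit the braces the neighbouring `if ("ecc".equalsIgnoreCase(keyType)) {` uses. Both methods are complete in the hunk; the enclosing class continues outside it.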
@@ -771,7 +817,22 @@ public class ConfigurationRequest { * @return the adminProfileID */ public String getAdminProfileID() { - return adminProfileID; + + // Modify the value returned based on key type of the + // subsystem cert. If keyType not found take the default + // sent over the server. In the future we can make sure + // the correct value is sent over the server. + String keyType = this.getSystemCertKeyType("subsystem"); + String actualAdminProfileID = adminProfileID; + if(keyType != null) { + if("ecc".equalsIgnoreCase(keyType)) { + actualAdminProfileID = ECC_INTERNAL_ADMIN_CERT_PROFILE; + } else if("rsa".equalsIgnoreCase(keyType)) { + actualAdminProfileID = RSA_INTERNAL_ADMIN_CERT_PROFILE; + } + } + + return actualAdminProfileID; } /** diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 0a5cd2e..7f5341a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2568,7 +2568,9 @@ public class ConfigurationUtils { config.putString("preop.cert.signing.type", "remote"); config.putString("preop.cert.signing.profile", "caInstallCACert"); config.putString("preop.cert.sslserver.type", "remote"); - config.putString("preop.cert.sslserver.profile", "caInternalAuthServerCert"); + + config.putString("preop.cert.sslserver.profile", + request.getSystemCertProfileID("sslserver", "caInternalAuthServerCert")); // store original caType original_caType = caType; @@ -2650,6 +2652,8 @@ public class ConfigurationUtils { String v = config.getString("preop.ca.type", ""); CMS.debug("configCert: remote CA"); + CMS.debug("confgCert: tag: " + certTag); + PKCS10 pkcs10 = CertUtil.getPKCS10(config, PCERT_PREFIX, certObj, context); byte[] binRequest = pkcs10.toByteArray(); String b64Request = CryptoUtil.base64Encode(binRequest); 
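Review bot: getAdminProfileID now returns a hard-coded profile whenever the subsystem cert key type is rsa or ecc, so the `adminProfileID` a client sets on the request is honoured only when keyType is absent or something else; the comment `// If keyType not found take the default sent over the server` reads as if the client value were the normal case, which it no longer is. If the intent is only to swap the stock RSA admin profile for its ECC twin, `if (!RSA_INTERNAL_ADMIN_CERT_PROFILE.equals(adminProfileID)) return adminProfileID;` before the key-type check keeps a deliberately chosen profile. Worth checking, too, whether this bean is marshalled through its getters; the `@XmlElement protected String pin;` field in the earlier hunk suggests field binding, in which case the wire value is unaffected, but a getter with logic is easy to misread as the serialized value.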
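Review bot: The fallback on the new `request.getSystemCertProfileID("sslserver", "caInternalAuthServerCert")` line is still a string literal although ConfigurationRequest now defines it as RSA_INTERNAL_SERVER_CERT_PROFILE; passing the constant keeps the two from diverging, and the same applies to `"caInternalAuthSubsystemCert"` on the `preop.cert.subsystem.profile` line in SystemConfigService at the end of the patch. In the next hunk the new debug line spells the method `"confgCert: tag: "` while the line above it uses `"configCert: remote CA"`; `CMS.debug("configCert: tag: " + certTag);` keeps the log greppable. Both hunks sit inside methods that start outside them.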
@@ -2671,7 +2675,10 @@ public class ConfigurationUtils { MultivaluedMap content = new MultivaluedHashMap(); content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort); - content.putSingle("profileId", profileId); + CMS.debug("configRemoteCert: subsystemCert: setting profileId to: " + profileId); + String actualProfileId = request.getSystemCertProfileID(certTag, profileId); + CMS.debug("configRemoteCert: subsystemCert: calculated profileId: " + actualProfileId); + content.putSingle("profileId", actualProfileId); content.putSingle("cert_request_type", "pkcs10"); content.putSingle("cert_request", b64Request); content.putSingle("xmlOutput", "true"); @@ -2716,7 +2723,12 @@ public class ConfigurationUtils { MultivaluedMap content = new MultivaluedHashMap(); content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort); - content.putSingle("profileId", profileId); + //Get the correct profile id to send in case it's sslserver type: + CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId); + String actualProfileId = request.getSystemCertProfileID(certTag, profileId); + CMS.debug("configRemoteCert: tag: " + certTag + " calculated profileId: " + actualProfileId); + + content.putSingle("profileId", actualProfileId); content.putSingle("cert_request_type", "pkcs10"); content.putSingle("cert_request", b64Request); content.putSingle("xmlOutput", "true"); diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 5130a1a..fbfaed2 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java 
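Review bot: The same four lines — two `CMS.debug` calls around `String actualProfileId = request.getSystemCertProfileID(certTag, profileId);` — are pasted into both hunks, and the first copy labels its messages `configRemoteCert: subsystemCert:` while the second interpolates `certTag`; if the first site is not subsystem-only (its enclosing method starts outside the hunk) the label is misleading. Moving the lookup and its logging into one small private helper in ConfigurationUtils, or at least using the `certTag`-based message at both sites, removes the duplication. Logging the requested and the calculated profile id on separate lines is also noisier than it needs to be; one line such as `CMS.debug("configRemoteCert: tag=" + certTag + " profileId " + profileId + " -> " + actualProfileId);` says the same.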
@@ -524,14 +524,27 @@ public class SystemConfigService extends PKIService implements SystemConfigResou nickname = cdata.getNickname(); } + boolean isECC = false; + String keyType = cdata.getKeyType(); + + CMS.debug("SystemConfigService:updateCloneConfiguration: keyType: " + keyType); + if("ecc".equalsIgnoreCase(keyType)) { + isECC = true; + } X509Certificate cert = cryptoManager.findCertByNickname(nickname); PublicKey pubk = cert.getPublicKey(); - byte[] exponent = CryptoUtil.getPublicExponent(pubk); - byte[] modulus = CryptoUtil.getModulus(pubk); + byte[] exponent = null; + byte[] modulus = null; + + if (isECC == false) { + exponent = CryptoUtil.getPublicExponent(pubk); + modulus = CryptoUtil.getModulus(pubk); + cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); + cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); + } + PrivateKey privk = cryptoManager.findPrivKeyByCert(cert); - cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); - cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID())); cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm()); cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType()); @@ -606,6 +619,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ca_hostname = cs.getString("securitydomain.host", ""); ca_port = cs.getInteger("securitydomain.httpseeport"); } + + CMS.debug("Calculated admin cert profile: " + data.getAdminProfileID()); String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port, data.getAdminProfileID(), data.getAdminCertRequestType(), data.getAdminCertRequest(), adminSubjectDN); 
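Review bot: The RSA/ECC branch in updateCloneConfiguration is chosen from the client-supplied `cdata.getKeyType()` string rather than from the key the server actually found, so a request whose keyType is missing or spelled differently for an EC certificate still reaches `CryptoUtil.getModulus(pubk)` and fails as before; deciding on the key object itself (e.g. `pubk instanceof java.security.interfaces.RSAPublicKey`, assuming the JSS key classes implement that interface — worth checking) would be robust regardless of what the client sent. Smaller points: `if (isECC == false)` reads better as `if (!isECC)`, and `exponent`/`modulus` are declared outside the block but used only inside it, so the null initialisers can go. For EC keys the `preop.cert.<tag>.pubkey.modulus` and `.exponent` entries are now simply absent; a `CMS.debug` line saying they are skipped for EC keys would help anyone reading the preop config later, and any consumer of those keys (not visible here) needs the same guard. The method starts outside the hunk.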
@@ -859,7 +874,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou cs.putString("preop.securitydomain.select", "existing"); cs.putString("securitydomain.select", "existing"); cs.putString("preop.cert.subsystem.type", "remote"); - cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert"); + cs.putString("preop.cert.subsystem.profile", data.getSystemCertProfileID("subsystem", "caInternalAuthSubsystemCert")); String securityDomainURL = data.getSecurityDomainUri(); domainXML = logIntoSecurityDomain(data, securityDomainURL); } -- 1.8.3.1