From 833c060b26756a17d0b85a19846888d71e4bdd5d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 24 Jul 2019 17:46:30 -0500
Subject: [PATCH] Fixed missing SAN extension for CA clone

The CertUtil.buildSANSSLserverURLExtension() has been modified to include SAN parameters in the request to generate the SSL server certificate for CA clone.
https://bugzilla.redhat.com/show_bug.cgi?id=1732637
---
 .../src/com/netscape/cms/servlet/csadmin/CertUtil.java | 16 +++++++---------
 .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 16 ++++++++--------
 2 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 12d4ac1..e77be32 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -228,34 +228,32 @@ public class CertUtil {
 // embed a certificate extension into
 // a PKCS #10 certificate request.
 //
- public static String buildSANSSLserverURLExtension(IConfigStore config)
+ public static void buildSANSSLserverURLExtension(IConfigStore config, MultivaluedMap content)
 throws Exception {
- String url = "";
- String entries = "";
 CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "building SAN SSL Server Certificate URL extension . . .");
- int i = 0;
+
 if (config == null) {
 throw new EBaseException("injectSANextensionIntoRequest: parameter config cannot be null");
 }
+
 String sanHostnames = config.getString("service.sslserver.san");
 String sans[] = StringUtils.split(sanHostnames, ",");
+
+ int i = 0;
 for (String san : sans) {
 CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " + "SAN hostname: " + san);
 // Add the DNSName for all SANs
- entries = entries +
- "&req_san_pattern_" + i + "=" + san;
+ content.putSingle("req_san_pattern_" + i, san);
 i++;
 }
- url = "&req_san_entries=" + i + entries;
+ content.putSingle("req_san_entries", "" + i);
 CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " + i + " SAN entries into SSL Server Certificate URL.");
-
- return url;
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index cc65c78..5395b06 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
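Review bot: In the `for (String san : sans)` loop each entry of `service.sslserver.san` is placed into `req_san_pattern_N` exactly as split, with no trimming or check that it is a plausible host name, although these values are what the clone asks the CA to put into the subject alternative names of its SSL server certificate. A value written as `a.example.com, b.example.com` would presumably send a name with a leading space, and a setting that yields no entries sends `req_san_entries` as 0 without any error; how empty tokens are treated depends on which StringUtils is imported, which the hunk does not show. I would add `san = san.trim();` and `if (san.isEmpty()) continue;` before the `putSingle`, and throw when `i` is still 0 after the loop. The new `content` parameter is also dereferenced without the null check that `config` gets, and that check's message still names `injectSANextensionIntoRequest` rather than this method.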
@@ -2685,16 +2685,9 @@ public class ConfigurationUtils {
 } catch (Exception ee) { }
- String sslserver_extension = "";
- Boolean injectSAN = config.getBoolean("service.injectSAN", false);
- CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
-
- if (certTag.equals("sslserver") && injectSAN == true) {
- sslserver_extension = CertUtil.buildSANSSLserverURLExtension(config);
- }
-
 MultivaluedMap content = new MultivaluedHashMap();
 content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
+
 //Get the correct profile id to send in case it's sslserver type:
 CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId);
 String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
@@ -2706,6 +2699,13 @@ public class ConfigurationUtils {
 content.putSingle("xmlOutput", "true");
 content.putSingle("sessionID", session_id);
+ Boolean injectSAN = config.getBoolean("service.injectSAN", false);
+ CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
+
+ if (certTag.equals("sslserver") && injectSAN) {
+ CertUtil.buildSANSSLserverURLExtension(config, content);
+ }
+
 cert = CertUtil.createRemoteCert(ca_hostname, ca_port, content, response);
 if (cert == null) {
--
1.8.3.1
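Review bot: After `CertUtil.createRemoteCert(...)` in the second hunk the only visible check on the result is `cert == null`, so a certificate issued without the requested SANs would still be accepted silently, which is the same symptom this commit sets out to fix. Whether the issuing CA honours the `req_san_*` parameters presumably depends on the profile selected through `actualProfileId`, which is decided outside this hunk. I would record that next to the new block with a comment such as `// TODO: verify the returned sslserver cert carries the SANs requested above`, and consider comparing the issued names with `service.sslserver.san` before the certificate is used. On the added lines themselves, `"sslserver".equals(certTag)` would avoid a null dereference, and `injectSAN` could be a primitive `boolean` if `getBoolean` returns one. The enclosing method starts and ends outside the hunk.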