[Pki-devel] [PATCH] 599 Fixed key archival problem in CLI with separate KRA instance.

Endi Sukma Dewata edewata at redhat.com
Fri May 22 04:12:04 UTC 2015


The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.

https://fedorahosted.org/pki/ticket/1384

-- 
Endi S. Dewata
-------------- next part --------------
From 122772246786510495a930c4d7a6871cfd336a43 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 21 May 2015 23:48:41 -0400
Subject: [PATCH] Fixed key archival problem in CLI with separate KRA instance.

The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.

https://fedorahosted.org/pki/ticket/1384
---
 .../cmstools/client/ClientCertRequestCLI.java      |  18 ++--
 .../com/netscape/cms/servlet/base/PKIService.java  |  37 +++----
 .../dogtagpki/server/rest/SystemCertService.java   | 117 +++++++++++++++------
 3 files changed, 110 insertions(+), 62 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index ebca55bc0bda2a9dce4b1ca3d9574e848ac698f8..e6bd0d98120295ef8e798925f4e9aceb3a0d43f6 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -217,7 +217,7 @@ public class ClientCertRequestCLI extends CLI {
 
             String encoded;
             if (transportCertFilename == null) {
-                SystemCertClient certClient = new SystemCertClient(client, "kra");
+                SystemCertClient certClient = new SystemCertClient(client, "ca");
                 encoded = certClient.getTransportCert().getEncoded();
 
             } else {
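Review bot: The change from "kra" to "ca" on line 45 needs a comment, because without one the next reader will take it for a request to the wrong subsystem and "fix" it back. Something like `// Ask the CA, not the KRA: the KRA may run on a separate instance, and the CA relays the KRA transport cert from its KRA connector.` records the reason the commit message gives. Since this certificate is what the client wraps the archived private key to, making its provenance explicit also helps anyone auditing the key path later. The enclosing method starts and ends outside the hunk.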
@@ -251,13 +251,19 @@ public class ClientCertRequestCLI extends CLI {
 
         CertEnrollmentRequest request = certClient.getEnrollmentTemplate(profileID);
 
-        ProfileInput kg = request.getInput("Key Generation");
+        // Key Generation / Dual Key Generation
+        for (ProfileInput input : request.getInputs()) {
 
-        ProfileAttribute typeAttr = kg.getAttribute("cert_request_type");
-        typeAttr.setValue(requestType);
+            ProfileAttribute typeAttr = input.getAttribute("cert_request_type");
+            if (typeAttr != null) {
+                typeAttr.setValue(requestType);
+            }
 
-        ProfileAttribute csrAttr = kg.getAttribute("cert_request");
-        csrAttr.setValue(csr);
+            ProfileAttribute csrAttr = input.getAttribute("cert_request");
+            if (csrAttr != null) {
+                csrAttr.setValue(csr);
+            }
+        }
 
         ProfileInput sn = request.getInput("Subject Name");
         if (sn != null) {
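Review bot: After the loop at lines 55-70 nothing checks that any input actually accepted the CSR, so a profile with no `cert_request` attribute now continues silently where the old lookup failed outright, and the enrollment reaches the server with an empty request. Track whether the attribute was found, e.g. `boolean csrSet = false;` before the loop, `csrSet = true;` beside `csrAttr.setValue(csr);`, and after the loop `if (!csrSet) throw new Exception("Profile " + profileID + " has no input that accepts a certificate request");` (or whatever exception type the method's throws clause allows; it is not visible here). A comment above the loop, such as `// Set the request type and CSR on every input that carries them (Key Generation, Dual Key Generation, ...)`, would explain why the lookup by input name was dropped. The enclosing method starts and ends outside the hunk.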
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index 2fe78bf2a272509641f26517479f82f4dead845d..11308a9f02ddc4d15db526c1cb80fb423f4c161c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -19,14 +19,13 @@ package com.netscape.cms.servlet.base;
 
 import java.lang.reflect.Method;
 import java.net.URI;
-import java.security.Principal;
-import java.security.cert.CertificateEncodingException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.FormParam;
 import javax.ws.rs.core.CacheControl;
 import javax.ws.rs.core.Context;
@@ -36,11 +35,10 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.PKIException;
-import com.netscape.certsrv.cert.CertData;
-import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.logging.IAuditor;
 import com.netscape.certsrv.logging.ILogger;
 
@@ -65,7 +63,17 @@ public class PKIService {
     public final static int DEFAULT_SIZE = 20;
 
     @Context
-    private HttpHeaders headers;
+    public UriInfo uriInfo;
+
+    @Context
+    public HttpHeaders headers;
+
+    @Context
+    public Request request;
+
+    @Context
+    public HttpServletRequest servletRequest;
+
 
     public ILogger logger = CMS.getLogger();
     public IAuditor auditor = CMS.getAuditor();
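Review bot: The injected context fields at lines 112-121 are now `public` on the base class, which makes the per-request UriInfo, HttpHeaders, Request and HttpServletRequest writable state of every REST service's public API. `protected UriInfo uriInfo;` (and likewise for the other three) gives subclasses such as SystemCertService the access the commit needs without widening the surface further. The two consecutive blank lines at 122-123 left by the replacement can be collapsed to one.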
@@ -169,25 +177,6 @@ public class PKIService {
         return builder.build();
     }
 
-    public CertData createCertificateData(org.mozilla.jss.crypto.X509Certificate cert)
-            throws CertificateEncodingException {
-
-        CertData data = new CertData();
-
-        data.setSerialNumber(new CertId(cert.getSerialNumber()));
-
-        Principal issuerDN = cert.getIssuerDN();
-        if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
-
-        Principal subjectDN = cert.getSubjectDN();
-        if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
-
-        String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
-        data.setEncoded(b64);
-
-        return data;
-    }
-
     public Locale getLocale(HttpHeaders headers) {
 
         if (headers == null) return Locale.getDefault();
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
index 02f9004ecf12f286fb6305cbb05be643cae7b405..1fa106abbb66adc412a78e725c793d40a9e9b869 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemCertService.java
@@ -19,25 +19,28 @@
 package org.dogtagpki.server.rest;
 
 import java.net.URI;
-import java.security.cert.CertificateEncodingException;
+import java.security.Principal;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
+
+import netscape.security.x509.X509CertImpl;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
+import org.mozilla.jss.crypto.X509Certificate;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.security.ITransportKeyUnit;
+import com.netscape.certsrv.system.KRAConnectorInfo;
 import com.netscape.certsrv.system.SystemCertResource;
+import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
 import com.netscape.cms.servlet.base.PKIService;
+import com.netscape.cmsutil.util.Utils;
 
 /**
  * This is the class used to list, retrieve and modify system certificates for all Java subsystems.
@@ -47,27 +50,53 @@ import com.netscape.cms.servlet.base.PKIService;
  */
 public class SystemCertService extends PKIService implements SystemCertResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
-    public SystemCertService() {
-        CMS.debug("SystemCertService.<init>()");
-    }
-
     /**
      * Used to retrieve the transport certificate
      */
     public Response getTransportCert() {
 
+        try {
+            IConfigStore cs = CMS.getConfigStore();
+            String type = cs.getString("cs.type");
+
+            CertData certData;
+            if ("CA".equals(type)) {
+                certData = getTransportCertFromCA();
+
+            } else if ("KRA".equals(type)) {
+                certData = getTransportCertFromKRA();
+
+            } else {
+                throw new ResourceNotFoundException("Transport certificate not available");
+            }
+
+            URI uri = uriInfo.getRequestUri();
+            certData.setLink(new Link("self", uri));
+
+            return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, certData, request);
+
+        } catch (PKIException e) {
+            throw e;
+
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new PKIException(e);
+        }
+    }
+
+    public CertData getTransportCertFromCA() throws Exception {
+        KRAConnectorProcessor processor = new KRAConnectorProcessor(getLocale(headers));
+        KRAConnectorInfo info = processor.getConnectorInfo();
+        String encodedCert = info.getTransportCert();
+
+        byte[] bytes = Utils.base64decode(encodedCert);
+        X509CertImpl cert = new X509CertImpl(bytes);
+
+        return createCertificateData(cert);
+    }
+
+    public CertData getTransportCertFromKRA() throws Exception {
+
         IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
         if (kra == null) {
             // no KRA
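Review bot: getTransportCertFromCA (lines 245-254) passes `info.getTransportCert()` straight to `Utils.base64decode`, so a CA whose KRA connector is not configured, or whose connector entry carries no transport certificate, fails inside the generic `catch (Exception e)` of getTransportCert and surfaces as an opaque PKIException instead of the ResourceNotFoundException the unknown-subsystem branch on line 228 uses. Add an explicit guard before decoding, `if (info == null || info.getTransportCert() == null) throw new ResourceNotFoundException("KRA connector transport certificate not configured");` (whether getConnectorInfo() can return null is not visible here, but the check is cheap either way). The `"CA"`/`"KRA"` dispatch at line 221 would also read better with a comment such as `// A CA answers from its KRA connector configuration; a KRA from its own transport key unit.` getTransportCertFromKRA continues past the end of the hunk.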
@@ -80,24 +109,48 @@ public class SystemCertService extends PKIService implements SystemCertResource
             throw new PKIException("No transport key unit.");
         }
 
-        org.mozilla.jss.crypto.X509Certificate transportCert = tu.getCertificate();
+        X509Certificate transportCert = tu.getCertificate();
         if (transportCert == null) {
             CMS.debug("getTransportCert: transport cert is null");
             throw new PKIException("Transport cert not found.");
         }
 
-        try {
-            CertData cert = createCertificateData(transportCert);
+        return createCertificateData(transportCert);
+    }
+
+    public CertData createCertificateData(X509CertImpl cert) throws Exception {
+
+        CertData data = new CertData();
 
-            URI uri = uriInfo.getRequestUri();
-            cert.setLink(new Link("self", uri));
+        data.setSerialNumber(new CertId(cert.getSerialNumber()));
 
-            return sendConditionalGetResponse(DEFAULT_LONG_CACHE_LIFETIME, cert, request);
+        Principal issuerDN = cert.getIssuerDN();
+        if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
 
-        } catch (CertificateEncodingException e) {
-            CMS.debug(e);
-            throw new PKIException("Unable to encode transport cert");
-        }
+        Principal subjectDN = cert.getSubjectDN();
+        if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+        String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+        data.setEncoded(b64);
+
+        return data;
     }
 
+    public CertData createCertificateData(X509Certificate cert) throws Exception {
+
+        CertData data = new CertData();
+
+        data.setSerialNumber(new CertId(cert.getSerialNumber()));
+
+        Principal issuerDN = cert.getIssuerDN();
+        if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
+
+        Principal subjectDN = cert.getSubjectDN();
+        if (subjectDN != null) data.setSubjectDN(subjectDN.toString());
+
+        String b64 = CertData.HEADER + "\n" + CMS.BtoA(cert.getEncoded()) + CertData.FOOTER;
+        data.setEncoded(b64);
+
+        return data;
+    }
 }
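Review bot: The two createCertificateData overloads at lines 277-300 and 302-318 are line-for-line copies that differ only in the parameter type, so any later change to the PEM framing or DN handling has to be made twice. Both overloads already call the same four accessors (getSerialNumber, getIssuerDN, getSubjectDN, getEncoded), so they can delegate to one private helper that takes those values, as sketched below. The helper assumes both getSerialNumber() methods return BigInteger, which the shared `new CertId(...)` call suggests but which is not visible here, and it needs `java.math.BigInteger` imported. Since the public PKIService.createCertificateData was removed in the same commit, any other subclass that called it would no longer compile; that cannot be checked from this patch.
```java
    public CertData createCertificateData(X509CertImpl cert) throws Exception {
        return createCertificateData(cert.getSerialNumber(), cert.getIssuerDN(), cert.getSubjectDN(), cert.getEncoded());
    }

    public CertData createCertificateData(X509Certificate cert) throws Exception {
        return createCertificateData(cert.getSerialNumber(), cert.getIssuerDN(), cert.getSubjectDN(), cert.getEncoded());
    }

    /** Builds the CertData view shared by both certificate types; DNs may be null. */
    private static CertData createCertificateData(BigInteger serialNumber, Principal issuerDN,
            Principal subjectDN, byte[] encoded) {

        CertData data = new CertData();
        data.setSerialNumber(new CertId(serialNumber));

        if (issuerDN != null) data.setIssuerDN(issuerDN.toString());
        if (subjectDN != null) data.setSubjectDN(subjectDN.toString());

        data.setEncoded(CertData.HEADER + "\n" + CMS.BtoA(encoded) + CertData.FOOTER);
        return data;
    }
```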
-- 
1.9.3


