The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.
https://fedorahosted.org/pki/ticket/2449 -- Endi S. Dewata
>From 962ca82b97a1d2440569d1d70984a5765191ba59 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Thu, 8 Sep 2016 20:06:19 +0200
Subject: [PATCH] Removed support for creating system certificates in different tokens.
The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.
https://fedorahosted.org/pki/ticket/2449
---
 .../cms/servlet/csadmin/ConfigurationUtils.java | 18 ++++-------
 .../dogtagpki/server/rest/SystemConfigService.java | 9 ++++--
 .../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +--
 .../server/deployment/scriptlets/configuration.py | 37 +++-------------------
 4 files changed, 19 insertions(+), 49 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index f6e125c4fe5d3c6b4492fa9f0fd8bd8e84b8de24..cdb2844953e788abaed3acb70793a4fe857303e7 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
 }
 config.putString(subsystem + "." + certTag + ".nickname", nickname);
-
+ config.putString(subsystem + "." + certTag + ".tokenname", token);
 if (certTag.equals("audit_signing")) {
 if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
 config.putString("log.instance.SignedAudit.signedAuditCertNickname",
@@ -3325,15 +3325,14 @@ public class ConfigurationUtils {
 return 0;
 }
- public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
+ public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
 ObjectNotFoundException, TokenException {
-
- String tag = cert.getCertTag();
 if (tag.equals("signing") || tag.equals("external_signing")) return;
- String nickname = cert.getNickname();
- String tokenname = cert.getTokenname();
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
+ String tokenname = cs.getString("preop.module.token", "");
 if (!tokenname.equals("Internal Key Storage Token")) nickname = tokenname + ":" + nickname;
@@ -4555,11 +4554,9 @@ public class ConfigurationUtils {
 public static String getSubsystemCert() throws EBaseException, NotInitializedException,
 ObjectNotFoundException, TokenException, CertificateEncodingException, IOException {
- IConfigStore cs = CMS.getConfigStore();
- String subsystem = cs.getString("cs.type").toLowerCase();
- String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
- String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
+ String nickname = cs.getString("preop.cert.subsystem.nickname", "");
+ String tokenname = cs.getString("preop.module.token", "");
 if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") && !tokenname.equals("")) {
@@ -4574,7 +4571,6 @@ public class ConfigurationUtils {
 CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
 return null;
 }
-
 byte[] bytes = cert.getEncoded();
 String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
 return s;
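Review bot: The guard in the new `setCertPermissions(String tag)` treats every `preop.module.token` value other than the literal `Internal Key Storage Token` as an external token, so the `""` default (key absent) or the value `internal` yields a nickname of `:nickname` or `internal:nickname`, whereas `getSubsystemCert` in the next hunk reads the same key and excludes both `internal` and `""`. Aligning the two guards avoids looking up a certificate under a name that cannot exist: `if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") && !tokenname.equals("")) nickname = tokenname + ":" + nickname;`. An empty nickname from the `preop.cert.<tag>.nickname` default is likewise passed on silently; failing early with `if (nickname.isEmpty()) throw new EBaseException("Missing preop.cert." + tag + ".nickname");` gives a clearer error than whatever the later lookup reports. The method body continues past the end of the hunk.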
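Review bot: After `IConfigStore cs = CMS.getConfigStore();` is removed from the top of `getSubsystemCert`, the two surviving `cs.getString(...)` calls refer to a `cs` that is declared nowhere in the hunk; unless `cs` is a static field of `ConfigurationUtils` (the `setCertPermissions` hunk above declares its own local, which suggests it is not), this does not compile. Keeping the local as the first statement, `IConfigStore cs = CMS.getConfigStore();`, resolves it. The method continues past the hunk, so a later declaration cannot be ruled out from here.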
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 5cc6f63dc7f455bedbf06ac94f72ee982dd38e12..9d7c176ecdbf2c87cb961fa3f6eb74fb41eb8ef5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 try {
 CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
 ret = ConfigurationUtils.handleCerts(cert);
- ConfigurationUtils.setCertPermissions(cert);
+ ConfigurationUtils.setCertPermissions(cert.getCertTag());
 CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
 } catch (Exception e) {
 CMS.debug(e);
@@ -386,6 +386,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 processCert(
 request,
+ token,
 certList,
 certs,
 hasSigningCert,
@@ -414,6 +415,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 public void processCert(
 ConfigurationRequest request,
+ String token,
 Collection<String> certList,
 Collection<Cert> certs,
 MutableBoolean hasSigningCert,
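Review bot: The new `token` parameter of `processCert` is undocumented, and its relation to the per-certificate token carried in `certData`/`cdata` later in the same method is not stated, which is exactly the distinction this revert is about. A Javadoc line such as `@param token name of the token in which the key pairs of all system certificates are generated` on the `public void processCert(` signature would keep the two from being confused. The signature's parameter list and the method body continue outside the hunk.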
@@ -458,13 +460,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 String curvename = certData.getKeyCurveName() != null ? certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
- ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
+ ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
 } else {
 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default");
 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
- ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
+ ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
 }
 } else {
@@ -598,6 +600,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 }
 cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
+ cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
 cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
 cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
 cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index a334824d368cbd7c8031a6236a687e6391cdb7eb..c62087e92198d5319d195395a5e2310442780a40 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
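Review bot: The key pair is now generated in `token` (`createECCKeyPair(token, ...)` / `createRSAKeyPair(token, ...)`), but the `@@ -598` hunk on the same line records the certificate's location as `cdata.getToken()`; if that per-certificate value can differ from `token`, CS.cfg's `<subsystem>.<tag>.tokenname` will name a token that does not hold the key, and every later lookup by `tokenname:nickname` fails. Either record the token actually used, `cs.putString(csSubsystem + "." + tag + ".tokenname", token);`, or reject a request whose certificate token differs from `token` before any key is generated. The `tokenName` local that these lines stop using is declared outside the hunk; if nothing else reads it, it should go too. `processCert` starts and ends outside the hunk.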
@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
 // get SSL server nickname
 IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
 if (serverCertStore != null && serverCertStore.size() > 0) {
- String nickName = serverCertStore.getString("nickname", null);
- String tokenName = serverCertStore.getString("tokenname", null);
+ String nickName = serverCertStore.getString("nickname");
+ String tokenName = serverCertStore.getString("tokenname");
 if (tokenName != null && tokenName.length() > 0 && nickName != null && nickName.length() > 0) {
 CMS.setServerCertNickname(tokenName, nickName);
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 97f6d3e601d77712c49fc7a4b19286554e77660f..64ee4e5f6f5cbc920c7ac5a27ab995d7155cf1cc 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
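Review bot: Dropping the `null` default from `serverCertStore.getString("nickname")` and `getString("tokenname")` changes what happens when either key is missing: the one-argument overload in this codebase normally throws for an absent property rather than returning null, so the `tokenName != null && ... nickName != null` guard on the following line no longer covers that case and engine startup fails instead of skipping the nickname. If a missing `sslserver.tokenname` is still a legitimate state (it is written by the Java side only after configuration), keep the two-argument form; if both keys are now mandatory, the null checks are dead and a comment such as `// nickname and tokenname are required here; a missing key fails startup` should say so. The enclosing method starts and ends outside the hunk.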
@@ -39,31 +39,6 @@ import pki.util
 # PKI Deployment Configuration Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- def store_cert_tokens(self, subsystem, deployer):
- subsystem.config[subsystem.name + '.audit_signing.tokenname'] = ( deployer.mdict['pki_audit_signing_token'])
- subsystem.config[subsystem.name + '.sslserver.tokenname'] = ( deployer.mdict['pki_ssl_server_token'])
- subsystem.config[subsystem.name + '.subsystem.tokenname'] = ( deployer.mdict['pki_subsystem_token'])
-
- if subsystem.name == 'ca':
- subsystem.config['ca.signing.tokenname'] = ( deployer.mdict['pki_ca_signing_token'])
- subsystem.config['ca.ocsp_signing.tokenname'] = ( deployer.mdict['pki_ocsp_signing_token'])
-
- elif subsystem.name == 'kra':
- subsystem.config['kra.storage.tokenname'] = ( deployer.mdict['pki_storage_token'])
- subsystem.config['kra.transport.tokenname'] = ( deployer.mdict['pki_transport_token'])
-
- elif subsystem.name == 'ocsp':
- subsystem.config['ocsp.signing.tokenname'] = ( deployer.mdict['pki_ocsp_signing_token'])
-
 def spawn(self, deployer):
 if config.str2bool(deployer.mdict['pki_skip_configuration']):
@@ -290,14 +265,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 nickname=signing_nickname,
 output_format='base64')
 subsystem.config['ca.signing.nickname'] = signing_nickname
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
 subsystem.config['ca.signing.cert'] = signing_cert_data
 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
 subsystem.config['ca.signing.defaultSigningAlgorithm'] = ( deployer.mdict['pki_ca_signing_signing_algorithm'])
- # Store cert tokens in CS.cfg.
- self.store_cert_tokens(subsystem, deployer)
- subsystem.save()
 # verify the signing certificate
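Review bot: With `store_cert_tokens` removed, this scriptlet writes a `tokenname` key only for `ca.signing`, and only in the external-CA branch; the `sslserver`, `subsystem`, `audit_signing`, KRA `storage`/`transport` and OCSP `signing` entries it used to set are now left to the Java side (the `ConfigurationUtils` hunk writes `<subsystem>.<certTag>.tokenname`). Since the `CMSEngine` hunk reads `sslserver.tokenname` without a default, it is worth confirming that the Java writer runs for every certificate tag on every subsystem type before a server is first started. The collapsed text of the `@@ -290` hunk makes it unclear whether `subsystem.save()` is removed or kept as context after the three deleted lines; if it is removed, the `ca.signing.tokenname` value added just above is never persisted on this path. `spawn` continues well past both hunks.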
@@ -308,7 +282,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 instance, 'ca')
 verifier.verify_certificate('signing')
- else: # other installation types
+ else: # self-signed CA
 # To be implemented in ticket #1692.
@@ -316,10 +290,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # Self sign CA cert.
 # Import self-signed CA cert into NSS database.
- # Store cert tokens in CS.cfg.
- self.store_cert_tokens(subsystem, deployer)
-
- subsystem.save()
+ pass
 finally:
 nssdb.close()
--
2.5.5
