Add option to remove signing cert entry
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
Please review,
Ade
From 56dd82d41c4d8dbf8678cbc6dfc7c1c05978f874 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Fri, 20 Jan 2017 11:01:41 -0500
Subject: [PATCH] Add option to remove signing cert entry
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
---
.../server/ca/rest/CAInstallerService.java | 47 ++++++++++++++++++++--
.../certsrv/system/ConfigurationRequest.java | 32 +++++++++++++++
base/server/etc/default.cfg | 2 +
.../python/pki/server/deployment/pkihelper.py | 5 +++
4 files changed, 83 insertions(+), 3 deletions(-)
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
index 3c7e4831968156cabea48437ab8ae88bf9464fda..b7a41e73eafa2c5390605017f21703968c32d7f9 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
@@ -24,8 +24,7 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.util.StringTokenizer;
-import netscape.ldap.LDAPAttribute;
-
+import org.apache.commons.lang.StringUtils;
import org.dogtagpki.server.rest.SystemConfigService;
import com.netscape.certsrv.apps.CMS;
@@ -41,6 +40,10 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
import com.netscape.cmscore.base.LDAPConfigStore;
import com.netscape.cmscore.profile.LDAPProfileSubsystem;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+
/**
* @author alee
*
@@ -93,6 +96,16 @@ public class CAInstallerService extends SystemConfigService {
CMS.debug(e);
throw new PKIException("Error enabling profile subsystem");
}
+
+ if (request.deleteSigningCertRecord()) {
+ try {
+ String serialNumber = request.getSigningCertSerialNumber();
+ deleteSigningRecord(serialNumber);
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException("Error deleting signing cert record:" + e, e);
+ }
+ }
}
@Override
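Review bot: `request.deleteSigningCertRecord()` on L61 returns a `Boolean` (the field is declared `Boolean` in the ConfigurationRequest hunk), so a request that omits the element unboxes null and aborts the whole configuration step with a NullPointerException rather than simply leaving the option off. Guard it with `if (Boolean.TRUE.equals(request.deleteSigningCertRecord())) {` so older clients and requests without the element keep the current behaviour. The enclosing method starts and ends outside the hunk.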
@@ -189,9 +202,37 @@ public class CAInstallerService extends SystemConfigService {
configStore.commit(false /* no backup */);
}
+ private void deleteSigningRecord(String serialNumber) throws EBaseException, LDAPException {
+
+ if (StringUtils.isEmpty(serialNumber)) {
+ throw new PKIException("signing certificate serial number not specified in configuration request");
+ }
+
+ LDAPConnection conn = null;
+ try {
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("CAInstallerService");
+ dbFactory.init(dbCfg);
+ conn = dbFactory.getConn();
+
+ String basedn = dbCfg.getString("basedn", "");
+ String dn = "cn=" + serialNumber + ",ou=certificateRepository,ou=ca," + basedn;
+
+ conn.delete(dn);
+ } finally {
+ try {
+ if (conn != null)
+ conn.disconnect();
+ } catch (LDAPException e) {
+ CMS.debug(e);
+ CMS.debug("releaseConnection: " + e);
+ }
+ }
+ }
+
private void configureStartingCRLNumber(ConfigurationRequest data) {
CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
- cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
+ cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber());
}
private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
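Review bot: The DN on L89 is built by concatenating the caller-supplied `serialNumber` into the RDN, so a value containing DN metacharacters (`,`, `+`, `=`) would address an entry other than the certificate record this option is meant to remove; the only validation (L77) is for emptiness. If the repository RDN is always the numeric serial, reject anything else before building the DN, e.g. `if (!serialNumber.matches("[0-9]+")) { throw new PKIException("invalid signing certificate serial number: " + serialNumber); }`, or escape the value with `LDAPDN.escapeRDN` if non-numeric values are legitimate. Consider also whether `LDAPException.NO_SUCH_OBJECT` from `conn.delete` should be fatal here: if the record was already removed by an earlier migration attempt, the entire configuration fails on a retry. A Javadoc line stating that this is a migration-only step that removes (not moves) the initial signing certificate record and which config keys drive it would help the next reader.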
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 2ac1f5a1547e10d7351975634c3d853af774c65d..fde8eb8a66297464ccc7efd9ab3664067a04867d 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -238,6 +238,12 @@ public class ConfigurationRequest {
@XmlElement
protected String startingCRLNumber;
+ @XmlElement
+ protected Boolean deleteSigningCertRecord;
+
+ @XmlElement
+ protected String signingCertSerialNumber;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -944,6 +950,30 @@ public class ConfigurationRequest {
this.startingCRLNumber = startingCRLNumber;
}
+ public String getIsClone() {
+ return isClone;
+ }
+
+ public void setIsClone(String isClone) {
+ this.isClone = isClone;
+ }
+
+ public Boolean deleteSigningCertRecord() {
+ return deleteSigningCertRecord;
+ }
+
+ public void setDeleteSigningCertRecord(Boolean deleteSigningCertRecord) {
+ this.deleteSigningCertRecord = deleteSigningCertRecord;
+ }
+
+ public String getSigningCertSerialNumber() {
+ return signingCertSerialNumber;
+ }
+
+ public void setSigningCertSerialNumber(String signingCertSerialNumber) {
+ this.signingCertSerialNumber = signingCertSerialNumber;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
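Review bot: The accessor for the new flag on L136 is named `deleteSigningCertRecord()`, while every other accessor in this class, including the new `getSigningCertSerialNumber()` on L144 and its own setter `setDeleteSigningCertRecord`, follows the bean `getX`/`setX` convention; bean-based tooling and readers looking for `getDeleteSigningCertRecord()` will not find it. Rename it to `getDeleteSigningCertRecord()` and update the caller in CAInstallerService so the pair matches its setter. The `getIsClone`/`setIsClone` pair on L128–L134 is not mentioned in the description; if it is an intentional fix for a missing accessor it deserves a line in the commit message (the `isClone` field itself is outside the hunk).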
@@ -1008,6 +1038,8 @@ public class ConfigurationRequest {
", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
", reindexData=" + reindexData +
", startingCrlNumber=" + startingCRLNumber +
+ ", deleteSigningCertRecord=" + deleteSigningCertRecord +
+ ", signingCertSerialNumber=" + signingCertSerialNumber +
"]";
}
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f35b6a7d585f6cae3440fa489f37a30b9172226f..e502ca1cc7934a1639a6c27d24581dcc97d38b9b 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -336,6 +336,8 @@ pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
pki_share_db=False
pki_master_crl_enable=True
+pki_ca_delete_signing_cert_record=False
+pki_ca_signing_cert_serial_number=1
# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
# config is blank. If both are blank, the value is constructed
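Review bot: The two new keys on L171–L172 carry no comment, while the neighbouring OCSP setting at L173 documents its meaning; a reader of default.cfg cannot tell that `pki_ca_signing_cert_serial_number` is only consulted when `pki_ca_delete_signing_cert_record=True`, nor that it must match the serial under which the initial signing certificate record was created. Add a comment above them such as `# Migration only: when True, remove the initially created CA signing certificate record (cn=<serial>,ou=certificateRepository) so the entry can be supplied by the ldif data import instead.`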
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index c9fe50d96ce9c9cb3c1acfd39ee4af917a76c32a..9bf37640f65375cb36de09893ed2394086456f30 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4020,6 +4020,11 @@ class ConfigClient:
# Misc CA parameters
if self.subsystem == "CA":
data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
+ data.deleteSigningCertRecord = (
+ self.mdict['pki_ca_delete_signing_cert_record'])
+ data.signingCertSerialNumber = (
+ self.mdict['pki_ca_signing_cert_serial_number']
+ )
return data
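Review bot: `self.mdict['pki_ca_delete_signing_cert_record']` on L183–L184 is the raw configuration string (`False` by default per default.cfg), but the field it feeds is declared `Boolean` on the Java side; unless the request serializer and JAXB agree on how a string such as `False` or `True` is coerced, the flag may be silently treated as false or rejected. Converting it to a Python bool before assignment, the way other boolean deployment parameters in this module are presumably handled via its string-to-bool helper, makes the intent explicit; confirm against how ConfigurationRequest is serialized on the wire. The enclosing method starts outside the hunk.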
--
2.7.4