This patch is for https://pagure.io/dogtagpki/issue/2618: allow the CA to
process pre-signed CMC renewal cert requests.
Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow the CA to
process pre-signed CMC renewal requests. In the world of CMC, renewal
requests are full CMC requests that are signed by a previously issued
signing certificate.
The implementation approach is to use caFullCMCUserSignedCert
with the enhanced profile constraint UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same
key when it is shared by a revoked certificate. It also saves the origNotAfter of
the newest certificate sharing the same key in the request, to be used by
the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have
both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be
placed in the correct order. By default in the UniqueKeyConstraint, the
constraint parameter allowSameKeyRenewal=true.
Thanks,
Christina
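The two-step policy described in the cover letter (UniqueKeyConstraint first, then RenewGracePeriodConstraint driven by the saved origNotAfter) can be modelled in a few lines. The following is an added example by the editor; it is not Christina's patch, not Dogtag code, and does not use the Dogtag profile API. It assumes certificates are matched on a key identifier (a hash of the public key), that graceBefore/graceAfter are counted in days, and that a request whose key has never been certified skips the grace window entirely. The sample certificate list is constructed for the example.

```python
"""
Model of the renewal policy from the cover letter: a UniqueKeyConstraint
step followed by a RenewGracePeriodConstraint step. Added example; not
Dogtag code and not its profile API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class IssuedCert:
    serial: int
    key_id: str          # assumption: an identifier of the public key (e.g. SPKI hash)
    not_after: date
    revoked: bool = False


class Decision(NamedTuple):
    accepted: bool
    reason: str
    orig_not_after: Optional[str]   # ISO date handed from step 9 to step 10


# Constructed sample of previously issued certificates (not real data).
SAMPLE_CERTS: List[IssuedCert] = [
    IssuedCert(1000, "K1", date(2016, 6, 1)),                # old, expired cert for key K1
    IssuedCert(1001, "K1", date(2017, 6, 1)),                # newest cert for key K1
    IssuedCert(2000, "K2", date(2017, 9, 1), revoked=True),  # revoked: key K2 is burned
    IssuedCert(2001, "K2", date(2018, 9, 1)),                # still-valid cert sharing K2
]


def unique_key_step(request_key: str, existing: List[IssuedCert],
                    allow_same_key_renewal: bool = True) -> Decision:
    """UniqueKeyConstraint as described: reject a reused key unless renewal is
    allowed, reject if any cert with that key is revoked, otherwise record the
    newest notAfter as origNotAfter for the grace-period step."""
    same_key = [c for c in existing if c.key_id == request_key]
    if not same_key:
        return Decision(True, "new key", None)
    if not allow_same_key_renewal:
        return Decision(False, "key already certified (serial %d)" % same_key[0].serial, None)
    revoked = [c.serial for c in same_key if c.revoked]
    if revoked:
        return Decision(False, "key shared with revoked cert(s) %s" % revoked, None)
    newest = max(same_key, key=lambda c: c.not_after)
    return Decision(True, "renewal of serial %d" % newest.serial, newest.not_after.isoformat())


def grace_period_step(orig_not_after: Optional[str], now: date,
                      grace_before: int = 30, grace_after: int = 30) -> Decision:
    """RenewGracePeriodConstraint: accept a renewal only inside
    [origNotAfter - graceBefore, origNotAfter + graceAfter]. Units assumed days."""
    if orig_not_after is None:
        return Decision(True, "not a renewal; grace window not applicable", None)
    expiry = date.fromisoformat(orig_not_after)
    window_start = expiry - timedelta(days=grace_before)
    window_end = expiry + timedelta(days=grace_after)
    if now < window_start:
        return Decision(False, "too early: renewal opens %s" % window_start, orig_not_after)
    if now > window_end:
        return Decision(False, "too late: grace period ended %s" % window_end, orig_not_after)
    return Decision(True, "within grace window", orig_not_after)


def decide(request_key: str, now_iso: str, existing: List[IssuedCert] = SAMPLE_CERTS,
           allow_same_key_renewal: bool = True,
           grace_before: int = 30, grace_after: int = 30) -> Decision:
    """Run the constraints in the order the profile lists them (9, then 10).
    Step 10 only ever sees an origNotAfter that step 9 produced."""
    first = unique_key_step(request_key, existing, allow_same_key_renewal)
    if not first.accepted:
        return first
    return grace_period_step(first.orig_not_after, date.fromisoformat(now_iso),
                             grace_before, grace_after)


if __name__ == "__main__":
    for key, when in [("K1", "2017-05-19"), ("K1", "2017-01-15"),
                      ("K2", "2018-08-20"), ("K3", "2017-05-19")]:
        print(key, when, decide(key, when))
```

Note that the grace window is measured against the newest certificate sharing the key, so a key attached to both an expired and a current certificate is judged by the current one, and a single revoked certificate anywhere in that set blocks the renewal regardless of the window.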
From 63af93d4b7ba2bdda405bb585ed1e4c096e7ceb2 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Fri, 19 May 2017 11:55:14 -0700
Subject: [PATCH] Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use caFullCMCUserSignedCert with the enhanced profile constraint UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key when it is shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint, the constraint parameter allowSameKeyRenewal=true.
---
.../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 13 ++-
.../src/com/netscape/cmstools/CMCRequest.java | 14 +--
.../constraint/RenewGracePeriodConstraint.java | 23 ++--
.../profile/constraint/UniqueKeyConstraint.java| 116 -
4 files changed, 124 insertions(+), 42 deletions(-)
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 229a3cd..63a4bca 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -10,12 +10,23 @@ input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=cmcUserCertSet
-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8
policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
+policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
+policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
+policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.9.default.name=No Default
+policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.10.default.name=No Default
policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
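Review bot: the ordering dependency between entries 9 and 10 is enforced nowhere in this file. `policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8` puts uniqueKeyConstraintImpl ahead of renewGracePeriodConstraintImpl only because the cover letter says 9 saves origNotAfter for 10; an administrator who later reorders the list gets no error and the grace check silently stops applying. Suggest a comment line next to the list stating that 9 must precede 10, and making renewGracePeriodConstraintImpl reject (rather than pass) a request whose key matched an existing certificate but arrived with no origNotAfter. Also, `renewal.graceBefore=30` and `renewal.graceAfter=30` carry no unit in the profile; state it so the window is not misread.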
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index 6e27cb1..9c41403 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -2014,10 +2014,12 @@ public class CMCRequest {
certname.append(tokenName);
certname.append(":");
}
-certname.append(nickname);
-signerCert = cm.findCertByNickname(certname.toString());
-if (signerCert != null) {
-System.out.println("got signerCert: "+ certname.toString());
+if (!selfSign.equals("true") && nickname != null)
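Review bot: `if (!selfSign.equals("true") && nickname != null)` throws NullPointerException when selfSign is null; write it as `!"true".equals(selfSign)` or test selfSign for null first. The hunk is cut off on this page after this line, so the replacement for the removed `certname.append(nickname);` and `signerCert = cm.findCertByNickname(certname.toString());` cannot be checked here; the signer lookup must reappear inside the new conditional, otherwise signerCert stays null for every non-self-signed request.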