Move CertificateAuthority.renewAuthority() to CAEngine

base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java

@@ -106,7 +106,6 @@
 import com.netscape.cms.profile.common.Profile;
 import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
-import com.netscape.cms.servlet.cert.RenewalProcessor;
 import com.netscape.cms.servlet.cert.RevocationProcessor;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.apps.CMS;
@@ -374,7 +373,7 @@ public void init(ConfigStore config) throws Exception {
         }
     }
 
-    private void checkForNewerCert() throws EBaseException {
+    public void checkForNewerCert() throws EBaseException {
 
         logger.info("CertificateAuthority: Checking for newer CA cert");
         logger.info("CertificateAuthority: serial number: " + authoritySerial);
@@ -1683,6 +1682,14 @@ public AuthorityID getAuthorityParentID() {
         return authorityParentID;
     }
 
+    public BigInteger getAuthoritySerial() {
+        return authoritySerial;
+    }
+
+    public void setAuthoritySerial(BigInteger serial) {
+        authoritySerial = serial;
+    }
+
     /**
      * Return CA description.  May be null.
      */
@@ -1779,62 +1786,6 @@ public X509CertImpl generateSigningCert(
         return request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
     }
 
-    /**
-     * Renew certificate of this CA.
-     */
-    public void renewAuthority(HttpServletRequest httpReq) throws Exception {
-
-        CAEngine engine = CAEngine.getInstance();
-
-        if (
-            authorityParentID != null
-            && !authorityParentID.equals(authorityID)
-        ) {
-            CertificateAuthority issuer = engine.getCA(authorityParentID);
-            issuer.ensureReady();
-        }
-
-        ProfileSubsystem ps = engine.getProfileSubsystem();
-        /* NOTE: hard-coding the profile to use for Lightweight CA renewal
-         * might be OK, but caManualRenewal was not the right one to use.
-         * As a consequence, we have an undesirable special case in
-         * RenewalProcessor.processRenewal().
-         *
-         * We should introduce a new profile specifically for LWCA renewal,
-         * with an authenticator and ACLs to match the authz requirements
-         * for the renewAuthority REST resource itself.  Then we can use
-         * it here, and remove the workaround from RenewalProcessor.
-         */
-        Profile profile = ps.getProfile("caManualRenewal");
-        CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
-            new ArgBlock(), profile, httpReq.getLocale());
-
-        X509CertImpl caCertImpl = mSigningUnit.getCertImpl();
-        req.setSerialNum(new CertId(caCertImpl.getSerialNumber()));
-
-        RenewalProcessor processor = new RenewalProcessor("renewAuthority", httpReq.getLocale());
-        processor.setCMSEngine(engine);
-        processor.init();
-
-        Map<String, Object> resultMap =
-            processor.processRenewal(req, httpReq, null);
-        com.netscape.cmscore.request.Request requests[] = (com.netscape.cmscore.request.Request[]) resultMap.get(CAProcessor.ARG_REQUESTS);
-        com.netscape.cmscore.request.Request request = requests[0];
-        Integer result = request.getExtDataInInteger(com.netscape.cmscore.request.Request.RESULT);
-        if (result != null && !result.equals(com.netscape.cmscore.request.Request.RES_SUCCESS))
-            throw new EBaseException("renewAuthority: certificate renewal submission resulted in error: " + result);
-        RequestStatus requestStatus = request.getRequestStatus();
-        if (requestStatus != RequestStatus.COMPLETE)
-            throw new EBaseException("renewAuthority: certificate renewal did not complete; status: " + requestStatus);
-        X509CertImpl cert = request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
-        authoritySerial = cert.getSerialNumber();
-
-        engine.updateAuthoritySerialNumber(authorityID, authoritySerial);
-
-        // update cert in NSSDB
-        checkForNewerCert();
-    }
-
     /** Revoke the authority's certificate
      *
      * TODO: revocation reason, invalidity date parameters

base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java

@@ -59,6 +59,7 @@
 import com.netscape.ca.AuthorityMonitor;
 import com.netscape.ca.CANotify;
 import com.netscape.ca.CAService;
+import com.netscape.ca.CASigningUnit;
 import com.netscape.ca.CRLConfig;
 import com.netscape.ca.CRLIssuingPoint;
 import com.netscape.ca.CRLIssuingPointConfig;
@@ -77,6 +78,7 @@
 import com.netscape.certsrv.ca.CATypeException;
 import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.connector.ConnectorConfig;
@@ -86,13 +88,19 @@
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.publish.CRLPublisher;
 import com.netscape.certsrv.request.RequestListener;
+import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.certsrv.system.KRAConnectorInfo;
 import com.netscape.cms.authentication.CAAuthSubsystem;
+import com.netscape.cms.profile.common.Profile;
 import com.netscape.cms.request.RequestScheduler;
 import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
+import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
+import com.netscape.cms.servlet.cert.RenewalProcessor;
+import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.authentication.VerifiedCert;
+import com.netscape.cmscore.base.ArgBlock;
 import com.netscape.cmscore.base.ConfigStorage;
 import com.netscape.cmscore.base.ConfigStore;
 import com.netscape.cmscore.cert.CertUtils;
@@ -1587,6 +1595,68 @@ public void addAuthorityKeyHost(CertificateAuthority ca, String host) throws Exc
         ca.getAuthorityKeyHosts().add(host);
     }
 
+    /**
+     * Renew certificate of this CA.
+     */
+    public void renewAuthority(
+            HttpServletRequest httpReq,
+            CertificateAuthority ca) throws Exception {
+
+        AuthorityID authorityID = ca.getAuthorityID();
+        AuthorityID authorityParentID = ca.getAuthorityParentID();
+
+        if (authorityParentID != null
+            && !authorityParentID.equals(authorityID)
+        ) {
+            CertificateAuthority issuer = getCA(authorityParentID);
+            issuer.ensureReady();
+        }
+
+        ProfileSubsystem ps = getProfileSubsystem();
+        /* NOTE: hard-coding the profile to use for Lightweight CA renewal
+         * might be OK, but caManualRenewal was not the right one to use.
+         * As a consequence, we have an undesirable special case in
+         * RenewalProcessor.processRenewal().
+         *
+         * We should introduce a new profile specifically for LWCA renewal,
+         * with an authenticator and ACLs to match the authz requirements
+         * for the renewAuthority REST resource itself.  Then we can use
+         * it here, and remove the workaround from RenewalProcessor.
+         */
+        Profile profile = ps.getProfile("caManualRenewal");
+        CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
+            new ArgBlock(), profile, httpReq.getLocale());
+
+        CASigningUnit signingUnit = ca.getSigningUnit();
+        X509CertImpl caCertImpl = signingUnit.getCertImpl();
+        req.setSerialNum(new CertId(caCertImpl.getSerialNumber()));
+
+        RenewalProcessor processor = new RenewalProcessor("renewAuthority", httpReq.getLocale());
+        processor.setCMSEngine(this);
+        processor.init();
+
+        Map<String, Object> resultMap = processor.processRenewal(req, httpReq, null);
+        com.netscape.cmscore.request.Request requests[] = (com.netscape.cmscore.request.Request[]) resultMap.get(CAProcessor.ARG_REQUESTS);
+        com.netscape.cmscore.request.Request request = requests[0];
+
+        Integer result = request.getExtDataInInteger(com.netscape.cmscore.request.Request.RESULT);
+        if (result != null && !result.equals(com.netscape.cmscore.request.Request.RES_SUCCESS))
+            throw new EBaseException("Certificate renewal submission resulted in error: " + result);
+
+        RequestStatus requestStatus = request.getRequestStatus();
+        if (requestStatus != RequestStatus.COMPLETE)
+            throw new EBaseException("Certificate renewal did not complete; status: " + requestStatus);
+
+        X509CertImpl cert = request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
+        BigInteger authoritySerial = cert.getSerialNumber();
+
+        ca.setAuthoritySerial(authoritySerial);
+        updateAuthoritySerialNumber(authorityID, authoritySerial);
+
+        // update cert in NSSDB
+        ca.checkForNewerCert();
+    }
+
     /** Delete keys and certs of this authority from NSSDB.
      */
     public void deleteAuthorityNSSDB(CertificateAuthority ca) throws ECAException {

base/ca/src/main/java/org/dogtagpki/server/ca/rest/AuthorityService.java

@@ -384,7 +384,7 @@ public Response renewCA(String aidString) {
         Map<String, String> auditParams = new LinkedHashMap<>();
 
         try {
-            ca.renewAuthority(servletRequest);
+            engine.renewAuthority(servletRequest, ca);
             audit(ILogger.SUCCESS, OpDef.OP_MODIFY, aidString, null);
             return createNoContentResponse();
         } catch (CADisabledException e) {