diff --git a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
index e63780b54ee..1e4c1028922 100644
--- a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
@@ -106,7 +106,6 @@
 import com.netscape.cms.profile.common.Profile;
 import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
-import com.netscape.cms.servlet.cert.RenewalProcessor;
 import com.netscape.cms.servlet.cert.RevocationProcessor;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.apps.CMS;
@@ -374,7 +373,7 @@ public void init(ConfigStore config) throws Exception {
 }
 }
 
- private void checkForNewerCert() throws EBaseException {
+ public void checkForNewerCert() throws EBaseException {
 
 logger.info("CertificateAuthority: Checking for newer CA cert");
 logger.info("CertificateAuthority: serial number: " + authoritySerial);
@@ -1683,6 +1682,14 @@ public AuthorityID getAuthorityParentID() {
 return authorityParentID;
 }
 
+ public BigInteger getAuthoritySerial() {
+ return authoritySerial;
+ }
+
+ public void setAuthoritySerial(BigInteger serial) {
+ authoritySerial = serial;
+ }
+
 /**
 * Return CA description. May be null.
 */
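Review bot: `checkForNewerCert()` is made public in the -374 hunk and `getAuthoritySerial`/`setAuthoritySerial` are added in the -1683 hunk without Javadoc, so the contract that the new CAEngine.renewAuthority depends on is undocumented. `setAuthoritySerial` is a bare mutator of the serial that `checkForNewerCert` logs and presumably compares against; proposed Javadoc: `/** Records the serial number of this CA's signing cert; a caller that changes it is expected to persist it via CAEngine.updateAuthoritySerialNumber and then call {@link #checkForNewerCert()}, as CAEngine.renewAuthority does. */`. `checkForNewerCert` needs a one-sentence summary of what it does now that it is API; its body continues past the hunk, and only the log line ("Checking for newer CA cert") is visible here, so I would word it to match the actual body. Since `authoritySerial` is now written from another class, it is worth confirming the field's declaration (not in the hunk) gives whatever visibility guarantee the existing readers assume.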
@@ -1779,62 +1786,6 @@ public X509CertImpl generateSigningCert(
 return request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
 }
 
- /**
- * Renew certificate of this CA.
- */
- public void renewAuthority(HttpServletRequest httpReq) throws Exception {
-
- CAEngine engine = CAEngine.getInstance();
-
- if (
- authorityParentID != null
- && !authorityParentID.equals(authorityID)
- ) {
- CertificateAuthority issuer = engine.getCA(authorityParentID);
- issuer.ensureReady();
- }
-
- ProfileSubsystem ps = engine.getProfileSubsystem();
- /* NOTE: hard-coding the profile to use for Lightweight CA renewal
- * might be OK, but caManualRenewal was not the right one to use.
- * As a consequence, we have an undesirable special case in
- * RenewalProcessor.processRenewal().
- *
- * We should introduce a new profile specifically for LWCA renewal,
- * with an authenticator and ACLs to match the authz requirements
- * for the renewAuthority REST resource itself. Then we can use
- * it here, and remove the workaround from RenewalProcessor.
- */
- Profile profile = ps.getProfile("caManualRenewal");
- CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
- new ArgBlock(), profile, httpReq.getLocale());
-
- X509CertImpl caCertImpl = mSigningUnit.getCertImpl();
- req.setSerialNum(new CertId(caCertImpl.getSerialNumber()));
-
- RenewalProcessor processor = new RenewalProcessor("renewAuthority", httpReq.getLocale());
- processor.setCMSEngine(engine);
- processor.init();
-
- Map resultMap =
- processor.processRenewal(req, httpReq, null);
- com.netscape.cmscore.request.Request requests[] = (com.netscape.cmscore.request.Request[]) resultMap.get(CAProcessor.ARG_REQUESTS);
- com.netscape.cmscore.request.Request request = requests[0];
- Integer result = request.getExtDataInInteger(com.netscape.cmscore.request.Request.RESULT);
- if (result != null && !result.equals(com.netscape.cmscore.request.Request.RES_SUCCESS))
- throw new EBaseException("renewAuthority: certificate renewal submission resulted in error: " + result);
- RequestStatus requestStatus = request.getRequestStatus();
- if (requestStatus != RequestStatus.COMPLETE)
- throw new EBaseException("renewAuthority: certificate renewal did not complete; status: " + requestStatus);
- X509CertImpl cert = request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
- authoritySerial = cert.getSerialNumber();
-
- engine.updateAuthoritySerialNumber(authorityID, authoritySerial);
-
- // update cert in NSSDB
- checkForNewerCert();
- }
-
 /** Revoke the authority's certificate
 *
 * TODO: revocation reason, invalidity date parameters
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java b/base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java
index 87a2327fc80..dd87fb0f932 100644
--- a/base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java
+++ b/base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java
@@ -59,6 +59,7 @@
 import com.netscape.ca.AuthorityMonitor;
 import com.netscape.ca.CANotify;
 import com.netscape.ca.CAService;
+import com.netscape.ca.CASigningUnit;
 import com.netscape.ca.CRLConfig;
 import com.netscape.ca.CRLIssuingPoint;
 import com.netscape.ca.CRLIssuingPointConfig;
@@ -77,6 +78,7 @@
 import com.netscape.certsrv.ca.CATypeException;
 import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.connector.ConnectorConfig;
@@ -86,13 +88,19 @@
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.publish.CRLPublisher;
 import com.netscape.certsrv.request.RequestListener;
+import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.certsrv.system.KRAConnectorInfo;
 import com.netscape.cms.authentication.CAAuthSubsystem;
+import com.netscape.cms.profile.common.Profile;
 import com.netscape.cms.request.RequestScheduler;
 import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
+import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
+import com.netscape.cms.servlet.cert.RenewalProcessor;
+import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.authentication.VerifiedCert;
+import com.netscape.cmscore.base.ArgBlock;
 import com.netscape.cmscore.base.ConfigStorage;
 import com.netscape.cmscore.base.ConfigStore;
 import com.netscape.cmscore.cert.CertUtils;
@@ -1587,6 +1595,68 @@ public void addAuthorityKeyHost(CertificateAuthority ca, String host) throws Exc
 ca.getAuthorityKeyHosts().add(host);
 }
 
+ /**
+ * Renew certificate of this CA.
+ */
+ public void renewAuthority(
+ HttpServletRequest httpReq,
+ CertificateAuthority ca) throws Exception {
+
+ AuthorityID authorityID = ca.getAuthorityID();
+ AuthorityID authorityParentID = ca.getAuthorityParentID();
+
+ if (authorityParentID != null
+ && !authorityParentID.equals(authorityID)
+ ) {
+ CertificateAuthority issuer = getCA(authorityParentID);
+ issuer.ensureReady();
+ }
+
+ ProfileSubsystem ps = getProfileSubsystem();
+ /* NOTE: hard-coding the profile to use for Lightweight CA renewal
+ * might be OK, but caManualRenewal was not the right one to use.
+ * As a consequence, we have an undesirable special case in
+ * RenewalProcessor.processRenewal().
+ *
+ * We should introduce a new profile specifically for LWCA renewal,
+ * with an authenticator and ACLs to match the authz requirements
+ * for the renewAuthority REST resource itself. Then we can use
+ * it here, and remove the workaround from RenewalProcessor.
+ */
+ Profile profile = ps.getProfile("caManualRenewal");
+ CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
+ new ArgBlock(), profile, httpReq.getLocale());
+
+ CASigningUnit signingUnit = ca.getSigningUnit();
+ X509CertImpl caCertImpl = signingUnit.getCertImpl();
+ req.setSerialNum(new CertId(caCertImpl.getSerialNumber()));
+
+ RenewalProcessor processor = new RenewalProcessor("renewAuthority", httpReq.getLocale());
+ processor.setCMSEngine(this);
+ processor.init();
+
+ Map resultMap = processor.processRenewal(req, httpReq, null);
+ com.netscape.cmscore.request.Request requests[] = (com.netscape.cmscore.request.Request[]) resultMap.get(CAProcessor.ARG_REQUESTS);
+ com.netscape.cmscore.request.Request request = requests[0];
+
+ Integer result = request.getExtDataInInteger(com.netscape.cmscore.request.Request.RESULT);
+ if (result != null && !result.equals(com.netscape.cmscore.request.Request.RES_SUCCESS))
+ throw new EBaseException("Certificate renewal submission resulted in error: " + result);
+
+ RequestStatus requestStatus = request.getRequestStatus();
+ if (requestStatus != RequestStatus.COMPLETE)
+ throw new EBaseException("Certificate renewal did not complete; status: " + requestStatus);
+
+ X509CertImpl cert = request.getExtDataInCert(com.netscape.cmscore.request.Request.REQUEST_ISSUED_CERT);
+ BigInteger authoritySerial = cert.getSerialNumber();
+
+ ca.setAuthoritySerial(authoritySerial);
+ updateAuthoritySerialNumber(authorityID, authoritySerial);
+
+ // update cert in NSSDB
+ ca.checkForNewerCert();
+ }
+
 /** Delete keys and certs of this authority from NSSDB.
 */
 public void deleteAuthorityNSSDB(CertificateAuthority ca) throws ECAException {
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/main/java/org/dogtagpki/server/ca/rest/AuthorityService.java
index 41aba4fbb38..784b44e01a0 100644
--- a/base/ca/src/main/java/org/dogtagpki/server/ca/rest/AuthorityService.java
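Review bot: `requests[0]` in the new `Request request = requests[0];` line is dereferenced without checking that `resultMap.get(CAProcessor.ARG_REQUESTS)` produced a non-empty array, so an empty renewal result surfaces as a NullPointerException or ArrayIndexOutOfBoundsException instead of the EBaseException the method uses for its other failure paths; a guard such as `if (requests == null || requests.length == 0) throw new EBaseException("Certificate renewal produced no request");` before that line keeps the error reporting uniform. The Javadoc `Renew certificate of this CA.` was carried over from CertificateAuthority and no longer fits an engine method taking the CA as a parameter; suggest `Renew the signing certificate of the given CA and update its recorded serial number.` with `@param httpReq request whose locale is used for the enrollment request` and `@param ca the authority to renew`. `Map resultMap` is a raw type; `Map<String, Object>` (or whatever processRenewal declares, which is not visible here) would remove the unchecked cast warning. Worth documenting too that `ca.setAuthoritySerial` updates the in-memory serial before `updateAuthoritySerialNumber` persists it, so a failure in the latter leaves the object ahead of the stored record and skips `checkForNewerCert`; I cannot tell from the hunk whether that store is expected to be atomic with the renewal.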
+++ b/base/ca/src/main/java/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -384,7 +384,7 @@ public Response renewCA(String aidString) {
 Map auditParams = new LinkedHashMap<>();
 
 try {
- ca.renewAuthority(servletRequest);
+ engine.renewAuthority(servletRequest, ca);
 audit(ILogger.SUCCESS, OpDef.OP_MODIFY, aidString, null);
 return createNoContentResponse();
 } catch (CADisabledException e) {