Modified HttpClient.java to pick token details correctly if admin/age… #223
base: DOGTAG_10_5_BRANCH
Conversation
…nt certificates reside in HSM Signed-off-by: gkapoor <[email protected]>
@@ -152,7 +153,8 @@ public void send(String ifilename, String ofilename, String tokenName, String db | |||
else | |||
System.out.println("client cert is not null"); | |||
sslSocket.setUseClientMode(true); | |||
sslSocket.setClientCertNickname(nickname); | |||
String certnick = certname.toString(); |
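Review bot: the new local `String certnick = certname.toString();` is declared after the `sslSocket.setClientCertNickname(nickname);` call just above it, and the same `certname.toString()` expression is used earlier in the method (line 148 in the review discussion), so the lookup and the socket call can still receive different strings. Declare `certnick` once before the `findCertByNickname` lookup and pass that single string to both `findCertByNickname(certnick)` and `setClientCertNickname(certnick)`; that is what the reported stack trace is about, since a cert looked up under the token-qualified name but set on the socket under the bare nickname fails inside `setClientCertNickname` with `ObjectNotFoundException`. Since the null check after the lookup only prints "client cert is null" and continues, consider failing there with a message that includes the token-qualified nickname instead of letting the later call throw.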
Functionally it looks good, but for cleanliness, see how "certname.toString()" is used at line 148 too? How about moving this (line 156) up above that (line 148) and changing the reference of "certname.toString()" to "certnick" as well?
Thanks @ladycfu .
How about this:
sslSocket.setUseClientMode(true);
sslSocket.setClientCertNickname(certname.toString());
X509Certificate cert =
cm.findCertByNickname(certname.toString());
if (cert == null)
System.out.println("client cert is null");
else
System.out.println("client cert is not null");
What I meant was:
String certnick = certname.toString();
X509Certificate cert =
cm.findCertByNickname(certnick);
if (cert == null)
System.out.println("client cert is null");
else
System.out.println("client cert is not null");
sslSocket.setUseClientMode(true);
sslSocket.setClientCertNickname(certnick);
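The arrangement agreed above, generalized: resolve the token-qualified nickname once, look the cert up under it, and hand the identical string to the socket. This is an added illustration, not code from HttpClient.java or the JSS project; the class and method names are hypothetical, and the internal-token names it treats as "no prefix needed" are an assumption.

```java
import java.net.SocketException;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLSocket;

/** Hypothetical helper (not part of HttpClient.java). */
public final class ClientCertSelector {

    /**
     * Builds the nickname JSS expects: the bare nickname for the internal
     * token, "token:nickname" for an HSM or any other external token.
     * Assumption: "internal" and "Internal Key Storage Token" mean the
     * NSS internal token; adjust for your deployment.
     */
    public static String qualifiedNickname(String tokenName, String nickname) {
        if (tokenName == null || tokenName.isEmpty()
                || tokenName.equalsIgnoreCase("internal")
                || tokenName.equalsIgnoreCase("Internal Key Storage Token")) {
            return nickname;
        }
        // Do not double-prefix a nickname the caller already qualified.
        if (nickname.startsWith(tokenName + ":")) {
            return nickname;
        }
        return tokenName + ":" + nickname;
    }

    /**
     * Looks the cert up under one string and sets that same string on the
     * socket, so the lookup and setClientCertNickname cannot disagree.
     * A missing cert fails here, naming the token-qualified nickname,
     * instead of later inside setClientCertNickname.
     */
    public static X509Certificate selectClientCert(CryptoManager cm, SSLSocket sslSocket,
            String tokenName, String nickname) throws TokenException, SocketException {
        String certnick = qualifiedNickname(tokenName, nickname);
        X509Certificate cert;
        try {
            cert = cm.findCertByNickname(certnick);
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException("client cert not found: " + certnick, e);
        }
        sslSocket.setUseClientMode(true);
        sslSocket.setClientCertNickname(certnick);
        return cert;
    }
}
```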
Signed-off-by: gkapoor <[email protected]>
Bumping the stale PR. I see that this PR is already approved for 10.5. If we are ok, we can go ahead and merge these changes. Also consider forward porting the changes to the required branches! Thanks! :-)
…nt certificates reside in HSM
Signed-off-by: gkapoor [email protected]
Problem:
java.lang.RuntimeException: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: subsystemCert cert-rhel77
    at org.mozilla.jss.ssl.SocketBase.setClientCertNickname(SocketBase.java:410)
    at org.mozilla.jss.ssl.SSLSocket.setClientCertNickname(SSLSocket.java:1283)
    at com.netscape.cmstools.HttpClient.send(HttpClient.java:155)
    at com.netscape.cmstools.HttpClient.main(HttpClient.java:395)
Caused by: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: subsystemCert cert-rhel77
    at org.mozilla.jss.CryptoManager.findCertByNicknameNative(Native Method)
    at org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1309)
    at org.mozilla.jss.ssl.SocketBase.setClientCertNickname(SocketBase.java:403)
    ... 3 more
This fix basically gets rid of the exception if the admin/agent cert is in an HSM or any other external token.
This will fix the exception.
Christina, could you please review it? I don't have a ticket for this fix. Please have a look.
With the fix, I have performed a basic sanity test for HSM and Internal tokens.
Below is the test report:
Test Case 1: Token :Internal
Total number of bytes read = 1438
after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key
Certificate Nickname: subsystemCert cert-pki-tomcat
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 2647
The response in binary format is stored in cmc.role_crmf.resp
Certificates:
Certificate:
Data:
Version: v3
Serial Number: 0xB
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
Validity:
Not Before: Saturday, June 22, 2019 4:15:12 PM EDT America/New_York
Not After: Thursday, December 19, 2019 4:15:12 PM EST America/New_York
Subject: UID=user2,OU=People,DC=example,DC=org
...........
Certificate:
Data:
Version: v3
Serial Number: 0x1
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
Validity:
Not Before: Friday, June 21, 2019 1:45:35 PM EDT America/New_York
Not After: Tuesday, June 21, 2039 1:45:35 PM EDT America/New_York
Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=idmqe.lab.eng.bos.redhat.com Security Domain
..................................
Number of controls is 1
Control #0: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
Status: SUCCESS
CMC Full Response.
=================================================
Test case 2: With HSM Token :
Total number of bytes read = 1428
after SSLSocket created, thread token is NHSM6000-OCS
Certificate Nickname: NHSM6000-OCS:subsystemCert cert-rhel77_ca_gkapoor1
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 2535
...................
The response in binary format is stored in cmc.role_crmf.resp
Certificates:
Certificate:
Data:
Version: v3
Serial Number: 0xFCA64BB
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,OU=rhel77_ca_gkapoor1,O=Example-rhcs10-CA
Validity:
Not Before: Saturday, June 22, 2019 4:40:45 PM EDT America/New_York
Not After: Thursday, December 19, 2019 4:40:45 PM EST America/New_York
Subject: UID=user1a,OU=People,DC=example,DC=org
........................
Certificate:
Data:
Version: v3
Serial Number: 0x7561F89
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=CA Signing Certificate,OU=rhel77_ca_gkapoor1,O=Example-rhcs10-CA
Validity:
Not Before: Friday, June 21, 2019 7:33:28 AM EDT America/New_York
Not After: Tuesday, June 21, 2039 7:33:28 AM EDT America/New_York
Subject: CN=CA Signing Certificate,OU=rhel77_ca_gkapoor1,O=Example-rhcs10-CA
......................................
Number of controls is 1
Control #0: CMCStatusInfoV2
OID: {1 3 6 1 5 5 7 7 25}
BodyList: 1
Status: SUCCESS
CMC Full Response.