Refactor CAEngine.addAuthorityEntry() #4583

Merged
merged 1 commit into from
Oct 9, 2023
Expand Up @@ -108,6 +108,14 @@ public void setKeyHosts(Collection<String> keyHosts) {
this.keyHosts.addAll(keyHosts);
}

public void addKeyHost(String keyHost) {
keyHosts.add(keyHost);
}

public void removeKeyHost(String keyHost) {
keyHosts.remove(keyHost);
}

public String getNSUniqueID() {
return nsUniqueID;
}
160 changes: 89 additions & 71 deletions base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java
Expand Up @@ -18,7 +18,6 @@

package org.dogtagpki.server.ca;

import java.io.IOException;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.SecureRandom;
Expand Down Expand Up @@ -1120,47 +1119,27 @@ public CertificateAuthority createCA(
"DN '" + subjectX500Name + "' is used by an existing authority");
}

// generate authority ID and nickname
AuthorityID aid = new AuthorityID();
String aidString = aid.toString();
logger.info("CAEngine: Creating authority " + aidString);

CertificateAuthority hostCA = getCA();
String nickname = hostCA.getNickname() + " " + aidString;
logger.info("CAEngine: - nickname: " + nickname);
AuthorityRecord record = new AuthorityRecord();

// build database entry
String dn = "cn=" + aidString + "," + getAuthorityBaseDN();
logger.info("CAEngine: - authority record: " + dn);
// generate authority ID
AuthorityID authorityID = new AuthorityID();
record.setAuthorityID(authorityID);
record.setAuthorityDN(subjectX500Name);

String parentDNString = parentCA.getX500Name().toLdapDNString();
record.setParentID(parentCA.getAuthorityID());
record.setParentDN(parentCA.getX500Name());

String keyHost = mConfig.getHostname() + ":" + getEESSLPort();
logger.info("CAEngine: - key host: " + keyHost);
record.setDescription(description);
record.setEnabled(true);

LDAPAttribute[] attrs = {
new LDAPAttribute("objectclass", "authority"),
new LDAPAttribute("cn", aidString),
new LDAPAttribute("authorityID", aidString),
new LDAPAttribute("authorityKeyNickname", nickname),
new LDAPAttribute("authorityKeyHost", keyHost),
new LDAPAttribute("authorityEnabled", "TRUE"),
new LDAPAttribute("authorityDN", subjectDN),
new LDAPAttribute("authorityParentDN", parentDNString)
};
CertificateAuthority hostCA = getCA();

LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
if (parentCA.getAuthorityID() != null) {
attrSet.add(new LDAPAttribute("authorityParentID", parentCA.getAuthorityID().toString()));
}
String keyNickname = hostCA.getNickname() + " " + authorityID;
record.setKeyNickname(keyNickname);

if (description != null) {
logger.info("CAEngine: - description: " + description);
attrSet.add(new LDAPAttribute("description", description));
}
record.addKeyHost(mConfig.getHostname() + ":" + getEESSLPort());

LDAPEntry ldapEntry = new LDAPEntry(dn, attrSet);
addAuthorityEntry(aid, ldapEntry);
addAuthorityRecord(record);

X509CertImpl cert = null;

Expand All @@ -1170,24 +1149,24 @@ public CertificateAuthority createCA(

logger.info("CAEngine: Importing signing certificate into NSS database");
CryptoManager cryptoManager = CryptoManager.getInstance();
cryptoManager.importCertPackage(cert.getEncoded(), nickname);
cryptoManager.importCertPackage(cert.getEncoded(), keyNickname);

} catch (Exception e) {
logger.error("Unable to generate signing certificate: " + e.getMessage(), e);

// something went wrong; delete just-added entry
deleteAuthorityEntry(aid);
deleteAuthorityEntry(authorityID);

throw e;
}

ca = new CertificateAuthority(
subjectX500Name,
aid,
authorityID,
parentCA.getAuthorityID(),
cert.getSerialNumber(),
nickname,
Collections.singleton(keyHost),
keyNickname,
record.getKeyHosts(),
description,
true);

Expand All @@ -1196,7 +1175,7 @@ public CertificateAuthority createCA(
ca.setCMSEngine(this);
ca.init(caConfig);

updateAuthoritySerialNumber(aid, cert.getSerialNumber());
updateAuthoritySerialNumber(authorityID, cert.getSerialNumber());

return ca;
}
Expand Down Expand Up @@ -1344,7 +1323,62 @@ public LDAPConstraints getUpdateConstraints() {
return cons;
}

public synchronized void addAuthorityEntry(AuthorityID aid, LDAPEntry entry) throws EBaseException {
public synchronized void addAuthorityRecord(AuthorityRecord record) throws Exception {

AuthorityID authorityID = record.getAuthorityID();
String aidStr = authorityID.toString();
String dn = "cn=" + aidStr + "," + getAuthorityBaseDN();
logger.info("CAEngine: Creating " + dn);

LDAPAttributeSet attrSet = new LDAPAttributeSet();
attrSet.add(new LDAPAttribute("objectclass", "authority"));

logger.info("CAEngine: - authority ID: " + aidStr);
attrSet.add(new LDAPAttribute("cn", aidStr));
attrSet.add(new LDAPAttribute("authorityID", aidStr));

X500Name authorityDN = record.getAuthorityDN();
logger.info("CAEngine: - authority DN: " + authorityDN);
attrSet.add(new LDAPAttribute("authorityDN", authorityDN.toLdapDNString()));

AuthorityID parentID = record.getParentID();
if (parentID != null) {
logger.info("CAEngine: - parent ID: " + parentID);
attrSet.add(new LDAPAttribute("authorityParentID", parentID.toString()));
}

X500Name parentDN = record.getParentDN();
if (parentDN != null) {
logger.info("CAEngine: - parent DN: " + parentDN);
attrSet.add(new LDAPAttribute("authorityParentDN", parentDN.toLdapDNString()));
}

String description = record.getDescription();
if (description != null) {
logger.info("CAEngine: - description: " + description);
attrSet.add(new LDAPAttribute("description", description));
}

Boolean enabled = record.getEnabled();
if (enabled != null) {
logger.info("CAEngine: - enabled: " + description);
attrSet.add(new LDAPAttribute("authorityEnabled", enabled ? "TRUE" : "FALSE"));
}

String keyNickname = record.getKeyNickname();
if (keyNickname != null) {
logger.info("CAEngine: - key nickname: " + keyNickname);
attrSet.add(new LDAPAttribute("authorityKeyNickname", keyNickname));
}

Collection<String> keyHosts = record.getKeyHosts();
if (!keyHosts.isEmpty()) {
logger.info("CAEngine: - key hosts: " + keyHosts);
String[] values = keyHosts.toArray(new String[keyHosts.size()]);
attrSet.add(new LDAPAttribute("authorityKeyHost", values));
}

LDAPEntry entry = new LDAPEntry(dn, attrSet);

LDAPConnection conn = connectionFactory.getConn();
LDAPControl[] responseControls;
Expand All @@ -1360,7 +1394,7 @@ public synchronized void addAuthorityEntry(AuthorityID aid, LDAPEntry entry) thr
connectionFactory.returnConn(conn);
}

authorityMonitor.trackUpdate(aid, responseControls);
authorityMonitor.trackUpdate(authorityID, responseControls);
}

public synchronized void modifyAuthorityEntry(AuthorityID aid, LDAPModificationSet mods) throws EBaseException {
Expand Down Expand Up @@ -1415,43 +1449,27 @@ public synchronized void deleteAuthorityEntry(AuthorityID aid) throws EBaseExcep
* It is the caller's responsibility to add the returned
* AuthorityID to the CAEngine.
*/
public AuthorityID addHostAuthorityEntry() throws EBaseException {
public AuthorityID addHostAuthorityEntry() throws Exception {

CertificateAuthority hostCA = getCA();

// generate authority ID
AuthorityID aid = new AuthorityID();
String aidString = aid.toString();
AuthorityRecord record = new AuthorityRecord();

// build database entry
String dn = "cn=" + aidString + "," + getAuthorityBaseDN();
String dnString = null;
try {
dnString = hostCA.getX500Name().toLdapDNString();
// generate authority ID
record.setAuthorityID(new AuthorityID());
record.setAuthorityDN(hostCA.getX500Name());

} catch (IOException e) {
throw new EBaseException("Unable to convert issuer DN to string: " + e.getMessage(), e);
}
record.setDescription("Host authority");
record.setEnabled(true);

String desc = "Host authority";
LDAPAttribute[] attrs = {
new LDAPAttribute("objectclass", "authority"),
new LDAPAttribute("cn", aidString),
new LDAPAttribute("authorityID", aidString),
new LDAPAttribute("authorityKeyNickname", hostCA.getNickname()),
new LDAPAttribute("authorityEnabled", "TRUE"),
new LDAPAttribute("authorityDN", dnString),
new LDAPAttribute("description", desc)
};
LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
LDAPEntry ldapEntry = new LDAPEntry(dn, attrSet);
record.setKeyNickname(hostCA.getNickname());

addAuthorityEntry(aid, ldapEntry);
addAuthorityRecord(record);

hostCA.setAuthorityID(aid);
hostCA.setAuthorityDescription(desc);
hostCA.setAuthorityID(record.getAuthorityID());
hostCA.setAuthorityDescription(record.getDescription());

return aid;
return record.getAuthorityID();
}

public void updateAuthoritySerialNumber(AuthorityID aid, BigInteger serialNumber) throws Exception {
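Review bot: The `enabled` log line in the new addAuthorityRecord() prints the wrong variable: `logger.info("CAEngine: - enabled: " + description);` should be `logger.info("CAEngine: - enabled: " + enabled);`, otherwise the log records the description under the "enabled" label and the TRUE/FALSE value actually written to `authorityEnabled` is never logged. A second point, of style: addAuthorityRecord() and addHostAuthorityEntry() now declare `throws Exception` where the removed code threw EBaseException and wrapped the IOException from toLdapDNString() with a message saying which DN conversion failed; callers that catch EBaseException (not visible here) would no longer see that failure as one, so either keep the narrower type with the wrapping or document why the wider one is intended. The middle of addAuthorityRecord() (the LDAP add and its error handling) is collapsed out of the hunk between the two `@@` headers, so this review covers only the visible part of that method.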