diff --git a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java index b2e48c813bd..e48f09e7978 100644 --- a/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/ca/src/main/java/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -28,9 +28,14 @@ import org.dogtagpki.server.ca.ICertificateAuthority; import org.mozilla.jss.netscape.security.x509.CertificateSubjectName; import org.mozilla.jss.netscape.security.x509.CertificateX509Key; +import org.mozilla.jss.netscape.security.x509.Extension; +import org.mozilla.jss.netscape.security.x509.KeyIdentifier; +import org.mozilla.jss.netscape.security.x509.PKIXExtensions; +import org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension; import org.mozilla.jss.netscape.security.x509.X500Name; import org.mozilla.jss.netscape.security.x509.X509CertImpl; import org.mozilla.jss.netscape.security.x509.X509CertInfo; +import org.mozilla.jss.netscape.security.x509.X509Key; import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; import com.netscape.ca.CertificateAuthority; @@ -292,6 +297,7 @@ public void execute(IRequest request) // process certificate issuance X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + logger.debug(method + "cfu before: X509CertInfo info = " + info.toString()); if (isSSKeygen) { try { @@ -299,24 +305,60 @@ public void execute(IRequest request) if (pubKeyStr == null) { throw new EProfileException("Server-Side Keygen enrollment failed to retrieve public_key from KRA"); } - //logger.debug(method + "pubKeyStr = " + pubKeyStr); + logger.debug(method + "pubKeyStr = " + pubKeyStr); byte[] pubKeyB = CryptoUtil.base64Decode(pubKeyStr); CertificateX509Key certKey = new CertificateX509Key( new ByteArrayInputStream(pubKeyB)); - Object oj = info.get(X509CertInfo.KEY); - if (oj != null) { + + // replace fake key in info + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + if (infokey != null) { + X509Key key = (X509Key) + infokey.get(CertificateX509Key.KEY); + logger.debug(method + "key = " + key.toString()); // a placeholder temporary fake key was put in // ServerKeygenUserKeyDefault info.delete(X509CertInfo.KEY); - //logger.debug(method + " fake key deleted"); + logger.debug(method + "key deleted"); } + + // adding real key info.set(X509CertInfo.KEY, certKey); + + // fake key relaced; + // need to compute/replace SKI as well if present + + Extension ext = CertUtils.getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); + if (ext != null) { + logger.debug(method + "found SubjectKey_Id extension"); + // compute keyId + X509Key realkey = (X509Key) + certKey.get(CertificateX509Key.KEY); + byte[] hash = CryptoUtil.generateKeyIdentifier(realkey.getKey()); + KeyIdentifier id = new KeyIdentifier(hash); + SubjectKeyIdentifierExtension skiExt = + new SubjectKeyIdentifierExtension(id.getIdentifier()); + + // replace it + CertUtils.replaceExtension(PKIXExtensions.SubjectKey_Id.toString(), skiExt, info); + logger.debug(method + " SubjectKey_Id replaced"); + + logger.debug(method + " after replacement: X509CertInfo info = " + info.toString()); + }/* else + Not every cert needs an SKI + logger.debug(method + "did not find SubjectKey_Id"); + */ + } catch (IOException e) { logger.debug(method + e); throw new EProfileException(e); } catch (CertificateException e) { logger.debug(method + e); throw new EProfileException(e); + } catch (Exception e) { + logger.debug(method + e); + throw new EProfileException(e); } } diff --git a/base/ca/src/main/java/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java b/base/ca/src/main/java/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java index 5d905bee8d6..21c3f5f533d 100644 --- a/base/ca/src/main/java/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java +++ b/base/ca/src/main/java/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java @@ -491,6 +491,7 @@ else if (keyType.contentEquals("EC")) { request.setExtData(IRequest.SERVER_SIDE_KEYGEN_ENROLL_ENABLE_ARCHIVAL, enableArchival? "true":"false"); info.set(X509CertInfo.KEY, certKey); + logger.debug(method + "fake key injected for SSK."); } catch (Exception e) { logger.debug("ServerKeygenUserKeyDefault: populate " + e.toString()); throw new EProfileException(e.getMessage()); diff --git a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java index 4a82eb92f83..63758526002 100644 --- a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java +++ b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java @@ -33,6 +33,8 @@ import java.security.cert.X509CRL; import java.security.cert.X509Certificate; import java.util.Arrays; +import java.util.ArrayList; +import java.util.Collection; import java.util.Enumeration; import java.util.Iterator; import java.util.Locale; @@ -569,6 +571,124 @@ public static String getCertType(X509CertImpl cert) throws CertificateParsingExc return (sb.length() > 0) ? sb.toString() : null; } + public static void addExtension(String name, Extension ext, X509CertInfo info) + throws EProfileException { + if (ext == null) { + throw new EProfileException("addExtension: extension '" + name + "' is null"); + } + CertificateExtensions exts = null; + + Extension alreadyPresentExtension = getExtension(name, info); + + if (alreadyPresentExtension != null) { + String eName = ext.toString(); + logger.error("Duplicate extension: " + eName); + throw new EProfileException(CMS.getUserMessage("CMS_PROFILE_DUPLICATE_EXTENSION", eName)); + } + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + logger.warn("EnrollDefault: " + e.getMessage(), e); + } + if (exts == null) { + throw new EProfileException("extensions not found"); + } + try { + exts.set(name, ext); + } catch (IOException e) { + logger.warn("EnrollDefault: " + e.getMessage(), e); + } + } + + public static void deleteExtension(String extID, X509CertInfo info) throws Exception { + + CertificateExtensions exts = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); + + if (exts == null) { + return; + } + + Collection names = new ArrayList<>(); + Enumeration e = exts.getNames(); + + // get names of extensions to remove + while (e.hasMoreElements()) { + String name = e.nextElement(); + Extension ext = (Extension) exts.get(name); + + if (ext.getExtensionId().toString().equals(extID)) { + names.add(name); + } + } + + // remove extensions in separate loop to avoid ConcurrentModificationException + for (String name : names) { + exts.delete(name); + } + } + + public static void replaceExtension(String name, Extension ext, X509CertInfo info) + throws EProfileException { + try { + deleteExtension(name, info); + } catch (Exception e) { + throw new EProfileException(e); + } + + addExtension(name, ext, info); + } + + public static Extension getExtension(String name, X509CertInfo info) { + + if (info == null) { + logger.error("Missing certificate info"); + return null; + } + + CertificateExtensions exts = null; + + try { + exts = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + logger.warn("EnrollDefault: getExtension " + e.getMessage(), e); + } + + if (exts == null) { + logger.debug("EnrollDefault: Unable to find extensions"); + return null; + } + + return getExtension(name, exts); + } + + public static Extension getExtension(String name, CertificateExtensions exts) { + + logger.debug("EnrollDefault: Searching for " + name + " extension"); + + if (exts == null) { + logger.error("Missing certificate extensions"); + return null; + } + + Enumeration e = exts.getAttributes(); + + logger.debug("EnrollDefault: Extensions:"); + while (e.hasMoreElements()) { + Extension ext = e.nextElement(); + logger.debug("EnrollDefault: - " + ext.getExtensionId()); + + if (ext.getExtensionId().toString().equals(name)) { + logger.debug("EnrollDefault: Found extension " + name); + return ext; + } + } + + logger.debug("EnrollDefault: Extension " + name + " not found"); + return null; + } + public static String getNSExtensionInfo(NSCertTypeExtension nsExtn) { StringBuffer sb = new StringBuffer();