Fixed CAInfoService.getKRAInfoClient()

The CAInfoService.getKRAInfoClient() and
CAService.getConnector() have been modified to use the
client certificate specified in the CA's KRA connector to
access KRA. If the client certificate is missing, it will
use the subsystem certificate instead.

The CAInfoService has also been modified to propagate
any exception during the above operation to the caller.

https://bugzilla.redhat.com/show_bug.cgi?id=1861911

base/ca/src/com/netscape/ca/CAService.java

@@ -19,7 +19,6 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.lang.Integer;
 import java.math.BigInteger;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -39,7 +38,6 @@
 import org.dogtagpki.server.ca.ICertificateAuthority;
 import org.mozilla.jss.netscape.security.extensions.CertInfo;
 import org.mozilla.jss.netscape.security.util.BigInt;
-import org.mozilla.jss.netscape.security.util.Cert;
 import org.mozilla.jss.netscape.security.util.DerValue;
 import org.mozilla.jss.netscape.security.util.Utils;
 import org.mozilla.jss.netscape.security.x509.AlgorithmId;
@@ -92,6 +90,7 @@
 import com.netscape.cms.profile.common.Profile;
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
+import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.connector.HttpConnector;
 import com.netscape.cmscore.connector.LocalConnector;
 import com.netscape.cmscore.connector.RemoteAuthority;
@@ -101,6 +100,7 @@
 import com.netscape.cmscore.dbs.CertificateRepository;
 import com.netscape.cmscore.dbs.RevocationInfo;
 import com.netscape.cmscore.profile.ProfileSubsystem;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 
 /**
  * Request Service for CertificateAuthority.
@@ -235,6 +235,8 @@ public IConnector getConnector(IConfigStore config)
             throws EBaseException {
 
         CMSEngine engine = CMS.getCMSEngine();
+        EngineConfig cs = engine.getConfig();
+
         IConnector connector = null;
 
         if (config == null || config.size() <= 0) {
@@ -277,7 +279,17 @@ public IConnector getConnector(IConfigStore config)
             String host = config.getString("host");
             int port = config.getInteger("port");
             String uri = config.getString("uri");
+
+            // Use client cert specified in KRA connector
             String nickname = config.getString("nickName", null);
+            if (nickname == null) {
+                // Use subsystem cert as client cert
+                nickname = cs.getString("ca.subsystem.nickname");
+
+                String tokenname = cs.getString("ca.subsystem.tokenname", "");
+                if (!CryptoUtil.isInternalToken(tokenname)) nickname = tokenname + ":" + nickname;
+            }
+
             int resendInterval = config.getInteger("resendInterval", -1);
             // Inserted by beomsuk
             int timeout = config.getInteger("timeout", 0);
@@ -288,9 +300,6 @@ public IConnector getConnector(IConfigStore config)
             RemoteAuthority remauthority =
                     new RemoteAuthority(host, port, uri, timeout);
 
-            // Change end
-            if (nickname == null)
-                nickname = mCA.getNickname();
             // Changed by beomsuk
             //connector =
             //	new HttpConnector(mCA, nickname, remauthority, resendInterval);

base/ca/src/org/dogtagpki/server/rest/CAInfoService.java

@@ -34,6 +34,7 @@
 import org.slf4j.LoggerFactory;
 
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.client.ClientConfig;
 import com.netscape.certsrv.client.PKIClient;
@@ -43,6 +44,7 @@
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.apps.EngineConfig;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 
 /**
  * @author Ade Lee
@@ -99,7 +101,7 @@ public Response getInfo() throws Exception {
      * Apart from reading 'headers', this method doesn't access
      * any instance data.
      */
-    private void addKRAInfo(CAInfo info) {
+    private void addKRAInfo(CAInfo info) throws Exception {
         KRAConnectorInfo connInfo = null;
         try {
             KRAConnectorProcessor processor =
@@ -125,13 +127,15 @@ private void addKRAInfo(CAInfo info) {
         }
     }
 
-    private static void queryKRAInfo(KRAConnectorInfo connInfo) {
+    private static void queryKRAInfo(KRAConnectorInfo connInfo) throws Exception {
 
         CMSEngine engine = CMS.getCMSEngine();
         EngineConfig cs = engine.getConfig();
 
+        KRAInfoClient kraInfoClient = getKRAInfoClient(connInfo);
+
         try {
-            KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();
+            KRAInfo kraInfo = kraInfoClient.getInfo();
 
             archivalMechanism = kraInfo.getArchivalMechanism();
             encryptAlgorithm = kraInfo.getEncryptAlgorithm();
@@ -179,12 +183,24 @@ private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo)
 
         CMSEngine engine = CMS.getCMSEngine();
         EngineConfig cs = engine.getConfig();
+        IConfigStore kraConnectorConfig = cs.getSubStore(KRAConnectorProcessor.PREFIX);
 
         ClientConfig config = new ClientConfig();
         int port = Integer.parseInt(connInfo.getPort());
         config.setServerURL("https", connInfo.getHost(), port);
         config.setNSSDatabase(cs.getInstanceDir() + "/alias");
 
+        // Use client cert specified in KRA connector
+        String nickname = kraConnectorConfig.getString("nickName", null);
+        if (nickname == null) {
+            // Use subsystem cert as client cert
+            nickname = cs.getString("ca.subsystem.nickname");
+
+            String tokenname = cs.getString("ca.subsystem.tokenname", "");
+            if (!CryptoUtil.isInternalToken(tokenname)) nickname = tokenname + ":" + nickname;
+        }
+        config.setCertNickname(nickname);
+
         return new KRAInfoClient(new PKIClient(config), "kra");
     }