From 882216d262924a36d7f9b0d77a001472f1d3b39e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 31 Mar 2016 12:46:03 +1100 Subject: [PATCH 87/96] Lightweight CAs: add CAMissingKeyException class Add the CAMissingKeyException class and throw this exception when signing unit initialisation fails due to missing key. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625 --- base/ca/src/com/netscape/ca/CertificateAuthority.java | 10 +++++++++- base/ca/src/com/netscape/ca/SigningUnit.java | 3 ++- .../com/netscape/certsrv/ca/CAMissingKeyException.java | 15 +++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 63c7ca4e4a8083dc58b54196af89cc7629e9fd97..06920ead002b14f0438b4031fa71875b46e291f5 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -101,6 +101,7 @@ import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CADisabledException; import com.netscape.certsrv.ca.CAEnabledException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.ca.CANotFoundException; import com.netscape.certsrv.ca.CANotLeafException; import com.netscape.certsrv.ca.CATypeException; @@ -188,6 +189,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori protected AuthorityID authorityParentID = null; protected String authorityDescription = null; protected boolean authorityEnabled = true; + private boolean hasKeys = false; protected ISubsystem mOwner = null; protected IConfigStore mConfig = null; @@ -1354,7 +1356,13 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); } - mSigningUnit.init(this, caSigningCfg, mNickname); + try { + mSigningUnit.init(this, caSigningCfg, mNickname); + hasKeys = true; + } catch (CAMissingKeyException e) { + CMS.debug("CA signing key not (yet) present in NSSDB"); + return; + } CMS.debug("CA signing unit inited"); // for identrus diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java index 0ac4b7a1cc640310a4fa06f5eb562218408abfa7..692842a76b9f1669385678c3143c042a58b30499 100644 --- a/base/ca/src/com/netscape/ca/SigningUnit.java +++ b/base/ca/src/com/netscape/ca/SigningUnit.java @@ -43,6 +43,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.ca.ECAException; +import com.netscape.certsrv.ca.CAMissingKeyException; import com.netscape.certsrv.common.Constants; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.ISigningUnit; @@ -203,7 +204,7 @@ public final class SigningUnit implements ISigningUnit { } catch (ObjectNotFoundException e) { CMS.debug("SigningUnit init: debug " + e.toString()); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); } catch (TokenException e) { CMS.debug("SigningUnit init: debug " + e.toString()); log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java new file mode 100644 index 0000000000000000000000000000000000000000..8f5e1e72a3cdb31b1f12985d9e52371277901ae1 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java @@ -0,0 +1,15 @@ +package com.netscape.certsrv.ca; + +/** + * Exception to throw when a (sub-)CA's signing key is not (yet) + * present in the local NSSDB. + */ +public class CAMissingKeyException extends ECAException { + + private static final long serialVersionUID = -364157165997677925L; + + public CAMissingKeyException(String msgFormat) { + super(msgFormat); + } + +} -- 2.5.5