From 1d8ef47757a110b2d9413a08daf576184a7a7ac8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 31 Mar 2016 12:46:03 +1100
Subject: [PATCH 87/97] Lightweight CAs: add CAMissingKeyOrCertException class

Add the CAMissingKeyOrCertException class and throw this exception when signing unit initialisation fails due to missing object. Also add the private 'hasKeys' field for internal use. Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 10 +++++++++-
 base/ca/src/com/netscape/ca/SigningUnit.java | 3 ++-
 .../netscape/certsrv/ca/CAMissingKeyOrCertException.java | 15 +++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/ca/CAMissingKeyOrCertException.java

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 63c7ca4e4a8083dc58b54196af89cc7629e9fd97..5bad49d4b1688c4512a65d2b6b7209be045bbf5e 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -101,6 +101,7 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingKeyOrCertException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -188,6 +189,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
     protected AuthorityID authorityParentID = null;
     protected String authorityDescription = null;
     protected boolean authorityEnabled = true;
+    private boolean hasKeys = false;
     protected ISubsystem mOwner = null;
     protected IConfigStore mConfig = null;
 
@@ -1354,7 +1356,13 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
             mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
         }
-        mSigningUnit.init(this, caSigningCfg, mNickname);
+        try {
+            mSigningUnit.init(this, caSigningCfg, mNickname);
+            hasKeys = true;
+        } catch (CAMissingKeyOrCertException e) {
+            CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+            return;
+        }
         CMS.debug("CA signing unit inited");
         // for identrus
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 0ac4b7a1cc640310a4fa06f5eb562218408abfa7..cc97877643a5ec6e1dd32974e4b2fa52bcfd39b4 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.CAMissingKeyOrCertException;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.ISigningUnit;
@@ -203,7 +204,7 @@ public final class SigningUnit implements ISigningUnit {
         } catch (ObjectNotFoundException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-            throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            throw new CAMissingKeyOrCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
         } catch (TokenException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
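Review bot: The early `return` in the new catch block leaves the CA only partially initialised (everything after `CMS.debug("CA signing unit inited")` is skipped), yet `hasKeys` is only ever written here and nothing in this commit reads it, so later users of mSigningUnit have no guard against a unit whose init threw. A check at the signing entry points such as `if (!hasKeys) throw new CAMissingKeyOrCertException(...)`, or at least a Javadoc on the field stating that callers must consult it before signing, should accompany or closely follow this change (the commit message suggests the field is for later use). The catch also records the condition only at debug level and drops `e`; a CA instance that cannot sign deserves a non-debug log entry, and the debug line should carry the exception, e.g. `CMS.debug("CA signing key and cert not (yet) present in NSSDB: " + e);`. The enclosing method starts and ends outside the hunk.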
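Review bot: The new throw discards the caught ObjectNotFoundException: `CAMissingKeyOrCertException` is built from the user message alone, so which object was missing survives only in the preceding debug and audit lines, not in the exception that CertificateAuthority now catches. If ECAException offers a `(String, Exception)` constructor as EBaseException does, add a matching constructor to the new class (the CAMissingKeyOrCertException.java hunk) and throw `new CAMissingKeyOrCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e)` here. Only the ObjectNotFoundException path is converted, so a TokenException in the following catch still surfaces as a plain ECAException and is not treated as "not yet present" by the new caller, which looks intended but is worth a one-line comment on the converted catch. The enclosing try begins outside the hunk.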
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyOrCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyOrCertException.java
new file mode 100644
index 0000000000000000000000000000000000000000..45d4046cb1981111c05223c2efae498596a106f0
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyOrCertException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing key is not (yet)
+ * present in the local NSSDB.
+ */
+public class CAMissingKeyOrCertException extends ECAException {
+
+    private static final long serialVersionUID = -364157165997677925L;
+
+    public CAMissingKeyOrCertException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
-- 
2.5.5
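Review bot: The class Javadoc mentions only a missing signing key, while the class name and the throw site in SigningUnit (the `CMSCORE_CA_SIGNING_CERT_NOT_FOUND` path) cover the certificate as well; suggest `Exception to throw when a (sub-)CA's signing key or certificate is not (yet) present in the local NSSDB.` so the name, the doc and the throw site agree. Since CertificateAuthority now catches this type to decide that initialisation may continue without signing capability, that contract belongs in the Javadoc too, e.g. `Callers may treat this as a recoverable "not yet imported" condition rather than a fatal initialisation error.` The constructor could also use a `@param msgFormat` line naming it as the user-message key passed through to ECAException.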