From 6d72a9c7fc067df42a3259fc5ea87b65e94f76ad Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 31 Mar 2016 12:46:03 +1100
Subject: [PATCH 87/96] Lightweight CAs: add exceptions for missing signing key
 or cert

Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object.  In CertificateAuthority, store the exception if it occurs
for possible re-throwing later.  Also add the private 'hasKeys'
field for internal use.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 14 +++++++++++++-
 base/ca/src/com/netscape/ca/SigningUnit.java       | 22 ++++++++++++++++------
 .../certsrv/ca/CAMissingCertException.java         | 15 +++++++++++++++
 .../netscape/certsrv/ca/CAMissingKeyException.java | 15 +++++++++++++++
 4 files changed, 59 insertions(+), 7 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
 create mode 100644 base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 2e1f9d7c8f2202d1e755537caa3b10f3b8c6e014..b087f26b6a43c4806b826e368d14feffdea85e56 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -77,6 +77,8 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -188,6 +190,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
     protected AuthorityID authorityParentID = null;
     protected String authorityDescription = null;
     protected boolean authorityEnabled = true;
+    private boolean hasKeys = false;
+    private ECAException signingUnitException = null;
 
     protected ISubsystem mOwner = null;
     protected IConfigStore mConfig = null;
@@ -1358,7 +1362,15 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
                 mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
             }
 
-            mSigningUnit.init(this, caSigningCfg, mNickname);
+            try {
+                mSigningUnit.init(this, caSigningCfg, mNickname);
+                hasKeys = true;
+                signingUnitException = null;
+            } catch (CAMissingCertException | CAMissingKeyException e) {
+                CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+                signingUnitException = e;
+                return;
+            }
             CMS.debug("CA signing unit inited");
 
             // for identrus
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 0ac4b7a1cc640310a4fa06f5eb562218408abfa7..60bd84e3b365b8ea4db53314427bf525668597cb 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -43,6 +43,8 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ca.CAMissingCertException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.ISigningUnit;
@@ -165,14 +167,22 @@ public final class SigningUnit implements ISigningUnit {
 
             mToken.login(cb); // ONE_TIME by default.
 
-            mCert = mManager.findCertByNickname(mNickname);
-            CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            try {
+                mCert = mManager.findCertByNickname(mNickname);
+                CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mCertImpl = new X509CertImpl(mCert.getEncoded());
             CMS.debug("converted to x509CertImpl");
 
-            mPrivk = mManager.findPrivKeyByCert(mCert);
-            CMS.debug("Got private key from cert");
+            try {
+                mPrivk = mManager.findPrivKeyByCert(mCert);
+                CMS.debug("Got private key from cert");
+            } catch (ObjectNotFoundException e) {
+                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            }
 
             mPubk = mCert.getPublicKey();
             CMS.debug("Got public key from cert");
@@ -200,10 +210,10 @@ public final class SigningUnit implements ISigningUnit {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
             throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
-        } catch (ObjectNotFoundException e) {
+        } catch (CAMissingCertException | CAMissingKeyException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-            throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+            throw e;  // re-throw
         } catch (TokenException e) {
             CMS.debug("SigningUnit init: debug " + e.toString());
             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
new file mode 100644
index 0000000000000000000000000000000000000000..49c5063f2a79a6fa2f977054dd2363e128c80d8f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing certificate is not
+ * (yet) present in the local NSSDB.
+ */
+public class CAMissingCertException extends ECAException {
+
+    private static final long serialVersionUID = 7261805480088539689L;
+
+    public CAMissingCertException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
new file mode 100644
index 0000000000000000000000000000000000000000..8f5e1e72a3cdb31b1f12985d9e52371277901ae1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
@@ -0,0 +1,15 @@
+package com.netscape.certsrv.ca;
+
+/**
+ * Exception to throw when a (sub-)CA's signing key is not (yet)
+ * present in the local NSSDB.
+ */
+public class CAMissingKeyException extends ECAException {
+
+    private static final long serialVersionUID = -364157165997677925L;
+
+    public CAMissingKeyException(String msgFormat) {
+        super(msgFormat);
+    }
+
+}
-- 
2.5.5