#665 cloning is broken for second instance in shared subsystems
Closed: Fixed None Opened 10 years ago by vakwetu.

When importing certs from p12, we call ConfigurationUtils.deleteExistingCerts()
This function looks at preop.cert.list and deletes any certs with the same nickname (except for the sslserver).

The problem is that some of the certs have the same nickname for different subsystems.
For example, CA -> signing, ocsp_signing, audit_signing, sslserver, subsystem
KRA -> storage, transport, audit_signing, sslserver, subsystem

In this case, audit_signing and subsystem certs are removed when a KRA clone is added to a CA.

This also begs the question - how is it all working in the first place for the CA/KRA in the same subsystem?


Ok -- the original problem identification here is wrong.

When we call deleteExistingCerts(), it looks at preop.master.*.nickname to determine which cert to remove. In this case, as long as the nicknames are unique, there is no issue with the tags being the same.
This is the reason we got logs indicating that the item is not found on the token.

The problem is actually further in the code.
In importkeycert() we loop through the keys to be imported and then remove the cert associated with the key. We say that we are ignoring certs that are not in the master list, but don't actually continue the loop. Then we delete the cert associated with the key.

Later, we only import certs that are in the master list.

Here is some code to make it clearer.

    for (int i = 0; i < pkeyinfo_collection.size(); i++) {
        Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);
        PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);
        String nickname = (String) pkeyinfo_v.elementAt(1);
        if (! masterList.contains(nickname)) {
            // TODO - fix this to only import the keys that we need.
            CMS.debug("Ignoring " + nickname);
            // only import the master's system keys
            //    continue;
        }
        byte[] x509cert = getX509Cert(nickname, cert_collection);
        X509Certificate cert = cm.importCACertPackage(x509cert);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        pkeyinfo.encode(bos);
        byte[] pkey = bos.toByteArray();

        PublicKey publickey = cert.getPublicKey();
        CryptoToken token = cm.getInternalKeyStorageToken();
        CryptoStore store = token.getCryptoStore();

        try {
            store.deleteCert(cert);
        } catch (NoSuchItemOnTokenException e) {
            // this is OK
        }

        KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);
        SymmetricKey sk = kg.generate();
        byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
        IVParameterSpec param = new IVParameterSpec(iv);
        Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
        c.initEncrypt(sk, param);
        byte[] encpkey = c.doFinal(pkey);

        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
        wrapper.initUnwrap(sk, param);
        wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publickey), publickey);

    }

    for (int i = 0; i < cert_collection.size(); i++) {

        Vector<Object> cert_v = cert_collection.elementAt(i);
        byte[] cert = (byte[]) cert_v.elementAt(0);
        if (cert_v.size() > 1) {
            String name = (String) cert_v.elementAt(1);
            if (! masterList.contains(name)) {
                CMS.debug("Not importing " + name);
                // only import the master's system certs
                continue;
            }
            // we need to delete the trusted CA certificate if it is
            // the same as the ca signing certificate
            if (isCASigningCert(name)) {
                X509Certificate certchain = getX509CertFromToken(cert);
                if (certchain != null) {
                    CryptoToken token = cm.getInternalKeyStorageToken();
                    CryptoStore store = token.getCryptoStore();
                    if (store instanceof PK11Store) {
                        try {
                            PK11Store pk11store = (PK11Store) store;
                            pk11store.deleteCertOnly(certchain);
                        } catch (Exception ee) {
                            CMS.debug("importKeyCert: Exception=" + ee.toString());
                        }
                    }
                }
            }

            X509Certificate xcert = cm.importUserCACertPackage(cert, name);
            if (isCASigningCert(name)) {
                // we need to change the trust attribute to CT
                InternalCertificate icert = (InternalCertificate) xcert;
                icert.setSSLTrust(InternalCertificate.TRUSTED_CA
                        | InternalCertificate.TRUSTED_CLIENT_CA
                        | InternalCertificate.VALID_CA);
            } else if (isAuditSigningCert(name)) {
                InternalCertificate icert = (InternalCertificate) xcert;
                icert.setObjectSigningTrust(InternalCertificate.USER
                        | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER);
            }
        } else {
            cm.importCACertPackage(cert);
        }
    }
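
The following is a constructed model of the two loops above, added here to make the effect of the commented-out `continue` concrete; it is not Dogtag's code and not part of the ticket. It stands in for the NSS database with a dict of nickname to DER bytes, for the PKCS#12 contents with two lists of (blob, nickname) pairs, and for preop.master.*.nickname with a set. The nicknames, the `apply_fix` flag and all function names are assumptions made for the illustration.

```python
"""Constructed model of the key loop and cert loop in importKeyCert().
Not the project's code: the NSS DB, PKCS#12 and master list are all
stand-ins, and `apply_fix` toggles the missing `continue`."""

# Constructed nicknames (illustrative; not taken from a real instance).
CA_NICKS = [
    "caSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
]
KRA_NICKS = [
    "storageKey cert-pki-kra",
    "transportCert cert-pki-kra",
    "auditSigningCert cert-pki-kra",
    "subsystemCert cert-pki-kra",
]


def import_key_cert(store, keys, certs, master_list, apply_fix):
    """Replay the key loop and the cert loop against `store` (mutated in place).

    keys / certs: (blob, nickname) pairs from the PKCS#12
    master_list:  nicknames the clone is supposed to take from its master
    Returns the nicknames whose private key was unwrapped into the token.
    """
    unwrapped = []
    for _key_blob, nickname in keys:
        if nickname not in master_list:
            # The original logs "Ignoring <nickname>" but has the
            # `continue` commented out, so it falls through to the delete.
            if apply_fix:
                continue
        # importCACertPackage() followed by store.deleteCert(): whatever cert
        # carries this nickname, including one already in the clone's DB,
        # is removed before the key is unwrapped.
        store.pop(nickname, None)
        unwrapped.append(nickname)  # wrapper.unwrapPrivate(...)
    for cert_der, nickname in certs:
        if nickname not in master_list:
            continue  # this loop really does skip non-master certs
        store[nickname] = cert_der  # importUserCACertPackage(cert, name)
    return unwrapped


def build_scenario():
    """A KRA clone being added to an instance that already runs a CA."""
    store = {n: f"der({n})".encode() for n in CA_NICKS}  # CA certs already present
    # The master's PKCS#12 came from a shared CA+KRA instance, so it holds
    # keys and certs for both subsystems.
    keys = [(f"key({n})".encode(), n) for n in CA_NICKS + KRA_NICKS]
    certs = [(f"der({n})".encode(), n) for n in CA_NICKS + KRA_NICKS]
    master_list = set(KRA_NICKS)  # preop.master.*.nickname for the KRA
    return store, keys, certs, master_list


def run_scenario(apply_fix):
    store, keys, certs, master_list = build_scenario()
    unwrapped = import_key_cert(store, keys, certs, master_list, apply_fix)
    return store, unwrapped


def missing_ca_certs(apply_fix):
    """CA certs that are gone from the clone's DB after the import."""
    store, _ = run_scenario(apply_fix)
    return [n for n in CA_NICKS if n not in store]


if __name__ == "__main__":
    print("without continue, CA certs lost:", missing_ca_certs(False))
    print("with continue, CA certs lost:   ", missing_ca_certs(True))
```

With `apply_fix=False` every CA cert that shares a nickname with an entry in the PKCS#12 is deleted by the key loop and never restored by the cert loop, which is exactly the "certs are removed when a KRA clone is added to a CA" symptom; with the `continue` restored, the non-master keys are neither unwrapped nor do their certs get touched.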

Fixed and pushed to master and 10.0.x

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
a80cb95..3e1d74f master -> master

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
9a196d1..7ccb1d7 DOGTAG_10_0_BRANCH -> DOGTAG_10_0_BRANCH

Metadata Update from @vakwetu:
- Issue set to the milestone: 10.0.4

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1235

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
