Hi,
Attached patch fixes https://fedorahosted.org/pki/ticket/2443.
Thanks,
Fraser
From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 24 Aug 2016 14:40:46 +1000
Subject: [PATCH] Prevent deletion of host CA cert and key from NSSDB
If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones. Unless the main CA private key is
backed up somewhere there is no way to recover from this.
Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.
Fixes: https://fedorahosted.org/pki/ticket/2443
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++
1 file changed, 7 insertions(+)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index
a5397da0c0dcea654a15f16e5becc5c430a1bb29..6276100a079ff32757bf2de8540f6e6efa1d1cae
100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2991,6 +2991,13 @@ public class CertificateAuthority
/** Delete keys and certs of this authority from NSSDB.
*/
private void deleteAuthorityNSSDB() throws ECAException {
+if (isHostAuthority()) {
+String msg = "Attempt to delete host authority signing key; not
proceeding";
+log(ILogger.LL_WARN, msg);
+CMS.debug(msg);
+return;
+}
+
CryptoManager cryptoManager;
try {
cryptoManager = CryptoManager.getInstance();
--
2.5.5
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel