Refactored ConfigurationUtils.setCertPermissions() (part 2).

The code that sets the CA certificate trust flags have been moved
into ConfigurationUtils.setCertPermissions().

https://pagure.io/dogtagpki/issue/2654

Change-Id: I50bfc11bfdc5e6d9552db53581b34e0e1da7690d

base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

@@ -3169,39 +3169,27 @@ public static void handleCert(Cert cert) throws Exception {
             CertUtil.updateLocalRequest(config, certTag, cert.getRequest(), "pkcs10", null);
         }
 
-        if (certTag.equals("signing") && subsystem.equals("ca")) {
-            String NickName = nickname;
-            if (!CryptoUtil.isInternalToken(tokenname))
-                NickName = tokenname + ":" + nickname;
-
-            CMS.debug("ConfigurationUtils: set trust on CA signing cert " + NickName);
-            CryptoUtil.trustCertByNickname(NickName);
-        }
-
-        ConfigurationUtils.setCertPermissions(certTag);
+        ConfigurationUtils.setCertPermissions(cert);
     }
 
-    public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
+    public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
             ObjectNotFoundException, TokenException {
 
-        CMS.debug("ConfigurationUtils.setCertPermissions(" + tag + ")");
-
-        if (tag.equals("signing") || tag.equals("sslserver")) {
-            return;
-        }
-
-        IConfigStore cs = CMS.getConfigStore();
-        String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
-        String tokenname = cs.getString("preop.module.token", "");
+        String tag = cert.getCertTag();
+        String subsystem = cert.getSubsystem();
+        String nickname = cert.getNickname();
+        String tokenname = cert.getTokenname();
 
         if (!CryptoUtil.isInternalToken(tokenname))
             nickname = tokenname + ":" + nickname;
 
         CryptoManager cm = CryptoManager.getInstance();
-        CMS.debug("ConfigurationUtils: nickname: " + nickname);
         X509Certificate c = cm.findCertByNickname(nickname);
 
-        if (tag.equals("audit_signing")) { // set trust flags to u,u,Pu
+        if (tag.equals("signing") && subsystem.equals("ca")) { // set trust flags to CT,C,C
+            CryptoUtil.trustCACert(c);
+
+        } else if (tag.equals("audit_signing")) { // set trust flags to u,u,Pu
             CryptoUtil.trustAuditSigningCert(c);
 
         } // user certs will have u,u,u by default

base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java

@@ -1254,7 +1254,7 @@ public static void importCertificateChain(byte[] bytes)
         X509Certificate[] certs = manager.buildCertificateChain(cert);
         X509Certificate rootCert = certs[certs.length - 1];
 
-        trustRootCert(rootCert);
+        trustCACert(rootCert);
     }
 
     public static SEQUENCE parseCRMFMsgs(byte cert_request[])
@@ -1813,19 +1813,19 @@ public static void trustCert(InternalCertificate cert) {
         cert.setEmailTrust(flag);
     }
 
-    public static void trustRootCert(X509Certificate rootCert) {
+    public static void trustCACert(X509Certificate cert) {
 
         // set trust flags to CT,C,C
-        InternalCertificate cert = (InternalCertificate) rootCert;
+        InternalCertificate ic = (InternalCertificate) cert;
 
-        cert.setSSLTrust(InternalCertificate.TRUSTED_CA
+        ic.setSSLTrust(InternalCertificate.TRUSTED_CA
                 | InternalCertificate.TRUSTED_CLIENT_CA
                 | InternalCertificate.VALID_CA);
 
-        cert.setEmailTrust(InternalCertificate.TRUSTED_CA
+        ic.setEmailTrust(InternalCertificate.TRUSTED_CA
                 | InternalCertificate.VALID_CA);
 
-        cert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+        ic.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
                 | InternalCertificate.VALID_CA);
     }