authorawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-09-21 21:25:38 +0000
committerawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-09-21 21:25:38 +0000
commite9ee0936969731ecf60a29b3ca5b052ca033ab07 (patch)
treefd4ca369ac603818136abc67a86c079d1aafe80c
parent57f73adf3f5e8d638a496425334a544a284fd383 (diff)
Fixed bugzilla bugs: 621327 and 621334.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1313 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/shared/conf/CS.cfg2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java87
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java54
3 files changed, 124 insertions, 19 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index eb47851c8..cfc157754 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -200,7 +200,9 @@ ca.transitRecordPageSize=200
# ca.maxSearchReturns=1000
ca.scep.enable=false
ca.scep.hashAlgorithm=SHA1
+ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
+ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
ca.Policy._000=##
ca.Policy._001=## Certificate Policy Framework (deprecated)
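Review bot: The two new keys `ca.scep.allowedHashAlgorithms` and `ca.scep.allowedEncryptionAlgorithms` are added without a comment saying which tokens are valid. Judging from the rest of this commit, the names CRSPKIMessage reports are `MD5`, `SHA1`, `SHA256`, `SHA512` for digests and `DES`, `DES3` for encryption, matched case-insensitively after trimming. A misspelt entry would therefore reject every request using that algorithm, with nothing flagged at startup. I would add a comment line above each key, for example `# ca.scep.allowedHashAlgorithms: comma-separated subset of MD5,SHA1,SHA256,SHA512`, and a matching one for the encryption list.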
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 470e020c3..9b75d7bdb 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -76,8 +76,12 @@ public class CRSEnrollment extends HttpServlet
private String mSubstoreName;
private boolean mEnabled = false;
private String mHashAlgorithm = "SHA1";
- private String mmEncryptionAlgorithm = "DES3";
+ private String mHashAlgorithmList = null;
+ private String[] mAllowedHashAlgorithm;
+ private String mConfiguredEncryptionAlgorithm = "DES3";
private String mEncryptionAlgorithm = "DES3";
+ private String mEncryptionAlgorithmList = null;
+ private String[] mAllowedEncryptionAlgorithm;
private Random mRandom = null;
private int mNonceSizeLimit = 0;
protected ILogger mLogger = CMS.getLogger();
@@ -150,14 +154,30 @@ public class CRSEnrollment extends HttpServlet
IConfigStore scepConfig = authorityConfig.getSubStore("scep");
mEnabled = scepConfig.getBoolean("enable", false);
mHashAlgorithm = scepConfig.getString("hashAlgorithm", "SHA1");
- mEncryptionAlgorithm = scepConfig.getString("encryptionAlgorithm", "DES3");
+ mConfiguredEncryptionAlgorithm = scepConfig.getString("encryptionAlgorithm", "DES3");
mNonceSizeLimit = scepConfig.getInteger("nonceSizeLimit", 0);
+ mHashAlgorithmList = scepConfig.getString("allowedHashAlgorithms", "SHA1,SHA256,SHA512");
+ mAllowedHashAlgorithm = mHashAlgorithmList.split(",");
+ mEncryptionAlgorithmList = scepConfig.getString("allowedEncryptionAlgorithms", "DES3");
+ mAllowedEncryptionAlgorithm = mEncryptionAlgorithmList.split(",");
}
} catch (EBaseException e) {
}
- mmEncryptionAlgorithm = mEncryptionAlgorithm;
+ mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm;
CMS.debug("CRSEnrollment: init: SCEP support is "+((mEnabled)?"enabled":"disabled")+".");
CMS.debug("CRSEnrollment: init: mNonceSizeLimit: "+mNonceSizeLimit);
+ CMS.debug("CRSEnrollment: init: mHashAlgorithm: "+mHashAlgorithm);
+ CMS.debug("CRSEnrollment: init: mHashAlgorithmList: "+mHashAlgorithmList);
+ for (int i = 0; i < mAllowedHashAlgorithm.length; i++) {
+ mAllowedHashAlgorithm[i] = mAllowedHashAlgorithm[i].trim();
+ CMS.debug("CRSEnrollment: init: mAllowedHashAlgorithm["+i+"]="+mAllowedHashAlgorithm[i]);
+ }
+ CMS.debug("CRSEnrollment: init: mEncryptionAlgorithm: "+mEncryptionAlgorithm);
+ CMS.debug("CRSEnrollment: init: mEncryptionAlgorithmList: "+mEncryptionAlgorithmList);
+ for (int i = 0; i < mAllowedEncryptionAlgorithm.length; i++) {
+ mAllowedEncryptionAlgorithm[i] = mAllowedEncryptionAlgorithm[i].trim();
+ CMS.debug("CRSEnrollment: init: mAllowedEncryptionAlgorithm["+i+"]="+mAllowedEncryptionAlgorithm[i]);
+ }
try {
mProfileSubsystem = (IProfileSubsystem)CMS.getSubsystem("profile");
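Review bot: `mAllowedHashAlgorithm` and `mAllowedEncryptionAlgorithm` are only assigned inside the guarded block within the `try`, but the two trimming loops after the empty `catch (EBaseException e) {}` dereference them unconditionally. If a config read throws, or the enclosing condition (which starts outside this hunk) is false, both arrays are still null and `init` fails with a NullPointerException instead of falling back to the defaults. I would log the swallowed exception and do the split after the catch, using the default lists when nothing was read. The configured `hashAlgorithm` and `encryptionAlgorithm` are also never checked against the new allow-lists, so a server default outside its own list goes unnoticed.

```java
// … unchanged: scepConfig reads inside the try (without the two split() calls) …
} catch (EBaseException e) {
    CMS.debug("CRSEnrollment: init: failed to read SCEP configuration: " + e);
}
if (mHashAlgorithmList == null) {
    mHashAlgorithmList = "SHA1,SHA256,SHA512";
}
if (mEncryptionAlgorithmList == null) {
    mEncryptionAlgorithmList = "DES3";
}
mAllowedHashAlgorithm = mHashAlgorithmList.split(",");
mAllowedEncryptionAlgorithm = mEncryptionAlgorithmList.split(",");
// … unchanged: debug output and trimming loops …
```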
@@ -221,7 +241,7 @@ public class CRSEnrollment extends HttpServlet
String operation = null;
String message = null;
- mEncryptionAlgorithm = mmEncryptionAlgorithm;
+ mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm;
// Parse the URL from the HTTP Request. Split it up into
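Review bot: `mEncryptionAlgorithm` is still an instance field that is reset here on every request and later overwritten with the client's choice (`mEncryptionAlgorithm = ea` in the two decode hunks). The class extends HttpServlet, and containers normally serve concurrent requests through a single instance, so one request could pick up the algorithm selected by another. With only `DES3` allowed by default the effect is masked, but it returns as soon as `DES` is added to the allow-list. Carrying the value in a local variable or on the request object would remove the shared state; until then a comment such as `// NOTE: per-request value kept in an instance field; not thread-safe` would at least mark it. The method body continues outside this hunk.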
@@ -267,6 +287,11 @@ public class CRSEnrollment extends HttpServlet
}
}
+ catch (ServletException e)
+ {
+ CMS.debug("ServletException " + e);
+ throw new ServletException(e.getMessage().toString());
+ }
catch (Exception e)
{
CMS.debug("Service exception " + e);
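Review bot: `throw new ServletException(e.getMessage().toString());` discards the original exception's cause and stack trace, and itself throws a NullPointerException when the caught ServletException carries no message. The `.toString()` call on a String is a no-op. Replacing the line with `throw e;` keeps the same message and preserves the cause. The same rethrow pattern is repeated in the catch blocks added in the `@@ -695` and `@@ -780` hunks and should be changed there too. The enclosing try block starts outside this hunk.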
@@ -286,6 +311,20 @@ public class CRSEnrollment extends HttpServlet
level, "CEP Enrollment: "+msg);
}
+ private boolean isAlgorithmAllowed (String[] allowedAlgorithm, String algorithm) {
+ boolean allowed = false;
+
+ if (algorithm != null && algorithm.length() > 0) {
+ for (int i = 0; i < allowedAlgorithm.length; i++) {
+ if (algorithm.equalsIgnoreCase(allowedAlgorithm[i])) {
+ allowed = true;
+ }
+ }
+ }
+
+ return allowed;
+ }
+
public IAuthToken authenticate(AuthCredentials credentials, IProfileAuthenticator authenticator,
HttpServletRequest request) throws EBaseException {
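Review bot: `isAlgorithmAllowed` has no doc comment stating its contract, and it dereferences `allowedAlgorithm` without a null check. The fail-closed behaviour for a null or empty `algorithm` is what rejects unrecognised digest OIDs in the callers, so it deserves a short Javadoc saying that a null or empty name is never allowed and that matching is case-insensitive. A guard such as `if (allowedAlgorithm == null || algorithm == null || algorithm.length() == 0) return false;` would make a missing list reject rather than throw. The loop can also `return true;` on the first match instead of continuing through the array.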
@@ -462,8 +501,21 @@ public class CRSEnrollment extends HttpServlet
decodedPKIMessage.length+" bytes)");
}
try {
- req = new CRSPKIMessage();
- String ea = req.decodeCRSPKIMessage(is);
+ req = new CRSPKIMessage(is);
+ String ea = req.getEncryptionAlgorithm();
+ if (!isAlgorithmAllowed (mAllowedEncryptionAlgorithm, ea)) {
+ CMS.debug("CRSEnrollment: decodePKIMessage: Encryption algorithm '"+ea+
+ "' is not allowed ("+mEncryptionAlgorithmList+").");
+ throw new ServletException("Encryption algorithm '"+ea+
+ "' is not allowed ("+mEncryptionAlgorithmList+").");
+ }
+ String da = req.getDigestAlgorithmName();
+ if (!isAlgorithmAllowed (mAllowedHashAlgorithm, da)) {
+ CMS.debug("CRSEnrollment: decodePKIMessage: Hashing algorithm '"+da+
+ "' is not allowed ("+mHashAlgorithmList+").");
+ throw new ServletException("Hashing algorithm '"+da+
+ "' is not allowed ("+mHashAlgorithmList+").");
+ }
if (ea != null) {
mEncryptionAlgorithm = ea;
}
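Review bot: The allow-list enforcement added here is repeated almost line for line in the `@@ -695` hunk (handlePKIOperation), differing only in the method name in the debug text, so the two copies can drift apart. Moving it into one private helper keeps the policy in a single place. The ServletException text also includes the configured allow-list; if that message reaches the HTTP response, the server's SCEP policy is disclosed to any caller, so I would keep the list in the debug log only. The `if (ea != null)` guard that follows is now redundant, because a null `ea` is already rejected by the check.

```java
// … unchanged: req = new CRSPKIMessage(is); …
String ea = req.getEncryptionAlgorithm();
checkAlgorithmsAllowed("decodePKIMessage", ea, req.getDigestAlgorithmName());
mEncryptionAlgorithm = ea;

// new private helper, shared by decodePKIMessage and handlePKIOperation
private void checkAlgorithmsAllowed(String caller, String ea, String da)
        throws ServletException {
    if (!isAlgorithmAllowed(mAllowedEncryptionAlgorithm, ea)) {
        CMS.debug("CRSEnrollment: " + caller + ": Encryption algorithm '" + ea +
                  "' is not allowed (" + mEncryptionAlgorithmList + ").");
        throw new ServletException("Encryption algorithm '" + ea + "' is not allowed.");
    }
    if (!isAlgorithmAllowed(mAllowedHashAlgorithm, da)) {
        CMS.debug("CRSEnrollment: " + caller + ": Hashing algorithm '" + da +
                  "' is not allowed (" + mHashAlgorithmList + ").");
        throw new ServletException("Hashing algorithm '" + da + "' is not allowed.");
    }
}
```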
@@ -695,13 +747,29 @@ public class CRSEnrollment extends HttpServlet
decodedPKIMessage.length+" bytes)");
}
try {
- req = new CRSPKIMessage();
- String ea = req.decodeCRSPKIMessage(is);
+ req = new CRSPKIMessage(is);
+ String ea = req.getEncryptionAlgorithm();
+ if (!isAlgorithmAllowed (mAllowedEncryptionAlgorithm, ea)) {
+ CMS.debug("CRSEnrollment: handlePKIOperation: Encryption algorithm '"+ea+
+ "' is not allowed ("+mEncryptionAlgorithmList+").");
+ throw new ServletException("Encryption algorithm '"+ea+
+ "' is not allowed ("+mEncryptionAlgorithmList+").");
+ }
+ String da = req.getDigestAlgorithmName();
+ if (!isAlgorithmAllowed (mAllowedHashAlgorithm, da)) {
+ CMS.debug("CRSEnrollment: handlePKIOperation: Hashing algorithm '"+da+
+ "' is not allowed ("+mHashAlgorithmList+").");
+ throw new ServletException("Hashing algorithm '"+da+
+ "' is not allowed ("+mHashAlgorithmList+").");
+ }
if (ea != null) {
mEncryptionAlgorithm = ea;
}
crsResp = new CRSPKIMessage();
}
+ catch (ServletException e) {
+ throw new ServletException(e.getMessage().toString());
+ }
catch (Exception e) {
CMS.debug(e);
throw new ServletException("Could not decode the request.");
@@ -780,6 +848,9 @@ public class CRSEnrollment extends HttpServlet
CMS.debug("Invalid request type " + mt);
}
}
+ catch (ServletException e) {
+ throw new ServletException(e.getMessage().toString());
+ }
catch (CRSInvalidSignatureException e) {
CMS.debug("handlePKIMessage exception " + e);
CMS.debug(e);
diff --git a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
index b45f50d59..6ffd58e33 100644
--- a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
+++ b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
@@ -142,6 +142,7 @@ public class CRSPKIMessage {
private SET sis; // set of SignerInfos
private SignerInfo si; // First SignerInfo
+ private AlgorithmIdentifier digestAlgorithmId = null;
private int siv; // Version
private SET aa; // Authenticated Attributes
private SET aa_old; // Authenticated Attributes
@@ -168,6 +169,7 @@ public class CRSPKIMessage {
private byte[] iv; // initialization vector for above key
private byte[] ec; // encrypted content (P10, in case of request)
private byte[] cc; // * 'clear' content (not in ASN.1) *
+ private String encryptionAlgorithm = null;
// For the CertRep, the enveloped content is another signed Data:
private SignedData crsd;
@@ -222,6 +224,25 @@ public class CRSPKIMessage {
return oid;
}
+ // getHashAlgorithm is added to work around issue 636217
+ private String getHashAlgorithm (OBJECT_IDENTIFIER algorithmOID)
+ {
+ String hashAlgorithm = null;
+ OBJECT_IDENTIFIER oid = MD5_DIGEST;
+ if (algorithmOID != null) {
+ if (algorithmOID.equals(MD5_DIGEST)) {
+ hashAlgorithm = "MD5";
+ } else if (algorithmOID.equals(SHA1_DIGEST)) {
+ hashAlgorithm = "SHA1";
+ } else if (algorithmOID.equals(SHA256_DIGEST)) {
+ hashAlgorithm = "SHA256";
+ } else if (algorithmOID.equals(SHA512_DIGEST)) {
+ hashAlgorithm = "SHA512";
+ }
+ }
+ return hashAlgorithm;
+ }
+
// These functions are used to initialize the various blobs
public void makeSignedData(int version,
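Review bot: `OBJECT_IDENTIFIER oid = MD5_DIGEST;` in `getHashAlgorithm` is never read and should be dropped. The comment `// getHashAlgorithm is added to work around issue 636217` does not say what is being worked around. It should instead state the contract the servlet relies on, namely that the method returns `null` for a null or unrecognised OID and that callers treat `null` as "not allowed". For example: `// Maps a digest OID to its name (MD5, SHA1, SHA256, SHA512); returns null for any other OID so callers can reject it.`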
@@ -514,6 +535,18 @@ public class CRSPKIMessage {
return iv;
}
+ public String getEncryptionAlgorithm() {
+ return encryptionAlgorithm;
+ }
+
+ public String getDigestAlgorithmName() {
+ String name = null;
+ if (digestAlgorithmId != null) {
+ name = getHashAlgorithm(digestAlgorithmId.getOID());
+ }
+ return name;
+ }
+
public PublicKey getSignerPublicKey() {
try {
@@ -653,7 +686,7 @@ public class CRSPKIMessage {
}
- public String decodeCRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception {
+ private void decodeCRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception {
org.mozilla.jss.pkcs7.ContentInfo.Template crscit;
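Review bot: `decodeCRSPKIMessage` changes from `public String` to `private void`, which removes a public entry point of a class in the util package. Any caller outside the files in this commit that still uses the no-argument constructor followed by `decodeCRSPKIMessage(is)` will stop compiling. If such callers may exist, keep a public method that delegates to the private one and is marked `@deprecated`, pointing to `new CRSPKIMessage(is)` plus `getEncryptionAlgorithm()`. The method body continues in the next hunk.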
@@ -671,7 +704,7 @@ public class CRSPKIMessage {
new ByteArrayInputStream(
((ANY) crsci.getContent()).getEncoded()
));
- return this.decodeSD();
+ this.decodeSD();
}
public CRSPKIMessage() {
@@ -683,7 +716,7 @@ public class CRSPKIMessage {
decodeCRSPKIMessage(bais);
}
- private String decodeSD() throws Exception {
+ private void decodeSD() throws Exception {
ContentInfo sdci;
sis = sd.getSignerInfos();
@@ -715,8 +748,7 @@ public class CRSPKIMessage {
sgnIASN = new IssuerAndSerialNumber(firstCertInfo.getIssuer(),
firstCertInfo.getSerialNumber());
- return decodeED();
-
+ decodeED();
}
private void decodeSI() throws Exception {
@@ -724,13 +756,15 @@ public class CRSPKIMessage {
throw new Exception("SignerInfos is empty");
}
si = (SignerInfo) sis.elementAt(0);
+
+ digestAlgorithmId = si.getDigestAlgorithmIdentifer();
+
decodeAA();
aa_digest = new OCTET_STRING(si.getEncryptedDigest());
}
- private String decodeED() throws Exception {
- String encAlgorithm = null;
+ private void decodeED() throws Exception {
SET ris;
ris = (SET) sded.getRecipientInfos();
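Review bot: `digestAlgorithmId` is taken only from `sis.elementAt(0)` in `decodeSI`, so the hash allow-list in CRSEnrollment covers only the first SignerInfo of the message. Whether any later SignerInfo is ever used for verification is not visible in this hunk. If it can be, a message could pass the policy check with an allowed digest in the first entry while a disallowed one is used elsewhere. I would either reject messages whose `sis` holds more than one element or document the assumption with a comment such as `// Only the first SignerInfo is honoured; its digest algorithm is the one checked against the allow-list.`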
@@ -742,9 +776,9 @@ public class CRSPKIMessage {
eci = sded.getEncryptedContentInfo();
if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_EDE3_CBC_ENCRYPTION)) {
- encAlgorithm = "DES3";
+ encryptionAlgorithm = "DES3";
} else if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_CBC_ENCRYPTION)) {
- encAlgorithm = "DES";
+ encryptionAlgorithm = "DES";
} else {
throw new Exception("P10 encrypted alg is not supported (not DES): " + eci.getContentEncryptionAlgorithm().getOID());
}
@@ -762,8 +796,6 @@ public class CRSPKIMessage {
iv = os.toByteArray();
decodeRI();
-
- return encAlgorithm;
}
/**