authorawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-09-10 23:42:19 +0000
committerawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-09-10 23:42:19 +0000
commit576d5973725a23c43249e2cd38fef36861ccef80 (patch)
tree375c49e5f285349733d93be47ce4a7523f4f18ad
parent3899473d6039233167356933abd440c046af71a2 (diff)
Fixed bugzilla bugs: 621337, 621338.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1289 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/shared/conf/CS.cfg1
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java25
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java7
3 files changed, 28 insertions, 5 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index d1fa13735..accb62ff0 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -201,6 +201,7 @@ ca.transitRecordPageSize=200
ca.scep.enable=false
ca.scep.hashAlgorithm=SHA1
ca.scep.encryptionAlgorithm=DES3
+ca.scep.nonceSizeLimit=16
ca.Policy._000=##
ca.Policy._001=## Certificate Policy Framework (deprecated)
ca.Policy._002=##
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 683aadfae..470e020c3 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -78,6 +78,8 @@ public class CRSEnrollment extends HttpServlet
private String mHashAlgorithm = "SHA1";
private String mmEncryptionAlgorithm = "DES3";
private String mEncryptionAlgorithm = "DES3";
+ private Random mRandom = null;
+ private int mNonceSizeLimit = 0;
protected ILogger mLogger = CMS.getLogger();
private ICertificateAuthority ca;
/* for hashing challenge password */
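Review bot: The server nonce comes from `mRandom`, declared here as a plain `Random`; if that resolves to java.util.Random (the imports are outside the hunk), its output is predictable and not suitable for a protocol nonce that is meant to be unguessable. The same field is initialised by `mRandom = new Random();` in the later init hunk and consumed by `mRandom.nextBytes(serverNonce)` in the nonce hunk, so the point applies to all three places. Because SecureRandom extends Random, the declaration and the `nextBytes` call can stay and only the initialisation has to change: `mRandom = new SecureRandom();`. Making the field `final` and assigning it at the declaration would also rule out a null `mRandom` if a request is handled before init completes.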
@@ -149,11 +151,13 @@ public class CRSEnrollment extends HttpServlet
mEnabled = scepConfig.getBoolean("enable", false);
mHashAlgorithm = scepConfig.getString("hashAlgorithm", "SHA1");
mEncryptionAlgorithm = scepConfig.getString("encryptionAlgorithm", "DES3");
+ mNonceSizeLimit = scepConfig.getInteger("nonceSizeLimit", 0);
}
} catch (EBaseException e) {
}
mmEncryptionAlgorithm = mEncryptionAlgorithm;
CMS.debug("CRSEnrollment: init: SCEP support is "+((mEnabled)?"enabled":"disabled")+".");
+ CMS.debug("CRSEnrollment: init: mNonceSizeLimit: "+mNonceSizeLimit);
try {
mProfileSubsystem = (IProfileSubsystem)CMS.getSubsystem("profile");
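Review bot: The code-side default for `nonceSizeLimit` is 0, which the later check `mNonceSizeLimit > 0` treats as "no limit", so an instance whose CS.cfg does not carry the new key (for example one configured before this commit) gets no size limit at all. The surrounding `catch (EBaseException e) { }` is empty, so if `getInteger` throws on a malformed value the limit presumably stays at 0 with nothing logged. Consider matching the shipped configuration, `mNonceSizeLimit = scepConfig.getInteger("nonceSizeLimit", 16);`, and adding a `CMS.debug` line in the catch. The enclosing init method starts and ends outside the hunk.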
@@ -193,6 +197,7 @@ public class CRSEnrollment extends HttpServlet
catch (NoSuchAlgorithmException e) {
}
+ mRandom = new Random();
}
@@ -724,8 +729,17 @@ public class CRSEnrollment extends HttpServlet
throw new ServletException("Error: malformed PKIMessage - missing sendernonce");
}
else {
- crsResp.setRecipientNonce(sn);
- crsResp.setSenderNonce(new byte[] {0});
+ if (mNonceSizeLimit > 0 && sn.length > mNonceSizeLimit) {
+ byte[] snLimited = (mNonceSizeLimit > 0)? new byte[mNonceSizeLimit]: null;
+ System.arraycopy(sn, 0, snLimited, 0, mNonceSizeLimit);
+ crsResp.setRecipientNonce(snLimited);
+ } else {
+ crsResp.setRecipientNonce(sn);
+ }
+ byte[] serverNonce = new byte[16];
+ mRandom.nextBytes(serverNonce);
+ crsResp.setSenderNonce(serverNonce);
+ // crsResp.setSenderNonce(new byte[] {0});
}
// Deal with message type
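Review bot: An oversized sender nonce is silently cut to `mNonceSizeLimit` bytes before it is echoed as the recipient nonce, so a client that compares the echoed value with what it sent will see a mismatch, and nothing is logged to explain it. If truncation rather than rejection is intended, a `CMS.debug` line recording the received length would help operators; otherwise throwing a ServletException, as the missing-sendernonce branch just above does, makes the failure explicit. Inside the guarded branch the ternary is redundant because `mNonceSizeLimit > 0` is already established: `byte[] snLimited = new byte[mNonceSizeLimit];`. The commented-out `setSenderNonce(new byte[] {0})` line can simply be deleted; the enclosing method starts and ends outside the hunk.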
@@ -861,8 +875,9 @@ public class CRSEnrollment extends HttpServlet
{
IRequest foundRequest=null;
- resp.setRecipientNonce(req.getSenderNonce());
- resp.setSenderNonce(null);
+ // already done by handlePKIOperation
+ // resp.setRecipientNonce(req.getSenderNonce());
+ // resp.setSenderNonce(null);
try {
foundRequest = findRequestByTransactionID(req.getTransactionID(),false);
@@ -1561,7 +1576,7 @@ throws EBaseException {
Hashtable fingerprints = new Hashtable();
MessageDigest md;
- String[] hashes = new String[] {"MD2", "MD5", "SHA1"};
+ String[] hashes = new String[] {"MD2", "MD5", "SHA1", "SHA256", "SHA512"};
PKCS10 p10 = (PKCS10)req.getP10();
for (int i=0;i<hashes.length;i++) {
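Review bot: The new entries are spelled `"SHA256"` and `"SHA512"`, whereas the standard JCA algorithm names are `"SHA-256"` and `"SHA-512"`. If the loop passes `hashes[i]` to `MessageDigest.getInstance` (the loop body is outside the hunk), whether the unhyphenated names resolve depends on aliases in the installed provider. It is worth confirming on the deployed provider that both new fingerprints are actually produced and that a NoSuchAlgorithmException is not being swallowed; if the strings are not also used as lookup keys elsewhere, `{"MD2", "MD5", "SHA1", "SHA-256", "SHA-512"}` is the portable spelling.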
diff --git a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
index 3d360ce82..b45f50d59 100644
--- a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
+++ b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
@@ -330,6 +330,13 @@ public class CRSPKIMessage {
aa.addElement(new Attribute(CRS_FAILINFO, fiset));
}
+ if (senderNonce != null) {
+ SET snset = new SET();
+
+ snset.addElement(new OCTET_STRING(senderNonce));
+ aa.addElement(new Attribute(CRS_SENDERNONCE, snset));
+ }
+
if (recipientNonce != null) {
SET rnset = new SET();