author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-03-10 03:13:21 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-03-10 03:13:21 +0000 |
commit | fd1be05b56c61642243aabfbf43875435f7bdf97 (patch) | |
tree | 28ad0b62bcc7d21721bc24259c31f0512e00342d | |
parent | b0bf36b86e3b9110abd45debe61f95b41a038181 (diff) | |
BZ Bug 545935 - Add new client-auth ee port to address CVE-2009-3555
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1011 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
20 files changed, 281 insertions, 30 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index b837e6cef..e970ae11d 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -7,6 +7,7 @@ pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
 pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
 pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.ee_secure_client_auth_port=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
 pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
 pkicreate.secure_port=[PKI_SECURE_PORT]
 pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
@@ -35,6 +36,7 @@ service.machineName=[PKI_MACHINE_NAME]
 service.instanceDir=[PKI_INSTANCE_ROOT]
 service.securePort=[PKI_AGENT_SECURE_PORT]
 service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
 service.unsecurePort=[PKI_UNSECURE_PORT]
 service.instanceID=[PKI_INSTANCE_ID]
 preop.admin.name=Certificate System Administrator
diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif
index 4b9c1f65a..adb30a639 100644
--- a/pki/base/ca/shared/conf/schema.ldif
+++ b/pki/base/ca/shared/conf/schema.ldif
@@ -391,6 +391,11 @@ attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1
 dn: cn=schema
 changetype: modify
 add: attributeTypes
+attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
 attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
 
 dn: cn=schema
@@ -456,7 +461,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
 dn: cn=schema
 changetype: modify
 add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN 'user defined' )
 
 dn: cn=schema
 changetype: modify
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 873b69adf..1851ffda0 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
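Review bot: The new MAY list of the pkiSubsystem objectClass is written `SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort`, without the space after `$` that every other element in the list carries. RFC 4512 permits zero whitespace around the `$` separator, so this is not strictly a parse error, but the inconsistent spacing is exactly the kind of thing that trips stricter schema parsers and makes the line hard to grep; normalise it to `SecureAdminPort $ SecureEEClientAuthPort $ UnSecurePort` while the attribute is new.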
@@ -12,12 +12,13 @@ <!-- DO NOT REMOVE - Begin PKI Status Definitions --> <!-- -Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] -Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services -PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] -Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services +EE Client Auth Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/[PKI_SUBSYSTEM_TYPE]/eeca/[PKI_SUBSYSTEM_TYPE] +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> <!-- DO NOT REMOVE - End PKI Status Definitions --> 
@@ -144,6 +145,23 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_CLIENT_AUTH_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="true" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + 
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> diff --git a/pki/base/ca/shared/etc/init.d/pki-cad b/pki/base/ca/shared/etc/init.d/pki-cad index be68eed2e..fe7386866 100755 --- a/pki/base/ca/shared/etc/init.d/pki-cad +++ b/pki/base/ca/shared/etc/init.d/pki-cad @@ -395,12 +395,13 @@ get_pki_status_definitions() begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->" total_ports=0 - unsecure_port_statement="Unsecure Port = " - secure_agent_port_statement="Secure Agent Port = " - secure_ee_port_statement="Secure EE Port = " - secure_admin_port_statement="Secure Admin Port = " - pki_console_port_statement="PKI Console Port = " - tomcat_port_statement="Tomcat Port = " + unsecure_port_statement="Unsecure Port = " + secure_agent_port_statement="Secure Agent Port = " + secure_ee_port_statement="Secure EE Port = " + secure_ee_client_auth_port_statement="EE Client Auth Port = " + secure_admin_port_statement="Secure Admin Port = " + pki_console_port_statement="PKI Console Port = " + tomcat_port_statement="Tomcat Port = " # initialize looping variables pki_status_comment_found=0 @@ -432,10 +433,11 @@ get_pki_status_definitions() # begin processing to obtain all of the PKI Status Definitions if [ $pki_status_comment_found -eq 1 ] ; then # look for a PKI Status Definition and print it - head=`echo "$line" | cut -b1-20` + head=`echo "$line" | cut -b1-22` if [ "$head" == "$unsecure_port_statement" ] || [ "$head" == "$secure_agent_port_statement" ] || [ "$head" == "$secure_ee_port_statement" ] || + [ "$head" == "$secure_ee_client_auth_port_statement" ] || [ "$head" == "$secure_admin_port_statement" ] || [ "$head" == "$pki_console_port_statement" ] || [ "$head" == "$tomcat_port_statement" ] ; then 
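Review bot: The new client-auth Connector comes up with `sslOptions="ssl2=true,ssl3=true,tls=true"` and a ssl3Ciphers/tls3Ciphers list that still enables `+SSL3_RSA_WITH_DES_CBC_SHA` and the RC4 suites, on a port whose entire purpose is to sidestep a TLS protocol weakness (CVE-2009-3555). This presumably mirrors the existing EE connector, which keeps the instance consistent, but a freshly introduced listener is the place not to inherit the legacy baseline: at minimum `sslOptions="ssl2=false,ssl3=true,tls=true"` and dropping the single-DES suite, with the same trim applied to the sibling connectors in a follow-up. The actual client-certificate requirement is carried solely by `clientAuth="true"` here; that is worth stating in the `[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]` marker's comment so nobody later relaxes it to `want`.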
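Review bot: `head=\`echo "$line" | cut -b1-22\`` in the `@@ -432` hunk ties the match to the byte width of the longest statement ("EE Client Auth Port = " is 22 bytes) and requires every other `*_port_statement` to be space-padded to exactly that width (the padding is presumably there, but the rendering does not show it). If any statement is ever added or reworded to a different length, all comparisons silently fail, `total_ports` never reaches the 7 required by the `@@ -445` hunk, and `get_pki_status_definitions` returns `${default_error}` with no hint why. Deriving the width from the data, `head=\`echo "$line" | cut -b1-${#secure_ee_client_auth_port_statement}\``, or matching on a prefix, `case "$line" in "$unsecure_port_statement"*|"$secure_ee_client_auth_port_statement"*) ...`, removes the coupling to the magic number. The function body continues outside the hunk.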
@@ -445,7 +447,7 @@ get_pki_status_definitions() fi done - if [ ${total_ports} -eq 6 ] ; then + if [ ${total_ports} -eq 7 ] ; then return 0 else return ${default_error} diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg index 449941a96..b214c80d5 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling audit signing certificates. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg index 89d89ea60..abd207f79 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling Security Domain DRM storage certificates -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg index 373cffa7d..f56831d6e 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling Security Domain OCSP Manager certificates. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg index 9481e35c8..1e8d5d4c3 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg 
@@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling Security Domain server certificates. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg index 6adbac8ef..ed65549fc 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling Security Domain subsystem certificates. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg index a8dd95b7b..d622854c2 100644 --- a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg +++ b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=TokenAuth diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml index 7b71684f6..d827ddd65 100644 --- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -39,6 +39,15 @@ </init-param> </filter> + <filter> + <filter-name>EEClientAuthRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EEClientAuthRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
@@ -2084,6 +2093,11 @@ <url-pattern> /auths </url-pattern> </filter-mapping> + <filter-mapping> + <filter-name> EEClientAuthRequestFilter </filter-name> + <url-pattern> /eeca/* </url-pattern> + </filter-mapping> + <filter-mapping> <filter-name> EERequestFilter </filter-name> <url-pattern> /ee/* </url-pattern> @@ -2487,6 +2501,11 @@ <servlet-mapping> <servlet-name> caProfileSubmitSSLClient </servlet-name> + <url-pattern> /eeca/ca/profileSubmitSSLClient </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitSSLClient </servlet-name> <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern> </servlet-mapping> diff --git a/pki/base/common/src/com/netscape/certsrv/apps/CMS.java b/pki/base/common/src/com/netscape/certsrv/apps/CMS.java index 4685a4651..b39f08729 100644 --- a/pki/base/common/src/com/netscape/certsrv/apps/CMS.java +++ b/pki/base/common/src/com/netscape/certsrv/apps/CMS.java @@ -893,6 +893,15 @@ public final class CMS { } /** + * Retrieves the host name of the server's secure end entity service. + * + * @return port of end-entity secure service + */ + public static String getEEClientAuthSSLPort() { + return _engine.getEEClientAuthSSLPort(); + } + + /** * Retrieves the IP address of the server's secure end entity service. * * @return ip address of end-entity secure service diff --git a/pki/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/pki/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java index e78fda7f3..60eb6aec8 100644 --- a/pki/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +++ b/pki/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java 
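Review bot: The `@@ -2487` hunk adds `/eeca/ca/profileSubmitSSLClient` but keeps the existing `/ee/ca/profileSubmitSSLClient` servlet-mapping, so the same servlet stays reachable on the non-client-auth EE port, where a client certificate can only be obtained by mid-connection renegotiation — the very situation CVE-2009-3555 concerns and that the new port is meant to avoid. If the old path must remain for client compatibility, a comment next to it saying so (and that it is slated for removal) would stop the next reader from assuming the move is complete; otherwise drop the `/ee/` mapping in this commit. The `EEClientAuthRequestFilter` mapping on `/eeca/*` in the `@@ -2084` hunk only enforces the port, so the old path is not covered by it.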
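Review bot: The Javadoc on the new `CMS.getEEClientAuthSSLPort()` reads "Retrieves the host name of the server's secure end entity service", copied from the neighbouring host accessor, while the method returns a port. Change the two lines to `* Retrieves the port number of the server's client auth secure end entity service.` and `* @return port of end-entity client auth secure service`, which is the wording the ICMSEngine declaration in this same commit already uses. It would also help callers to state that the value is `null` when no EEClientAuth or shared Secure connector was configured, since DonePanel relies on exactly that.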
@@ -696,6 +696,13 @@ public interface ICMSEngine extends ISubsystem {
 public String getEESSLPort();
 
 /**
+ * Retrieves the port number of the server's client auth secure end entity service.
+ *
+ * @return port of end-entity client auth secure service
+ */
+ public String getEEClientAuthSSLPort();
+
+ /**
 * Retrieves the host name of the server's agent service.
 *
 * @return host name of agent service
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 10d52410b..e665925b9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -169,6 +169,7 @@ public class DonePanel extends WizardPanelBase {
 IConfigStore cs = CMS.getConfigStore();
 String ownport = CMS.getEENonSSLPort();
 String ownsport = CMS.getEESSLPort();
+ String owneeclientauthsport = CMS.getEEClientAuthSSLPort();
 String ownhost = CMS.getEESSLHost();
 String ownagentsport = CMS.getAgentPort();
 String ownagenthost = CMS.getAgentHost();
@@ -306,6 +307,10 @@ public class DonePanel extends WizardPanelBase {
 ownagentsport));
 attrs.add(new LDAPAttribute("SecureAdminPort",
 ownadminsport));
+ if (owneeclientauthsport != null) {
+ attrs.add(new LDAPAttribute("SecureEEClientAuthPort",
+ owneeclientauthsport));
+ }
 attrs.add(new LDAPAttribute("UnSecurePort", ownport));
 attrs.add(new LDAPAttribute("Clone", "FALSE"));
 attrs.add(new LDAPAttribute("SubsystemName", subsystemName));
@@ -360,6 +365,11 @@ public class DonePanel extends WizardPanelBase {
 cloneStr = "&clone=true";
 else
 cloneStr = "&clone=false";
+
+ String eecaStr = "";
+ if (owneeclientauthsport != null)
+ eecaStr="&eeclientauthsport=" + owneeclientauthsport;
+
 updateDomainXML(
 sd_host, sd_agent_port_int, true, "/ca/agent/ca/updateDomainXML",
 "list=" + s
@@ -370,6 +380,7 @@ public class DonePanel extends WizardPanelBase {
 + "&dm=false" + cloneStr
 + "&agentsport=" + ownagentsport
 + "&adminsport=" + ownadminsport
+ + eecaStr
 + "&httpport=" + ownport
 );
 // Fetch the "updated" security domain and display it
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 923c1e797..f5b0afb8d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -246,6 +246,7 @@ public class UpdateDomainXML extends CMSServlet {
 String sport = httpReq.getParameter("sport");
 String agentsport = httpReq.getParameter("agentsport");
 String adminsport = httpReq.getParameter("adminsport");
+ String eecaport = httpReq.getParameter("eeclientauthsport");
 String httpport = httpReq.getParameter("httpport");
 String domainmgr = httpReq.getParameter("dm");
 String clone = httpReq.getParameter("clone");
@@ -314,6 +315,9 @@ public class UpdateDomainXML extends CMSServlet {
 if ((httpport != null) && (!httpport.equals(""))) {
 attrs.add(new LDAPAttribute("UnSecurePort", httpport));
 }
+ if ((eecaport != null) && (!eecaport.equals(""))) {
+ attrs.add(new LDAPAttribute("SecureEEClientAuthPort", eecaport));
+ }
 if ((domainmgr != null) && (!domainmgr.equals(""))) {
 attrs.add(new LDAPAttribute("DomainManager", domainmgr.toUpperCase()));
 }
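Review bot: `eecaport` is taken verbatim from `httpReq.getParameter("eeclientauthsport")` and written into the security-domain entry as `SecureEEClientAuthPort` with no check that it is a port number; schema.ldif declares that attribute with the INTEGER syntax (1.3.6.1.4.1.1466.115.121.1.27), so a non-numeric value would surface as a directory schema violation rather than a clear servlet error. The `@@ -381` hunk in this file also passes `eecaport` to `parser.addItemToContainer` unconditionally, while the LDAP branch here skips it when null or empty, so the two representations of the domain can disagree. The other port parameters follow the same unvalidated pattern, so the real fix is shared, but the new code is where to start: `int p = Integer.parseInt(eecaport);` followed by `if (p < 1 || p > 65535) { /* reject */ }` before the attribute is added, and the same non-empty guard in the XML branch. Both enclosing methods start outside the hunks.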
@@ -381,6 +385,7 @@ public class UpdateDomainXML extends CMSServlet {
 parser.addItemToContainer(parent, "SecurePort", sport);
 parser.addItemToContainer(parent, "SecureAgentPort", agentsport);
 parser.addItemToContainer(parent, "SecureAdminPort", adminsport);
+ parser.addItemToContainer(parent, "SecureEEClientAuthPort", eecaport);
 parser.addItemToContainer(parent, "UnSecurePort", httpport);
 parser.addItemToContainer(parent, "DomainManager", domainmgr.toUpperCase());
 parser.addItemToContainer(parent, "Clone", clone.toUpperCase());
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
new file mode 100644
index 000000000..9a63e1a58
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
@@ -0,0 +1,101 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2010 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.filter; + +import javax.servlet.http.*; +import javax.servlet.*; +import com.netscape.certsrv.apps.*; + +public class EEClientAuthRequestFilter implements Filter +{ + private static final String HTTPS_SCHEME = "https"; + private static final String HTTPS_PORT = "https_port"; + private static final String HTTPS_ROLE = "EE Client Auth"; + + private FilterConfig config; + + /* Create a new EEClientAuthRequestFilter */ + public EEClientAuthRequestFilter() {} + + public void init( FilterConfig filterConfig ) + throws ServletException + { + this.config = filterConfig; + } + + public void doFilter( ServletRequest request, + ServletResponse response, + FilterChain chain ) + throws java.io.IOException, + ServletException + { + String filterName = getClass().getName(); + + String scheme = null; + int port = 0; + + String request_port = null; + String param_https_port = null; + String msg = null; + + if( request instanceof HttpServletRequest ) { + HttpServletResponse resp = ( HttpServletResponse ) response; + + // RFC 1738: verify that scheme is "https" + scheme = request.getScheme(); + if( ! 
scheme.equals( HTTPS_SCHEME ) ) { + msg = "The scheme MUST be '" + HTTPS_SCHEME + + "', NOT '" + scheme + "'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg ); + return; + } + + // Always obtain an "https" port from request + port = request.getServerPort(); + request_port = Integer.toString( port ); + + // Always obtain the "https" port passed in as a parameter + param_https_port = config.getInitParameter( HTTPS_PORT ); + if( param_https_port == null ) { + msg = "The <param-name> '" + HTTPS_PORT + + "' </param-name> " + "MUST be specified in 'web.xml'!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg ); + return; + } + + // Compare the request and param "https" ports + if( ! param_https_port.equals( request_port ) ) { + msg = "Use HTTPS port '" + param_https_port + + "' instead of '" + request_port + + "' when performing " + HTTPS_ROLE + " tasks!"; + CMS.debug( filterName + ": " + msg ); + resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg ); + return; + } + } + + chain.doFilter( request, response ); + } + + public void destroy() + { + } +} + diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java index f99cedb58..54684e1f1 100644 --- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java @@ -176,11 +176,13 @@ public class CMSEngine implements ICMSEngine { private static final int ADMIN = 1; private static final int EE_SSL = 2; private static final int EE_NON_SSL = 3; + private static final int EE_CLIENT_AUTH_SSL = 4; private static String mServerCertNickname = null; private static String info[][] = { {null, null, null},//agent {null, null, null},//admin {null, null, null},//sslEE - {null, null, null} //non_sslEE + {null, null, null},//non_sslEE + {null, null, null} //ssl_clientauth_EE }; /** 
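Review bot: `doFilter` only checks the scheme and that `request.getServerPort()` equals the `https_port` init-param; it never verifies that a client certificate was actually negotiated, so the "client auth" guarantee rests entirely on the connector's `clientAuth="true"`, and in shared-port mode (`CMSEngine` assigns the `Secure` port to `EE_CLIENT_AUTH_SSL`, and pkicreate sets the clientAuth slot to `"agent"` there, which presumably makes the certificate optional) `/eeca/*` requests would pass this filter with no certificate at all. A defence-in-depth check on the `javax.servlet.request.X509Certificate` attribute before `chain.doFilter` closes that gap; the rewritten tail of the `instanceof` block is below. The status codes are also questionable — 401 for a wrong scheme and 404 for a wrong port — 403 describes both better, though if the sibling `EERequestFilter` in this package uses the same codes, keep them consistent. The class has no Javadoc; a header such as `/** Rejects EE client-auth requests that did not arrive over HTTPS on the port configured as https_port in web.xml. */` would help.
```java
            // … unchanged: scheme check and https_port comparison …

            // Defence in depth: the connector is expected to require a
            // client certificate; refuse to proceed if none was presented.
            java.security.cert.X509Certificate[] certs =
                ( java.security.cert.X509Certificate[] )
                request.getAttribute( "javax.servlet.request.X509Certificate" );
            if( certs == null || certs.length == 0 ) {
                msg = "A client certificate is required when performing "
                    + HTTPS_ROLE + " tasks!";
                CMS.debug( filterName + ": " + msg );
                resp.sendError( HttpServletResponse.SC_FORBIDDEN, msg );
                return;
            }
        }

        chain.doFilter( request, response );
```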
@@ -526,11 +528,15 @@ public class CMSEngine implements ICMSEngine { } else if( name.equals( "EE" ) ) { // Port Separation: EE Secure Port info[EE_SSL][PORT] = port; + } else if( name.equals( "EEClientAuth" ) ) { + // Port Separation: EE Client Auth Secure Port + info[EE_CLIENT_AUTH_SSL][PORT] = port; } else if( name.equals( "Secure" ) ) { // Shared Ports: Agent, EE, and Admin Secure Port info[AGENT][PORT] = port; info[ADMIN][PORT] = port; info[EE_SSL][PORT] = port; + info[EE_CLIENT_AUTH_SSL][PORT] = port; } } } @@ -651,6 +657,10 @@ public class CMSEngine implements ICMSEngine { return info[EE_SSL][PORT]; } + public String getEEClientAuthSSLPort() { + return info[EE_CLIENT_AUTH_SSL][PORT]; + } + public String getAgentHost() { String host = ""; try { diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if index cbbdd4722..799785104 100644 --- a/pki/base/selinux/src/pki.if +++ b/pki/base/selinux/src/pki.if @@ -92,6 +92,9 @@ template(`pki_ca_template',` corenet_tcp_connect_ocsp_port($1_t) corenet_tcp_connect_generic_port($1_t) + # for file signing + corenet_tcp_connect_http_port($1_t) + # This is for /etc/$1/tomcat.conf: can_exec($1_t, $1_tomcat_exec_t) allow $1_t $1_tomcat_exec_t:file {getattr read}; diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te index 6bd3d98b6..e6b7cf597 100644 --- a/pki/base/selinux/src/pki.te +++ b/pki/base/selinux/src/pki.te @@ -1,4 +1,4 @@ -policy_module(pki,1.0.17) +policy_module(pki,1.0.18) attribute pki_ca_config; attribute pki_ca_executable; diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index a0fe9c8da..8962843e2 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -30,6 +30,7 @@ # -subsystem_type=ca # -agent_secure_port=9443 # -ee_secure_port=9444 +# -ee_secure_client_auth_port=9446 # -admin_secure_port=9445 # -unsecure_port=9180 # -tomcat_server_port=9701 
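Review bot: `corenet_tcp_connect_http_port($1_t)` in pki.if lets the CA domain open outbound connections to anything labelled http_port_t, and the only explanation is `# for file signing`, which nothing in the commit message (a client-auth EE port for CVE-2009-3555) accounts for. Name the component that initiates that connection and why in the comment, e.g. `# <COMPONENT-TODO> fetches <WHAT-TODO> over HTTP during file signing`, or move this rule and the `policy_module(pki,1.0.18)` bump into their own change so the widened network permission can be reviewed on its own; the same applies to the six `visible=false` profile flips earlier in this diff.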
@@ -268,6 +269,7 @@ my $servercertnick_conf_base_name = "serverCertNick.conf"; # C
 my $tomcat5_conf_base_name = "tomcat5.conf"; # CA, KRA, OCSP, TKS
 my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
 my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
+my $profile_select_base_name = "ProfileSelect.template"; #CA
 
 # Subdirectory names
 my $perl_base_instance_symlink = "perl"; # RA, TPS
@@ -336,6 +338,7 @@ my $PKI_MACHINE_NAME_SLOT = "PKI_MACHINE_NAME";
 my $PKI_RANDOM_NUMBER_SLOT = "PKI_RANDOM_NUMBER";
 my $PKI_SECURE_PORT_SLOT = "PKI_SECURE_PORT";
 my $PKI_EE_SECURE_PORT_SLOT = "PKI_EE_SECURE_PORT";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT";
 my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
 my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
 my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
@@ -348,10 +351,12 @@ my $PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_UNSECURE_PORT_CONNECTOR_NAM
 my $PKI_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_SECURE_PORT_CONNECTOR_NAME";
 my $PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME";
 my $PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_EE_SECURE_PORT_CONNECTOR_NAME";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME";
 my $PKI_UNSECURE_PORT_COMMENT_SERVER_SLOT = "PKI_UNSECURE_PORT_SERVER_COMMENT";
 my $PKI_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_SECURE_PORT_SERVER_COMMENT";
 my $PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_ADMIN_SECURE_PORT_SERVER_COMMENT";
 my $PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT = "PKI_EE_SECURE_PORT_SERVER_COMMENT";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT";
 my $PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT";
 my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT";
 my $PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT";
@@ -360,12 +365,14 @@ my $PKI_UNSECURE_PORT_NAME = "Unsecure";
 my $PKI_AGENT_SECURE_PORT_NAME = "Agent";
 my $PKI_ADMIN_SECURE_PORT_NAME = "Admin";
 my $PKI_EE_SECURE_PORT_NAME = "EE";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_NAME = "EEClientAuth";
 my $PKI_SECURE_PORT_NAME = "Secure";
 my $PKI_UNUSED_SECURE_PORT_NAME = "Unused";
 my $PKI_UNSECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Unsecure Port Connector -->";
 my $PKI_AGENT_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Agent Secure Port Connector -->";
 my $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: Admin Secure Port Connector -->";
 my $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: EE Secure Port Connector -->";
+my $PKI_EE_SECURE_CLIENT_AUTH_SEPARATE_PORTS_COMMENT = "<!-- Port Separation: EE Secure Client Auth Port Connector -->";
 my $PKI_UNSECURE_SHARED_PORTS_COMMENT = "<!-- Shared Ports: Unsecure Port Connector -->";
 my $PKI_SECURE_SHARED_PORTS_COMMENT = "<!-- Shared Ports: Agent, EE, and Admin Secure Port Connector -->";
 my $PKI_OPEN_COMMENT = "<!--";
@@ -413,6 +420,7 @@ my $tomcat_server_port = -1;
 # Command-line variables (optional)
 my $agent_secure_port = -1;
 my $ee_secure_port = -1;
+my $ee_secure_client_auth_port = -1;
 my $admin_secure_port = -1;
 my $username = "";
 my $groupname = "";
@@ -553,6 +561,8 @@ my $webapps_subsystem_instance_path = ""; # CA, KRA, OCSP, TKS
 my $webinf_instance_path = ""; # CA, KRA, OCSP, TKS
 my $webinf_lib_instance_path = ""; # CA, KRA, OCSP, TKS
 my $webinf_subsystem_path = ""; # CA, KRA, OCSP, TKS
+my $profile_select_template_subsystem_file_path = ""; #CA
+my $profile_select_template_instance_file_path = ""; #CA
 
 # PKI init script variables
 my $default_init_scripts_path = ""; # CA, KRA, OCSP, TKS
@@ -776,7 +786,12 @@ sub usage() . " -admin_secure_port=<admin_secure_port> " . "# Admin secure port\n\n" . " #####################################################################\n" - . " ### OR a single secure port shared by AGENT, EE, and ADMIN: ###\n" + . " ### ... and a client auth EE port, required for CAs only ###\n" + . " #####################################################################\n\n" + . " -ee_secure_client_auth_port=<ee_secure_client_auth_port>\n" + . " # EE secure client authentication port\n\n" + . " #####################################################################\n" + . " ### OR SELECT a single secure port shared by AGENT,EE and ADMIN ###\n" . " #####################################################################\n\n" . " -secure_port=<secure_port> " . "# Secure port\n" @@ -913,6 +928,7 @@ sub usage() . " -subsystem_type=ca \\\n" . " -agent_secure_port=9443 \\\n" . " -ee_secure_port=9444 \\\n" + . " -ee_secure_client_auth_port=9446 \\\n" . " -admin_secure_port=9445 \\\n" . " -unsecure_port=9180 \\\n" . " -tomcat_server_port=9701 \\\n" @@ -926,6 +942,7 @@ sub usage() . " -subsystem_type=ca \\\n" . " -agent_secure_port=9543 \\\n" . " -ee_secure_port=9544 \\\n" + . " -ee_secure_client_auth_port=9546 \\\n" . " -admin_secure_port=9545 \\\n" . " -unsecure_port=9580 \\\n" . " -tomcat_server_port=9801 \\\n" @@ -1046,6 +1063,7 @@ sub parse_arguments() my $l_tomcat_server_port = -1; my $l_agent_secure_port = -1; my $l_ee_secure_port = -1; + my $l_ee_secure_client_auth_port = -1; my $l_admin_secure_port = -1; my $show_help = 0; @@ -1058,6 +1076,7 @@ sub parse_arguments() "unsecure_port:i" => \$l_unsecure_port, "agent_secure_port:i" => \$l_agent_secure_port, "ee_secure_port:i" => \$l_ee_secure_port, + "ee_secure_client_auth_port:i" => \$l_ee_secure_client_auth_port, "admin_secure_port:i" => \$l_admin_secure_port, "tomcat_server_port:i" => \$l_tomcat_server_port, "user=s" => \$username, 
@@ -1209,6 +1228,7 @@ sub parse_arguments() if( $l_agent_secure_port > 0 || $l_ee_secure_port > 0 || + $l_ee_secure_client_auth_port > 0 || $l_admin_secure_port > 0) { usage(); emit( "Must NOT include values for any agent|admin|ee ports!\n", @@ -1278,6 +1298,21 @@ sub parse_arguments() } } + ## Mandatory ee_secure_client_auth_port if "-agent_secure_port" is given, and CA subsystem + + if( $l_ee_secure_client_auth_port >= 0 ) { + $ee_secure_client_auth_port = $l_ee_secure_client_auth_port; + + emit( " ee_secure_client_auth_port $ee_secure_client_auth_port\n"); + + } else { + if (($agent_secure_port >= 0) && ($subsystem_type eq $CA)) { + usage(); + emit( "For CAs, must include value for ee_secure_client_auth_port if agent_secure_port is given!\n"); + return 0; + } + } + ## Mandatory admin_secure_port if "-agent_secure_port" is given if( $l_admin_secure_port >= 0 ) { @@ -1292,7 +1327,7 @@ sub parse_arguments() } if (!AreConnectorPortsValid($secure_port,$unsecure_port,$agent_secure_port, - $ee_secure_port,$admin_secure_port ) ) + $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port ) ) { usage(); emit( "Invalid port numbers submitted!\n","error" ); @@ -1645,9 +1680,16 @@ sub initialize_subdirectory_paths() } ## Initialize subdirectory paths (CA subsystems) - # if( $subsystem_type eq $CA ) { - # } - + if( $subsystem_type eq $CA ) { + $profile_select_template_subsystem_file_path = $ui_subsystem_path + . "/" . $webapps_base_subsystem_dir + . "/" . $subsystem_type + . "/ee/" . $subsystem_type + . "/" . $profile_select_base_name; + $profile_select_template_instance_file_path = $webapps_subsystem_instance_path + . "/ee/". $subsystem_type + . "/" . $profile_select_base_name; + } ## Initialize subdirectory paths (RA, TPS subsystems) if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { 
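Review bot: The new failure path in the `@@ -1278` hunk calls `emit( "For CAs, must include value for ee_secure_client_auth_port if agent_secure_port is given!\n");` without the `"error"` level that the neighbouring validation failures pass (`emit( "Invalid port numbers submitted!\n","error" );`), so this message presumably goes out at the default level rather than as an error; change it to `emit( "For CAs, must include value for ee_secure_client_auth_port if agent_secure_port is given!\n", "error" );`. The condition `($agent_secure_port >= 0)` also differs from the `> 0` test used on `$l_agent_secure_port` in the `@@ -1209` hunk, so a port of 0 would count as "given" here but not there; the assignment of `$agent_secure_port` is outside the hunk, so confirm which convention the rest of `parse_arguments` uses and pick one. The sub starts outside the hunk.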
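Review bot: The call in the `@@ -1292` hunk now passes six arguments, `AreConnectorPortsValid($secure_port,$unsecure_port,$agent_secure_port, $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port )`, but no hunk in this commit touches the definition of `AreConnectorPortsValid`; if that sub still unpacks five positional parameters, `$ee_secure_client_auth_port` lands in the admin slot and `$admin_secure_port` is silently never validated. Confirm the definition was updated (it is outside the diff), and document in the call that for non-CA subsystems the new argument is still `-1`, since the `@@ -1278` hunk only makes it mandatory for CAs, so the validator must treat `-1` as "unused" the way it presumably does for the other optional ports — a one-line comment such as `# $ee_secure_client_auth_port is -1 for KRA/OCSP/TKS; validator must accept that` above the call would capture this.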
@@ -2459,11 +2501,13 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
 $slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_AGENT_SECURE_PORT_NAME;
 $slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_ADMIN_SECURE_PORT_NAME;
 $slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_EE_SECURE_PORT_NAME;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT} = $PKI_EE_SECURE_CLIENT_AUTH_PORT_NAME;
 
 # Establish "Port Separation" Connector Ports
 $slot_hash{$PKI_SECURE_PORT_SLOT} = $agent_secure_port;
 $slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $agent_secure_port;
 $slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $ee_secure_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $ee_secure_client_auth_port;
 $slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $admin_secure_port;
 
 # Comment "Port Separation" appropriately
@@ -2471,6 +2515,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
 $slot_hash{$PKI_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_AGENT_SECURE_SEPARATE_PORTS_COMMENT;
 $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT;
 $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT} = $PKI_EE_SECURE_CLIENT_AUTH_SEPARATE_PORTS_COMMENT;
 
 # Set appropriate "clientAuth" parameter for "Port Separation"
 $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "true";
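Review bot: In the "Port Separation" branch the new slot is filled unconditionally, `$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $ee_secure_client_auth_port;`, but for KRA, OCSP and TKS instances that variable is still `-1` (the `@@ -1278` hunk only requires it for CAs), so any template that carries the `[PKI_EE_SECURE_CLIENT_AUTH_PORT]` slot for those subsystems would be stamped with `-1`. Only the CA's server.xml, CS.cfg and web.xml are changed here, so this is presumably harmless today, but a guard or a comment makes the intent explicit, e.g. `# only CAs carry an EE client-auth port; other subsystems leave the slot at -1 and have no [PKI_EE_SECURE_CLIENT_AUTH_PORT] template slot`. The enclosing sub starts outside the hunk.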
@@ -2489,11 +2534,13 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_SECURE_PORT_NAME; $slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNUSED_SECURE_PORT_NAME; $slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNUSED_SECURE_PORT_NAME; + $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNUSED_SECURE_PORT_NAME; # Establish "Shared Ports" Connector Ports $slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port; $slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $secure_port; $slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $secure_port; + $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $secure_port; $slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $secure_port; # Comment "Shared Ports" appropriately @@ -2501,6 +2548,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $slot_hash{$PKI_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_SECURE_SHARED_PORTS_COMMENT; $slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; $slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = ""; + $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT} = ""; # Set appropriate "clientAuth" parameter for "Shared Ports" $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent"; @@ -2562,8 +2610,16 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so ## Process templates (CA instances) - # if( $subsystem_type eq $CA ) { - # } + if( $subsystem_type eq $CA ) { + # process ProfileSelect.template + $result = process_file_template( $profile_select_template_subsystem_file_path, + $profile_select_template_instance_file_path, + \%slot_hash ); + if( ! $result ) { + return 0; + } + + } ## Process templates (RA, TPS instances) 
@@ -3828,6 +3884,9 @@ sub process_pki_selinux_setup() if ($ee_secure_port != -1) { &add_selinux_port($setype_p, $ee_secure_port); } + if ($ee_secure_client_auth_port != -1) { + &add_selinux_port($setype_p, $ee_secure_client_auth_port); + } if ($admin_secure_port != -1) { &add_selinux_port($setype_p, $admin_secure_port); } |