author | Ade Lee <alee@redhat.com> | 2012-04-26 23:48:43 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-05-02 16:47:27 -0400 |
commit | 9aea1e939f6357eadf777c72ae3ef43275829427 (patch) | |
tree | 07cfa655fcfd462c5217df8c8fe19cccc7e2e97f | |
parent | fbf472de7a4eb3d141c32821a417ec5331b53c97 (diff) | |
Refactor installation servlets to use common code in ConfigurationUtils
Ticket #156
19 files changed, 771 insertions, 5604 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java index 585d444d4..7921fc114 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java @@ -167,7 +167,7 @@ public class AdminAuthenticatePanel extends WizardPanelBase { cstype = config.getString("cs.type", ""); } catch (Exception e) { } - cstype = toLowerCaseSubsystemType(cstype); + cstype = cstype.toLowerCase(); if (subsystemtype.equals("clone")) { CMS.debug("AdminAuthenticatePanel: this is the clone subsystem"); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java index cc9d5f35a..579c54df0 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java 
@@ -17,57 +17,29 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileOutputStream; import java.io.IOException; -import java.io.PrintStream; -import java.net.URLEncoder; -import java.security.cert.X509Certificate; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.ldap.LDAPException; -import netscape.security.pkcs.ContentInfo; -import netscape.security.pkcs.PKCS10; -import netscape.security.pkcs.PKCS7; -import netscape.security.pkcs.SignerInfo; -import netscape.security.x509.AlgorithmId; -import netscape.security.x509.CertificateChain; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; - import org.apache.velocity.context.Context; -import org.mozilla.jss.asn1.SEQUENCE; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; -import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.property.PropertySet; -import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; -import com.netscape.certsrv.usrgrp.IUser; import com.netscape.certsrv.util.HttpInput; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.cmsutil.http.HttpClient; -import com.netscape.cmsutil.http.HttpRequest; -import com.netscape.cmsutil.http.HttpResponse; -import com.netscape.cmsutil.http.JssSSLSocketFactory; -import com.netscape.cmsutil.xml.XMLObject; public class AdminPanel extends WizardPanelBase { private static final String ADMIN_UID = "admin"; - 
private final static String CERT_TAG = "admin"; public AdminPanel() { } 
@@ -243,383 +215,80 @@ public class AdminPanel extends WizardPanelBase { /** * Commit parameter changes */ - public void update(HttpServletRequest request, - HttpServletResponse response, - Context context) throws IOException { + public void update(HttpServletRequest request, HttpServletResponse response, Context context) throws IOException { IConfigStore config = CMS.getConfigStore(); context.put("info", ""); context.put("import", "true"); - String type = ""; - String subsystemtype = ""; - String selected_hierarchy = ""; - try { - type = config.getString(PRE_CA_TYPE, ""); - subsystemtype = config.getString("cs.type", ""); - selected_hierarchy = config.getString("preop.hierarchy.select", ""); - } catch (Exception e) { - } - - ISubsystem ca = CMS.getSubsystem("ca"); - - if (ca == null) { - context.put("ca", "false"); - } else { - context.put("ca", "true"); - } - context.put("caType", type); String uid = HttpInput.getUID(request, "uid"); String email = HttpInput.getEmail(request, "email"); String name = HttpInput.getName(request, "name"); + String pwd = HttpInput.getPassword(request, "__pwd"); + String cert_request_type = HttpInput.getID(request, "cert_request_type"); + String subject = request.getParameter("subject"); + String cert_request = HttpInput.getCertRequest(request, "cert_request"); + String profileId = HttpInput.getID(request, "profileId"); - CMS.debug("AdminPanel update: email address = " + email); - - config.putString("preop.admin.uid", uid); - config.putString("preop.admin.email", email); - config.putString("preop.admin.name", name); try { - createAdmin(request); - } catch (IOException e) { - context.put("errorString", "Failed to create administrator."); - context.put("updateStatus", "failure"); - throw e; - } + String type = config.getString(PRE_CA_TYPE, ""); + String subsystemtype = config.getString("cs.type", ""); + String selected_hierarchy = config.getString("preop.hierarchy.select", ""); + + ISubsystem ca = CMS.getSubsystem("ca"); - // REMINDER: 
This panel is NOT used by "clones" - if (ca != null) { - if (selected_hierarchy.equals("root")) { - CMS.debug("AdminPanel update: " - + "Root CA subsystem"); + if (ca == null) { + context.put("ca", "false"); } else { - CMS.debug("AdminPanel update: " - + "Subordinate CA subsystem"); + context.put("ca", "true"); } + context.put("caType", type); - try { - createAdminCertificate(request, response, context); - } catch (IOException e) { - CMS.debug("AdminPanel update: Exception: " + e.toString()); - context.put("errorString", - "Failed to create administrator certificate."); - context.put("updateStatus", "failure"); - throw e; - } - } else { - String ca_hostname = null; - int ca_port = -1; + config.putString("preop.admin.uid", uid); + config.putString("preop.admin.email", email); + config.putString("preop.admin.name", name); + ConfigurationUtils.createAdmin(uid, email, name, pwd); + + if (ca != null) { + if (selected_hierarchy.equals("root")) { + CMS.debug("AdminPanel update: " + "Root CA subsystem"); + } else { + CMS.debug("AdminPanel update: " + "Subordinate CA subsystem"); + } + + ConfigurationUtils.createAdminCertificate(cert_request, + cert_request_type, subject); + } else { + String ca_hostname = null; + int ca_port = -1; - // REMINDER: This panel is NOT used by "clones" - CMS.debug("AdminPanel update: " - + subsystemtype - + " subsystem"); + CMS.debug("AdminPanel update: " + subsystemtype + " subsystem"); - if (type.equals("sdca")) { - try { + if (type.equals("sdca")) { ca_hostname = config.getString("preop.ca.hostname"); ca_port = config.getInteger("preop.ca.httpsport"); - } catch (Exception e) { - } - } else { - try { + } else { ca_hostname = config.getString("securitydomain.host", ""); ca_port = config.getInteger("securitydomain.httpseeport"); - } catch (Exception e) { } - } - submitRequest(ca_hostname, ca_port, request, response, context); - } + ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port, + profileId, cert_request_type, cert_request, 
subject); + } - try { CMS.reinit(IUGSubsystem.ID); - } catch (Exception e) { - CMS.debug("AdminPanel update: " + e.toString()); - } - - try { config.commit(false); } catch (Exception e) { + CMS.debug("AdminPanel update(): Exception thrown " + e); + e.printStackTrace(); + context.put("updateStatus", "failure"); + throw new IOException("Error when adding admin user" + e); } context.put("updateStatus", "success"); - - } - - private void createAdmin(HttpServletRequest request) throws IOException { - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - IConfigStore config = CMS.getConfigStore(); - String groupName = null; - - try { - groupName = config.getString(PRE_CONF_AGENT_GROUP, - "Certificate Manager Agents"); - } catch (Exception e) { - CMS.debug("AdminPanel createAdmin: " + e.toString()); - } - - IUser user = null; - String uid = HttpInput.getUID(request, "uid"); - - try { - user = system.createUser(uid); - String email = HttpInput.getEmail(request, "email"); - String name = HttpInput.getName(request, "name"); - String pwd = HttpInput.getPassword(request, "__pwd"); - - user.setEmail(email); - user.setPassword(pwd); - user.setFullName(name); - user.setUserType("adminType"); - user.setState("1"); - user.setPhone(""); - system.addUser(user); - } catch (LDAPException e) { - CMS.debug("AdminPanel createAdmin: addUser " + e.toString()); - if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) { - throw new IOException(e.toString()); - } - } catch (Exception e) { - CMS.debug("AdminPanel createAdmin: addUser " + e.toString()); - throw new IOException(e.toString()); - } - - IGroup group = null; - - try { - group = system.getGroupFromName(groupName); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - group = system.getGroupFromName("Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - String select = 
config.getString("securitydomain.select", ""); - if (select.equals("new")) { - group = system.getGroupFromName("Security Domain Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise CA Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise KRA Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise RA Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise TKS Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise OCSP Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - - group = system.getGroupFromName("Enterprise TPS Administrators"); - if (!group.isMember(uid)) { - group.addMemberName(uid); - system.modifyGroup(group); - } - } - } catch (Exception e) { - CMS.debug("AdminPanel createAdmin: modifyGroup " + e.toString()); - throw new IOException(e.toString()); - } - } - - private void submitRequest(String ca_hostname, int ca_port, HttpServletRequest request, - HttpServletResponse response, Context context) throws IOException { - IConfigStore config = CMS.getConfigStore(); - - String profileId = HttpInput.getID(request, "profileId"); - if (profileId == null) { - try { - profileId = config.getString("preop.admincert.profile", "caAdminCert"); - } catch (Exception e) { - } - } - - String cert_request_type = HttpInput.getID(request, "cert_request_type"); - String cert_request = HttpInput.getCertRequest(request, "cert_request"); - cert_request = URLEncoder.encode(cert_request, "UTF-8"); - String session_id = 
CMS.getConfigSDSessionId(); - String subjectDN = HttpInput.getString(request, "subject"); - - String content = - "profileId=" - + profileId + "&cert_request_type=" + cert_request_type + "&cert_request=" + cert_request - + "&xmlOutput=true&sessionID=" + session_id + "&subject=" + subjectDN; - - HttpClient httpclient = new HttpClient(); - String c = null; - - try { - JssSSLSocketFactory factory = new JssSSLSocketFactory(); - - httpclient = new HttpClient(factory); - httpclient.connect(ca_hostname, ca_port); - HttpRequest httprequest = new HttpRequest(); - httprequest.setMethod(HttpRequest.POST); - httprequest.setURI("/ca/ee/ca/profileSubmit"); - httprequest.setHeader("user-agent", "HTTPTool/1.0"); - - httprequest.setHeader("content-length", "" + content.length()); - httprequest.setHeader("content-type", - "application/x-www-form-urlencoded"); - httprequest.setContent(content); - HttpResponse httpresponse = httpclient.send(httprequest); - - c = httpresponse.getContent(); - CMS.debug("AdminPanel submitRequest: content=" + c); - - // retrieve the request Id ad admin certificate - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream( - c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("AdminPanel::submitRequest() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - String status = parser.getValue("Status"); - - CMS.debug("AdminPanel update: status=" + status); - if (status.equals("2")) { - //relogin to the security domain - reloginSecurityDomain(response); - return; - } else if (!status.equals("0")) { - String error = parser.getValue("Error"); - - context.put("errorString", error); - throw new IOException(error); - } - - IConfigStore cs = CMS.getConfigStore(); - String id = parser.getValue("Id"); - - cs.putString("preop.admincert.requestId.0", id); - String serial = parser.getValue("serialno"); - - cs.putString("preop.admincert.serialno.0", 
serial); - String b64 = parser.getValue("b64"); - String instanceRoot = cs.getString("instanceRoot", ""); - String dir = instanceRoot + File.separator + "conf" - + File.separator + "admin.b64"; - - cs.putString("preop.admincert.b64", dir); - PrintStream ps = new PrintStream(new FileOutputStream(dir)); - - ps.println(b64); - ps.flush(); - ps.close(); - } catch (IOException ee) { - context.put("errorString", ee.toString()); - throw ee; - } catch (Exception ee) { - context.put("errorString", ee.toString()); - throw new IOException(ee.toString()); - } - } - } catch (Exception e) { - CMS.debug("AdminPanel submitRequest: " + e.toString()); - } - } - - private void createAdminCertificate(HttpServletRequest request, - HttpServletResponse response, Context context) throws IOException { - String cert_request = HttpInput.getCertRequest(request, "cert_request"); - - String cert_request_type = HttpInput.getID(request, "cert_request_type"); - IConfigStore cs = CMS.getConfigStore(); - - if (cs == null) { - CMS.debug("AdminPanel::createAdminCertificate() - cs is null!"); - throw new IOException("cs is null"); - } - - String subject = ""; - X509Key x509key = null; - if (cert_request_type.equals("crmf")) { - try { - byte[] b = CMS.AtoB(cert_request); - SEQUENCE crmfMsgs = CryptoUtil.parseCRMFMsgs(b); - subject = CryptoUtil.getSubjectName(crmfMsgs); - x509key = CryptoUtil.getX509KeyFromCRMFMsgs(crmfMsgs); - } catch (Exception e) { - CMS.debug( - "AdminPanel createAdminCertificate: Exception=" - + e.toString()); - } - // this request is from IE. The VBScript has problem of generating - // certificate request if the subject name has E and UID components. - // For now, we always hardcoded the subject DN to be cn=NAME in - // the IE browser. 
- } else if (cert_request_type.equals("pkcs10")) { - try { - byte[] b = CMS.AtoB(cert_request); - PKCS10 pkcs10 = new PKCS10(b); - subject = request.getParameter("subject"); - x509key = pkcs10.getSubjectPublicKeyInfo(); - } catch (Exception e) { - CMS.debug("AdminPanel createAdminCertificate: Exception=" - + e.toString()); - } - } - - if (x509key == null) { - CMS.debug("AdminPanel::createAdminCertificate() - x509key is null!"); - throw new IOException("x509key is null"); - } - - try { - cs.putString(PCERT_PREFIX + CERT_TAG + ".dn", subject); - String caType = cs.getString(PCERT_PREFIX + CERT_TAG + ".type", "local"); - X509CertImpl impl = CertUtil.createLocalCert(cs, x509key, - PCERT_PREFIX, CERT_TAG, caType, context); - - // update the locally created request for renewal - CertUtil.updateLocalRequest(cs, CERT_TAG, cert_request, cert_request_type, subject); - - ISubsystem ca = CMS.getSubsystem("ca"); - if (ca != null) { - createPKCS7(impl); - } - cs.putString("preop.admincert.serialno.0", - impl.getSerialNumber().toString(16)); - } catch (Exception e) { - CMS.debug("AdminPanel createAdminCertificate: Exception=" - + e.toString()); - } } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, 
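Review bot: The new catch at the end of AdminPanel.update() labels every failure "Error when adding admin user" and drops the cause, although the same try now also covers createAdminCertificate / submitAdminCertRequest, CMS.reinit and config.commit; an operator whose admin entry was created but whose certificate step failed gets a misleading message and no stack trace in the exception. Prefer `throw new IOException("Error creating admin user or certificate: " + e.getMessage(), e);` and log the stack via CMS.debug instead of `e.printStackTrace()`, as the rest of this class does. The removed submitRequest defaulted a missing profileId to `preop.admincert.profile` / `caAdminCert`, while the new code hands `HttpInput.getID(request, "profileId")` straight to submitAdminCertRequest, so unless that helper applies the same default a request without profileId now behaves differently. `subject` is still read with a raw `request.getParameter` while every other field goes through an HttpInput validator; `String subject = HttpInput.getString(request, "subject");` would match the removed submitRequest path.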
@@ -660,31 +329,4 @@ public class AdminPanel extends WizardPanelBase { return false; } - - private void createPKCS7(X509CertImpl cert) { - try { - IConfigStore cs = CMS.getConfigStore(); - ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem("ca"); - CertificateChain cachain = ca.getCACertChain(); - X509Certificate[] cacerts = cachain.getChain(); - X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; - int m = 1, n = 0; - - for (; n < cacerts.length; m++, n++) { - userChain[m] = (X509CertImpl) cacerts[n]; - } - - userChain[0] = cert; - PKCS7 p7 = new PKCS7(new AlgorithmId[0], - new ContentInfo(new byte[0]), userChain, new SignerInfo[0]); - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - - p7.encodeSignedData(bos); - byte[] p7Bytes = bos.toByteArray(); - String p7Str = CMS.BtoA(p7Bytes); - cs.putString("preop.admincert.pkcs7", CryptoUtil.normalizeCertStr(p7Str)); - } catch (Exception e) { - CMS.debug("AdminPanel createPKCS7: Failed to create pkcs7 file. Exception: " + e.toString()); - } - } } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java index d216a9212..f29b22ae7 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java @@ -17,14 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.ByteArrayOutputStream; -import java.io.CharConversionException; import java.io.IOException; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.cert.CertificateEncodingException; -import java.util.StringTokenizer; import javax.servlet.ServletConfig; import javax.servlet.ServletException; 
@@ -32,33 +25,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.asn1.ASN1Util; -import org.mozilla.jss.asn1.ASN1Value; -import org.mozilla.jss.asn1.BMPString; -import org.mozilla.jss.asn1.OCTET_STRING; -import org.mozilla.jss.asn1.SEQUENCE; -import org.mozilla.jss.asn1.SET; -import org.mozilla.jss.crypto.Cipher; -import org.mozilla.jss.crypto.CryptoToken; -import org.mozilla.jss.crypto.EncryptionAlgorithm; -import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; -import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; -import org.mozilla.jss.crypto.PBEAlgorithm; -import org.mozilla.jss.crypto.PrivateKey; -import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.X509Certificate; -import org.mozilla.jss.pkcs12.AuthenticatedSafes; -import org.mozilla.jss.pkcs12.CertBag; -import org.mozilla.jss.pkcs12.PFX; -import org.mozilla.jss.pkcs12.PasswordConverter; -import org.mozilla.jss.pkcs12.SafeBag; -import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo; -import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; -import org.mozilla.jss.util.Password; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -66,7 +32,6 @@ import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.property.PropertySet; import com.netscape.certsrv.util.HttpInput; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; public class BackupKeyCertPanel extends WizardPanelBase { 
@@ -199,20 +164,25 @@ public class BackupKeyCertPanel extends WizardPanelBase { Context context) throws IOException { IConfigStore config = CMS.getConfigStore(); - String select = HttpInput.getID(request, "choice"); - if (select.equals("backupkey")) { - CMS.debug("BackupKeyCertPanel update: backup"); - config.putBoolean("preop.backupkeys.enable", true); - backupKeysCerts(request); - } else { - CMS.debug("BackupKeyCertPanel update: no backup"); - config.putBoolean("preop.backupkeys.enable", false); - } - - config.putBoolean("preop.backupkeycert.done", true); try { - config.commit(false); - } catch (EBaseException e) { + String select = HttpInput.getID(request, "choice"); + String pwd = request.getParameter("__pwd"); + if (select.equals("backupkey")) { + CMS.debug("BackupKeyCertPanel update: backup"); + config.putBoolean("preop.backupkeys.enable", true); + ConfigurationUtils.backupKeys(pwd, null); + } else { + CMS.debug("BackupKeyCertPanel update: no backup"); + config.putBoolean("preop.backupkeys.enable", false); + } + + config.putBoolean("preop.backupkeycert.done", true); + config.commit(false); + } catch (Exception e) { + CMS.debug("BackupKeyertPanel: update(): Exception thrown " + e); + e.printStackTrace(); + context.put("updateStatus", "failure"); + throw new IOException(e); } context.put("updateStatus", "success"); } 
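Review bot: When `choice` is `backupkey` the new update() passes `request.getParameter("__pwd")` to ConfigurationUtils.backupKeys without checking it; the removed backupKeysCerts would have thrown an NPE on `pwd.toCharArray()` in the same case, so this is not a regression, but this is the place to fail with a clear message: `if (pwd == null || pwd.isEmpty()) throw new IOException("A password is required to export the keys and certificates");`. The debug prefix `BackupKeyertPanel` is a typo for BackupKeyCertPanel. The inline implementation deleted later in this diff protected the PKCS#12 with PBE_SHA1_DES3_CBC at iteration count 1 and a 5-iteration MAC; ConfigurationUtils.backupKeys is not visible here, so it is worth confirming it does not carry those parameters over unchanged.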
@@ -242,209 +212,4 @@ public class BackupKeyCertPanel extends WizardPanelBase { context.put("title", "Export Keys and Certificates"); context.put("panel", "admin/console/config/backupkeycertpanel.vm"); } - - public void backupKeysCerts(HttpServletRequest request) - throws IOException { - CMS.debug("BackupKeyCertPanel backupKeysCerts: start"); - IConfigStore cs = CMS.getConfigStore(); - String certlist = ""; - try { - certlist = cs.getString("preop.cert.list"); - } catch (Exception e) { - } - - StringTokenizer st = new StringTokenizer(certlist, ","); - CryptoManager cm = null; - try { - cm = CryptoManager.getInstance(); - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel::backupKeysCerts() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String pwd = request.getParameter("__pwd"); - Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray()); - SEQUENCE encSafeContents = new SEQUENCE(); - SEQUENCE safeContents = new SEQUENCE(); - while (st.hasMoreTokens()) { - String t = st.nextToken(); - if (t.equals("sslserver")) - continue; - String nickname = ""; - String modname = ""; - try { - nickname = cs.getString("preop.cert." 
+ t + ".nickname"); - modname = cs.getString("preop.module.token"); - } catch (Exception e) { - } - if (!modname.equals("Internal Key Storage Token")) - nickname = modname + ":" + nickname; - - X509Certificate x509cert = null; - byte localKeyId[] = null; - try { - x509cert = cm.findCertByNickname(nickname); - localKeyId = addCertBag(x509cert, nickname, safeContents); - } catch (IOException e) { - throw e; - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel: Exception=" + e.toString()); - throw new IOException("Failed to create pkcs12 file."); - } - - try { - PrivateKey pkey = cm.findPrivKeyByCert(x509cert); - addKeyBag(pkey, x509cert, pass, localKeyId, encSafeContents); - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel: Exception=" + e.toString()); - throw new IOException("Failed to create pkcs12 file."); - } - } //while loop - - X509Certificate[] cacerts = cm.getCACerts(); - - for (int i = 0; i < cacerts.length; i++) { - //String nickname = cacerts[i].getSubjectDN().toString(); - String nickname = null; - try { - addCertBag(cacerts[i], nickname, safeContents); - } catch (IOException e) { - throw e; - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel backKeysCerts: Exception=" + e.toString()); - throw new IOException("Failed to create pkcs12 file."); - } - } - - try { - AuthenticatedSafes authSafes = new AuthenticatedSafes(); - authSafes.addSafeContents(safeContents); - authSafes.addSafeContents(encSafeContents); - PFX pfx = new PFX(authSafes); - pfx.computeMacData(pass, null, 5); - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - pfx.encode(bos); - byte[] output = bos.toByteArray(); - cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); - pass.clear(); - cs.commit(false); - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel backupKeysCerts: Exception=" + e.toString()); - } - } - - private void addKeyBag(PrivateKey pkey, X509Certificate x509cert, - Password pass, byte[] localKeyId, SEQUENCE safeContents) - throws 
IOException { - try { - PasswordConverter passConverter = new PasswordConverter(); - - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); - byte salt[] = random.generateSeed(4); // 4 bytes salt - byte[] priData = getEncodedKey(pkey); - - PrivateKeyInfo pki = (PrivateKeyInfo) - ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData); - ASN1Value key = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, - pass, salt, 1, passConverter, pki); - SET keyAttrs = createBagAttrs( - x509cert.getSubjectDN().toString(), localKeyId); - SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, - key, keyAttrs); - safeContents.addElement(keyBag); - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel getKeyBag: Exception=" + e.toString()); - throw new IOException("Failed to create pk12 file."); - } - } - - private byte[] addCertBag(X509Certificate x509cert, String nickname, - SEQUENCE safeContents) throws IOException { - byte[] localKeyId = null; - try { - ASN1Value cert = new OCTET_STRING(x509cert.getEncoded()); - localKeyId = createLocalKeyId(x509cert); - SET certAttrs = null; - if (nickname != null) - certAttrs = createBagAttrs(nickname, localKeyId); - SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, - new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs); - safeContents.addElement(certBag); - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel addCertBag: " + e.toString()); - throw new IOException("Failed to create pk12 file."); - } - - return localKeyId; - } - - private byte[] getEncodedKey(PrivateKey pkey) { - try { - CryptoManager cm = CryptoManager.getInstance(); - CryptoToken token = cm.getInternalKeyStorageToken(); - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - IVParameterSpec param = new IVParameterSpec(iv); - wrapper.initWrap(sk, param); - byte[] 
enckey = wrapper.wrap(pkey); - Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - c.initDecrypt(sk, param); - byte[] recovered = c.doFinal(enckey); - return recovered; - } catch (Exception e) { - CMS.debug("BackupKeyCertPanel getEncodedKey: Exception=" + e.toString()); - } - - return null; - } - - private byte[] createLocalKeyId(X509Certificate cert) - throws IOException { - try { - // SHA1 hash of the X509Cert der encoding - byte certDer[] = cert.getEncoded(); - - MessageDigest md = MessageDigest.getInstance("SHA"); - - md.update(certDer); - return md.digest(); - } catch (CertificateEncodingException e) { - CMS.debug("BackupKeyCertPanel createLocalKeyId: Exception: " + e.toString()); - throw new IOException("Failed to encode certificate."); - } catch (NoSuchAlgorithmException e) { - CMS.debug("BackupKeyCertPanel createLocalKeyId: Exception: " + e.toString()); - throw new IOException("No such algorithm supported."); - } - } - - private SET createBagAttrs(String nickName, byte localKeyId[]) - throws IOException { - try { - SET attrs = new SET(); - SEQUENCE nickNameAttr = new SEQUENCE(); - - nickNameAttr.addElement(SafeBag.FRIENDLY_NAME); - SET nickNameSet = new SET(); - - nickNameSet.addElement(new BMPString(nickName)); - nickNameAttr.addElement(nickNameSet); - attrs.addElement(nickNameAttr); - SEQUENCE localKeyAttr = new SEQUENCE(); - - localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID); - SET localKeySet = new SET(); - - localKeySet.addElement(new OCTET_STRING(localKeyId)); - localKeyAttr.addElement(localKeySet); - attrs.addElement(localKeyAttr); - return attrs; - } catch (CharConversionException e) { - CMS.debug("BackupKeyCertPanel createBagAttrs: Exception=" + e.toString()); - throw new IOException("Failed to create PKCS12 file."); - } - } } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java index 827f0ce92..ab284f3c6 100644 
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java @@ -19,6 +19,7 @@ package com.netscape.cms.servlet.csadmin; import java.io.IOException; import java.net.URL; +import java.security.cert.CertificateEncodingException; import java.util.StringTokenizer; import java.util.Vector; @@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.velocity.context.Context; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.ca.ICertificateAuthority; @@ -147,14 +149,18 @@ public class CAInfoPanel extends WizardPanelBase { String cstype = "CA"; String portType = "SecurePort"; - /* - try { - cstype = cs.getString("cs.type", ""); - } catch (EBaseException e) {} - */ - CMS.debug("CAInfoPanel: Ready to get url"); - Vector<String> v = getUrlListFromSecurityDomain(cs, cstype, portType); + Vector<String> v = null; + try { + v = ConfigurationUtils.getUrlListFromSecurityDomain(cs, cstype, portType); + } catch (Exception e) { + CMS.debug("CAInfoPanel display(): errors in getting URL list from security domain" + e); + e.printStackTrace(); + } + if (v == null) { + v = new Vector<String>(); + } + v.addElement("External CA"); StringBuffer list = new StringBuffer(); int size = v.size(); 
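Review bot: In display(), a failure of ConfigurationUtils.getUrlListFromSecurityDomain is logged and swallowed, after which the panel silently offers only "External CA"; an installer that cannot reach the security domain is thereby steered towards the external-CA path without being told why. If the panel template renders `errorString`, add `context.put("errorString", "Unable to retrieve the CA list from the security domain: " + e.getMessage());` beside the CMS.debug call, and log the stack through CMS.debug rather than `e.printStackTrace()`, consistent with the rest of this class. display() starts before this hunk.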
@@ -198,31 +204,20 @@ public class CAInfoPanel extends WizardPanelBase { public void update(HttpServletRequest request, HttpServletResponse response, Context context) throws IOException { - - /* - String select = request.getParameter("choice"); - if (select == null) { - CMS.debug("CAInfoPanel: choice not found"); - throw new IOException("choice not found"); - } - */ IConfigStore config = CMS.getConfigStore(); try { String subsystemselect = config.getString("preop.subsystem.select", ""); if (subsystemselect.equals("clone")) return; - } catch (Exception e) { - } - String select = null; - String index = request.getParameter("urls"); - String url = ""; - if (index.startsWith("http")) { - // user may submit url directlry - url = index; - } else { - try { + String select = null; + String index = request.getParameter("urls"); + String url = ""; + if (index.startsWith("http")) { + // user may submit url directly + url = index; + } else { int x = Integer.parseInt(index); String list = config.getString("preop.ca.list", ""); StringTokenizer tokenizer = new StringTokenizer(list, ","); 
@@ -235,54 +230,55 @@ public class CAInfoPanel extends WizardPanelBase { } counter++; } - } catch (Exception e) { } - } - URL urlx = null; + URL urlx = null; - if (url.equals("External CA")) { - select = "otherca"; - config.putString("preop.ca.pkcs7", ""); - config.putInteger("preop.ca.certchain.size", 0); - } else { - select = "sdca"; + if (url.equals("External CA")) { + select = "otherca"; + config.putString("preop.ca.pkcs7", ""); + config.putInteger("preop.ca.certchain.size", 0); + } else { + select = "sdca"; - // parse URL (CA1 - https://...) - url = url.substring(url.indexOf("https")); - urlx = new URL(url); - } + // parse URL (CA1 - https://...) + url = url.substring(url.indexOf("https")); + urlx = new URL(url); + } - ISubsystem subsystem = CMS.getSubsystem(ICertificateAuthority.ID); + ISubsystem subsystem = CMS.getSubsystem(ICertificateAuthority.ID); - if (select.equals("sdca")) { - config.putString("preop.ca.type", "sdca"); - CMS.debug("CAInfoPanel update: this is the CA in the security domain."); - context.put("check_sdca", "checked"); - sdca(request, context, urlx.getHost(), - Integer.toString(urlx.getPort())); - if (subsystem != null) { - config.putString(PCERT_PREFIX + "signing.type", "remote"); - config.putString(PCERT_PREFIX + "signing.profile", - "caInstallCACert"); - } - } else if (select.equals("otherca")) { - config.putString("preop.ca.type", "otherca"); - context.put("check_otherca", "checked"); - if (subsystem != null) { - config.putString(PCERT_PREFIX + "signing.type", "remote"); + if (select.equals("sdca")) { + config.putString("preop.ca.type", "sdca"); + CMS.debug("CAInfoPanel update: this is the CA in the security domain."); + context.put("check_sdca", "checked"); + sdca(request, context, urlx.getHost(), + Integer.toString(urlx.getPort())); + if (subsystem != null) { + config.putString(PCERT_PREFIX + "signing.type", "remote"); + config.putString(PCERT_PREFIX + "signing.profile", + "caInstallCACert"); + } + } else if 
(select.equals("otherca")) { + config.putString("preop.ca.type", "otherca"); + context.put("check_otherca", "checked"); + if (subsystem != null) { + config.putString(PCERT_PREFIX + "signing.type", "remote"); + } + CMS.debug("CAInfoPanel update: this is the other CA."); } - CMS.debug("CAInfoPanel update: this is the other CA."); - } - try { config.commit(false); } catch (Exception e) { + CMS.debug("CAInfoPanel update(): Exception thrown " + e); + e.printStackTrace(); + context.put("updateStatus", "failure"); } + context.put("updateStatus", "success"); } private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) - throws IOException { + throws IOException, CertificateEncodingException, EBaseException { CMS.debug("CAInfoPanel update: this is the CA in the security domain."); IConfigStore config = CMS.getConfigStore(); @@ -295,13 +291,10 @@ public class CAInfoPanel extends WizardPanelBase { } int httpsport = -1; - try { httpsport = Integer.parseInt(httpsPortStr); } catch (Exception e) { - CMS.debug( - "CAInfoPanel update: Https port is not valid. Exception: " - + e.toString()); + CMS.debug("CAInfoPanel update: Https port is not valid. Exception: " + e.toString()); throw new IOException("Http Port is not valid."); } @@ -314,7 +307,7 @@ public class CAInfoPanel extends WizardPanelBase { } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java index 74d1069eb..4f9f1e905 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java 
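Review bot: The failure status set inside the new catch block is immediately overwritten, because `context.put("updateStatus", "success")` now runs unconditionally after the try/catch; every exception in update() is therefore reported to the wizard as success. Adding `return;` after `context.put("updateStatus", "failure");`, or moving the success line to the end of the try block, restores the intended outcome. As in display(), `e.printStackTrace()` writes to stderr rather than the subsystem log; `CMS.debug(e)` would keep the trace alongside the message. The start of update() is in the previous hunk.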
@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.csadmin; import java.io.IOException; import java.math.BigInteger; -import java.security.Principal; import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -30,16 +29,9 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.pkcs.PKCS10; import netscape.security.util.CertPrettyPrint; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.crypto.InternalCertificate; -import org.mozilla.jss.crypto.PrivateKey; -import org.mozilla.jss.crypto.X509Certificate; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; 
@@ -102,49 +94,6 @@ public class CertRequestPanel extends WizardPanelBase { return true; } - private boolean findCertificate(String tokenname, String nickname) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - CryptoManager cm = null; - try { - cm = CryptoManager.getInstance(); - } catch (Exception e) { - } - - String fullnickname = nickname; - - boolean hardware = false; - if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) { - hardware = true; - fullnickname = tokenname + ":" + nickname; - } - - try { - X509Certificate cert = cm.findCertByNickname(fullnickname); - if (cert == null) - return false; - try { - @SuppressWarnings("unused") - boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors - return true; - } catch (Exception ee) { - if (hardware) { - CMS.debug("CertRequestPanel findCertificate: The certificate with the same nickname: " - + fullnickname + " has been found on HSM. Please remove it before proceeding."); - throw new IOException("The certificate with the same nickname: " - + fullnickname + " has been found on HSM. Please remove it before proceeding."); - } - return true; - } - } catch (IOException e) { - CMS.debug("CertRequestPanel findCertificate: throw exception:" + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("CertRequestPanel findCertificate: Exception=" + e.toString()); - return false; - } - } - public void cleanUp() throws IOException { IConfigStore cs = CMS.getConfigStore(); String list = ""; 
@@ -208,14 +157,14 @@ public class CertRequestPanel extends WizardPanelBase { if (t.equals("sslserver")) continue; - if (findCertificate(tokenname, nickname)) { - try { + try { + if (ConfigurationUtils.findCertificate(tokenname, nickname)) { CMS.debug("CertRequestPanel cleanup: deleting certificate (" + nickname + ")."); - deleteCert(tokenname, nickname); - } catch (Exception e) { - CMS.debug("CertRequestPanel cleanup: failed to delete certificate (" - + nickname + "). Exception: " + e.toString()); + ConfigurationUtils.deleteCert(tokenname, nickname); } + } catch (Exception e) { + CMS.debug("CertRequestPanel cleanup: failed to delete certificate (" + + nickname + "). Exception: " + e.toString()); } } @@ -249,17 +198,14 @@ public class CertRequestPanel extends WizardPanelBase { Context context, String certTag, Cert cert) { try { - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - + String subsystem = config.getString(PCERT_PREFIX + certTag + ".subsystem"); String certs = config.getString(subsystem + "." + certTag + ".cert", ""); if (cert != null) { String certf = certs; - CMS.debug( - "CertRequestPanel getCert: certTag=" + certTag - + " cert=" + certs); + CMS.debug("CertRequestPanel getCert: certTag=" + certTag + " cert=" + certs); + //get and set formated cert if (!certs.startsWith("...")) { certf = CryptoUtil.certFormat(certs); 
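Review bot: Moving the `findCertificate` call inside the try/catch in cleanUp() changes what happens when the lookup itself fails: the removed findCertificate threw an IOException to stop the flow when a certificate with the same nickname already existed on an HSM, and `cleanUp() throws IOException` let that propagate. If `ConfigurationUtils.findCertificate` keeps that contract (its body is not in this diff), the condition is now swallowed by `catch (Exception e)` and logged under the misleading text "failed to delete certificate". Keeping the lookup outside the try and wrapping only `ConfigurationUtils.deleteCert(tokenname, nickname)` would preserve the old behaviour, or at least the catch could rethrow IOException. The enclosing loop in cleanUp() starts before this hunk.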
@@ -289,94 +235,6 @@ public class CertRequestPanel extends WizardPanelBase { } // try } - public X509Key getECCX509Key(IConfigStore config, String certTag) - throws Exception { - X509Key pubk = null; - String pubKeyEncoded = config.getString( - PCERT_PREFIX + certTag + ".pubkey.encoded"); - pubk = CryptoUtil.getPublicX509ECCKey(CryptoUtil.string2byte(pubKeyEncoded)); - return pubk; - } - - public X509Key getRSAX509Key(IConfigStore config, String certTag) - throws Exception { - X509Key pubk = null; - - String pubKeyModulus = config.getString( - PCERT_PREFIX + certTag + ".pubkey.modulus"); - String pubKeyPublicExponent = config.getString( - PCERT_PREFIX + certTag + ".pubkey.exponent"); - pubk = CryptoUtil.getPublicX509Key( - CryptoUtil.string2byte(pubKeyModulus), - CryptoUtil.string2byte(pubKeyPublicExponent)); - return pubk; - } - - public void handleCertRequest(IConfigStore config, - Context context, String certTag, Cert cert) { - try { - // get public key - String pubKeyType = config.getString( - PCERT_PREFIX + certTag + ".keytype"); - String algorithm = config.getString( - PCERT_PREFIX + certTag + ".keyalgorithm"); - X509Key pubk = null; - if (pubKeyType.equals("rsa")) { - pubk = getRSAX509Key(config, certTag); - } else if (pubKeyType.equals("ecc")) { - pubk = getECCX509Key(config, certTag); - } else { - CMS.debug("CertRequestPanel::handleCertRequest() - " - + "pubKeyType " + pubKeyType + " is unsupported!"); - return; - } - - CMS.debug("CertRequestPanel: tag=" + certTag); - if (pubk != null) { - CMS.debug("CertRequestPanel: got public key"); - } else { - CMS.debug("CertRequestPanel: error getting public key null"); - return; - } - - // get private key - String privKeyID = config.getString( - PCERT_PREFIX + certTag + ".privkey.id"); - CMS.debug("CertRequestPanel: privKeyID=" + privKeyID); - byte[] keyIDb = CryptoUtil.string2byte(privKeyID); - - PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); - - if (privk != null) { - CMS.debug("CertRequestPanel: got 
private key"); - } else { - CMS.debug("CertRequestPanel: error getting private key null"); - } - - // construct cert request - String caDN = config.getString(PCERT_PREFIX + certTag + ".dn"); - - cert.setDN(caDN); - PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, - privk, algorithm); - - CMS.debug("CertRequestPanel: created cert request"); - byte[] certReqb = certReq.toByteArray(); - String certReqs = CryptoUtil.base64Encode(certReqb); - String certReqf = CryptoUtil.reqFormat(certReqs); - - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - config.putString(subsystem + "." + certTag + ".certreq", certReqs); - config.commit(false); - cert.setRequest(certReqf); - } catch (Exception e) { - CMS.debug("CertRequestPanel::handleCertRequest" + e.toString()); - CMS.debug(e); - } // try - - } - /** * Display the panel. */ @@ -399,20 +257,16 @@ public class CertRequestPanel extends WizardPanelBase { String certTag = st.nextToken(); try { - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - String nickname = config.getString( - subsystem + "." + certTag + ".nickname"); - String tokenname = config.getString( - subsystem + "." + certTag + ".tokenname"); - Cert c = new Cert(tokenname, nickname, certTag); - - handleCertRequest(config, context, certTag, c); + String subsystem = config.getString(PCERT_PREFIX + certTag + ".subsystem"); + String nickname = config.getString(subsystem + "." + certTag + ".nickname"); + String tokenname = config.getString(subsystem + "." + certTag + ".tokenname"); - String type = config.getString( - PCERT_PREFIX + certTag + ".type"); + Cert c = new Cert(tokenname, nickname, certTag); + ConfigurationUtils.handleCertRequest(config, certTag, c); + String type = config.getString(PCERT_PREFIX + certTag + ".type"); c.setType(type); + boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true); c.setEnable(enable); getCert(config, context, certTag, c); 
@@ -420,15 +274,12 @@ public class CertRequestPanel extends WizardPanelBase { c.setSubsystem(subsystem); mCerts.addElement(c); } catch (Exception e) { - CMS.debug( - "CertRequestPanel:display() Exception caught: " - + e.toString() + " for certTag " + certTag); + CMS.debug("CertRequestPanel:display() Exception caught: " + e.toString() + + " for certTag " + certTag); } } } catch (Exception e) { - CMS.debug( - "CertRequestPanel:display() Exception caught: " - + e.toString()); + CMS.debug("CertRequestPanel:display() Exception caught: " + e.toString()); System.err.println("Exception caught: " + e.toString()); } // try @@ -448,37 +299,6 @@ public class CertRequestPanel extends WizardPanelBase { Context context) throws IOException { } - private boolean findBootstrapServerCert() { - IConfigStore cs = CMS.getConfigStore(); - try { - String instanceID = cs.getString("instanceId", ""); - String nickname = "Server-Cert cert-" + instanceID; - - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate cert = cm.findCertByNickname(nickname); - Principal issuerDN = cert.getIssuerDN(); - Principal subjectDN = cert.getSubjectDN(); - if (issuerDN.equals(subjectDN)) - return true; - } catch (Exception e) { - CMS.debug("CertRequestPanel findBootstrapServerCert Exception=" + e.toString()); - } - - return false; - } - - private void deleteBootstrapServerCert() { - IConfigStore cs = CMS.getConfigStore(); - try { - String instanceID = cs.getString("instanceId", ""); - String nickname = "Server-Cert cert-" + instanceID; - - deleteCert("Internal Key Storage Token", nickname); - } catch (Exception e) { - CMS.debug("CertRequestPanel deleteBootstrapServerCert Exception=" + e.toString()); - } - } - /** * Commit parameter changes */ 
@@ -494,253 +314,37 @@ public class CertRequestPanel extends WizardPanelBase { return; } - try { - Enumeration<Cert> c = mCerts.elements(); + Enumeration<Cert> c = mCerts.elements(); + while (c.hasMoreElements()) { + Cert cert = c.nextElement(); + if (hasErr) continue; - String tokenname = ""; + int ret=0; try { - tokenname = config.getString("preop.module.token", ""); + cert.setCert(HttpInput.getCert(request, cert.getCertTag())); + cert.setCertChain(HttpInput.getCertChain(request, cert.getCertTag() + "_cc")); + + ret = ConfigurationUtils.handleCerts(cert); + ConfigurationUtils.setCertPermissions(cert.getCertTag()); } catch (Exception e) { + CMS.debug("Exception in configuring system certificate " + cert.getCertTag() + ": " + e); + e.printStackTrace(); + hasErr = true; } - - while (c.hasMoreElements()) { - Cert cert = c.nextElement(); - String certTag = cert.getCertTag(); - String subsystem = cert.getSubsystem(); - boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true); - if (!enable) - continue; - - if (hasErr) - continue; - - String nickname = cert.getNickname(); - - CMS.debug( - "CertRequestPanel: update() for cert tag " - + cert.getCertTag()); - // String b64 = config.getString(CERT_PREFIX+ certTag +".cert", ""); - String b64 = HttpInput.getCert(request, certTag); - - if (cert.getType().equals("local") - && b64.equals( - "...certificate be generated internally...")) { - - String pubKeyType = config.getString( - PCERT_PREFIX + certTag + ".keytype"); - X509Key x509key = null; - if (pubKeyType.equals("rsa")) { - x509key = getRSAX509Key(config, certTag); - } else if (pubKeyType.equals("ecc")) { - x509key = getECCX509Key(config, certTag); - } - - if (findCertificate(tokenname, nickname)) { - if (!certTag.equals("sslserver")) - continue; - } - X509CertImpl impl = CertUtil.createLocalCert(config, x509key, - PCERT_PREFIX, certTag, cert.getType(), context); - - if (impl != null) { - byte[] certb = impl.getEncoded(); - String certs = 
CryptoUtil.base64Encode(certb); - - cert.setCert(certs); - config.putString(subsystem + "." + certTag + ".cert", certs); - /* import certificate */ - CMS.debug( - "CertRequestPanel configCert: nickname=" - + nickname); - - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) - deleteCert(tokenname, nickname); - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - CMS.debug( - "CertRequestPanel configCert: cert imported for certTag " - + certTag); - } catch (Exception ee) { - CMS.debug( - "CertRequestPanel configCert: import certificate for certTag=" - + certTag + " Exception: " - + ee.toString()); - CMS.debug("ok"); - // hasErr = true; - } - } - } else if (cert.getType().equals("remote")) { - if (b64 != null && b64.length() > 0 - && !b64.startsWith("...")) { - String b64chain = HttpInput.getCertChain(request, certTag + "_cc"); - CMS.debug( - "CertRequestPanel: in update() process remote...import cert"); - - String input = HttpInput.getCert(request, cert.getCertTag()); - - if (input != null) { - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception e) { - CMS.debug("CertRequestPanel update (remote): deleteCert Exception=" + e.toString()); - } - input = CryptoUtil.stripCertBrackets(input.trim()); - String certs = CryptoUtil.normalizeCertStr(input); - byte[] certb = CryptoUtil.base64Decode(certs); - - config.putString(subsystem + "." 
+ certTag + ".cert", - certs); - try { - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate x509cert = cm.importCertPackage( - certb, nickname); - - CryptoUtil.trustCertByNickname(nickname); - X509Certificate[] certchains = cm.buildCertificateChain( - x509cert); - X509Certificate leaf = null; - - if (certchains != null) { - CMS.debug( - "CertRequestPanel certchains length=" - + certchains.length); - leaf = certchains[certchains.length - 1]; - } - - if (leaf == null) { - CMS.debug("CertRequestPanel::update() - " - + "leaf is null!"); - throw new IOException("leaf is null"); - } - - if (/*(certchains.length <= 1) &&*/ - (b64chain != null && b64chain.length() != 0)) { - CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain: " - + b64chain); - try { - CryptoUtil.importCertificateChain( - CryptoUtil.normalizeCertAndReq(b64chain)); - } catch (Exception e) { - CMS.debug("CertRequestPanel: importCertChain: Exception: " + e.toString()); - } - } - - InternalCertificate icert = (InternalCertificate) leaf; - - icert.setSSLTrust( - InternalCertificate.TRUSTED_CA - | InternalCertificate.TRUSTED_CLIENT_CA - | InternalCertificate.VALID_CA); - CMS.debug( - "CertRequestPanel configCert: import certificate successfully, certTag=" - + certTag); - } catch (Exception ee) { - CMS.debug( - "CertRequestPanel configCert: import certificate for certTag=" - + certTag + " Exception: " - + ee.toString()); - CMS.debug("ok"); - // hasErr=true; - } - } else { - CMS.debug("CertRequestPanel: in update() input null"); - hasErr = true; - } - } else { - CMS.debug("CertRequestPanel: in update() b64 not set"); - hasErr = true; - } - - } else { - b64 = CryptoUtil.stripCertBrackets(b64.trim()); - String certs = CryptoUtil.normalizeCertStr(b64); - byte[] certb = CryptoUtil.base64Decode(certs); - X509CertImpl impl = new X509CertImpl(certb); - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if 
(findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception ee) { - CMS.debug("CertRequestPanel update: deleteCert Exception=" + ee.toString()); - } - - try { - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - } catch (Exception ee) { - CMS.debug("CertRequestPanel: Failed to import user certificate." + ee.toString()); - hasErr = true; - } - } - - //update requests in request queue for local certs to allow renewal - if ((cert.getType().equals("local")) || (cert.getType().equals("selfsign"))) { - CertUtil.updateLocalRequest(config, certTag, cert.getRequest(), "pkcs10", null); - } - - if (certTag.equals("signing") && subsystem.equals("ca")) { - String NickName = nickname; - if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) - NickName = tokenname + ":" + nickname; - - CMS.debug("CertRequestPanel update: set trust on CA signing cert " + NickName); - CryptoUtil.trustCertByNickname(NickName); - CMS.reinit(ICertificateAuthority.ID); - } - } //while loop - - if (hasErr == false) { - config.putBoolean("preop.CertRequestPanel.done", true); + if (ret != 0) { + CMS.debug("System certificates not configured " + cert.getCertTag()); } - config.commit(false); - } catch (Exception e) { - CMS.debug("CertRequestPanel: Exception caught: " + e.toString()); - System.err.println("Exception caught: " + e.toString()); } + // end new - //reset the attribute of the user certificate to u,u,u - String certlist = ""; - try { - certlist = config.getString("preop.cert.list", ""); - StringTokenizer tokenizer = new StringTokenizer(certlist, ","); - CryptoManager cm = CryptoManager.getInstance(); - while (tokenizer.hasMoreTokens()) { - String tag = tokenizer.nextToken(); - if (tag.equals("signing")) - continue; - String nickname = config.getString("preop.cert." 
+ tag + ".nickname", ""); - String tokenname = config.getString("preop.module.token", ""); - if (!tokenname.equals("Internal Key Storage Token")) - nickname = tokenname + ":" + nickname; - X509Certificate c = cm.findCertByNickname(nickname); - if (c instanceof InternalCertificate) { - InternalCertificate ic = (InternalCertificate) c; - ic.setSSLTrust(InternalCertificate.USER); - ic.setEmailTrust(InternalCertificate.USER); - if (tag.equals("audit_signing")) { - ic.setObjectSigningTrust(InternalCertificate.USER - | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER); - } else { - ic.setObjectSigningTrust(InternalCertificate.USER); - } - } - } - } catch (Exception e) { - } if (!hasErr) { + try { + config.putBoolean("preop.CertRequestPanel.done", true); + config.commit(false); + } catch (EBaseException e) { + e.printStackTrace(); + CMS.debug("Unable to commit changes to CS,cfg: " +e); + } context.put("updateStatus", "success"); } else { context.put("updateStatus", "failure"); @@ -748,7 +352,7 @@ public class CertRequestPanel extends WizardPanelBase { } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationRESTClient.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationRESTClient.java index 330cdf19d..59bb1caf9 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationRESTClient.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationRESTClient.java @@ -25,6 +25,7 @@ import java.net.URI; import java.net.URISyntaxException; import java.net.UnknownHostException; import java.util.Enumeration; + import org.apache.http.client.HttpClient; import org.apache.http.conn.scheme.LayeredSchemeSocketFactory; import org.apache.http.conn.scheme.Scheme; 
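Review bot: A non-zero return from `ConfigurationUtils.handleCerts(cert)` is only logged; `hasErr` stays false, so the panel still writes `preop.CertRequestPanel.done` and reports `updateStatus` as success even though a system certificate was not configured. Setting `hasErr = true;` inside the `if (ret != 0)` block makes the return value count the same as an exception. In the same spirit, a failed `config.commit(false)` inside the `!hasErr` branch is caught and printed but the status is still set to success, so the caller cannot tell the done flag was never persisted. The removed code also skipped certificates whose `preop.cert.<tag>.enable` flag was false and, for the CA signing cert, set its trust and called `CMS.reinit`; if those steps now live in `handleCerts` rather than being dropped, a short comment above the loop saying so would help the next reader, since nothing in this hunk shows it. update() begins before this hunk.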
@@ -94,7 +95,7 @@ public class ConfigurationRESTClient { return false; } } - + private class JSSProtocolSocketFactory implements SchemeSocketFactory, LayeredSchemeSocketFactory { @Override public Socket createSocket(HttpParams params) @@ -158,32 +159,32 @@ public class ConfigurationRESTClient { URI uri = new URI(baseUri); - + String protocol = uri.getScheme(); int port = uri.getPort(); - + clientCertNickname = null; HttpClient httpclient = new DefaultHttpClient(); if(protocol != null && protocol.equals("https")) { if (clientCertNick != null) { clientCertNickname = clientCertNick; } - + Scheme scheme = new Scheme("https",port, new JSSProtocolSocketFactory()); - + // Register for port 443 our SSLSocketFactory to the ConnectionManager httpclient.getConnectionManager().getSchemeRegistry().register(scheme); - + } - - + + ClientExecutor executor = new ApacheHttpClient4Executor(httpclient); - + ResteasyProviderFactory providerFactory = ResteasyProviderFactory.getInstance(); providerFactory.addClientErrorInterceptor(new ConfigurationErrorInterceptor()); configClient = ProxyFactory.create(SystemConfigurationResource.class, uri, executor, providerFactory); } - + public ConfigurationResponseData configure(ConfigurationData data) { ConfigurationResponseData response = configClient.configure(data); return response; diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index d4bcfd661..490911353 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -14,7 +14,7 @@ // // (C) 2012 Red Hat, Inc. // All rights reserved. -// --- END COPYRIGHT BLOCK --- +// --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; import java.io.BufferedReader; 
@@ -142,6 +142,8 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cms.servlet.csadmin.model.InstallToken; +import com.netscape.cms.servlet.csadmin.model.InstallTokenRequest; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.http.HttpClient; import com.netscape.cmsutil.http.HttpRequest; @@ -150,25 +152,22 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.ldap.LDAPUtil; import com.netscape.cmsutil.xml.XMLObject; -import com.netscape.cms.servlet.csadmin.model.InstallToken; -import com.netscape.cms.servlet.csadmin.model.InstallTokenRequest; - /** * Utility class for functions to be used both by the RESTful installer * and the UI Panels. - * + * * @author alee * */ public class ConfigurationUtils { - + private static final String PCERT_PREFIX = "preop.cert."; public static String SUCCESS = "0"; public static String FAILURE = "1"; public static String AUTH_FAILURE = "2"; public static final BigInteger BIG_ZERO = new BigInteger("0"); public static final Long MINUS_ONE = Long.valueOf(-1); - + public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException, IncorrectPasswordException { boolean rv = true; @@ -190,6 +189,11 @@ public class ConfigurationUtils { return rv; } + public static String getHttpResponse(String hostname, int port, boolean secure, + String uri, String content, String clientnickname) throws IOException { + return getHttpResponse(hostname, port, secure, uri, content, clientnickname, null); + } + //TODO - replace with Jack's connector code // or as we replace calls with restful calls, remove altogether public static String getHttpResponse(String hostname, int port, boolean secure, 
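Review bot: The new six-argument `getHttpResponse` overload has no Javadoc, so a caller cannot tell what passing `null` for the omitted seventh argument means without reading the seven-argument version, whose signature continues outside this hunk. A short Javadoc stating that it delegates to the full overload with the final argument unset, and what that implies for the request, would make the wrapper self-explanatory. The existing `//TODO - replace with Jack's connector code` comment now sits between the two overloads and reads as applying only to the second; if it covers both, moving it above the new method keeps that clear.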
@@ -241,10 +245,10 @@ public class ConfigurationUtils { return c; } - + public static void importCertChain(String host, int port, String serverPath, String tag) throws IOException, SAXException, ParserConfigurationException, CertificateEncodingException, - CertificateException, NotInitializedException, TokenException { + CertificateException, NotInitializedException, TokenException, EBaseException { IConfigStore cs = CMS.getConfigStore(); ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); XMLObject parser = null; @@ -255,7 +259,25 @@ public class ConfigurationUtils { parser = new XMLObject(bis); String certchain = parser.getValue("ChainBase64"); if ((certchain != null) && (certchain.length() > 0)) { + certchain = CryptoUtil.normalizeCertStr(certchain); cs.putString("preop." + tag + ".pkcs7", certchain); + + // separate individual certs in chain for display + byte[] decoded = CryptoUtil.base64Decode(certchain); + java.security.cert.X509Certificate[] b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded); + int size = 0; + + if (b_certchain != null) { + size = b_certchain.length; + } + cs.putInteger("preop." + tag + ".certchain.size", size); + for (int i = 0; i < size; i++) { + byte[] bb = b_certchain[i].getEncoded(); + cs.putString("preop." + tag + ".certchain." + i, + CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb))); + } + + cs.commit(false); CryptoUtil.importCertificateChain(certchain); } else { throw new IOException("importCertChain: Security Domain response does not contain certificate chain"); @@ -264,7 +286,7 @@ public class ConfigurationUtils { throw new IOException("importCertChain: Failed to get response from security domain"); } } - + public static String getInstallToken(String sdhost, int sdport, String user, String passwd) throws EPropertyNotFound, EBaseException, URISyntaxException { IConfigStore cs = CMS.getConfigStore(); 
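Review bot: `cs.commit(false)` now runs before `CryptoUtil.importCertificateChain(certchain)`, so if the import throws, `preop.<tag>.pkcs7`, `preop.<tag>.certchain.size` and the per-certificate entries are already persisted as if the chain had been taken into the database. Moving the commit after the import call keeps the stored configuration consistent with what was actually imported. A PKCS7 blob that decodes to no certificates is also handled differently from an empty `ChainBase64`: the empty string is rejected with an IOException, while a null or zero-length `b_certchain` is recorded with `certchain.size` of 0 and the import is still attempted; treating `size == 0` the same way as the empty-chain branch would be more consistent. The start of importCertChain is in the previous hunk.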
@@ -278,7 +300,7 @@ public class ConfigurationUtils { return token.getToken(); } - + public static String getGroupName(String uid, String subsystemname) { IUGSubsystem subsystem = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); if (subsystem.isMemberOf(uid, "Enterprise CA Administrators") && subsystemname.equals("CA")) { @@ -296,7 +318,7 @@ public class ConfigurationUtils { } return null; } - + public static String getDomainXML(String hostname, int https_admin_port, boolean https) throws IOException, SAXException, ParserConfigurationException { CMS.debug("getDomainXML start"); @@ -304,7 +326,7 @@ public class ConfigurationUtils { if (c != null) { ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); XMLObject parser = null; - + parser = new XMLObject(bis); String status = parser.getValue("Status"); CMS.debug("getDomainXML: status=" + status); @@ -321,7 +343,7 @@ public class ConfigurationUtils { } return null; } - + public static void getSecurityDomainPorts(String domainXML, String host, int port) throws SAXException, IOException, ParserConfigurationException { ByteArrayInputStream bis = new ByteArrayInputStream(domainXML.getBytes()); @@ -351,7 +373,7 @@ public class ConfigurationUtils { } } } - + public static Vector<String> getUrlListFromSecurityDomain(IConfigStore config, String type, String portType) throws EPropertyNotFound, EBaseException, IOException, SAXException, ParserConfigurationException { @@ -401,7 +423,7 @@ public class ConfigurationUtils { return v; } - + public static boolean isValidCloneURI(String domainXML, String cloneHost, int clonePort) throws EPropertyNotFound, EBaseException, SAXException, IOException, ParserConfigurationException { IConfigStore cs = CMS.getConfigStore(); 
@@ -514,7 +536,7 @@ public class ConfigurationUtils { config.commit(false); } - + public static void updateNumberRange(String hostname, int port, boolean https, String content, String type) throws IOException, EBaseException, SAXException, ParserConfigurationException { CMS.debug("updateNumberRange start host=" + hostname + " port=" + port); @@ -562,9 +584,9 @@ public class ConfigurationUtils { } } } - + public static boolean updateConfigEntries(String hostname, int port, boolean https, - String servlet, String uri, IConfigStore config) + String servlet, String uri, IConfigStore config) throws IOException, EBaseException, SAXException, ParserConfigurationException { CMS.debug("updateConfigEntries start"); String c = getHttpResponse(hostname, port, https, servlet, uri, null, null); @@ -682,7 +704,7 @@ public class ConfigurationUtils { return false; } - + public static void restoreCertsFromP12(String p12File, String p12Pass) throws EPropertyNotFound, EBaseException, InvalidKeyException, CertificateException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IllegalStateException, TokenException, IllegalBlockSizeException, @@ -769,7 +791,7 @@ public class ConfigurationUtils { } } - + public static boolean isCertdbCloned() { IConfigStore cs = CMS.getConfigStore(); try { @@ -790,11 +812,11 @@ public class ConfigurationUtils { nickname = tokenname + ":" + nickname; CMS.debug("isCertdbCloned: " + nickname); - + // TODO : remove this when we eliminate the extraneous nicknames - // needed for self tests + // needed for self tests cs.putString(cstype + ".cert." + tag + ".nickname", nickname); - + X509Certificate cert = cm.findCertByNickname(nickname); if (cert == null) return false; 
@@ -805,14 +827,14 @@ public class ConfigurationUtils { return true; } - + public static void importkeycert(Vector<Vector<Object>> pkeyinfo_collection, Vector<Vector<Object>> cert_collection) throws IOException, CertificateException, TokenException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalStateException, IllegalBlockSizeException, BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, EPropertyNotFound, EBaseException { CryptoManager cm = CryptoManager.getInstance(); - + // delete all existing certificates first deleteExistingCerts(); @@ -909,7 +931,7 @@ public class ConfigurationUtils { } return null; } - + public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) { CMS.debug("Key Algorithm '" + pubkey.getAlgorithm() + "'"); if (pubkey.getAlgorithm().equals("EC")) { @@ -917,7 +939,7 @@ public class ConfigurationUtils { } return org.mozilla.jss.crypto.PrivateKey.Type.RSA; } - + public static boolean isCASigningCert(String name) { IConfigStore cs = CMS.getConfigStore(); try { @@ -926,17 +948,17 @@ public class ConfigurationUtils { } catch(Exception e) { // nickname may not exist if this is not cloning a CA }; - + return false; } - + public static boolean isAuditSigningCert(String name) throws EPropertyNotFound, EBaseException { IConfigStore cs = CMS.getConfigStore(); String nickname = cs.getString("preop.master.audit_signing.nickname"); if (nickname.equals(name)) return true; return false; } - + public static void deleteExistingCerts() { IConfigStore cs = CMS.getConfigStore(); try { @@ -967,7 +989,7 @@ public class ConfigurationUtils { CMS.debug("deleteExistingCerts: Exception=" + e.toString()); } } - + public static byte[] getX509Cert(String nickname, Vector<Vector<Object>> cert_collection) throws CertificateException { for (int i = 0; i < cert_collection.size(); i++) { 
@@ -980,7 +1002,7 @@ public class ConfigurationUtils { } return null; } - + public static void releaseConnection(LDAPConnection conn) { try { if (conn != null) conn.disconnect(); @@ -989,14 +1011,14 @@ public class ConfigurationUtils { CMS.debug("releaseConnection: " + e); } } - + public static void populateDB() throws IOException, EBaseException { IConfigStore cs = CMS.getConfigStore(); - + String baseDN = cs.getString("internaldb.basedn"); String database = cs.getString("internaldb.database", ""); String remove = cs.getString("preop.database.removeData", "false"); - + IConfigStore dbCfg = cs.getSubStore("internaldb"); ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory(); dbFactory.init(dbCfg); @@ -1159,7 +1181,7 @@ public class ConfigurationUtils { releaseConnection(conn); throw new IOException("Failed to import ldif files"); } - + releaseConnection(conn); } @@ -1246,7 +1268,7 @@ public class ConfigurationUtils { } } } - + public static void cleanupDB(LDAPConnection conn, String baseDN, String database) { String[] entries = {}; String filter = "objectclass=*"; @@ -1301,7 +1323,7 @@ public class ConfigurationUtils { CMS.debug("cleanupDB: ldapexception thrown" + e); } } - + public static void deleteEntries(LDAPSearchResults res, LDAPConnection conn, String dn, String[] entries) { String[] attrs = null; @@ -1340,13 +1362,13 @@ public class ConfigurationUtils { CMS.debug("deleteEntry: Exception=" + e.toString()); } } - + public static String getInstanceDir(LDAPConnection conn) throws LDAPException { String instancedir = ""; String filter = "(objectclass=*)"; String[] attrs = { "nsslapd-directory" }; - LDAPSearchResults results = conn.search("cn=config,cn=ldbm database,cn=plugins,cn=config", + LDAPSearchResults results = conn.search("cn=config,cn=ldbm database,cn=plugins,cn=config", LDAPv3.SCOPE_SUB, filter, attrs, false); while (results.hasMoreElements()) { 
@@ -1354,7 +1376,7 @@ public class ConfigurationUtils { String dn = entry.getDN(); CMS.debug("getInstanceDir: DN for storing nsslapd-directory: " + dn); LDAPAttributeSet entryAttrs = entry.getAttributeSet(); - + @SuppressWarnings("unchecked") Enumeration<LDAPAttribute> attrsInSet = entryAttrs.getAttributes(); while (attrsInSet.hasMoreElements()) { @@ -1375,7 +1397,7 @@ public class ConfigurationUtils { return instancedir; } - + public static boolean deleteDir(File dir) { if (dir.isDirectory()) { String[] children = dir.list(); @@ -1388,7 +1410,7 @@ public class ConfigurationUtils { } return dir.delete(); } - + public static void populateIndexes() throws EPropertyNotFound, EBaseException, IOException, LDAPException { CMS.debug("populateIndexes(): start"); IConfigStore cs = CMS.getConfigStore(); @@ -1401,7 +1423,7 @@ public class ConfigurationUtils { try { importLDIFS("preop.internaldb.post_ldif", conn); - /* For vlvtask, we need to check if the task has + /* For vlvtask, we need to check if the task has been completed or not. Presence of nsTaskExitCode means task is complete */ String wait_dn = cs.getString("preop.internaldb.wait_dn", ""); @@ -1416,7 +1438,7 @@ public class ConfigurationUtils { // restore the interrupted status Thread.currentThread().interrupt(); } - + try { task = conn.read(wait_dn, (String[]) null); if (task != null) { @@ -1431,8 +1453,8 @@ public class ConfigurationUtils { } } catch (Exception le) { CMS.debug("Still checking wait_dn '" + wait_dn + "' (" + le.toString() + ")"); - } - } while (!taskComplete); + } + } while (!taskComplete); } } catch (Exception e) { CMS.debug("populateIndexes(): Exception thrown: " + e); @@ -1441,7 +1463,7 @@ public class ConfigurationUtils { releaseConnection(conn); } } - + public static void setupReplication() throws EBaseException, IOException { IConfigStore cs = CMS.getConfigStore(); 
@@ -1451,7 +1473,7 @@ public class ConfigurationUtils { String replicationSecurity = cs.getString("internaldb.ldapconn.replicationSecurity"); int masterReplicationPort = cs.getInteger("internaldb.ldapconn.masterReplicationPort"); int cloneReplicationPort = cs.getInteger("internaldb.ldapconn.cloneReplicationPort"); - + //setup replication agreement String masterAgreementName = "masterAgreement1-" + machinename + "-" + instanceId; cs.putString("internaldb.replication.master", masterAgreementName); @@ -1496,9 +1518,9 @@ public class ConfigurationUtils { String master_replicationpwd = cs.getString("preop.internaldb.master.replication.password", ""); String replica_hostname = cs.getString("internaldb.ldapconn.host", ""); String replica_replicationpwd = cs.getString("preop.internaldb.replicationpwd", ""); - String basedn = cs.getString("internaldb.basedn"); + String basedn = cs.getString("internaldb.basedn"); String suffix = cs.getString("internaldb.basedn", ""); - + String replicadn = "cn=replica,cn=\"" + suffix + "\",cn=mapping tree,cn=config"; CMS.debug("DatabasePanel setupReplication: replicadn=" + replicadn); @@ -1563,7 +1585,7 @@ public class ConfigurationUtils { releaseConnection(replicaConn); } } - + public static void createReplicationManager(LDAPConnection conn, String bindUser, String pwd) throws LDAPException { LDAPAttributeSet attrs = null; @@ -1646,7 +1668,7 @@ public class ConfigurationUtils { conn.add(entry); } catch (LDAPException e) { if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - /* BZ 470918 -we cant just add the new dn. We need to do a replace instead + /* BZ 470918 -we cant just add the new dn. We need to do a replace instead * until the DS code is fixed */ CMS.debug("enableReplication: " + replicadn + " has already been used"); 
@@ -1672,8 +1694,8 @@ public class ConfigurationUtils { return id + 1; } - public static void createReplicationAgreement(String replicadn, LDAPConnection conn, String name, - String replicahost, int replicaport, String replicapwd, String basedn, String bindUser, + public static void createReplicationAgreement(String replicadn, LDAPConnection conn, String name, + String replicahost, int replicaport, String replicapwd, String basedn, String bindUser, String secure, String replicationSecurity) throws LDAPException { String dn = "cn=" + name + "," + replicadn; CMS.debug("createReplicationAgreement: dn: " + dn); @@ -1794,7 +1816,7 @@ public class ConfigurationUtils { throw new IOException("nsDS5ReplicaLastInitStatus is null."); } } - + public static void reInitSubsystem(String csType) throws EBaseException { CMS.reinit(IDBSubsystem.SUB_ID); if (csType.equals("CA")) @@ -1803,7 +1825,7 @@ public class ConfigurationUtils { CMS.reinit(IAuthzSubsystem.ID); CMS.reinit(IUGSubsystem.ID); } - + public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { @@ -1839,7 +1861,7 @@ public class ConfigurationUtils { do { if (ct.equals("sslserver") && sslType.equalsIgnoreCase("ECDH")) { - CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set " + + CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set " + "properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); pair = CryptoUtil.generateECCKeyPair(token, curveName, null, ECDH_usages_mask); } else { 
@@ -1903,7 +1925,7 @@ public class ConfigurationUtils { } public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound, EBaseException { - String systemType = config.getString("cs.type"); + String systemType = config.getString("cs.type"); if (systemType.equalsIgnoreCase("CA")) { if (ct.equals("signing")) { config.putString("ca.signing.defaultSigningAlgorithm", keyAlgo); @@ -1921,7 +1943,7 @@ public class ConfigurationUtils { } } } - + public static void configCert(HttpServletRequest request, HttpServletResponse response, Context context, Cert certObj, WizardPanelBase panel) throws IOException { @@ -2091,7 +2113,7 @@ public class ConfigurationUtils { CMS.debug("configCert() exception caught:" + e.toString()); } } - + public static void updateConfig(IConfigStore config, String certTag) throws EBaseException, IOException { String token = config.getString("preop.module.token"); @@ -2147,7 +2169,7 @@ public class ConfigurationUtils { nickname); } } - + // for system certs verification if (!token.equals("Internal Key Storage Token") && !token.equals("")) { config.putString(subsystem + ".cert." + certTag + ".nickname", @@ -2159,17 +2181,17 @@ public class ConfigurationUtils { config.commit(false); CMS.debug("updateConfig() done"); } - + public static String getNickname(IConfigStore config, String certTag) throws EBaseException { String instanceID = config.getString("instanceId", ""); - + String nickname = certTag + "Cert cert-" + instanceID; String preferredNickname = null; try { preferredNickname = config.getString(PCERT_PREFIX + certTag + ".nickname", null); } catch (EBaseException e) { } - + if (preferredNickname != null) { return preferredNickname; } @@ -2203,7 +2225,7 @@ public class ConfigurationUtils { return 0; } - + public static void updateCloneConfig() throws EBaseException, IOException { IConfigStore config = CMS.getConfigStore(); 
@@ -2237,7 +2259,7 @@ public class ConfigurationUtils { audit_nn); } } - + public static void handleCertRequest(IConfigStore config, String certTag, Cert cert) throws EPropertyNotFound, EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, IOException { @@ -2288,7 +2310,7 @@ public class ConfigurationUtils { cert.setRequest(certReqf); } - + public static X509Key getECCX509Key(IConfigStore config, String certTag) throws EPropertyNotFound, EBaseException, InvalidKeyException { X509Key pubk = null; @@ -2357,6 +2379,7 @@ public class ConfigurationUtils { CryptoUtil.importUserCertificate(impl, nickname, false); CMS.debug("handleCerts(): cert imported for certTag " + certTag); } catch (Exception ee) { + ee.printStackTrace(); CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " + ee.toString()); } } @@ -2364,7 +2387,7 @@ public class ConfigurationUtils { if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { CMS.debug("handleCert(): process remote...import cert"); String b64chain = cert.getCertChain(); - + try { if (certTag.equals("sslserver") && findBootstrapServerCert()) deleteBootstrapServerCert(); 
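Review bot: The `ee.printStackTrace();` added in the catch at @@ -2357 writes the trace to the process's stderr instead of the CMS debug log that the very next line already uses, so the trace is detached from the surrounding debug output and is only kept if something happens to capture stderr; the same line is added to the catch at @@ -2413 in the next hunk. If the debug facility can log a Throwable, route the stack trace through it; otherwise drop the line, since the `CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " + ee.toString())` that follows already records the failure. Both catches also let handleCerts carry on after a failed import with nothing but a debug message, so a caller cannot tell the certificate was never installed — if that is intentional it deserves a comment, otherwise the failure should be surfaced. handleCerts starts and ends outside this hunk.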
@@ -2374,14 +2397,17 @@ public class ConfigurationUtils { } catch (Exception e) { CMS.debug("CertRequestPanel update (remote): deleteCert Exception=" + e.toString()); } - byte[] certb = CryptoUtil.base64Decode(b64); - config.putString(subsystem + "." + certTag + ".cert", b64); + b64 = CryptoUtil.stripCertBrackets(b64.trim()); + String certs = CryptoUtil.normalizeCertStr(b64); + byte[] certb = CryptoUtil.base64Decode(certs); + + config.putString(subsystem + "." + certTag + ".cert", certs); try { CryptoManager cm = CryptoManager.getInstance(); X509Certificate x509cert = cm.importCertPackage(certb, nickname); CryptoUtil.trustCertByNickname(nickname); - + X509Certificate[] certchains = cm.buildCertificateChain(x509cert); X509Certificate leaf = null; @@ -2413,6 +2439,7 @@ public class ConfigurationUtils { | InternalCertificate.VALID_CA); CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag); } catch (Exception ee) { + ee.printStackTrace(); CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: "+ ee.toString()); } @@ -2462,7 +2489,7 @@ public class ConfigurationUtils { } return 0; } - + public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException, ObjectNotFoundException, TokenException { if (tag.equals("signing")) return; @@ -2488,7 +2515,7 @@ public class ConfigurationUtils { } } } - + public static boolean findCertificate(String tokenname, String nickname) throws NotInitializedException, TokenException, IOException { IConfigStore cs = CMS.getConfigStore(); @@ -2552,7 +2579,7 @@ public class ConfigurationUtils { String nickname = "Server-Cert cert-" + instanceID; deleteCert("Internal Key Storage Token", nickname); } - + public static void deleteCert(String tokenname, String nickname) throws NotInitializedException, NoSuchTokenException, TokenException { 
@@ -2583,7 +2610,7 @@ public class ConfigurationUtils { CMS.debug("deleteCert: cert deleted successfully"); } } - + public static void backupKeys(String pwd, String fname) throws EPropertyNotFound, EBaseException, NotInitializedException, ObjectNotFoundException, TokenException, DigestException, InvalidKeyException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidBERException, @@ -2743,7 +2770,7 @@ public class ConfigurationUtils { return attrs; } - + public static void createAdminCertificate(String certRequest, String certRequestType, String subject) throws InvalidBERException, IOException, InvalidKeyException, InvalidKeyFormatException, NoSuchAlgorithmException, SignatureException, NoSuchProviderException, EBaseException { @@ -2778,7 +2805,7 @@ public class ConfigurationUtils { } cs.putString("preop.admincert.serialno.0", impl.getSerialNumber().toString(16)); } - + public static void createPKCS7(X509CertImpl cert) throws IOException { IConfigStore cs = CMS.getConfigStore(); ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem("ca"); @@ -2801,7 +2828,7 @@ public class ConfigurationUtils { String p7Str = CMS.BtoA(p7Bytes); cs.putString("preop.admincert.pkcs7", CryptoUtil.normalizeCertStr(p7Str)); } - + public static void createAdmin(String uid, String email, String name, String pwd) throws IOException, EBaseException { IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); @@ -2887,7 +2914,7 @@ public class ConfigurationUtils { } } } - + public static String submitAdminCertRequest(String ca_hostname, int ca_port, String profileId, String certRequestType, String certRequest, String subjectDN) throws IOException, EBaseException, SAXException, ParserConfigurationException { 
@@ -2925,23 +2952,23 @@ public class ConfigurationUtils { cs.putString("preop.admincert.serialno.0", serial); String b64 = parser.getValue("b64"); - + // save in a file for access by ImportAdminCertPanel String instanceRoot = cs.getString("instanceRoot", ""); String dir = instanceRoot + File.separator + "conf" + File.separator + "admin.b64"; cs.putString("preop.admincert.b64", dir); - + PrintStream ps = new PrintStream(new FileOutputStream(dir)); ps.println(b64); ps.flush(); ps.close(); - + return b64; } else { throw new IOException("submitAdminCertRequest: Failed to get response from ca"); } } - + public static void createSecurityDomain() throws EBaseException, LDAPException, NumberFormatException, IOException, SAXException, ParserConfigurationException { IConfigStore cs = CMS.getConfigStore(); @@ -3007,7 +3034,7 @@ public class ConfigurationUtils { // @SuppressWarnings("unused") // String c = getDomainXML(CMS.getEESSLHost(), Integer.parseInt(CMS.getAdminPort()), true); } - + public static void updateSecurityDomain() throws IOException, SAXException, ParserConfigurationException, EPropertyNotFound, EBaseException { IConfigStore cs = CMS.getConfigStore(); @@ -3050,7 +3077,7 @@ public class ConfigurationUtils { @SuppressWarnings("unused") String c = getDomainXML(sd_host, sd_admin_port, true); } - + public static boolean isSDHostDomainMaster(IConfigStore config) throws EPropertyNotFound, EBaseException, IOException, SAXException, ParserConfigurationException { String dm = "false"; @@ -3080,7 +3107,7 @@ public class ConfigurationUtils { } return dm.equalsIgnoreCase("true"); } - + public static void updateDomainXML(String hostname, int port, boolean https, String servlet, String uri) throws IOException, EBaseException, SAXException, ParserConfigurationException { CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port); 
@@ -3110,7 +3137,7 @@ public class ConfigurationUtils { } } } - + public static void updateConnectorInfo(String ownagenthost, String ownagentsport) throws IOException, EBaseException, SAXException, ParserConfigurationException { IConfigStore cs = CMS.getConfigStore(); @@ -3157,7 +3184,7 @@ public class ConfigurationUtils { } } } - + public static void setupClientAuthUser() throws EBaseException, CertificateException, IOException, SAXException, ParserConfigurationException, LDAPException { IConfigStore cs = CMS.getConfigStore(); @@ -3208,7 +3235,7 @@ public class ConfigurationUtils { } } - + public static String getSubsystemCert(String host, int port, boolean https) throws IOException, SAXException, ParserConfigurationException { CMS.debug("getSubsystemCert() start"); @@ -3227,7 +3254,7 @@ public class ConfigurationUtils { } return null; } - + public static void importCACertToOCSP() throws IOException, EBaseException, CertificateEncodingException { IConfigStore config = CMS.getConfigStore(); @@ -3264,7 +3291,7 @@ public class ConfigurationUtils { CMS.debug("importCACertToOCSP(): Added CA certificate."); } } - + public static void updateOCSPConfig() throws IOException, EBaseException, SAXException, ParserConfigurationException { IConfigStore config = CMS.getConfigStore(); @@ -3282,7 +3309,7 @@ public class ConfigurationUtils { } else { ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); XMLObject parser = new XMLObject(bis); - + String status = parser.getValue("Status"); CMS.debug("WizardPanelBase updateOCSPConfig: status=" + status); @@ -3296,7 +3323,7 @@ public class ConfigurationUtils { } } } - + public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException, NotInitializedException, ObjectNotFoundException, TokenException, IOException { IUGSubsystem system = 
@@ -3347,15 +3374,15 @@ public class ConfigurationUtils { String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes)); return s; } - + public static void updateNextRanges() throws EBaseException, LDAPException { IConfigStore cs = CMS.getConfigStore(); - + String endRequestNumStr = cs.getString("dbs.endRequestNumber", ""); String endSerialNumStr = cs.getString("dbs.endSerialNumber", ""); String type = cs.getString("cs.type"); String basedn = cs.getString("internaldb.basedn"); - + BigInteger endRequestNum = new BigInteger(endRequestNumStr); BigInteger endSerialNum = new BigInteger(endSerialNumStr); BigInteger oneNum = new BigInteger("1"); @@ -3385,10 +3412,10 @@ public class ConfigurationUtils { conn.disconnect(); } - + /** * save variables needed for cloning and remove preops - * @throws EBaseException + * @throws EBaseException */ public static void removePreopConfigEntries() throws EBaseException { IConfigStore cs = CMS.getConfigStore(); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java index 9e430e2fd..7ecbb0c8c 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java 
@@ -93,18 +93,16 @@ public class CreateSubsystemPanel extends WizardPanelBase { Context context) { context.put("title", "Subsystem Type"); IConfigStore config = CMS.getConfigStore(); - String session_id = request.getParameter("session_id"); - if (session_id != null) { - CMS.debug("CreateSubsystemPanel setting session id."); - CMS.setConfigSDSessionId(session_id); - } - String errorString = ""; + try { + String session_id = request.getParameter("session_id"); + if (session_id != null) { + CMS.debug("CreateSubsystemPanel setting session id."); + CMS.setConfigSDSessionId(session_id); + } - if (isPanelDone()) { - try { + if (isPanelDone()) { String s = config.getString("preop.subsystem.select"); - if (s.equals("new")) { context.put("check_newsubsystem", "checked"); context.put("check_clonesubsystem", ""); @@ -112,26 +110,14 @@ public class CreateSubsystemPanel extends WizardPanelBase { context.put("check_newsubsystem", ""); context.put("check_clonesubsystem", "checked"); } - context.put("subsystemName", - config.getString("preop.subsystem.name")); - } catch (Exception e) { - CMS.debug(e.toString()); - } - } else { - context.put("check_newsubsystem", "checked"); - context.put("check_clonesubsystem", ""); - try { - context.put("subsystemName", - config.getString("preop.system.fullname")); - } catch (Exception e) { - CMS.debug(e.toString()); + context.put("subsystemName", config.getString("preop.subsystem.name")); + } else { + context.put("check_newsubsystem", "checked"); + context.put("check_clonesubsystem", ""); + context.put("subsystemName", config.getString("preop.system.fullname")); } - } - - String cstype = ""; - try { - cstype = config.getString("cs.type", ""); + String cstype = config.getString("cs.type", ""); context.put("cstype", cstype); context.put("wizardname", config.getString("preop.wizard.name")); context.put("systemname", config.getString("preop.system.name")); 
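Review bot: In the hunk at @@ -112, `context.put("subsystemName", config.getString("preop.subsystem.name"))` and `config.getString("preop.system.fullname")` are now called without a default value and the per-call try/catch that logged and carried on is gone; judging by the `throws EPropertyNotFound` declared on other `getString` callers in this commit, a missing key will now abort the whole display and land in the method-level catch in the next hunk, where the old code merely logged and still rendered the panel. If that tolerance was intended, `config.getString("preop.subsystem.name", "")` preserves it; if the key is now mandatory, a one-line comment saying so would spare the next reader the same question. The display method's signature begins before this hunk and its body continues past it.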
@@ -141,35 +127,48 @@ public class CreateSubsystemPanel extends WizardPanelBase { context.put("https_agent_port", CMS.getAgentPort()); context.put("https_ee_port", CMS.getEESSLPort()); context.put("https_admin_port", CMS.getAdminPort()); - } catch (EBaseException e) { - } - Vector<String> v = getUrlListFromSecurityDomain(config, cstype, "SecurePort"); + String domainType = config.getString("preop.securitydomain.select"); + Vector<String> v = null; + if (!domainType.equals("new")) { + try { + v = ConfigurationUtils.getUrlListFromSecurityDomain(config, cstype, "SecurePort"); + } catch (Exception e) { + // note: this is OK for a new master ca in a new domain + CMS.debug("Exception thrown when obtaining URL List from security domain:" + e); + e.printStackTrace(); + } + } - StringBuffer list = new StringBuffer(); - int size = v.size(); - for (int i = 0; i < size; i++) { - if (i == size - 1) { - list.append(v.elementAt(i)); - } else { - list.append(v.elementAt(i)); - list.append(","); + if (v == null) { + v = new Vector<String>(); + } + + StringBuffer list = new StringBuffer(); + int size = v.size(); + for (int i = 0; i < size; i++) { + if (i == size - 1) { + list.append(v.elementAt(i)); + } else { + list.append(v.elementAt(i)); + list.append(","); + } } - } - try { config.putString("preop.master.list", list.toString()); config.commit(false); - } catch (Exception e) { - errorString = "Internal error, cs.type is missing from CS.cfg"; - } - if (list.length() == 0) - context.put("disableClone", "true"); + if (list.length() == 0) + context.put("disableClone", "true"); - context.put("panel", "admin/console/config/createsubsystempanel.vm"); - context.put("errorString", errorString); - context.put("urls", v); + context.put("panel", "admin/console/config/createsubsystempanel.vm"); + context.put("urls", v); + context.put("errorString", ""); + } catch (Exception e) { + e.printStackTrace(); + context.put("errorString", e.toString()); + CMS.debug("CreateSubsystemPanel: Exception 
thrown: " + e); + } } /** @@ -186,7 +185,6 @@ public class CreateSubsystemPanel extends WizardPanelBase { public void update(HttpServletRequest request, HttpServletResponse response, Context context) throws IOException { - String errorString = ""; IConfigStore config = CMS.getConfigStore(); String select = HttpInput.getID(request, "choice"); 
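Review bot: When the method-level catch runs, the `panel` entry has not been set, because `context.put("panel", "admin/console/config/createsubsystempanel.vm")` is the last statement of the try block; an exception raised earlier (for instance from `config.commit(false)`) therefore leaves the context with an `errorString` but no template, and moving that `context.put("panel", ...)` to the first line of the try keeps the error visible on the page. The inner catch around `getUrlListFromSecurityDomain` only writes to the debug log, so when the security domain cannot be reached the user sees cloning disabled (`disableClone`) with an empty `errorString` and no explanation — the comment calls this fine for a new domain, but the enclosing `if (!domainType.equals("new"))` already skips that case, so consider reporting the failure in `errorString` as well. Both `e.printStackTrace()` calls go to stderr rather than the CMS debug log used on the adjacent lines, and `context.put("errorString", e.toString())` places the raw exception text in the rendered page. The display method starts before this hunk.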
@@ -196,43 +194,30 @@ public class CreateSubsystemPanel extends WizardPanelBase { throw new IOException("choice not found"); } - config.putString("preop.subsystem.name", - HttpInput.getName(request, "subsystemName")); - if (select.equals("newsubsystem")) { - config.putString("preop.subsystem.select", "new"); - config.putString("subsystem.select", "New"); - } else if (select.equals("clonesubsystem")) { - String cstype = ""; - try { - cstype = config.getString("cs.type", ""); - } catch (Exception e) { - } - - cstype = toLowerCaseSubsystemType(cstype); - - config.putString("preop.subsystem.select", "clone"); - config.putString("subsystem.select", "Clone"); - - String lists = ""; - try { - lists = config.getString("preop.cert.list", ""); - } catch (Exception ee) { - } - - StringTokenizer t = new StringTokenizer(lists, ","); - while (t.hasMoreTokens()) { - String tag = t.nextToken(); - if (tag.equals("sslserver")) - config.putBoolean(PCERT_PREFIX + tag + ".enable", true); - else - config.putBoolean(PCERT_PREFIX + tag + ".enable", false); - } + try { + config.putString("preop.subsystem.name", HttpInput.getName(request, "subsystemName")); + + if (select.equals("newsubsystem")) { + config.putString("preop.subsystem.select", "new"); + config.putString("subsystem.select", "New"); + } else if (select.equals("clonesubsystem")) { + config.putString("preop.subsystem.select", "clone"); + config.putString("subsystem.select", "Clone"); + + String lists = config.getString("preop.cert.list", ""); + StringTokenizer t = new StringTokenizer(lists, ","); + while (t.hasMoreTokens()) { + String tag = t.nextToken(); + if (tag.equals("sslserver")) + config.putBoolean(PCERT_PREFIX + tag + ".enable", true); + else + config.putBoolean(PCERT_PREFIX + tag + ".enable", false); + } - // get the master CA - String index = request.getParameter("urls"); - String url = ""; + // get the master CA + String index = request.getParameter("urls"); + String url = ""; - try { int x = Integer.parseInt(index); 
String list = config.getString("preop.master.list", ""); StringTokenizer tokenizer = new StringTokenizer(list, ","); 
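Review bot: The comment `// get the master CA` is misleading: the `urls` parameter indexes `preop.master.list`, which display() builds from `getUrlListFromSecurityDomain(config, cstype, "SecurePort")` for this subsystem's own type, so the selected entry is the master of whatever this subsystem is, not necessarily a CA; `// resolve the master instance chosen from preop.master.list (index from the "urls" parameter)` describes what the code does. With the old try/catch removed, a missing or non-numeric `urls` parameter now reaches `Integer.parseInt(index)` and only surfaces as the generic IOException built in the method-level catch further down; a dedicated check such as `if (index == null) throw new IOException("urls not found");` next to the existing `choice not found` check would give a clearer message. update() starts before this hunk and continues past it.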
@@ -240,55 +225,45 @@ public class CreateSubsystemPanel extends WizardPanelBase { while (tokenizer.hasMoreTokens()) { url = tokenizer.nextToken(); - if (counter == x) { - break; - } + if (counter == x) break; counter++; } - } catch (Exception e) { - } - url = url.substring(url.indexOf("http")); + url = url.substring(url.indexOf("http")); - URL u = new URL(url); - String host = u.getHost(); - int https_ee_port = u.getPort(); + URL u = new URL(url); + String host = u.getHost(); + int https_ee_port = u.getPort(); - String https_admin_port = getSecurityDomainAdminPort(config, - host, - String.valueOf(https_ee_port), - cstype); + String domainXML = config.getString("preop.domainXML"); - config.putString("preop.master.hostname", host); - config.putInteger("preop.master.httpsport", https_ee_port); - config.putString("preop.master.httpsadminport", https_admin_port); + // check URI and update preop.master port entries + boolean validUri = ConfigurationUtils.isValidCloneURI(domainXML, host, https_ee_port); + if (!validUri) { + throw new IOException("Invalid clone URI provided. 
Does not match the available subsystems in " + + "the security domain"); + } - ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - if (cstype.equals("ca")) { - updateCertChainUsingSecureEEPort(config, "clone", host, https_ee_port, - true, context, certApprovalCallback); + ConfigurationUtils.importCertChain(host, https_ee_port, "/ca/ee/ca/getCertChain", "clone"); + } else { + CMS.debug("CreateSubsystemPanel: invalid choice " + select); + context.put("updateStatus", "failure"); + throw new IOException("invalid choice " + select); } - getTokenInfo(config, cstype, host, https_ee_port, true, context, - certApprovalCallback); - } else { - CMS.debug("CreateSubsystemPanel: invalid choice " + select); - errorString = "Invalid choice"; - context.put("updateStatus", "failure"); - throw new IOException("invalid choice " + select); - } - - try { config.commit(false); - } catch (EBaseException e) { + } catch (Exception e) { + CMS.debug("CreateSubsystemPanel: Exception thrown : " + e); + context.put("errorString", e.toString()); + context.put("updateStatus", "failure"); + throw new IOException(e); } - context.put("errorString", errorString); context.put("updateStatus", "success"); } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java index ed2e4a22c..89f01e01c 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java 
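Review bot: The selected index `x` is never checked against the number of entries in `preop.master.list`: when it is out of range the loop simply leaves `url` at the last token, and for an empty list `url.indexOf("http")` is -1 so `url.substring(-1)` fails with a StringIndexOutOfBoundsException that the method-level catch turns into an opaque IOException. Assuming `counter` starts at 0 as the loop suggests, a guard after the loop such as `if (counter != x || url.isEmpty()) throw new IOException("invalid master selection: " + index);` gives a clear error and avoids the substring on a non-URL before `isValidCloneURI` is even consulted. Separately, the chain import now always fetches `/ca/ee/ca/getCertChain` from the selected master, whereas the removed code only did so when `cstype` was "ca"; if the master of a non-CA clone does not serve that path this will fail, so confirm that an unconditional `ConfigurationUtils.importCertChain(host, https_ee_port, "/ca/ee/ca/getCertChain", "clone")` is intended. update() begins before this hunk.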
@@ -17,50 +17,24 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.BufferedReader; -import java.io.File; -import java.io.FileOutputStream; -import java.io.FileReader; import java.io.IOException; -import java.io.PrintStream; -import java.util.ArrayList; -import java.util.Enumeration; import java.util.Random; -import java.util.StringTokenizer; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPDN; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.ldap.LDAPSearchConstraints; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv3; - import org.apache.velocity.context.Context; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthSubsystem; -import com.netscape.certsrv.authorization.IAuthzSubsystem; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.ca.ICertificateAuthority; -import com.netscape.certsrv.dbs.IDBSubsystem; -import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.property.PropertySet; -import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.util.HttpInput; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.ldap.LDAPUtil; public class DatabasePanel extends WizardPanelBase { 
@@ -115,34 +89,22 @@ public class DatabasePanel extends WizardPanelBase { public PropertySet getUsage() { PropertySet set = new PropertySet(); - Descriptor hostDesc = new Descriptor(IDescriptor.STRING, null, null, - "Host name"); - + Descriptor hostDesc = new Descriptor(IDescriptor.STRING, null, null, "Host name"); set.add("hostname", hostDesc); - Descriptor portDesc = new Descriptor(IDescriptor.INTEGER, null, null, - "Port"); - + Descriptor portDesc = new Descriptor(IDescriptor.INTEGER, null, null, "Port"); set.add("portStr", portDesc); - Descriptor basednDesc = new Descriptor(IDescriptor.STRING, null, null, - "Base DN"); - + Descriptor basednDesc = new Descriptor(IDescriptor.STRING, null, null, "Base DN"); set.add("basedn", basednDesc); - Descriptor binddnDesc = new Descriptor(IDescriptor.STRING, null, null, - "Bind DN"); - + Descriptor binddnDesc = new Descriptor(IDescriptor.STRING, null, null, "Bind DN"); set.add("binddn", binddnDesc); - Descriptor bindpwdDesc = new Descriptor(IDescriptor.PASSWORD, null, null, - "Bind Password"); - + Descriptor bindpwdDesc = new Descriptor(IDescriptor.PASSWORD, null, null, "Bind Password"); set.add("bindpwd", bindpwdDesc); - Descriptor databaseDesc = new Descriptor(IDescriptor.STRING, null, null, - "Database"); - + Descriptor databaseDesc = new Descriptor(IDescriptor.STRING, null, null, "Database"); set.add("database", databaseDesc); return set; 
@@ -408,495 +370,6 @@ public class DatabasePanel extends WizardPanelBase { cs.putString("preop.database.errorString", ""); } - private LDAPConnection getLocalLDAPConn(Context context, String secure) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String host = ""; - String port = ""; - String pwd = ""; - String binddn = ""; - String security = ""; - - try { - host = cs.getString("internaldb.ldapconn.host"); - port = cs.getString("internaldb.ldapconn.port"); - binddn = cs.getString("internaldb.ldapauth.bindDN"); - pwd = (String) context.get("bindpwd"); - security = cs.getString("internaldb.ldapconn.secureConn"); - } catch (Exception e) { - CMS.debug("DatabasePanel populateDB: " + e.toString()); - throw new IOException( - "Failed to retrieve LDAP information from CS.cfg."); - } - - int p = -1; - - try { - p = Integer.parseInt(port); - } catch (Exception e) { - CMS.debug("DatabasePanel populateDB: " + e.toString()); - throw new IOException("Port is not valid"); - } - - LDAPConnection conn = null; - if (security.equals("true")) { - CMS.debug("DatabasePanel populateDB: creating secure (SSL) connection for internal ldap"); - conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - } else { - CMS.debug("DatabasePanel populateDB: creating non-secure (non-SSL) connection for internal ldap"); - conn = new LDAPConnection(); - } - - CMS.debug("DatabasePanel connecting to " + host + ":" + p); - try { - conn.connect(host, p, binddn, pwd); - } catch (LDAPException e) { - CMS.debug("DatabasePanel populateDB: " + e.toString()); - throw new IOException("Failed to connect to the internal database."); - } - - return conn; - } - - private boolean deleteDir(File dir) { - if (dir.isDirectory()) { - String[] children = dir.list(); - for (int i = 0; i < children.length; i++) { - boolean success = deleteDir(new File(dir, children[i])); - if (!success) { - return false; - } - } - } - - // The directory is now empty so delete it - return dir.delete(); - } - - 
private void cleanupDB(LDAPConnection conn, String baseDN, String database) { - String[] entries = {}; - String filter = "objectclass=*"; - LDAPSearchConstraints cons = null; - String[] attrs = null; - String dn = ""; - try { - CMS.debug("Deleting baseDN: " + baseDN); - LDAPSearchResults res = conn.search(baseDN, LDAPConnection.SCOPE_BASE, filter, - attrs, true, cons); - if (res != null) - deleteEntries(res, conn, baseDN, entries); - } catch (LDAPException e) { - } - - try { - dn = "cn=mapping tree, cn=config"; - filter = "nsslapd-backend=" + database; - LDAPSearchResults res = conn.search(dn, LDAPConnection.SCOPE_ONE, filter, - attrs, true, cons); - if (res != null) { - while (res.hasMoreElements()) { - dn = res.next().getDN(); - filter = "objectclass=*"; - LDAPSearchResults res2 = conn.search(dn, LDAPConnection.SCOPE_BASE, filter, - attrs, true, cons); - if (res2 != null) - deleteEntries(res2, conn, dn, entries); - } - } - } catch (LDAPException e) { - } - - try { - dn = "cn=" + database + ",cn=ldbm database, cn=plugins, cn=config"; - LDAPSearchResults res = conn.search(dn, LDAPConnection.SCOPE_BASE, filter, - attrs, true, cons); - if (res != null) { - deleteEntries(res, conn, dn, entries); - String dbdir = getInstanceDir(conn) + "/db/" + database; - if (dbdir != null) { - CMS.debug(" Deleting dbdir " + dbdir); - boolean success = deleteDir(new File(dbdir)); - if (!success) { - CMS.debug("Unable to delete database directory " + dbdir); - } - } - } - } catch (LDAPException e) { - } - } - - private void populateDB(HttpServletRequest request, Context context, String secure) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String baseDN = ""; - String database = ""; - String dn = ""; - - try { - baseDN = cs.getString("internaldb.basedn"); - database = cs.getString("internaldb.database", ""); - } catch (Exception e) { - CMS.debug("DatabasePanel populateDB: " + e.toString()); - throw new IOException( - "Failed to retrieve LDAP information from 
CS.cfg."); - } - - String remove = HttpInput.getID(request, "removeData"); - LDAPConnection conn = getLocalLDAPConn(context, secure); - - // check that the database and baseDN do not exist - - boolean foundBaseDN = false; - boolean foundDatabase = false; - try { - LDAPEntry entry = conn.read(baseDN); - if (entry != null) - foundBaseDN = true; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - break; - default: - CMS.debug("DatabasePanel update: LDAPException " + e.toString()); - throw new IOException("Failed to create the database"); - } - } - - try { - dn = "cn=" + database + ",cn=ldbm database, cn=plugins, cn=config"; - LDAPEntry entry = conn.read(dn); - if (entry != null) - foundDatabase = true; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - break; - default: - CMS.debug("DatabasePanel update: LDAPException " + e.toString()); - throw new IOException("Failed to create the database"); - } - } - try { - dn = "cn=\"" + baseDN + "\",cn=mapping tree, cn=config"; - LDAPEntry entry = conn.read(dn); - if (entry != null) - foundDatabase = true; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - break; - default: - CMS.debug("DatabasePanel update: LDAPException " + e.toString()); - throw new IOException("Failed to create the database"); - } - } - - if (foundDatabase) { - CMS.debug("DatabasePanel update: This database has already been used."); - if (remove == null) { - throw new IOException( - "This database has already been used. 
Select the checkbox below to remove all data and reuse this database"); - } else { - CMS.debug("DatabasePanel update: Deleting existing DB and reusing base DN"); - cleanupDB(conn, baseDN, database); - foundBaseDN = false; - foundDatabase = false; - } - } - - if (foundBaseDN) { - CMS.debug("DatabasePanel update: This base DN has already been used."); - if (remove == null) { - throw new IOException( - "This base DN (" - + baseDN - + ") has already been used. Select the checkbox below to remove all data and reuse this base DN"); - } else { - CMS.debug("DatabasePanel update: Deleting existing DB and reusing base DN"); - cleanupDB(conn, baseDN, database); - foundBaseDN = false; - foundDatabase = false; - } - } - - // create database - try { - LDAPAttributeSet attrs = new LDAPAttributeSet(); - String oc[] = { "top", "extensibleObject", "nsBackendInstance" }; - attrs.add(new LDAPAttribute("objectClass", oc)); - attrs.add(new LDAPAttribute("cn", database)); - attrs.add(new LDAPAttribute("nsslapd-suffix", baseDN)); - dn = "cn=" + database + ",cn=ldbm database, cn=plugins, cn=config"; - LDAPEntry entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Warning: database creation error - " + e.toString()); - throw new IOException("Failed to create the database."); - } - - try { - LDAPAttributeSet attrs = new LDAPAttributeSet(); - String oc2[] = { "top", "extensibleObject", "nsMappingTree" }; - attrs.add(new LDAPAttribute("objectClass", oc2)); - attrs.add(new LDAPAttribute("cn", baseDN)); - attrs.add(new LDAPAttribute("nsslapd-backend", database)); - attrs.add(new LDAPAttribute("nsslapd-state", "Backend")); - dn = "cn=\"" + baseDN + "\",cn=mapping tree, cn=config"; - LDAPEntry entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Warning: database mapping tree creation error - " + e.toString()); - throw new IOException("Failed to create the database."); - } - - try { - // create base dn - 
CMS.debug("Creating base DN: " + baseDN); - String dns3[] = LDAPDN.explodeDN(baseDN, false); - StringTokenizer st = new StringTokenizer(dns3[0], "="); - String n = st.nextToken(); - String v = st.nextToken(); - LDAPAttributeSet attrs = new LDAPAttributeSet(); - String oc3[] = { "top", "domain" }; - if (n.equals("o")) { - oc3[1] = "organization"; - } else if (n.equals("ou")) { - oc3[1] = "organizationalUnit"; - } - attrs.add(new LDAPAttribute("objectClass", oc3)); - attrs.add(new LDAPAttribute(n, v)); - - LDAPEntry entry = new LDAPEntry(baseDN, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Warning: suffix creation error - " + e.toString()); - throw new IOException("Failed to create the base DN: " + baseDN); - } - - // check to see if the base dn exists - CMS.debug("DatabasePanel checking existing " + baseDN); - - try { - LDAPEntry entry = conn.read(baseDN); - - if (entry != null) { - foundBaseDN = true; - } - } catch (LDAPException e) { - } - boolean createBaseDN = true; - - boolean testing = false; - try { - testing = cs.getBoolean("internaldb.multipleSuffix.enable", false); - } catch (Exception e) { - } - - if (!foundBaseDN) { - if (!testing) { - context.put("errorString", - "Base DN was not found. 
Please make sure to create the suffix in the internal database."); - throw new IOException("Base DN not found"); - } - - if (createBaseDN) { - // only auto create if it is an ou entry - String dns1[] = LDAPDN.explodeDN(baseDN, false); - - if (dns1 == null) { - throw new IOException("Invalid base DN"); - } - if (!dns1[0].startsWith("ou")) { - throw new IOException( - "Failed to find base DN, and failed to create non ou entry."); - } - String dns2[] = LDAPDN.explodeDN(baseDN, true); - // support only one level creation - create new entry - // right under the suffix - LDAPAttributeSet attrs = new LDAPAttributeSet(); - String oc[] = { "top", "organizationalUnit" }; - - attrs.add(new LDAPAttribute("objectClass", oc)); - attrs.add(new LDAPAttribute("ou", dns2[0])); - LDAPEntry entry = new LDAPEntry(baseDN, attrs); - - try { - conn.add(entry); - foundBaseDN = true; - CMS.debug("DatabasePanel added " + baseDN); - } catch (LDAPException e) { - throw new IOException("Failed to create " + baseDN); - } - } - } - if (!foundBaseDN) { - throw new IOException("Failed to find base DN"); - } - - String select = ""; - try { - select = cs.getString("preop.subsystem.select", ""); - } catch (Exception e) { - } - - if (select.equals("clone")) { - // if this is clone, add index before replication - // don't put in the schema or bad things will happen - importLDIFS("preop.internaldb.ldif", conn); - importLDIFS("preop.internaldb.index_ldif", conn); - importLDIFS("preop.internaldb.manager_ldif", conn); - } else { - // data will be replicated from the master to the clone - // so clone does not need the data - importLDIFS("preop.internaldb.schema.ldif", conn); - importLDIFS("preop.internaldb.ldif", conn); - importLDIFS("preop.internaldb.data_ldif", conn); - importLDIFS("preop.internaldb.index_ldif", conn); - importLDIFS("preop.internaldb.manager_ldif", conn); - } - - try { - conn.disconnect(); - } catch (LDAPException e) { - } - } - - private void importLDIFS(String param, LDAPConnection conn) 
throws IOException { - IConfigStore cs = CMS.getConfigStore(); - String v = null; - - CMS.debug("DatabasePanel populateDB param=" + param); - try { - v = cs.getString(param); - } catch (EBaseException e) { - CMS.debug("DatabasePanel populateDB: " + e.toString()); - throw new IOException("Cant find ldif files."); - } - - StringTokenizer tokenizer = new StringTokenizer(v, ","); - String baseDN = null; - String database = null; - - try { - baseDN = cs.getString("internaldb.basedn"); - } catch (EBaseException e) { - throw new IOException("internaldb.basedn is missing."); - } - - try { - database = cs.getString("internaldb.database"); - CMS.debug("DatabasePanel update: database=" + database); - } catch (EBaseException e) { - CMS.debug( - "DatabasePanel update: Failed to get database name. Exception: " - + e.toString()); - database = "userRoot"; - } - - String instancePath = null; - - try { - instancePath = cs.getString("instanceRoot"); - } catch (EBaseException e) { - throw new IOException("instanceRoot is missing"); - } - - String instanceId = null; - - try { - instanceId = cs.getString("instanceId"); - } catch (EBaseException e) { - throw new IOException("instanceId is missing"); - } - - String dbuser = null; - try { - dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" - + cs.getString("service.securePort") + ",ou=people," + baseDN; - } catch (EBaseException e) { - CMS.debug("Unable to construct dbuser" + e.toString()); - e.printStackTrace(); - throw new IOException("unable to construct dbuser"); - } - - String configDir = instancePath + File.separator + "conf"; - - while (tokenizer.hasMoreTokens()) { - String token = tokenizer.nextToken().trim(); - int index = token.lastIndexOf("/"); - String name = token; - - if (index != -1) { - name = token.substring(index + 1); - } - - CMS.debug("DatabasePanel importLDIFS: ldif file = " + token); - String filename = configDir + File.separator + name; - - CMS.debug("DatabasePanel importLDIFS: ldif 
file copy to " + filename); - PrintStream ps = null; - BufferedReader in = null; - - try { - in = new BufferedReader(new FileReader(token)); - ps = new PrintStream(new FileOutputStream(filename, false)); - while (in.ready()) { - String s = in.readLine(); - int n = s.indexOf("{"); - - if (n == -1) { - ps.println(s); - } else { - boolean endOfline = false; - - while (n != -1) { - ps.print(s.substring(0, n)); - int n1 = s.indexOf("}"); - String tok = s.substring(n + 1, n1); - - if (tok.equals("instanceId")) { - ps.print(instanceId); - } else if (tok.equals("rootSuffix")) { - ps.print(baseDN); - } else if (tok.equals("database")) { - ps.print(database); - } else if (tok.equals("dbuser")) { - ps.print(dbuser); - } - if ((s.length() + 1) == n1) { - endOfline = true; - break; - } - s = s.substring(n1 + 1); - n = s.indexOf("{"); - } - - if (!endOfline) { - ps.println(s); - } - } - } - in.close(); - ps.close(); - } catch (Exception e) { - CMS.debug("DBSubsystem popuateDB: " + e.toString()); - throw new IOException( - "Problem of copying ldif file: " + filename); - } - ArrayList<String> errors = new ArrayList<String>(); - LDAPUtil.importLDIF(conn, filename, errors); - if (! errors.isEmpty()) { - CMS.debug("DatabasePanel: importLDIFS: LDAP Errors in importing " + filename); - for (String error: errors) { - CMS.debug(error); - } - } - } - } - - /** * Commit parameter changes */ @@ -904,7 +377,6 @@ public class DatabasePanel extends WizardPanelBase { HttpServletResponse response, Context context) throws IOException { IConfigStore cs = CMS.getConfigStore(); - boolean hasErr = false; context.put("firsttime", "false"); try { 
@@ -918,12 +390,16 @@ public class DatabasePanel extends WizardPanelBase { String portStr1 = ""; String database1 = ""; String masterPortStr = ""; + String csType = ""; + String select = ""; try { hostname1 = cs.getString("internaldb.ldapconn.host", ""); portStr1 = cs.getString("internaldb.ldapconn.port", ""); database1 = cs.getString("internaldb.database", ""); masterPortStr = cs.getString("preop.internaldb.master.ldapconn.port", "0"); + csType = cs.getString("cs.type"); + select = cs.getString("preop.subsystem.select", ""); } catch (Exception e) { } @@ -952,11 +428,9 @@ public class DatabasePanel extends WizardPanelBase { cs.putString("internaldb.ldapauth.bindDN", binddn); cs.putString("internaldb.ldapconn.secureConn", (secure.equals("on") ? "true" : "false")); - int masterReplicationPort = 0; if ((masterReplicationPortStr == null) || (masterReplicationPortStr.length() == 0)) { masterReplicationPortStr = masterPortStr; } - masterReplicationPort = Integer.parseInt(masterReplicationPortStr); cs.putString("internaldb.ldapconn.masterReplicationPort", masterReplicationPortStr); int cloneReplicationPort = 0; @@ -976,6 +450,9 @@ public class DatabasePanel extends WizardPanelBase { cs.putString("internaldb.ldapconn.replicationSecurity", replicationSecurity); String remove = HttpInput.getID(request, "removeData"); + cs.putString("preop.database.removeData", ((remove != null) && (!remove.equals(""))) ? + "true" : "false"); + if (isPanelDone() && (remove == null || remove.equals(""))) { /* if user submits the same data, they just want to skip to the next panel, no database population is required. */ 
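Review bot: The new `csType = cs.getString("cs.type");` line sits inside a try whose existing catch is empty, so a missing `cs.type` leaves csType as "" and, because that line precedes the new `select = ...` read, also leaves select as "", which silently skips the clone replication path and hands an empty type to `ConfigurationUtils.reInitSubsystem(csType)` in the `@@ -990` hunk. Read it with the defaulting overload and fail fast, e.g. `csType = cs.getString("cs.type", ""); if (csType.isEmpty()) { context.put("updateStatus", "failure"); throw new IOException("cs.type is not configured"); }`, or at minimum log the caught exception rather than discarding it. The enclosing method begins before this hunk.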
@@ -990,283 +467,47 @@ public class DatabasePanel extends WizardPanelBase { mServlet.cleanUpFromPanel(mServlet.getPanelNo(request)); try { - populateDB(request, context, (secure.equals("on") ? "true" : "false")); - } catch (IOException e) { - CMS.debug("DatabasePanel update: populateDB Exception: " + e.toString()); - context.put("updateStatus", "failure"); - throw e; - } catch (Exception e) { - CMS.debug("DatabasePanel update: populateDB Exception: " + e.toString()); - context.put("errorString", e.toString()); - cs.putString("preop.database.errorString", e.toString()); - context.put("updateStatus", "failure"); - throw new IOException(e.toString()); - } - - String bindpwd = HttpInput.getPassword(request, "__bindpwd"); - - /* BZ 430745 create password for replication manager */ - String replicationpwd = Integer.toString(new Random().nextInt()); + /* BZ 430745 create password for replication manager */ + String replicationpwd = Integer.toString(new Random().nextInt()); - IConfigStore psStore = null; - String passwordFile = null; - - try { + IConfigStore psStore = null; + String passwordFile = null; passwordFile = cs.getString("passwordFile"); psStore = CMS.createFileConfigStore(passwordFile); - } catch (Exception e) { - CMS.debug("ConfigDatabaseServlet update: " + e.toString()); - context.put("updateStatus", "failure"); - throw new IOException(e.toString()); - } - psStore.putString("internaldb", bindpwd); - psStore.putString("replicationdb", replicationpwd); - cs.putString("preop.internaldb.replicationpwd", replicationpwd); - cs.putString("preop.database.removeData", "false"); - - try { - cs.commit(false); + psStore.putString("internaldb", HttpInput.getPassword(request, "__bindpwd")); + psStore.putString("replicationdb", replicationpwd); psStore.commit(false); - CMS.reinit(IDBSubsystem.SUB_ID); - String type = cs.getString("cs.type", ""); - if (type.equals("CA")) - CMS.reinit(ICertificateAuthority.ID); - CMS.reinit(IAuthSubsystem.ID); - CMS.reinit(IAuthzSubsystem.ID); 
- CMS.reinit(IUGSubsystem.ID); - } catch (Exception e) { - CMS.debug("DatabasePanel update: " + e.toString()); - context.put("errorString", e.toString()); - cs.putString("preop.database.errorString", e.toString()); - context.put("updateStatus", "failure"); - throw new IOException(e.toString()); - } - String select = ""; - try { - select = cs.getString("preop.subsystem.select", ""); - } catch (Exception e) { - } + ConfigurationUtils.populateDB(); - // always populate the index the last - try { - CMS.debug("Populating local indexes"); - LDAPConnection conn = getLocalLDAPConn(context, - (secure.equals("on") ? "true" : "false")); - importLDIFS("preop.internaldb.post_ldif", conn); - - /* For vlvtask, we need to check if the task has - been completed or not. Presence of nsTaskExitCode means task is complete - */ - String wait_dn = cs.getString("preop.internaldb.wait_dn", ""); - if (!wait_dn.equals("")) { - int i = 0; - LDAPEntry task = null; - boolean taskComplete = false; - CMS.debug("Checking wait_dn " + wait_dn); - do { - Thread.sleep(1000); - try { - task = conn.read(wait_dn, (String[]) null); - if (task != null) { - LDAPAttribute attr = task.getAttribute("nsTaskExitCode"); - if (attr != null) { - taskComplete = true; - String val = (String) attr.getStringValues().nextElement(); - if (val.compareTo("0") != 0) { - CMS.debug("Error in populating local indexes: nsTaskExitCode=" + val); - } - } - } - } catch (LDAPException le) { - CMS.debug("Still checking wait_dn '" + wait_dn + "' (" + le.toString() + ")"); - } catch (Exception e) { - CMS.debug("Still checking wait_dn '" + wait_dn + "' (" + e.toString() + ")."); - } - } while ((!taskComplete) && (i < 20)); - if (i < 20) { - CMS.debug("Done checking wait_dn " + wait_dn); - } else { - CMS.debug("Done checking wait_dn " + wait_dn + " due to timeout."); - } - } + cs.putString("preop.internaldb.replicationpwd", replicationpwd); + cs.putString("preop.database.removeData", "false"); - conn.disconnect(); - CMS.debug("Done 
populating local indexes"); - } catch (Exception e) { - CMS.debug("Populating index failure - " + e); - } - - // setup replication after indexes have been created - if (select.equals("clone")) { - CMS.debug("Start setting up replication."); - setupReplication(request, context, (secure.equals("on") ? "true" : "false"), - replicationSecurity, masterReplicationPort, cloneReplicationPort); - CMS.debug("Finish setting up replication."); + ConfigurationUtils.reInitSubsystem(csType); + ConfigurationUtils.populateIndexes(); - try { - CMS.reinit(IDBSubsystem.SUB_ID); - String type = cs.getString("cs.type", ""); - if (type.equals("CA")) - CMS.reinit(ICertificateAuthority.ID); - CMS.reinit(IAuthSubsystem.ID); - CMS.reinit(IAuthzSubsystem.ID); - CMS.reinit(IUGSubsystem.ID); - } catch (Exception e) { + if (select.equals("clone")) { + CMS.debug("Start setting up replication."); + ConfigurationUtils.setupReplication(); + ConfigurationUtils.reInitSubsystem(csType); } - } - if (hasErr == false) { cs.putBoolean("preop.Database.done", true); - try { - cs.commit(false); - } catch (EBaseException e) { - CMS.debug( - "DatabasePanel: update() Exception caught at config commit: " - + e.toString()); - } - } - context.put("updateStatus", "success"); - } - - private void setupReplication(HttpServletRequest request, - Context context, String secure, String replicationSecurity, - int masterReplicationPort, int cloneReplicationPort) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String cstype = ""; - String machinename = ""; - String instanceId = ""; - try { - cstype = cs.getString("cs.type"); - cstype = toLowerCaseSubsystemType(cstype); - machinename = cs.getString("machineName", ""); - instanceId = cs.getString("instanceId", ""); - } catch (Exception e) { - } - - //setup replication agreement - String masterAgreementName = "masterAgreement1-" + machinename + "-" + instanceId; - cs.putString("internaldb.replication.master", masterAgreementName); - String 
cloneAgreementName = "cloneAgreement1-" + machinename + "-" + instanceId; - cs.putString("internaldb.replication.consumer", cloneAgreementName); - - try { cs.commit(false); } catch (Exception e) { - } - - // get connection to master - LDAPConnection masterConn = null; - ILdapConnFactory masterFactory = null; - try { - IConfigStore masterCfg = cs.getSubStore("preop.internaldb.master"); - masterFactory = CMS.getLdapBoundConnFactory(); - masterFactory.init(masterCfg); - masterConn = masterFactory.getConn(); - } catch (Exception e) { - CMS.debug("Failed to set up connection to master:" + e.toString()); - e.printStackTrace(); - throw new IOException("Failed to set up replication: No connection to master"); - } - - // get connection to replica - LDAPConnection replicaConn = null; - ILdapConnFactory replicaFactory = null; - try { - IConfigStore replicaCfg = cs.getSubStore("internaldb"); - replicaFactory = CMS.getLdapBoundConnFactory(); - replicaFactory.init(replicaCfg); - replicaConn = replicaFactory.getConn(); - } catch (Exception e) { - CMS.debug("Failed to set up connection to replica:" + e.toString()); e.printStackTrace(); - throw new IOException("Failed to set up replication: No connection to replica"); - } - - String master_hostname = ""; - String master_replicationpwd = ""; - String replica_hostname = ""; - String replica_replicationpwd = ""; - - try { - master_hostname = cs.getString("preop.internaldb.master.ldapconn.host", ""); - master_replicationpwd = cs.getString("preop.internaldb.master.replication.password", ""); - replica_hostname = cs.getString("internaldb.ldapconn.host", ""); - replica_replicationpwd = cs.getString("preop.internaldb.replicationpwd", ""); - } catch (Exception e) { - } - - String basedn = ""; - try { - basedn = cs.getString("internaldb.basedn"); - } catch (Exception e) { + CMS.debug("DatabasePanel update: error in populating database " + e.toString()); + context.put("errorString", e.toString()); + cs.putString("preop.database.errorString", 
e.toString()); + context.put("updateStatus", "failure"); + throw new IOException(e.toString()); } - try { - String suffix = cs.getString("internaldb.basedn", ""); - - String replicadn = "cn=replica,cn=\"" + suffix + "\",cn=mapping tree,cn=config"; - CMS.debug("DatabasePanel setupReplication: replicadn=" + replicadn); - - String masterBindUser = "Replication Manager " + masterAgreementName; - String cloneBindUser = "Replication Manager " + cloneAgreementName; - - createReplicationManager(masterConn, masterBindUser, master_replicationpwd); - createReplicationManager(replicaConn, cloneBindUser, replica_replicationpwd); - - String dir1 = getInstanceDir(masterConn); - createChangeLog(masterConn, dir1 + "/changelogs"); - - String dir2 = getInstanceDir(replicaConn); - createChangeLog(replicaConn, dir2 + "/changelogs"); - - int replicaId = cs.getInteger("dbs.beginReplicaNumber", 1); - - replicaId = enableReplication(replicadn, masterConn, masterBindUser, basedn, replicaId); - replicaId = enableReplication(replicadn, replicaConn, cloneBindUser, basedn, replicaId); - cs.putString("dbs.beginReplicaNumber", Integer.toString(replicaId)); - - CMS.debug("DatabasePanel setupReplication: Finished enabling replication"); - - createReplicationAgreement(replicadn, masterConn, masterAgreementName, - replica_hostname, cloneReplicationPort, replica_replicationpwd, basedn, - cloneBindUser, secure, replicationSecurity); - - createReplicationAgreement(replicadn, replicaConn, cloneAgreementName, - master_hostname, masterReplicationPort, master_replicationpwd, basedn, - masterBindUser, secure, replicationSecurity); - - // initialize consumer - initializeConsumer(replicadn, masterConn, masterAgreementName); - - while (!replicationDone(replicadn, masterConn, masterAgreementName)) { - CMS.debug("DatabasePanel setupReplication: Waiting for replication to complete"); - Thread.sleep(1000); - } - - String status = replicationStatus(replicadn, masterConn, masterAgreementName); - if 
(!status.startsWith("0 ")) { - CMS.debug("DatabasePanel setupReplication: consumer initialization failed. " + - status); - throw new IOException("consumer initialization failed. " + status); - } - - // remove master ldap password from password.conf (if present) - String passwordFile = cs.getString("passwordFile"); - IConfigStore psStore = CMS.createFileConfigStore(passwordFile); - psStore.remove("master_internaldb"); - psStore.commit(false); - - } catch (Exception e) { - CMS.debug("DatabasePanel setupReplication: " + e.toString()); - throw new IOException("Failed to setup the replication for cloning."); - } + context.put("updateStatus", "success"); } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, 
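Review bot: The replication manager password is re-added in this hunk as `Integer.toString(new Random().nextInt())`, which is a non-cryptographic PRNG producing at most about 31 bits of entropy for a credential that the same hunk writes to the password file (`psStore.putString("replicationdb", replicationpwd)`) and that is presumably consumed by `ConfigurationUtils.setupReplication()`. Generate it from `java.security.SecureRandom` instead, e.g. `String replicationpwd = new BigInteger(130, new SecureRandom()).toString(32);` (requires `java.math.BigInteger` and `java.security.SecureRandom` imports in place of the `java.util.Random` import the `@@ -17` hunk keeps). The new catch block rethrows as `throw new IOException(e.toString())`, dropping the cause and stack trace; `throw new IOException(e)` as the CreateSubsystemPanel hunk already does preserves it. I also do not see a `cs.commit(false)` surviving on the new side after `cs.putBoolean("preop.Database.done", true)`, so unless the ConfigurationUtils calls commit the store, the done flag and `preop.internaldb.replicationpwd` are left uncommitted — worth confirming. The enclosing update() method starts before this hunk.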
@@ -1280,312 +521,4 @@ public class DatabasePanel extends WizardPanelBase { context.put("panel", "admin/console/config/databasepanel.vm"); } - private void createReplicationManager(LDAPConnection conn, String bindUser, String pwd) - throws LDAPException { - LDAPAttributeSet attrs = null; - LDAPEntry entry = null; - String dn = "cn=" + bindUser + ",ou=csusers,cn=config"; - try { - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "person")); - attrs.add(new LDAPAttribute("userpassword", pwd)); - attrs.add(new LDAPAttribute("cn", bindUser)); - attrs.add(new LDAPAttribute("sn", "manager")); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (LDAPException e) { - if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - CMS.debug("DatabasePanel createReplicationManager: Replication Manager has already used"); - try { - conn.delete(dn); - conn.add(entry); - } catch (LDAPException ee) { - CMS.debug("DatabasePanel createReplicationManager: " + ee.toString()); - } - return; - } else { - CMS.debug("DatabasePanel createReplicationManager: Failed to create replication manager. 
Exception: " - + e.toString()); - throw e; - } - } - - CMS.debug("DatabasePanel createReplicationManager: Successfully created Replication Manager"); - } - - private void createChangeLog(LDAPConnection conn, String dir) - throws LDAPException { - LDAPAttributeSet attrs = null; - LDAPEntry entry = null; - String dn = "cn=changelog5,cn=config"; - try { - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "extensibleObject")); - attrs.add(new LDAPAttribute("cn", "changelog5")); - attrs.add(new LDAPAttribute("nsslapd-changelogdir", dir)); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (LDAPException e) { - if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - CMS.debug("DatabasePanel createChangeLog: Changelog entry has already used"); - /* leave it, dont delete it because it will have operation error - try { - conn.delete(dn); - conn.add(entry); - } catch (LDAPException ee) { - CMS.debug("DatabasePanel createChangeLog: "+ee.toString()); - } - */ - return; - } else { - CMS.debug("DatabasePanel createChangeLog: Failed to create changelog entry. 
Exception: " + e.toString()); - throw e; - } - } - - CMS.debug("DatabasePanel createChangeLog: Successfully create change log entry"); - } - - private int enableReplication(String replicadn, LDAPConnection conn, String bindUser, String basedn, int id) - throws LDAPException { - CMS.debug("DatabasePanel enableReplication: replicadn: " + replicadn); - LDAPAttributeSet attrs = null; - LDAPEntry entry = null; - try { - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "nsDS5Replica")); - attrs.add(new LDAPAttribute("objectclass", "extensibleobject")); - attrs.add(new LDAPAttribute("nsDS5ReplicaRoot", basedn)); - attrs.add(new LDAPAttribute("nsDS5ReplicaType", "3")); - attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN", - "cn=" + bindUser + ",ou=csusers,cn=config")); - attrs.add(new LDAPAttribute("cn", "replica")); - attrs.add(new LDAPAttribute("nsDS5ReplicaId", Integer.toString(id))); - attrs.add(new LDAPAttribute("nsds5flags", "1")); - entry = new LDAPEntry(replicadn, attrs); - conn.add(entry); - } catch (LDAPException e) { - if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - /* BZ 470918 -we cant just add the new dn. We need to do a replace instead - * until the DS code is fixed */ - CMS.debug("DatabasePanel enableReplication: " + replicadn + " has already been used"); - - try { - entry = conn.read(replicadn); - LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN"); - attr.addValue("cn=" + bindUser + ",ou=csusers,cn=config"); - LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr); - conn.modify(replicadn, mod); - } catch (LDAPException ee) { - CMS.debug("DatabasePanel enableReplication: Failed to modify " - + replicadn + " entry. Exception: " + e.toString()); - } - return id; - } else { - CMS.debug("DatabasePanel enableReplication: Failed to create " - + replicadn + " entry. 
Exception: " + e.toString()); - return id; - } - } - - CMS.debug("DatabasePanel enableReplication: Successfully create " + replicadn + " entry."); - return id + 1; - } - - private void createReplicationAgreement(String replicadn, - LDAPConnection conn, String name, String replicahost, int replicaport, - String replicapwd, String basedn, String bindUser, String secure, String replicationSecurity) - throws LDAPException { - String dn = "cn=" + name + "," + replicadn; - CMS.debug("DatabasePanel createReplicationAgreement: dn: " + dn); - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - try { - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", - "nsds5replicationagreement")); - attrs.add(new LDAPAttribute("cn", name)); - attrs.add(new LDAPAttribute("nsDS5ReplicaRoot", basedn)); - attrs.add(new LDAPAttribute("nsDS5ReplicaHost", replicahost)); - - attrs.add(new LDAPAttribute("nsDS5ReplicaPort", "" + replicaport)); - attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN", - "cn=" + bindUser + ",ou=csusers,cn=config")); - attrs.add(new LDAPAttribute("nsDS5ReplicaBindMethod", "Simple")); - attrs.add(new LDAPAttribute("nsds5replicacredentials", replicapwd)); - - if (replicationSecurity.equals("SSL")) { - attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "SSL")); - } else if (replicationSecurity.equals("TLS")) { - attrs.add(new LDAPAttribute("nsDS5ReplicaTransportInfo", "TLS")); - } - - CMS.debug("About to set description attr to " + name); - attrs.add(new LDAPAttribute("description", name)); - - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (LDAPException e) { - if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - CMS.debug("DatabasePanel createReplicationAgreement: " + dn + " has already used"); - try { - conn.delete(dn); - } catch (LDAPException ee) { - CMS.debug("DatabasePanel createReplicationAgreement: " + ee.toString()); - throw ee; - } - - try { 
- conn.add(entry); - } catch (LDAPException ee) { - CMS.debug("DatabasePanel createReplicationAgreement: " + ee.toString()); - throw ee; - } - } else { - CMS.debug("DatabasePanel createReplicationAgreement: Failed to create " - + dn + " entry. Exception: " + e.toString()); - throw e; - } - } - - CMS.debug("DatabasePanel createReplicationAgreement: Successfully create replication agreement " + name); - } - - private void initializeConsumer(String replicadn, LDAPConnection conn, - String name) { - String dn = "cn=" + name + "," + replicadn; - CMS.debug("DatabasePanel initializeConsumer: initializeConsumer dn: " + dn); - CMS.debug("DatabasePanel initializeConsumer: initializeConsumer host: " - + conn.getHost() + " port: " + conn.getPort()); - try { - LDAPAttribute attr = new LDAPAttribute("nsds5beginreplicarefresh", - "start"); - LDAPModification mod = new LDAPModification( - LDAPModification.REPLACE, attr); - CMS.debug("DatabasePanel initializeConsumer: start modifying"); - conn.modify(dn, mod); - CMS.debug("DatabasePanel initializeConsumer: Finish modification."); - } catch (LDAPException e) { - CMS.debug("DatabasePanel initializeConsumer: Failed to modify " + dn + " entry. 
Exception: " + e.toString()); - return; - } catch (Exception e) { - CMS.debug("DatabasePanel initializeConsumer: exception " + e); - } - - try { - CMS.debug("DatabasePanel initializeConsumer: thread sleeping for 5 seconds."); - Thread.sleep(5000); - CMS.debug("DatabasePanel initializeConsumer: finish sleeping."); - } catch (InterruptedException ee) { - CMS.debug("DatabasePanel initializeConsumer: exception: " + ee.toString()); - } - - CMS.debug("DatabasePanel initializeConsumer: Successfully initialize consumer"); - } - - private boolean replicationDone(String replicadn, LDAPConnection conn, String name) - throws IOException { - String dn = "cn=" + name + "," + replicadn; - String filter = "(objectclass=*)"; - String[] attrs = { "nsds5beginreplicarefresh" }; - - CMS.debug("DatabasePanel replicationDone: dn: " + dn); - try { - LDAPSearchResults results = conn.search(dn, LDAPConnection.SCOPE_BASE, filter, - attrs, true); - - int count = results.getCount(); - if (count < 1) { - throw new IOException("Replication entry not found"); - } - - LDAPEntry entry = results.next(); - LDAPAttribute refresh = entry.getAttribute("nsds5beginreplicarefresh"); - if (refresh == null) { - return true; - } - return false; - } catch (Exception e) { - CMS.debug("DatabasePanel replicationDone: exception " + e); - throw new IOException("Exception in replicationDone: " + e); - } - } - - private String replicationStatus(String replicadn, LDAPConnection conn, String name) - throws IOException { - String dn = "cn=" + name + "," + replicadn; - String filter = "(objectclass=*)"; - String[] attrs = { "nsds5replicalastinitstatus" }; - - CMS.debug("DatabasePanel replicationStatus: dn: " + dn); - try { - LDAPSearchResults results = conn.search(dn, LDAPConnection.SCOPE_BASE, filter, - attrs, false); - - int count = results.getCount(); - if (count < 1) { - throw new IOException("Replication entry not found"); - } - - LDAPEntry entry = results.next(); - LDAPAttribute attr = 
entry.getAttribute("nsds5replicalastinitstatus"); - if (attr != null) { - @SuppressWarnings("unchecked") - Enumeration<String> valsInAttr = attr.getStringValues(); - if (valsInAttr.hasMoreElements()) { - return valsInAttr.nextElement(); - } else { - throw new IOException("No value returned for nsds5replicalastinitstatus"); - } - } else { - throw new IOException("nsDS5ReplicaLastInitStatus is null."); - } - } catch (Exception e) { - CMS.debug("DatabasePanel replicationStatus: exception " + e); - throw new IOException("Exception in replicationStatus: " + e); - } - } - - private String getInstanceDir(LDAPConnection conn) { - String instancedir = ""; - try { - String filter = "(objectclass=*)"; - String[] attrs = { "nsslapd-directory" }; - LDAPSearchResults results = - conn.search("cn=config,cn=ldbm database,cn=plugins,cn=config", LDAPv3.SCOPE_SUB, - filter, attrs, false); - - while (results.hasMoreElements()) { - LDAPEntry entry = results.next(); - String dn = entry.getDN(); - CMS.debug("DatabasePanel getInstanceDir: DN for storing nsslapd-directory: " + dn); - LDAPAttributeSet entryAttrs = entry.getAttributeSet(); - @SuppressWarnings("unchecked") - Enumeration<LDAPAttribute> attrsInSet = entryAttrs.getAttributes(); - while (attrsInSet.hasMoreElements()) { - LDAPAttribute nextAttr = attrsInSet.nextElement(); - String attrName = nextAttr.getName(); - CMS.debug("DatabasePanel getInstanceDir: attribute name: " + attrName); - @SuppressWarnings("unchecked") - Enumeration<String> valsInAttr = nextAttr.getStringValues(); - while (valsInAttr.hasMoreElements()) { - String nextValue = valsInAttr.nextElement(); - if (attrName.equalsIgnoreCase("nsslapd-directory")) { - CMS.debug("DatabasePanel getInstanceDir: instanceDir=" + nextValue); - return nextValue.substring(0, nextValue.lastIndexOf("/db")); - } - } - } - } - } catch (LDAPException e) { - CMS.debug("DatabasePanel getInstanceDir: Error in retrieving the instance directory. 
Exception: "
- + e.toString());
- }
-
- return instancedir;
- }
 }
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
index 19edff7ba..702c5aa92 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
@@ -115,59 +115,51 @@ public class DisplayCertChainPanel extends WizardPanelBase { public void display(HttpServletRequest request, HttpServletResponse response, Context context) { - CMS.debug("DisplayCertChainPanel: display"); - - // update session id - String session_id = request.getParameter("session_id"); - if (session_id != null) { - CMS.debug("DisplayCertChainPanel setting session id."); - CMS.setConfigSDSessionId(session_id); - } - - String type = getId(); - - IConfigStore cs = CMS.getConfigStore(); - String certChainConfigName = "preop." + type + ".certchain.size"; - String certchain_size = ""; - try { - certchain_size = cs.getString(certChainConfigName, ""); - } catch (Exception e) { - } + CMS.debug("DisplayCertChainPanel: display"); - int size = 0; - Vector<String> v = new Vector<String>(); + // update session id + String session_id = request.getParameter("session_id"); + if (session_id != null) { + CMS.debug("DisplayCertChainPanel setting session id."); + CMS.setConfigSDSessionId(session_id); + } - if (!certchain_size.equals("")) { - try { + String type = getId(); + IConfigStore cs = CMS.getConfigStore(); + String certChainConfigName = "preop." + type + ".certchain.size"; + String certchain_size = cs.getString(certChainConfigName, ""); + int size = 0; + Vector<String> v = new Vector<String>(); + + if (!certchain_size.equals("")) { size = Integer.parseInt(certchain_size); - } catch (Exception e) { - } - for (int i = 0; i < size; i++) { - certChainConfigName = "preop." + type + ".certchain." + i; - try { + for (int i = 0; i < size; i++) { + certChainConfigName = "preop." + type + ".certchain." 
+ i; String c = cs.getString(certChainConfigName, ""); byte[] b_c = CryptoUtil.base64Decode(c); - CertPrettyPrint pp = new CertPrettyPrint( - new X509CertImpl(b_c)); + CertPrettyPrint pp = new CertPrettyPrint(new X509CertImpl(b_c)); v.addElement(pp.toString(Locale.getDefault())); - } catch (Exception e) { } } - } - if (getId().equals("securitydomain")) { - context.put("panelid", "securitydomain"); - context.put("panelname", "Security Domain Trust Verification"); - } else { - context.put("panelid", "other"); - context.put("panelname", "Subsystem Trust Verification"); + if (getId().equals("securitydomain")) { + context.put("panelid", "securitydomain"); + context.put("panelname", "Security Domain Trust Verification"); + } else { + context.put("panelid", "other"); + context.put("panelname", "Subsystem Trust Verification"); + } + context.put("title", "Display Certificate Chain"); + context.put("panel", "admin/console/config/displaycertchainpanel.vm"); + context.put("errorString", ""); + context.put("certchain", v); + } catch (Exception e) { + CMS.debug("DisplayCertPanel: Exception thrown: " + e.toString()); + e.printStackTrace(); + context.put("errorString", e.toString()); } - context.put("title", "Display Certificate Chain"); - context.put("panel", "admin/console/config/displaycertchainpanel.vm"); - context.put("errorString", ""); - context.put("certchain", v); } /** @@ -184,7 +176,6 @@ public class DisplayCertChainPanel extends WizardPanelBase { public void update(HttpServletRequest request, HttpServletResponse response, Context context) throws IOException { - importCertChain(getId()); if (getId().equals("securitydomain")) { int panel = getPanelNo() + 1; 
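Review bot: The new `catch (Exception e)` at the end of display() sets only `errorString`, while `title`, `panel` and `certchain` are put inside the try after the decode loop, so one chain element that fails `Integer.parseInt`, `CryptoUtil.base64Decode` or `new X509CertImpl` now leaves the context without a panel template, whereas the removed per-element catch skipped the bad entry and still rendered the page. Moving `context.put("title", "Display Certificate Chain");` and `context.put("panel", "admin/console/config/displaycertchainpanel.vm");` ahead of the try keeps the error visible on the trust-verification page instead of producing an unrendered response. The `try {` this catch closes is not an added line in the hunk, so I assume it opens at the top of the method; the `e.printStackTrace()` next to the `CMS.debug` call is also worth dropping in favour of the logger. The same catch shape is repeated in the update() hunk below.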
@@ -195,35 +186,34 @@ public class DisplayCertChainPanel extends WizardPanelBase { String cs_hostname = cs.getString("machineName", ""); int cs_port = cs.getInteger("pkicreate.admin_secure_port", -1); String subsystem = cs.getString("cs.type", ""); - String urlVal = - "https://" - + cs_hostname + ":" + cs_port + "/" + toLowerCaseSubsystemType(subsystem) - + "/admin/console/config/wizard?p=" + panel + "&subsystem=" + subsystem; + String urlVal = "https://" + cs_hostname + ":" + cs_port + "/" + subsystem.toLowerCase() + + "/admin/console/config/wizard?p=" + panel + "&subsystem=" + subsystem; String encodedValue = URLEncoder.encode(urlVal, "UTF-8"); - String sdurl = - "https://" - + sd_hostname + ":" + sd_port + "/ca/admin/ca/securityDomainLogin?url=" + encodedValue; + String sdurl = "https://" + sd_hostname + ":" + sd_port + "/ca/admin/ca/securityDomainLogin?url=" + + encodedValue; response.sendRedirect(sdurl); // The user previously specified the CA Security Domain's // SSL Admin port in the "Security Domain Panel"; // now retrieve this specified CA Security Domain's // non-SSL EE, SSL Agent, and SSL EE ports: - cs.putString("securitydomain.httpport", - getSecurityDomainPort(cs, "UnSecurePort")); - cs.putString("securitydomain.httpsagentport", - getSecurityDomainPort(cs, "SecureAgentPort")); - cs.putString("securitydomain.httpseeport", - getSecurityDomainPort(cs, "SecurePort")); - } catch (Exception ee) { - CMS.debug("DisplayCertChainPanel Exception=" + ee.toString()); + String domainXML = ConfigurationUtils.getDomainXML(sd_hostname, sd_port, true); + ConfigurationUtils.getSecurityDomainPorts(domainXML, sd_hostname, sd_port); + cs.putString("preop.domainXML", domainXML); + cs.commit(false); + } catch (Exception e) { + CMS.debug("DisplayCertChainPanel Exception=" + e.toString()); + e.printStackTrace(); + context.put("errorString", e.toString()); + context.put("updateStatus", "failure"); + throw new IOException(e); } } context.put("updateStatus", "success"); } /** - * 
If validiate() returns false, this method will be called.
+ * If validate() returns false, this method will be called.
 */
 public void displayError(HttpServletRequest request, HttpServletResponse response,
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 7729ea40e..f514a59f0 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
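Review bot: `response.sendRedirect(sdurl)` still runs before the added `ConfigurationUtils.getDomainXML(...)` and `cs.commit(false)` calls inside the same try, so when the domain fetch fails the new catch sets `updateStatus` to failure and throws `IOException` on a response that is already committed to the redirect, and `preop.domainXML` is never persisted. Moving `response.sendRedirect(sdurl);` to just after `cs.commit(false);` lets the failure reach the wizard's error handling before any redirect is sent. The method's first lines are in the preceding hunk, which drops `importCertChain(getId())` with no replacement visible in this file; I assume the import moved into ConfigurationUtils, but since this is the trust-verification step that is worth confirming. The return value of `ConfigurationUtils.getSecurityDomainPorts(...)` is discarded, so presumably it writes the port settings into the config store itself.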
@@ -19,41 +19,21 @@ package com.netscape.cms.servlet.csadmin; import java.io.IOException; import java.math.BigInteger; -import java.net.URLEncoder; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.StringTokenizer; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.security.x509.X509CertImpl; - import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; -import com.netscape.certsrv.ocsp.IDefStore; import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.property.PropertySet; -import com.netscape.certsrv.usrgrp.EUsrGrpException; -import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.cmsutil.password.IPasswordStore; -import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; public class DonePanel extends WizardPanelBase { 
@@ -98,73 +78,10 @@ public class DonePanel extends WizardPanelBase { return set; } - private LDAPConnection getLDAPConn(Context context) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String host = ""; - String port = ""; - String pwd = null; - String binddn = ""; - String security = ""; - - IPasswordStore pwdStore = CMS.getPasswordStore(); - - if (pwdStore != null) { - CMS.debug("DonePanel: getLDAPConn: password store available"); - pwd = pwdStore.getPassword("internaldb"); - } - - if (pwd == null) { - throw new IOException("DonePanel: Failed to obtain password from password store"); - } - - try { - host = cs.getString("internaldb.ldapconn.host"); - port = cs.getString("internaldb.ldapconn.port"); - binddn = cs.getString("internaldb.ldapauth.bindDN"); - security = cs.getString("internaldb.ldapconn.secureConn"); - } catch (Exception e) { - CMS.debug("DonePanel: getLDAPConn" + e.toString()); - throw new IOException( - "Failed to retrieve LDAP information from CS.cfg."); - } - - int p = -1; - - try { - p = Integer.parseInt(port); - } catch (Exception e) { - CMS.debug("DonePanel getLDAPConn: " + e.toString()); - throw new IOException("Port is not valid"); - } - - LDAPConnection conn = null; - if (security.equals("true")) { - CMS.debug("DonePanel getLDAPConn: creating secure (SSL) connection for internal ldap"); - conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - } else { - CMS.debug("DonePanel getLDAPConn: creating non-secure (non-SSL) connection for internal ldap"); - conn = new LDAPConnection(); - } - - CMS.debug("DonePanel connecting to " + host + ":" + p); - try { - conn.connect(host, p, binddn, pwd); - } catch (LDAPException e) { - CMS.debug("DonePanel getLDAPConn: " + e.toString()); - throw new IOException("Failed to connect to the internal database."); - } - - return conn; - } - /** * Display the panel. 
*/ - public void display(HttpServletRequest request, - HttpServletResponse response, - Context context) { + public void display(HttpServletRequest request, HttpServletResponse response, Context context) { CMS.debug("DonePanel: display()"); // update session id @@ -175,26 +92,24 @@ public class DonePanel extends WizardPanelBase { } IConfigStore cs = CMS.getConfigStore(); - String ownport = CMS.getEENonSSLPort(); - String ownsport = CMS.getEESSLPort(); - String owneeclientauthsport = CMS.getEEClientAuthSSLPort(); - String ownhost = CMS.getEESSLHost(); - String ownagentsport = CMS.getAgentPort(); - String ownagenthost = CMS.getAgentHost(); - String ownadminsport = CMS.getAdminPort(); - String ownadminhost = CMS.getAdminHost(); - String select = ""; + String select = ""; String type = ""; String instanceId = ""; String instanceRoot = ""; String systemdService = ""; + String ca_host = ""; + String sdtype = ""; + int state = 0; try { type = cs.getString("cs.type", ""); instanceId = cs.getString("instanceId"); instanceRoot = cs.getString("instanceRoot"); select = cs.getString("preop.subsystem.select", ""); systemdService = cs.getString("pkicreate.systemd.servicename", ""); + ca_host = cs.getString("preop.ca.hostname", ""); + sdtype = cs.getString("securitydomain.select", ""); + state = cs.getInteger("cs.state"); } catch (Exception e) { } 
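Review bot: The three reads added to display()'s first try — `ca_host`, `sdtype` and `state = cs.getInteger("cs.state")` — sit behind the existing empty `catch (Exception e) { }`, and `state` is initialised to 0, so if an earlier read throws (`cs.getString("instanceId")` and `cs.getString("instanceRoot")` take no default and presumably fail on a missing key) `cs.state` is never read and the next hunk's `if (state == 1) ... return` treats an already configured instance as unconfigured and re-runs the security-domain setup. Reading `state = cs.getInteger("cs.state");` first, in its own try, and returning with an error on failure rather than falling through keeps a config read error from turning into a repeated domain registration. The empty catch predates this change but now hides more; at minimum `CMS.debug("DonePanel display(): " + e);` inside it would make the failure visible. The body of display() continues into the following hunk.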
@@ -224,651 +139,124 @@ public class DonePanel extends WizardPanelBase { } context.put("title", "Done"); context.put("panel", "admin/console/config/donepanel.vm"); - context.put("host", ownadminhost); - context.put("port", ownadminsport); - String subsystemType = toLowerCaseSubsystemType(type); - context.put("systemType", subsystemType); - - try { - int state = cs.getInteger("cs.state"); - if (state == 1) { - context.put("csstate", "1"); - return; - } else - context.put("csstate", "0"); + context.put("host", CMS.getAdminHost()); + context.put("port", CMS.getAdminPort()); + context.put("systemType", type.toLowerCase()); - } catch (Exception e) { - } - - String sd_agent_port = ""; - String sd_admin_port = ""; - String sd_host = ""; - String ca_host = ""; - try { - sd_host = cs.getString("securitydomain.host", ""); - sd_agent_port = cs.getString("securitydomain.httpsagentport", ""); - sd_admin_port = cs.getString("securitydomain.httpsadminport", ""); - ca_host = cs.getString("preop.ca.hostname", ""); - } catch (Exception e) { - } + if (state == 1) { + context.put("csstate", "1"); + return; + } else + context.put("csstate", "0"); if (ca_host.equals("")) context.put("externalCA", "true"); else context.put("externalCA", "false"); - // update security domain - String sdtype = ""; - String subsystemName = ""; - try { - sdtype = cs.getString("securitydomain.select", ""); - subsystemName = cs.getString("preop.subsystem.name", ""); - } catch (Exception e) { - } - - boolean cloneMaster = false; - - if (select.equals("clone") && type.equalsIgnoreCase("CA") && isSDHostDomainMaster(cs)) { - cloneMaster = true; - CMS.debug("Cloning a domain master"); - } - - String s = getSubsystemNodeName(type); - if (sdtype.equals("new")) { - try { - LDAPConnection conn = getLDAPConn(context); - - String basedn = cs.getString("internaldb.basedn"); - String secdomain = cs.getString("securitydomain.name"); - - try { - // Create security domain ldap entry - String dn = "ou=Security Domain," + 
basedn; - CMS.debug("DonePanel: creating ldap entry : " + dn); - - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSecurityDomain")); - if (secdomain.equals("")) { - // this should not happen - just in case - CMS.debug("DonePanel display(): Security domain is an empty string!"); - throw new IOException("Security domain is an empty string!"); - } else { - attrs.add(new LDAPAttribute("name", secdomain)); - } - attrs.add(new LDAPAttribute("ou", "Security Domain")); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Unable to create security domain"); - throw e; - } - - try { - // create list containers - String clist[] = { "CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList" }; - for (int i = 0; i < clist.length; i++) { - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - String dn = "cn=" + clist[i] + ",ou=Security Domain," + basedn; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSecurityGroup")); - attrs.add(new LDAPAttribute("cn", clist[i])); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } - } catch (Exception e) { - CMS.debug("Unable to create security domain list groups"); - throw e; - } + // Create or update security domain - try { - // Add this host (only CA can create new domain) - String cn = ownhost + ":" + ownadminsport; - String dn = "cn=" + cn + ",cn=CAList,ou=Security Domain," + basedn; - LDAPEntry entry = null; - LDAPAttributeSet attrs = null; - attrs = new LDAPAttributeSet(); - attrs.add(new LDAPAttribute("objectclass", "top")); - attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem")); - attrs.add(new LDAPAttribute("Host", ownhost)); - attrs.add(new LDAPAttribute("SecurePort", ownsport)); - attrs.add(new LDAPAttribute("SecureAgentPort", - 
ownagentsport)); - attrs.add(new LDAPAttribute("SecureAdminPort", - ownadminsport)); - if (owneeclientauthsport != null) { - attrs.add(new LDAPAttribute("SecureEEClientAuthPort", - owneeclientauthsport)); - } - attrs.add(new LDAPAttribute("UnSecurePort", ownport)); - attrs.add(new LDAPAttribute("Clone", "FALSE")); - attrs.add(new LDAPAttribute("SubsystemName", subsystemName)); - attrs.add(new LDAPAttribute("cn", cn)); - attrs.add(new LDAPAttribute("DomainManager", "TRUE")); - entry = new LDAPEntry(dn, attrs); - conn.add(entry); - } catch (Exception e) { - CMS.debug("Unable to create host entry in security domain"); - throw e; - } - CMS.debug("DonePanel display: finish updating domain info"); - conn.disconnect(); - } catch (Exception e) { - CMS.debug("DonePanel display: " + e.toString()); - } - - int sd_admin_port_int = -1; - try { - sd_admin_port_int = Integer.parseInt(sd_admin_port); - } catch (Exception e) { - } - - try { - // Fetch the "new" security domain and display it - CMS.debug("Dump contents of new Security Domain . . ."); - @SuppressWarnings("unused") - String c = getDomainXML(sd_host, sd_admin_port_int, true); - } catch (Exception e) { - } - - // Since this instance is a new Security Domain, - // create an empty file to designate this fact. 
- String security_domain = instanceRoot + "/conf/" - + PKI_SECURITY_DOMAIN; - if (!Utils.isNT()) { - Utils.exec("touch " + security_domain); - Utils.exec("chmod 00660 " + security_domain); - } - - } else { //existing domain - int sd_agent_port_int = -1; - int sd_admin_port_int = -1; - try { - sd_agent_port_int = Integer.parseInt(sd_agent_port); - sd_admin_port_int = Integer.parseInt(sd_admin_port); - } catch (Exception e) { - } - - try { - String cloneStr = ""; - if (select.equals("clone")) - cloneStr = "&clone=true"; - else - cloneStr = "&clone=false"; - - String domainMasterStr = ""; - if (cloneMaster) - domainMasterStr = "&dm=true"; - else - domainMasterStr = "&dm=false"; - String eecaStr = ""; - if (owneeclientauthsport != null) - eecaStr = "&eeclientauthsport=" + owneeclientauthsport; - - updateDomainXML(sd_host, sd_agent_port_int, true, - "/ca/agent/ca/updateDomainXML", - "list=" + s - + "&type=" + type - + "&host=" + ownhost - + "&name=" + subsystemName - + "&sport=" + ownsport - + domainMasterStr - + cloneStr - + "&agentsport=" + ownagentsport - + "&adminsport=" + ownadminsport - + eecaStr - + "&httpport=" + ownport); - - // Fetch the "updated" security domain and display it - CMS.debug("Dump contents of updated Security Domain . . 
."); - @SuppressWarnings("unused") - String c = getDomainXML(sd_host, sd_admin_port_int, true); - } catch (Exception e) { - context.put("errorString", "Failed to update the security domain on the domain master."); - //return; + try { + if (sdtype.equals("new")) { + ConfigurationUtils.createSecurityDomain(); + } else { //existing domain + ConfigurationUtils.updateSecurityDomain(); } - } - // add service.securityDomainPort to CS.cfg in case pkiremove - // needs to remove system reference from the security domain - try { - cs.putString("service.securityDomainPort", ownagentsport); + cs.putString("service.securityDomainPort", CMS.getAgentPort()); cs.putString("securitydomain.store", "ldap"); cs.commit(false); } catch (Exception e) { - CMS.debug("DonePanel: exception in adding service.securityDomainPort to CS.cfg" + e); - } - - // need to push connector information to the CA - if (type.equals("KRA") && !ca_host.equals("")) { - try { - updateConnectorInfo(ownagenthost, ownagentsport); - } catch (IOException e) { - context.put("errorString", "Failed to update connector information."); - return; - } - setupClientAuthUser(); - } // if KRA - - // import the CA certificate into the OCSP - // configure the CRL Publishing to OCSP in CA - if (type.equals("OCSP") && !ca_host.equals("")) { - try { - CMS.reinit(IOCSPAuthority.ID); - importCACertToOCSP(); - } catch (Exception e) { - CMS.debug("DonePanel display: Failed to import the CA certificate into OCSP."); - } - - try { - updateOCSPConfig(response); - } catch (Exception e) { - CMS.debug("DonePanel display: Failed to update OCSP information in CA."); - } - - setupClientAuthUser(); - } - - if (!select.equals("clone")) { - if (type.equals("CA") || type.equals("KRA")) { - String endRequestNumStr = ""; - String endSerialNumStr = ""; - - try { - endRequestNumStr = cs.getString("dbs.endRequestNumber", ""); - endSerialNumStr = cs.getString("dbs.endSerialNumber", ""); - BigInteger endRequestNum = new BigInteger(endRequestNumStr); - 
BigInteger endSerialNum = new BigInteger(endSerialNumStr); - BigInteger oneNum = new BigInteger("1"); - - // update global next range entries - LDAPConnection conn = getLDAPConn(context); - String basedn = cs.getString("internaldb.basedn"); - - String serialdn = ""; - if (type.equals("CA")) { - serialdn = "ou=certificateRepository,ou=" + type.toLowerCase() + "," + basedn; - } else { - serialdn = "ou=keyRepository,ou=" + type.toLowerCase() + "," + basedn; - } - LDAPAttribute attrSerialNextRange = - new LDAPAttribute("nextRange", endSerialNum.add(oneNum).toString()); - LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange); - conn.modify(serialdn, serialmod); - - String requestdn = "ou=" + type.toLowerCase() + ",ou=requests," + basedn; - LDAPAttribute attrRequestNextRange = - new LDAPAttribute("nextRange", endRequestNum.add(oneNum).toString()); - LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange); - conn.modify(requestdn, requestmod); - - conn.disconnect(); - } catch (Exception e) { - CMS.debug("Unable to update global next range numbers: " + e); - } - } - } - - if (cloneMaster) { - // cloning a domain master CA, the clone is also master of its domain - try { - cs.putString("securitydomain.host", ownhost); - cs.putString("securitydomain.httpport", ownport); - cs.putString("securitydomain.httpsadminport", ownadminsport); - cs.putString("securitydomain.httpsagentport", ownagentsport); - cs.putString("securitydomain.httpseeport", ownsport); - cs.putString("securitydomain.select", "new"); - } catch (Exception e) { - CMS.debug("Caught exception trying to save security domain parameters for clone of a domain master"); - } + CMS.debug("DonePanel - update(): Error while updating security domain: " + e); + e.printStackTrace(); } - String dbuser = null; + // push connector information to the CA try { - dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + 
cs.getString("service.securePort"); - if (! sdtype.equals("new")) { - setupDBUser(dbuser); + if (type.equals("KRA") && !ca_host.equals("")) { + ConfigurationUtils.updateConnectorInfo(CMS.getAgentHost(), CMS.getAgentPort()); + ConfigurationUtils.setupClientAuthUser(); } - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - IUser user = system.getUser(dbuser); - system.addCertSubjectDN(user); } catch (Exception e) { + CMS.debug("DonePanel - update(): Error while pushing KRA connectot information to the CA: " + e); e.printStackTrace(); - CMS.debug("Unable to create or update dbuser" + e); } - cs.putInteger("cs.state", 1); + // import the CA certificate into the OCSP + // configure the CRL Publishing to OCSP in CA try { - // save variables needed for cloning and remove preop - String list = cs.getString("preop.cert.list", ""); - StringTokenizer st = new StringTokenizer(list, ","); - - while (st.hasMoreTokens()) { - String ss = st.nextToken(); - if (ss.equals("sslserver")) - continue; - cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", "")); - cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", "")); - cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", "")); - cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", "")); - cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", "")); - cs.putString("cloning." + ss + ".pubkey.exponent", - cs.getString("preop.cert." + ss + ".pubkey.exponent", "")); - cs.putString("cloning." + ss + ".pubkey.modulus", - cs.getString("preop.cert." + ss + ".pubkey.modulus", "")); - cs.putString("cloning." + ss + ".pubkey.encoded", - cs.getString("preop.cert." 
+ ss + ".pubkey.encoded", "")); - } - cs.putString("cloning.module.token", cs.getString("preop.module.token", "")); - cs.putString("cloning.list", list); - - // more cloning variables needed for non-ca clones - - if (!type.equals("CA")) { - String val = cs.getString("preop.ca.hostname", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.hostname", val); - - val = cs.getString("preop.ca.httpport", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.httpport", val); - - val = cs.getString("preop.ca.httpsport", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.httpsport", val); - - val = cs.getString("preop.ca.list", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.list", val); - - val = cs.getString("preop.ca.pkcs7", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.pkcs7", val); - - val = cs.getString("preop.ca.type", ""); - if (val.compareTo("") != 0) - cs.putString("cloning.ca.type", val); - } - - // save EC type for sslserver cert (if present) - cs.putString("jss.ssl.sslserver.ectype", cs.getString("preop.cert.sslserver.ec.type", "ECDHE")); - - cs.removeSubStore("preop"); - cs.commit(false); - - // Create an empty file that designates the fact that although - // this server instance has been configured, it has NOT yet - // been restarted! 
- String restart_server = instanceRoot + "/conf/" - + RESTART_SERVER_AFTER_CONFIGURATION; - if (!Utils.isNT()) { - Utils.exec("touch " + restart_server); - Utils.exec("chmod 00660 " + restart_server); + if (type.equals("OCSP") && !ca_host.equals("")) { + CMS.reinit(IOCSPAuthority.ID); + ConfigurationUtils.importCACertToOCSP(); + ConfigurationUtils.updateOCSPConfig(); + ConfigurationUtils.setupClientAuthUser(); } - } catch (Exception e) { - CMS.debug("Caught exception saving preop variables: " + e); + CMS.debug("DonePanel - update(): Error while configuring OCSP publishing on the CA: " + e); + e.printStackTrace(); } - context.put("csstate", "1"); - } - - private void setupClientAuthUser() { - IConfigStore cs = CMS.getConfigStore(); - - // retrieve CA subsystem certificate from the CA - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - String id = ""; try { - String b64 = getCASubsystemCert(); - if (b64 != null) { - int num = cs.getInteger("preop.subsystem.count", 0); - id = getCAUserId(); - num++; - cs.putInteger("preop.subsystem.count", num); - cs.putInteger("subsystem.count", num); - IUser user = system.createUser(id); - user.setFullName(id); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel display: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel display: successfully add the user certificate"); - cs.commit(false); - } - } catch (Exception e) { - } + if (!select.equals("clone")) { + if (type.equals("CA") || type.equals("KRA")) { + ConfigurationUtils.updateNextRanges(); - try { - String groupName = "Trusted Managers"; - IGroup group = system.getGroupFromName(groupName); - if (!group.isMember(id)) { - group.addMemberName(id); - system.modifyGroup(group); - 
CMS.debug("DonePanel display: successfully added the user to the group."); + } } } catch (Exception e) { - } - } - - private void setupDBUser(String dbuser) throws CertificateException, EUsrGrpException, LDAPException { - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - - String b64 = getSubsystemCert(); - if (b64 == null) { - CMS.debug("DonePanel setupDBUser: failed to fetch subsystem cert"); - return; - } - - IUser user = system.createUser(dbuser); - user.setFullName(dbuser); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel setupDBUser: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel setupDBUser: successfully add the user certificate"); - } - - private String getSubsystemCert() { - IConfigStore cs = CMS.getConfigStore(); - String nickname = ""; - try { - nickname = cs.getString("preop.cert.subsystem.nickname", ""); - String tokenname = cs.getString("preop.module.token", ""); - if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") - && !tokenname.equals("")) - nickname = tokenname + ":" + nickname; - } catch (Exception e) { + CMS.debug("DonePanel - update(): Error while updating serial number next ranges: " + e); + e.printStackTrace(); } - CMS.debug("DonePanel getSubsystemCert: nickname=" + nickname); - String s = null; try { - CryptoManager cm = CryptoManager.getInstance(); - org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname); - - if (cert == null) { - CMS.debug("DonePanel getSubsystemCert: subsystem cert is null"); - return null; + if (select.equals("clone") && type.equalsIgnoreCase("CA") && ConfigurationUtils.isSDHostDomainMaster(cs)) { + // cloning a domain master CA, the clone is also master of its 
domain + CMS.debug("Cloning a domain master"); + cs.putString("securitydomain.host", CMS.getEESSLHost()); + cs.putString("securitydomain.httpport", CMS.getEENonSSLPort()); + cs.putString("securitydomain.httpsadminport", CMS.getAdminPort()); + cs.putString("securitydomain.httpsagentport", CMS.getAgentPort()); + cs.putString("securitydomain.httpseeport", CMS.getEESSLPort()); + cs.putString("securitydomain.select", "new"); } - - byte[] bytes = cert.getEncoded(); - s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes)); - } catch (Exception e) { - CMS.debug("DonePanel getSubsystemCert: exception: " + e.toString()); - } - return s; - } - - private void updateOCSPConfig(HttpServletResponse response) - throws IOException { - IConfigStore config = CMS.getConfigStore(); - String cahost = ""; - int caport = -1; - - try { - cahost = config.getString("preop.ca.hostname", ""); - caport = config.getInteger("preop.ca.httpsport", -1); } catch (Exception e) { + CMS.debug("DonePanel - update(): Error in determining if security domain host is a master CA: " + e); + e.printStackTrace(); } - String ocsphost = CMS.getAgentHost(); - int ocspport = Integer.parseInt(CMS.getAgentPort()); - String session_id = CMS.getConfigSDSessionId(); - String content = "xmlOutput=true&sessionID=" + session_id + "&ocsp_host=" + ocsphost + "&ocsp_port=" + ocspport; - - updateOCSPConfig(cahost, caport, true, content, response); - } - - private void importCACertToOCSP() throws IOException { - IConfigStore config = CMS.getConfigStore(); - - // get certificate chain from CA + String dbuser = null; try { - String b64 = config.getString("preop.ca.pkcs7", ""); - - if (b64.equals("")) - throw new IOException("Failed to get certificate chain."); - - try { - // this could be a chain - X509Certificate[] certs = Cert.mapCertFromPKCS7(b64); - X509Certificate leafCert = null; - if (certs != null && certs.length > 0) { - if (certs[0].getSubjectDN().getName().equals(certs[0].getIssuerDN().getName())) { - leafCert 
= certs[certs.length - 1]; - } else { - leafCert = certs[0]; - } - - IOCSPAuthority ocsp = - (IOCSPAuthority) CMS.getSubsystem(IOCSPAuthority.ID); - IDefStore defStore = ocsp.getDefaultStore(); - - // (1) need to normalize (sort) the chain - - // (2) store certificate (and certificate chain) into - // database - ICRLIssuingPointRecord rec = defStore.createCRLIssuingPointRecord( - leafCert.getSubjectDN().getName(), - BIG_ZERO, - MINUS_ONE, null, null); - - try { - rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded()); - } catch (Exception e) { - // error - } - defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec); - //log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName()); - - CMS.debug("DonePanel importCACertToOCSP: Added CA certificate."); - } - } catch (Exception e) { - throw new IOException("Failed to encode the certificate chain"); + dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + + cs.getString("service.securePort"); + if (!sdtype.equals("new")) { + ConfigurationUtils.setupDBUser(dbuser); } - } catch (IOException e) { - throw e; - } catch (Exception e) { - CMS.debug("DonePanel importCACertToOCSP: Failed to import the certificate chain into the OCSP"); - throw new IOException("Failed to import the certificate chain into the OCSP"); - } - } - - private String getCASubsystemCert() throws IOException { - IConfigStore cs = CMS.getConfigStore(); - String host = ""; - int port = -1; - try { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsadminport", -1); - } catch (Exception e) { - } - - return getSubsystemCert(host, port, true); - } - - private String getCAUserId() throws IOException { - IConfigStore cs = CMS.getConfigStore(); - String host = ""; - int port = -1; - try { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsport", -1); + IUGSubsystem system = (IUGSubsystem) 
(CMS.getSubsystem(IUGSubsystem.ID)); + IUser user = system.getUser(dbuser); + system.addCertSubjectDN(user); } catch (Exception e) { + e.printStackTrace(); + CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e); } - return "CA-" + host + "-" + port; - } - - private void updateConnectorInfo(String ownagenthost, String ownagentsport) - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - int port = -1; - String url = ""; - String host = null; - String transportCert = ""; + cs.putInteger("cs.state", 1); try { - url = cs.getString("preop.ca.url", ""); - if (!url.equals("")) { - host = cs.getString("preop.ca.hostname", ""); - port = cs.getInteger("preop.ca.httpsadminport", -1); - transportCert = cs.getString("kra.transport.cert", ""); - } + ConfigurationUtils.removePreopConfigEntries(); } catch (Exception e) { + CMS.debug("DonePanel - update(): Caught exception saving preop variables: " + e); } - if (host == null) { - CMS.debug("DonePanel: preop.ca.url is not defined. External CA selected. No transport certificate setup is required"); - } else { - CMS.debug("DonePanel: Transport certificate is being setup in " + url); - String session_id = CMS.getConfigSDSessionId(); - String content = - "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host=" - + ownagenthost - + "&ca.connector.KRA.port=" - + ownagentsport - + "&ca.connector.KRA.transportCert=" - + URLEncoder.encode(transportCert, "UTF-8") - + "&sessionID=" - + session_id; - - updateConnectorInfo(host, port, true, content); + // Create an empty file that designates the fact that although + // this server instance has been configured, it has NOT yet + // been restarted! 
+ String restart_server = instanceRoot + "/conf/" + + RESTART_SERVER_AFTER_CONFIGURATION; + if (!Utils.isNT()) { + Utils.exec("touch " + restart_server); + Utils.exec("chmod 00660 " + restart_server); } - } - private String getSubsystemNodeName(String type) { - if (type.equals("CA")) { - return "CAList"; - } else if (type.equals("KRA")) { - return "KRAList"; - } else if (type.equals("TKS")) { - return "TKSList"; - } else if (type.equals("OCSP")) { - return "OCSPList"; - } - - return ""; + context.put("csstate", "1"); } /** diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java b/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java index c0a57c3d7..082c43b42 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java @@ -37,7 +37,6 @@ import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISecurityDomainSessionTable; import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.base.UserInfo; import com.netscape.cms.servlet.common.CMSRequest; @@ -177,7 +176,7 @@ public class GetCookie extends CMSServlet { if (authToken != null) { String uid = authToken.getInString("uid"); - String groupname = getGroupName(uid, subsystem); + String groupname = ConfigurationUtils.getGroupName(uid, subsystem); if (groupname != null) { 
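Review bot: In the GetCookie hunk at line 176, `ConfigurationUtils.getGroupName(uid, subsystem)` now replaces the private helper, and the `groupname != null` test right after it is what admits the caller, so the static helper's result must match the removed method exactly — the old code returned a group only when the user was a member of that group AND the subsystem name matched; whether the moved copy keeps both conditions cannot be seen from this diff. A one-line comment at the call site would make the dependency explicit for the next reader: `// authorization gate: null means uid is not an enterprise admin of this subsystem`. The enclosing method starts and ends outside the hunk.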
@@ -269,32 +268,6 @@ public class GetCookie extends CMSServlet { } } - private String getGroupName(String uid, String subsystemname) { - IUGSubsystem subsystem = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - if (subsystem.isMemberOf(uid, "Enterprise CA Administrators") && - subsystemname.equals("CA")) { - return "Enterprise CA Administrators"; - } else if (subsystem.isMemberOf(uid, "Enterprise KRA Administrators") && - subsystemname.equals("KRA")) { - return "Enterprise KRA Administrators"; - } else if (subsystem.isMemberOf(uid, "Enterprise OCSP Administrators") && - subsystemname.equals("OCSP")) { - return "Enterprise OCSP Administrators"; - } else if (subsystem.isMemberOf(uid, "Enterprise TKS Administrators") && - subsystemname.equals("TKS")) { - return "Enterprise TKS Administrators"; - } else if (subsystem.isMemberOf(uid, "Enterprise RA Administrators") && - subsystemname.equals("RA")) { - return "Enterprise RA Administrators"; - } else if (subsystem.isMemberOf(uid, "Enterprise TPS Administrators") && - subsystemname.equals("TPS")) { - return "Enterprise TPS Administrators"; - } - - return null; - } - /** * Retrieves locale based on the request. */ diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java index cb37ef76d..8d69997bb 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java @@ -17,11 +17,8 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.FileOutputStream; import java.io.IOException; -import java.io.PrintStream; import java.net.URL; -import java.net.URLEncoder; import java.util.Enumeration; import java.util.StringTokenizer; import java.util.Vector; 
@@ -30,14 +27,14 @@ import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; +import javax.xml.parsers.ParserConfigurationException; import org.apache.velocity.context.Context; +import org.xml.sax.SAXException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.ca.ICertificateAuthority; @@ -46,7 +43,6 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.property.PropertySet; import com.netscape.certsrv.util.HttpInput; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; public class NamePanel extends WizardPanelBase { private Vector<Cert> mCerts = null; @@ -148,14 +144,6 @@ public class NamePanel extends WizardPanelBase { return false; } - public String capitalize(String s) { - if (s.length() == 0) { - return s; - } else { - return s.substring(0, 1).toUpperCase() + s.substring(1); - } - } - /** * Display the panel. */ @@ -179,11 +167,13 @@ public class NamePanel extends WizardPanelBase { String select = ""; String hselect = ""; String cstype = ""; + String domainType = ""; try { //if CA, at the hierarchy panel, was it root or subord? hselect = config.getString("preop.hierarchy.select", ""); select = config.getString("preop.subsystem.select", ""); cstype = config.getString("cs.type", ""); + domainType = config.getString("preop.securitydomain.select", ""); context.put("select", select); if (cstype.equals("CA") && hselect.equals("root")) { CMS.debug("NamePanel ca is root"); 
@@ -287,8 +277,20 @@ public class NamePanel extends WizardPanelBase {
 }
 CMS.debug("NamePanel: Ready to get SSL EE HTTPS urls");
- Vector<String> v = getUrlListFromSecurityDomain(config, "CA", "SecurePort");
+ Vector<String> v = null;
+ if (!domainType.equals("new")) {
+ try {
+ v = ConfigurationUtils.getUrlListFromSecurityDomain(config, "CA", "SecurePort");
+ } catch (Exception e) {
+ CMS.debug("NamePanel: display(): Exception thrown in getUrlListFromSecurityDomain " + e);
+ e.printStackTrace();
+ }
+ }
+ if (v == null) {
+ v = new Vector<String>();
+ }
 v.addElement("External CA");
+ StringBuffer list = new StringBuffer();
 int size = v.size();
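Review bot: When getUrlListFromSecurityDomain throws, the new catch block only logs and falls through to an empty Vector, so the operator is shown a CA selector containing nothing but "External CA" with no indication that the security-domain lookup failed; an installation that should join a domain CA is thereby nudged toward the external-CA path. Consider surfacing the failure in the panel, e.g. `context.put("errorString", "Unable to retrieve the CA list from the security domain: " + e);` inside the catch — whether the template renders errorString for this panel is outside the hunk and should be confirmed. `e.printStackTrace()` writes to process stderr rather than the CMS debug log the surrounding code uses, so the trace is easily lost; `CMS.debug(e)` or including the stack in the existing debug message would keep it with the other diagnostics. display() starts and ends outside the hunk.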
@@ -337,297 +339,6 @@ public class NamePanel extends WizardPanelBase { } // while } - /* - * update some parameters for clones - */ - public void updateCloneConfig(IConfigStore config) - throws EBaseException, IOException { - String cstype = config.getString("cs.type", null); - cstype = toLowerCaseSubsystemType(cstype); - if (cstype.equals("kra")) { - String token = config.getString(PRE_CONF_CA_TOKEN); - if (!token.equals("Internal Key Storage Token")) { - CMS.debug("NamePanel: updating configuration for KRA clone with hardware token"); - String subsystem = config.getString(PCERT_PREFIX + "storage.subsystem"); - String storageNickname = getNickname(config, "storage"); - String transportNickname = getNickname(config, "transport"); - - config.putString(subsystem + ".storageUnit.hardware", token); - config.putString(subsystem + ".storageUnit.nickName", token + ":" + storageNickname); - config.putString(subsystem + ".transportUnit.nickName", token + ":" + transportNickname); - config.commit(false); - } else { // software token - // parameters already set - } - } - - // audit signing cert - String audit_nn = config.getString(cstype + ".audit_signing" + ".nickname", ""); - String audit_tk = config.getString(cstype + ".audit_signing" + ".tokenname", ""); - if (!audit_tk.equals("Internal Key Storage Token") && !audit_tk.equals("")) { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_tk + ":" + audit_nn); - } else { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_nn); - } - } - - /* - * get some of the "preop" parameters to persisting parameters - */ - public void updateConfig(IConfigStore config, String certTag) - throws EBaseException, IOException { - String token = config.getString(PRE_CONF_CA_TOKEN); - String subsystem = config.getString(PCERT_PREFIX + certTag + ".subsystem"); - CMS.debug("NamePanel: subsystem " + subsystem); - String nickname = getNickname(config, certTag); - - CMS.debug("NamePanel: 
updateConfig() for certTag " + certTag); - // XXX these two are used throughout the CA so have to write them - // should change the entire system to use the uniformed names later - if (certTag.equals("signing") || certTag.equals("ocsp_signing")) { - CMS.debug("NamePanel: setting signing nickname=" + nickname); - config.putString(subsystem + "." + certTag + ".cacertnickname", nickname); - config.putString(subsystem + "." + certTag + ".certnickname", nickname); - } - - // if KRA, hardware token needs param "kra.storageUnit.hardware" in CS.cfg - String cstype = config.getString("cs.type", null); - cstype = toLowerCaseSubsystemType(cstype); - if (cstype.equals("kra")) { - if (!token.equals("Internal Key Storage Token")) { - if (certTag.equals("storage")) { - config.putString(subsystem + ".storageUnit.hardware", token); - config.putString(subsystem + ".storageUnit.nickName", token + ":" + nickname); - } else if (certTag.equals("transport")) { - config.putString(subsystem + ".transportUnit.nickName", token + ":" + nickname); - } - } else { // software token - if (certTag.equals("storage")) { - config.putString(subsystem + ".storageUnit.nickName", nickname); - } else if (certTag.equals("transport")) { - config.putString(subsystem + ".transportUnit.nickName", nickname); - } - } - } - - String serverCertNickname = nickname; - String path = CMS.getConfigStore().getString("instanceRoot", ""); - if (certTag.equals("sslserver")) { - if (!token.equals("Internal Key Storage Token")) { - serverCertNickname = token + ":" + nickname; - } - PrintStream ps = new PrintStream(new FileOutputStream(path + "/conf/serverCertNick.conf")); - ps.println(serverCertNickname); - ps.close(); - } - - config.putString(subsystem + "." + certTag + ".nickname", nickname); - config.putString(subsystem + "." 
+ certTag + ".tokenname", token); - if (certTag.equals("audit_signing")) { - if (!token.equals("Internal Key Storage Token") && !token.equals("")) { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - token + ":" + nickname); - } else { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - nickname); - } - } - /* - config.putString(CERT_PREFIX + certTag + ".defaultSigningAlgorithm", - "SHA1withRSA"); - */ - - // for system certs verification - if (!token.equals("Internal Key Storage Token") && !token.equals("")) { - config.putString(subsystem + ".cert." + certTag + ".nickname", - token + ":" + nickname); - } else { - config.putString(subsystem + ".cert." + certTag + ".nickname", nickname); - } - - config.commit(false); - CMS.debug("NamePanel: updateConfig() done"); - } - - /** - * create and sign a cert locally (handles both "selfsign" and "local") - */ - public void configCert(HttpServletRequest request, - HttpServletResponse response, - Context context, Cert certObj) throws IOException { - CMS.debug("NamePanel: configCert called"); - - IConfigStore config = CMS.getConfigStore(); - String caType = certObj.getType(); - CMS.debug("NamePanel: in configCert caType is " + caType); - X509CertImpl cert = null; - String certTag = certObj.getCertTag(); - - try { - updateConfig(config, certTag); - if (caType.equals("remote")) { - String v = config.getString("preop.ca.type", ""); - - CMS.debug("NamePanel configCert: remote CA"); - String pkcs10 = CertUtil.getPKCS10(config, PCERT_PREFIX, - certObj, context); - certObj.setRequest(pkcs10); - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - config.putString(subsystem + "." 
+ certTag + ".certreq", pkcs10); - String profileId = config.getString(PCERT_PREFIX + certTag + ".profile"); - String session_id = CMS.getConfigSDSessionId(); - String sd_hostname = ""; - int sd_ee_port = -1; - try { - sd_hostname = config.getString("securitydomain.host", ""); - sd_ee_port = config.getInteger("securitydomain.httpseeport", -1); - } catch (Exception ee) { - CMS.debug("NamePanel: configCert() exception caught:" + ee.toString()); - } - String sysType = config.getString("cs.type", ""); - String machineName = config.getString("machineName", ""); - String securePort = config.getString("service.securePort", ""); - if (certTag.equals("subsystem")) { - String content = - "requestor_name=" - + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId - + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") - + "&xmlOutput=true&sessionID=" + session_id; - cert = CertUtil.createRemoteCert(sd_hostname, sd_ee_port, - content, response, this); - if (cert == null) { - throw new IOException("Error: remote certificate is null"); - } - } else if (v.equals("sdca")) { - String ca_hostname = ""; - int ca_port = -1; - try { - ca_hostname = config.getString("preop.ca.hostname", ""); - ca_port = config.getInteger("preop.ca.httpsport", -1); - } catch (Exception ee) { - } - - String content = - "requestor_name=" - + sysType + "-" + machineName + "-" + securePort + "&profileId=" + profileId - + "&cert_request_type=pkcs10&cert_request=" + URLEncoder.encode(pkcs10, "UTF-8") - + "&xmlOutput=true&sessionID=" + session_id; - cert = CertUtil.createRemoteCert(ca_hostname, ca_port, - content, response, this); - if (cert == null) { - throw new IOException("Error: remote certificate is null"); - } - } else if (v.equals("otherca")) { - config.putString(subsystem + "." 
+ certTag + ".cert", - "...paste certificate here..."); - } else { - CMS.debug("NamePanel: no preop.ca.type is provided"); - } - } else { // not remote CA, ie, self-signed or local - ISubsystem ca = CMS.getSubsystem(ICertificateAuthority.ID); - - if (ca == null) { - String s = PCERT_PREFIX + certTag + ".type"; - - CMS.debug( - "The value for " + s - + " should be remote, nothing else."); - throw new IOException( - "The value for " + s + " should be remote"); - } - - String pubKeyType = config.getString( - PCERT_PREFIX + certTag + ".keytype"); - if (pubKeyType.equals("rsa")) { - - String pubKeyModulus = config.getString( - PCERT_PREFIX + certTag + ".pubkey.modulus"); - String pubKeyPublicExponent = config.getString( - PCERT_PREFIX + certTag + ".pubkey.exponent"); - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - - if (certTag.equals("signing")) { - X509Key x509key = CryptoUtil.getPublicX509Key( - CryptoUtil.string2byte(pubKeyModulus), - CryptoUtil.string2byte(pubKeyPublicExponent)); - - cert = CertUtil.createLocalCert(config, x509key, - PCERT_PREFIX, certTag, caType, context); - } else { - String cacert = config.getString("ca.signing.cert", ""); - - if (cacert.equals("") || cacert.startsWith("...")) { - certObj.setCert( - "...certificate be generated internally..."); - config.putString(subsystem + "." 
+ certTag + ".cert", - "...certificate be generated internally..."); - } else { - X509Key x509key = CryptoUtil.getPublicX509Key( - CryptoUtil.string2byte(pubKeyModulus), - CryptoUtil.string2byte(pubKeyPublicExponent)); - - cert = CertUtil.createLocalCert(config, x509key, - PCERT_PREFIX, certTag, caType, context); - } - } - } else if (pubKeyType.equals("ecc")) { - String pubKeyEncoded = config.getString( - PCERT_PREFIX + certTag + ".pubkey.encoded"); - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - - if (certTag.equals("signing")) { - - X509Key x509key = CryptoUtil.getPublicX509ECCKey(CryptoUtil.string2byte(pubKeyEncoded)); - cert = CertUtil.createLocalCert(config, x509key, - PCERT_PREFIX, certTag, caType, context); - } else { - String cacert = config.getString("ca.signing.cert", ""); - - if (cacert.equals("") || cacert.startsWith("...")) { - certObj.setCert( - "...certificate be generated internally..."); - config.putString(subsystem + "." + certTag + ".cert", - "...certificate be generated internally..."); - } else { - X509Key x509key = CryptoUtil.getPublicX509ECCKey( - CryptoUtil.string2byte(pubKeyEncoded)); - - cert = CertUtil.createLocalCert(config, x509key, - PCERT_PREFIX, certTag, caType, context); - } - } - } else { - // invalid key type - CMS.debug("Invalid key type " + pubKeyType); - } - if (cert != null) { - if (certTag.equals("subsystem")) - CertUtil.addUserCertificate(cert); - } - } // done self-signed or local - - if (cert != null) { - byte[] certb = cert.getEncoded(); - String certs = CryptoUtil.base64Encode(certb); - - // certObj.setCert(certs); - String subsystem = config.getString( - PCERT_PREFIX + certTag + ".subsystem"); - config.putString(subsystem + "." 
+ certTag + ".cert", certs); - } - config.commit(false); - } catch (IOException e) { - throw e; - } catch (Exception e) { - CMS.debug("NamePanel configCert() exception caught:" + e.toString()); - } - } - public void configCertWithTag(HttpServletRequest request, HttpServletResponse response, Context context, String tag) throws IOException { @@ -638,8 +349,7 @@ public class NamePanel extends WizardPanelBase { while (c.hasMoreElements()) { Cert cert = c.nextElement(); String ct = cert.getCertTag(); - CMS.debug("NamePanel: configCertWithTag ct=" + ct + - " tag=" + tag); + CMS.debug("NamePanel: configCertWithTag ct=" + ct + " tag=" + tag); if (ct.equals(tag)) { try { String nickname = HttpInput.getNickname(request, ct + "_nick"); @@ -659,7 +369,7 @@ public class NamePanel extends WizardPanelBase { + ct + ": " + e.toString()); } - configCert(request, response, context, cert); + ConfigurationUtils.configCert(request, response, context, cert, this); CMS.debug("NamePanel: configCertWithTag done with tag=" + tag); return; } @@ -737,7 +447,6 @@ public class NamePanel extends WizardPanelBase { HttpServletResponse response, Context context) throws IOException { CMS.debug("NamePanel: in update()"); - boolean hasErr = false; if (inputChanged(request)) { mServlet.cleanUpFromPanel(mServlet.getPanelNo(request)); @@ -747,12 +456,11 @@ public class NamePanel extends WizardPanelBase { } IConfigStore config = CMS.getConfigStore(); - - String hselect = ""; ISubsystem subsystem = CMS.getSubsystem(ICertificateAuthority.ID); + try { //if CA, at the hierarchy panel, was it root or subord? - hselect = config.getString("preop.hierarchy.select", ""); + String hselect = config.getString("preop.hierarchy.select", ""); String cstype = config.getString("preop.subsystem.select", ""); if (cstype.equals("clone")) { CMS.debug("NamePanel: clone configuration detected"); 
@@ -765,65 +473,63 @@ public class NamePanel extends WizardPanelBase { config.putString("preop.ca.url", url); URL urlx = new URL(url); - updateCloneSDCAInfo(request, context, urlx.getHost(), - Integer.toString(urlx.getPort())); + updateCloneSDCAInfo(request, context, urlx.getHost(), urlx.getPort()); } - updateCloneConfig(config); + ConfigurationUtils.updateCloneConfig(); CMS.debug("NamePanel: clone configuration done"); context.put("updateStatus", "success"); return; } - } catch (Exception e) { - CMS.debug("NamePanel: configCertWithTag failure - " + e); - context.put("updateStatus", "failure"); - return; - } - //if no hselect, then not CA - if (hselect.equals("") || hselect.equals("join")) { - String url = getURL(request, config); + //if no hselect, then not CA + if (hselect.equals("") || hselect.equals("join")) { + String url = getURL(request, config); - URL urlx = null; + URL urlx = null; - if (url.equals("External CA")) { - CMS.debug("NamePanel: external CA selected"); - config.putString("preop.ca.type", "otherca"); - if (subsystem != null) { - config.putString(PCERT_PREFIX + "signing.type", "remote"); - } + if (url.equals("External CA")) { + CMS.debug("NamePanel: external CA selected"); + config.putString("preop.ca.type", "otherca"); + if (subsystem != null) { + config.putString(PCERT_PREFIX + "signing.type", "remote"); + } - config.putString("preop.ca.pkcs7", ""); - config.putInteger("preop.ca.certchain.size", 0); - context.put("check_otherca", "checked"); - CMS.debug("NamePanel: update: this is the external CA."); - } else { - CMS.debug("NamePanel: local CA selected"); - // parse URL (CA1 - https://...) 
- url = url.substring(url.indexOf("https")); - config.putString("preop.ca.url", url); - - urlx = new URL(url); - config.putString("preop.ca.type", "sdca"); - CMS.debug("NamePanel: update: this is a CA in the security domain."); - context.put("check_sdca", "checked"); - sdca(request, context, urlx.getHost(), - Integer.toString(urlx.getPort())); - if (subsystem != null) { - config.putString(PCERT_PREFIX + "signing.type", "remote"); - config.putString(PCERT_PREFIX + "signing.profile", - "caInstallCACert"); - } - } + config.putString("preop.ca.pkcs7", ""); + config.putInteger("preop.ca.certchain.size", 0); + context.put("check_otherca", "checked"); + CMS.debug("NamePanel: update: this is the external CA."); + } else { + CMS.debug("NamePanel: local CA selected"); + url = url.substring(url.indexOf("https")); + config.putString("preop.ca.url", url); - try { - config.commit(false); - } catch (Exception e) { - } + urlx = new URL(url); + String host = urlx.getHost(); + int port = urlx.getPort(); + String domainXML = config.getString("preop.domainXML"); + int admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML, + host, port, "CA", "SecurePort", "SecureAdminPort"); - } + config.putString("preop.ca.type", "sdca"); + config.putString("preop.ca.hostname", host); + config.putInteger("preop.ca.httpsport", port); + config.putInteger("preop.ca.httpsadminport", admin_port); - try { + context.put("check_sdca", "checked"); + context.put("sdcaHostname", host); + context.put("sdHttpPort", port); + + ConfigurationUtils.importCertChain(host, admin_port, "/ca/admin/ca/getCertChain", "ca"); + + if (subsystem != null) { + config.putString(PCERT_PREFIX + "signing.type", "remote"); + config.putString(PCERT_PREFIX + "signing.profile", "caInstallCACert"); + } + } + config.commit(false); + + } Enumeration<Cert> c = mCerts.elements(); 
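Review bot: In the local-CA branch of update(), `int port = urlx.getPort();` is stored into `preop.ca.httpsport` and handed to getPortFromSecurityDomain without a range check, and java.net.URL returns -1 when the selected URL carries no explicit port, so a malformed selection is persisted as port -1 rather than rejected; a guard such as `if (port < 0) throw new IOException("Invalid CA port in " + url);` right after `int port = urlx.getPort();` would keep the validation the removed sdca() at least attempted via parseInt. The same host/port/admin-port lookup and the three `preop.ca.*` puts are repeated verbatim in the `@@ -941,35 +592,13 @@` hunk's updateCloneSDCAInfo(), so the branch could call that method and only add the context entries and the chain import on top. The removed sdca() passed a ConfigCertApprovalCallback to the chain fetch, while `ConfigurationUtils.importCertChain(host, admin_port, "/ca/admin/ca/getCertChain", "ca")` shows no such argument; whether server-certificate approval for that TLS fetch is preserved inside ConfigurationUtils cannot be seen here and is worth confirming. The enclosing update() method starts in the previous hunk and its try/catch closes in the next one.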
@@ -855,85 +561,30 @@ public class NamePanel extends WizardPanelBase { // commit here in case it changes config.commit(false); - try { - configCert(request, response, context, cert); - config.putBoolean("preop.cert." + cert.getCertTag() + ".done", - true); - config.commit(false); - } catch (Exception e) { - CMS.debug( - "NamePanel: update() exception caught:" - + e.toString()); - hasErr = true; - System.err.println("Exception caught: " + e.toString()); - } - - } // while - if (hasErr == false) { - config.putBoolean("preop.NamePanel.done", true); + ConfigurationUtils.configCert(request, response, context, cert, this); + config.putBoolean("preop.cert." + cert.getCertTag() + ".done", true); config.commit(false); - } - } catch (Exception e) { - CMS.debug("NamePanel: Exception caught: " + e.toString()); - System.err.println("Exception caught: " + e.toString()); - }// try + } // while - try { + config.putBoolean("preop.NamePanel.done", true); config.commit(false); } catch (Exception e) { - } - - if (!hasErr) { - context.put("updateStatus", "success"); - } else { + CMS.debug("NamPanel - update(): Exception thrown : " + e); + e.printStackTrace(); context.put("updateStatus", "failure"); + throw new IOException(e); } - CMS.debug("NamePanel: update() done"); - } - - private void updateCloneSDCAInfo(HttpServletRequest request, Context context, String hostname, String httpsPortStr) - throws IOException { - CMS.debug("NamePanel updateCloneSDCAInfo: selected CA hostname=" + hostname + " port=" + httpsPortStr); - String https_admin_port = ""; - IConfigStore config = CMS.getConfigStore(); - - if (hostname == null || hostname.length() == 0) { - context.put("errorString", "Hostname is null"); - throw new IOException("Hostname is null"); - } - - // Retrieve the associated HTTPS Admin port so that it - // may be stored for use with ImportAdminCertPanel - https_admin_port = getSecurityDomainAdminPort(config, - hostname, - httpsPortStr, - "CA"); - - try { - 
Integer.parseInt(httpsPortStr); // check for errors - } catch (Exception e) { - CMS.debug( - "NamePanel update: Https port is not valid. Exception: " - + e.toString()); - throw new IOException("Https Port is not valid."); - } + context.put("updateStatus", "success"); - config.putString("preop.ca.hostname", hostname); - config.putString("preop.ca.httpsport", httpsPortStr); - config.putString("preop.ca.httpsadminport", https_admin_port); + CMS.debug("NamePanel: update() done"); } - private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) - throws IOException { - CMS.debug("NamePanel update: this is the CA in the security domain."); - CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpsPortStr); - String https_admin_port = ""; + private void updateCloneSDCAInfo(HttpServletRequest request, Context context, String hostname, int httpsPort) + throws IOException, EPropertyNotFound, EBaseException, SAXException, ParserConfigurationException { + CMS.debug("NamePanel updateCloneSDCAInfo: selected CA hostname=" + hostname + " port=" + httpsPort); IConfigStore config = CMS.getConfigStore(); - context.put("sdcaHostname", hostname); - context.put("sdHttpPort", httpsPortStr); - if (hostname == null || hostname.length() == 0) { context.put("errorString", "Hostname is null"); throw new IOException("Hostname is null"); 
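Review bot: The new catch block in update() logs `"NamPanel - update(): Exception thrown : " + e` (typo in the panel name, which makes the line hard to grep in the debug log) and then calls `e.printStackTrace()`, which writes to the container's stderr rather than the CMS debug log the rest of the method uses. Suggested: `CMS.debug("NamePanel - update(): Exception thrown : " + e);` and route the stack trace through the same debug facility so the failure context stays in one log. Since the catch now rethrows as `new IOException(e)`, the first failing certificate aborts the loop, which is a behaviour change from the removed hasErr accumulation; a one-line comment such as `// any configCert failure aborts the panel; partially-configured certs keep their .done flags already committed` would document that for the next maintainer.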
@@ -941,35 +592,13 @@ public class NamePanel extends WizardPanelBase { // Retrieve the associated HTTPS Admin port so that it // may be stored for use with ImportAdminCertPanel - https_admin_port = getSecurityDomainAdminPort(config, - hostname, - httpsPortStr, - "CA"); - - int httpsport = -1; - - try { - httpsport = Integer.parseInt(httpsPortStr); - } catch (Exception e) { - CMS.debug( - "NamePanel update: Https port is not valid. Exception: " - + e.toString()); - throw new IOException("Https Port is not valid."); - } + String domainXML = config.getString("preop.domainXML"); + int https_admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML, + hostname, httpsPort, "CA", "SecurePort", "SecureAdminPort"); config.putString("preop.ca.hostname", hostname); - config.putString("preop.ca.httpsport", httpsPortStr); - config.putString("preop.ca.httpsadminport", https_admin_port); - ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - updateCertChainUsingSecureEEPort(config, "ca", hostname, - httpsport, true, context, - certApprovalCallback); - try { - CMS.debug("Importing CA chain"); - importCertChain("ca"); - } catch (Exception e1) { - CMS.debug("Failed in importing CA chain"); - } + config.putInteger("preop.ca.httpsport", httpsPort); + config.putInteger("preop.ca.httpsadminport", https_admin_port); } public void initParams(HttpServletRequest request, Context context) diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 506abdd70..7ace274a7 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java 
@@ -17,54 +17,14 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.FileInputStream; import java.io.IOException; -import java.math.BigInteger; -import java.security.Principal; -import java.security.PublicKey; -import java.util.StringTokenizer; -import java.util.Vector; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.ldap.LDAPDN; -import netscape.security.x509.X509CertImpl; - import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.asn1.ANY; -import org.mozilla.jss.asn1.BMPString; -import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; -import org.mozilla.jss.asn1.OCTET_STRING; -import org.mozilla.jss.asn1.SEQUENCE; -import org.mozilla.jss.asn1.SET; -import org.mozilla.jss.crypto.Cipher; -import org.mozilla.jss.crypto.CryptoStore; -import org.mozilla.jss.crypto.CryptoToken; -import org.mozilla.jss.crypto.EncryptionAlgorithm; -import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.InternalCertificate; -import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; -import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; -import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.X509Certificate; -import org.mozilla.jss.pkcs11.PK11Store; -import org.mozilla.jss.pkcs12.AuthenticatedSafes; -import org.mozilla.jss.pkcs12.CertBag; -import org.mozilla.jss.pkcs12.PFX; -import org.mozilla.jss.pkcs12.PasswordConverter; -import org.mozilla.jss.pkcs12.SafeBag; -import org.mozilla.jss.pkix.primitive.Attribute; -import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo; -import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; -import org.mozilla.jss.util.Password; import 
com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -197,10 +157,6 @@ public class RestoreKeyCertPanel extends WizardPanelBase { // Path can be empty. If this case, we just want to // get to the next panel. Customer has HSM. String s = HttpInput.getString(request, "path"); - // if (s == null || s.equals("")) { - // CMS.debug("RestoreKeyCertPanel validate: path is empty"); - // throw new IOException("Path is empty"); - // } if (s != null && !s.equals("")) { s = HttpInput.getPassword(request, "__password"); 
@@ -219,460 +175,50 @@ public class RestoreKeyCertPanel extends WizardPanelBase { HttpServletResponse response, Context context) throws IOException { IConfigStore config = CMS.getConfigStore(); - String path = HttpInput.getString(request, "path"); - if (path == null || path.equals("")) { - // skip to next panel - config.putBoolean("preop.restorekeycert.done", true); - try { - config.commit(false); - } catch (EBaseException e) { - } - getConfigEntriesFromMaster(request, response, context); - context.put("updateStatus", "success"); - return; - } - String pwd = HttpInput.getPassword(request, "__password"); - - String tokenn = ""; - String instanceRoot = ""; - - try { - tokenn = config.getString("preop.module.token"); - instanceRoot = config.getString("instanceRoot"); - } catch (Exception e) { - } - - if (tokenn.equals("Internal Key Storage Token")) { - byte b[] = new byte[1000000]; - FileInputStream fis = new FileInputStream(instanceRoot + "/alias/" + path); - while (fis.available() > 0) - fis.read(b); - fis.close(); - - ByteArrayInputStream bis = new ByteArrayInputStream(b); - StringBuffer reason = new StringBuffer(); - Password password = new Password(pwd.toCharArray()); - PFX pfx = null; - boolean verifypfx = false; - try { - pfx = (PFX) (new PFX.Template()).decode(bis); - verifypfx = pfx.verifyAuthSafes(password, reason); - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel update: Exception=" + e.toString()); - } - - if (verifypfx) { - CMS.debug("RestoreKeyCertPanel verify the PFX."); - AuthenticatedSafes safes = pfx.getAuthSafes(); - Vector<Vector<Object>> pkeyinfo_collection = new Vector<Vector<Object>>(); - Vector<Vector<Object>> cert_collection = new Vector<Vector<Object>>(); - for (int i = 0; i < safes.getSize(); i++) { - try { - SEQUENCE scontent = safes.getSafeContentsAt(null, i); - for (int j = 0; j < scontent.size(); j++) { - SafeBag bag = (SafeBag) scontent.elementAt(j); - OBJECT_IDENTIFIER oid = bag.getBagType(); - if 
(oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { - EncryptedPrivateKeyInfo privkeyinfo = - (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent(); - PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter()); - Vector<Object> pkeyinfo_v = new Vector<Object>(); - pkeyinfo_v.addElement(pkeyinfo); - SET bagAttrs = bag.getBagAttributes(); - for (int k = 0; k < bagAttrs.size(); k++) { - Attribute attrs = (Attribute) bagAttrs.elementAt(k); - OBJECT_IDENTIFIER aoid = attrs.getType(); - if (aoid.equals(SafeBag.FRIENDLY_NAME)) { - SET val = attrs.getValues(); - ANY ss = (ANY) val.elementAt(0); - ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); - BMPString sss = (BMPString) new BMPString.Template().decode(bbis); - String s = sss.toString(); - pkeyinfo_v.addElement(s); - } - } - pkeyinfo_collection.addElement(pkeyinfo_v); - } else if (oid.equals(SafeBag.CERT_BAG)) { - CertBag cbag = (CertBag) bag.getInterpretedBagContent(); - OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert(); - byte[] x509cert = str.toByteArray(); - Vector<Object> cert_v = new Vector<Object>(); - cert_v.addElement(x509cert); - SET bagAttrs = bag.getBagAttributes(); - - if (bagAttrs != null) { - for (int k = 0; k < bagAttrs.size(); k++) { - Attribute attrs = (Attribute) bagAttrs.elementAt(k); - OBJECT_IDENTIFIER aoid = attrs.getType(); - if (aoid.equals(SafeBag.FRIENDLY_NAME)) { - SET val = attrs.getValues(); - ANY ss = (ANY) val.elementAt(0); - ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); - BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis); - String s = sss.toString(); - cert_v.addElement(s); - } - } - } - - cert_collection.addElement(cert_v); - } - } - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel update: Exception=" + e.toString()); - } - } - - importkeycert(pkeyinfo_collection, cert_collection); - } else { - context.put("updateStatus", "failure"); - throw new IOException("The pkcs12 file is not 
correct."); - } - } - - String subsystemtype = ""; - String cstype = ""; try { - subsystemtype = config.getString("preop.subsystem.select", ""); - cstype = config.getString("cs.type", ""); - } catch (Exception e) { - } - cstype = toLowerCaseSubsystemType(cstype); - - if (subsystemtype.equals("clone")) { - CMS.debug("RestoreKeyCertPanel: this is the clone subsystem"); - boolean cloneReady = isCertdbCloned(request, context); - if (!cloneReady) { - CMS.debug("RestoreKeyCertPanel update: clone does not have all the certificates."); - context.put("errorString", "Make sure you have copied the certificate database over to the clone"); - context.put("updateStatus", "failure"); - throw new IOException("Clone is not ready"); - } - } + ConfigurationUtils.getConfigEntriesFromMaster(); - config.putBoolean("preop.restorekeycert.done", true); - try { - config.commit(false); - } catch (EBaseException e) { - } - - getConfigEntriesFromMaster(request, response, context); - context.put("updateStatus", "success"); - } - - private void getConfigEntriesFromMaster(HttpServletRequest request, - HttpServletResponse response, Context context) throws IOException { - try { - IConfigStore config = CMS.getConfigStore(); - String cstype = ""; - try { - cstype = config.getString("cs.type", ""); - } catch (Exception e) { - } - cstype = toLowerCaseSubsystemType(cstype); - - String session_id = CMS.getConfigSDSessionId(); - String master_hostname = ""; - int master_port = -1; - int master_ee_port = -1; - try { - master_hostname = config.getString("preop.master.hostname", ""); - master_port = config.getInteger("preop.master.httpsadminport", -1); - master_ee_port = config.getInteger("preop.master.httpsport", -1); - - String content = ""; - if (cstype.equals("ca") || cstype.equals("kra")) { - content = "type=request&xmlOutput=true&sessionID=" + session_id; - CMS.debug("http content=" + content); - updateNumberRange(master_hostname, master_ee_port, true, content, "request", response); - - content = 
"type=serialNo&xmlOutput=true&sessionID=" + session_id; - updateNumberRange(master_hostname, master_ee_port, true, content, "serialNo", response); - - content = "type=replicaId&xmlOutput=true&sessionID=" + session_id; - updateNumberRange(master_hostname, master_ee_port, true, content, "replicaId", response); - } - - String list = ""; - try { - list = config.getString("preop.cert.list", ""); - } catch (Exception e) { - } - - StringBuffer c1 = new StringBuffer(); - StringBuffer s1 = new StringBuffer(); - StringTokenizer tok = new StringTokenizer(list, ","); - while (tok.hasMoreTokens()) { - String t1 = tok.nextToken(); - if (t1.equals("sslserver")) - continue; - c1.append(","); - c1.append("cloning."); - c1.append(t1); - c1.append(".nickname,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".dn,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".keytype,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".keyalgorithm,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".privkey.id,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".pubkey.exponent,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".pubkey.modulus,"); - c1.append("cloning."); - c1.append(t1); - c1.append(".pubkey.encoded"); - - if (s1.length() != 0) - s1.append(","); - - s1.append(cstype); - s1.append("."); - s1.append(t1); - } - - if (!cstype.equals("ca")) { - c1.append(",cloning.ca.hostname,cloning.ca.httpport,cloning.ca.httpsport,cloning.ca.list,cloning.ca.pkcs7,cloning.ca.type"); - } - - if (cstype.equals("ca")) { - /* get ca connector details */ - if (s1.length() != 0) - s1.append(","); - s1.append("ca.connector.KRA"); - } - - s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn"); - - content = - "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password," - + "internaldb.replication.password" + c1.toString() - + "&substores=" + s1.toString() - + "&xmlOutput=true&sessionID=" - + session_id; - boolean success = 
updateConfigEntries(master_hostname, master_port, true, - "/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config, response); - if (!success) { - context.put("errorString", "Failed to get configuration entries from the master"); - throw new IOException("Failed to get configuration entries from the master"); - } - config.putString("preop.clone.configuration", "true"); - try { - config.commit(false); - } catch (Exception ee) { - } - } catch (IOException eee) { - throw eee; - } catch (Exception eee) { - CMS.debug("RestoreKeyCertPanel: update exception caught:" + eee.toString()); + String path = HttpInput.getString(request, "path"); + if (path == null || path.equals("")) { + // skip to next panel + config.putBoolean("preop.restorekeycert.done", true); + config.commit(false); + context.put("updateStatus", "success"); + return; } - } catch (IOException ee) { - throw ee; - } catch (Exception ee) { - } - } + String pwd = HttpInput.getPassword(request, "__password"); - private void deleteExistingCerts() { - IConfigStore cs = CMS.getConfigStore(); - try { - String list = cs.getString("preop.cert.list", ""); - StringTokenizer st = new StringTokenizer(list, ","); - while (st.hasMoreTokens()) { - String s = st.nextToken(); - if (s.equals("sslserver")) - continue; - String name = "preop.master." 
+ s + ".nickname"; - String nickname = cs.getString(name, ""); - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate xcert = null; - try { - xcert = cm.findCertByNickname(nickname); - } catch (Exception ee) { - CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + ee.toString()); - } - CryptoToken ct = cm.getInternalKeyStorageToken(); - CryptoStore store = ct.getCryptoStore(); - try { - store.deleteCert(xcert); - } catch (Exception ee) { - CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + ee.toString()); - } + String tokenn = config.getString("preop.module.token"); + if (tokenn.equals("Internal Key Storage Token")) { + ConfigurationUtils.restoreCertsFromP12(path, pwd); } - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + e.toString()); - } - } - - private org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) { - CMS.debug("Key Algorithm '" + pubkey.getAlgorithm() + "'"); - if (pubkey.getAlgorithm().equals("EC")) { - return org.mozilla.jss.crypto.PrivateKey.Type.EC; - } - return org.mozilla.jss.crypto.PrivateKey.Type.RSA; - } - - private void importkeycert(Vector<Vector<Object>> pkeyinfo_collection, - Vector<Vector<Object>> cert_collection) throws IOException { - CryptoManager cm = null; - try { - cm = CryptoManager.getInstance(); - } catch (Exception e) { - } - - // delete all existing certificates first - deleteExistingCerts(); - for (int i = 0; i < pkeyinfo_collection.size(); i++) { - try { - Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i); - PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0); - String nickname = (String) pkeyinfo_v.elementAt(1); - byte[] x509cert = getX509Cert(nickname, cert_collection); - X509Certificate cert = cm.importCACertPackage(x509cert); - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - pkeyinfo.encode(bos); - byte[] pkey = bos.toByteArray(); - - PublicKey publickey = cert.getPublicKey(); - 
CryptoToken token = cm.getInternalKeyStorageToken(); - CryptoStore store = token.getCryptoStore(); - CMS.debug("RestoreKeyCertPanel deleteCert: this is pk11store"); - try { - store.deleteCert(cert); - } catch (Exception ee) { - CMS.debug("RestoreKeyCertPanel importKeyCert: Exception=" + ee.toString()); + String subsystemtype = config.getString("preop.subsystem.select", ""); + if (subsystemtype.equals("clone")) { + CMS.debug("RestoreKeyCertPanel: this is the clone subsystem"); + boolean cloneReady = ConfigurationUtils.isCertdbCloned(); + if (!cloneReady) { + CMS.debug("RestoreKeyCertPanel update: clone does not have all the certificates."); + throw new IOException("Clone is not ready"); } - - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - IVParameterSpec param = new IVParameterSpec(iv); - Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - c.initEncrypt(sk, param); - byte[] encpkey = c.doFinal(pkey); - - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initUnwrap(sk, param); - wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publickey), publickey); - - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel importkeycert: Exception=" + e.toString()); } - } - for (int i = 0; i < cert_collection.size(); i++) { - try { - Vector<Object> cert_v = cert_collection.elementAt(i); - byte[] cert = (byte[]) cert_v.elementAt(0); - if (cert_v.size() > 1) { - String name = (String) cert_v.elementAt(1); - // we need to delete the trusted CA certificate if it is - // the same as the ca signing certificate - if (isCASigningCert(name)) { - X509Certificate certchain = getX509CertFromToken(cert); - if (certchain != null) { - CryptoToken token = cm.getInternalKeyStorageToken(); - CryptoStore store = token.getCryptoStore(); - CMS.debug("RestoreKeyCertPanel deleteCert: this is pk11store"); - if (store instanceof PK11Store) { - 
try { - PK11Store pk11store = (PK11Store) store; - pk11store.deleteCertOnly(certchain); - } catch (Exception ee) { - CMS.debug("RestoreKeyCertPanel importKeyCert: Exception=" + ee.toString()); - } - } - } - } - - X509Certificate xcert = cm.importUserCACertPackage(cert, name); - if (name.startsWith("caSigningCert")) { - // we need to change the trust attribute to CT - InternalCertificate icert = (InternalCertificate) xcert; - icert.setSSLTrust(InternalCertificate.TRUSTED_CA - | InternalCertificate.TRUSTED_CLIENT_CA - | InternalCertificate.VALID_CA); - } else if (name.startsWith("auditSigningCert")) { - InternalCertificate icert = (InternalCertificate) xcert; - icert.setObjectSigningTrust(InternalCertificate.USER - | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER); - } - } else - cm.importCACertPackage(cert); - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel importkeycert: Exception=" + e.toString()); - } - } - } - - private boolean isCASigningCert(String name) { - String n = "preop.master.signing.nickname"; - IConfigStore cs = CMS.getConfigStore(); - try { - String nickname = cs.getString(n); - if (nickname.equals(name)) - return true; - } catch (Exception e) { - return false; - } - - return false; - } - - private X509Certificate getX509CertFromToken(byte[] cert) - throws IOException { - try { - X509CertImpl impl = new X509CertImpl(cert); - String issuer_impl = impl.getIssuerDN().toString(); - BigInteger serial_impl = impl.getSerialNumber(); - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate[] permcerts = cm.getPermCerts(); - for (int i = 0; i < permcerts.length; i++) { - String issuer_p = permcerts[i].getSubjectDN().toString(); - BigInteger serial_p = permcerts[i].getSerialNumber(); - if (issuer_p.equals(issuer_impl) && serial_p.compareTo(serial_impl) == 0) { - return permcerts[i]; - } - } + config.putBoolean("preop.restorekeycert.done", true); + config.commit(false); } catch (Exception e) { - 
CMS.debug("RestoreKeyCertPanel getX509CertFromToken: Exception=" + e.toString()); + CMS.debug("RestoreKeyCertPanel update: exception thrown:" + e); + e.printStackTrace(); + context.put("errorString", e.toString()); + context.put("updateStatus", "failure"); + throw new IOException(e); } - return null; - } - - private byte[] getX509Cert(String nickname, Vector<Vector<Object>> cert_collection) - throws IOException { - for (int i = 0; i < cert_collection.size(); i++) { - Vector<Object> v = cert_collection.elementAt(i); - byte[] b = (byte[]) v.elementAt(0); - X509CertImpl impl = null; - try { - impl = new X509CertImpl(b); - } catch (Exception e) { - CMS.debug("RestoreKeyCertPanel getX509Cert: Exception=" + e.toString()); - throw new IOException(e.toString()); - } - Principal subjectdn = impl.getSubjectDN(); - if (LDAPDN.equals(subjectdn.toString(), nickname)) - return b; - } - - return null; + context.put("updateStatus", "success"); } /** - * If validiate() returns false, this method will be called. + * If validate() returns false, this method will be called. */ public void displayError(HttpServletRequest request, HttpServletResponse response, 
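Review bot: The clone-readiness failure in update() now reaches the administrator only as `e.toString()` of `new IOException("Clone is not ready")`, because the catch overwrites errorString with the exception text; the removed code set the actionable message "Make sure you have copied the certificate database over to the clone", which this commit drops. Keeping it in the thrown message, e.g. `throw new IOException("Clone is not ready: make sure you have copied the certificate database over to the clone");`, preserves the guidance without changing the new error path. Separately, `ConfigurationUtils.getConfigEntriesFromMaster()` now runs before the PKCS#12 restore and the clone check, the reverse of the removed ordering; if that is intentional, a short comment above the call stating why the master entries must be fetched first would help. `path` still comes straight from the request and is passed to `ConfigurationUtils.restoreCertsFromP12(path, pwd)`; the removed code concatenated it under `instanceRoot + "/alias/"` with no normalisation, and whether the new helper confines it to that directory is not visible here and should be checked.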
@@ -682,37 +228,4 @@ public class RestoreKeyCertPanel extends WizardPanelBase { context.put("path", ""); context.put("panel", "admin/console/config/restorekeycertpanel.vm"); } - - private boolean isCertdbCloned(HttpServletRequest request, - Context context) { - IConfigStore config = CMS.getConfigStore(); - String certList = ""; - try { - CryptoManager cm = CryptoManager.getInstance(); - certList = config.getString("preop.cert.list"); - StringTokenizer st = new StringTokenizer(certList, ","); - while (st.hasMoreTokens()) { - String token = st.nextToken(); - if (token.equals("sslserver")) - continue; - String tokenname = config.getString("preop.module.token", ""); - cm.getTokenByName(tokenname); // throw exception if token doesn't exist - String name1 = "preop.master." + token + ".nickname"; - String nickname = config.getString(name1, ""); - if (!tokenname.equals("Internal Key Storage Token") && - !tokenname.equals("internal")) - nickname = tokenname + ":" + nickname; - - CMS.debug("RestoreKeyCertPanel isCertdbCloned: " + nickname); - X509Certificate cert = cm.findCertByNickname(nickname); - if (cert == null) - return false; - } - } catch (Exception e) { - context.put("errorString", "Check your CS.cfg for cloning"); - return false; - } - - return true; - } } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java index 0c066268d..cdcefbfe7 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java @@ -107,7 +107,7 @@ public class SavePKCS12Panel extends WizardPanelBase { } catch (Exception e) { } - subsystemtype = toLowerCaseSubsystemType(subsystemtype); + subsystemtype = subsystemtype.toLowerCase(); context.put("panel", "admin/console/config/savepkcs12panel.vm"); context.put("subsystemtype", subsystemtype); 
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java index a36db6439..1ae4c3397 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java @@ -324,7 +324,6 @@ public class SecurityDomainPanel extends WizardPanelBase { public void update(HttpServletRequest request, HttpServletResponse response, Context context) throws IOException { - String errorString = ""; String select = HttpInput.getID(request, "choice"); if (select == null) { 
@@ -334,94 +333,65 @@ public class SecurityDomainPanel extends WizardPanelBase { } IConfigStore config = CMS.getConfigStore(); - if (select.equals("newdomain")) { - config.putString("preop.securitydomain.select", "new"); - config.putString("securitydomain.select", "new"); - config.putString("preop.securitydomain.name", - HttpInput.getDomainName(request, "sdomainName")); - config.putString("securitydomain.name", - HttpInput.getDomainName(request, "sdomainName")); - config.putString("securitydomain.host", - CMS.getEENonSSLHost()); - config.putString("securitydomain.httpport", - CMS.getEENonSSLPort()); - config.putString("securitydomain.httpsagentport", - CMS.getAgentPort()); - config.putString("securitydomain.httpseeport", - CMS.getEESSLPort()); - config.putString("securitydomain.httpsadminport", - CMS.getAdminPort()); - - // make sure the subsystem certificate is issued by the security - // domain - config.putString("preop.cert.subsystem.type", "local"); - config.putString("preop.cert.subsystem.profile", "subsystemCert.profile"); + try { + if (select.equals("newdomain")) { + config.putString("preop.securitydomain.select", "new"); + config.putString("securitydomain.select", "new"); + config.putString("preop.securitydomain.name", HttpInput.getDomainName(request, "sdomainName")); + config.putString("securitydomain.name", HttpInput.getDomainName(request, "sdomainName")); + config.putString("securitydomain.host", CMS.getEENonSSLHost()); + config.putString("securitydomain.httpport", CMS.getEENonSSLPort()); + config.putString("securitydomain.httpsagentport", CMS.getAgentPort()); + config.putString("securitydomain.httpseeport", CMS.getEESSLPort()); + config.putString("securitydomain.httpsadminport", CMS.getAdminPort()); + + // make sure the subsystem certificate is issued locallly + config.putString("preop.cert.subsystem.type", "local"); + config.putString("preop.cert.subsystem.profile", "subsystemCert.profile"); - try { config.commit(false); - } catch (EBaseException e) { 
- } - - } else if (select.equals("existingdomain")) { - config.putString("preop.securitydomain.select", "existing"); - config.putString("securitydomain.select", "existing"); + } else if (select.equals("existingdomain")) { + config.putString("preop.securitydomain.select", "existing"); + config.putString("securitydomain.select", "existing"); - // make sure the subsystem certificate is issued by the security - // domain - config.putString("preop.cert.subsystem.type", "remote"); - config.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert"); + // make sure the subsystem certificate is issued by the security domain + config.putString("preop.cert.subsystem.type", "remote"); + config.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert"); - String admin_url = HttpInput.getURL(request, "sdomainURL"); - String hostname = ""; - int admin_port = -1; + String admin_url = HttpInput.getURL(request, "sdomainURL"); + String hostname = ""; + int admin_port = -1; - if (admin_url != null) { - try { + if (admin_url != null) { URL admin_u = new URL(admin_url); - hostname = admin_u.getHost(); admin_port = admin_u.getPort(); - } catch (MalformedURLException e) { - errorString = "Malformed SSL Admin HTTPS URL"; - context.put("updateStatus", "failure"); - throw new IOException(errorString); + context.put("sdomainURL", admin_url); + config.putString("securitydomain.host", hostname); + config.putInteger("securitydomain.httpsadminport", admin_port); } - - context.put("sdomainURL", admin_url); - config.putString("securitydomain.host", hostname); - config.putInteger("securitydomain.httpsadminport", - admin_port); - } - - try { config.commit(false); - } catch (EBaseException e) { - } - ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); - updateCertChain(config, "securitydomain", hostname, admin_port, - true, context, certApprovalCallback); - } else { - CMS.debug("SecurityDomainPanel: invalid choice " + select); - errorString = 
"Invalid choice"; - context.put("updateStatus", "failure"); - throw new IOException("invalid choice " + select); - } + ConfigurationUtils.importCertChain(hostname, admin_port, "/ca/admin/ca/getCertChain", "securitydomain"); + } else { + CMS.debug("SecurityDomainPanel: invalid choice " + select); + throw new IOException("invalid choice " + select); + } - try { config.commit(false); - } catch (EBaseException e) { - } - try { context.put("cstype", config.getString("cs.type")); context.put("wizardname", config.getString("preop.wizard.name")); context.put("panelname", "Security Domain Configuration"); context.put("systemname", config.getString("preop.system.name")); - } catch (EBaseException e) { + } catch (Exception e) { + CMS.debug("SecurityDomainPanel update(): Exception thrown:" + e); + e.printStackTrace(); + context.put("errorString", e.toString()); + context.put("updateStatus", "failure"); + throw new IOException(e); } - context.put("errorString", errorString); context.put("updateStatus", "success"); } @@ -447,8 +417,7 @@ public class SecurityDomainPanel extends WizardPanelBase { String r = null; try { - // check to see if "default" security domain exists - // on local machine + // check to see if "default" security domain exists on local machine URL u = new URL(default_admin_url); String hostname = u.getHost(); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java index e1217a460..45a4fe106 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java @@ -18,9 +18,6 @@ package com.netscape.cms.servlet.csadmin; import java.io.IOException; -import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; -import java.security.interfaces.RSAPublicKey; import java.util.Enumeration; import java.util.StringTokenizer; import java.util.Vector; 
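Review bot: In the `existingdomain` branch, `ConfigurationUtils.importCertChain(hostname, admin_port, "/ca/admin/ca/getCertChain", "securitydomain")` is still reached when `sdomainURL` is absent, because the `if (admin_url != null)` guard covers only parsing and storing the URL; the import then runs with `hostname = ""` and `admin_port = -1` and surfaces as a generic exception from the new catch block rather than as an input error. Rejecting the missing value up front, `if (admin_url == null) { throw new IOException("Security domain admin URL (sdomainURL) is required"); }` (or moving the import inside the guard), keeps that failure explicit. The removed code passed a `ConfigCertApprovalCallback` to `updateCertChain`; whether `importCertChain` applies the same approval step to the chain fetched from an operator-supplied host is not visible in this hunk and is worth confirming, since this fetch is what establishes trust in the security domain CA. Minor: the new comment reads `issued locallly`, and `e.printStackTrace()` duplicates the `CMS.debug` line above it. The signature of `update` is outside this hunk.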
@@ -31,9 +28,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.NoSuchTokenException; -import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -43,7 +37,6 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.property.PropertySet; import com.netscape.certsrv.util.HttpInput; import com.netscape.cms.servlet.wizard.WizardServlet; -import com.netscape.cmsutil.crypto.CryptoUtil; public class SizePanel extends WizardPanelBase { private Vector<Cert> mCerts = null; @@ -160,12 +153,10 @@ public class SizePanel extends WizardPanelBase { while (st.hasMoreTokens()) { String certTag = st.nextToken(); - String nn = config.getString( - PCERT_PREFIX + certTag + ".nickname"); + String nn = config.getString(PCERT_PREFIX + certTag + ".nickname"); Cert c = new Cert(token, nn, certTag); - String s = config.getString( - PCERT_PREFIX + certTag + ".keysize.select", "default"); + String s = config.getString(PCERT_PREFIX + certTag + ".keysize.select", "default"); if (s.equals("default")) { c.setKeyOption("default"); @@ -174,13 +165,11 @@ public class SizePanel extends WizardPanelBase { c.setKeyOption("custom"); } - s = config.getString( - PCERT_PREFIX + certTag + ".keysize.custom_size", + s = config.getString(PCERT_PREFIX + certTag + ".keysize.custom_size", default_rsa_key_size); c.setCustomKeysize(s); - s = config.getString( - PCERT_PREFIX + certTag + ".curvename.custom_name", + s = config.getString(PCERT_PREFIX + certTag + ".curvename.custom_name", default_ecc_curve_name); c.setCustomCurvename(s); 
@@ -287,47 +276,36 @@ public class SizePanel extends WizardPanelBase { throw new IOException( "SizePanel: " + ct + "_choice not found"); } - CMS.debug( - "SizePanel: update() keysize choice selected:" + select); - String oldkeysize = - config.getString(PCERT_PREFIX + ct + ".keysize.size", ""); - String oldkeytype = - config.getString(PCERT_PREFIX + ct + ".keytype", ""); - String oldkeyalgorithm = - config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); - String oldsigningalgorithm = - config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); - String oldcurvename = - config.getString(PCERT_PREFIX + ct + ".curvename.name", ""); + CMS.debug("SizePanel: update() keysize choice selected:" + select); + String oldkeysize = config.getString(PCERT_PREFIX + ct + ".keysize.size", ""); + String oldkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String oldkeyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); + String oldsigningalgorithm = config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); + String oldcurvename = config.getString(PCERT_PREFIX + ct + ".curvename.name", ""); if (select.equals("default")) { // XXXrenaming these...keep for now just in case config.putString("preop.keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { - config.putString("preop.curvename.custom_name", - default_ecc_curve_name); + config.putString("preop.curvename.custom_name", default_ecc_curve_name); config.putString("preop.curvename.name", default_ecc_curve_name); } else { - config.putString("preop.keysize.custom_size", - default_rsa_key_size); + config.putString("preop.keysize.custom_size", default_rsa_key_size); config.putString("preop.keysize.size", default_rsa_key_size); } config.putString(PCERT_PREFIX + ct + ".keytype", keytype); config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".signingalgorithm", signingalgorithm); - config.putString(PCERT_PREFIX + ct + 
".keysize.select", - "default"); + config.putString(PCERT_PREFIX + ct + ".keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { - config.putString(PCERT_PREFIX + ct + - ".curvename.custom_name", + config.putString(PCERT_PREFIX + ct +".curvename.custom_name", default_ecc_curve_name); config.putString(PCERT_PREFIX + ct + ".curvename.name", default_ecc_curve_name); } else { - config.putString(PCERT_PREFIX + ct + - ".keysize.custom_size", + config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", default_rsa_key_size); config.putString(PCERT_PREFIX + ct + ".keysize.size", default_rsa_key_size); @@ -350,8 +328,7 @@ public class SizePanel extends WizardPanelBase { config.putString(PCERT_PREFIX + ct + ".keytype", keytype); config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".signingalgorithm", signingalgorithm); - config.putString(PCERT_PREFIX + ct + ".keysize.select", - "custom"); + config.putString(PCERT_PREFIX + ct + ".keysize.select", "custom"); if (keytype != null && keytype.equals("ecc")) { config.putString(PCERT_PREFIX + ct + ".curvename.custom_name", 
@@ -369,16 +346,11 @@ public class SizePanel extends WizardPanelBase { throw new IOException("invalid choice " + select); } - String newkeysize = - config.getString(PCERT_PREFIX + ct + ".keysize.size", ""); - String newkeytype = - config.getString(PCERT_PREFIX + ct + ".keytype", ""); - String newkeyalgorithm = - config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); - String newsigningalgorithm = - config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); - String newcurvename = - config.getString(PCERT_PREFIX + ct + ".curvename.name", ""); + String newkeysize = config.getString(PCERT_PREFIX + ct + ".keysize.size", ""); + String newkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String newkeyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); + String newsigningalgorithm = config.getString(PCERT_PREFIX + ct + ".signingalgorithm", ""); + String newcurvename = config.getString(PCERT_PREFIX + ct + ".curvename.name", ""); if (!oldkeysize.equals(newkeysize) || !oldkeytype.equals(newkeytype) || @@ -435,14 +407,11 @@ public class SizePanel extends WizardPanelBase { String keytype = config.getString(PCERT_PREFIX + ct + ".keytype"); if (keytype.equals("rsa")) { - int keysize = config.getInteger( - PCERT_PREFIX + ct + ".keysize.size"); - - createRSAKeyPair(token, keysize, config, ct); + int keysize = config.getInteger(PCERT_PREFIX + ct + ".keysize.size"); + ConfigurationUtils.createRSAKeyPair(token, keysize, config, ct); } else { - String curveName = config.getString( - PCERT_PREFIX + ct + ".curvename.name", default_ecc_curve_name); - createECCKeyPair(token, curveName, config, ct); + String curveName = config.getString(PCERT_PREFIX + ct + ".curvename.name", default_ecc_curve_name); + ConfigurationUtils.createECCKeyPair(token, curveName, config, ct); } config.commit(false); } catch (Exception e) { 
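Review bot: The new `ConfigurationUtils.createRSAKeyPair(token, keysize, config, ct)` and `ConfigurationUtils.createECCKeyPair(token, curveName, config, ct)` calls replace local methods that did more than generate a key: the SizePanel versions deleted later in this diff re-looked-up the generated private key by id and regenerated on a miss, chose the ECDH versus ECDHE usage mask for `sslserver` from the `ec.type` setting, and wrote the `defaultSigningAlgorithm`/`signingAlgorithm` config entries via `setSigningAlgorithm`. None of that is visible at this call site, so it should be confirmed that the `ConfigurationUtils` versions carry all three behaviours over, the signing-algorithm writes in particular, since they land in CS.cfg and are presumably read elsewhere. Dropping the public `setSigningAlgorithm` from SizePanel is also an API change if anything outside this file called it. The `catch (Exception e)` that closes this hunk continues outside it.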
@@ -459,158 +428,11 @@ public class SizePanel extends WizardPanelBase { try { config.commit(false); } catch (EBaseException e) { - CMS.debug( - "SizePanel: update() Exception caught at config commit: " - + e.toString()); + CMS.debug("SizePanel: update() Exception caught at config commit: "+ e.toString()); } } CMS.debug("SizePanel: update() done"); context.put("updateStatus", "success"); - - } - - public void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) - throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, - CryptoManager.NotInitializedException { - CMS.debug("Generating ECC key pair with curvename=" + curveName + - ", token=" + token); - KeyPair pair = null; - /* - * default ssl server cert to ECDHE unless stated otherwise - * note: IE only supports "ECDHE", but "ECDH" is more efficient - * - * for "ECDHE", server.xml should have the following for ciphers: - * +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - * -TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - * - * for "ECDH", server.xml should have the following for ciphers: - * -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - * +TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - */ - String sslType = "ECDHE"; - try { - sslType = config.getString(PCERT_PREFIX + ct + "ec.type", "ECDHE"); - } catch (Exception e) { - CMS.debug("SizePanel: createECCKeyPair() Exception caught at config.getString for ec type"); - } - - // ECDHE needs "SIGN" but no "DERIVE" - org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = { - org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE - }; - - // ECDH needs "DERIVE" but no any kind of "SIGN" - org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage ECDH_usages_mask[] = { - org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, - org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER, - }; - - do { - if (ct.equals("sslserver") && sslType.equalsIgnoreCase("ECDH")) { - CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. 
Make sure server.xml is set properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); - pair = CryptoUtil.generateECCKeyPair(token, curveName, - null, - ECDH_usages_mask, false, -1, -1); - } else { - if (ct.equals("sslserver")) { - CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); - } - pair = CryptoUtil.generateECCKeyPair(token, curveName, - null, - usages_mask, false, -1, -1); - } - - // XXX - store curve , w - byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); - String kid = CryptoUtil.byte2string(id); - config.putString(PCERT_PREFIX + ct + ".privkey.id", kid); - - // try to locate the private key - org.mozilla.jss.crypto.PrivateKey privk = - CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); - if (privk == null) { - CMS.debug("Found bad ECC key id " + kid); - pair = null; - } - } while (pair == null); - - CMS.debug("Public key class " + pair.getPublic().getClass().getName()); - byte encoded[] = pair.getPublic().getEncoded(); - config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", - CryptoUtil.byte2string(encoded)); - - String keyAlgo = ""; - try { - keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); - } catch (Exception e1) { - } - - setSigningAlgorithm(ct, keyAlgo, config); - } - - public void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct) - throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, - CryptoManager.NotInitializedException { - /* generate key pair */ - KeyPair pair = null; - do { - pair = CryptoUtil.generateRSAKeyPair(token, keysize); - byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); - String kid = CryptoUtil.byte2string(id); - config.putString(PCERT_PREFIX + ct + ".privkey.id", kid); - // try to locate the private key - 
org.mozilla.jss.crypto.PrivateKey privk = - CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); - if (privk == null) { - CMS.debug("Found bad RSA key id " + kid); - pair = null; - } - } while (pair == null); - - byte modulus[] = ((RSAPublicKey) pair.getPublic()).getModulus().toByteArray(); - byte exponent[] = ((RSAPublicKey) pair.getPublic()).getPublicExponent().toByteArray(); - - config.putString(PCERT_PREFIX + ct + ".pubkey.modulus", - CryptoUtil.byte2string(modulus)); - config.putString(PCERT_PREFIX + ct + ".pubkey.exponent", - CryptoUtil.byte2string(exponent)); - - String keyAlgo = ""; - try { - keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); - } catch (Exception e1) { - } - - setSigningAlgorithm(ct, keyAlgo, config); - } - - public void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) { - String systemType = ""; - try { - systemType = config.getString("preop.system.name"); - } catch (Exception e1) { - } - if (systemType.equalsIgnoreCase("CA")) { - if (ct.equals("signing")) { - config.putString("ca.signing.defaultSigningAlgorithm", - keyAlgo); - config.putString("ca.crl.MasterCRL.signingAlgorithm", - keyAlgo); - } else if (ct.equals("ocsp_signing")) { - config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - keyAlgo); - } - } else if (systemType.equalsIgnoreCase("OCSP")) { - if (ct.equals("signing")) { - config.putString("ocsp.signing.defaultSigningAlgorithm", - keyAlgo); - } - } else if (systemType.equalsIgnoreCase("KRA") || - systemType.equalsIgnoreCase("DRM")) { - if (ct.equals("transport")) { - config.putString("kra.transportUnit.signingAlgorithm", keyAlgo); - } - } } public void initParams(HttpServletRequest request, Context context) diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java index b2bb39fa9..8481de33a 100644 
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
@@ -677,7 +677,7 @@ public class SystemConfigurationResourceService extends CMSResourceService imple
 }
 } catch (Exception e) {
 e.printStackTrace();
- throw new CMSException("Errors in updating nxt serial number ranges in DB: " + e);
+ throw new CMSException("Errors in updating next serial number ranges in DB: " + e);
 }
 }
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index 276b76d4e..273e33173 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
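Review bot: The corrected message on the `+` line still folds `e` into the text with `+ e` and does not chain it as the cause, so callers of this method see only `e.toString()` and the stack trace exists only on stderr via the `e.printStackTrace()` above it. If `CMSException` has a `(String, Throwable)` constructor, `throw new CMSException("Errors in updating next serial number ranges in DB: " + e, e);` preserves the cause for whoever handles it. The enclosing method starts and ends outside this hunk.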
@@ -19,33 +19,23 @@ package com.netscape.cms.servlet.csadmin; import java.io.ByteArrayInputStream; import java.io.IOException; -import java.net.ConnectException; import java.net.URLEncoder; +import java.security.cert.CertificateEncodingException; import java.util.Locale; -import java.util.StringTokenizer; -import java.util.Vector; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPDN; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPSearchConstraints; -import netscape.ldap.LDAPSearchResults; +import javax.xml.parsers.ParserConfigurationException; import org.apache.velocity.context.Context; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.crypto.CryptoStore; -import org.mozilla.jss.crypto.CryptoToken; -import org.mozilla.jss.pkcs11.PK11Store; import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; +import org.xml.sax.SAXException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -55,10 +45,6 @@ import com.netscape.cms.servlet.base.UserInfo; import com.netscape.cms.servlet.wizard.IWizardPanel; import com.netscape.cms.servlet.wizard.WizardServlet; import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.cmsutil.http.HttpClient; -import com.netscape.cmsutil.http.HttpRequest; -import com.netscape.cmsutil.http.HttpResponse; -import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.xml.XMLObject; public class WizardPanelBase implements IWizardPanel { 
@@ -228,290 +214,40 @@ public class WizardPanelBase implements IWizardPanel { return locale; } - public String getNickname(IConfigStore config, String certTag) { - String instanceID = ""; - - try { - instanceID = config.getString("instanceId", ""); - } catch (Exception e) { - } - - String nickname = certTag + "Cert cert-" + instanceID; - String preferredNickname = null; - - try { - preferredNickname = config.getString( - PCERT_PREFIX + certTag + ".nickname", null); - } catch (Exception e) { - } - - if (preferredNickname != null) { - nickname = preferredNickname; - } - return nickname; - } - - public void updateDomainXML(String hostname, int port, boolean https, - String servlet, String uri) throws IOException { - CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port); - IConfigStore cs = CMS.getConfigStore(); - String nickname = ""; - String tokenname = ""; - try { - nickname = cs.getString("preop.cert.subsystem.nickname", ""); - tokenname = cs.getString("preop.module.token", ""); - } catch (Exception e) { - } - - if (!tokenname.equals("") && - !tokenname.equals("Internal Key Storage Token") && - !tokenname.equals("internal")) { - nickname = tokenname + ":" + nickname; - } - - CMS.debug("WizardPanelBase updateDomainXML nickname=" + nickname); - CMS.debug("WizardPanelBase: start sending updateDomainXML request"); - String c = getHttpResponse(hostname, port, https, servlet, uri, nickname); - CMS.debug("WizardPanelBase: done sending updateDomainXML request"); - - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject obj = null; - try { - obj = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::updateDomainXML() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = obj.getValue("Status"); - CMS.debug("WizardPanelBase updateDomainXML: status=" + status); - - if (status.equals(SUCCESS)) { - return; - } else { - 
String error = obj.getValue("Error"); - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: updateDomainXML: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: updateDomainXML: " + e.toString()); - throw new IOException(e.toString()); - } - } - } - public int getSubsystemCount(String hostname, int https_admin_port, - boolean https, String type) - throws IOException { + boolean https, String type) throws IOException, SAXException, ParserConfigurationException { CMS.debug("WizardPanelBase getSubsystemCount start"); - String c = getDomainXML(hostname, https_admin_port, true); + String c = ConfigurationUtils.getDomainXML(hostname, https_admin_port, true); if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject obj = new XMLObject(bis); - String containerName = type + "List"; - Node n = obj.getContainer(containerName); - NodeList nlist = n.getChildNodes(); - String countS = ""; - for (int i = 0; i < nlist.getLength(); i++) { - Element nn = (Element) nlist.item(i); - String tagname = nn.getTagName(); - if (tagname.equals("SubsystemCount")) { - NodeList nlist1 = nn.getChildNodes(); - Node nn1 = nlist1.item(0); - countS = nn1.getNodeValue(); - break; - } - } - CMS.debug("WizardPanelBase getSubsystemCount: SubsystemCount=" + countS); - int num = 0; - - if (countS != null && !countS.equals("")) { - try { - num = Integer.parseInt(countS); - } catch (Exception ee) { - } + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + XMLObject obj = new XMLObject(bis); + String containerName = type + "List"; + Node n = obj.getContainer(containerName); + NodeList nlist = n.getChildNodes(); + String countS = ""; + for (int i = 0; i < nlist.getLength(); i++) { + Element nn = (Element) nlist.item(i); + String tagname = nn.getTagName(); + if (tagname.equals("SubsystemCount")) { + NodeList nlist1 = nn.getChildNodes(); + Node nn1 = nlist1.item(0); + 
countS = nn1.getNodeValue(); + break; } - - return num; - } catch (Exception e) { - CMS.debug("WizardPanelBase: getSubsystemCount: " + e.toString()); - throw new IOException(e.toString()); } - } - - return -1; - } - - public String getDomainXML(String hostname, int https_admin_port, - boolean https) - throws IOException { - CMS.debug("WizardPanelBase getDomainXML start"); - String c = getHttpResponse(hostname, https_admin_port, https, - "/ca/admin/ca/getDomainXML", null, null); - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; + CMS.debug("WizardPanelBase getSubsystemCount: SubsystemCount=" + countS); + int num = 0; + if (countS != null && !countS.equals("")) { try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::getDomainXML() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase getDomainXML: status=" + status); - - if (status.equals(SUCCESS)) { - String domainInfo = parser.getValue("DomainInfo"); - - CMS.debug( - "WizardPanelBase getDomainXML: domainInfo=" - + domainInfo); - return domainInfo; - } else { - String error = parser.getValue("Error"); - - throw new IOException(error); + num = Integer.parseInt(countS); + } catch (Exception ee) { } - } catch (IOException e) { - CMS.debug("WizardPanelBase: getDomainXML: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: getDomainXML: " + e.toString()); - throw new IOException(e.toString()); } - } - - return null; - } - public String getSubsystemCert(String host, int port, boolean https) - throws IOException { - CMS.debug("WizardPanelBase getSubsystemCert start"); - String c = getHttpResponse(host, port, https, - "/ca/admin/ca/getSubsystemCert", null, null); - if (c != null) { - try { - ByteArrayInputStream bis = - new ByteArrayInputStream(c.getBytes()); - XMLObject parser 
= null; - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::getSubsystemCert() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - String status = parser.getValue("Status"); - if (status.equals(SUCCESS)) { - String s = parser.getValue("Cert"); - return s; - } else - return null; - } catch (Exception e) { - } + return num; } - - return null; - } - - public void updateConnectorInfo(String host, int port, boolean https, - String content) throws IOException { - CMS.debug("WizardPanelBase updateConnectorInfo start"); - String c = getHttpResponse(host, port, https, - "/ca/admin/ca/updateConnector", content, null); - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::updateConnectorInfo() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase updateConnectorInfo: status=" + status); - - if (!status.equals(SUCCESS)) { - String error = parser.getValue("Error"); - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: updateConnectorInfo: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: updateConnectorInfo: " + e.toString()); - throw new IOException(e.toString()); - } - } - } - - public String getCertChainUsingSecureAdminPort(String hostname, - int https_admin_port, - boolean https, - ConfigCertApprovalCallback - certApprovalCallback) - throws IOException { - CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort start"); - String c = getHttpResponse(hostname, https_admin_port, https, - "/ca/admin/ca/getCertChain", null, null, - certApprovalCallback); - - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject 
parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::getCertChainUsingSecureAdminPort() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort: status=" + status); - - if (status.equals(SUCCESS)) { - String certchain = parser.getValue("ChainBase64"); - - certchain = CryptoUtil.normalizeCertStr(certchain); - CMS.debug( - "WizardPanelBase getCertChainUsingSecureAdminPort: certchain=" - + certchain); - return certchain; - } else { - String error = parser.getValue("Error"); - - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString()); - throw new IOException(e.toString()); - } - } - - return null; + return -1; } public String getCertChainUsingSecureEEPort(String hostname, @@ -521,7 +257,7 @@ public class WizardPanelBase implements IWizardPanel { certApprovalCallback) throws IOException { CMS.debug("WizardPanelBase getCertChainUsingSecureEEPort start"); - String c = getHttpResponse(hostname, https_ee_port, https, + String c = ConfigurationUtils.getHttpResponse(hostname, https_ee_port, https, "/ca/ee/ca/getCertChain", null, null, certApprovalCallback); @@ -571,7 +307,7 @@ public class WizardPanelBase implements IWizardPanel { String servlet, String uri, IConfigStore config, HttpServletResponse response) throws IOException { CMS.debug("WizardPanelBase updateConfigEntries start"); - String c = getHttpResponse(hostname, port, https, servlet, uri, null); + String c = ConfigurationUtils.getHttpResponse(hostname, port, https, servlet, uri, null); if (c != null) { try { 
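Review bot: The rewritten `getSubsystemCount` drops the `catch (Exception e)` that used to turn DOM failures into an `IOException`, but the loop still casts every child of the `type + "List"` container with `(Element) nlist.item(i)`, and `getChildNodes()` also yields text nodes when the domain XML has whitespace between elements, so a `ClassCastException` can now escape unchecked; likewise `n.getChildNodes()` throws `NullPointerException` if `getContainer` returns null for an absent container, and neither is covered by the new `throws IOException, SAXException, ParserConfigurationException` clause. Skipping non-element children and failing with an `IOException` when the container is missing keeps the method's error contract for callers that catch `IOException`. The `catch (Exception ee) { }` around `Integer.parseInt(countS)` is still empty; narrowing it to `NumberFormatException` and logging with `CMS.debug` would at least record a malformed count instead of silently reporting zero. Separately, the `https` parameter is still ignored in favour of the literal `true` passed to `ConfigurationUtils.getDomainXML`.
```java
Node n = obj.getContainer(containerName);
if (n == null) {
    throw new IOException("getSubsystemCount: no " + containerName + " element in domain XML");
}
NodeList nlist = n.getChildNodes();
String countS = "";
for (int i = 0; i < nlist.getLength(); i++) {
    Node child = nlist.item(i);
    if (child.getNodeType() != Node.ELEMENT_NODE) {
        continue; // whitespace/text nodes between elements are not SubsystemCount
    }
    Element nn = (Element) child;
    // … unchanged: SubsystemCount lookup, parseInt and return …
```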
@@ -714,7 +450,7 @@ public class WizardPanelBase implements IWizardPanel {
 public boolean authenticate(String hostname, int port, boolean https, String servlet, String uri) throws IOException {
 CMS.debug("WizardPanelBase authenticate start");
- String c = getHttpResponse(hostname, port, https, servlet, uri, null);
+ String c = ConfigurationUtils.getHttpResponse(hostname, port, https, servlet, uri, null);
 IConfigStore cs = CMS.getConfigStore();
 if (c != null) {
@@ -750,518 +486,12 @@ public class WizardPanelBase implements IWizardPanel { return false; } - public void updateOCSPConfig(String hostname, int port, boolean https, - String content, HttpServletResponse response) - throws IOException { - CMS.debug("WizardPanelBase updateOCSPConfig start"); - String c = getHttpResponse(hostname, port, https, - "/ca/ee/ca/updateOCSPConfig", content, null); - if (c == null || c.equals("")) { - CMS.debug("WizardPanelBase updateOCSPConfig: content is null."); - throw new IOException("The server you want to contact is not available"); - } else { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::updateOCSPConfig() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase updateOCSPConfig: status=" + status); - - if (status.equals(SUCCESS)) { - CMS.debug("WizardPanelBase updateOCSPConfig: Successfully update the OCSP configuration in the CA."); - } else if (status.equals(AUTH_FAILURE)) { - reloginSecurityDomain(response); - return; - } else { - String error = parser.getValue("Error"); - - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase updateOCSPConfig: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase updateOCSPConfig: " + e.toString()); - throw new IOException(e.toString()); - } - } - } - - public void updateNumberRange(String hostname, int port, boolean https, - String content, String type, HttpServletResponse response) - throws IOException { - CMS.debug("WizardPanelBase updateNumberRange start host=" + hostname + - " port=" + port); - IConfigStore cs = CMS.getConfigStore(); - String cstype = ""; - try { - cstype = cs.getString("cs.type", ""); - } catch (Exception e) { - } - - cstype = 
toLowerCaseSubsystemType(cstype); - String c = getHttpResponse(hostname, port, https, - "/" + cstype + "/ee/" + cstype + "/updateNumberRange", content, null); - if (c == null || c.equals("")) { - CMS.debug("WizardPanelBase updateNumberRange: content is null."); - throw new IOException("The server you want to contact is not available"); - } else { - CMS.debug("content=" + c); - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::updateNumberRange() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase updateNumberRange: status=" + status); - if (status.equals(SUCCESS)) { - String beginNum = parser.getValue("beginNumber"); - String endNum = parser.getValue("endNumber"); - if (type.equals("request")) { - cs.putString("dbs.beginRequestNumber", beginNum); - cs.putString("dbs.endRequestNumber", endNum); - } else if (type.equals("serialNo")) { - cs.putString("dbs.beginSerialNumber", beginNum); - cs.putString("dbs.endSerialNumber", endNum); - } else if (type.equals("replicaId")) { - cs.putString("dbs.beginReplicaNumber", beginNum); - cs.putString("dbs.endReplicaNumber", endNum); - } - // enable serial number management in clone - cs.putString("dbs.enableSerialManagement", "true"); - cs.commit(false); - } else if (status.equals(AUTH_FAILURE)) { - reloginSecurityDomain(response); - return; - } else { - String error = parser.getValue("Error"); - - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString()); - CMS.debug(e); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString()); - CMS.debug(e); - throw new IOException(e.toString()); - } - } - } - - public int getPort(String hostname, int port, boolean https, - 
String portServlet, boolean sport) - throws IOException { - CMS.debug("WizardPanelBase getPort start"); - String c = getHttpResponse(hostname, port, https, portServlet, - "secure=" + sport, null); - - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::getPort() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase getPort: status=" + status); - - if (status.equals(SUCCESS)) { - String portStr = parser.getValue("Port"); - - port = Integer.parseInt(portStr); - return port; - } else { - String error = parser.getValue("Error"); - - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: getPort: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: getPort: " + e.toString()); - throw new IOException(e.toString()); - } - } - - return -1; - } - - public String getHttpResponse(String hostname, int port, boolean secure, - String uri, String content, String clientnickname) throws IOException { - return getHttpResponse(hostname, port, secure, uri, content, clientnickname, null); - } - - public String getHttpResponse(String hostname, int port, boolean secure, - String uri, String content, String clientnickname, - SSLCertificateApprovalCallback certApprovalCallback) - throws IOException { - HttpClient httpclient = null; - String c = null; - - try { - if (secure) { - JssSSLSocketFactory factory = null; - if (clientnickname != null && clientnickname.length() > 0) - factory = new JssSSLSocketFactory(clientnickname); - else - factory = new JssSSLSocketFactory(); - - httpclient = new HttpClient(factory, certApprovalCallback); - } else { - httpclient = new HttpClient(); - } - httpclient.connect(hostname, port); - HttpRequest httprequest = new 
HttpRequest(); - - httprequest.setMethod(HttpRequest.POST); - httprequest.setURI(uri); - // httprequest.setURI("/ca/ee/ca/ports"); - httprequest.setHeader("user-agent", "HTTPTool/1.0"); - // String content_c = "secure="+secure; - httprequest.setHeader("content-type", - "application/x-www-form-urlencoded"); - if (content != null && content.length() > 0) { - String content_c = content; - - httprequest.setHeader("content-length", "" + content_c.length()); - httprequest.setContent(content_c); - } - HttpResponse httpresponse = httpclient.send(httprequest); - - c = httpresponse.getContent(); - } catch (ConnectException e) { - CMS.debug("WizardPanelBase getHttpResponse: " + e.toString()); - throw new IOException("The server you tried to contact is not running."); - } catch (Exception e) { - CMS.debug("WizardPanelBase getHttpResponse: " + e.toString()); - throw new IOException(e.toString()); - } finally { - if (httpclient.connected()) { - httpclient.disconnect(); - } - } - - return c; - } - - public boolean isSDHostDomainMaster(IConfigStore config) { - String dm = "false"; - try { - String hostname = config.getString("securitydomain.host"); - int httpsadminport = config.getInteger("securitydomain.httpsadminport"); - - CMS.debug("Getting domain.xml from CA..."); - String c = getDomainXML(hostname, httpsadminport, true); - - CMS.debug("Getting DomainMaster from security domain"); - - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = new XMLObject(bis); - Document doc = parser.getDocument(); - NodeList nodeList = doc.getElementsByTagName("CA"); - - int len = nodeList.getLength(); - for (int i = 0; i < len; i++) { - Vector<String> v_hostname = - parser.getValuesFromContainer(nodeList.item(i), - "Host"); - - Vector<String> v_https_admin_port = - parser.getValuesFromContainer(nodeList.item(i), - "SecureAdminPort"); - - Vector<String> v_domain_mgr = - parser.getValuesFromContainer(nodeList.item(i), - "DomainManager"); - - if 
(v_hostname.elementAt(0).equals(hostname) && - v_https_admin_port.elementAt(0).equals(Integer.toString(httpsadminport))) { - dm = v_domain_mgr.elementAt(0).toString(); - break; - } - } - } catch (Exception e) { - CMS.debug(e.toString()); - } - return dm.equalsIgnoreCase("true"); - } - - public Vector<String> getMasterUrlListFromSecurityDomain(IConfigStore config, - String type, - String portType) { - Vector<String> v = new Vector<String>(); - - try { - String hostname = config.getString("securitydomain.host"); - int httpsadminport = config.getInteger("securitydomain.httpsadminport"); - - CMS.debug("Getting domain.xml from CA..."); - String c = getDomainXML(hostname, httpsadminport, true); - - CMS.debug("Type " + type); - - CMS.debug("Getting " + portType + " from Security Domain ..."); - if (!portType.equals("UnSecurePort") && - !portType.equals("SecureAgentPort") && - !portType.equals("SecurePort") && - !portType.equals("SecureAdminPort")) { - CMS.debug("getPortFromSecurityDomain: " + - "unknown port type " + portType); - return v; - } - - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = new XMLObject(bis); - Document doc = parser.getDocument(); - NodeList nodeList = doc.getElementsByTagName(type); - - // save domain name in cfg - config.putString("securitydomain.name", - parser.getValue("Name")); - - int len = nodeList.getLength(); - - CMS.debug("Len " + len); - for (int i = 0; i < len; i++) { - Vector<String> v_clone = parser.getValuesFromContainer(nodeList.item(i), - "Clone"); - String clone = v_clone.elementAt(0); - if (clone.equalsIgnoreCase("true")) - continue; - Vector<String> v_name = parser.getValuesFromContainer(nodeList.item(i), - "SubsystemName"); - Vector<String> v_host = parser.getValuesFromContainer(nodeList.item(i), - "Host"); - Vector<String> v_port = parser.getValuesFromContainer(nodeList.item(i), - portType); - - v.addElement(v_name.elementAt(0) - + " - https://" - + v_host.elementAt(0) - + ":" - + 
v_port.elementAt(0)); - } - } catch (Exception e) { - CMS.debug(e.toString()); - } - - return v; - } - - public Vector<String> getUrlListFromSecurityDomain(IConfigStore config, - String type, - String portType) { - Vector<String> v = new Vector<String>(); - - try { - String hostname = config.getString("securitydomain.host"); - int httpsadminport = config.getInteger("securitydomain.httpsadminport"); - - CMS.debug("Getting domain.xml from CA..."); - String c = getDomainXML(hostname, httpsadminport, true); - - CMS.debug("Getting " + portType + " from Security Domain ..."); - if (!portType.equals("UnSecurePort") && - !portType.equals("SecureAgentPort") && - !portType.equals("SecurePort") && - !portType.equals("SecureAdminPort")) { - CMS.debug("getPortFromSecurityDomain: " + - "unknown port type " + portType); - return v; - } - - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = new XMLObject(bis); - Document doc = parser.getDocument(); - NodeList nodeList = doc.getElementsByTagName(type); - - // save domain name in cfg - config.putString("securitydomain.name", - parser.getValue("Name")); - - int len = nodeList.getLength(); - - CMS.debug("Len " + len); - for (int i = 0; i < len; i++) { - Vector<String> v_name = parser.getValuesFromContainer(nodeList.item(i), - "SubsystemName"); - Vector<String> v_host = parser.getValuesFromContainer(nodeList.item(i), - "Host"); - Vector<String> v_port = parser.getValuesFromContainer(nodeList.item(i), - portType); - Vector<String> v_admin_port = parser.getValuesFromContainer(nodeList.item(i), - "SecureAdminPort"); - - if (v_host.elementAt(0).equals(hostname) - && v_admin_port.elementAt(0).equals(new Integer(httpsadminport).toString())) { - // add security domain CA to the beginning of list - v.add(0, v_name.elementAt(0) - + " - https://" - + v_host.elementAt(0) - + ":" - + v_port.elementAt(0)); - } else { - v.addElement(v_name.elementAt(0) - + " - https://" - + v_host.elementAt(0) - + ":" - + 
v_port.elementAt(0)); - } - } - } catch (Exception e) { - CMS.debug(e.toString()); - } - - return v; - } - - // Given an HTTPS Hostname and EE port, - // retrieve the associated HTTPS Admin port - public String getSecurityDomainAdminPort(IConfigStore config, - String hostname, - String https_ee_port, - String cstype) { - String https_admin_port = new String(); - - try { - String sd_hostname = config.getString("securitydomain.host"); - int sd_httpsadminport = - config.getInteger("securitydomain.httpsadminport"); - - CMS.debug("Getting domain.xml from CA ..."); - String c = getDomainXML(sd_hostname, sd_httpsadminport, true); - - CMS.debug("Getting associated HTTPS Admin port from " + - "HTTPS Hostname '" + hostname + - "' and EE port '" + https_ee_port + "'"); - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = new XMLObject(bis); - Document doc = parser.getDocument(); - NodeList nodeList = doc.getElementsByTagName(cstype.toUpperCase()); - - int len = nodeList.getLength(); - for (int i = 0; i < len; i++) { - Vector<String> v_hostname = - parser.getValuesFromContainer(nodeList.item(i), - "Host"); - - Vector<String> v_https_ee_port = - parser.getValuesFromContainer(nodeList.item(i), - "SecurePort"); - - Vector<String> v_https_admin_port = - parser.getValuesFromContainer(nodeList.item(i), - "SecureAdminPort"); - - if (v_hostname.elementAt(0).equals(hostname) && - v_https_ee_port.elementAt(0).equals(https_ee_port)) { - https_admin_port = - v_https_admin_port.elementAt(0).toString(); - break; - } - } - } catch (Exception e) { - CMS.debug(e.toString()); - } - - return (https_admin_port); - } - - public String getSecurityDomainPort(IConfigStore config, - String portType) { - String port = new String(); - - try { - String hostname = config.getString("securitydomain.host"); - int httpsadminport = - config.getInteger("securitydomain.httpsadminport"); - - CMS.debug("Getting domain.xml from CA ..."); - String c = getDomainXML(hostname, 
httpsadminport, true); - - CMS.debug("Getting " + portType + " from Security Domain ..."); - if (!portType.equals("UnSecurePort") && - !portType.equals("SecureAgentPort") && - !portType.equals("SecurePort") && - !portType.equals("SecureAdminPort")) { - CMS.debug("getPortFromSecurityDomain: " + - "unknown port type " + portType); - return ""; - } - - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = new XMLObject(bis); - Document doc = parser.getDocument(); - NodeList nodeList = doc.getElementsByTagName("CA"); - - int len = nodeList.getLength(); - for (int i = 0; i < len; i++) { - Vector<String> v_admin_port = - parser.getValuesFromContainer(nodeList.item(i), - "SecureAdminPort"); - - Vector<String> v_port = null; - if (portType.equals("UnSecurePort")) { - v_port = parser.getValuesFromContainer(nodeList.item(i), - "UnSecurePort"); - } else if (portType.equals("SecureAgentPort")) { - v_port = parser.getValuesFromContainer(nodeList.item(i), - "SecureAgentPort"); - } else if (portType.equals("SecurePort")) { - v_port = parser.getValuesFromContainer(nodeList.item(i), - "SecurePort"); - } else if (portType.equals("SecureAdminPort")) { - v_port = parser.getValuesFromContainer(nodeList.item(i), - "SecureAdminPort"); - } - - if ((v_port != null) && - (v_admin_port.elementAt(0).equals( - Integer.toString(httpsadminport)))) { - port = v_port.elementAt(0).toString(); - break; - } - } - } catch (Exception e) { - CMS.debug(e.toString()); - } - - return (port); - } - public String pingCS(String hostname, int port, boolean https, SSLCertificateApprovalCallback certApprovalCallback) throws IOException { CMS.debug("WizardPanelBase pingCS: started"); - String c = getHttpResponse(hostname, port, https, + String c = ConfigurationUtils.getHttpResponse(hostname, port, https, "/ca/admin/ca/getStatus", null, null, certApprovalCallback); 
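Review bot: The only new-side code in this hunk is pingCS now calling ConfigurationUtils.getHttpResponse, but the removed instance version shows a cleanup defect worth checking in the moved helper: its `finally` block calls `httpclient.connected()` unconditionally, so when `new JssSSLSocketFactory(clientnickname)` or the HttpClient constructor throws, `httpclient` is still null and the original exception is replaced by a NullPointerException. If the method was moved verbatim, the guard should read `if (httpclient != null && httpclient.connected()) { httpclient.disconnect(); }`. Whether the moved helper still maps ConnectException to the "server is not running" message and still sets the content-length header cannot be verified from this hunk. pingCS's body continues past the end of the hunk.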
@@ -1296,315 +526,28 @@ public class WizardPanelBase implements IWizardPanel { return null; } - public String toLowerCaseSubsystemType(String s) { - String x = null; - if (s.equals("CA")) { - x = "ca"; - } else if (s.equals("KRA")) { - x = "kra"; - } else if (s.equals("OCSP")) { - x = "ocsp"; - } else if (s.equals("TKS")) { - x = "tks"; - } - - return x; - } - - public void getTokenInfo(IConfigStore config, String type, String host, - int https_ee_port, boolean https, Context context, - ConfigCertApprovalCallback certApprovalCallback) throws IOException { - CMS.debug("WizardPanelBase getTokenInfo start"); - String uri = "/" + type + "/ee/" + type + "/getTokenInfo"; - CMS.debug("WizardPanelBase getTokenInfo: uri=" + uri); - String c = getHttpResponse(host, https_ee_port, https, uri, null, null, - certApprovalCallback); - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("WizardPanelBase::getTokenInfo() - " - + "Exception=" + e.toString()); - throw new IOException(e.toString()); - } - - String status = parser.getValue("Status"); - - CMS.debug("WizardPanelBase getTokenInfo: status=" + status); - - if (status.equals(SUCCESS)) { - Document doc = parser.getDocument(); - NodeList list = doc.getElementsByTagName("name"); - int len = list.getLength(); - for (int i = 0; i < len; i++) { - Node n = list.item(i); - NodeList nn = n.getChildNodes(); - String name = nn.item(0).getNodeValue(); - Node parent = n.getParentNode(); - nn = parent.getChildNodes(); - int len1 = nn.getLength(); - String v = ""; - for (int j = 0; j < len1; j++) { - Node nv = nn.item(j); - String val = nv.getNodeName(); - if (val.equals("value")) { - NodeList n2 = nv.getChildNodes(); - if (n2.getLength() > 0) - v = n2.item(0).getNodeValue(); - break; - } - } - if (name.equals("cloning.signing.nickname")) { - config.putString("preop.master.signing.nickname", v); 
- config.putString(type + ".cert.signing.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.ocsp_signing.nickname")) { - config.putString("preop.master.ocsp_signing.nickname", v); - config.putString(type + ".cert.ocsp_signing.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.subsystem.nickname")) { - config.putString("preop.master.subsystem.nickname", v); - config.putString(type + ".cert.subsystem.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.transport.nickname")) { - config.putString("preop.master.transport.nickname", v); - config.putString("kra.transportUnit.nickName", v); - config.putString("kra.cert.transport.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.storage.nickname")) { - config.putString("preop.master.storage.nickname", v); - config.putString("kra.storageUnit.nickName", v); - config.putString("kra.cert.storage.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.audit_signing.nickname")) { - config.putString("preop.master.audit_signing.nickname", v); - config.putString(type + ".cert.audit_signing.nickname", v); - config.putString(name, v); - } else if (name.equals("cloning.module.token")) { - config.putString("preop.module.token", v); - } else if (name.startsWith("cloning.ca")) { - config.putString(name.replaceFirst("cloning", "preop"), v); - } else if (name.startsWith("cloning")) { - config.putString(name.replaceFirst("cloning", "preop.cert"), v); - } else { - config.putString(name, v); - } - } - - // reset nicknames for system cert verification - String token = config.getString("preop.module.token", - "Internal Key Storage Token"); - if (!token.equals("Internal Key Storage Token")) { - String certlist = config.getString("preop.cert.list"); - - StringTokenizer t1 = new StringTokenizer(certlist, ","); - while (t1.hasMoreTokens()) { - String tag = t1.nextToken(); - if (tag.equals("sslserver")) - continue; - 
config.putString(type + ".cert." + tag + ".nickname", - token + ":" + - config.getString(type + ".cert." + tag + ".nickname", "")); - } - } - } else { - String error = parser.getValue("Error"); - throw new IOException(error); - } - } catch (IOException e) { - CMS.debug("WizardPanelBase: getTokenInfo: " + e.toString()); - throw e; - } catch (Exception e) { - CMS.debug("WizardPanelBase: getTokenInfo: " + e.toString()); - throw new IOException(e.toString()); - } - } - } - - public void importCertChain(String id) throws IOException { - CMS.debug("DisplayCertChainPanel importCertChain"); - IConfigStore config = CMS.getConfigStore(); - String configName = "preop." + id + ".pkcs7"; - String pkcs7 = ""; - - try { - pkcs7 = config.getString(configName, ""); - } catch (Exception e) { - } - - if (pkcs7.length() > 0) { - try { - CryptoUtil.importCertificateChain(pkcs7); - } catch (Exception e) { - CMS.debug("DisplayCertChainPanel importCertChain: Exception: " + e.toString()); - } - } - } - - public void updateCertChain(IConfigStore config, String name, String host, - int https_admin_port, boolean https, Context context) throws IOException { - updateCertChain(config, name, host, https_admin_port, - https, context, null); - } - - public void updateCertChain(IConfigStore config, String name, String host, - int https_admin_port, boolean https, Context context, - ConfigCertApprovalCallback certApprovalCallback) throws IOException { - String certchain = getCertChainUsingSecureAdminPort(host, - https_admin_port, - https, - certApprovalCallback); + public void updateCertChainUsingSecureEEPort(IConfigStore config, String name, String host, + int https_ee_port, boolean https, Context context, ConfigCertApprovalCallback certApprovalCallback) + throws IOException, CertificateEncodingException, EBaseException { + String certchain = getCertChainUsingSecureEEPort(host, https_ee_port, https, certApprovalCallback); config.putString("preop." 
+ name + ".pkcs7", certchain); byte[] decoded = CryptoUtil.base64Decode(certchain); - java.security.cert.X509Certificate[] b_certchain = null; - - try { - b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded); - } catch (Exception e) { - context.put("errorString", - "Failed to get the certificate chain."); - return; - } + java.security.cert.X509Certificate[] b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded); int size = 0; if (b_certchain != null) { size = b_certchain.length; } config.putInteger("preop." + name + ".certchain.size", size); - for (int i = 0; i < size; i++) { - byte[] bb = null; - - try { - bb = b_certchain[i].getEncoded(); - } catch (Exception e) { - context.put("errorString", - "Failed to get the der-encoded certificate chain."); - return; - } - config.putString("preop." + name + ".certchain." + i, - CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb))); - } - - try { - config.commit(false); - } catch (EBaseException e) { - } - } - - public void updateCertChainUsingSecureEEPort(IConfigStore config, - String name, String host, - int https_ee_port, - boolean https, - Context context, - ConfigCertApprovalCallback certApprovalCallback) throws IOException { - String certchain = getCertChainUsingSecureEEPort(host, https_ee_port, - https, - certApprovalCallback); - config.putString("preop." + name + ".pkcs7", certchain); - - byte[] decoded = CryptoUtil.base64Decode(certchain); - java.security.cert.X509Certificate[] b_certchain = null; - - try { - b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded); - } catch (Exception e) { - context.put("errorString", - "Failed to get the certificate chain."); - return; - } - int size = 0; - if (b_certchain != null) { - size = b_certchain.length; - } - config.putInteger("preop." 
+ name + ".certchain.size", size); for (int i = 0; i < size; i++) { - byte[] bb = null; - - try { - bb = b_certchain[i].getEncoded(); - } catch (Exception e) { - context.put("errorString", - "Failed to get the der-encoded certificate chain."); - return; - } + byte[] bb = b_certchain[i].getEncoded(); config.putString("preop." + name + ".certchain." + i, CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb))); } - try { - config.commit(false); - } catch (EBaseException e) { - } - } - - public void deleteCert(String tokenname, String nickname) { - try { - CryptoManager cm = CryptoManager.getInstance(); - CryptoToken tok = cm.getTokenByName(tokenname); - CryptoStore store = tok.getCryptoStore(); - String fullnickname = nickname; - if (!tokenname.equals("") && - !tokenname.equals("Internal Key Storage Token") && - !tokenname.equals("internal")) - fullnickname = tokenname + ":" + nickname; - - CMS.debug("WizardPanelBase deleteCert: nickname=" + fullnickname); - org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(fullnickname); - - if (store instanceof PK11Store) { - CMS.debug("WizardPanelBase deleteCert: this is pk11store"); - PK11Store pk11store = (PK11Store) store; - pk11store.deleteCertOnly(cert); - CMS.debug("WizardPanelBase deleteCert: cert deleted successfully"); - } - } catch (Exception e) { - CMS.debug("WizardPanelBase deleteCert: Exception=" + e.toString()); - } - } - - public void deleteEntries(LDAPSearchResults res, LDAPConnection conn, - String dn, String[] entries) { - String[] attrs = null; - LDAPSearchConstraints cons = null; - String filter = "objectclass=*"; - - try { - if (res.getCount() == 0) - return; - else { - while (res.hasMoreElements()) { - LDAPEntry entry = res.next(); - String dn1 = entry.getDN(); - LDAPSearchResults res1 = conn.search(dn1, 1, filter, attrs, true, cons); - deleteEntries(res1, conn, dn1, entries); - deleteEntry(conn, dn1, entries); - } - } - } catch (Exception ee) { - CMS.debug("WizardPanelBase deleteEntries: 
Exception=" + ee.toString()); - } - } - - public void deleteEntry(LDAPConnection conn, String dn, String[] entries) { - try { - for (int i = 0; i < entries.length; i++) { - if (LDAPDN.equals(dn, entries[i])) { - CMS.debug("WizardPanelBase deleteEntry: entry with this dn " + dn + " is not deleted."); - return; - } - } - - CMS.debug("WizardPanelBase deleteEntry: deleting dn=" + dn); - conn.delete(dn); - } catch (Exception e) { - CMS.debug("WizardPanelBase deleteEntry: Exception=" + e.toString()); - } + config.commit(false); } public void reloginSecurityDomain(HttpServletResponse response) { @@ -1618,7 +561,7 @@ public class WizardPanelBase implements IWizardPanel { String subsystem = cs.getString("cs.type", ""); String urlVal = "https://" - + cs_hostname + ":" + cs_port + "/" + toLowerCaseSubsystemType(subsystem) + + cs_hostname + ":" + cs_port + "/" + subsystem.toLowerCase() + "/admin/console/config/wizard?p=" + panel + "&subsystem=" + subsystem; String encodedValue = URLEncoder.encode(urlVal, "UTF-8"); String sdurl = "https://" + hostname + ":" + port + "/ca/admin/ca/securityDomainLogin?url=" + encodedValue; |
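Review bot: `context` is now an unused parameter of updateCertChainUsingSecureEEPort: the deleted try/catch blocks were the only places that wrote `errorString` into it, and the new body lets IOException, CertificateEncodingException and EBaseException propagate instead, so callers that used to read that context key (they are outside this hunk) must now catch those exceptions themselves. The pkcs7 string is also stored under the `preop.<name>.pkcs7` key before it is parsed, so a chain that fails in `CryptoUtil.getX509CertificateFromPKCS7` leaves the unparsed blob in the in-memory config store; moving `config.putString("preop." + name + ".pkcs7", certchain);` below the `getX509CertificateFromPKCS7` call avoids that. A short Javadoc stating that failures now surface as exceptions rather than via the context would make the changed contract explicit.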
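Review bot: `subsystem.toLowerCase()` in reloginSecurityDomain uses the JVM default locale, and because the result becomes a path segment of the login redirect URL the casing should be locale-independent: `subsystem.toLowerCase(Locale.ROOT)` (java.util.Locale needs importing if the file does not already do so). The known values CA, KRA, OCSP and TKS contain no locale-sensitive letters, so this is a style point rather than a current bug. Note also that the removed `toLowerCaseSubsystemType` helper accepted only those four values and yielded null for anything else, whereas `toLowerCase()` passes any `cs.type` value through into the URL; that is presumably intended by the refactor but is a behavior change worth a comment. reloginSecurityDomain starts before and ends after this hunk.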