diff options
author | Christina Fu <cfu@redhat.com> | 2016-05-17 17:57:11 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2016-05-18 10:18:48 -0700 |
commit | 5fe2ebbf66a5ebe0acc11ea7868db8a79b332ddb (patch) | |
tree | bda4b60c941995d9e65172c832e0aa323ea32e4b | |
parent | 81c1d8fdd2c6e6248190cdeafe3ce032c8876e95 (diff) | |
download | pki-5fe2ebbf66a5ebe0acc11ea7868db8a79b332ddb.tar.gz pki-5fe2ebbf66a5ebe0acc11ea7868db8a79b332ddb.tar.xz pki-5fe2ebbf66a5ebe0acc11ea7868db8a79b332ddb.zip |
Ticket #1527 reopened: retrieved wrong ca connector config parameter
This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues;
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
to tokenKey, while enroll resolves to userKey.
-> now changed the userKey
d. if revocation fails during format, it was forgiving.
-> now changed so that error is logged in activity log and exception
thrown and bail out
-rw-r--r-- | base/tps/shared/conf/CS.cfg | 12 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java | 37 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 22 |
3 files changed, 62 insertions, 9 deletions
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg index 638787d22..90d1747dd 100644 --- a/base/tps/shared/conf/CS.cfg +++ b/base/tps/shared/conf/CS.cfg @@ -428,6 +428,7 @@ op.format.delegateIEtoken.issuerinfo.enable=true op.format.delegateIEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.delegateIEtoken.loginRequest.enable=true op.format.delegateIEtoken.revokeCert=false +op.format.delegateIEtoken.revokeCert.reason=0 op.format.delegateIEtoken.tks.conn=tks1 op.format.delegateIEtoken.update.applet.directory=/usr/share/pki/tps/applets op.format.delegateIEtoken.update.applet.emptyToken.enable=true @@ -686,6 +687,7 @@ op.format.delegateISEtoken.issuerinfo.enable=true op.format.delegateISEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.delegateISEtoken.loginRequest.enable=true op.format.delegateISEtoken.revokeCert=false +op.format.delegateISEtoken.revokeCert.reason=0 op.format.delegateISEtoken.tks.conn=tks1 op.format.delegateISEtoken.update.applet.directory=/usr/share/pki/tps/applets op.format.delegateISEtoken.update.applet.emptyToken.enable=true @@ -770,6 +772,7 @@ op.format.externalRegAddToToken.update.applet.requiredVersion=1.4.54de790f op.format.externalRegAddToToken.update.symmetricKeys.enable=false op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1 op.format.externalRegAddToToken.revokeCert=false +op.format.externalRegAddToToken.revokeCert.reason=0 op.enroll.allowUnknownToken=true op.enroll.mappingResolver=enrollProfileMappingResolver op.enroll.soKey.cuidMustMatchKDD=false @@ -1392,6 +1395,7 @@ op.format.cleanToken.issuerinfo.enable=true op.format.cleanToken.issuerinfo.value= op.format.cleanToken.loginRequest.enable=true op.format.cleanToken.revokeCert=true +op.format.cleanToken.revokeCert.reason=0 op.format.cleanToken.tks.conn=tks1 op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets op.format.cleanToken.update.applet.emptyToken.enable=true @@ -1413,6 +1417,7 @@ op.format.soCleanSOToken.issuerinfo.enable=true op.format.soCleanSOToken.issuerinfo.value= op.format.soCleanSOToken.loginRequest.enable=false op.format.soCleanSOToken.revokeCert=true +op.format.soCleanSOToken.revokeCert.reason=0 op.format.soCleanSOToken.tks.conn=tks1 op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets op.format.soCleanSOToken.update.applet.emptyToken.enable=true @@ -1434,6 +1439,7 @@ op.format.soCleanUserToken.issuerinfo.enable=true op.format.soCleanUserToken.issuerinfo.value= op.format.soCleanUserToken.loginRequest.enable=false op.format.soCleanUserToken.revokeCert=true +op.format.soCleanUserToken.revokeCert.reason=0 op.format.soCleanUserToken.tks.conn=tks1 op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets op.format.soCleanUserToken.update.applet.emptyToken.enable=true @@ -1455,6 +1461,7 @@ op.format.soKey.issuerinfo.enable=true op.format.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.soKey.loginRequest.enable=true op.format.soKey.revokeCert=true +op.format.soKey.revokeCert.reason=0 op.format.soKey.tks.conn=tks1 op.format.soKey.update.applet.directory=[TPS_DIR]/applets op.format.soKey.update.applet.emptyToken.enable=true @@ -1476,6 +1483,7 @@ op.format.soUserKey.issuerinfo.enable=true op.format.soUserKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.soUserKey.loginRequest.enable=false op.format.soUserKey.revokeCert=true +op.format.soUserKey.revokeCert.reason=0 op.format.soUserKey.tks.conn=tks1 op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets op.format.soUserKey.update.applet.emptyToken.enable=true @@ -1497,6 +1505,7 @@ op.format.tokenKey.issuerinfo.enable=true op.format.tokenKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.tokenKey.loginRequest.enable=true op.format.tokenKey.revokeCert=true +op.format.tokenKey.revokeCert.reason=0 op.format.tokenKey.tks.conn=tks1 op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets op.format.tokenKey.update.applet.emptyToken.enable=true @@ -1518,6 +1527,7 @@ op.format.userKey.issuerinfo.enable=true op.format.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome op.format.userKey.loginRequest.enable=true op.format.userKey.revokeCert=true +op.format.userKey.revokeCert.reason=0 op.format.userKey.tks.conn=tks1 op.format.userKey.update.applet.directory=[TPS_DIR]/applets op.format.userKey.update.applet.emptyToken.enable=true @@ -1768,7 +1778,7 @@ mappingResolver.formatProfileMappingResolver.mapping.6.filter.appletMinorVersion mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenATR= mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenCUID.end= mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenCUID.start= -mappingResolver.formatProfileMappingResolver.mapping.6.target.tokenType=tokenKey +mappingResolver.formatProfileMappingResolver.mapping.6.target.tokenType=userKey mappingResolver.formatProfileMappingResolver.mapping.order=0,1,2,3,4,5,6 mappingResolver.pinResetProfileMappingResolver.class_id=filterMappingResolverImpl mappingResolver.pinResetProfileMappingResolver.mapping.0.filter.appletMajorVersion= diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java index 0a68e6583..ace5f389f 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java @@ -108,6 +108,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); + if (conn == null) { + throw new EBaseException("CARemoteRequestHandler: enrollCertificate() to connid: " + connid + ": HttpConnector conn null."); + } CMS.debug("CARemoteRequestHandler: enrollCertificate(): sending request to CA"); String encodedPubKey = null; try { @@ -192,12 +195,14 @@ public class CARemoteRequestHandler extends RemoteRequestHandler CMS.debug("CARemoteRequestHandler: enrollCertificate(): sendMsg =" + sendMsg); HttpResponse resp = conn.send("enrollment", sendMsg); + if (resp == null) { + throw new EBaseException("CARemoteRequestHandler: enrollCertificate() to connid: " + connid + ": response null."); + } String content = resp.getContent(); - CMS.debug("CARemoteRequestHandler: enrollCertificate(): got content = " + content); - if (content != null && !content.equals("")) { + CMS.debug("CARemoteRequestHandler: enrollCertificate(): got content = " + content); XMLObject xmlResponse = getXMLparser(content); @@ -298,12 +303,18 @@ public class CARemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); + if (conn == null) { + throw new EBaseException("CARemoteRequestHandler: retrieveCertificate() to connid: " + connid + ": HttpConnector conn null."); + } CMS.debug("CARemoteRequestHandler: retrieveCertificate(): sending request to CA"); HttpResponse resp = conn.send("getcert", IRemoteRequest.GET_XML + "=" + true + "&" + IRemoteRequest.CA_GET_CERT_B64CertOnly + "=" + true + "&" + IRemoteRequest.CA_GET_CERT_SERIAL + "=" + serialno.toString()); + if (resp == null) { + throw new EBaseException("CARemoteRequestHandler: retrieveCertificate() to connid: " + connid + ": response null."); + } String content = resp.getContent(); if (content != null && !content.equals("")) { @@ -395,6 +406,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); + if (conn == null) { + throw new EBaseException("CARemoteRequestHandler: renewCertificate() to connid: " + connid + ": HttpConnector conn null."); + } CMS.debug("CARemoteRequestHandler: renewCertificate(): sending request to CA"); HttpResponse resp = conn.send("renewal", @@ -403,6 +417,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.CA_RENEWAL_SerialNum + "=" + serialno.toString() + "&" + IRemoteRequest.CA_ProfileId + "=" + profileId); + if (resp == null) { + throw new EBaseException("CARemoteRequestHandler: renewCertificate() to connid: " + connid + ": response null."); + } String content = resp.getContent(); if (content != null && !content.equals("")) { @@ -503,6 +520,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); + if (conn == null) { + throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": HttpConnector conn null."); + } CMS.debug("CARemoteRequestHandler: revokeCertificate(): sending request to CA"); HttpResponse resp = conn.send("revoke", @@ -511,10 +531,13 @@ public class CARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.CA_REVOKE_ALL + "=(" + IRemoteRequest.CA_REVOKE_SERIAL + "=" + serialno + ")&" + IRemoteRequest.CA_REVOKE_COUNT + "=1"); + if (resp == null) { + throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": response null."); + } String content = resp.getContent(); - CMS.debug("CARemoteRequestHandler: revokeCertificate(): got content = " + content); if (content != null && !content.equals("")) { + CMS.debug("CARemoteRequestHandler: revokeCertificate(): got content = " + content); Hashtable<String, Object> response = parseResponse(content); @@ -570,14 +593,20 @@ public class CARemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); + if (conn == null) { + throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": HttpConnector conn null."); + } CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): sending request to CA"); HttpResponse resp = conn.send("unrevoke", IRemoteRequest.CA_UNREVOKE_SERIAL + "=" + serialno); + if (resp == null) { + throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": response null."); + } String content = resp.getContent(); - CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): got content = " + content); if (content != null && !content.equals("")) { + CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): got content = " + content); Hashtable<String, Object> response = parseResponse(content); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index bbc9fcb5e..5b471ca24 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java @@ -1376,7 +1376,7 @@ public class TPSProcessor { ".ca.conn"; CMS.debug(method + " finding config: " + config); } else { - config = "op." + currentTokenOperation + "." + + config = TPSEngine.OP_FORMAT_PREFIX + "." + selectedTokenType + ".ca.conn"; CMS.debug(method + " finding config: " + config); @@ -1424,7 +1424,9 @@ public class TPSProcessor { String logMsg; IConfigStore configStore = CMS.getConfigStore(); - String configName = TPSEngine.OP_FORMAT_PREFIX + "." + selectedTokenType + ".revokeCert.revokeReason"; + String configName = TPSEngine.OP_FORMAT_PREFIX + "." + selectedTokenType + ".revokeCert.reason"; + CMS.debug(method + " finding config: " + configName); + RevocationReason revokeReason = RevocationReason.UNSPECIFIED; try { int revokeReasonInt = configStore.getInteger(configName); @@ -2137,7 +2139,19 @@ public class TPSProcessor { revokeCertificates(tokenRecord.getId(), reason, caConnId); } catch (TPSException te) { // failed revocation; capture message and continue - logMsg = te.getMessage(); + String failMsg = "revoke certificates failure"; + logMsg = failMsg + ":" + te.toString(); + CMS.debug("TPSProcessor.format: " + logMsg); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg, + "failure"); + throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN); + } catch (Exception ee) { + String failMsg = "revoke certificates failure"; + logMsg = failMsg + ":" + ee.toString(); + CMS.debug("TPSProcessor.format: " + logMsg); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg, + "failure"); + throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN); } } @@ -2160,7 +2174,7 @@ public class TPSProcessor { tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), failMsg, "failure"); - throw new TPSException(logMsg); + throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN); } logMsg = "format operation succeeded"; |