| author | awnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-06-12 20:05:56 +0000 |
|---|---|---|
| committer | awnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-06-12 20:05:56 +0000 |
| commit | d6612d3df6cdc65df0d3de645e397cc45f39f965 (patch) | |
| tree | ffa509a471d322a2ddb0b1d971f7496c21e05e60 | |
| parent | e4852c11aa10773425abef5327735f7f3339ac0e (diff) | |
Bugzilla bug #502694.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@600 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
index dcbca5e3b..74df04f30 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
@@ -33,6 +33,7 @@ import com.netscape.certsrv.request.*;
 import com.netscape.certsrv.authentication.*;
 import com.netscape.certsrv.authorization.*;
 import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.ca.*;
 import com.netscape.cms.servlet.common.*;
 
 import java.security.cert.*;
@@ -47,6 +48,7 @@ import netscape.security.x509.*;
 public class ProfileProcessServlet extends ProfileServlet {
     private static final String PROP_AUTHORITY_ID = "authorityId";
     private String mAuthorityId = null;
+    private Nonces mNonces = null;
     private final static byte EOL[] = { Character.LINE_SEPARATOR };
 
     private final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
@@ -60,6 +62,14 @@ public class ProfileProcessServlet extends ProfileServlet {
     public void init(ServletConfig sc) throws ServletException {
         super.init(sc);
         mAuthorityId = sc.getInitParameter(PROP_AUTHORITY_ID);
+
+        ICertificateAuthority authority = null;
+        if (mAuthorityId != null)
+            authority = (ICertificateAuthority) CMS.getSubsystem(mAuthorityId);
+
+        if (authority != null && authority.noncesEnabled()) {
+            mNonces = authority.getNonces();
+        }
     }
 
     public void process(CMSRequest cmsReq) throws EBaseException {
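Review bot: The new `init` code leaves `mNonces` null on three distinct paths (no `authorityId` init parameter, no subsystem found for it, `noncesEnabled()` false) and nothing records that a null field silently disables the nonce check later performed in `process()`; a comment before the second `if` would make that intent explicit, e.g. `// mNonces stays null when no CA is configured or nonces are disabled; process() then skips nonce verification`. The unchecked cast `(ICertificateAuthority) CMS.getSubsystem(mAuthorityId)` will presumably throw `ClassCastException` and fail servlet initialization if `authorityId` names a non-CA subsystem, which may be intended but deserves a comment as well. `process()` begins at the end of this hunk and continues beyond it.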
@@ -118,6 +128,35 @@ public class ProfileProcessServlet extends ProfileServlet {
             return;
         }
 
+        if (mNonces != null) {
+            String requestNonce = request.getParameter(ARG_REQUEST_NONCE);
+            boolean nonceVerified = false;
+            if (requestNonce != null) {
+                long nonce = Long.parseLong(requestNonce.trim());
+                X509Certificate cert1 = mNonces.getCertificate(nonce);
+                X509Certificate cert2 = getSSLClientCertificate(request);
+                if (cert1 == null) {
+                    CMS.debug("ProfileProcessServlet: Unknown nonce");
+                } else if (cert1 != null && cert2 != null && cert1.equals(cert2)) {
+                    nonceVerified = true;
+                    mNonces.removeNonce(nonce);
+                }
+            } else {
+                CMS.debug("ProfileProcessServlet: Missing nonce");
+            }
+            CMS.debug("ProfileProcessServlet: nonceVerified="+nonceVerified);
+            if (!nonceVerified) {
+                args.set(ARG_ERROR_CODE, "1");
+                args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
+                        "CMS_AUTHORIZATION_ERROR"));
+                outputTemplate(request, response, args);
+                if (statsSub != null) {
+                    statsSub.endTiming("approval");
+                }
+                return;
+            }
+        }
+
         CMS.debug("ProfileProcessServlet: start serving");
 
         // (1) Read request from the database
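Review bot: `Long.parseLong(requestNonce.trim())` is applied to a raw request parameter inside the new `if (requestNonce != null)` branch, so a non-numeric `ARG_REQUEST_NONCE` value throws `NumberFormatException` out of `process()` instead of producing the controlled `CMS_AUTHORIZATION_ERROR` response the rest of the block builds for a failed check. The parse should be caught and treated like an unknown nonce; the `cert1 != null` test in the `else if` is redundant after the preceding `cert1 == null` branch, and the mismatch case (known nonce but no or different client certificate) currently logs nothing, which will make a rejected approval hard to diagnose. Whether a rejected nonce should also be consumed, or raise a signed-audit event alongside the debug message, depends on the `Nonces` contract, which is not visible here. `process()` starts and ends outside this hunk.

```java
            if (requestNonce != null) {
                try {
                    long nonce = Long.parseLong(requestNonce.trim());
                    X509Certificate cert1 = mNonces.getCertificate(nonce);
                    X509Certificate cert2 = getSSLClientCertificate(request);
                    if (cert1 == null) {
                        CMS.debug("ProfileProcessServlet: Unknown nonce");
                    } else if (cert2 != null && cert1.equals(cert2)) {
                        nonceVerified = true;
                        mNonces.removeNonce(nonce);
                    } else {
                        CMS.debug("ProfileProcessServlet: Nonce does not match client certificate");
                    }
                } catch (NumberFormatException e) {
                    // A malformed value is a failed check, not a server error;
                    // it must not escape process() as an unchecked exception.
                    CMS.debug("ProfileProcessServlet: Malformed nonce");
                }
            } else {
                CMS.debug("ProfileProcessServlet: Missing nonce");
            }
            // … unchanged: nonceVerified debug and the !nonceVerified rejection …
```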
