authorEndi S. Dewata <edewata@redhat.com>2016-08-01 22:35:32 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-08-05 22:22:20 +0200
commitf726f9a668b523c4e5a9438d8ea301f4b556efd4 (patch)
tree47e4b3534ca22a3ef8b9c000db35c31cec1d21a9
parentf0b1854a8f5cfe97d2d267ea16e4556d94666bb6 (diff)
Added log messages for certificate validation.
The ConfigCertApprovalCallback has been modified such that it logs the server certificate being validated and can be configured to ignore certain validation errors. The ConfigurationUtils has been modified to use the ConfigCertApprovalCallback to show and validate the server certificate in all GET and POST operations except for the importCertChain() in which the code needs to ignore untrusted issuer in order to get the certificate chain via SSL. https://fedorahosted.org/pki/ticket/2424
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java63
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java63
2 files changed, 97 insertions, 29 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
index 956c285b5..9b741af02 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
@@ -17,17 +17,78 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
+
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import com.netscape.certsrv.apps.CMS;
+
public class ConfigCertApprovalCallback
implements SSLCertificateApprovalCallback {
+ public Set<Integer> ignoredErrors = new HashSet<Integer>();
+
public ConfigCertApprovalCallback() {
}
+ public void ignoreError(int error) {
+ ignoredErrors.add(error);
+ }
+
+ public String getErrorDescription(int reason) {
+
+ // iterate through all constants in ValidityStatus
+ for (Field f : ValidityStatus.class.getDeclaredFields()) {
+ int mod = f.getModifiers();
+ if (Modifier.isPublic(mod) &&
+ Modifier.isFinal(mod) &&
+ Modifier.isStatic(mod)) {
+
+ try {
+ int value = f.getInt(null);
+
+ // if value matches the reason, return the name
+ if (value == reason) {
+ return f.getName();
+ }
+
+ } catch (IllegalAccessException e) {
+ return "ERROR #" + reason;
+ }
+ }
+ }
+
+ return "UNKNOWN_ERROR";
+ }
+
public boolean approve(X509Certificate cert,
SSLCertificateApprovalCallback.ValidityStatus status) {
- return true;
+
+ CMS.debug("Server certificate:");
+ CMS.debug(" - subject: " + cert.getSubjectDN());
+ CMS.debug(" - issuer: " + cert.getIssuerDN());
+
+ Enumeration<?> errors = status.getReasons();
+ boolean result = true;
+
+ while (errors.hasMoreElements()) {
+ SSLCertificateApprovalCallback.ValidityItem item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
+ int reason = item.getReason();
+ String description = getErrorDescription(reason);
+
+ if (ignoredErrors.contains(reason)) {
+ CMS.debug("WARNING: " + description);
+ } else {
+ CMS.debug("ERROR: " + description);
+ result = false;
+ }
+ }
+
+ return result;
}
}
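Review bot: `getErrorDescription` calls `f.getInt(null)` on every public static final field of `ValidityStatus`, but `Field.getInt` throws an unchecked `IllegalArgumentException` when the field is not an int (or widenable to int), and the catch only handles `IllegalAccessException`, so should that class hold or gain a non-int constant the exception would propagate out of `approve` and abort the handshake with an unrelated error. Add a type guard before the `try`: `if (f.getType() != int.class) continue;`. Separately, `ignoredErrors` is a public mutable `HashSet` that decides which validation failures are tolerated; because ConfigurationUtils shares one static instance across all connections, any caller can widen the exemption process-wide, so make it `private final` and keep `ignoreError` as the only way to add to it. The fallback `return "UNKNOWN_ERROR";` drops the numeric code, which is the only clue left when a reason is unmapped; `return "UNKNOWN_ERROR #" + reason;` keeps it diagnosable.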
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index ab5e4d63d..fe65bb855 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -58,34 +58,6 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.xml.parsers.ParserConfigurationException;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPDN;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv3;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS12;
-import netscape.security.pkcs.PKCS12Util;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.Extension;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
import org.apache.commons.lang.StringUtils;
import org.apache.velocity.context.Context;
import org.mozilla.jss.CryptoManager;
@@ -131,6 +103,7 @@ import org.mozilla.jss.pkix.primitive.Attribute;
import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo;
import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
import org.w3c.dom.Document;
@@ -180,6 +153,34 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
import com.netscape.cmsutil.util.Utils;
import com.netscape.cmsutil.xml.XMLObject;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv3;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS12;
+import netscape.security.pkcs.PKCS12Util;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
/**
* Utility class for functions to be used by the RESTful installer.
*
@@ -196,6 +197,8 @@ public class ConfigurationUtils {
public static final Long MINUS_ONE = Long.valueOf(-1);
public static final String DBUSER = "pkidbuser";
+ public static ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+
public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
IncorrectPasswordException {
boolean rv = true;
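Review bot: `certApprovalCallback` is declared as a public, non-final, mutable static field even though it is the object that decides whether a server certificate is accepted for every GET and POST issued by this class, and its ignored-error set can be extended by any caller at any time, silently relaxing validation for all later connections. Declaring it `private static final` removes the reassignment path and makes the null fallback added to get/post unnecessary; if another class genuinely needs a different policy, have it pass its own callback explicitly as importCertChain already does. The enclosing class continues outside the hunk.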
@@ -229,6 +232,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: GET " + config.getServerURI() + path);
PKIConnection connection = new PKIConnection(config);
+ if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
connection.setCallback(certApprovalCallback);
return connection.get(path);
}
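Review bot: The added line reassigns the `certApprovalCallback` parameter from the static field of the same name, so the parameter shadows the field and the `ConfigurationUtils.` qualifier exists only to reach past the shadow, which reads like a self-assignment at first glance. A local keeps the parameter read-only and makes the fallback explicit: `ConfigCertApprovalCallback callback = certApprovalCallback != null ? certApprovalCallback : ConfigurationUtils.certApprovalCallback;` followed by `connection.setCallback(callback);`. The same pattern appears in the POST hunk that follows. The enclosing `get` method starts outside the hunk.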
@@ -245,6 +249,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: POST " + config.getServerURI() + path);
PKIConnection connection = new PKIConnection(config);
+ if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
connection.setCallback(certApprovalCallback);
return connection.post(path, content);
}
@@ -256,6 +261,8 @@ public class ConfigurationUtils {
IConfigStore cs = CMS.getConfigStore();
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+ // Ignore untrusted issuer to get cert chain.
+ certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER);
String c = get(host, port, true, serverPath, null, certApprovalCallback);
if (c != null) {