author | Ade Lee <alee@redhat.com> | 2016-05-04 18:25:51 -0400 |
committer | Ade Lee <alee@redhat.com> | 2016-05-09 21:47:11 -0400 |
commit | 5384c8c21ed167e3b08f0d709c43a68fd49ffc38 (patch) | |
tree | 40e3df2dd35a289906cea538a3c5cd12cb364a23 /base/ca | |
parent | fe1f36dd601f5d8956cf6e1d9b1855b5ea755596 (diff) | |
Add realm to requests coming in from CA
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
Diffstat (limited to 'base/ca')
-rw-r--r-- | base/ca/shared/conf/registry.cfg | 10 | ||||
-rw-r--r-- | base/ca/src/com/netscape/ca/CAService.java | 64 |
2 files changed, 41 insertions, 33 deletions
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index 9cd4e6d5c..0bd7c0548 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -1,8 +1,11 @@
 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+constraintPolicy.authzRealmConstraintImpl.class=com.netscape.cms.profile.constraint.AuthzRealmConstraint
+constraintPolicy.authzRealmConstraintImpl.desc=Authz Realm Constraint
+constraintPolicy.authzRealmConstraintImpl.name=Authz Realm Constraint
 constraintPolicy.extensionConstraintImpl.class=com.netscape.cms.profile.constraint.ExtensionConstraint
 constraintPolicy.extensionConstraintImpl.desc=Extension Constraint
 constraintPolicy.extensionConstraintImpl.name=Extension Constraint
@@ -42,7 +45,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
 constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
 constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
 constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl
 defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
 defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
 defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -76,6 +79,9 @@ defaultPolicy.userSigningAlgDefaultImpl.name=User Supplied Signing Alg Default
 defaultPolicy.signingAlgDefaultImpl.class=com.netscape.cms.profile.def.SigningAlgDefault
 defaultPolicy.signingAlgDefaultImpl.desc=Signing Algorithm Default
 defaultPolicy.signingAlgDefaultImpl.name=Signing Algorithm Default
+defaultPolicy.authzRealmDefaultImpl.class=com.netscape.cms.profile.def.AuthzRealmDefault
+defaultPolicy.authzRealmDefaultImpl.desc=Authz Realm Default
+defaultPolicy.authzRealmDefaultImpl.name=Authz Realm Default
 defaultPolicy.authorityKeyIdentifierExtDefaultImpl.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
 defaultPolicy.authorityKeyIdentifierExtDefaultImpl.desc=Authority Key Identifier Extension Default
 defaultPolicy.authorityKeyIdentifierExtDefaultImpl.name=Authority Key Identifier Extension Default
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index db692e3d0..2b5d5f732 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -31,33 +31,6 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
 
-import netscape.security.extensions.CertInfo;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.Extension;
-import netscape.security.x509.LdapV3DNStrConverter;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.SerialNumber;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509ExtensionException;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.authority.ICertAuthority;
@@ -66,8 +39,8 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.MetaInfo;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.AuthorityID;
-import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.CANotFoundException;
+import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.ICAService;
 import com.netscape.certsrv.ca.ICRLIssuingPoint;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -95,6 +68,33 @@ import com.netscape.cmscore.dbs.RevocationInfo;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.extensions.CertInfo;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.Extension;
+import netscape.security.x509.LdapV3DNStrConverter;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.SerialNumber;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509ExtensionException;
+
 /**
 * Request Service for CertificateAuthority.
 */
@@ -377,11 +377,11 @@ public class CAService implements ICAService, IService {
 // short cut profile-based request
 if (isProfileRequest(request)) {
 try {
- CMS.debug("CAServic: x0 requestStatus="
+ CMS.debug("CAService: x0 requestStatus="
 + request.getRequestStatus().toString() + " instance=" + request);
 serviceProfileRequest(request);
 request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
- CMS.debug("CAServic: x1 requestStatus=" + request.getRequestStatus().toString());
+ CMS.debug("CAService: x1 requestStatus=" + request.getRequestStatus().toString());
 // store a message in the signed audit log file
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -394,7 +394,7 @@ public class CAService implements ICAService, IService {
 
 return true;
 } catch (EBaseException e) {
- CMS.debug("CAServic: x2 requestStatus=" + request.getRequestStatus().toString());
+ CMS.debug("CAService: x2 requestStatus=" + request.getRequestStatus().toString());
 // need to put error into the request
 CMS.debug("CAService: serviceRequest " + e.toString());
 request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
@@ -435,6 +435,8 @@ public class CAService implements ICAService, IService {
 return true;
 }
 
+ // NOTE to alee: The request must include the realm by this point.
+
 try {
 // send request to KRA first
 if (type.equals(IRequest.ENROLLMENT_REQUEST) &&
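Review bot: The comment added in the `@@ -435,6 +435,8 @@` hunk, `// NOTE to alee: The request must include the realm by this point.`, states a precondition that nothing in the hunk checks, and it reads as a personal reminder rather than documentation a maintainer can act on. Per the commit message the realm is only populated when the profile carries an AuthzRealmDefault, so requests from other profiles presumably reach this point without one, and the comment does not say whether that is acceptable before the request is sent to the KRA on the following lines. Suggest rewording it as an explicit precondition, e.g. `// Precondition: any realm for this request was set during profile processing (AuthzRealmDefault); it is not verified here before the request is forwarded to the KRA.`, or, if a missing realm is an error for KRA-bound enrollment requests, replacing the comment with a check that fails the request. The enclosing method starts before and ends after this hunk.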