author | Christina Fu <cfu@redhat.com> | 2015-04-10 11:26:25 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2015-04-14 16:45:17 -0700 |
commit | 711d3ca66b6702a33839c3a436550464fa49d0d8 (patch) | |
tree | b9c037d045147eead5077e758608b66b84663fd3 /base/kra | |
parent | bdd5cc759f5d1642986330a4c29ccfa131ab034f (diff) | |
Ticket#1028 phase2: TPS rewrite: provide externalReg functionality
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handling of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
Diffstat (limited to 'base/kra')
-rw-r--r-- | base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 104 |
1 files changed, 63 insertions, 41 deletions
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index b59a8b942..79110f52b 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -22,6 +22,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.FilterOutputStream;
 import java.io.IOException;
 import java.io.PrintStream;
+import java.math.BigInteger;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.util.Hashtable;
@@ -287,8 +288,10 @@ public class TokenKeyRecoveryService implements IService {
 // retrieve based on Certificate
 String cert_s = request.getExtDataInString(ATTR_USER_CERT);
- if (cert_s == null) {
- CMS.debug("TokenKeyRecoveryService: not receive cert");
+ String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID);
+ /* have to have at least one */
+ if ((cert_s == null) && (keyid_s == null)) {
+ CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
 request.setExtData(IRequest.RESULT, Integer.valueOf(3));
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
@@ -301,13 +304,29 @@ public class TokenKeyRecoveryService implements IService {
 return false;
 }
- String cert = normalizeCertStr(cert_s);
+ String cert = null;
+ BigInteger keyid = null;
 java.security.cert.X509Certificate x509cert = null;
- try {
- x509cert = Cert.mapCert(cert);
- if (x509cert == null) {
- CMS.debug("cert mapping failed");
- request.setExtData(IRequest.RESULT, Integer.valueOf(5));
+ if (keyid_s == null) {
+ cert = normalizeCertStr(cert_s);
+ try {
+ x509cert = Cert.mapCert(cert);
+ if (x509cert == null) {
+ CMS.debug("cert mapping failed");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(5));
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+ return false;
+ }
+ } catch (IOException e) {
+ CMS.debug("TokenKeyRecoveryService: mapCert failed");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(6));
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
 auditSubjectID,
@@ -318,18 +337,8 @@ public class TokenKeyRecoveryService implements IService {
 audit(auditMessage);
 return false;
 }
- } catch (IOException e) {
- CMS.debug("TokenKeyRecoveryService: mapCert failed");
- request.setExtData(IRequest.RESULT, Integer.valueOf(6));
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
-
- audit(auditMessage);
- return false;
+ } else {
+ keyid = new BigInteger(keyid_s);
 }
 try {
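Review bot: `keyid = new BigInteger(keyid_s);` in the new else branch parses request-supplied data without catching NumberFormatException, so a malformed keyid leaves the method as an uncaught exception instead of taking the audited failure path (RESULT code plus LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED with ILogger.FAILURE) that every other rejection in this method uses. The rewritten else branch below wraps the parse in the same failure handling as the cert branch. Separately, `if (keyid_s == null)` in the first hunk routes a request that carries both a cert and a keyid down the keyid path, so the supplied certificate is ignored and the later public-key match is skipped; switching the branch condition to `if (cert_s != null) {` keeps the key-to-cert check whenever a cert is available (rejecting requests that carry both is the stricter alternative). The enclosing method starts and ends outside these hunks.
```java
            } else {
                try {
                    keyid = new BigInteger(keyid_s);
                } catch (NumberFormatException e) {
                    CMS.debug("TokenKeyRecoveryService: invalid keyid");
                    // RESULT code: choose one consistent with the existing failure codes in this method
                    request.setExtData(IRequest.RESULT, Integer.valueOf(6));
                    auditMessage = CMS.getLogMessage(
                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
                            auditSubjectID,
                            ILogger.FAILURE,
                            auditRecoveryID,
                            agentId);

                    audit(auditMessage);
                    return false;
                }
            }
            // … unchanged: key record lookup and recovery …
```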
@@ -346,7 +355,14 @@ public class TokenKeyRecoveryService implements IService {
 KeyRecord keyRecord = null;
 CMS.debug("KRA reading key record");
 try {
- keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
+ if (keyid != null) {
+ CMS.debug("TokenKeyRecoveryService: recover by keyid");
+ keyRecord = (KeyRecord) mStorage.readKeyRecord(keyid);
+ } else {
+ CMS.debug("TokenKeyRecoveryService: recover by cert");
+ keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
+ }
+
 if (keyRecord != null)
 CMS.debug("read key record");
 else {
@@ -389,25 +405,15 @@ public class TokenKeyRecoveryService implements IService {
 }
 // see if the certificate matches the key
- byte pubData[] = keyRecord.getPublicKeyData();
- byte inputPubData[] = x509cert.getPublicKey().getEncoded();
-
- if (inputPubData.length != pubData.length) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
-
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
- }
-
- for (int i = 0; i < pubData.length; i++) {
- if (pubData[i] != inputPubData[i]) {
+ byte pubData[] = null;
+ pubData = keyRecord.getPublicKeyData();
+ // but if search by keyid, did not come with a cert
+ // so can't check
+ if (keyid == null) {
+ // see if the certificate matches the key
+ byte inputPubData[] = x509cert.getPublicKey().getEncoded();
+
+ if (inputPubData.length != pubData.length) {
 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
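Review bot: `keyRecord = (KeyRecord) mStorage.readKeyRecord(keyid);` returns whichever record carries that id, and because the `if (keyid == null)` guard in the second hunk skips the public-key comparison on this path, nothing in the KRA ties the returned record to the token or user named in the request; the only control left is whatever authorization the caller performed before sending the keyid. Consider checking the record's owner metadata against the identity carried in the request before the key is unwrapped, and in any case state the assumption on the branch, e.g. `// keyid recovery: no cert to bind the record to; caller is trusted to have authorized this keyid`. The signed audit message emitted on this path is identical to the cert path, so the audit trail does not show which lookup mode was used; including the keyid or the lookup mode in the debug and audit output would help later incident review. The enclosing method continues outside these hunks.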
@@ -420,7 +426,23 @@ public class TokenKeyRecoveryService implements IService {
 throw new EKRAException(
 CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
 }
- }
+
+ for (int i = 0; i < pubData.length; i++) {
+ if (pubData[i] != inputPubData[i]) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ }
+ } // else, searched by keyid, can't check
 Type keyType = PrivateKey.RSA;
 byte wrapped[]; |
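Review bot: The re-added byte loop `for (int i = 0; i < pubData.length; i++) { if (pubData[i] != inputPubData[i]) {` repeats the entire length-mismatch failure block from the previous hunk and logs the length message CMSCORE_KRA_PUBLIC_KEY_LEN for a content mismatch as well. `if (!Arrays.equals(pubData, inputPubData)) {` (java.util.Arrays, which would need an import) covers both the length and content cases with one audited failure block and halves the code inside the `keyid == null` branch. In the same spirit, `byte pubData[] = null; pubData = keyRecord.getPublicKeyData();` in the previous hunk is better written as the single declaration `byte[] pubData = keyRecord.getPublicKeyData();`. The enclosing method continues past this hunk.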