author | Christina Fu <cfu@redhat.com> | 2017-06-26 18:09:55 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2017-07-07 16:51:22 -0700 |
commit | 65b1242cd139e6306fb3e039193a3a6b223ea9b1 (patch) | |
tree | f192920abad6f9c9546503ad07521c5a9e2aca4d /base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java | |
parent | 876d13c6d20e7e1235b9efbd601b47315debb492 (diff) | |
download | pki-65b1242cd139e6306fb3e039193a3a6b223ea9b1.tar.gz pki-65b1242cd139e6306fb3e039193a3a6b223ea9b1.tar.xz pki-65b1242cd139e6306fb3e039193a3a6b223ea9b1.zip |
Ticket #2757 CMC enrollment profiles for system certificates
This patch supports CMC-based system certificate requests.
This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URIs in web.xml as new access points
Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java | 48 |
1 files changed, 45 insertions, 3 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 66a356965..97d51715d 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.X509Certificate;
 import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.util.Enumeration;
@@ -247,6 +248,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 String auditCertSubject = ILogger.UNIDENTIFIED;
 String auditSignerInfo = ILogger.UNIDENTIFIED;
 
+ SessionContext auditContext = SessionContext.getExistingContext();
+ X509Certificate clientCert =
+ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+
 // ensure that any low-level exceptions are reported
 // to the signed audit log and stored as failures
 try {
@@ -362,7 +367,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 String userid = "defUser";
 String uid = "defUser";
 if (checkSignerInfo) {
- IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
+ IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
 if (agentToken == null) {
 CMS.debug(method + "agentToken null");
 throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
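Review bot: In the hunk at `@@ -247,6 +248,10 @@`, `auditContext.get(SessionContext.SSL_CLIENT_CERT)` is called immediately after `SessionContext.getExistingContext()` with no null check, so if no session context exists for the current thread — which the null guard the same commit adds inside verifySignerInfo suggests is possible — authenticate() fails with a NullPointerException before the audited try block is entered, rather than with an authentication failure. The `clientCert` local computed here is also not used anywhere in the visible hunks; verifySignerInfo re-reads the certificate from the context itself. I would drop the local and guard the context at the point of retrieval, e.g. `SessionContext auditContext = SessionContext.getExistingContext();` followed by `if (auditContext == null) { throw new EBaseException("CMCAuth: no session context for request"); }`, so that the later null guard in verifySignerInfo is reachable rather than dead. authenticate() begins and ends outside this hunk.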
@@ -813,8 +818,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 level, "CMC Authentication: " + msg);
 }
 
- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
-
+ protected IAuthToken verifySignerInfo(
+ SessionContext auditContext,
+ AuthToken authToken,
+ SignedData cmcFullReq) throws EBaseException {
+ String method = "CMCAuth: verifySignerInfo: ";
+ String msg = "";
 EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
 OBJECT_IDENTIFIER id = ci.getContentType();
 OCTET_STRING content = ci.getContent();
@@ -823,6 +832,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 CryptoToken signToken = null;
 CryptoToken savedToken = null;
 CryptoManager cm = null;
+
+ if (auditContext == null) {
+ CMS.debug(method + " auditConext can't be null");
+ return null;
+ }
 try {
 cm = CryptoManager.getInstance();
 ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
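Review bot: The new `auditContext` parameter on verifySignerInfo is undocumented, and nothing at the signature says what the method expects to find in it even though the method now fails when it is absent; a Javadoc line such as `@param auditContext session context of the request; must carry the SSL client certificate under SessionContext.SSL_CLIENT_CERT, otherwise the signer cannot be verified` would make the new precondition visible to any caller other than authenticate(). The method body continues past this hunk.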
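Review bot: The debug message on the new null guard in the hunk at `@@ -823,6 +832,11 @@` misspells the variable name (`auditConext`) and carries a double space, since `method` already ends in a space: `CMS.debug(method + "auditContext can't be null");`. Returning null here also means the caller only reports the generic "agent verifySignerInfo failure", whereas the client-certificate checks added later in this same method throw EMissingCredential with a user message; throwing the same exception type here would keep a missing session context distinguishable from a bad signature in the audit trail. verifySignerInfo begins and ends outside this hunk.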
@@ -910,6 +924,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 si.verify(digest, id);
 } else {
 CMS.debug("CMCAuth: found signing cert... verifying");
+
+ X509Certificate clientCert =
+ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+ if (clientCert == null) {
+ // createAuditSubjectFromCert(auditContext, x509Certs[0]);
+ msg = "missing SSL client authentication certificate;";
+ CMS.debug(method + msg);
+ s.close();
+ throw new EMissingCredential(
+ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
+ }
+ netscape.security.x509.X500Name clientPrincipal =
+ (X500Name) clientCert.getSubjectDN();
+
+ netscape.security.x509.X500Name cmcPrincipal =
+ (X500Name) x509Certs[0].getSubjectDN();
+
+ // check ssl client cert against cmc signer
+ if (!clientPrincipal.equals(cmcPrincipal)) {
+ msg = "SSL client authentication certificate and CMC signer do not match";
+ CMS.debug(method + msg);
+ s.close();
+ throw new EInvalidCredentials(
+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+ } else {
+ CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+ }
+
 PublicKey signKey = cert.getPublicKey();
 PrivateKey.Type keyType = null;
 String alg = signKey.getAlgorithm();
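Review bot: The binding between the TLS client certificate and the CMC signer is only by subject DN (`clientPrincipal.equals(cmcPrincipal)`), so any certificate carrying the same subject name — a reissued or otherwise differently-keyed certificate for that name — satisfies the check; if the intent is that the request be signed with the very certificate presented in the TLS handshake, compare the certificates themselves, e.g. `if (!clientCert.equals(cert)) {` (or issuer DN plus serial number), and if name-level matching is deliberate, say so in the `// check ssl client cert against cmc signer` comment. The signer DN is taken from `x509Certs[0]` while the signature is verified two lines later with `cert.getPublicKey()`; unless code outside this hunk guarantees that `x509Certs[0]` is `cert`, the check and the verification can refer to different certificates, so deriving the DN from `cert` is the safer choice. The check also sits only on the `} else {` path; the branch above it that ends in `si.verify(digest, id)` is not covered, which is worth confirming cannot authenticate an agent on its own. verifySignerInfo begins and ends outside this hunk.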