authorChristina Fu <cfu@redhat.com>2017-06-14 14:57:10 -0700
committerChristina Fu <cfu@redhat.com>2017-06-15 12:03:14 -0700
commit63c9582009b3858a6878863b9658d04c9aad45c1 (patch)
tree82210aa52c0e4ab00b8f9412767afeaf4010b6d8 /base/server/cms/src/com/netscape/cms/servlet/base
parent1f9db90b4f490f615a67a0f2d26b378345c6ab6a (diff)
Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. Some auditing adjustments are also done.
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/base')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java10
1 files changed, 9 insertions, 1 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index 9dc74701a..65dc06aa3 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -843,6 +843,10 @@ public abstract class CMSServlet extends HttpServlet {
* get ssl client authenticated certificate
*/
protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq) throws EBaseException {
+ return getSSLClientCertificate(httpReq, true);
+ }
+
+ protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq, boolean clientCertRequired) throws EBaseException {
X509Certificate cert = null;
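Review bot: The new two-argument `getSSLClientCertificate(HttpServletRequest httpReq, boolean clientCertRequired)` overload carries no Javadoc, and the existing `get ssl client authenticated certificate` comment now only covers the one-argument form that delegates to it with `true`. Because the second hunk (L33 onward) makes this method return `null` when `clientCertRequired` is false and the request has no certificate attribute, that contract belongs on the signature so every caller knows it must null-check before comparing the result against anything: `/** Returns the SSL client certificate from the request; when {@code clientCertRequired} is false and no certificate was presented, returns {@code null} instead of throwing. */` plus `@throws EBaseException if {@code clientCertRequired} is true and no valid certificate was presented`. The method body continues into the next hunk and past the end of this excerpt, so I cannot see how the remaining lines treat the flag.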
@@ -855,7 +859,11 @@ public abstract class CMSServlet extends HttpServlet {
X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR);
if (allCerts == null || allCerts.length == 0) {
- throw new EBaseException("You did not provide a valid certificate for this operation");
+ if (!clientCertRequired) {
+ return null;
+ } else {
+ throw new EBaseException("You did not provide a valid certificate for this operation");
+ }
}
cert = allCerts[0];