authorChristina Fu <cfu@redhat.com>2017-05-15 18:15:36 -0700
committerChristina Fu <cfu@redhat.com>2017-05-17 11:45:14 -0700
commit3c43b1119ca978c296a38a9fe404e1c0cdcdab63 (patch)
treee232c34a1f4fdba15737e6d55c24ecfdaccfce13 /base/server/cms/src/com/netscape/cms/servlet/processors
parent75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 (diff)
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
This patch implements self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). This method is used when no signing cert has previously been issued to the user; once one is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which adds the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted. More will come in the next couple of CMC patches.
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/processors')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java35
1 files changed, 20 insertions, 15 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
index 70a4a421a..c57c53230 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
@@ -23,17 +23,6 @@ import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.cert.CertificateException;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.SEQUENCE;
@@ -56,6 +45,17 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.cms.servlet.base.CMSServlet;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
/**
* Process CRMF requests, according to RFC 2511
* See http://www.ietf.org/rfc/rfc2511.txt
@@ -98,6 +98,7 @@ public class CRMFProcessor extends PKIProcessor {
*/
private void verifyPOP(CertReqMsg certReqMsg)
throws EBaseException {
+ String method = "CRMFProcessor: verifyPOP: ";
String auditMessage = null;
String auditSubjectID = auditSubjectID();
@@ -118,7 +119,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.SUCCESS);
+ ILogger.SUCCESS,
+ "method=" + method);
audit(auditMessage);
} catch (Exception e) {
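Review bot: The success record here passes `"method=" + method` as the new fourth argument, while the three following hunks pass `method + e.toString()`, `method + "required POP missing"` and `method + eAudit1.toString()` without the `method=` key, so the same PROOF_OF_POSSESSION event is written in two different field formats, and because `method` ends in `": "` the success line also ends in a dangling separator. Pick one form for all four sites, e.g. `String method = "CRMFProcessor.verifyPOP";` with `"method=" + method` on success and `"method=" + method + " reason=" + <text>` on failure, so the audit consumer can parse the field consistently. Whether the message template for PROOF_OF_POSSESSION actually has a placeholder for this fourth argument is not visible in this diff and should be checked. The body of verifyPOP continues outside this hunk.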
@@ -131,7 +133,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + e.toString());
audit(auditMessage);
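Review bot: `method + e.toString()` writes the raw exception text into the audit record, and the same is done with `eAudit1.toString()` in the last hunk; for a POP verification failure that text may be derived from the submitted request, so a CR/LF or field separator in it would split or spoof an audit entry. Record a fixed reason plus the exception class in the audit message, e.g. `method + "POP verification failed: " + e.getClass().getName()`, and keep the full exception message in the debug log instead. The enclosing verifyPOP body runs beyond this hunk.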
@@ -148,7 +151,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + "required POP missing");
audit(auditMessage);
@@ -161,7 +165,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + eAudit1.toString());
audit(auditMessage);
}