authorChristina Fu <cfu@redhat.com>2017-05-15 18:15:36 -0700
committerChristina Fu <cfu@redhat.com>2017-05-17 11:45:14 -0700
commit3c43b1119ca978c296a38a9fe404e1c0cdcdab63 (patch)
treee232c34a1f4fdba15737e6d55c24ecfdaccfce13 /base/server/cms/src/com/netscape
parent75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 (diff)
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
This patch implements self-signed CMC requests, where the CMC request is signed with the private key corresponding to the public key in the underlying request (PKCS#10 or CRMF). This method is used when no signing cert has yet been issued to the user; once one is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which adds the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted. More will come in the next couple of CMC patches.
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r--base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java543
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java223
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java37
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java21
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java19
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java35
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java49
7 files changed, 629 insertions, 298 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index a72ce5863..2128c1e30 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -39,6 +39,7 @@ import java.util.Vector;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.asn1.ASN1Util;
+import org.mozilla.jss.asn1.BIT_STRING;
import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
@@ -66,6 +67,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest;
import org.mozilla.jss.pkix.crmf.CertTemplate;
import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
import org.mozilla.jss.pkix.primitive.Name;
+import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
@@ -90,6 +92,9 @@ import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
import netscape.security.pkcs.PKCS10;
+import netscape.security.x509.KeyIdentifier;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectKeyIdentifierExtension;
import netscape.security.x509.X500Name;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
@@ -103,14 +108,15 @@ import netscape.security.x509.X509Key;
/**
* User Signed CMC authentication plug-in
* note:
- * - this version differs from CMCAuth in that it allows non-agent users
- * to sign own cmc requests; It is expected to be used with
- * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
- * so that the resulting cert will bear the same subjectDN of that of the CMC
- * signing cert
- * - it originates from CMCAuth with modification for user-signed cmc
+ * - this version differs from CMCAuth in that it allows non-agent users
+ * to sign own cmc requests; It is expected to be used with
+ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
+ * so that the resulting cert will bear the same subjectDN of that of the CMC
+ * signing cert
+ * - it originates from CMCAuth with modification for user-signed cmc
+ *
* @author cfu - user signed cmc authentication
- * <P>
+ * <P>
*
* @version $Revision$, $Date$
*/
@@ -121,6 +127,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
// default parameters //
////////////////////////
+ // only one request for self-signed
+ boolean selfSigned = false;
+ SubjectKeyIdentifierExtension selfsign_skiExtn = null;
+ PK11PubKey selfsign_pubK = null;
+ byte[] selfsign_digest = null;
+
/////////////////////////////
// IAuthManager parameters //
/////////////////////////////
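Review bot: The new fields `selfSigned`, `selfsign_skiExtn`, `selfsign_pubK` and `selfsign_digest` hold per-request state on the plug-in instance, and an IAuthManager instance is, as far as I can tell from this view, shared across concurrent authenticate() calls, so two overlapping CMC requests can overwrite each other's key, digest and SKI between the point where verifySignerInfo() writes them and the point where verifySelfSignedCMC() reads them (the SUBJECT_KEY_IDENTIFIER branch and the verifySelfSignedCMC() hunk later in this file). That would allow one request's CMC signature to be checked against another request's public key. `selfSigned` is also never reset at the start of authenticate(), so when `cmc.signerInfo.verify` is false it keeps whatever the previous request left behind. I would drop the fields, keep these values as locals in authenticate() and pass them explicitly, e.g. `verifySelfSignedCMC(selfsign_signerInfo, id, skiExtn, pubK, digest)`, or at minimum make them `private` and reset them at the top of authenticate().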
@@ -144,8 +156,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
* for instances of this implementation can be configured through the
* console.
*/
- protected static String[] mConfigParams =
- new String[] {};
+ protected static String[] mConfigParams = new String[] {};
/* authentication plug-in values */
@@ -171,7 +182,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
mExtendedPluginInfo
.add(IExtendedPluginInfo.HELP_TEXT +
- ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\"");
+ ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\"");
mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
";configuration-authentication");
}
@@ -185,10 +196,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
/* signed audit parameters */
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
- private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE =
- "enrollment";
- private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
- "revocation";
+ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment";
+ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation";
/////////////////////
// default methods //
@@ -228,7 +237,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
* <P>
*
* <ul>
- * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC
+ * (user-pre-signed or self-signed) cert
* requests or revocation requests are submitted and signature is verified
* </ul>
*
@@ -245,6 +255,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials,
EBaseException {
String method = "CMCUserSignedAuth: authenticate: ";
+ String msg = "";
CMS.debug(method + "begins");
String auditMessage = null;
@@ -273,40 +284,19 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
if (cmc == null) {
CMS.debug(method + " Authentication failed. Missing CMC.");
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
-
- audit(auditMessage);
-
throw new EMissingCredential(CMS.getUserMessage(
"CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC));
}
if (cmc.equals("")) {
- log(ILogger.LL_FAILURE,
- "cmc : attempted login with empty CMC.");
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
-
- audit(auditMessage);
-
- throw new EInvalidCredentials(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ msg = "attempted login with empty cert_request in authCred.";
+ CMS.debug(method + msg);
+
+ throw new EInvalidCredentials(msg);
}
+ SessionContext auditContext = SessionContext.getExistingContext();
+
// authenticate by checking CMC.
// everything OK.
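Review bot: The empty-CMC branch now throws `EInvalidCredentials(msg)` with an internal English string where the old code used `CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")`, so the client-facing message is no longer localized and differs from the other EInvalidCredentials thrown in this class; keep `CMS.debug(method + msg)` and throw the user message as before. The removed audit calls appear to be covered by the new catch-all added to the audit section later in this method, though that depends on every failure here propagating as an exception. `cmc.equals("")` reads better as `cmc.isEmpty()`.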
@@ -330,84 +320,88 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
asciiBASE64Blob = cmc;
byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
- ByteArrayInputStream cmcBlobIn = new
- ByteArrayInputStream(cmcBlob);
+ ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob);
org.mozilla.jss.pkix.cms.ContentInfo cmcReq =
- (org.mozilla.jss.pkix.cms.ContentInfo)
- org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(
+ (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
+ .getTemplate().decode(
cmcBlobIn);
if (!cmcReq.getContentType().equals(
org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
!cmcReq.hasContent()) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
- audit(auditMessage);
-
- // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT);
-
- throw new EBaseException("NO_CMC_CONTENT");
+ cmcBlobIn.close();
+ msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA";
+ CMS.debug(msg);
+ throw new EBaseException(msg);
}
- SignedData cmcFullReq = (SignedData)
- cmcReq.getInterpretedContent();
+ SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent();
+
+ String userid = ILogger.UNIDENTIFIED;
+ String uid = ILogger.UNIDENTIFIED;
IConfigStore cmc_config = CMS.getConfigStore();
- boolean checkSignerInfo =
- cmc_config.getBoolean("cmc.signerInfo.verify", true);
- String userid = "defUser";
- String uid = "defUser";
+ boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true);
if (checkSignerInfo) {
- IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq);
+ // selfSigned will be set in verifySignerInfo if applicable
+ IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
if (userToken == null) {
- CMS.debug(method + " authenticate() userToken null");
- throw new EBaseException(method + " verifySignerInfo failure");
+ msg = "userToken null; verifySignerInfo failure";
+ CMS.debug(method + msg);
+ throw new EBaseException(msg);
+ } else {
+ if (selfSigned) {
+ CMS.debug(method
+ + " self-signed cmc request will not have user identification info at this point.");
+ auditSignerInfo = "selfSigned";
+ } else {
+ CMS.debug(method + "signed with user cert");
+ userid = userToken.getInString("userid");
+ uid = userToken.getInString("cn");
+ if (userid == null && uid == null) {
+ msg = " verifySignerInfo failure... missing userid and cn";
+ CMS.debug(method + msg);
+ throw new EBaseException(msg);
+ }
+ // reset value of auditSignerInfo
+ if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) {
+ CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
+ auditSignerInfo = uid.trim();
+ auditSubjectID = uid.trim();
+ authToken.set(IAuthToken.USER_ID, auditSubjectID);
+ } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) {
+ CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
+ auditSignerInfo = userid.trim();
+ auditSubjectID = userid.trim();
+ authToken.set(IAuthToken.USER_ID, auditSubjectID);
+ }
+ }
}
- userid = userToken.getInString("userid");
- uid = userToken.getInString("cn");
} else {
- CMS.debug(method + " authenticate() signerInfo verification bypassed");
- }
- // reset value of auditSignerInfo
- if (uid != null) {
- auditSignerInfo = uid.trim();
+ CMS.debug(method + " signerInfo verification bypassed");
}
EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+ SET sis = cmcFullReq.getSignerInfos();
+ // only one SignerInfo for selfSigned
+ org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo =
+ (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0);
OBJECT_IDENTIFIER id = ci.getContentType();
if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
!ci.hasContent()) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
-
- audit(auditMessage);
+ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData";
+ CMS.debug(method + msg);
- // throw new ECMSGWException(
- // CMSGWResources.NO_PKIDATA);
-
- throw new EBaseException("NO_PKIDATA");
+ throw new EBaseException(msg);
}
OCTET_STRING content = ci.getContent();
- ByteArrayInputStream s = new
- ByteArrayInputStream(content.toByteArray());
+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
SEQUENCE reqSequence = pkiData.getReqSequence();
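Review bot: `sis.elementAt(0)` at the `selfsign_signerInfo` assignment assumes the SignedData carries exactly one SignerInfo, but nothing in this hunk enforces that, and verifySignerInfo() sets `selfSigned` from whichever SignerInfo it is iterating (its SUBJECT_KEY_IDENTIFIER branch in a later hunk). A request with several SignerInfos would have its signature checked against a different SignerInfo than the one that marked it self-signed, and an empty set throws an index error when signer verification is bypassed. The existing comment in verifySignerInfo() already states the RFC 5272 rule that a request-key-signed CMC MUST have only one SignerInfo, so enforce it here before the cast: `if (selfSigned && sis.size() != 1) { msg = "self-signed cmc request must have exactly one SignerInfo"; CMS.debug(method + msg); throw new EInvalidCredentials(msg); }`. The message literal `cmc rquest content type is not ContentInfo.SIGNED_DATA` also has a typo.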
@@ -426,13 +420,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
if (controlSize > 0) {
for (int i = 0; i < controlSize; i++) {
- TaggedAttribute taggedAttribute =
- (TaggedAttribute) controlSequence.elementAt(i);
+ TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence.elementAt(i);
OBJECT_IDENTIFIER type = taggedAttribute.getType();
if (type.equals(
OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
-/* TODO: user-signed revocation to be handled in next ticket
+ /* TODO: user-signed revocation to be handled in next ticket
// if( i ==1 ) {
// taggedAttribute.getType() ==
// OBJECT_IDENTIFIER.id_cmc_revokeRequest
@@ -479,10 +472,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
Integer IntObject = Integer.valueOf((int) reasonCode);
authToken.set(REASON_CODE, IntObject);
- authToken.set("uid", uid);
- authToken.set("userid", userid);
+
+ //authToken.set("uid", uid);
+ //authToken.set("userid", userid);
+
}
-*/
+ */
+
}
}
@@ -499,8 +495,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
for (int i = 0; i < numReqs; i++) {
// decode message.
- TaggedRequest taggedRequest =
- (TaggedRequest) reqSequence.elementAt(i);
+ TaggedRequest taggedRequest = (TaggedRequest) reqSequence.elementAt(i);
TaggedRequest.Type type = taggedRequest.getType();
@@ -508,18 +503,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
CMS.debug(method + " type is PKCS10");
authToken.set("cert_request_type", "cmc-pkcs10");
- TaggedCertificationRequest tcr =
- taggedRequest.getTcr();
+ TaggedCertificationRequest tcr = taggedRequest.getTcr();
int p10Id = tcr.getBodyPartID().intValue();
reqIdArray[i] = String.valueOf(p10Id);
- CertificationRequest p10 =
- tcr.getCertificationRequest();
+ CertificationRequest p10 = tcr.getCertificationRequest();
// transfer to sun class
- ByteArrayOutputStream ostream =
- new ByteArrayOutputStream();
+ ByteArrayOutputStream ostream = new ByteArrayOutputStream();
p10.encode(ostream);
boolean sigver = true;
@@ -533,8 +525,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
try {
cm = CryptoManager.getInstance();
if (sigver == true) {
- String tokenName =
- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
+ CryptoUtil.INTERNAL_TOKEN_NAME);
savedToken = cm.getThreadToken();
signToken = CryptoUtil.getCryptoToken(tokenName);
if (!savedToken.getName().equals(signToken.getName())) {
@@ -543,65 +535,92 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
}
}
- PKCS10 pkcs10 =
- new PKCS10(ostream.toByteArray(), sigver);
+ PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);
+ // reset value of auditCertSubject
+ X500Name tempName = pkcs10.getSubjectName();
+ CMS.debug(method + "request subject name=" + tempName.toString());
+ if (tempName != null) {
+ auditCertSubject = tempName.toString().trim();
+ if (auditCertSubject.equals("")) {
+ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
+ auditCertSubject/*tempName.toString()*/);
+ }
+
+ if (selfSigned) {
+ // prepare for checking SKI extension
+ try {
+ selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil
+ .getExtensionFromPKCS10(pkcs10, "SubjectKeyIdentifier");
+ if (selfsign_skiExtn != null)
+ CMS.debug(method + "SubjectKeyIdentifierExtension found:");
+ else {
+ msg = "missing SubjectKeyIdentifierExtension in request";
+ CMS.debug(method + msg);
+ throw new EBaseException(msg);
+ }
+ } catch (IOException e) {
+ msg = method + "SubjectKeyIdentifierExtension not found:" + e;
+ CMS.debug(msg);
+ throw new EBaseException(msg);
+ } catch (Exception e) {
+ msg = method + "SubjectKeyIdentifierExtension not found:" + e;
+ CMS.debug(msg);
+ throw new EBaseException(msg);
+ }
+
+ X509Key pubKey = pkcs10.getSubjectPublicKeyInfo();
+ PrivateKey.Type keyType = null;
+ String alg = pubKey.getAlgorithm();
+
+ if (alg.equals("RSA")) {
+ CMS.debug(method + "signing key alg=RSA");
+ keyType = PrivateKey.RSA;
+ selfsign_pubK = PK11PubKey.fromRaw(keyType, pubKey.getKey());
+ } else if (alg.equals("EC")) {
+ CMS.debug(method + "signing key alg=EC");
+ keyType = PrivateKey.EC;
+ byte publicKeyData[] = (pubKey).getEncoded();
+ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
+ } else {
+ msg = "unsupported signature algorithm: " + alg;
+ CMS.debug(method + msg);
+ throw new EInvalidCredentials(msg);
+ }
+ CMS.debug(method + "public key retrieved");
+ verifySelfSignedCMC(selfsign_signerInfo, id);
+
+ } //selfSigned
// xxx do we need to do anything else?
- X509CertInfo certInfo =
- CMS.getDefaultX509CertInfo();
+ X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
// fillPKCS10(certInfo,pkcs10,authToken,null);
// authToken.set(
// pkcs10.getSubjectPublicKeyInfo());
- X500Name tempName = pkcs10.getSubjectName();
-
- // reset value of auditCertSubject
- if (tempName != null) {
- auditCertSubject =
- tempName.toString().trim();
- if (auditCertSubject.equals("")) {
- auditCertSubject =
- ILogger.SIGNED_AUDIT_EMPTY_VALUE;
- }
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
- tempName.toString());
- }
-
+ /*
authToken.set("uid", uid);
authToken.set("userid", userid);
+ */
certInfoArray[i] = certInfo;
} catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
-
- audit(auditMessage);
-
- //throw new ECMSGWException(
- //CMSGWResources.ERROR_PKCS101, e.toString());
-
e.printStackTrace();
throw new EBaseException(e.toString());
} finally {
- if ((sigver == true) && (tokenSwitched == true)){
+ if ((sigver == true) && (tokenSwitched == true)) {
cm.setThreadToken(savedToken);
}
- }
+ }
} else if (type.equals(TaggedRequest.CRMF)) {
CMS.debug(method + " type is CRMF");
authToken.set("cert_request_type", "cmc-crmf");
try {
- CertReqMsg crm =
- taggedRequest.getCrm();
+ CertReqMsg crm = taggedRequest.getCrm();
CertRequest certReq = crm.getCertReq();
INTEGER reqID = certReq.getCertReqId();
reqIdArray[i] = reqID.toString();
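Review bot: `tempName.toString()` in the debug line right after `pkcs10.getSubjectName()` runs before the `if (tempName != null)` guard on the next line, so a request without a subject name fails with a NullPointerException instead of taking the guarded path; move the debug call inside the `if`. The two catch blocks around `getExtensionFromPKCS10` are identical, and the generic `catch (Exception e)` also catches the EBaseException thrown for a missing SKI and re-labels it as "SubjectKeyIdentifierExtension not found:", hiding the actual reason; a single catch with the missing-extension throw moved after the try keeps both messages accurate. `byte publicKeyData[]` should be `byte[] publicKeyData` for consistency with the rest of the file. The enclosing per-request loop and the try that opens with `cm = CryptoManager.getInstance();` begin outside this hunk.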
@@ -609,70 +628,82 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
Name name = template.getSubject();
// xxx do we need to do anything else?
- X509CertInfo certInfo =
- CMS.getDefaultX509CertInfo();
+ X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
// reset value of auditCertSubject
if (name != null) {
String ss = name.getRFC1485();
+ CMS.debug(method + "setting auditCertSubject to: " + ss);
auditCertSubject = ss;
if (auditCertSubject.equals("")) {
- auditCertSubject =
- ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
- authToken.set("uid", uid);
- authToken.set("userid", userid);
+ //authToken.set("uid", uid);
+ //authToken.set("userid", userid);
}
certInfoArray[i] = certInfo;
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
- audit(auditMessage);
+ if (selfSigned) {
+ selfsign_skiExtn =
+ (SubjectKeyIdentifierExtension) CryptoUtil
+ .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id);
+ if (selfsign_skiExtn != null) {
+ CMS.debug(method +
+ "SubjectKeyIdentifierExtension found");
+ } else {
+ CMS.debug(method +
+ "SubjectKeyIdentifierExtension not found");
+ }
+
+ // get public key for verifying signature later
+ SubjectPublicKeyInfo pkinfo = template.getPublicKey();
+ PrivateKey.Type keyType = null;
+ String alg = pkinfo.getAlgorithm();
+ BIT_STRING bitString = pkinfo.getSubjectPublicKey();
+ byte[] publicKeyData = bitString.getBits();
+ if (alg.equals("RSA")) {
+ CMS.debug(method + "signing key alg=RSA");
+ keyType = PrivateKey.RSA;
+ selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData);
+ } else if (alg.equals("EC")) {
+ CMS.debug(method + "signing key alg=EC");
+ keyType = PrivateKey.EC;
+ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
+ } else {
+ msg = "unsupported signature algorithm: " + alg;
+ CMS.debug(method + msg);
+ throw new EInvalidCredentials(msg);
+ }
+ CMS.debug(method + "public key retrieved");
- //throw new ECMSGWException(
- //CMSGWResources.ERROR_PKCS101, e.toString());
+ verifySelfSignedCMC(selfsign_signerInfo, id);
+ } //selfSigned
+ } catch (Exception e) {
e.printStackTrace();
+ cmcBlobIn.close();
+ s.close();
throw new EBaseException(e.toString());
}
}
- // authToken.set(AgentAuthentication.CRED_CERT, new
- // com.netscape.certsrv.usrgrp.Certificates(
- // x509Certs));
}
}
+
+ authToken.set("uid", uid);
+ authToken.set("userid", userid);
} catch (Exception e) {
CMS.debug(method + e);
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
- auditSignerInfo);
-
- audit(auditMessage);
-
//Debug.printStackTrace(e);
- throw new EInvalidCredentials(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(e.toString());
}
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,
auditSubjectID,
ILogger.SUCCESS,
auditReqType,
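Review bot: In the CRMF self-signed branch a missing SubjectKeyIdentifier extension is only logged (`SubjectKeyIdentifierExtension not found`) and processing continues, whereas the PKCS#10 branch in the previous hunk rejects the request; the CRMF request then fails only because `selfsign_skiExtn.get(...)` dereferences null inside verifySelfSignedCMC(). Make the two paths agree by replacing the else-branch debug with `msg = "missing SubjectKeyIdentifierExtension in request"; CMS.debug(method + msg); throw new EBaseException(msg);`. Separately, the outer `throw new EInvalidCredentials(e.toString())` now returns the raw exception text to the client where the old code returned the localized CMS_AUTHENTICATION_INVALID_CREDENTIAL message; keep the detail in CMS.debug and the audit record and return the user message. The `cmcBlobIn.close()` and `s.close()` calls inside the catch block do not run on the success path; a finally would cover both.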
@@ -687,12 +718,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
CMS.debug(method + eAudit1);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
auditSubjectID,
ILogger.FAILURE,
auditReqType,
auditCertSubject,
- auditSignerInfo);
+ auditSignerInfo,
+ eAudit1.toString());
audit(auditMessage);
@@ -702,12 +734,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
CMS.debug(method + eAudit2);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
auditSubjectID,
ILogger.FAILURE,
auditReqType,
auditCertSubject,
- auditSignerInfo);
+ auditSignerInfo,
+ eAudit2.toString());
audit(auditMessage);
@@ -717,17 +750,70 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
CMS.debug(method + eAudit3);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
auditSubjectID,
ILogger.FAILURE,
auditReqType,
auditCertSubject,
- auditSignerInfo);
+ auditSignerInfo,
+ eAudit3.toString());
audit(auditMessage);
// rethrow the specific exception to be handled later
throw eAudit3;
+ } catch (Exception eAudit4) {
+ CMS.debug(method + eAudit4);
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo,
+ eAudit4.toString());
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit4;
+ }
+ }
+
+ /*
+ * verifySelfSignedCMC() verifies the following
+ * a. the required (per RFC 5272) SKI extension in the request matches that in the
+ * SignerIdentifier
+ * b. the signature in the request
+ */
+ protected void verifySelfSignedCMC(
+ org.mozilla.jss.pkix.cms.SignerInfo signerInfo,
+ OBJECT_IDENTIFIER id)
+ throws EBaseException {
+ String method = "CMCUserSignedAuth: verifySelfSignedCMC: ";
+ CMS.debug(method + "begins");
+ try {
+ SignerIdentifier sid = signerInfo.getSignerIdentifier();
+ OCTET_STRING subjKeyId = sid.getSubjectKeyIdentifier();
+ KeyIdentifier keyIdObj =
+ (KeyIdentifier) selfsign_skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID);
+ boolean match = CryptoUtil.compare(subjKeyId.toByteArray(), keyIdObj.getIdentifier());
+ if (match) {
+ CMS.debug(method +
+ " SignerIdentifier SUBJECT_KEY_IDENTIFIER matches SKI of request");
+ } else {
+ CMS.debug(method +
+ " SignerIdentifier SUBJECT_KEY_IDENTIFIER failed to match");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ // verify sig using public key in request
+ CMS.debug(method + "verifying request signature with public key");
+ signerInfo.verify(selfsign_digest, id, selfsign_pubK);
+ CMS.debug(method + " signature verified");
+ } catch (Exception e) {
+ CMS.debug(method + e.toString());
+ throw new EBaseException(method + e.toString());
}
}
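Review bot: verifySelfSignedCMC()'s `catch (Exception e)` also catches the EInvalidCredentials it throws itself on an SKI mismatch and rewraps it as a plain EBaseException, so the caller's EInvalidCredentials handling and its audit path never see the specific type; add `catch (EBaseException e) { throw e; }` ahead of the generic catch, or wrap only the JSS exceptions. A null `selfsign_skiExtn` (the CRMF path in the earlier hunk can reach here without one) surfaces as a NullPointerException wrapped in EBaseException rather than a clear message, so a guard such as `if (selfsign_skiExtn == null) throw new EInvalidCredentials("missing SubjectKeyIdentifier extension in request");` belongs before the `get(...)`. The header comment documents a protected method but is a plain block comment; make it Javadoc (`/**`) with `@param signerInfo`, `@param id` and `@throws EBaseException`.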
@@ -825,10 +911,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
level, "CMC User Signed Authentication: " + msg);
}
- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
+ /**
+ * User-signed CMC requests can be signed in two ways:
+ * a. signed with previously issued user signing cert
+ * b. self-signed with the private key paired with the public key in
+ * the request
+ *
+ * In case "a", the resulting authToke would contain
+ * (IAuthManager.CRED_CMC_SIGNING_CERT, signing cert serial number)
+ * In case "b", the resulting authToke would not contain the attribute
+ * IAuthManager.CRED_CMC_SIGNING_CERT
+ */
+ protected IAuthToken verifySignerInfo(
+ SessionContext auditContext, // to capture info in case of failure
+ AuthToken authToken,
+ SignedData cmcFullReq)
+ throws EBaseException {
String method = "CMCUserSignedAuth: verifySignerInfo: ";
CMS.debug(method + "begins");
-
EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
OBJECT_IDENTIFIER id = ci.getContentType();
OCTET_STRING content = ci.getContent();
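Review bot: The new Javadoc on verifySignerInfo() spells `authToke` twice where it means `authToken`, and case "b" only says what the token lacks; the SUBJECT_KEY_IDENTIFIER branch later in this method sets `IAuthManager.CRED_CMC_SELF_SIGNED` to `"true"`, which is what callers will actually test for, so state it: `In case "b", the resulting authToken contains (IAuthManager.CRED_CMC_SELF_SIGNED, "true") and no CRED_CMC_SIGNING_CERT.` The `auditContext` parameter should also get an `@param` noting it must be non-null, since the method writes `SessionContext.USER_ID` into it without a check. The method body continues past this hunk.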
@@ -849,13 +949,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
//if request key is used for signing, there MUST be only one signerInfo
//object in the signedData object.
for (int i = 0; i < numDig; i++) {
- AlgorithmIdentifier dai =
- (AlgorithmIdentifier) dais.elementAt(i);
- String name =
- DigestAlgorithm.fromOID(dai.getOID()).toString();
+ AlgorithmIdentifier dai = (AlgorithmIdentifier) dais.elementAt(i);
+ String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
- MessageDigest md =
- MessageDigest.getInstance(name);
+ MessageDigest md = MessageDigest.getInstance(name);
byte[] digest = md.digest(content.toByteArray());
@@ -867,6 +964,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
for (int i = 0; i < numSis; i++) {
org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
+ //selfsign_SignerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
String name = si.getDigestAlgorithm().toString();
byte[] digest = digs.get(name);
@@ -879,11 +977,14 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
digest = md.digest(ostream.toByteArray());
}
+
// signed by previously certified signature key
SignerIdentifier sid = si.getSignerIdentifier();
- // TODO: need to handle signing key being the matching key from
- // the request
if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
+ CMS.debug(method + "SignerIdentifier type: ISSUER_AND_SERIALNUMBER");
+ selfSigned = false;
+ CMS.debug(method + "selfSigned is false");
+
IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber();
// find from the certs in the signedData
java.security.cert.X509Certificate cert = null;
@@ -899,14 +1000,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
Name issuer = certI.getIssuer();
byte[] issuerB = ASN1Util.encode(issuer);
-CMS.debug(method + "issuer = " + new String(issuerB));
INTEGER sn = certI.getSerialNumber();
// if this cert is the signer cert, not a cert in the chain
if (new String(issuerB).equals(new String(
ASN1Util.encode(issuerAndSerialNumber.getIssuer())))
&& sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) {
- ByteArrayOutputStream os = new
- ByteArrayOutputStream();
+ ByteArrayOutputStream os = new ByteArrayOutputStream();
certJss.encode(os);
certByteArray = os.toByteArray();
@@ -919,13 +1018,23 @@ CMS.debug(method + "issuer = " + new String(issuerB));
}
}
+
CMS.debug(method + "start checking signature");
+ String CN = null;
if (cert == null) {
// find from certDB
CMS.debug(method + "verifying signature");
si.verify(digest, id);
} else {
CMS.debug(method + "found signing cert... verifying");
+
+ //capture auditSubjectID first in case of failure
+ netscape.security.x509.X500Name tempPrincipal =
+ (X500Name) x509Certs[0].getSubjectDN();
+ CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
+ CMS.debug(method + " Principal name = " + CN);
+ auditContext.put(SessionContext.USER_ID, CN);
+
PublicKey signKey = cert.getPublicKey();
PrivateKey.Type keyType = null;
String alg = signKey.getAlgorithm();
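Review bot: The newly added CN capture takes the subject from `x509Certs[0]`, while the signer was located a few lines earlier by issuer/serial match and is held in `cert`; when the SignedData carries a chain (the existing comment above distinguishes "the signer cert" from "a cert in the chain"), index 0 is not guaranteed to be the signer, so the audit user id can name the wrong certificate. Use the matched certificate instead, `(X500Name) cert.getSubjectDN()`, assuming `cert` is assigned the matched entry in the lines outside this hunk, which the visible code suggests but does not show. Because `auditContext.put(SessionContext.USER_ID, CN)` runs before `isCertValid` and the signature check, USER_ID at this point is a claimed, unverified identity; a comment such as `// unverified: signer cert not yet validated; captured for audit attribution only` would keep later readers from treating it as authenticated. `auditContext` is also dereferenced without a null check although it comes from `SessionContext.getExistingContext()`.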
@@ -942,21 +1051,24 @@ CMS.debug(method + "issuer = " + new String(issuerB));
pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
} else {
CMS.debug(method + "unsupported signature algorithm: " + alg);
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ s.close();
+ throw new EInvalidCredentials(
+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
- String tokenName =
- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
+ CryptoUtil.INTERNAL_TOKEN_NAME);
// by default JSS will use internal crypto token
if (!CryptoUtil.isInternalToken(tokenName)) {
savedToken = cm.getThreadToken();
signToken = CryptoUtil.getCryptoToken(tokenName);
- if(signToken != null) {
+ if (signToken != null) {
cm.setThreadToken(signToken);
tokenSwitched = true;
- CMS.debug(method + "verifySignerInfo token switched:"+ tokenName);
+ CMS.debug(method + "verifySignerInfo token switched:" + tokenName);
} else {
- CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal");
+ CMS.debug(method + "verifySignerInfo token not found:" + tokenName
+ + ", trying internal");
}
}
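Review bot: The `s.close()` added before this `throw new EInvalidCredentials(...)` (and the same pattern in the following hunks at the `isCertValid` failure and before the two `return tempToken` lines) closes the stream on some exits only; the success path through the loop and every other exception path leave it open. The method already has a `finally` that restores the thread token, so `s.close()` belongs there (or `s` in a try-with-resources if the codebase targets Java 7+, which I cannot tell from this view), and the scattered calls can be removed. The enclosing method and its try begin outside this hunk.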
@@ -967,6 +1079,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
// verify signer's certificate using the revocator
if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
CMS.debug(method + "CMC signature failed to be verified");
+ s.close();
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
} else {
CMS.debug(method + "CMC signature verified; but signer not yet;");
@@ -974,23 +1087,38 @@ CMS.debug(method + "issuer = " + new String(issuerB));
// At this point, the signature has been verified;
IAuthToken tempToken = new AuthToken(null);
+/*
netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
String CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
CMS.debug(method + " Principal name = " + CN);
+*/
BigInteger certSerial = x509Certs[0].getSerialNumber();
CMS.debug(method + " verified cert serial=" + certSerial.toString());
authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString());
tempToken.set("cn", CN);
+ s.close();
return tempToken;
+ } else {
+ CMS.debug(method + "no certificate found in cmcFullReq");
}
-
+ } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) {
+ CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER");
+ CMS.debug(method + "selfSigned is true");
+ selfSigned = true;
+ selfsign_digest = digest;
+
+ IAuthToken tempToken = new AuthToken(null);
+ authToken.set(IAuthManager.CRED_CMC_SELF_SIGNED, "true");
+ s.close();
+ return tempToken;
} else {
CMS.debug(method + "unsupported SignerIdentifier type");
}
- }
+ } //for
+
} catch (InvalidBERException e) {
CMS.debug(method + e.toString());
} catch (IOException e) {
@@ -1001,7 +1129,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
CMS.debug(method + e.toString());
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
} finally {
- if ((tokenSwitched == true) && (savedToken != null)){
+ if ((tokenSwitched == true) && (savedToken != null)) {
cm.setThreadToken(savedToken);
CMS.debug(method + "verifySignerInfo token restored");
}
@@ -1123,8 +1251,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
SessionContext auditContext = SessionContext.getExistingContext();
if (auditContext != null) {
- subjectID = (String)
- auditContext.get(SessionContext.USER_ID);
+ subjectID = (String) auditContext.get(SessionContext.USER_ID);
if (subjectID != null) {
subjectID = subjectID.trim();
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 7d52fc86c..1443a0a6d 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -110,6 +110,8 @@ import netscape.security.x509.CertificateVersion;
import netscape.security.x509.CertificateX509Key;
import netscape.security.x509.Extension;
import netscape.security.x509.Extensions;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectKeyIdentifierExtension;
import netscape.security.x509.X500Name;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
@@ -656,6 +658,8 @@ public abstract class EnrollProfile extends BasicProfile
String msg = ""; // for capturing debug and throw info
//CMS.debug(method + " Start parseCMC(): " + certreq);
CMS.debug(method + "starts");
+ String auditMessage = "";
+ String auditSubjectID = auditSubjectID();
/* cert request must not be null */
if (certreq == null) {
@@ -742,22 +746,27 @@ public abstract class EnrollProfile extends BasicProfile
msg = " id_cmc_identification attribute value not found in";
CMS.debug(method + msg);
+/*
throw new EProfileException(
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
msg);
+*/
+ } else {
+ ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
+ ASN1Util.encode(ident.elementAt(0))));
}
- ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
- ASN1Util.encode(ident.elementAt(0))));
- if (ident_s == null) {
+ if (ident == null && ident_s == null) {
msg = " id_cmc_identification contains invalid content";
CMS.debug(method + msg);
SEQUENCE bpids = getRequestBpids(reqSeq);
context.put("identification", bpids);
CMS.debug(method + msg);
+/*
throw new EProfileException(
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
msg);
+*/
}
}
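Review bot: With both throws commented out (L908-L912, L926-L930) this block no longer rejects anything, and the rewritten condition at L920, `if (ident == null && ident_s == null)`, can only be true when `ident` is null (assuming `ident_s` starts as null above), so a present-but-undecodable id_cmc_identification is no longer reported as "invalid content" at all. If rejection is meant to be deferred to the later `ident_s == null` checks in identityProofV2 and popLinkWitness, the decode-failure case still needs `if (ident != null && ident_s == null)`, or the original `if (ident_s == null)` if both cases should record the bpids in the context. Commented-out code should be removed, and a one-line comment here saying that missing identification is rejected downstream would explain why this block only logs. The enclosing block starts outside the hunk.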
@@ -776,19 +785,27 @@ public abstract class EnrollProfile extends BasicProfile
}
} else if (id_cmc_identityProofV2 && (attr != null)) {
// either V2 or not V2; can't be both
- CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;");
- if (!id_cmc_identification) {
+ CMS.debug(method +
+ "not pre-signed CMC request; calling verifyIdentityProofV2;");
+ if (!id_cmc_identification || ident_s == null) {
SEQUENCE bpids = getRequestBpids(reqSeq);
context.put("identification", bpids);
context.put("identityProofV2", bpids);
msg = "id_cmc_identityProofV2 missing id_cmc_identification";
CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
+
throw new EProfileException(
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
msg);
}
- boolean valid = verifyIdentityProofV2(attr, ident_s,
+ boolean valid = verifyIdentityProofV2(context, attr, ident_s,
reqSeq);
if (!valid) {
SEQUENCE bpids = getRequestBpids(reqSeq);
@@ -815,10 +832,18 @@ public abstract class EnrollProfile extends BasicProfile
"CMS_POI_VERIFICATION_ERROR") + msg);
} else {
CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;");
+ // in case it was set
+ auditSubjectID = auditSubjectID();
}
} else {
msg = "not pre-signed CMC request; missing Proof of Identification control";
CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
throw new EProfileException(CMS.getUserMessage(locale,
"CMS_POI_VERIFICATION_ERROR") + ":" + method + msg);
}
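Review bot: The comment `// in case it was set` at L967 does not say who set what or why it matters; since `verifyIdentityProofV2` writes the verified identification into `SessionContext.USER_ID` on success, make that explicit: `// verifyIdentityProofV2 sets SessionContext.USER_ID to the verified identity; re-read it so later audit records carry it`. The enclosing if/else starts outside the hunk.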
@@ -837,6 +862,13 @@ public abstract class EnrollProfile extends BasicProfile
} else { //decPopVals == null
msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.PROOF_OF_POSSESSION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ method + msg);
+ audit(auditMessage);
+
SEQUENCE bpids = getRequestBpids(reqSeq);
context.put("decryptedPOP", bpids);
}
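Review bot: The audit record added at L986-L991 logs `ILogger.SUCCESS` on a failure path: the branch is entered when `decPopVals == null` and the message itself says the DecryptedPOP is invalid, so the signed audit trail would show a successful proof of possession for a malformed one. It should be `ILogger.FAILURE,`, matching the other failure audits in this change. The enclosing if/else starts outside the hunk.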
@@ -877,6 +909,11 @@ public abstract class EnrollProfile extends BasicProfile
String configName = "cmc.popLinkWitnessRequired";
CMS.debug(method + "getting :" + configName);
popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false);
+ if (popLinkWitnessRequired) {
+ CMS.debug(method + "popLinkWitness(V2) required");
+ } else {
+ CMS.debug(method + "popLinkWitness(V2) not required");
+ }
} catch (Exception e) {
// unlikely to get here
msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
@@ -897,8 +934,16 @@ public abstract class EnrollProfile extends BasicProfile
!context.containsKey("POPLinkWitnessV2") &&
!context.containsKey("POPLinkWitness")) {
CMS.debug(method + "popLinkWitness(V2) required");
- if (randomSeed == null) {
- CMS.debug(method + "no randomSeed found");
+ if (randomSeed == null || ident_s == null) {
+ msg = "no randomSeed or identification found needed for popLinkWitness(V2)";
+ CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
+ auditSubjectID,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
+
context.put("POPLinkWitnessV2", bpids);
return null;
}
@@ -913,11 +958,26 @@ public abstract class EnrollProfile extends BasicProfile
else if (context.containsKey("POPLinkWitness"))
msg = " in POPLinkWitness";
else
- msg = " unspecified failure from verifyPOPLinkWitness";
+ msg = " failure from verifyPOPLinkWitness";
+ msg = msg + ": ident_s=" + ident_s;
CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
+ auditSubjectID,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
throw new EProfileException(CMS.getUserMessage(locale,
"CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg);
+ } else {
+ msg = ": ident_s=" + ident_s;
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ method + msg);
+ audit(auditMessage);
}
}
} //for
@@ -1441,22 +1501,37 @@ public abstract class EnrollProfile extends BasicProfile
* @author cfu
*/
private boolean verifyIdentityProofV2(
+ SessionContext sessionContext,
TaggedAttribute attr,
UTF8String ident,
SEQUENCE reqSeq) {
String method = "EnrollProfile:verifyIdentityProofV2: ";
+ String msg = "";
CMS.debug(method + " begins");
+ boolean verified = false;
+ String auditMessage = method;
+
if ((attr == null) ||
(ident == null) ||
(reqSeq == null)) {
CMS.debug(method + "method parameters cannot be null");
+ // this is internal error
return false;
}
String ident_string = ident.toString();
+ String auditAttemptedCred = null;
SET vals = attr.getValues(); // getting the IdentityProofV2 structure
if (vals.size() < 1) {
+ msg = " invalid TaggedAttribute in request";
+ CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditAttemptedCred,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
return false;
}
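Review bot: The failure audit at L1081-L1086 records `auditAttemptedCred` while it is still null, although `ident_string` is already known at L1075 (`ident` has just been null-checked); the same applies to the two audits in the next hunk (L1095-L1100 and L1115-L1120), where the credential is only assigned at L1106. Initialise it as soon as it is known, `String auditAttemptedCred = ident_string;`, so every failure record names the attempted identity. `String auditMessage = method;` at L1066 is overwritten before every use and can simply be `String auditMessage;`. The method body continues past this hunk.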
@@ -1464,18 +1539,33 @@ public abstract class EnrollProfile extends BasicProfile
ISharedToken tokenClass = getSharedTokenClass(configName);
if (tokenClass == null) {
- CMS.debug(method + " Failed to retrieve shared secret plugin class");
+ msg = " Failed to retrieve shared secret plugin class";
+ CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditAttemptedCred,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
return false;
}
String token = null;
- if (ident_string != null)
+ if (ident_string != null) {
+ auditAttemptedCred = ident_string;
token = tokenClass.getSharedToken(ident_string);
- else
+ } else
token = tokenClass.getSharedToken(mCMCData);
if (token == null) {
- CMS.debug(method + " Failed to retrieve shared secret");
+ msg = " Failed to retrieve shared secret";
+ CMS.debug(method + msg);
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditAttemptedCred,
+ ILogger.FAILURE,
+ method + msg);
+ audit(auditMessage);
return false;
}
@@ -1493,26 +1583,64 @@ public abstract class EnrollProfile extends BasicProfile
OCTET_STRING witness = idV2val.getWitness();
if (witness == null) {
- CMS.debug(method + " witness reurned by idV2val.getWitness is null");
- return false;
+ msg = " witness reurned by idV2val.getWitness is null";
+ CMS.debug(method + msg);
+ throw new EBaseException(msg);
}
byte[] witness_bytes = witness.toByteArray();
byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field
- return verifyDigest(
+ verified = verifyDigest(
(ident_string != null) ? (token + ident_string).getBytes() : token.getBytes(),
request_bytes,
witness_bytes,
hashAlg, macAlg);
+
+ String authMgrID =
+ (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
+ String auditSubjectID = null;
+
+ if (verified) {
+ // update auditSubjectID
+ if (sessionContext != null) {
+ auditSubjectID = (String)
+ sessionContext.get(SessionContext.USER_ID);
+ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
+ CMS.debug(method + "identity verified. Updating auditSubjectID");
+ CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
+ auditSubjectID = ident_string;
+ sessionContext.put(SessionContext.USER_ID, auditSubjectID);
+ } else { //very unlikely
+ CMS.debug(method + "sessionContext null; cannot update auditSubjectID");
+ }
+
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ "method=" + method);
+ audit(auditMessage);
+ } else {
+ throw new EBaseException("failed to verify");
+ }
+ return verified;
} catch (Exception e) {
CMS.debug(method + " Failed with Exception: " + e.toString());
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditAttemptedCred,
+ ILogger.FAILURE,
+ method + e.toString());
+ audit(auditMessage);
return false;
}
} // verifyIdentityProofV2
- private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) {
+ private boolean verifyIdentityProof(
+ TaggedAttribute attr, SEQUENCE reqSeq) {
String method = "verifyIdentityProof: ";
+ boolean verified = false;
SET vals = attr.getValues();
if (vals.size() < 1)
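Review bot: `sessionContext.get(SessionContext.AUTH_MANAGER_ID)` at L1141-L1142 dereferences the new parameter before the `sessionContext != null` check at L1147, so a null context throws NullPointerException there; the `catch (Exception e)` below turns that into an audited `return false`, which is fail-closed only by accident, and `authMgrID` is never used. Either drop the two lines or move them inside the null-checked block. Throwing `new EBaseException("failed to verify")` at L1166 only to catch it in the same method's `catch (Exception e)` obscures the control flow; auditing the failure directly and returning false, as the earlier failure paths do, reads more clearly. Since `verifyIdentityProofV2` is where the request's claimed identity becomes the trusted audit subject (L1153-L1154), a comment saying so at that assignment would help the next reader.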
@@ -1537,7 +1665,11 @@ public abstract class EnrollProfile extends BasicProfile
byte[] b = ostr.toByteArray();
byte[] text = ASN1Util.encode(reqSeq);
- return verifyDigest(token.getBytes(), text, b);
+ verified = verifyDigest(token.getBytes(), text, b);
+ if (verified) {// update auditSubjectID
+ //placeholder. Should probably just disable this v1 method
+ }
+ return verified;
}
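Review bot: The `if (verified) { ... }` block added at L1192-L1194 is empty apart from a placeholder comment, and unlike `verifyIdentityProofV2` this v1 path still writes no CMC_PROOF_OF_IDENTIFICATION audit record on either outcome. Either add the audit calls here or replace the block with a single `// TODO: v1 identity proof is not audited and does not update the audit subject; see verifyIdentityProofV2` so the gap stays visible. The method starts outside the hunk.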
public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
@@ -1592,13 +1724,22 @@ public abstract class EnrollProfile extends BasicProfile
p10.encode(ostream);
PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);
+ if (sigver) {
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.PROOF_OF_POSSESSION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ "method="+method);
+ audit(auditMessage);
+ }
req.setExtData("bodyPartId", tcr.getBodyPartID());
fillPKCS10(locale, pkcs10, info, req);
} catch (Exception e) {
CMS.debug(method + e);
// this will throw
- popFailed(locale, auditSubjectID, auditMessage, e);
+ if (sigver)
+ popFailed(locale, auditSubjectID, auditMessage, e);
} finally {
if ((sigver == true) && (tokenSwitched == true)){
cm.setThreadToken(savedToken);
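Review bot: The guard `if (sigver) popFailed(...)` at L1215-L1216 means that when signature verification is disabled, any exception from `p10.encode`, the `PKCS10` constructor or `fillPKCS10` is only debug-logged and the method continues as if the request had been filled; the `// this will throw` comment at L1213 is no longer true in that case. A parsing failure is not a POP failure and should still reject the request, e.g. `else throw new EProfileException(CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + e.toString());`. The enclosing try starts outside the hunk.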
@@ -1787,8 +1928,9 @@ public abstract class EnrollProfile extends BasicProfile
public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info,
IRequest req)
throws EProfileException {
+ String method = "EnrollProfile: fillCertReqMsg: ";
try {
- CMS.debug("Start parseCertReqMsg ");
+ CMS.debug(method + "Start parseCertReqMsg ");
CertRequest certReq = certReqMsg.getCertReq();
req.setExtData("bodyPartId", certReq.getCertReqId());
// handle PKIArchiveOption (key archival)
@@ -1897,12 +2039,20 @@ public abstract class EnrollProfile extends BasicProfile
extensions = new CertificateExtensions();
int numexts = certTemplate.numExtensions();
+ /*
+ * there seems to be an issue with constructor in Extension
+ * when feeding SubjectKeyIdentifierExtension;
+ * Special-case it
+ */
+ OBJECT_IDENTIFIER SKIoid =
+ new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString());
for (int j = 0; j < numexts; j++) {
org.mozilla.jss.pkix.cert.Extension jssext =
certTemplate.extensionAt(j);
boolean isCritical = jssext.getCritical();
org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
jssext.getExtnId();
+ CMS.debug(method + "found extension:" + jssoid.toString());
long[] numbers = jssoid.getNumbers();
int[] oidNumbers = new int[numbers.length];
@@ -1919,8 +2069,14 @@ public abstract class EnrollProfile extends BasicProfile
jssvalue.encode(jssvalueout);
byte[] extValue = jssvalueout.toByteArray();
- Extension ext =
- new Extension(oid, isCritical, extValue);
+ Extension ext = null;
+ if (jssoid.equals(SKIoid)) {
+ CMS.debug(method + "found SUBJECT_KEY_IDENTIFIER extension");
+ ext = new SubjectKeyIdentifierExtension(false,
+ jssext.getExtnValue().toByteArray());
+ } else {
+ new Extension(oid, isCritical, extValue);
+ }
extensions.parseExtension(ext);
}
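Review bot: In the `else` branch at L1260-L1262 the result of `new Extension(oid, isCritical, extValue)` is discarded, so `ext` stays null and `extensions.parseExtension(ext)` at L1263 receives null for every extension other than SubjectKeyIdentifier; the line should read `ext = new Extension(oid, isCritical, extValue);`. The SKI branch hard-codes the critical flag to `false` and ignores `isCritical`, which is consistent with RFC 5280 but deserves a comment, `// SKI is always non-critical per RFC 5280; the request's flag is ignored`. The enclosing loop starts outside the hunk.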
@@ -2042,12 +2198,12 @@ public abstract class EnrollProfile extends BasicProfile
DerInputStream extIn = new DerInputStream(extB);
CertificateExtensions exts = new CertificateExtensions(extIn);
if (exts != null) {
- CMS.debug(method + "Set extensions " + exts);
+ CMS.debug(method + "PKCS10 found extensions " + exts);
// info.set(X509CertInfo.EXTENSIONS, exts);
req.setExtData(REQUEST_EXTENSIONS, exts);
}
} else {
- CMS.debug(method + "PKCS10 extension Not Found");
+ CMS.debug(method + "PKCS10 no extension found");
}
}
@@ -2406,7 +2562,7 @@ public abstract class EnrollProfile extends BasicProfile
String method = "EnrollProfile: verifyPOP: ";
CMS.debug(method + "for signing keys begins.");
- String auditMessage = null;
+ String auditMessage = method;
String auditSubjectID = auditSubjectID();
if (!certReqMsg.hasPop()) {
@@ -2437,7 +2593,8 @@ public abstract class EnrollProfile extends BasicProfile
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.SUCCESS);
+ ILogger.SUCCESS,
+ "method="+method);
audit(auditMessage);
} catch (Exception e) {
CMS.debug(method + "Unable to verify POP: " + e);
@@ -2446,19 +2603,21 @@ public abstract class EnrollProfile extends BasicProfile
CMS.debug(method + "done.");
}
- private void popFailed(Locale locale, String auditSubjectID, String auditMessage)
+ private void popFailed(Locale locale, String auditSubjectID, String msg)
throws EProfileException {
- popFailed(locale, auditSubjectID, auditMessage, null);
+ popFailed(locale, auditSubjectID, msg, null);
}
- private void popFailed(Locale locale, String auditSubjectID, String auditMessage, Exception e)
+ private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e)
throws EProfileException {
+ if (e != null)
+ msg = msg + e.toString();
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
+ String auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
-
+ ILogger.FAILURE,
+ msg);
audit(auditMessage);
if (e != null) {
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
index 14484e0c3..635c04439 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
@@ -25,6 +25,7 @@ import java.security.cert.CertificateException;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.cmsutil.crypto.CryptoUtil;
import netscape.security.x509.CertificateX509Key;
import netscape.security.x509.KeyIdentifier;
@@ -46,30 +47,29 @@ public abstract class CAEnrollDefault extends EnrollDefault {
}
public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
+ String method = "CAEnrollDefault: getKeyIdentifier: ";
try {
CertificateX509Key ckey = (CertificateX509Key)
info.get(X509CertInfo.KEY);
X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY);
- MessageDigest md = MessageDigest.getInstance("SHA-1");
-
- md.update(key.getKey());
- byte[] hash = md.digest();
+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+ if (hash == null) {
+ CMS.debug(method +
+ "CryptoUtil.generateKeyIdentifier returns null");
+ return null;
+ }
return new KeyIdentifier(hash);
} catch (IOException e) {
- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
- e.toString());
+ CMS.debug(method + e.toString());
} catch (CertificateException e) {
- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
- e.toString());
- } catch (NoSuchAlgorithmException e) {
- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
- e.toString());
+ CMS.debug(method + e.toString());
}
return null;
}
public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseException {
+ String method = "CAEnrollDefault: getCAKeyIdentifier: ";
X509CertImpl caCert = ca.getCACert();
if (caCert == null) {
// during configuration, we dont have the CA certificate
@@ -89,16 +89,11 @@ public abstract class CAEnrollDefault extends EnrollDefault {
}
}
- try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
-
- md.update(key.getKey());
- byte[] hash = md.digest();
-
- return new KeyIdentifier(hash);
- } catch (NoSuchAlgorithmException e) {
- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
- e.toString());
+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+ if (hash == null) {
+ CMS.debug(method +
+ "CryptoUtil.generateKeyIdentifier returns null");
+ return null;
}
return null;
}
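Review bot: The rewritten tail of `getCAKeyIdentifier` (L1383-L1389) computes `hash`, returns null when it is null, and then falls through to the pre-existing `return null;` at L1389, so the method now always returns null; the `return new KeyIdentifier(hash);` dropped with the old try block needs to come back in place of that final `return null;`. Judging by the old debug text this helper presumably feeds the Authority Key Identifier default, so the regression would likely leave issued certificates without an AKI, depending on how the caller handles null. The method starts outside the hunk.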
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
index a8f6a7415..d787575ac 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
@@ -37,6 +37,7 @@ import com.netscape.certsrv.property.Descriptor;
import com.netscape.certsrv.property.EPropertyException;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.cmsutil.crypto.CryptoUtil;
/**
* This class implements an enrollment default policy
@@ -195,22 +196,26 @@ public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault {
}
public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
+ String method = "SubjectKeyIdentifierExtDefault: getKeyIdentifier: ";
try {
CertificateX509Key infokey = (CertificateX509Key)
info.get(X509CertInfo.KEY);
X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY);
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update(key.getKey());
- byte[] hash = md.digest();
+ // "SHA-1" is default for CryptoUtil.generateKeyIdentifier.
+ // you could specify different algorithm with the alg parameter
+ // like this:
+ //byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), "SHA-256");
+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+ if (hash == null) {
+ CMS.debug(method +
+ "CryptoUtil.generateKeyIdentifier returns null");
+ return null;
+ }
return new KeyIdentifier(hash);
- } catch (NoSuchAlgorithmException e) {
- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " +
- e.toString());
} catch (Exception e) {
- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " +
- e.toString());
+ CMS.debug(method + e.toString());
}
return null;
}
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
index 84a639800..2affaf385 100644
--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -179,26 +179,27 @@ public abstract class EnrollInput implements IProfileInput {
public void verifyPOP(Locale locale, CertReqMsg certReqMsg)
throws EProfileException {
+ String method = "EnrollInput: verifyPOP: ";
CMS.debug("EnrollInput ::in verifyPOP");
String auditMessage = null;
String auditSubjectID = auditSubjectID();
if (!certReqMsg.hasPop()) {
- CMS.debug("CertReqMsg has not POP, return");
+ CMS.debug(method + "CertReqMsg has not POP, return");
return;
}
ProofOfPossession pop = certReqMsg.getPop();
ProofOfPossession.Type popType = pop.getType();
if (popType != ProofOfPossession.SIGNATURE) {
- CMS.debug("not POP SIGNATURE, return");
+ CMS.debug(method + "not POP SIGNATURE, return");
return;
}
try {
if (CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) {
- CMS.debug("skipPOPVerify on, return");
+ CMS.debug(method + "skipPOPVerify on, return");
return;
}
CMS.debug("POP verification begins:");
@@ -207,10 +208,10 @@ public abstract class EnrollInput implements IProfileInput {
CryptoToken verifyToken = null;
String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
if (CryptoUtil.isInternalToken(tokenName)) {
- CMS.debug("POP verification using internal token");
+ CMS.debug(method + "POP verification using internal token");
certReqMsg.verify();
} else {
- CMS.debug("POP verification using token:" + tokenName);
+ CMS.debug(method + "POP verification using token:" + tokenName);
verifyToken = CryptoUtil.getCryptoToken(tokenName);
certReqMsg.verify(verifyToken);
}
@@ -219,18 +220,20 @@ public abstract class EnrollInput implements IProfileInput {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.SUCCESS);
+ ILogger.SUCCESS,
+ "method="+method);
audit(auditMessage);
} catch (Exception e) {
- CMS.debug("Failed POP verify! " + e.toString());
+ CMS.debug(method + "Failed POP verify! " + e.toString());
CMS.debug(e);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + e.toString());
audit(auditMessage);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
index 70a4a421a..c57c53230 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
@@ -23,17 +23,6 @@ import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.cert.CertificateException;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.SEQUENCE;
@@ -56,6 +45,17 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.cms.servlet.base.CMSServlet;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
/**
* Process CRMF requests, according to RFC 2511
* See http://www.ietf.org/rfc/rfc2511.txt
@@ -98,6 +98,7 @@ public class CRMFProcessor extends PKIProcessor {
*/
private void verifyPOP(CertReqMsg certReqMsg)
throws EBaseException {
+ String method = "CRMFProcessor: verifyPOP: ";
String auditMessage = null;
String auditSubjectID = auditSubjectID();
@@ -118,7 +119,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.SUCCESS);
+ ILogger.SUCCESS,
+ "method=" + method);
audit(auditMessage);
} catch (Exception e) {
@@ -131,7 +133,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + e.toString());
audit(auditMessage);
@@ -148,7 +151,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + "required POP missing");
audit(auditMessage);
@@ -161,7 +165,8 @@ public class CRMFProcessor extends PKIProcessor {
auditMessage = CMS.getLogMessage(
AuditEvent.PROOF_OF_POSSESSION,
auditSubjectID,
- ILogger.FAILURE);
+ ILogger.FAILURE,
+ method + eAudit1.toString());
audit(auditMessage);
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 0e101edae..93039a486 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -39,12 +39,16 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
import org.mozilla.jss.pkix.cmc.TaggedAttribute;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.EInvalidCredentials;
+import com.netscape.certsrv.authentication.EMissingCredential;
import com.netscape.certsrv.authentication.IAuthManager;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.AuthFailEvent;
+import com.netscape.certsrv.logging.event.AuthSuccessEvent;
import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
import com.netscape.certsrv.profile.EDeferException;
import com.netscape.certsrv.profile.EProfileException;
@@ -143,6 +147,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
public IAuthToken authenticate(IProfileAuthenticator authenticator,
HttpServletRequest request) throws EBaseException {
+ String method = "ProfileSubmitCMCServlet: authenticate: ";
AuthCredentials credentials = new AuthCredentials();
// build credential
@@ -158,15 +163,47 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
credentials.set(authName, request.getParameter(authName));
}
}
- IAuthToken authToken = authenticator.authenticate(credentials);
+ IAuthToken authToken = null;
+ String auditSubjectID = null;
+ String authMgrID = authenticator.getName();
SessionContext sc = SessionContext.getContext();
- if (sc != null) {
- sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName());
- String userid = authToken.getInString(IAuthToken.USER_ID);
- if (userid != null) {
- sc.put(SessionContext.USER_ID, userid);
+
+ try {
+ authToken = authenticator.authenticate(credentials);
+ if (sc != null) {
+ sc.put(SessionContext.AUTH_MANAGER_ID, authMgrID);
+ auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
+ if (auditSubjectID != null) {
+ CMS.debug(method + "setting auditSubjectID in SessionContext:" +
+ auditSubjectID);
+ sc.put(SessionContext.USER_ID, auditSubjectID);
+ } else {
+ CMS.debug(method + "no auditSubjectID found in authToken");
+ }
+ }
+
+ if (!auditSubjectID.equals(ILogger.UNIDENTIFIED) &&
+ !auditSubjectID.equals(ILogger.NONROLEUSER)) {
+ audit(new AuthSuccessEvent(
+ auditSubjectID,
+ ILogger.SUCCESS,
+ authMgrID));
+ }
+
+ } catch (EBaseException e) {
+ CMS.debug(method + e);
+ String attempted_auditSubjectID = null;
+ if (sc != null) {
+ attempted_auditSubjectID =
+ (String) sc.get(SessionContext.USER_ID);
}
+ audit(new AuthFailEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ authMgrID,
+ attempted_auditSubjectID));
+ throw(e);
}
return authToken;