| author | Christina Fu <cfu@redhat.com> | 2014-01-23 15:26:13 -0800 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2014-01-23 15:26:13 -0800 |
| commit | 352040246bbd96bc59a2e2b9156c65837a6c02b7 (patch) | |
| tree | cb9a267bbcbe20209da619c87420f14aa5b7864d /base/server/cms/src/com | |
| parent | b3d5206cd5c06f3c32994698c37b5f52a23f3aa7 (diff) | |
External Registration feature merge (excluding TPS portion due to current TPS-rewrite effort):
http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
Diffstat (limited to 'base/server/cms/src/com')
6 files changed, 186 insertions, 33 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
index 7b4c3c74d..417f78123 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
@@ -497,6 +497,8 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
 String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
 String on_value = nameValue.substring(pos1 + 1).trim();
 if (isValidOID(on_oid)) {
+ CMS.debug("OtherName about to create OtherName object:");
+ CMS.debug("OID: " + on_oid + " Value:" + on_value);
 return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_PrintableString, on_value);
 } else {
 return null;
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
index 61c200a96..240f86a13 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
@@ -57,6 +57,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
 public static final String CONFIG_PATTERN = "subjAltExtPattern_";
 public static final String CONFIG_SOURCE = "subjAltExtSource_";
 public static final String CONFIG_SOURCE_UUID4 = "UUID4";
+ public static final String CONFIG_SAN_REQ_PATTERN_PREFIX = "$request.req_san_pattern_";
 public static final String CONFIG_OLD_TYPE = "subjAltExtType";
 public static final String CONFIG_OLD_PATTERN = "subjAltExtPattern";
@@ -447,6 +448,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
 }
 if (!pattern.equals("")) {
+ CMS.debug("SubjectAltNameExtDefault: createExtension() pattern="+ pattern);
 String gname = "";
 // cfu - see if this is server-generated (e.g. UUID4)
@@ -480,8 +482,8 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
 }
 }
- if (gname.equals("")) {
- CMS.debug("gname is empty, not added");
+ if (gname.equals("") || gname.contains("$")) {
+ CMS.debug("ubjectAltNameExtDefault: mapPattern()failed. Not added. gname="+ gname);
 continue;
 }
 CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname);
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
index 77d743334..61d57ec7e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
@@ -138,6 +138,7 @@ public class UserSubjectNameDefault extends EnrollDefault {
 } catch (Exception e) {
 // failed to insert subject name
 CMS.debug("UserSubjectNameDefault: populate " + e.toString());
+ throw new EProfileException(e.toString());
 }
 }
 }
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java b/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java
new file mode 100644
index 000000000..72dc55b6c
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java
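Review bot: The new debug message in the `$` branch has a truncated class name and a missing space, `ubjectAltNameExtDefault: mapPattern()failed`; it should read `CMS.debug("SubjectAltNameExtDefault: mapPattern() failed. Not added. gname=" + gname);` so that log searches by class name still find it. The `gname.contains("$")` guard is what keeps an unresolved `$request.req_san_pattern_N` reference out of the issued SAN, which is the right fail-closed behaviour, but it also silently drops any resolved value that legitimately contains a `$`; a comment stating that trade-off, e.g. `// a leftover '$' means mapPattern() could not resolve a $request/$... token; never emit it into the SAN`, would help the next reader. The enclosing loop starts and ends outside the hunk.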
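Review bot: The new `throw new EProfileException(e.toString())` discards the original exception as cause, so the stack trace of what actually failed during subject-name insertion survives only in the debug line above it; if EProfileException offers a cause-taking constructor, `throw new EProfileException(e.toString(), e);` would preserve it. Turning this catch from log-and-continue into a hard failure is a good change, since a request whose subject name could not be set no longer proceeds as though it had, but that behaviour change deserves a comment above the throw, e.g. `// fail the request: a certificate must not be issued with a subject that was never populated`. The enclosing populate() starts before the hunk.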
@@ -0,0 +1,127 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.apps.*;
+
+import com.netscape.cms.profile.common.*;
+
+
+/**
+ * This plugin populates text fields to the enrollment
+ * page so that SAN parameters
+ * can be collected from the user.
+ * <p>
+ * The collected parameters could be used for
+ * fomulating the SAN attributes in the certificate.
+ * <p>
+ *
+ */
+public class SubjectAltNameExtInput extends EnrollInput implements IProfileInput {
+
+ public static final int DEF_REQ_ENTRIES = 4;
+
+ public static final String CONFIG_SAN_REQ_PATTERN = "req_san_pattern_";
+ public static final String CONFIG_SAN_REQ_TYPE = "req_san_type_";
+
+ public static final String VAL_SAN_REQ_PATTERN = "req_san_pattern_";
+ public static final String VAL_SAN_REQ_TYPE = "req_san_type_";
+
+ /* defined in CS.cfg: "ca.SAN.entryNum" */
+ private int mSANentryNum = DEF_REQ_ENTRIES;
+
+ public SubjectAltNameExtInput() {
+ for (int i = 0; i< mSANentryNum; i++) {
+ addValueName(CONFIG_SAN_REQ_PATTERN + i);
+ addValueName(CONFIG_SAN_REQ_TYPE + i);
+ }
+ }
+
+ /**
+ * Initializes this default policy.
+ */
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ try {
+ mSANentryNum =
+ CMS.getConfigStore().getInteger("ca.SAN.entryNum", DEF_REQ_ENTRIES);
+ } catch (EBaseException e) {
+ /* mSANentryNum has default; ok */
+ CMS.debug("SubjectAltNameExtInput: init(): getting config failed on ca.SAN.entryNum");
+ }
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_ALT_NAME_EXT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_ALT_NAME_EXT_TEXT");
+ }
+
+ /**
+ * Returns selected value names based on the configuration.
+ */
+ public Enumeration<String> getValueNames() {
+ Vector<String> v = new Vector<String>();
+
+ for (int i = 0; i< mSANentryNum; i++) {
+ v.addElement(VAL_SAN_REQ_TYPE + i); // default case
+ v.addElement(VAL_SAN_REQ_PATTERN + i); // default case
+ }
+
+ return v.elements();
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ //
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_SAN_REQ_TYPE)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_REQ_SAN_TYPE"));
+ } else if (name.equals(VAL_SAN_REQ_PATTERN)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_REQ_SAN_PATTERN"));
+ }
+ return null;
+ }
+}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
index da7f01ca5..51fecd15a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
@@ -250,6 +250,12 @@ public class DisplayBySerial extends CMSServlet {
 HttpServletResponse resp, Locale locale)
 throws EBaseException {
+ boolean b64CertOnly = false; // for request that needs only b64 cert
+ String isB64CertOnly = req.getParameter("b64CertOnly");
+ if (isB64CertOnly != null && isB64CertOnly.equals("true")) {
+ b64CertOnly = true;
+ }
+
 try {
 ICertRecord rec = mCertDB.readCertificateRecord(seq);
 if (rec == null) {
@@ -326,6 +332,10 @@ public class DisplayBySerial extends CMSServlet {
 CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", e.toString()));
 }
+ byte[] ba = cert.getEncoded();
+ // Do base 64 encoding
+ header.addStringValue("certChainBase64", CMS.BtoA(ba));
+
 IRevocationInfo revocationInfo = rec.getRevocationInfo();
 if (revocationInfo != null) {
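Review bot: `getValueDescriptor()` compares `name` with `equals()` against the bare prefixes `VAL_SAN_REQ_TYPE` and `VAL_SAN_REQ_PATTERN`, but every name this class registers in the constructor and returns from `getValueNames()` carries an index suffix (`req_san_type_0`, `req_san_pattern_0`, ...), so neither branch can ever match and the method always returns null; the checks should be `if (name.startsWith(VAL_SAN_REQ_TYPE)) {` and `} else if (name.startsWith(VAL_SAN_REQ_PATTERN)) {`. Separately, the constructor calls `addValueName()` for `DEF_REQ_ENTRIES` entries before `init()` reads `ca.SAN.entryNum`, so when the configured count is not 4 the registered names and `getValueNames()` disagree; either register the names in `init()` after the config read or document the limitation on the `mSANentryNum` field. The Javadoc typo `fomulating` should be `formulating`.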
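Review bot: The moved `certChainBase64` line now encodes with `CMS.BtoA(ba)` whereas the removed line in the -365 hunk used `Utils.base64encode(ba)`; if the two differ in line wrapping or trailing newline, clients that fetch this header with `b64CertOnly=true` will receive a different format from before, so confirm they are equivalent or keep `Utils.base64encode` for consistency with `pkcs7ChainBase64` later in the method. A comment on the new `b64CertOnly` flag in the -250 hunk naming which header values are suppressed when it is set (`certPrettyPrint`, `certFingerprint`, `pkcs7ChainBase64`) would also help, since the three guards are spread across the later hunks, e.g. `// b64CertOnly: emit only certChainBase64/serialNumber, skip pretty-print, fingerprint and PKCS#7 chain`. The enclosing method starts before and continues after these hunks.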
@@ -346,10 +356,11 @@ public class DisplayBySerial extends CMSServlet {
 }
 }
- ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert);
-
- header.addStringValue("certPrettyPrint",
+ if (!b64CertOnly) {
+ ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert);
+ header.addStringValue("certPrettyPrint",
 certDetails.toString(locale));
+ }
 /*
 String scheme = req.getScheme();
@@ -365,21 +376,19 @@ public class DisplayBySerial extends CMSServlet {
 */
 header.addStringValue("authorityid", mAuthority.getId());
- String certFingerprints = "";
+ if (!b64CertOnly) {
+ String certFingerprints = "";
- try {
- certFingerprints = CMS.getFingerPrints(cert);
- } catch (Exception e) {
- log(ILogger.LL_FAILURE,
+ try {
+ certFingerprints = CMS.getFingerPrints(cert);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
 CMS.getLogMessage("CMSGW_ERR_DIGESTING_CERT", e.toString()));
+ }
+ if (certFingerprints.length() > 0)
+ header.addStringValue("certFingerprint", certFingerprints);
 }
- if (certFingerprints.length() > 0)
- header.addStringValue("certFingerprint", certFingerprints);
- byte[] ba = cert.getEncoded();
- // Do base 64 encoding
-
- header.addStringValue("certChainBase64", Utils.base64encode(ba));
 header.addStringValue("serialNumber", seq.toString(16));
 /*
@@ -412,28 +421,30 @@ public class DisplayBySerial extends CMSServlet {
 }
 }
- // Wrap the chain into a degenerate P7 object
- String p7Str;
+ if (!b64CertOnly) {
+ // Wrap the chain into a degenerate P7 object
+ String p7Str;
- try {
- PKCS7 p7 = new PKCS7(new AlgorithmId[0],
+ try {
+ PKCS7 p7 = new PKCS7(new AlgorithmId[0],
 new ContentInfo(new byte[0]), certsInChain, new SignerInfo[0]);
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
- p7.encodeSignedData(bos, false);
- byte[] p7Bytes = bos.toByteArray();
+ p7.encodeSignedData(bos, false);
+ byte[] p7Bytes = bos.toByteArray();
- p7Str = Utils.base64encode(p7Bytes);
- header.addStringValue("pkcs7ChainBase64", p7Str);
- } catch (Exception e) {
- //p7Str = "PKCS#7 B64 Encoding error - " + e.toString()
- //+ "; Please contact your administrator";
- log(ILogger.LL_FAILURE,
+ p7Str = Utils.base64encode(p7Bytes);
+ header.addStringValue("pkcs7ChainBase64", p7Str);
+ } catch (Exception e) {
+ //p7Str = "PKCS#7 B64 Encoding error - " + e.toString()
+ //+ "; Please contact your administrator";
+ log(ILogger.LL_FAILURE,
 CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7_1", e.toString()));
- throw new ECMSGWException(
+ throw new ECMSGWException(
 CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7"));
+ }
 }
 } catch (EBaseException e) {
 log(ILogger.LL_FAILURE,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
index ebcd42c14..cd3c22adf 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
@@ -124,6 +124,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
 * input params are:
 * CUID - the CUID of the old token where the keys/certs were initially for
 * userid - the userid that belongs to both the old token and the new token
+ * keyid - the keyid in DRM for recovery using keyid
 * drm_trans_desKey - the des key generated for the NEW token
 * wrapped with DRM transport key
 * cert - the user cert corresponding to the key to be recovered
@@ -155,6 +156,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
 String rCUID = req.getParameter("CUID");
 String rUserid = req.getParameter("userid");
+ String rKeyid = req.getParameter("keyid");
 String rdesKeyString = req.getParameter("drm_trans_desKey");
 String rCert = req.getParameter("cert");
@@ -174,8 +176,9 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
 missingParam = true;
 }
- if ((rCert == null) || (rCert.equals(""))) {
- CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: cert");
+ if (((rCert == null) || (rCert.equals(""))) &&
+ ((rKeyid == null) || (rKeyid.equals("")))) {
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: cert or keyid");
 missingParam = true;
 }
@@ -186,7 +189,14 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
 thisreq.setExtData(IRequest.NETKEY_ATTR_CUID, rCUID);
 thisreq.setExtData(IRequest.NETKEY_ATTR_USERID, rUserid);
 thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, rdesKeyString);
- thisreq.setExtData(IRequest.NETKEY_ATTR_USER_CERT, rCert);
+ if ((rCert != null) && (!rCert.equals(""))) {
+ thisreq.setExtData(IRequest.NETKEY_ATTR_USER_CERT, rCert);
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert");
+ }
+ if ((rKeyid != null) && (!rKeyid.equals(""))) {
+ thisreq.setExtData(IRequest.NETKEY_ATTR_KEYID, rKeyid);
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: keyid");
+ }
 //XXX auto process for netkey
 queue.processRequest(thisreq);
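Review bot: With the new `keyid` branch a caller can name a DRM key directly instead of presenting the certificate, and nothing in this hunk (or in the -174 parameter check) ties `rKeyid` to `rUserid` or `rCUID`; if that ownership check is performed by the request processor or by the DRM, a comment here should say so, e.g. `// keyid is not validated here: the recovery request processor must verify it belongs to userid/CUID before releasing the key`. When both `cert` and `keyid` are supplied, both ext-data attributes are set and precedence is left to the consumer; stating that in the parameter Javadoc updated in the -124 hunk would make the contract explicit. The enclosing processTokenKeyRecovery() starts before the hunk.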
