| author | Christina Fu <cfu@redhat.com> | 2016-06-16 15:44:58 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2016-06-16 18:28:02 -0700 |
| commit | 51f34c3edb73a78b42468b756b89d07fc9ec7839 (patch) | |
| tree | e3391419257b8e1d293477775bcbda151f1e660c /base/server/cms/src/com | |
| parent | 1b80b8c38be4ad4edf7b8e9d817877225517ca83 (diff) | |
Ticket #2298 exclude some ldap record attributes with key archival This is part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the crmf requests
are not written to the ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be setup) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in record, profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
* code was fixed so that in KRA request will display subject name even though the x509info is missing from request
* cmc requests did not have request type in records, so they had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while it's CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
Diffstat (limited to 'base/server/cms/src/com')
4 files changed, 74 insertions, 30 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index f2bf40241..67938af5d 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -489,6 +489,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
             if (type.equals(TaggedRequest.PKCS10)) {
                 CMS.debug("CMCAuth: type is PKCS10");
+                authToken.set("cert_request_type", "cmc-pkcs10");
+
                 TaggedCertificationRequest tcr = taggedRequest.getTcr();
                 int p10Id = tcr.getBodyPartID().intValue();
@@ -581,6 +583,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
             } else if (type.equals(TaggedRequest.CRMF)) {
                 CMS.debug("CMCAuth: type is CRMF");
+                authToken.set("cert_request_type", "cmc-crmf");
                 try {
                     CertReqMsg crm = taggedRequest.getCrm();
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
index e2208aba7..9aaa29d7a 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
@@ -100,6 +100,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault {
                 throw new EPropertyException(CMS.getUserMessage(
                         locale, "CMS_INVALID_PROPERTY", name));
             }
+            if (info == null) {
+                // info is null; possibly strippedldapRecords enabled
+                return null;
+            }
             AuthorityKeyIdentifierExtension ext = (AuthorityKeyIdentifierExtension)
                     getExtension(
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index ad4281b80..634d07093 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
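Review bot: The comment on the added null guard in the AuthorityKeyIdentifierExtDefault hunk refers to `strippedldapRecords`, but the setting this commit describes is `excludedLdapAttrs.enabled`, so a reader searching for the configured name will not find this branch. Suggest `// info is null; possibly excludedLdapAttrs.enabled is true and the X509CertInfo was not stored in the request record`, plus a short method-level note that a null return is now a valid outcome alongside the EPropertyException for an unknown name, since any caller that dereferences the result without a check would now fail. The enclosing method starts and ends outside the hunk.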
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -195,7 +195,7 @@ public class ValidityDefault extends EnrollDefault {
                 } catch (Exception e) {
                     CMS.debug("ValidityDefault: getValue " + e.toString());
                 }
-                throw new EPropertyException("Invalid valie");
+                throw new EPropertyException("Invalid value");
             } else if (name.equals(VAL_NOT_AFTER)) {
                 SimpleDateFormat formatter = new SimpleDateFormat(DATE_FORMAT);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
index 03975ac4f..64adebf68 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
@@ -30,6 +30,19 @@ import java.util.Hashtable;
 import java.util.Locale;
 import java.util.Vector;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.RawJS;
+import com.netscape.cmsutil.util.Utils;
+
 import netscape.security.extensions.NSCertTypeExtension;
 import netscape.security.x509.AlgorithmId;
 import netscape.security.x509.BasicConstraintsExtension;
@@ -44,23 +57,11 @@ import netscape.security.x509.CertificateX509Key;
 import netscape.security.x509.Extension;
 import netscape.security.x509.RevocationReason;
 import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X500Name;
 import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509CertInfo;
 import netscape.security.x509.X509Key;
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.authentication.IAuthToken;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IArgBlock;
-import com.netscape.certsrv.base.IPrettyPrintFormat;
-import com.netscape.certsrv.profile.IEnrollProfile;
-import com.netscape.certsrv.request.IRequest;
-import com.netscape.certsrv.request.RequestStatus;
-import com.netscape.cms.servlet.common.CMSTemplate;
-import com.netscape.cms.servlet.common.CMSTemplateParams;
-import com.netscape.cms.servlet.common.RawJS;
-import com.netscape.cmsutil.util.Utils;
-
 /**
  * Output a 'pretty print' of a certificate request
  *
@@ -102,6 +103,26 @@ public class CertReqParser extends ReqParser {
      */
     public void fillRequestIntoArg(Locale l, IRequest req, CMSTemplateParams argSet, IArgBlock arg)
             throws EBaseException {
+
+        // in case x509CertInfo is missing, at least add the subject for display
+        if (req.getExtDataInCertInfo("req_x509info"/*IRequest.CERT_INFO*/) == null
+                && req.getExtDataInCertInfo(IRequest.CERT_INFO) == null
+                && arg.getValueAsString("subject", "").equals("")) {
+            //CMS.debug("CertReqParser.fillRequestIntoArg: filling subject due to missing x509CertInfo in request");
+            try {
+                String subjectnamevalue = req.getExtDataInString("req_subject_name");
+                if (subjectnamevalue != null && !subjectnamevalue.equals("")) {
+                    X500Name name = new X500Name(Utils.base64decode(subjectnamevalue));
+                    CertificateSubjectName sbjName = new CertificateSubjectName(name);
+                    if (sbjName != null) {
+                        arg.addStringValue("subject", sbjName.toString());
+                    }
+                }
+            } catch (Exception ee) {
+                CMS.debug("CertReqParser.fillRequestIntoArg: Exception:" + ee.toString());
+            }
+        }
+
         if (req.getExtDataInCertInfoArray(IRequest.CERT_INFO) != null) {
             fillX509RequestIntoArg(l, req, argSet, arg);
         } else if (req.getExtDataInRevokedCertArray(IRequest.CERT_INFO) != null) {
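Review bot: `if (sbjName != null)` in the new block is always true, because `new CertificateSubjectName(name)` either yields an object or throws, so the check is dead and the `arg.addStringValue("subject", sbjName.toString());` line can stand on its own inside the existing try/catch. The inline comment `/*IRequest.CERT_INFO*/` beside `"req_x509info"` implies the first two conditions test the same key twice; if the two are equal, keep one test and say why the literal is spelled out (`// literal on purpose: must match the attribute name listed in excludedLdapAttrs.attrs`), and if they differ the comment is misleading and should go. The commented-out `//CMS.debug(...)` line should either become a real debug call or be removed rather than left as dead text. The body of fillRequestIntoArg continues past the hunk.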
@@ -609,9 +630,36 @@ public class CertReqParser extends ReqParser {
                 CMSTemplate.escapeJavaScriptStringHTML(v.toString()) + "\"";
     }
+    public String getCertSubjectDN(IRequest request) {
+        try {
+            String cert = request.getExtDataInString("cert");
+            if (cert == null) {
+                cert = request.getExtDataInString("req_issued_cert");
+            }
+
+            if (cert != null) {
+
+                X509CertImpl theCert = null;
+                try {
+                    theCert = new X509CertImpl(Utils.base64decode(cert));
+                } catch (CertificateException e) {
+                }
+
+                if (theCert != null) {
+                    String subject = theCert.getSubjectDN().toString();
+                    return subject;
+                }
+            }
+        } catch (Exception e) {
+            CMS.debug("CertReqParser: getCertSubjectDN " + e.toString());
+        }
+        return null;
+    }
+
     public String getRequestorDN(IRequest request) {
         try {
             X509CertInfo info = request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+            if (info == null) return null;
             // retrieve the subject name
             CertificateSubjectName sn = (CertificateSubjectName)
                     info.get(X509CertInfo.SUBJECT);
@@ -661,28 +709,17 @@ public class CertReqParser extends ReqParser {
             if (profile != null) {
                 arg.addStringValue("profile", profile);
                 String requestorDN = getRequestorDN(req);
+                if (requestorDN == null) {
+                    requestorDN = getCertSubjectDN(req);
+                }
                 if (requestorDN != null) {
                     arg.addStringValue("subject", requestorDN);
                 }
             } else if (IRequest.KEYRECOVERY_REQUEST.equals(reqType)) {
                 arg.addStringValue("profile", "false");
-
-                String cert = req.getExtDataInString("cert");
-
-                if (cert != null) {
-
-                    X509CertImpl theCert = null;
-                    try {
-                        theCert = new X509CertImpl(Utils.base64decode(cert));
-                    } catch (CertificateException e) {
-                    }
-
-                    if (theCert != null) {
-                        String subject = theCert.getSubjectDN().toString();
-                        return subject;
-                    }
-                }
+                String subjectDN = getCertSubjectDN(req);
+                arg.addStringValue("subject", subjectDN);
             } else { //TMS
                 arg.addStringValue("profile", "false"); |
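Review bot: In the new `getCertSubjectDN`, the inner `catch (CertificateException e) { }` swallows a failure to parse the stored certificate without any trace, while the outer handler logs every other exception; the method then falls through to `return null`, so a corrupted `cert`/`req_issued_cert` value becomes indistinguishable from a missing one in the logs. Either drop the inner try/catch so the outer handler reports it, or log there: `CMS.debug("CertReqParser: getCertSubjectDN cannot parse cert: " + e.toString());`. A one-line Javadoc on the new public method saying it returns the subject DN of the `cert` or `req_issued_cert` entry, or null when neither is present or parseable, would also help callers. The added `if (info == null) return null;` in `getRequestorDN` is the only unbraced conditional in these hunks; `if (info == null) { return null; }` matches the rest of the file. getRequestorDN continues past the hunk.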
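Review bot: In the `KEYRECOVERY_REQUEST` branch the rewrite calls `arg.addStringValue("subject", subjectDN)` unconditionally, but `getCertSubjectDN` returns null when the certificate is absent or fails to parse, and the removed code only added the value inside `if (theCert != null)`. Whether a null value is tolerated depends on the `IArgBlock` implementation, which is not visible here; guarding it as before, `if (subjectDN != null) { arg.addStringValue("subject", subjectDN); }`, keeps the previous behavior for records without a parseable certificate. The enclosing method starts and ends outside the hunk.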
