authorEndi S. Dewata <edewata@redhat.com>2016-05-24 09:41:58 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-06-02 17:46:08 +0200
commitbca7ae015691aeaee1258a177632a01a2823abdd (patch)
treea63f8998fac81c98f6c012682bd830dfb0583a1e /base/server/cms/src
parentaf4dd682a089754867a48af53b8794cea914004a (diff)
Fixed problem submitting renewal request.
The RenewalProcessor.processRenewal() has been modified to get the serial number of the certificate to renew from the profile input in addition to the <SerialNumber> attribute and client certificate. The serialNum field in CertEnrollmentRequest has been modified to use CertId, which accepts both decimal and hexadecimal values. https://fedorahosted.org/pki/ticket/999
Diffstat (limited to 'base/server/cms/src')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java87
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java10
2 files changed, 80 insertions, 17 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index eaf230b03..b22cc1ce4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -38,13 +38,19 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.dbs.certdb.ICertRecord;
import com.netscape.certsrv.profile.IEnrollProfile;
import com.netscape.certsrv.profile.IProfile;
import com.netscape.certsrv.profile.IProfileAuthenticator;
import com.netscape.certsrv.profile.IProfileContext;
import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.profile.ProfileAttribute;
+import com.netscape.certsrv.profile.ProfileInput;
+import com.netscape.certsrv.registry.IPluginInfo;
+import com.netscape.certsrv.registry.IPluginRegistry;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.input.SerialNumRenewInput;
import com.netscape.cms.servlet.common.AuthCredentials;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.profile.SSLClientCertProvider;
@@ -77,7 +83,8 @@ public class RenewalProcessor extends CertProcessor {
HashMap<String, String> params = data.toParams();
printParameterValues(params);
}
- CMS.debug("RenewalSubmitter: isRenewal true");
+
+ CMS.debug("RenewalProcessor: processRenewal()");
startTiming("enrollment");
request.setAttribute("reqType", "renewal");
@@ -85,7 +92,7 @@ public class RenewalProcessor extends CertProcessor {
// in case of renew, "profile" is the orig profile
// while "renewProfile" is the current profile used for renewal
String renewProfileId = (this.profileID == null) ? data.getProfileId() : this.profileID;
- CMS.debug("processRenewal: renewProfileId " + renewProfileId);
+ CMS.debug("RenewalProcessor: profile: " + renewProfileId);
IProfile renewProfile = ps.getProfile(renewProfileId);
if (renewProfile == null) {
@@ -94,27 +101,79 @@ public class RenewalProcessor extends CertProcessor {
throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(renewProfileId)));
}
if (!ps.isProfileEnable(renewProfileId)) {
- CMS.debug("RenewalSubmitter: Profile " + renewProfileId + " not enabled");
+ CMS.debug("RenewalProcessor: Profile " + renewProfileId + " not enabled");
throw new BadRequestDataException("Profile " + renewProfileId + " not enabled");
}
- String serial = data.getSerialNum();
BigInteger certSerial = null;
- if (StringUtils.isNotEmpty(serial)) {
- // if serial number is sent with request, then the authentication
- // method is not ssl client auth. In this case, an alternative
- // authentication method is used (default: ldap based)
- // usr_origreq evaluator should be used to authorize ownership
- // of the cert
- CMS.debug("RenewalSubmitter: renewal: serial number: " + serial);
- certSerial = new BigInteger(serial);
+ // get serial number from <SerialNumber> element (no auth required)
+ CertId serial = data.getSerialNum();
+ if (serial != null) {
+ CMS.debug("RenewalProcessor: serial number: " + serial);
+ certSerial = serial.toBigInteger();
+ }
+
+ // if not found, get serial number from profile input (no auth required)
+ if (certSerial == null) {
+
+ IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+
+ // find SerialNumRenewInput
+ for (ProfileInput input : data.getInputs()) {
+
+ String inputId = input.getId();
+ if (inputId == null) {
+ throw new BadRequestException("Missing input ID");
+ }
+
+ String classId = input.getClassId();
+ if (classId == null) {
+ throw new BadRequestException("Missing class ID in input " + inputId);
+ }
+
+ IPluginInfo pluginInfo = registry.getPluginInfo("profileInput", classId);
+ if (pluginInfo == null) {
+ throw new BadRequestException("Unregistered class ID " + classId + " in input " + inputId);
+ }
+
+ String className = pluginInfo.getClassName();
+ if (!SerialNumRenewInput.class.getName().equals(className)) {
+ // check the next input
+ continue;
+ }
+
+ CMS.debug("RenewalProcessor: found SerialNumRenewInput");
+ ProfileAttribute attribute = input.getAttribute(SerialNumRenewInput.SERIAL_NUM);
+
+ if (attribute == null) {
+ throw new BadRequestException("Missing attribute " + SerialNumRenewInput.SERIAL_NUM + " in input " + inputId);
+ }
+
+ String value = attribute.getValue();
+ CMS.debug("RenewalProcessor: profile input " + SerialNumRenewInput.SERIAL_NUM + " value: " + value);
+
+ if (StringUtils.isEmpty(value)) {
+ throw new BadRequestException("Missing attribute value for " + SerialNumRenewInput.SERIAL_NUM + " in input " + inputId);
+ }
+
+ serial = new CertId(value);
+ certSerial = serial.toBigInteger();
+ break;
+ }
+ }
+
+ // if still not found, get serial number from client certificate (if provided)
+ if (certSerial == null) {
+
+ if (!request.isSecure()) {
+ throw new BadRequestException("Missing serial number");
+ }
- } else {
// ssl client auth is to be used
// this is not authentication. Just use the cert to search
// for orig request and find the right profile
- CMS.debug("RenewalSubmitter: renewal: serial_num not found, must do ssl client auth");
+ CMS.debug("RenewalProcessor: get serial number from client certificate");
certSerial = getSerialNumberFromCert(request);
}
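Review bot: The comment deleted with `String serial = data.getSerialNum();` explained that a serial number sent in the request is not an authentication credential and that ownership of the certificate is authorized by the profile's usr_origreq evaluator; the replacement comments `// get serial number from <SerialNumber> element (no auth required)` and the profile-input branch now read as if no authorization is involved at all. I'd restore that rationale on the `<SerialNumber>` branch, e.g. `// client-supplied serial number is untrusted: it only selects the original request; ownership of the cert is authorized by the profile (usr_origreq evaluator), not here`. Separately, `serial = new CertId(value);` is the one validation step in the loop that does not report through BadRequestException: a value that is neither decimal nor hex presumably surfaces as an unchecked NumberFormatException from the underlying parse, as `new BigInteger(serial)` did before, so wrapping it as `throw new BadRequestException("Invalid serial number in input " + inputId);` would keep error reporting consistent with the checks above it. processRenewal continues past the end of the hunk.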
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 7cced7c47..5a38a4929 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -37,6 +37,7 @@ import com.netscape.certsrv.ca.AuthorityID;
import com.netscape.certsrv.ca.CANotFoundException;
import com.netscape.certsrv.ca.ICertificateAuthority;
import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.profile.EProfileException;
import com.netscape.certsrv.profile.IEnrollProfile;
import com.netscape.certsrv.profile.IProfile;
@@ -138,8 +139,8 @@ public class ProfileSubmitServlet extends ProfileServlet {
CMS.debug("ProfileSubmitServlet: authentication error in processing request: " + e.toString());
errorExit(response, xmlOutput, e.getMessage(), null);
return;
- } catch (EBaseException e) {
- e.printStackTrace();
+ } catch (Exception e) {
+ CMS.debug(e);
CMS.debug("ProfileSubmitServlet: error in processing request: " + e.toString());
errorExit(response, xmlOutput, e.getMessage(), null);
return;
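Review bot: Widening the catch from `EBaseException` to `Exception` means the message of any runtime exception (a NullPointerException, or a NumberFormatException from a malformed serial number) is now handed to `errorExit(response, xmlOutput, e.getMessage(), null)`; if errorExit writes that text into the response, as its name suggests, internal exception text reaches the client, and `e.getMessage()` is null for a bare NPE. I'd keep a narrow catch for the expected exception types and give unexpected ones a fixed message, e.g. `errorExit(response, xmlOutput, "Internal error processing request", null);`, leaving the detail to `CMS.debug(e)`. The enclosing method starts and ends outside the hunk.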
@@ -264,7 +265,10 @@ public class ProfileSubmitServlet extends ProfileServlet {
CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
//only used in renewal
- data.setSerialNum(request.getParameter("serial_num"));
+ String serialNumber = request.getParameter("serial_num");
+ if (serialNumber != null) {
+ data.setSerialNum(new CertId(serialNumber));
+ }
return processor.processRenewal(data, request, null);
}
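Review bot: The new guard `if (serialNumber != null)` admits an empty `serial_num` parameter, which the previous code treated as absent (RenewalProcessor used `StringUtils.isNotEmpty` on it) and fell back to the client certificate; now `new CertId("")` is reached, and it presumably fails to parse instead of selecting the fallback, so a request carrying `serial_num=` together with a client certificate goes from succeeding to erroring. I'd change the guard to `if (serialNumber != null && !serialNumber.trim().isEmpty()) {`, and, since the parameter is client-supplied, reject a non-numeric value explicitly with a BadRequestException rather than letting the parse exception escape to the generic handler. The enclosing method starts before the hunk.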