Ticket 1307 (part2 keySet mapping) [RFE] Support multiple keySets for different cards for ExternalReg This patch adds support to keyset mapping

author: Christina Fu <cfu@redhat.com> 2015-05-18 16:14:47 -0700
committer: Christina Fu <cfu@redhat.com> 2015-05-21 16:46:45 -0700
commit: fe9e2d9a677317585db34ac5131d17f696c1e09e (patch)
tree: 544cb410e8fd7af5d2da1eb7d9ce27e9dc2e65f6 /base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
parent: 2e6537e80d42c208a96e218d84ed4fb5c6b7a9d4 (diff)
download: pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.tar.gz
pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.tar.xz
pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.zip
1 files changed, 115 insertions, 40 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 00303432c..82c0734ac 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -118,6 +118,7 @@ public class TPSProcessor {
     protected TPSSession session;
     //protected TokenRecord tokenRecord;
     protected String selectedTokenType;
+    protected String selectedKeySet;
     IAuthToken authToken;
     List<String> ldapStringAttrs;
 
@@ -182,6 +183,22 @@ public class TPSProcessor {
         return selectedTokenType;
     }
 
+    protected void setSelectedKeySet(String theKeySet) {
+
+        if (theKeySet == null) {
+            throw new NullPointerException("TPSProcessor.setSelectedKeySet: Attempt to set invalid null key set!");
+        }
+        CMS.debug("TPS_Processor.setSelectedKeySet: keySet=" +
+                theKeySet);
+        selectedKeySet = theKeySet;
+
+    }
+
+    public String getSelectedKeySet() {
+        return selectedKeySet;
+    }
+
+
     protected TPSBuffer extractTokenMSN(TPSBuffer cplc_data) throws TPSException {
         //Just make sure no one is inputing bogus cplc_data
         if (cplc_data == null || cplc_data.size() < CPLC_DATA_SIZE) {
@@ -369,7 +386,7 @@ public class TPSProcessor {
         TKSEncryptDataResponse data = null;
 
         try {
-            tks = new TKSRemoteRequestHandler(connId);
+            tks = new TKSRemoteRequestHandler(connId, getSelectedKeySet());
             data = tks.encryptData(appletInfo.getKDD(),appletInfo.getCUID(), keyInfo, plaintextChallenge);
         } catch (EBaseException e) {
             throw new TPSException("TPSProcessor.encryptData: Erorr getting wrapped data from TKS!",
@@ -616,7 +633,7 @@ public class TPSProcessor {
 
             resp = engine.computeSessionKey(keyDiversificationData, appletInfo.getCUID(), keyInfoData,
                     cardChallenge, hostChallenge, cardCryptogram,
-                    connId, getSelectedTokenType());
+                    connId, getSelectedTokenType(), getSelectedKeySet());
 
             hostCryptogram = resp.getHostCryptogram();
 
@@ -691,7 +708,7 @@ public class TPSProcessor {
             CMS.debug("TPSProcessor.generateSecureChannel Trying secure channel protocol 02");
             respEnc02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData,
                     sequenceCounter, new TPSBuffer(SecureChannel.ENCDerivationConstant),
-                    connId, getSelectedTokenType());
+                    connId, getSelectedTokenType(), getSelectedKeySet());
 
             TPSBuffer encSessionKeyWrappedSCP02 = respEnc02.getSessionKey();
             encSessionKeySCP02 = SessionKey.UnwrapSessionKeyWithSharedSecret(tokenName, sharedSecret,
@@ -705,7 +722,7 @@ public class TPSProcessor {
 
             respCMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData,
                     sequenceCounter, new TPSBuffer(SecureChannel.C_MACDerivationConstant),
-                    connId, getSelectedTokenType());
+                    connId, getSelectedTokenType(), getSelectedKeySet());
 
             TPSBuffer cmacSessionKeyWrappedSCP02 = respCMac02.getSessionKey();
 
@@ -720,7 +737,7 @@ public class TPSProcessor {
 
             respRMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData,
                     sequenceCounter, new TPSBuffer(SecureChannel.R_MACDerivationConstant),
-                    connId, getSelectedTokenType());
+                    connId, getSelectedTokenType(), getSelectedKeySet());
 
             TPSBuffer rmacSessionKeyWrappedSCP02 = respRMac02.getSessionKey();
 
@@ -735,7 +752,7 @@ public class TPSProcessor {
 
             respDek02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData,
                     sequenceCounter, new TPSBuffer(SecureChannel.DEKDerivationConstant),
-                    connId, getSelectedTokenType());
+                    connId, getSelectedTokenType(), getSelectedKeySet());
 
             CMS.debug("Past engine.computeSessionKeyData: After dek key request.");
 
@@ -1623,7 +1640,8 @@ public class TPSProcessor {
                 erAttrs.addCertToRecover(erCert);
             }
         } else {
-            CMS.debug(method + ": certsToRecover attribute not found");
+            CMS.debug(method + ": certsToRecover attribute " + erAttrs.ldapAttrNameCertsToRecover +
+                    " not found");
         }
 
         /*
@@ -1720,7 +1738,6 @@ public class TPSProcessor {
                 + " app_major_version: " + app_major_version + " app_minor_version: " + app_minor_version);
 
         String tokenType = "tokenType";
-        String resolverInstName = getResolverInstanceName();
 
         IAuthCredentials userCred =
                 new com.netscape.certsrv.authentication.AuthCredentials();
@@ -1816,6 +1833,33 @@ public class TPSProcessor {
                 session.setExternalRegAttrs(erAttrs);
                 setSelectedTokenType(erAttrs.getTokenType());
             }
+            CMS.debug("In TPSProcessor.format: isExternalReg: about to process keySet resolver");
+            /*
+             * Note: externalReg.mappingResolver=none indicates no resolver
+             *    plugin used
+             */
+            try {
+            String resolverInstName = getKeySetResolverInstanceName();
+
+                if (!resolverInstName.equals("none") && (selectedKeySet == null)) {
+                    FilterMappingParams mappingParams = createFilterMappingParams(resolverInstName,
+                            appletInfo.getCUIDhexString(), appletInfo.getMSNString(),
+                            appletInfo.getMajorVersion(), appletInfo.getMinorVersion());
+                    TPSSubsystem subsystem =
+                            (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+                    BaseMappingResolver resolverInst =
+                            subsystem.getMappingResolverManager().getResolverInstance(resolverInstName);
+                    String keySet = resolverInst.getResolvedMapping(mappingParams, "keySet");
+                    setSelectedKeySet(keySet);
+                    CMS.debug("In TPSProcessor.format: resolved keySet: " + keySet);
+                }
+            } catch (TPSException e) {
+                auditMsg = e.toString();
+                tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg,
+                        "failure");
+
+                throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+            }
         } else {
             CMS.debug("In TPSProcessor.format isExternalReg: OFF");
             /*
@@ -1824,7 +1868,19 @@ public class TPSProcessor {
              */
 
             try {
-                tokenType = resolveTokenProfile(resolverInstName, cuid, msn, major_version, minor_version);
+                String resolverInstName = getResolverInstanceName();
+
+                if (!resolverInstName.equals("none") && (selectedKeySet == null)) {
+                    FilterMappingParams mappingParams  = createFilterMappingParams(resolverInstName, cuid, msn, major_version, minor_version);
+
+                    TPSSubsystem subsystem =
+                            (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+                    BaseMappingResolver resolverInst =
+                            subsystem.getMappingResolverManager().getResolverInstance(resolverInstName);
+                    tokenType = resolverInst.getResolvedMapping(mappingParams);
+                    setSelectedTokenType(tokenType);
+                    CMS.debug("In TPSProcessor.format: resolved tokenType: " + tokenType);
+                }
             } catch (TPSException e) {
                 auditMsg = e.toString();
                 tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg,
@@ -2033,7 +2089,7 @@ public class TPSProcessor {
         }
 
         String config = opPrefix +
-                "." + TPSEngine.CFG_PROFILE_RESOLVER;
+                "." + TPSEngine.CFG_MAPPING_RESOLVER;
 
         CMS.debug("TPSProcessor.getResolverInstanceName: config: " + config);
         try {
@@ -2048,6 +2104,33 @@ public class TPSProcessor {
         return resolverInstName;
     }
 
+    protected String getKeySetResolverInstanceName() throws TPSException {
+        String method = "TPSProcessor.getKeySetResolverInstanceName: ";
+        CMS.debug(method + " begins");
+        IConfigStore configStore = CMS.getConfigStore();
+        String resolverInstName = null;
+
+        if (!isExternalReg) {
+            CMS.debug(method + "externalReg not enabled; keySet mapping currently only supported in externalReg.");
+            return null;
+        }
+        String config = "externalReg" +
+                "." + TPSEngine.CFG_MAPPING_RESOLVER;
+
+        CMS.debug(method + " config: " + config);
+        try {
+            resolverInstName = configStore.getString(config, "none");
+        } catch (EBaseException e) {
+            throw new TPSException(e.getMessage());
+        }
+        if (resolverInstName.equals(""))
+            resolverInstName = "none";
+
+        CMS.debug(method + " returning: " + resolverInstName);
+
+        return resolverInstName;
+    }
+
     /**
      * @param resolverInstName
      * @param cuid
@@ -2056,52 +2139,44 @@ public class TPSProcessor {
      * @param minor_version
      * @return
      */
-    protected String resolveTokenProfile(
+    protected FilterMappingParams createFilterMappingParams(
             String resolverInstName,
             String cuid,
             String msn,
             byte major_version,
             byte minor_version)
             throws TPSException {
-        String tokenType;
+        String method = "TPSProcessor.createFilterMappingParams: ";
+        FilterMappingParams mappingParams = new FilterMappingParams();
 
-        if (!resolverInstName.equals("none") && (selectedTokenType == null)) {
 
             try {
-                FilterMappingParams pParams = new FilterMappingParams();
-                CMS.debug("In TPSProcessor.resolveTokenProfile : after new MappingFilterParams");
-                pParams.set(FilterMappingParams.FILTER_PARAM_MAJOR_VERSION,
+                mappingParams = new FilterMappingParams();
+                CMS.debug(method + " after new MappingFilterParams");
+                mappingParams.set(FilterMappingParams.FILTER_PARAM_MAJOR_VERSION,
                         String.valueOf(major_version));
-                pParams.set(FilterMappingParams.FILTER_PARAM_MINOR_VERSION,
+                mappingParams.set(FilterMappingParams.FILTER_PARAM_MINOR_VERSION,
                         String.valueOf(minor_version));
-                pParams.set(FilterMappingParams.FILTER_PARAM_CUID, cuid);
-                pParams.set(FilterMappingParams.FILTER_PARAM_MSN, msn);
+                mappingParams.set(FilterMappingParams.FILTER_PARAM_CUID, cuid);
+                mappingParams.set(FilterMappingParams.FILTER_PARAM_MSN, msn);
+                // fill in the extensions from client, if any
                 if (beginMsg.getExtensions() != null) {
-                    pParams.set(FilterMappingParams.FILTER_PARAM_EXT_TOKEN_TYPE,
+                    mappingParams.set(FilterMappingParams.FILTER_PARAM_EXT_TOKEN_TYPE,
                             beginMsg.getExtensions().get("tokenType"));
-                    pParams.set(FilterMappingParams.FILTER_PARAM_EXT_TOKEN_ATR,
+                    mappingParams.set(FilterMappingParams.FILTER_PARAM_EXT_TOKEN_ATR,
                             beginMsg.getExtensions().get("tokenATR"));
+                    mappingParams.set(FilterMappingParams.FILTER_PARAM_EXT_KEY_SET,
+                            beginMsg.getExtensions().get("keySet"));
                 }
-                CMS.debug("In TPSProcessor.resolveTokenProfile : after setting MappingFilterParams");
-                TPSSubsystem subsystem =
-                        (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
-                BaseMappingResolver resolverInst =
-                        subsystem.getMappingResolverManager().getResolverInstance(resolverInstName);
-                tokenType = resolverInst.getResolvedMapping(pParams);
-                CMS.debug("In TPSProcessor.resolveTokenProfile : profile resolver result: " + tokenType);
-                setSelectedTokenType(tokenType);
-            } catch (EBaseException et) {
-                CMS.debug("In TPSProcessor.resolveTokenProfile exception:" + et);
-                throw new TPSException("TPSProcessor.resolveTokenProfile failed.",
+                CMS.debug(method + " MappingFilterParams set");
+
+            } catch (Exception et) {
+                CMS.debug(method + " exception:" + et);
+                throw new TPSException(method + " failed.",
                         TPSStatus.STATUS_ERROR_MAPPING_RESOLVER_FAILED);
             }
 
-        } else {
-            //Already have a token type, return it
-            tokenType = getSelectedTokenType();
-        }
-
-        return tokenType;
+        return mappingParams;
     }
 
     protected String getIssuerInfoValue() throws TPSException {
@@ -2821,7 +2896,7 @@ public class TPSProcessor {
                 }
 
                 TPSBuffer keySetData = engine.createKeySetData(newVersion, curKeyInfo, protocol,
-                        appletInfo.getCUID(),channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId);
+                        appletInfo.getCUID(),channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId, getSelectedKeySet());
 
                 CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: new keySetData from TKS: " + keySetData.toHexString());
 
@@ -2843,7 +2918,7 @@ public class TPSProcessor {
 
                         byte[] nv_dev = { (byte) 0x1, (byte) 0x1 };
                         TPSBuffer devKeySetData = engine.createKeySetData(new TPSBuffer(nv_dev), curKeyInfo, protocol,
-                              appletInfo.getCUID(),  channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId);
+                              appletInfo.getCUID(),  channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId, getSelectedKeySet());
 
                         CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: about to get rid of keyset 0xFF and replace it with keyset 0x1 with developer key set");
                         channel.putKeys((byte) 0x0, (byte) 0x1, devKeySetData);
author	Christina Fu <cfu@redhat.com>	2015-05-18 16:14:47 -0700
committer	Christina Fu <cfu@redhat.com>	2015-05-21 16:46:45 -0700
commit	fe9e2d9a677317585db34ac5131d17f696c1e09e (patch)
tree	544cb410e8fd7af5d2da1eb7d9ce27e9dc2e65f6 /base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
parent	2e6537e80d42c208a96e218d84ed4fb5c6b7a9d4 (diff)
download	pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.tar.gz pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.tar.xz pki-fe9e2d9a677317585db34ac5131d17f696c1e09e.zip