authorJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-09-18 17:11:07 -0700
committerJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-09-23 10:02:41 -0700
commitade950ce82e0eeff267a66fcb44df61d055f4eb5 (patch)
tree50bf5c5a4fd11d1e1b3c827aae38bea5c36376fd /base/tps
parentc16d09af5f6117967e34d33b4811ea12dbffd22c (diff)
downloadpki-ade950ce82e0eeff267a66fcb44df61d055f4eb5.tar.gz
pki-ade950ce82e0eeff267a66fcb44df61d055f4eb5.tar.xz
pki-ade950ce82e0eeff267a66fcb44df61d055f4eb5.zip
Provide standalone Pin Reset Processor.
Now an enrolled token can have its pin changed with esc without doing another enrollment. Actually call authentication for this pin reset operation now. Review fix.
Diffstat (limited to 'base/tps')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java2
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java196
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java83
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java216
4 files changed, 295 insertions, 202 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index c4b485c45..8783e48ef 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -181,7 +181,7 @@ public class TPSEngine {
public static final Object RECOVERY_RECOVER_LAST = "RecoverLast";
public static final String CFG_OVERWRITE = "overwrite";
- public static final String PIN_RESET_OP = "pin_reset";
+ public static final String PIN_RESET_OP = "pinReset";
public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP;
public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP;
public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP;
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 1cb869079..dde24e496 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -19,7 +19,6 @@ import netscape.security.x509.X509CertImpl;
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
-import org.dogtagpki.server.tps.authentication.TPSAuthenticator;
import org.dogtagpki.server.tps.channel.SecureChannel;
import org.dogtagpki.server.tps.channel.SecureChannel.TokenKeyType;
import org.dogtagpki.server.tps.cms.CAEnrollCertResponse;
@@ -36,7 +35,6 @@ import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.server.tps.engine.TPSEngine.ENROLL_MODES;
import org.dogtagpki.server.tps.main.ObjectSpec;
import org.dogtagpki.server.tps.main.PKCS11Obj;
-import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.TPSException;
import org.dogtagpki.tps.main.Util;
@@ -50,8 +48,6 @@ import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.authentication.IAuthCredentials;
-import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
@@ -397,198 +393,6 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
- private void checkAndAuthenticateUser(AppletInfo appletInfo, String tokenType) throws TPSException {
- IAuthCredentials userCred;
- IAuthToken authToken;
- TokenRecord tokenRecord = getTokenRecord();
- if (!isExternalReg) {
- // authenticate per profile/tokenType configuration
- String configName = TPSEngine.OP_ENROLL_PREFIX + "." + tokenType + ".auth.enable";
- IConfigStore configStore = CMS.getConfigStore();
-
- TPSSubsystem tps =
- (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
- //TPSSession session = getSession();
- boolean isAuthRequired;
- try {
- CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: getting config: " + configName);
- isAuthRequired = configStore.getBoolean(configName, true);
- } catch (EBaseException e) {
- CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: Internal Error obtaining mandatory config values. Error: "
- + e);
- throw new TPSException("TPS error getting config values from config store.",
- TPSStatus.STATUS_ERROR_MISCONFIGURATION);
- }
- if (isAuthRequired) {
- try {
- TPSAuthenticator userAuth =
- getAuthentication(TPSEngine.OP_ENROLL_PREFIX, tokenType);
- userCred = requestUserId(TPSEngine.ENROLL_OP, appletInfo.getCUIDhexString(), userAuth,
- beginMsg.getExtensions());
- userid = (String) userCred.get(userAuth.getAuthCredName());
- CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: userCred (attempted) userid=" + userid);
- // initialize userid first for logging purposes in case authentication fails
- tokenRecord.setUserID(userid);
- authToken = authenticateUser(TPSEngine.ENROLL_OP, userAuth, userCred);
- userid = authToken.getInString("userid");
- tokenRecord.setUserID(userid);
- CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: auth passed: userid: "
- + authToken.get("userid"));
-
- } catch (Exception e) {
- // all exceptions are considered login failure
- CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
- String msg = "TPS error user authentication failed:" + e;
- tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
- "failure");
-
- throw new TPSException(msg,
- TPSStatus.STATUS_ERROR_LOGIN);
- }
- } else {
- throw new TPSException(
- "TPSEnrollProcessor.checkAndAuthenticateUser: TPS enrollment must have authentication enabled.",
- TPSStatus.STATUS_ERROR_LOGIN);
-
- }
-
- }
- }
-
- private void checkAndHandlePinReset(SecureChannel channel) throws TPSException, IOException {
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset entering...");
-
- if (channel == null) {
- throw new TPSException("TPSEnrollProcessor.checkAndHandlePinReset: invalid input data!",
- TPSStatus.STATUS_ERROR_TOKEN_RESET_PIN_FAILED);
- }
-
- IConfigStore configStore = CMS.getConfigStore();
-
- String pinResetEnableConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
- + TPSEngine.CFG_PIN_RESET_ENABLE;
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset config to check: " + pinResetEnableConfig);
-
- String minLenConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
- + TPSEngine.CFG_PIN_RESET_MIN_LEN;
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset config to check: " + minLenConfig);
-
- String maxLenConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
- + TPSEngine.CFG_PIN_RESET_MAX_LEN;
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset config to check: " + maxLenConfig);
-
- String maxRetriesConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
- + TPSEngine.CFG_PIN_RESET_MAX_RETRIES;
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset config to check: " + maxRetriesConfig);
-
- String pinStringConfig = TPSEngine.CFG_PIN_RESET_STRING;
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset config to check: " + pinStringConfig);
-
- boolean enabled = false;
- int minLen;
- int maxLen;
- int maxRetries;
- String stringName;
-
- try {
-
- enabled = configStore.getBoolean(pinResetEnableConfig, true);
-
- if (enabled == false) {
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset: Pin Reset not allowed by configuration, exiting...");
- return;
-
- }
-
- minLen = configStore.getInteger(minLenConfig, 4);
- maxLen = configStore.getInteger(maxLenConfig, 10);
- maxRetries = configStore.getInteger(maxRetriesConfig, 0x7f);
- stringName = configStore.getString(pinStringConfig, "password");
-
- CMS.debug("TPSEnrollProcessor.checkAndHandlePinReset: config vals: enabled: " + enabled + " minLen: "
- + minLen + " maxLen: " + maxLen);
-
- } catch (EBaseException e) {
- throw new TPSException(
- "TPSEnrollProcessor.checkAndHandlePinReset: internal error in getting value from config.");
- }
-
- String new_pin = requestNewPin(minLen, maxLen);
-
- channel.createPin(0x0, maxRetries, stringName);
-
- channel.resetPin(0x0, new_pin);
-
- }
-
- private void checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException {
- // TODO Auto-generated method stub
-
- CMS.debug("checkAndUpgradeApplet: entering..");
-
- SecurityLevel securityLevel = SecurityLevel.SECURE_MSG_MAC;
-
- boolean useEncryption = checkUpdateAppletEncryption();
-
- String tksConnId = getTKSConnectorID();
- if (useEncryption)
- securityLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
-
- if (checkForAppletUpdateEnabled()) {
-
- String targetAppletVersion = checkForAppletUpgrade("op." + currentTokenOperation);
- targetAppletVersion = targetAppletVersion.toLowerCase();
-
- String currentAppletVersion = formatCurrentAppletVersion(appletInfo);
-
- CMS.debug("TPSEnrollProcessor.checkAndUpgradeApplet: currentAppletVersion: " + currentAppletVersion
- + " targetAppletVersion: " + targetAppletVersion);
-
- if (targetAppletVersion.compareTo(currentAppletVersion) != 0) {
-
- CMS.debug("TPSEnrollProessor.checkAndUpgradeApplet: Upgrading applet to : " + targetAppletVersion);
- upgradeApplet("op." + currentTokenOperation, targetAppletVersion, securityLevel, getBeginMessage()
- .getExtensions(),
- tksConnId, 5, 12);
- } else {
- CMS.debug("TPSEnrollProcessor.checkAndUpgradeApplet: applet already at correct version.");
- }
- }
-
- }
-
- protected boolean checkUpdateAppletEncryption() throws TPSException {
-
- CMS.debug("TPSEnrollProcessor.checkUpdateAppletEncryption entering...");
-
- IConfigStore configStore = CMS.getConfigStore();
-
- String appletEncryptionConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
- + TPSEngine.CFG_UPDATE_APPLET_ENCRYPTION;
-
- CMS.debug("TPSEnrollProcessor.checkUpdateAppletEncryption config to check: " + appletEncryptionConfig);
-
- boolean appletEncryption = false;
-
- try {
- appletEncryption = configStore.getBoolean(appletEncryptionConfig, false);
- } catch (EBaseException e) {
- //Default TPSException will return a "contact admin" error code.
- throw new TPSException(
- "TPSEnrollProcessor.checkUpdateAppletEncryption: internal error in getting value from config.");
- }
-
- CMS.debug("TPSEnrollProcessor.checkUpdateAppletEncryption returning: " + appletEncryption);
- return appletEncryption;
-
- }
-
private PKCS11Obj getCurrentObjectsOnToken(SecureChannel channel) throws TPSException, IOException,
DataFormatException {
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index b92cd8b91..73085b19c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -20,11 +20,17 @@ package org.dogtagpki.server.tps.processor;
import java.io.IOException;
import org.dogtagpki.server.tps.TPSSession;
+import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.channel.SecureChannel;
+import org.dogtagpki.server.tps.dbs.ActivityDatabase;
+import org.dogtagpki.server.tps.dbs.TokenRecord;
+import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.tps.main.TPSException;
import org.dogtagpki.tps.msg.BeginOpMsg;
import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.tps.token.TokenStatus;
public class TPSPinResetProcessor extends TPSProcessor {
@@ -40,21 +46,88 @@ public class TPSPinResetProcessor extends TPSProcessor {
TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
}
setBeginMessage(beginMsg);
- setCurrentTokenOperation("pinReset");
+ setCurrentTokenOperation(TPSEngine.PIN_RESET_OP);
resetPin();
}
- private void resetPin() throws TPSException {
+ private void resetPin() throws TPSException, IOException {
+ String method = "TPSPinResetProcessor.resetPin()";
//ToDo: Implement full pin reset processor, the pin reset portion
// of an enrollment works fine. We just need to finish this to perform
// a completely stand alone pin reset of an already enrolled token.
- CMS.debug("TPSPinResetProcessor.resetPin: entering...");
+ CMS.debug(method + ": entering...");
+
+ String auditMsg = null;
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+
+ AppletInfo appletInfo = null;
+ TokenRecord tokenRecord = null;
+
+ statusUpdate(10, "PROGRESS_START_PIN_RESET");
+
+ try {
+ appletInfo = getAppletInfo();
+ } catch (TPSException e) {
+ auditMsg = e.toString();
+ tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg,
+ "failure");
+
+ throw e;
+ }
+ appletInfo.setAid(getCardManagerAID());
+
+ tokenRecord = isTokenRecordPresent(appletInfo);
+
+ if(tokenRecord == null) {
+ //We can't reset the pin of a token that does not exist.
+
+ CMS.debug(method + ": Token does not exist!");
+ throw new TPSException(method + " Can't reset pin of token that does not exist ",TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+ }
+
+ TokenStatus status = tokenRecord.getTokenStatus();
+
+ CMS.debug(method + ": Token status: " + status);
+
+ if(!status.equals(TokenStatus.ACTIVE)) {
+ throw new TPSException(method + " Attempt to reset pin of token not currently active!",TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+ }
+
+ session.setTokenRecord(tokenRecord);
+
+ String resolverInstName = getResolverInstanceName();
+
+ String tokenType = null;
+
+ tokenType = resolveTokenProfile(resolverInstName, appletInfo.getCUIDhexString(), appletInfo.getMSNString(),
+ appletInfo.getMajorVersion(), appletInfo.getMinorVersion());
+ CMS.debug(method + ": resolved tokenType: " + tokenType);
+
+ statusUpdate(15, "PROGRESS_PIN_RESET_RESOLVE_PROFILE");
+
+ checkProfileStateOK();
+
+ checkAndAuthenticateUser(appletInfo, tokenType);
+
+ checkAndUpgradeApplet(appletInfo);
+ appletInfo = getAppletInfo();
+
+
+ //Check and upgrade keys if called for
+
+ SecureChannel channel = checkAndUpgradeSymKeys();
+ channel.externalAuthenticate();
+
+ checkAndHandlePinReset(channel);
+
+ statusUpdate(100, "PROGRESS_PIN_RESET_COMPLETE");
+
+ CMS.debug(method + ": Token Pin successfully reset!");
- throw new TPSException("TPSPinResetProcessor.resetPin: Pin Reset standalone operation not yet supported!",
- TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
}
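Review bot: resetPin finishes with statusUpdate(100, "PROGRESS_PIN_RESET_COMPLETE") and a "Token Pin successfully reset!" debug line even when checkAndHandlePinReset returned without touching the token because the CFG_PIN_RESET_ENABLE setting for this profile is false (that helper returns silently in that case); for a standalone operation that is a false success, so either have resetPin check the flag itself and throw `new TPSException(method + ": pin reset disabled by configuration", TPSStatus.STATUS_ERROR_TOKEN_RESET_PIN_FAILED)` or have the helper return a boolean the caller acts on. The failure audit in the getAppletInfo catch block passes ActivityDatabase.OP_ENROLLMENT and a tokenRecord that is still null at that point, and no success activity is written at the end, so the audit trail for pin resets is both mislabelled and incomplete. The "does not exist" and "not active" rejections reuse STATUS_ERROR_MAC_RESET_PIN_PDU, which reads as an APDU/MAC failure rather than a policy rejection; a status naming the real condition would help operators, if one exists. The ToDo comment at the top of the method describes work this commit does and should be dropped.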
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index e23cea0ad..c37a17c11 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -154,6 +154,10 @@ public class TPSProcessor {
selectedTokenType = theTokenType;
TokenRecord tokenRecord = getTokenRecord();
+
+ if(tokenRecord == null) {
+ throw new NullPointerException("TPSProcessor.setSelectedTokenType: Can't find token record for token!");
+ }
tokenRecord.setType(selectedTokenType);
}
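Review bot: The new null guard in setSelectedTokenType throws a NullPointerException rather than the TPSException every other guard in this file uses, so a missing token record escapes as an unchecked exception instead of the processor's normal status reporting to the client; if the signature allows it, `throw new TPSException("TPSProcessor.setSelectedTokenType: Can't find token record for token!", TPSStatus.STATUS_ERROR_CONTACT_ADMIN);` keeps the caller contract consistent. setSelectedTokenType's signature is outside the hunk, so whether it already declares TPSException cannot be seen here.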
@@ -545,6 +549,68 @@ public class TPSProcessor {
return channel;
}
+ protected boolean checkUpdateAppletEncryption() throws TPSException {
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption entering...");
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String appletEncryptionConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_UPDATE_APPLET_ENCRYPTION;
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption config to check: " + appletEncryptionConfig);
+
+ boolean appletEncryption = false;
+
+ try {
+ appletEncryption = configStore.getBoolean(appletEncryptionConfig, false);
+ } catch (EBaseException e) {
+ //Default TPSException will return a "contact admin" error code.
+ throw new TPSException(
+ "TPSProcessor.checkUpdateAppletEncryption: internal error in getting value from config.");
+ }
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption returning: " + appletEncryption);
+ return appletEncryption;
+
+ }
+
+ protected void checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException {
+ // TODO Auto-generated method stub
+
+ CMS.debug("checkAndUpgradeApplet: entering..");
+
+ SecurityLevel securityLevel = SecurityLevel.SECURE_MSG_MAC;
+
+ boolean useEncryption = checkUpdateAppletEncryption();
+
+ String tksConnId = getTKSConnectorID();
+ if (useEncryption)
+ securityLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
+
+ if (checkForAppletUpdateEnabled()) {
+
+ String targetAppletVersion = checkForAppletUpgrade("op." + currentTokenOperation);
+ targetAppletVersion = targetAppletVersion.toLowerCase();
+
+ String currentAppletVersion = formatCurrentAppletVersion(appletInfo);
+
+ CMS.debug("TPSProcessor.checkAndUpgradeApplet: currentAppletVersion: " + currentAppletVersion
+ + " targetAppletVersion: " + targetAppletVersion);
+
+ if (targetAppletVersion.compareTo(currentAppletVersion) != 0) {
+
+ CMS.debug("TPSProcessor.checkAndUpgradeApplet: Upgrading applet to : " + targetAppletVersion);
+ upgradeApplet("op." + currentTokenOperation, targetAppletVersion, securityLevel, getBeginMessage()
+ .getExtensions(),
+ tksConnId, 5, 12);
+ } else {
+ CMS.debug("TPSProcessor.checkAndUpgradeApplet: applet already at correct version.");
+ }
+ }
+
+ }
+
protected void upgradeApplet(String operation, String new_version, SecurityLevel securityLevel,
Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException,
TPSException {
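Review bot: checkAndUpgradeApplet still carries `// TODO Auto-generated method stub` at its top and an entry debug line without the class prefix, both inherited from the TPSEnrollProcessor copy this commit deletes; drop the TODO and use `CMS.debug("TPSProcessor.checkAndUpgradeApplet: entering...");` to match the rest of the method. `targetAppletVersion.toLowerCase()` is locale-sensitive; `toLowerCase(Locale.ROOT)` makes the comparison with formatCurrentAppletVersion independent of the server locale. The config-read failure in checkUpdateAppletEncryption throws a TPSException without a status, as its comment notes, whereas the equivalent failure in checkAndAuthenticateUser uses STATUS_ERROR_MISCONFIGURATION; consider aligning the two.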
@@ -1472,6 +1538,8 @@ public class TPSProcessor {
opDefault = TPSEngine.CFG_DEF_PIN_RESET_PROFILE_RESOLVER;
opPrefix = TPSEngine.OP_PIN_RESET_PREFIX;
+ } else{
+ throw new TPSException("TPSProcessor.getResolverInstanceName: Invalid operation type, can not calculate resolver instance!",TPSStatus.STATUS_ERROR_MISCONFIGURATION);
}
String config = opPrefix +
@@ -2398,6 +2466,154 @@ public class TPSProcessor {
}
+ protected void checkAndHandlePinReset(SecureChannel channel) throws TPSException, IOException {
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset entering...");
+
+ if (channel == null) {
+ throw new TPSException("TPSProcessor.checkAndHandlePinReset: invalid input data!",
+ TPSStatus.STATUS_ERROR_TOKEN_RESET_PIN_FAILED);
+ }
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String pinResetEnableConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_PIN_RESET_ENABLE;
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset config to check: " + pinResetEnableConfig);
+
+ String minLenConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_PIN_RESET_MIN_LEN;
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset config to check: " + minLenConfig);
+
+ String maxLenConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_PIN_RESET_MAX_LEN;
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset config to check: " + maxLenConfig);
+
+ String maxRetriesConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_PIN_RESET_MAX_RETRIES;
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset config to check: " + maxRetriesConfig);
+
+ String pinStringConfig = TPSEngine.CFG_PIN_RESET_STRING;
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset config to check: " + pinStringConfig);
+
+ boolean enabled = false;
+ int minLen;
+ int maxLen;
+ int maxRetries;
+ String stringName;
+
+ try {
+
+ enabled = configStore.getBoolean(pinResetEnableConfig, true);
+
+ if (enabled == false) {
+ CMS.debug("TPSProcessor.checkAndHandlePinReset: Pin Reset not allowed by configuration, exiting...");
+ return;
+
+ }
+
+ minLen = configStore.getInteger(minLenConfig, 4);
+ maxLen = configStore.getInteger(maxLenConfig, 10);
+ maxRetries = configStore.getInteger(maxRetriesConfig, 0x7f);
+ stringName = configStore.getString(pinStringConfig, "password");
+
+ CMS.debug("TPSProcessor.checkAndHandlePinReset: config vals: enabled: " + enabled + " minLen: "
+ + minLen + " maxLen: " + maxLen);
+
+ } catch (EBaseException e) {
+ throw new TPSException(
+ "TPSProcessor.checkAndHandlePinReset: internal error in getting value from config.");
+ }
+
+ String new_pin = requestNewPin(minLen, maxLen);
+
+ channel.createPin(0x0, maxRetries, stringName);
+
+ channel.resetPin(0x0, new_pin);
+
+ }
+
+ protected void checkAndAuthenticateUser(AppletInfo appletInfo, String tokenType) throws TPSException {
+ IAuthCredentials userCred;
+ IAuthToken authToken;
+ TokenRecord tokenRecord = getTokenRecord();
+ String method = "checkAndAuthenticateUser";
+
+ String opPrefix = null;
+
+ if(TPSEngine.ENROLL_OP.equals( currentTokenOperation)) {
+ opPrefix = TPSEngine.OP_ENROLL_PREFIX;
+ } else if (TPSEngine.FORMAT_OP.equals(currentTokenOperation)) {
+ opPrefix = TPSEngine.OP_FORMAT_PREFIX;
+ } else {
+ opPrefix = TPSEngine.OP_PIN_RESET_PREFIX;
+ }
+
+
+ if (!isExternalReg) {
+ // authenticate per profile/tokenType configuration
+ String configName = opPrefix + "." + tokenType + ".auth.enable";
+ IConfigStore configStore = CMS.getConfigStore();
+
+ TPSSubsystem tps =
+ (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ //TPSSession session = getSession();
+ boolean isAuthRequired;
+ try {
+ CMS.debug("TPSProcessor.checkAndAuthenticateUser: getting config: " + configName);
+ isAuthRequired = configStore.getBoolean(configName, true);
+ } catch (EBaseException e) {
+ CMS.debug("TPSProcessor.checkAndAuthenticateUser: Internal Error obtaining mandatory config values. Error: "
+ + e);
+ throw new TPSException("TPS error getting config values from config store.",
+ TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+ }
+
+
+
+ CMS.debug(method + ": opPrefox: " + opPrefix);
+
+ if (isAuthRequired) {
+ try {
+ TPSAuthenticator userAuth =
+ getAuthentication(opPrefix, tokenType);
+ userCred = requestUserId(TPSEngine.ENROLL_OP, appletInfo.getCUIDhexString(), userAuth,
+ beginMsg.getExtensions());
+ userid = (String) userCred.get(userAuth.getAuthCredName());
+ CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: userCred (attempted) userid=" + userid);
+ // initialize userid first for logging purposes in case authentication fails
+ tokenRecord.setUserID(userid);
+ authToken = authenticateUser(TPSEngine.ENROLL_OP, userAuth, userCred);
+ userid = authToken.getInString("userid");
+ tokenRecord.setUserID(userid);
+ CMS.debug("TPSProcessor.checkAndAuthenticateUser: auth passed: userid: "
+ + authToken.get("userid"));
+
+ } catch (Exception e) {
+ // all exceptions are considered login failure
+ CMS.debug("TPSProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
+ String msg = "TPS error user authentication failed:" + e;
+ tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
+ "failure");
+
+ throw new TPSException(msg,
+ TPSStatus.STATUS_ERROR_LOGIN);
+ }
+ } else {
+ throw new TPSException(
+ "TPSProcessor.checkAndAuthenticateUser: TPS enrollment must have authentication enabled.",
+ TPSStatus.STATUS_ERROR_LOGIN);
+
+ }
+
+ }
+ }
+
public static void main(String[] args) {
}
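Review bot: checkAndAuthenticateUser now selects opPrefix from currentTokenOperation but still passes TPSEngine.ENROLL_OP to requestUserId and authenticateUser and records the failure audit under ActivityDatabase.OP_ENROLLMENT, so the pin reset this commit wires in is authenticated and audited as an enrollment; pass `currentTokenOperation` in both calls and the activity constant matching the operation in the tdbActivity call (the ActivityDatabase constants for format and pin reset are not visible in this hunk). The exception thrown when auth is disabled still says "TPS enrollment must have authentication enabled", and the debug line after requestUserId still carries the TPSEnrollProcessor prefix; both should name the current operation or the new class. `CMS.debug(method + ": opPrefox: " + opPrefix);` has a typo, `opPrefix`. The catch-all `catch (Exception e)` folds the cause into the message string only, so the stack of the underlying authentication failure is lost; attach `e` as the cause if TPSException supports it.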