authorJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-06-03 14:28:47 -0700
committerJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-06-06 14:10:48 -0700
commit9e7961aa0904361bb9c88bfabcb99273d55b5739 (patch)
tree6a943e9a1e5f5675a122b6e8312afa923535ceef /base
parente1809a3c6df50ed2e8a35ab7108a3a057e4fcaff (diff)
Initial enrollment progress.
1. Changed the names of some message classes. 2. Did some minor refactoring of methods needed by both the enroll and tps processor. 3. Created classes to handle the parsing and archival of PKCS#11 token data. 4. Created prep code for enrollment that reads in a bunch of config params and creates convenience objects to carry the data instead of lengthy parameter lists we have had before. 5. Code to generate key on token, tested tpsclient so far. 6. Additional review changes, and merging. Review changes.
Diffstat (limited to 'base')
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java11
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java11
-rw-r--r--base/common/src/org/dogtagpki/tps/main/TPSBuffer.java61
-rw-r--r--base/common/src/org/dogtagpki/tps/main/TPSException.java2
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/ASQRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/ASQRequest.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/ASQResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/ASQResponse.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/BeginOpMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/BeginOp.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/EndOpMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/EndOp.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequest.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponse.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/LoginRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/LoginRequest.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/LoginResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/LoginResponse.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/NewPinRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/NewPinRequest.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/NewPinResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/NewPinResponse.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/SecureIdRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/SecureIdRequest.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/SecureIdResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/SecureIdResponse.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequest.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponse.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/TPSMessage.java12
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/TokenPDURequestMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/TokenPDUResponseMsg.java (renamed from base/common/src/org/dogtagpki/tps/msg/TokenPDUResponse.java)8
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/TPSSession.java22
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java130
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java74
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/main/AttributeSpec.java71
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/main/ObjectSpec.java456
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/main/PKCS11Obj.java594
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/AppletInfo.java77
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/CertEnrollInfo.java162
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java113
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java642
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java546
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/profile/MappingTokenProfileResolver.java3
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/profile/TokenProfileParams.java5
34 files changed, 2838 insertions, 232 deletions
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java
index f11f132be..44b942f23 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java
@@ -46,10 +46,15 @@ public class GenerateKeyAPDU extends APDU {
data.add((byte) wrapped_challenge.size());
data.add(wrapped_challenge);
- data.add((byte) key_check.size());
+ if (key_check != null) {
+ data.add((byte) key_check.size());
- if (key_check.size() > 0) {
- data.add(key_check);
+ if (key_check.size() > 0) {
+ data.add(key_check);
+ }
+
+ } else {
+ data.add((byte) 0);
}
}
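Review bot: The new null branch fixes the NPE, but the length byte on the non-null path, `data.add((byte) key_check.size());`, still wraps silently for any key_check longer than 255 bytes, so an oversized value would be encoded with a wrong length rather than rejected; the same applies to the identical change in GenerateKeyECCAPDU (the `data1.add((byte) key_check.size());` hunk). Since the key check is a fixed-size value this is unlikely in practice, but it deserves a comment such as `// single-byte length field: key_check must be at most 0xff bytes` or an explicit bound check before the cast. The inner `if (key_check.size() > 0)` is presumably there because adding an empty buffer is not a no-op — worth a one-line comment either way. The enclosing method starts before this hunk.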
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java
index 6743822ad..8d4a758ea 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java
@@ -49,10 +49,15 @@ public class GenerateKeyECCAPDU extends APDU {
data1.add(wrapped_challenge);
- data1.add((byte) key_check.size());
+ if (key_check != null) {
+ data1.add((byte) key_check.size());
- if (key_check.size() > 0) {
- data1.add(key_check);
+ if (key_check.size() > 0) {
+ data1.add(key_check);
+ }
+
+ } else {
+ data1.add((byte) 0);
}
setData(data1);
diff --git a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
index ef40a3a36..d522c2ab4 100644
--- a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
+++ b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
@@ -220,6 +220,15 @@ public class TPSBuffer {
}
/**
+ * Get the SubString from start to the end
+ * @param start
+ * @return
+ */
+ public TPSBuffer substr(int start) {
+ return substr(start,buf.length -2);
+ }
+
+ /**
* dump()s this Buffer to stdout.
*/
public void dump() {
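Review bot: `substr(start, buf.length - 2)` does not do what the Javadoc says ("from start to the end"): whether the two-argument substr takes an end index or a length (not visible here), `buf.length - 2` stops short of the last byte or two, and for a length interpretation it also overruns once start is greater than 2. If dropping the trailing two bytes is intended, say so in the Javadoc and name what they are; otherwise express the bound in terms of the buffer's logical size, which the rest of this class reads via `size()` rather than `buf.length`. The `@param start` and `@return` tags are empty and should describe the argument and the returned copy, e.g. `@param start index of the first byte to copy` and `@return a new TPSBuffer holding the copied bytes`.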
@@ -254,6 +263,58 @@ public class TPSBuffer {
return result.toString();
}
+ public int getIntFrom1Byte(int offset) {
+
+ if (offset < 0 || offset >= (this.size())) {
+ return 0;
+ }
+
+ int result = (this.at(offset) & 0xff);
+
+ return result;
+ }
+
+ public int getIntFrom2Bytes(int offset) {
+
+ if (offset < 0 || offset >= (this.size() - 1)) {
+ return 0;
+ }
+
+ int i1 = (this.at(offset) & 0xff) << 8;
+ int i2 = this.at(offset + 1) & 0xff;
+
+ return i1 + i2;
+ }
+
+ public void addLong4Bytes(long value) {
+
+ this.add((byte) ((value >> 24) & 0xff));
+
+ this.add((byte) ((value >> 16) & 0xff));
+ this.add((byte) ((value >> 8) & 0xff));
+ this.add((byte) (value & 0xff));
+ }
+
+ public void addInt2Bytes(int value) {
+ this.add((byte) ((value >> 8) & 0xff));
+ this.add((byte) (value & 0xff));
+ }
+
+ public long getLongFrom4Bytes(int offset) {
+
+ if (offset < 0 || offset >= (this.size() - 3)) {
+ return 0;
+ }
+
+ long l1 = (long) (this.at(offset + 0) & 0xff) << 24;
+
+ long l2 = (long) (this.at(offset + 1) & 0xff) << 16;
+ long l3 = (long) (this.at(offset + 2) & 0xff) << 8;
+ long l4 = this.at(offset + 3) & 0xff;
+
+ return l1 + l2 + l3 + l4;
+ }
+
public static void main(String[] args) {
byte[] first = { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a };
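Review bot: The three readers (`getIntFrom1Byte`, `getIntFrom2Bytes`, `getLongFrom4Bytes`) return 0 when the offset is out of range, which is indistinguishable from a genuine zero field; a truncated or short token response is thus silently decoded as a zero length or size (SecureChannel.startEnrollment, for example, reports `data.getIntFrom2Bytes(0)` as the key size). Prefer failing loudly, e.g. in getIntFrom2Bytes replace the `return 0;` with `throw new IndexOutOfBoundsException("TPSBuffer.getIntFrom2Bytes: offset " + offset + " out of range for size " + size());`, and do the same in the other two; if the zero sentinel is deliberate, document it in a Javadoc `@return` on each method. `addLong4Bytes` also silently discards the upper 32 bits of its argument, which the Javadoc should state. None of the five new public methods carries a Javadoc comment.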
diff --git a/base/common/src/org/dogtagpki/tps/main/TPSException.java b/base/common/src/org/dogtagpki/tps/main/TPSException.java
index ee3ef5793..0d89aae5b 100644
--- a/base/common/src/org/dogtagpki/tps/main/TPSException.java
+++ b/base/common/src/org/dogtagpki/tps/main/TPSException.java
@@ -17,7 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.tps.main;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
import com.netscape.certsrv.base.EBaseException;
diff --git a/base/common/src/org/dogtagpki/tps/msg/ASQRequest.java b/base/common/src/org/dogtagpki/tps/msg/ASQRequestMsg.java
index 2c9be5d86..f6d3aed92 100644
--- a/base/common/src/org/dogtagpki/tps/msg/ASQRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/ASQRequestMsg.java
@@ -18,8 +18,8 @@
package org.dogtagpki.tps.msg;
-public class ASQRequest extends TPSMessage {
- public ASQRequest(String question) {
+public class ASQRequestMsg extends TPSMessage {
+ public ASQRequestMsg(String question) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_ASQ_REQUEST));
put(QUESTION_NAME,question);
diff --git a/base/common/src/org/dogtagpki/tps/msg/ASQResponse.java b/base/common/src/org/dogtagpki/tps/msg/ASQResponseMsg.java
index bbc7d1bf2..1f093ab17 100644
--- a/base/common/src/org/dogtagpki/tps/msg/ASQResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/ASQResponseMsg.java
@@ -18,9 +18,9 @@
package org.dogtagpki.tps.msg;
-public class ASQResponse extends TPSMessage {
+public class ASQResponseMsg extends TPSMessage {
- public ASQResponse(String answer) {
+ public ASQResponseMsg(String answer) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_ASQ_RESPONSE));
put(QUESTION_NAME,answer);
diff --git a/base/common/src/org/dogtagpki/tps/msg/BeginOp.java b/base/common/src/org/dogtagpki/tps/msg/BeginOpMsg.java
index de12660f2..250e5c038 100644
--- a/base/common/src/org/dogtagpki/tps/msg/BeginOp.java
+++ b/base/common/src/org/dogtagpki/tps/msg/BeginOpMsg.java
@@ -21,11 +21,11 @@ import java.util.Map;
import com.netscape.certsrv.apps.CMS;
-public class BeginOp extends TPSMessage {
+public class BeginOpMsg extends TPSMessage {
private Map<String, String> extensions;
- public BeginOp(OpType theOp, Map<String, String> theExtensions) {
+ public BeginOpMsg(OpType theOp, Map<String, String> theExtensions) {
CMS.debug("BeingOp op: " + theOp + " extensions: " + theExtensions);
put(OPERATION_TYPE_NAME, opTypeToInt(theOp));
diff --git a/base/common/src/org/dogtagpki/tps/msg/EndOp.java b/base/common/src/org/dogtagpki/tps/msg/EndOpMsg.java
index fbb2f93c6..251898591 100644
--- a/base/common/src/org/dogtagpki/tps/msg/EndOp.java
+++ b/base/common/src/org/dogtagpki/tps/msg/EndOpMsg.java
@@ -19,7 +19,7 @@ package org.dogtagpki.tps.msg;
-public class EndOp extends TPSMessage {
+public class EndOpMsg extends TPSMessage {
public enum TPSStatus {
STATUS_NO_ERROR,
@@ -75,7 +75,7 @@ public class EndOp extends TPSMessage {
public static final int RESULT_ERROR = 1;
- public EndOp(OpType theOp, int result, TPSStatus message) {
+ public EndOpMsg(OpType theOp, int result, TPSStatus message) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_END_OP));
put(OPERATION_TYPE_NAME, opTypeToInt(theOp));
put(RESULT_NAME, result);
@@ -235,7 +235,7 @@ public class EndOp extends TPSMessage {
public static void main(String[] args) {
- EndOp end_msg = new EndOp(OpType.OP_FORMAT,0,TPSStatus.STATUS_NO_ERROR);
+ EndOpMsg end_msg = new EndOpMsg(OpType.OP_FORMAT,0,TPSStatus.STATUS_NO_ERROR);
System.out.println(end_msg.encode());
diff --git a/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequest.java b/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequestMsg.java
index 77081654b..e59f80fff 100644
--- a/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginRequestMsg.java
@@ -24,11 +24,11 @@ import java.util.Set;
import org.dogtagpki.tps.main.Util;
-public class ExtendedLoginRequest extends TPSMessage {
+public class ExtendedLoginRequestMsg extends TPSMessage {
private Set<String> params;
- public ExtendedLoginRequest(int invalid_pw, int blocked, Set<String> params, String title, String description) {
+ public ExtendedLoginRequestMsg(int invalid_pw, int blocked, Set<String> params, String title, String description) {
put(INVALID_PWD_NAME, invalid_pw);
put(BLOCKED_NAME, blocked);
@@ -82,7 +82,7 @@ public class ExtendedLoginRequest extends TPSMessage {
params.add("id=UID&name=LDAP User ID&desc=LDAP User ID&type=string&option=");
params.add("id=PASSWORD&name=LDAP Password&desc=LDAP Password&type=password&option=");
- ExtendedLoginRequest ext_login_req = new ExtendedLoginRequest(0, 0, params, title, description);
+ ExtendedLoginRequestMsg ext_login_req = new ExtendedLoginRequestMsg(0, 0, params, title, description);
System.out.println(ext_login_req.encode());
diff --git a/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponse.java b/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponseMsg.java
index 29e9b72af..173a775f4 100644
--- a/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/ExtendedLoginResponseMsg.java
@@ -20,11 +20,11 @@ package org.dogtagpki.tps.msg;
import java.util.HashMap;
import java.util.Map;
-public class ExtendedLoginResponse extends TPSMessage {
+public class ExtendedLoginResponseMsg extends TPSMessage {
private Map<String, String> authParams;
- public ExtendedLoginResponse(String msg) {
+ public ExtendedLoginResponseMsg(String msg) {
super(msg);
@@ -32,7 +32,7 @@ public class ExtendedLoginResponse extends TPSMessage {
//ToDo process the actual params
}
- public ExtendedLoginResponse(OpType theOp, String uid, String password, Map<String, String> theExtensions) {
+ public ExtendedLoginResponseMsg(OpType theOp, String uid, String password, Map<String, String> theExtensions) {
put(OPERATION_TYPE_NAME, opTypeToInt(theOp));
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_EXTENDED_LOGIN_RESPONSE));
diff --git a/base/common/src/org/dogtagpki/tps/msg/LoginRequest.java b/base/common/src/org/dogtagpki/tps/msg/LoginRequestMsg.java
index 857aaacef..922927fc2 100644
--- a/base/common/src/org/dogtagpki/tps/msg/LoginRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/LoginRequestMsg.java
@@ -18,9 +18,9 @@
package org.dogtagpki.tps.msg;
-public class LoginRequest extends TPSMessage {
+public class LoginRequestMsg extends TPSMessage {
- public LoginRequest(int invalid_pwd, int blocked) {
+ public LoginRequestMsg(int invalid_pwd, int blocked) {
put(INVALID_PWD_NAME, invalid_pwd);
put(BLOCKED_NAME,blocked);
diff --git a/base/common/src/org/dogtagpki/tps/msg/LoginResponse.java b/base/common/src/org/dogtagpki/tps/msg/LoginResponseMsg.java
index afde6849b..71096d261 100644
--- a/base/common/src/org/dogtagpki/tps/msg/LoginResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/LoginResponseMsg.java
@@ -18,9 +18,9 @@
package org.dogtagpki.tps.msg;
-public class LoginResponse extends TPSMessage {
+public class LoginResponseMsg extends TPSMessage {
- public LoginResponse(String uid, String password ) {
+ public LoginResponseMsg(String uid, String password ) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_LOGIN_RESPONSE));
put(SCREEN_NAME_NAME,uid);
put(PASSWORD_NAME, password);
diff --git a/base/common/src/org/dogtagpki/tps/msg/NewPinRequest.java b/base/common/src/org/dogtagpki/tps/msg/NewPinRequestMsg.java
index da4e098c2..5deac3642 100644
--- a/base/common/src/org/dogtagpki/tps/msg/NewPinRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/NewPinRequestMsg.java
@@ -18,8 +18,8 @@
package org.dogtagpki.tps.msg;
-public class NewPinRequest extends TPSMessage {
- public NewPinRequest(int min_len, int max_len) {
+public class NewPinRequestMsg extends TPSMessage {
+ public NewPinRequestMsg(int min_len, int max_len) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_NEW_PIN_REQUEST));
diff --git a/base/common/src/org/dogtagpki/tps/msg/NewPinResponse.java b/base/common/src/org/dogtagpki/tps/msg/NewPinResponseMsg.java
index eedb9e336..1607a4e1d 100644
--- a/base/common/src/org/dogtagpki/tps/msg/NewPinResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/NewPinResponseMsg.java
@@ -18,8 +18,8 @@
package org.dogtagpki.tps.msg;
-public class NewPinResponse extends TPSMessage {
- public NewPinResponse(String new_pin) {
+public class NewPinResponseMsg extends TPSMessage {
+ public NewPinResponseMsg(String new_pin) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_NEW_PIN_RESPONSE));
put(NEW_PIN_NAME,new_pin);
}
diff --git a/base/common/src/org/dogtagpki/tps/msg/SecureIdRequest.java b/base/common/src/org/dogtagpki/tps/msg/SecureIdRequestMsg.java
index 12e637e70..c03b3d733 100644
--- a/base/common/src/org/dogtagpki/tps/msg/SecureIdRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/SecureIdRequestMsg.java
@@ -18,8 +18,8 @@
package org.dogtagpki.tps.msg;
-public class SecureIdRequest extends TPSMessage {
- public SecureIdRequest(int pin_required, int next_value) {
+public class SecureIdRequestMsg extends TPSMessage {
+ public SecureIdRequestMsg(int pin_required, int next_value) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_SECUREID_REQUEST));
put(PIN_REQUIRED_NAME,pin_required);
diff --git a/base/common/src/org/dogtagpki/tps/msg/SecureIdResponse.java b/base/common/src/org/dogtagpki/tps/msg/SecureIdResponseMsg.java
index 47f245c86..507a46f67 100644
--- a/base/common/src/org/dogtagpki/tps/msg/SecureIdResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/SecureIdResponseMsg.java
@@ -17,8 +17,8 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.tps.msg;
-public class SecureIdResponse extends TPSMessage {
- public SecureIdResponse(String value, String pin) {
+public class SecureIdResponseMsg extends TPSMessage {
+ public SecureIdResponseMsg(String value, String pin) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_SECUREID_RESPONSE));
put(VALUE_NAME,value);
diff --git a/base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequest.java b/base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequestMsg.java
index db742c378..12009fd6e 100644
--- a/base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/StatusUpdateRequestMsg.java
@@ -17,8 +17,8 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.tps.msg;
-public class StatusUpdateRequest extends TPSMessage {
- public StatusUpdateRequest(int status, String info) {
+public class StatusUpdateRequestMsg extends TPSMessage {
+ public StatusUpdateRequestMsg(int status, String info) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_STATUS_UPDATE_REQUEST));
put(STATUS_NAME, status);
@@ -28,7 +28,7 @@ public class StatusUpdateRequest extends TPSMessage {
public static void main(String[] args) {
- StatusUpdateRequest req = new StatusUpdateRequest(10, "PROGRESS_APPLET_BLOCK");
+ StatusUpdateRequestMsg req = new StatusUpdateRequestMsg(10, "PROGRESS_APPLET_BLOCK");
System.out.println(req.encode());
}
diff --git a/base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponse.java b/base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponseMsg.java
index 1de95b820..7dc0727f6 100644
--- a/base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/StatusUpdateResponseMsg.java
@@ -18,9 +18,9 @@
package org.dogtagpki.tps.msg;
-public class StatusUpdateResponse extends TPSMessage {
+public class StatusUpdateResponseMsg extends TPSMessage {
- public StatusUpdateResponse(int status) {
+ public StatusUpdateResponseMsg(int status) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_STATUS_UPDATE_RESPONSE));
put(STATUS_NAME,status);
}
diff --git a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
index 39af93c7d..16fec1dd8 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
@@ -441,7 +441,7 @@ public class TPSMessage {
switch (val) {
case MSG_BEGIN_OP:
- result = new BeginOp(op_val, extsMap);
+ result = new BeginOpMsg(op_val, extsMap);
break;
case MSG_ASQ_REQUEST:
@@ -454,7 +454,7 @@ public class TPSMessage {
break;
case MSG_EXTENDED_LOGIN_RESPONSE:
result =
- new ExtendedLoginResponse(op_val,
+ new ExtendedLoginResponseMsg(op_val,
get(SCREEN_NAME_NAME),
get(PASSWORD_NAME),
extsMap);
@@ -463,7 +463,7 @@ public class TPSMessage {
break;
case MSG_LOGIN_RESPONSE:
result =
- new LoginResponse(get(SCREEN_NAME_NAME),
+ new LoginResponseMsg(get(SCREEN_NAME_NAME),
get(PASSWORD_NAME));
break;
case MSG_NEW_PIN_REQUEST:
@@ -482,12 +482,12 @@ public class TPSMessage {
CMS.debug("statusValue: " + statusValue);
int statusInt = Integer.parseInt(statusValue);
CMS.debug("statusInt: " + statusInt);
- result = new StatusUpdateResponse(statusInt);
+ result = new StatusUpdateResponseMsg(statusInt);
break;
case MSG_TOKEN_PDU_REQUEST:
break;
case MSG_TOKEN_PDU_RESPONSE:
- result = new TokenPDUResponse(encode());
+ result = new TokenPDUResponseMsg(encode());
break;
default:
//Something was garbled with the message coming in
@@ -519,7 +519,7 @@ public class TPSMessage {
public static void main(String[] args) throws IOException {
String encoded = "s=204&msg_type=2&operation=5&extensions=tokenType%3DuserKey%26clientVersion%3DESC+1%2E0%2E1%26tokenATR%3D3BFF1400FF8131FE458025A00000005657534336353003003B%26statusUpdate%3Dtrue%26extendedLoginRequest%3Dtrue%26";
- BeginOp testMessage = (BeginOp) TPSMessage.createMessage(encoded);
+ BeginOpMsg testMessage = (BeginOpMsg) TPSMessage.createMessage(encoded);
System.out.println("Encoded msg: " + testMessage.encode());
System.out.println("msg Extensions: " + testMessage.getExtensions());
diff --git a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequestMsg.java
index e27f98416..42fcf257c 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequestMsg.java
@@ -22,9 +22,9 @@ import org.dogtagpki.tps.apdu.SelectAPDU;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.Util;
-public class TokenPDURequest extends TPSMessage {
+public class TokenPDURequestMsg extends TPSMessage {
- public TokenPDURequest(APDU apdu) {
+ public TokenPDURequestMsg(APDU apdu) {
put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_TOKEN_PDU_REQUEST));
@@ -52,7 +52,7 @@ public class TokenPDURequest extends TPSMessage {
apdu = new SelectAPDU((byte) 0x4, (byte) 0x0, select);
- TokenPDURequest request = new TokenPDURequest(apdu);
+ TokenPDURequestMsg request = new TokenPDURequestMsg(apdu);
System.out.println(request.encode());
diff --git a/base/common/src/org/dogtagpki/tps/msg/TokenPDUResponse.java b/base/common/src/org/dogtagpki/tps/msg/TokenPDUResponseMsg.java
index b654e80cc..60e079bf9 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TokenPDUResponse.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TokenPDUResponseMsg.java
@@ -21,11 +21,11 @@ import org.dogtagpki.tps.apdu.APDUResponse;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.Util;
-public class TokenPDUResponse extends TPSMessage {
+public class TokenPDUResponseMsg extends TPSMessage {
private APDUResponse response;
- public TokenPDUResponse(String message) {
+ public TokenPDUResponseMsg(String message) {
super(message);
response = null;
@@ -54,12 +54,12 @@ public class TokenPDUResponse extends TPSMessage {
public static void main(String[] args) {
String pdu_data = "s=46&msg_type=10&pdu_size=6&pdu_data=R%B3F%85%90%00";
- TokenPDUResponse msg = new TokenPDUResponse(pdu_data);
+ TokenPDUResponseMsg msg = new TokenPDUResponseMsg(pdu_data);
System.out.println(msg.encode());
String pdu_data1 = "s=38&msg_type=10&pdu_size=2&pdu_data=%90%00";
- TokenPDUResponse msg1 = new TokenPDUResponse(pdu_data1);
+ TokenPDUResponseMsg msg1 = new TokenPDUResponseMsg(pdu_data1);
System.out.println(msg1.encode());
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSSession.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSSession.java
index 31b6c41c5..aefdb815b 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSSession.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSSession.java
@@ -19,11 +19,12 @@ package org.dogtagpki.server.tps;
import java.io.IOException;
+import org.dogtagpki.server.tps.processor.TPSEnrollProcessor;
import org.dogtagpki.server.tps.processor.TPSProcessor;
import org.dogtagpki.tps.TPSConnection;
import org.dogtagpki.tps.main.TPSException;
-import org.dogtagpki.tps.msg.BeginOp;
-import org.dogtagpki.tps.msg.EndOp;
+import org.dogtagpki.tps.msg.BeginOpMsg;
+import org.dogtagpki.tps.msg.EndOpMsg;
import org.dogtagpki.tps.msg.TPSMessage;
import com.netscape.certsrv.apps.CMS;
@@ -77,7 +78,7 @@ public class TPSSession {
}
public void process() throws IOException {
- EndOp.TPSStatus status = EndOp.TPSStatus.STATUS_NO_ERROR;
+ EndOpMsg.TPSStatus status = EndOpMsg.TPSStatus.STATUS_NO_ERROR;
CMS.debug("In TPSSession.process()");
TPSMessage firstMsg = read();
@@ -89,17 +90,24 @@ public class TPSSession {
throw new IOException("Wrong first message type read in TPSSession.process!");
}
- int result = EndOp.RESULT_GOOD;
+ int result = EndOpMsg.RESULT_ERROR;
+ BeginOpMsg beginOp = (BeginOpMsg) firstMsg;
try {
switch (op_type) {
case OP_FORMAT:
+ //Assume success, processor will indicate otherwise
+ result = EndOpMsg.RESULT_GOOD;
TPSProcessor processor = new TPSProcessor(this);
- BeginOp beginOp = (BeginOp) firstMsg;
processor.process(beginOp);
+ break;
case OP_ENROLL:
+ //Assume success, processor will indicate otherwise
+ result = EndOpMsg.RESULT_GOOD;
+ TPSEnrollProcessor enrollProcessor = new TPSEnrollProcessor(this);
+ enrollProcessor.process(beginOp);
break;
case OP_RENEW:
break;
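Review bot: With `result` now initialised to `EndOpMsg.RESULT_ERROR` and only the OP_FORMAT and OP_ENROLL branches resetting it, the OP_RENEW branch (and any case following it outside this hunk) ends the session with an error result while `status` is still `STATUS_NO_ERROR`, so the client gets contradictory result/status fields. Either set a failure status alongside the error result in those branches or add a comment at the `int result = EndOpMsg.RESULT_ERROR;` line stating that unsupported operations intentionally report error with no specific status. The cast `BeginOpMsg beginOp = (BeginOpMsg) firstMsg;` is protected by the message-type check just above, which is worth saying in a short comment since the check and the cast are now several lines apart. The enclosing process() method continues beyond this hunk.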
@@ -117,7 +125,7 @@ public class TPSSession {
//Get the status from the exception and return it to the client.
CMS.debug("TPSSession.process: Message processing failed: " + e);
status = e.getStatus();
- result = EndOp.RESULT_ERROR;
+ result = EndOpMsg.RESULT_ERROR;
} catch (IOException e) {
CMS.debug("TPSSession.process: IO error happened during processing: " + e);
// We get here we are done.
@@ -125,7 +133,7 @@ public class TPSSession {
}
- EndOp endOp = new EndOp(firstMsg.getOpType(), result, status);
+ EndOpMsg endOp = new EndOpMsg(firstMsg.getOpType(), result, status);
write(endOp);
CMS.debug("TPSSession.process: leaving: result: " + result + " status: " + status);
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index 22ee96825..67ab08bcf 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -25,14 +25,17 @@ import org.dogtagpki.tps.apdu.APDUResponse;
import org.dogtagpki.tps.apdu.DeleteFileAPDU;
import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU;
import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel;
+import org.dogtagpki.tps.apdu.GenerateKeyAPDU;
+import org.dogtagpki.tps.apdu.GenerateKeyECCAPDU;
import org.dogtagpki.tps.apdu.InstallAppletAPDU;
import org.dogtagpki.tps.apdu.InstallLoadAPDU;
import org.dogtagpki.tps.apdu.LoadFileAPDU;
+import org.dogtagpki.tps.apdu.ReadObjectAPDU;
import org.dogtagpki.tps.apdu.SetIssuerInfoAPDU;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.TPSException;
import org.dogtagpki.tps.main.Util;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
import org.mozilla.jss.pkcs11.PK11SymKey;
import com.netscape.certsrv.apps.CMS;
@@ -54,14 +57,17 @@ public class SecureChannel {
private TPSBuffer hostChallenge;
private TPSBuffer hostCryptogram;
private TPSBuffer icv;
+ private TPSBuffer keyInfoData;
private SecurityLevel secLevel;
public SecureChannel(TPSProcessor processor, PK11SymKey sessionKey, PK11SymKey encSessionKey, TPSBuffer drmDesKey,
TPSBuffer kekDesKey, TPSBuffer keyCheck, TPSBuffer keyDiversificationData, TPSBuffer cardChallenge,
- TPSBuffer cardCryptogram, TPSBuffer hostChallenge, TPSBuffer hostCryptogram) throws TPSException {
+ TPSBuffer cardCryptogram, TPSBuffer hostChallenge, TPSBuffer hostCryptogram, TPSBuffer keyInfoData)
+ throws TPSException {
if (processor == null || sessionKey == null | encSessionKey == null || keyDiversificationData == null
- || cardChallenge == null || cardCryptogram == null || hostChallenge == null || hostCryptogram == null) {
+ || cardChallenge == null || cardCryptogram == null || hostChallenge == null || hostCryptogram == null
+ || keyInfoData == null) {
throw new TPSException("SecureChannel.SecureChannel: Invalid data in constructor!",
TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
}
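Review bot: The enlarged null guard keeps the pre-existing single `|` between `sessionKey == null` and `encSessionKey == null` on the line above the changed one; on booleans it yields the same result as `||` (both operands are side-effect free), so the guard is correct, but it reads as a typo next to the `||` used everywhere else and should be normalised while this condition is being edited. The new `keyInfoData` parameter is added to the check but not described anywhere; the constructor's Javadoc (or a `@param keyInfoData` tag) should say what the buffer carries. The constructor continues outside this hunk.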
@@ -78,6 +84,7 @@ public class SecureChannel {
this.hostChallenge = hostChallenge;
this.hostCryptogram = hostCryptogram;
this.icv = new TPSBuffer(8);
+ this.keyInfoData = keyInfoData;
this.secLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
//ToDo: Write method that reads this from the config
@@ -394,4 +401,121 @@ public class SecureChannel {
return cardCryptogram;
}
+ public TPSBuffer getKeyInfoData() {
+ return keyInfoData;
+ }
+
+ public TPSBuffer readObject(TPSBuffer objectID, int offset, int len) throws TPSException, IOException {
+
+ CMS.debug("SecureChannel.readObject: entering ...");
+
+ if (objectID == null || len == 0) {
+ throw new TPSException("SecureChannel.readObject: invalid input data.",
+ TPSStatus.STATUS_ERROR_READ_OBJECT_PDU);
+ }
+
+ final int MAX_READ_BUFFER_SIZE = 0xd0;
+
+ ReadObjectAPDU read = null;
+ TPSBuffer result = new TPSBuffer();
+
+ int cur_read = 0;
+ int cur_offset = 0;
+ int sum = 0;
+
+ if (len > MAX_READ_BUFFER_SIZE) {
+ cur_offset = offset;
+ cur_read = MAX_READ_BUFFER_SIZE;
+ } else {
+ cur_offset = offset;
+ cur_read = len;
+ }
+
+ while (sum < len) {
+
+ read = new ReadObjectAPDU(objectID.toBytesArray(), cur_offset, cur_read);
+ computeAPDU(read);
+
+ APDUResponse response = processor.handleAPDURequest(read);
+
+ if (!response.checkResult()) {
+ CMS.debug("SecureChannel.readObject: bad apdu return!");
+ throw new TPSException("SecureChannel.installApplett. Failed in middle of readObject.",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ TPSBuffer resp = response.getResultDataNoCode();
+
+ result.add(resp);
+
+ sum += resp.size();
+ cur_offset += resp.size();
+
+ if ((len - sum) < MAX_READ_BUFFER_SIZE) {
+ cur_read = len - sum;
+ } else {
+ cur_read = MAX_READ_BUFFER_SIZE;
+ }
+
+ }
+
+ return result;
+ }
+
+ public int startEnrollment(int pe1, int pe2, TPSBuffer wrappedChallenge, TPSBuffer keyCheck, int algorithm,
+ int keySize, int option) throws TPSException, IOException {
+
+ if (wrappedChallenge == null) {
+ throw new TPSException("SecureChannel.startEnrollment. Bad input data.",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("SecureChannel.startEnrollment: entering ...");
+
+ boolean isECC = processor.getTPSEngine().isAlgorithmECC(algorithm);
+
+ GenerateKeyAPDU generate_key_apdu = null;
+ GenerateKeyECCAPDU generate_ecc_key_apdu = null;
+
+ APDUResponse response = null;
+ if (isECC) {
+
+ generate_ecc_key_apdu = new GenerateKeyECCAPDU((byte) pe1, (byte) pe2, (byte) algorithm, keySize,
+ (byte) option, (byte) 0, wrappedChallenge, keyCheck);
+
+ computeAPDU(generate_ecc_key_apdu);
+
+ response = processor.handleAPDURequest(generate_ecc_key_apdu);
+
+ if (!response.checkResult()) {
+ throw new TPSException("SecureChannel.startEnrollment. Failed generate key on token.",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ } else {
+
+ generate_key_apdu = new GenerateKeyAPDU((byte) pe1, (byte) pe2, (byte) algorithm, keySize,
+ (byte) option, (byte) 0, wrappedChallenge, keyCheck);
+
+ computeAPDU(generate_key_apdu);
+
+ response = processor.handleAPDURequest(generate_key_apdu);
+
+ if (!response.checkResult()) {
+ throw new TPSException("SecureChannel.startEnrollment. Failed generate key on token.",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ }
+
+ TPSBuffer data = response.getData();
+
+ int size = data.getIntFrom2Bytes(0);
+
+ CMS.debug("SecureChannel.startEnrollment: returning key size: " + size);
+
+ return size;
+
+ }
+
}
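Review bot: The `while (sum < len)` loop in readObject never terminates if the token answers with a success status but an empty data field, because `sum` and `cur_offset` only advance by `resp.size()`; a guard after `TPSBuffer resp = response.getResultDataNoCode();` such as `if (resp == null || resp.size() == 0) { throw new TPSException("SecureChannel.readObject: token returned no data.", TPSStatus.STATUS_ERROR_READ_OBJECT_PDU); }` makes a misbehaving token fail the operation instead of hanging the session. The input check also lets negative `len` and `offset` through (`len == 0` is the only rejection), and the failure message inside the loop reads `"SecureChannel.installApplett. Failed in middle of readObject."`, a copy-paste from the applet installer that will mislead whoever reads the log. In startEnrollment, `data.getIntFrom2Bytes(0)` yields 0 for a response shorter than two bytes, so a malformed reply is reported as key size 0 rather than an error; check `data.size()` before decoding. Both methods are new public API without Javadoc.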
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index 71239a4b9..2d6b09e86 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -21,13 +21,22 @@ import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse;
import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.TPSException;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
public class TPSEngine {
+ public enum RA_Algs {
+ ALG_RSA ,
+ ALG_RSA_CRT ,
+ ALG_DSA ,
+ ALG_EC_F2M ,
+ ALG_EC_FP
+};
+
+
public static final String CFG_DEBUG_ENABLE = "logging.debug.enable";
public static final String CFG_DEBUG_FILENAME = "logging.debug.filename";
public static final String CFG_DEBUG_LEVEL = "logging.debug.level";
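Review bot: The new `RA_Algs` enum carries no documentation of which integer key-generation code each constant stands for, even though that mapping is what `intToRAAlgs` and `isAlgorithmECC` later in this file depend on; a Javadoc such as `/** Key-generation algorithm families; codes 1..5 map to these constants in declaration order via intToRAAlgs(). */` above the enum would make the contract visible. Stylistically the declaration has spaces before the commas and a stray `;` after the closing brace (`};`), which compiles but is unconventional.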
@@ -85,6 +94,9 @@ public class TPSEngine {
public static final String CFG_CHANNEL_DEFKEY_INDEX = "channel.defKeyIndex";
public static final String CFG_ISSUER_INFO_ENABLE = "issuerinfo.enable";
public static final String CFG_ISSUER_INFO_VALUE = "issuerinfo.value";
+ public static final String CFG_UPDATE_APPLET_ENCRYPTION = "update.applet.encryption";
+ public static final String CFG_UPDATE_APPLET_ENABLE = "update.applet.enable";
+ public static final String CFG_SYMM_KEY_UPGRADE_ENABLED = "update.symmetricKeys.enable";
/* default values */
public static final String CFG_DEF_CARDMGR_INSTANCE_AID = "A0000000030000";
@@ -99,6 +111,11 @@ public class TPSEngine {
public static final int CFG_CHANNEL_DEF_INSTANCE_SIZE = 18000;
public static final int CFG_CHANNEL_DEF_APPLET_MEMORY_SIZE = 5000;
+ /* token enrollment values */
+ public static final String CFG_KEYGEN_KEYTYPE_NUM = "keyGen.keyType.num";
+ public static final String CFG_KEYGEN_KEYTYPE_VALUE = "keyGen.keyType.value";
+ public static final String CFG_SERVER_KEYGEN_ENABLE = "serverKeygen.enable";
+
/* External reg values */
@@ -109,6 +126,15 @@ public class TPSEngine {
public static final String OP_FORMAT_PREFIX = "op.format";
public static final String CFG_PROFILE_RESOLVER = "tokenProfileResolver";
public static final String CFG_DEF_FORMAT_PROFILE_RESOLVER = "formatMappingResolver";
+ public static final String CFG_DEF_ENROLL_PROFILE_RESOLVER = "enrollMappingResolver";
+ public static final String CFG_DEF_PIN_RESET_PROFILE_RESOLVER = "pinResetMappingResolver";
+ public static final String OP_ENROLL_PREFIX = "op.enroll";
+ public static final String OP_PIN_RESET_PREFIX = "op.pinReset";
+ public static final String ENROLL_OP = "enroll";
+ public static final String FORMAT_OP = "format";
+
+ public static String CFG_OVERWRITE = "overwrite";
+ public static String PIN_RESET_OP = "pin_reset";
public void init() {
//ToDo
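Review bot: `CFG_OVERWRITE` and `PIN_RESET_OP` are declared `public static String` without `final`, unlike every other constant in this block, so any code can reassign them at runtime; this looks like an oversight rather than a design choice. Change them to `public static final String CFG_OVERWRITE = "overwrite";` and `public static final String PIN_RESET_OP = "pin_reset";`.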
@@ -166,4 +192,50 @@ public class TPSEngine {
}
+ public boolean raForceTokenFormat(String cuid) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ public boolean isAlgorithmECC(int algorithm) {
+
+ RA_Algs algEnum = intToRAAlgs(algorithm);
+
+ boolean isECC = false;
+
+ if(algEnum == RA_Algs.ALG_EC_F2M || algEnum == RA_Algs.ALG_EC_FP) {
+ isECC = true;
+ }
+
+ CMS.debug("TPSEngine.isAlgorithmECC: result: " + isECC);
+ return isECC;
+
+ }
+
+ public static RA_Algs intToRAAlgs(int alg) {
+
+ RA_Algs def = RA_Algs.ALG_RSA;
+
+ switch(alg) {
+
+ case 1:
+ return RA_Algs.ALG_RSA;
+
+ case 2:
+ return RA_Algs.ALG_RSA_CRT;
+ case 3:
+ return RA_Algs.ALG_DSA;
+ case 4:
+ return RA_Algs.ALG_EC_F2M;
+ case 5:
+ return RA_Algs.ALG_EC_FP;
+
+ default:
+ return def;
+
+ }
+
+
+ }
+
}
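Review bot: `intToRAAlgs` maps any unrecognised algorithm code to `ALG_RSA` through `def`, so a misconfigured or corrupted key-type value silently selects RSA instead of surfacing the problem; since `isAlgorithmECC` in this hunk decides which key-generation APDU `SecureChannel.startEnrollment` builds, an unknown code should at least be logged, e.g. `default: CMS.debug("TPSEngine.intToRAAlgs: unknown algorithm code " + alg + ", defaulting to ALG_RSA"); return def;`. `raForceTokenFormat` is an auto-generated stub that always returns `false`; if it ships in this form a policy check that callers may rely on never triggers, so it should either be implemented or carry a Javadoc stating explicitly that it is unimplemented. Note also that `isAlgorithmECC` is an instance method while `intToRAAlgs` is static, although neither reads instance state.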
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/main/AttributeSpec.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/AttributeSpec.java
new file mode 100644
index 000000000..444f22c4b
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/AttributeSpec.java
@@ -0,0 +1,71 @@
+package org.dogtagpki.server.tps.main;
+
+import org.dogtagpki.tps.main.TPSBuffer;
+
+public class AttributeSpec {
+
+ public AttributeSpec() {
+ }
+
+ private long id;
+ private byte type;
+ private TPSBuffer data;
+
+ public void setAttributeID(long attribute_id) {
+ id = attribute_id;
+ }
+
+ public long getAttributeID() {
+ return id;
+ }
+
+ public void setType(byte type) {
+ this.type = type;
+ }
+
+ public byte getType() {
+ return type;
+ }
+
+ public void setData(TPSBuffer data) {
+ this.data = data;
+
+ }
+
+ public TPSBuffer getData() {
+ TPSBuffer theData = new TPSBuffer();
+ theData.addLong4Bytes(id);
+ theData.add(type);
+
+ if (type == 0) { /* String */
+ theData.addInt2Bytes(data.size());
+ }
+ theData.add(data);
+ return theData;
+ }
+
+ public TPSBuffer getValue() {
+ return data;
+ }
+
+ public static AttributeSpec parse(TPSBuffer b, int offset) {
+ AttributeSpec o = new AttributeSpec();
+
+ long id = b.getLongFrom4Bytes(offset);
+
+ o.setAttributeID(id);
+
+ o.setType(b.at(offset + 4));
+ // DatatypeString contains two bytes for AttributeLen of AttributeData
+ TPSBuffer theData;
+ if (o.getType() == (byte) 0)
+ theData = b.substr(offset + 5 + 2, b.size() - 5 - 2);
+ else
+ theData = b.substr(offset + 5, b.size() - 5);
+
+ o.setData(theData);
+ return o;
+
+ }
+
+}
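Review bot: `parse` honours `offset` for the start of the attribute data but not for its length: `b.size() - 5 - 2` and `b.size() - 5` are correct only when `offset` is 0, and for any other offset the requested substring overruns the buffer. Change the two lines to `theData = b.substr(offset + 5 + 2, b.size() - offset - 5 - 2);` and `theData = b.substr(offset + 5, b.size() - offset - 5);`. The only caller visible on this page (`ObjectSpec.parse`) passes 0, so the defect is latent today. Separately, `getData()` dereferences `data` in both branches and `setData` accepts null, so a spec built without data throws an NPE; either reject null in `setData` or document that `data` must be set before `getData()` is called.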
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/main/ObjectSpec.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/ObjectSpec.java
new file mode 100644
index 000000000..a8dbdb1bc
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/ObjectSpec.java
@@ -0,0 +1,456 @@
+package org.dogtagpki.server.tps.main;
+
+import java.util.ArrayList;
+
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.dogtagpki.tps.main.TPSException;
+
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
+import com.netscape.certsrv.apps.CMS;
+
+public class ObjectSpec {
+
+ public ObjectSpec()
+ {
+ attributeSpecs = new ArrayList<AttributeSpec>();
+ }
+
+ final static int DATATYPE_STRING = 0;
+ final static int DATATYPE_INTEGER = 1;
+ final static int DATATYPE_BOOL_FALSE = 2;
+ final static int DATATYPE_BOOL_TRUE = 3;
+
+ private long objectID;
+ private long fixedAttributes;
+ private ArrayList<AttributeSpec> attributeSpecs;
+ private int parseRead;
+
+ public int getParseReadSize() {
+ return parseRead;
+ }
+
+ /**
+ * Parse 'c' object.
+ */
+ public static void parseAttributes(String objectID, ObjectSpec objectSpec, TPSBuffer b)
+ {
+ int curpos = 7;
+ long fixedAttrs = 0;
+ int xclass = 0;
+ int id = 0;
+
+ /* skip first 7 bytes */
+
+ while (curpos < ((b.size()))) {
+ long attribute_id = b.getLongFrom4Bytes(curpos);
+ int attribute_size = b.getIntFrom2Bytes(curpos + 4);
+
+ byte type = 0;
+ TPSBuffer data = new TPSBuffer();
+ boolean found = false;
+ /* modify fixed attributes */
+
+ switch ((int) attribute_id) {
+ case (int) PKCS11Constants.CKA_TOKEN:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00000080;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_PRIVATE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00000100;
+ } else {
+ }
+ break;
+ case (int) PKCS11Constants.CKA_MODIFIABLE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00000200;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_DERIVE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00000400;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_LOCAL:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00000800;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_ENCRYPT:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00001000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_DECRYPT:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00002000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_WRAP:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00004000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_UNWRAP:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00008000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_SIGN:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00010000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_SIGN_RECOVER:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00020000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_VERIFY:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00040000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_VERIFY_RECOVER:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00080000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_SENSITIVE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00100000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_ALWAYS_SENSITIVE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00200000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_EXTRACTABLE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00400000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_NEVER_EXTRACTABLE:
+ if (b.at(curpos + 6) != 0) {
+ fixedAttrs |= 0x00800000;
+ }
+ break;
+ case (int) PKCS11Constants.CKA_SUBJECT:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_LABEL:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ found = true;
+ break;
+ case (int) PKCS11Constants.CKA_MODULUS:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_ID:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_KEY_TYPE:
+ type = DATATYPE_INTEGER;
+ data = b.substr(curpos + 6, 4);
+ found = true;
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_CLASS:
+ type = DATATYPE_INTEGER;
+ data = b.substr(curpos + 6, 4);
+ xclass = data.at(0);
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_PUBLIC_EXPONENT:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ /* build by PKCS11 */
+ break;
+ case (int) PKCS11Constants.CKA_CERTIFICATE_TYPE:
+ type = DATATYPE_INTEGER;
+ data = b.substr(curpos + 6, 4);
+ /* build by PKCS11 */
+ break;
+
+ case (int) PKCS11Constants.CKA_EC_PARAMS:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ found = true;
+ break;
+
+ case (int) PKCS11Constants.CKA_EC_POINT:
+ type = DATATYPE_STRING;
+ data = b.substr(curpos + 6, attribute_size);
+ found = true;
+ break;
+ default:
+ CMS.debug("ObjectSpec.parseKeyBlob" +
+ "skipped attribute_id = " +
+ attribute_id);
+ break;
+ }
+
+ if (found) {
+ /* add attribute spec */
+ AttributeSpec attrSpec = new AttributeSpec();
+ attrSpec.setAttributeID(attribute_id);
+ attrSpec.setType(type);
+
+ switch (type) {
+ case DATATYPE_STRING:
+ attrSpec.setData(data);
+ break;
+ case DATATYPE_INTEGER:
+ attrSpec.setData(data);
+ break;
+ case DATATYPE_BOOL_FALSE:
+ break;
+ case DATATYPE_BOOL_TRUE:
+ break;
+ default:
+ break;
+ }
+
+ objectSpec.addAttributeSpec(attrSpec);
+ }
+
+ curpos += 4 + 2 + attribute_size;
+ }
+
+ //Here the objectID fixed attribute gets massaged. Here's how:
+ // The objectID becomes the cert container id, ex: 01
+ // Each key pair associated with the cert must have the same ID.
+ // This is done by math using the following formula:
+ // Given a cert id of "2", the keyAttrIds of the keys are originally
+ // configured as k4 and k5. Note that one is twice the cert id, and
+ // the other is twice the cert id plus 1. In order to map the key ids
+ // down to the cert's id, the code below changes both "4" and "5" back
+ // to "2".
+
+ int val = (objectID.charAt(1) - '0');
+ switch (objectID.charAt(0)) {
+ case 'c':
+
+ id = val;
+
+ break;
+ case 'k':
+ if ((val % 2) != 0) {
+ id = (val - 1) / 2;
+ } else {
+ id = (val / 2);
+
+ }
+
+ break;
+ }
+
+ objectSpec.setFixedAttributes(fixedAttrs | (xclass << 4) | id);
+ }
+
+ /**
+ * Parse 'c' object.
+ */
+ public static void parseCertificateAttributes(String objectID, ObjectSpec objectSpec, TPSBuffer b)
+ {
+ parseAttributes(objectID, objectSpec, b);
+ }
+
+ /**
+ * Parse 'k' object.
+ */
+ public static void parseKeyAttributes(String objectID, ObjectSpec objectSpec, TPSBuffer b)
+ {
+ parseAttributes(objectID, objectSpec, b);
+ }
+
+ /**
+ * Parse 'C' object.
+ */
+ public static void parseCertificateBlob(String objectID, ObjectSpec objectSpec, TPSBuffer b)
+ {
+ long fixedAttrs = 0;
+ int xclass = 0;
+ int id = 0;
+
+ AttributeSpec value = new AttributeSpec();
+ value.setAttributeID((int) PKCS11Constants.CKA_VALUE);
+ value.setType((byte) DATATYPE_STRING);
+ value.setData(b);
+ objectSpec.addAttributeSpec(value);
+
+ fixedAttrs = 0x00000080; /* CKA_TOKEN */
+ xclass = (int) PKCS11Constants.CKO_CERTIFICATE;
+ id = objectID.charAt(1) - '0';
+
+ objectSpec.setFixedAttributes(fixedAttrs | (xclass << 4) | id);
+ }
+
+ /**
+ * Convert object from token into object spec.
+ *
+ * Reference:
+ * http://netkey/design/applet_readable_object_spec-0.1.txt
+ * http://netkey/design/pkcs11obj.txt
+ *
+ * @throws TPSException
+ */
+ public static ObjectSpec parseFromTokenData(long objid, TPSBuffer b) throws TPSException
+ {
+ String objectID = null;
+
+ StringBuilder idBuilder = new StringBuilder();
+
+ ObjectSpec o = new ObjectSpec();
+ o.setObjectID(objid);
+
+ char[] b1 = new char[4];
+ b1[0] = (char) ((objid >> 24) & 0xff);
+ b1[1] = (char) ((objid >> 16) & 0xff);
+ b1[2] = (char) ((objid >> 8) & 0xff);
+ b1[3] = (char) (objid & 0xff);
+
+ idBuilder.append(b1[0]);
+ idBuilder.append(b1[1]);
+ idBuilder.append(b1[2]);
+ idBuilder.append(b1[3]);
+
+ objectID = idBuilder.toString();
+ switch (b1[0]) {
+ case 'c': /* certificate attributes */
+ parseCertificateAttributes(objectID, o, b);
+ break;
+ case 'k': /* public key or private key attributes */
+ parseKeyAttributes(objectID, o, b);
+ break;
+ case 'C': /* certificate in DER */
+ parseCertificateBlob(objectID, o, b);
+ break;
+ default:
+ CMS.debug("ObjectSpec::ParseKeyBlob" +
+ "unknown objectID = " + objectID.charAt(0));
+ throw new TPSException("ObjectSpec parseFromToken data: Invalid object type, aborting..");
+ }
+
+ return o;
+ }
+
+ public static ObjectSpec parse(TPSBuffer b, int offset) throws TPSException
+ {
+ int sum = 0;
+
+ if ((b.size() - offset) < 10)
+ return null;
+
+ ObjectSpec o = new ObjectSpec();
+ long id = b.getLongFrom4Bytes(offset);
+
+ o.setObjectID(id);
+ long attribute = b.getLongFrom4Bytes(offset + 4);
+
+ o.setFixedAttributes(attribute);
+ int count = b.getIntFrom2Bytes(offset + 8);
+ sum += 10;
+ int curpos = offset + 10;
+ for (int i = 0; i < count; i++) {
+ int len = 0;
+ switch (b.at(curpos + 4)) {
+ case DATATYPE_STRING:
+ len = 4 + 1 + 2 + b.getIntFrom2Bytes(curpos + 5);
+ break;
+ case DATATYPE_INTEGER:
+ len = 4 + 1 + 4;
+ break;
+ case DATATYPE_BOOL_FALSE:
+ len = 4 + 1;
+ break;
+ case DATATYPE_BOOL_TRUE:
+ len = 4 + 1;
+ break;
+ default:
+ CMS.debug("ObjectSpec::parse" +
+ "unknown DataType = " + b.at(curpos + 4));
+ throw new TPSException("ObjectSpec parse: Invalid data type, aborting..");
+ }
+ TPSBuffer attr = b.substr(curpos, len);
+ AttributeSpec attrSpec = AttributeSpec.parse(attr, 0);
+ o.addAttributeSpec(attrSpec);
+ curpos += len;
+ sum += len;
+ }
+ o.setParseRead(sum);
+ return o;
+ }
+
+ private void setParseRead(int nread) {
+ parseRead = nread;
+ }
+
+ void setObjectID(long v)
+ {
+ objectID = v;
+ }
+
+ public long getObjectID()
+ {
+ return objectID;
+ }
+
+ public void setFixedAttributes(long v)
+ {
+ fixedAttributes = v;
+ }
+
+ public long getFixedAttributes()
+ {
+ return fixedAttributes;
+ }
+
+ public int getAttributeSpecCount()
+ {
+ return attributeSpecs.size();
+ }
+
+ public AttributeSpec getAttributeSpec(int p)
+ {
+ return attributeSpecs.get(p);
+ }
+
+ public void addAttributeSpec(AttributeSpec p)
+ {
+ attributeSpecs.add(p);
+ }
+
+ public void removeAttributeSpec(int p)
+ {
+ attributeSpecs.remove(p);
+
+ }
+
+ TPSBuffer getData()
+ {
+ TPSBuffer data = new TPSBuffer();
+
+ data.addLong4Bytes(objectID);
+ data.addLong4Bytes(fixedAttributes);
+
+ int attributeCount = getAttributeSpecCount();
+ data.addInt2Bytes(attributeCount);
+ for (int i = 0; i < attributeCount; i++) {
+ AttributeSpec spec = getAttributeSpec(i);
+ data.add(spec.getData());
+ }
+
+ return data;
+ }
+
+}
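Review bot: Both parsers trust length fields read from the token blob: in `parseAttributes` the `attribute_size` from `getIntFrom2Bytes(curpos + 4)` is used directly in `b.substr(curpos + 6, attribute_size)` and `b.at(curpos + 6)`, and in `parse` the `count` from the object header drives a loop that reads `b.at(curpos + 4)` and `getIntFrom2Bytes(curpos + 5)` with no check that `curpos + len` stays within `b.size()`. Unless `TPSBuffer.substr`/`at` bounds-check and throw (not visible here), malformed or truncated token data reads past the buffer or yields garbage specs. In `parse`, which already declares `throws TPSException`, add `if (curpos + 5 > b.size()) throw new TPSException("ObjectSpec parse: truncated attribute header");` before the switch and `if (curpos + len > b.size()) throw new TPSException("ObjectSpec parse: attribute overruns buffer");` after it; `parseAttributes` needs the same guard but would have to declare `throws TPSException` first. The import of `sun.security.pkcs11.wrapper.PKCS11Constants` is a JDK-internal API and may not be available on every runtime; the constants used here could be defined locally instead.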
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/main/PKCS11Obj.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/PKCS11Obj.java
new file mode 100644
index 000000000..7e3290fb2
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/main/PKCS11Obj.java
@@ -0,0 +1,594 @@
+package org.dogtagpki.server.tps.main;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.zip.DataFormatException;
+import java.util.zip.Deflater;
+import java.util.zip.Inflater;
+
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.dogtagpki.tps.main.TPSException;
+import org.dogtagpki.tps.main.Util;
+
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
+import com.netscape.certsrv.apps.CMS;
+
+public class PKCS11Obj {
+
+ private ArrayList<ObjectSpec> objectSpecs;
+
+ public PKCS11Obj() {
+ objectSpecs = new ArrayList<ObjectSpec>();
+ }
+
+ private int formatVersion;
+ private int objectVersion;
+
+ private TPSBuffer tokenName;
+ private TPSBuffer cuid;
+
+ public static PKCS11Obj parse(TPSBuffer b, int offset) throws TPSException, DataFormatException, IOException
+ {
+ PKCS11Obj o = new PKCS11Obj();
+
+ int formatVersion = b.getIntFrom2Bytes(0);
+ o.setFormatVersion(formatVersion);
+ int objectVersion = b.getIntFrom2Bytes(2);
+
+ o.setObjectVersion(objectVersion);
+ o.setCUID(b.substr(offset + 4, 10));
+
+ int compressionType = b.getIntFrom2Bytes(14);
+ int dataSize = b.getIntFrom2Bytes(16);
+
+ int dataOffset = b.getIntFrom2Bytes(18);
+
+ CMS.debug("PKCS11Obj.parse: commpressionType: " + compressionType + " DataSize:"
+ + dataSize + "DataOffset: " + dataOffset);
+
+ TPSBuffer data = new TPSBuffer();
+
+ if (compressionType == 0) { /* no compression */
+ data.add(b.substr(offset + dataOffset, dataSize));
+ } else if (compressionType == 1) { /* zlib */
+ TPSBuffer compressedData = b.substr(offset + dataOffset, dataSize);
+
+ TPSBuffer uncompressedData = uncompress(
+ compressedData);
+
+ data = new TPSBuffer(uncompressedData);
+ } else {
+ throw new TPSException("PKCS11Obj.parse: error parsing object data!");
+ }
+
+ int objOffset = data.getIntFrom2Bytes(0);
+ int objCount = data.getIntFrom2Bytes(2);
+
+ //Check for absurd number of objects
+ if (objCount < 0 || objCount > 100) {
+ throw new TPSException("PKCS11Obj.parse: error parsing object data!");
+ }
+
+ TPSBuffer tokenName = data.substr(5, data.at(4));
+ o.setTokenName(tokenName);
+
+ System.out.println("tokenName: " + tokenName.toHexString());
+ System.out.println("uncompressed data size: " + data.size());
+
+ CMS.debug("PKCS11Obj.parse" + "objcount = " + objCount);
+
+ int curpos = objOffset;
+ int nread = 0;
+ for (int i = 0; i < objCount; i++) {
+ CMS.debug("PKCS11Ob.parse: working on object " + i);
+ ObjectSpec objSpec = ObjectSpec.parse(data, curpos);
+
+ if (objSpec == null)
+ continue;
+
+ nread = objSpec.getParseReadSize();
+ o.addObjectSpec(objSpec);
+
+ long oid = objSpec.getObjectID();
+ char[] b1 = new char[2];
+
+ b1[0] = (char) ((oid >> 24) & 0xff);
+ b1[1] = (char) ((oid >> 16) & 0xff);
+
+ CMS.debug("PKCS11Obj.parse " + "About to parse = " + b1[0] + ":" + b1[1]);
+ System.out.println("PKCS11Obj.parse " + "About to parse = " + b1[0] + ":" + b1[1]);
+
+ // add corresponding 'C' object for 'c'
+ if (b1[0] == 'c') {
+ for (int j = 0; j < objSpec.getAttributeSpecCount(); j++) {
+ AttributeSpec as = objSpec.getAttributeSpec(j);
+ if (as.getAttributeID() == PKCS11Constants.CKA_VALUE) {
+ if (as.getType() == (byte) 0) {
+ TPSBuffer cert = as.getValue();
+
+ long l1 = 0x43; // 'C'
+ long l2 = b1[1];
+
+ l1 = (l1 & 0xff) << 24;
+ l2 = (l2 & 0xff) << 16;
+ long certid = l1 + l2;
+
+ ObjectSpec certSpec =
+ ObjectSpec.parseFromTokenData(
+ certid, cert);
+ o.addObjectSpec(certSpec);
+
+ objSpec.removeAttributeSpec(j);
+ break;
+ }
+ }
+ }
+
+ }
+
+ curpos += nread;
+ }
+ return o;
+ }
+
+ public boolean doesCertIdExist(String certId) {
+
+ boolean foundObj = false;
+ char[] certChars = certId.toCharArray();
+
+ for (ObjectSpec objSpec : objectSpecs) {
+
+ long oid = objSpec.getObjectID();
+
+ char[] b1 = new char[2];
+
+ b1[0] = (char) ((oid >> 24) & 0xff);
+ b1[1] = (char) ((oid >> 16) & 0xff);
+
+ if (Arrays.equals(b1, certChars)) {
+ foundObj = true;
+ CMS.debug("PKCD11Obj.doesCertIdExist: match found!");
+ break;
+ }
+
+ }
+
+ return foundObj;
+ }
+
+ public void setFormatVersion(int v)
+ {
+ formatVersion = v;
+ }
+
+ public void setObjectVersion(int v)
+ {
+ objectVersion = v;
+ }
+
+ public int getFormatVersion()
+ {
+ return formatVersion;
+ }
+
+ public int getObjectVersion()
+ {
+ return objectVersion;
+ }
+
+ public void setCUID(TPSBuffer cuid)
+ {
+ this.cuid = cuid;
+ ;
+ }
+
+ public TPSBuffer getCUID()
+ {
+ return cuid;
+ }
+
+ public void setTokenName(TPSBuffer tokenName)
+ {
+ this.tokenName = tokenName;
+ }
+
+ public TPSBuffer getTokenName()
+ {
+ return tokenName;
+ }
+
+ int getObjectSpecCount()
+ {
+ return objectSpecs.size();
+ }
+
+ public ObjectSpec getObjectSpec(int p)
+ {
+ return objectSpecs.get(p);
+ }
+
+ public void addObjectSpec(ObjectSpec p)
+ {
+ objectSpecs.add(p);
+ }
+
+ public void removeObjectSpec(int p)
+ {
+ objectSpecs.remove(p);
+
+ }
+
+ public void removeAllObjectSpecs() {
+
+ objectSpecs.clear();
+ }
+
+ private TPSBuffer getRawHeaderData(int compressionType, TPSBuffer data) {
+ TPSBuffer header = new TPSBuffer();
+
+ header.add((byte) ((formatVersion >> 8) & 0xff));
+ header.add((byte) (formatVersion & 0xff));
+ header.add((byte) ((objectVersion >> 8) & 0xff));
+ header.add((byte) (objectVersion & 0xff));
+ header.add(cuid);
+ // COMP_NONE = 0x00
+ // COMP_ZLIB = 0x01
+
+ header.add((byte) ((compressionType >> 8) & 0xff));
+ header.add((byte) (compressionType & 0xff));
+ int compressedDataSize = data.size();
+ header.add((byte) ((compressedDataSize >> 8) & 0xff));
+ header.add((byte) (compressedDataSize & 0xff));
+ int compressedDataOffset = 20;
+ header.add((byte) ((compressedDataOffset >> 8) & 0xff));
+ header.add((byte) (compressedDataOffset & 0xff));
+
+ return header;
+
+ }
+
+ private TPSBuffer getRawData() {
+ TPSBuffer data = new TPSBuffer();
+
+ int objectOffset = tokenName.size() + 2 + 3;
+
+ data.add((byte) ((objectOffset >> 8) & 0xff));
+ data.add((byte) (objectOffset & 0xff));
+ int objectCount = getObjectSpecCount();
+ int objectCountX = objectCount;
+ if (objectCountX == 0) {
+ objectCountX = 0;
+ } else {
+ objectCountX = objectCountX - (objectCountX / 4);
+ }
+
+ data.add((byte) ((objectCountX >> 8) & 0xff));
+ data.add((byte) (objectCountX & 0xff));
+ data.add((byte) (tokenName.size() & 0xff));
+ data.add(tokenName);
+ for (int i = 0; i < objectCount; i++) {
+ ObjectSpec spec = getObjectSpec(i);
+ long objectID = spec.getObjectID();
+ char c = (char) ((objectID >> 24) & 0xff);
+ long fixedAttrs = spec.getFixedAttributes();
+ int xclass = (int) ((fixedAttrs & 0x70) >> 4);
+ char cont_id = (char) ((objectID >> 16) & 0xff);
+ long id = (int) (fixedAttrs & 0x0f);
+ /* locate all certificate objects */
+ if (c == 'c' && xclass == PKCS11Constants.CKO_CERTIFICATE) {
+
+ //We need to use the container id, there may be more than one cert
+ //with the same CKA_ID byte
+
+ id = cont_id - '0';
+
+ /* locate the certificate object */
+ for (int u = 0; u < objectCount; u++) {
+ ObjectSpec u_spec = getObjectSpec(u);
+ long u_objectID = u_spec.getObjectID();
+ char u_c = (char) ((u_objectID >> 24) & 0xff);
+ long u_fixedAttrs =
+ u_spec.getFixedAttributes();
+ int u_xclass = (int) ((u_fixedAttrs & 0x70) >> 4);
+ int u_id = (int) (u_fixedAttrs & 0x0f);
+ if (u_c == 'C' && u_xclass == PKCS11Constants.CKO_CERTIFICATE && u_id == id) {
+ AttributeSpec u_attr =
+ u_spec.getAttributeSpec(0);
+ AttributeSpec n_attr = new AttributeSpec();
+ n_attr.setAttributeID(u_attr.getAttributeID());
+ n_attr.setType(u_attr.getType());
+ n_attr.setData(u_attr.getValue());
+ spec.addAttributeSpec(n_attr);
+ }
+ }
+
+ data.add(spec.getData());
+
+ /* locate public object */
+ for (int x = 0; x < objectCount; x++) {
+ ObjectSpec x_spec = getObjectSpec(x);
+ long x_fixedAttrs =
+ x_spec.getFixedAttributes();
+ int x_xclass = (int) ((x_fixedAttrs & 0x70) >> 4);
+ int x_id = (int) (x_fixedAttrs & 0x0f);
+ if (x_xclass == PKCS11Constants.CKO_PUBLIC_KEY && x_id == id) {
+ data.add(x_spec.getData());
+ }
+ }
+
+ /* locate private object */
+ for (int y = 0; y < objectCount; y++) {
+ ObjectSpec y_spec = getObjectSpec(y);
+ long y_fixedAttrs =
+ y_spec.getFixedAttributes();
+ int y_xclass = (int) ((y_fixedAttrs & 0x70) >> 4);
+ int y_id = (int) (y_fixedAttrs & 0x0f);
+ if (y_xclass == PKCS11Constants.CKO_PRIVATE_KEY && y_id == id) {
+ data.add(y_spec.getData());
+ }
+ }
+ }
+ }
+
+ return data;
+
+ }
+
+ public TPSBuffer getData()
+ {
+ TPSBuffer data = getRawData();
+ TPSBuffer header = getRawHeaderData(0, data);
+
+ TPSBuffer result = new TPSBuffer(header);
+ result.add(data);
+ return result;
+ }
+
+ TPSBuffer getCompressedData() throws TPSException, IOException
+ {
+ TPSBuffer data = getRawData(); // new TPSBuffer();
+
+ CMS.debug("PKCS11Obj.getCompressedData: " + "before compress length = " + data.size());
+ System.out.println("Raw data before compress length: " + data.size());
+
+ TPSBuffer src_buffer = new TPSBuffer(data);
+
+ CMS.debug("PKCS11Obj.getCompressedData: " + "sizeof src_buffer = " + src_buffer.size());
+ CMS.debug("PKCS11Obj.getCompressedData: " + "data size = " + data.size());
+
+ TPSBuffer compressed = compress(src_buffer);
+ TPSBuffer header = getRawHeaderData(0x01, compressed);
+
+ TPSBuffer result = new TPSBuffer(header);
+ result.add(compressed);
+
+ return result;
+ }
+
+ static private TPSBuffer compress(TPSBuffer uncompressedData) throws TPSException, IOException {
+
+ if (uncompressedData == null) {
+ throw new TPSException("PKCS11Obj.uncompress: bad input data!");
+ }
+
+ byte[] data = uncompressedData.toBytesArray();
+
+ Deflater deflater = new Deflater();
+
+ deflater.setInput(data);
+
+ byte[] buffer = new byte[1024];
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
+ deflater.finish();
+ while (!deflater.finished()) {
+ int count = deflater.deflate(buffer);
+ outputStream.write(buffer, 0, count);
+ }
+ outputStream.close();
+ byte[] output = outputStream.toByteArray();
+ CMS.debug("Original: " + data.length);
+ CMS.debug("Compressed: " + output.length);
+
+ TPSBuffer result = new TPSBuffer(output);
+
+ return result;
+
+ }
+
+ static private TPSBuffer uncompress(TPSBuffer compressedData) throws TPSException, DataFormatException, IOException {
+
+ if (compressedData == null) {
+ throw new TPSException("PKCS11Obj.uncompress: bad input data!");
+ }
+ byte[] data = compressedData.toBytesArray();
+
+ Inflater inflater = new Inflater();
+ inflater.setInput(data);
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
+ byte[] buffer = new byte[1024];
+ while (!inflater.finished()) {
+ int count = inflater.inflate(buffer);
+ outputStream.write(buffer, 0, count);
+ }
+ outputStream.close();
+ byte[] output = outputStream.toByteArray();
+ CMS.debug("Original: " + data.length);
+ CMS.debug("Uncompressed: " + output.length);
+
+ TPSBuffer result = new TPSBuffer(output);
+
+ return result;
+ }
+
+ public static void main(String[] args) throws TPSException, DataFormatException, IOException {
+
+ //Sample token data taken from previous server for
+ // testing this functionality.
+
+ String compressedTokenData =
+
+ "%01%00%38%4c%53%4e%06%50%00%01" +
+ "%00%00%01%08%00%01%04%03%00%14" +
+ "%78%9c%63%e0%61%e0%64%cf%ca%4d" +
+ "%4c%cf%4b%55%48%36%64%00%81%89" +
+ "%0c%4c%40%92%99%81%41%ac%38%33" +
+ "%3d%2f%33%2f%5d%21%3b%b5%52%21" +
+ "%2d%bf%48%01%a2%0e%28%29%c8%c0" +
+ "%f8%c7%a0%89%f1%07%10%cf%59%c0" +
+ "%cc%c4%c8%c4%c4%e8%69%c0%c3%c6" +
+ "%a1%d5%e6%71%ce%96%85%99%89%95" +
+ "%c1%20%d2%50%c1%40%8e%8d%39%94" +
+ "%85%4b%58%3c%28%35%45%c1%23%b1" +
+ "%44%21%38%35%b9%b4%28%b3%a4%52" +
+ "%c1%25%3f%37%31%33%cf%50%d4%40" +
+ "%18%a4%82%5b%98%a7%20%3b%53%37" +
+ "%39%51%37%2b%31%39%db%c8%50%ce" +
+ "%40%06%24%cc%2c%2c%ea%9c%5a%54" +
+ "%92%99%96%99%9c%58%92%aa%e0%58" +
+ "%5a%92%91%0f%d2%6d%20%27%ce%6b" +
+ "%68%62%60%68%60%61%60%64%68%69" +
+ "%6a%10%05%e4%5a%02%b9%e6%50%ae" +
+ "%81%a1%a1%b8%81%28%c4%6a%be%90" +
+ "%fc%ec%d4%3c%05%6f%a0%07%42%8b" +
+ "%53%8b%0c%c5%0c%44%d8%b8%38%27" +
+ "%a9%75%4e%fe%a4%93%c2%c8%28%cc" +
+ "%06%f1%92%41%24%d0%25%ec%60%d7" +
+ "%33%31%42%bd%c1%cc%c8%ce%ec%c4" +
+ "%c0%12%dc%1d%9d%b7%91%ef%a6%dd" +
+ "%8a%27%01%3f%cf%3e%3d%7e%23%78" +
+ "%4e%8f%8c%c4%89%f7%ad%4b%1c%92" +
+ "%0c%2e%1d%5d%b5%46%ad%7a%aa%d9" +
+ "%7b%13%c7%6d%07%fb%0d%67%f5%45" +
+ "%ce%3e%52%b6%fc%ed%14%87%8a%04" +
+ "%29%3d%4e%b5%b5%2e%0f%33%fc%17" +
+ "%57%1b%54%1a%f0%01%5d%23%cb%cf" +
+ "%c8%f8%9f%05%18%38%6c%07%c0%fe" +
+ "%93%15%64%01%fa%bf%51%10%e2%02" +
+ "%87%a2%d4%94%8c%c4%12%bd%e4%fc" +
+ "%5c%03%59%90%2c%1f%8b%18%8b%88" +
+ "%d6%6f%81%1f%09%45%05%16%cf%64" +
+ "%27%1d%fe%e2%99%df%c7%64%c1%37" +
+ "%cf%40%1e%24%ad%cc%22%61%20%d6" +
+ "%20%72%ec%2a%6b%5d%94%e1%bb%c0" +
+ "%6f%05%33%5a%0e%ec%90%bb%b6%29" +
+ "%b1%d4%d1%80%13%a4%40%98%85%c9" +
+ "%80%01%35%4e%98%3d%18%0c%5c%99" +
+ "%14%19%16%d6%14%64%1c%9b%d2%a4" +
+ "%90%6e%1b%e3%56%cc%d6%36%7f%5a" +
+ "%8b%1a%87%f9%79%a7%a8%92%24%c7" +
+ "%49%4b%59%02%1e%32%29%78%9a%f0" +
+ "%70%45%1c%57%b9%77%60%b7%82%c6" +
+ "%fc%fc%09%8b%f7%a8%ec%6e%51%3d" +
+ "%60%cb%58%b3%e5%5d%af%c0%f9%a6" +
+ "%c7%d9%c6%c0%44%c0%c3%b0%10%94" +
+ "%4a%18%81%10%9c%5c%18%1b%18%18" +
+ "%b8%10%81%07%14%68%64%60%70%a4" +
+ "%38%00%b3%8d%80%c6%0b%33%6e%04" +
+ "%a5%4a%5c%76%25%1b%81%53%ee%24" +
+ "%58%ca%95%4c%cd%4b%2e%aa%2c%28" +
+ "%c9%cc%cf%c3%9a%78%7f%03%13%ee" +
+ "%77%a4%c4%eb%35%50%89%d7%10%35" +
+ "%f1%1a%52%39%f1%06%de%54%65%71" +
+ "%10%e3%2a%fe%5e%aa%7a%9e%77%f3" +
+ "%fe%e6%0d%ed%02%0d%37%0e%33%71" +
+ "%2c%58%65%c4%2f%b9%53%6c%5d%f7" +
+ "%c4%53%07%d7%eb%5d%79%df%d8%fc" +
+ "%43%c3%c0%6b%f3%89%ef%47%96%3e" +
+ "%72%7e%9b%fc%f6%4c%83%77%bf%ce" +
+ "%5d%7b%35%cc%c4%cb%aa%40%74%e2" +
+ "%fd%7d%75%09%57%fb%01%4f%cd%ab" +
+ "%4b%b3%58%5b%f7%9f%bf%a7%be%4a" +
+ "%2c%85%82%c4%eb%ce%60%e0%c2%a4" +
+ "%10%1f%7c%75%eb%26%9f%83%2d%8f" +
+ "%f5%3a%76%b5%f2%d4%cf%3b%de%b7" +
+ "%bb%e9%56%8a%ef%f4%af%3c%31%3c" +
+ "%76%77%b9%1a%98%14%32%3e%09%cd" +
+ "%fc%c8%f9%f3%c9%b2%45%21%f3%b6" +
+ "%2c%56%0c%39%fb%2d%e5%7f%da%de" +
+ "%fd%ce%33%17%d4%c8%af%15%c8%dd" +
+ "%99%6d%0a%4a%2a%01%8b%88%49%bb" +
+ "%94%86%5f%b6%09%d0%78%81%85%9b" +
+ "%f0%a6%5d%63%70%da%9d%0c%4b%bb" +
+ "%32%38%d3%ae%02%58%29%96%b2%d7" +
+ "%84%be%c9%d7%d8%d0%c8%c8%00%98" +
+ "%50%4d%8c%c1%65%af%85%a1%11%28" +
+ "%09%83%b9%d4%4d%be%49%31%e1%27" +
+ "%cf%4e%93%9b%7a%35%6d%1b%db%e1" +
+ "%10%3b%ee%c5%1e%b6%1f%23%ee%7c" +
+ "%9c%b7%6e%ee%aa%57%a2%7f%95%fb" +
+ "%fd%3a%3b%ab%de%46%cb%ff%62%9e" +
+ "%ac%90%66%b3%f0%58%b3%dd%ed%38" +
+ "%e1%16%9f%a4%56%8d%fb%6b%db%96" +
+ "%ba%ef%aa%a4%28%f9%66%b5%2f%9d" +
+ "%36%cd%7b%52%6b%4b%68%e5%8d%57" +
+ "%92%92%5f%78%36%7e%31%a4%b4%ec" +
+ "%55%a8%95%da%7c%76%42%8a%19%a3" +
+ "%d9%f1%03%27%af%cb%14%fb%3b%44" +
+ "%cf%dc%b1%fc%a1%dc%8f%95%31%b9" +
+ "%5f%ff%2e%aa%b8%00%2c%9d%f7%b9" +
+ "%1e%bd%c5%2e%78%b4%48%4e%aa%7b" +
+ "%92%e1%16%5d%af%cd%1f%94%93%96" +
+ "%3b%27%c5%ed%ab%f6%0c%dd%cb%73" +
+ "%fd%7a%b6%39%38%fd%2e%26%26%fd" +
+ "%52%1a%80%d9%66%e0%f4%bb%19%5f" +
+ "%fa%05%00%21%15%7f%b0";
+
+ System.out.println("Test PKCS11 Blob data: " + compressedTokenData);
+ System.out.println("Test Data: Len: " + compressedTokenData.length());
+
+ // Test getting integer values from a TPSBuffer
+
+ byte[] value = { (byte) 99, (byte) 49, (byte) 0, (byte) 0 };
+
+ TPSBuffer valBuf = new TPSBuffer(value);
+
+ long l1 = valBuf.getLongFrom4Bytes(0);
+
+ int i1 = valBuf.getIntFrom2Bytes(0);
+
+ int i2 = valBuf.getIntFrom1Byte(0);
+
+ System.out.println("4 bytes long: " + l1 + " 2 bytes int: " + i1 + " 1 byte int: " + i2);
+
+ // Now test the parsing and un-parsing of the data, the result at the end should be
+ // the same as the original data.
+ // The data above is an exact copy of a blob taken off of a real token in the
+ // old TPS.
+
+ byte[] decoded = Util.uriDecodeFromHex(compressedTokenData);
+
+ System.out.println("decoded compressed datat size: " + decoded.length);
+
+ // This is buffer containing sample copressed pkcs#11 blob.
+ TPSBuffer tokenData = new TPSBuffer(decoded);
+
+ // Parse the given token data into PKCS#11 objects and attributes
+
+ PKCS11Obj object = PKCS11Obj.parse(tokenData, 0);
+
+ String certId = "C1";
+ boolean exists = object.doesCertIdExist(certId);
+
+ System.out.println("CertID " + certId + " exists: " + exists);
+
+ // This gets the compressed blob that will go out to token of the parsed data.
+ TPSBuffer implodedData = object.getCompressedData();
+
+ System.out.println("imploded token data size: " + implodedData.size());
+
+ String encodedImplodedData = implodedData.toHexString();
+
+ System.out.println("encodedImplodedData: " + encodedImplodedData);
+
+ // Now test to see if both blobs are identical
+
+ boolean identical = implodedData.equals(tokenData);
+
+ System.out.println("Before and after comparison result: Are the blobs identical?: " + identical);
+
+ }
+
+}
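Review bot: `uncompress` loops `while (!inflater.finished())`, and when the zlib stream is truncated or needs a preset dictionary `inflate` returns 0 without ever finishing, so malformed token data hangs the thread; the loop also places no bound on the inflated size, and neither this `Inflater` nor the `Deflater` in `compress` is released with `end()`. The rewrite below aborts on a zero-byte round where `needsInput()`/`needsDictionary()` is set, caps the output at a constant you should size from the largest object blob the applet can hold (`MAX_UNCOMPRESSED_SIZE` is a placeholder name), and releases the native state in `finally`. `compress` has the same `end()` issue and its error message wrongly says `PKCS11Obj.uncompress`. In `parse`, the header reads at fixed positions 0, 2, 14, 16 and 18 ignore `offset` while the CUID and data reads add it, so the method only works for `offset == 0`; either apply `offset` throughout or drop the parameter.
```java
static private TPSBuffer uncompress(TPSBuffer compressedData) throws TPSException, DataFormatException, IOException {
    // … unchanged: null check and toBytesArray() …
    Inflater inflater = new Inflater();
    try {
        inflater.setInput(data);
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
        byte[] buffer = new byte[1024];
        while (!inflater.finished()) {
            int count = inflater.inflate(buffer);
            if (count == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                // Truncated or malformed stream: inflate() would return 0 forever.
                throw new DataFormatException("PKCS11Obj.uncompress: truncated or malformed zlib stream");
            }
            outputStream.write(buffer, 0, count);
            if (outputStream.size() > MAX_UNCOMPRESSED_SIZE) { // MAX_UNCOMPRESSED_SIZE: placeholder, size from applet object limits
                throw new TPSException("PKCS11Obj.uncompress: inflated data exceeds limit");
            }
        }
        // … unchanged: toByteArray(), debug logging, wrap in TPSBuffer and return …
    } finally {
        inflater.end(); // release native zlib state
    }
}
```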
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/AppletInfo.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/AppletInfo.java
new file mode 100644
index 000000000..c61734a82
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/AppletInfo.java
@@ -0,0 +1,77 @@
+package org.dogtagpki.server.tps.processor;
+
+import org.dogtagpki.tps.main.TPSBuffer;
+
+
+public class AppletInfo {
+
+ private byte majorVersion;
+ private byte minorVersion;
+ private byte appMajorVersion;
+ private byte appMinorVersion;
+
+
+ private TPSBuffer cuid;
+ private TPSBuffer msn;
+
+ public AppletInfo(byte appletMajorVer,byte appletMinorVer,byte appMajorVer,byte appMinorVer) {
+
+ majorVersion = appletMajorVer;
+ minorVersion = appletMinorVer;
+ appMajorVersion = appMajorVer;
+ appMinorVersion = appMinorVer;
+
+ }
+
+ public void setCUID(TPSBuffer theCuid) {
+ cuid = new TPSBuffer(theCuid);
+ }
+
+ public TPSBuffer getCUID() {
+ return cuid;
+ }
+
+ public void setMSN(TPSBuffer theMsn) {
+ msn = new TPSBuffer(theMsn);
+ }
+
+ public TPSBuffer getMSN() {
+ return msn;
+ }
+
+ public String getCUIDString() {
+ if(cuid != null) {
+ return cuid.toHexString();
+ }
+
+ return null;
+ }
+
+ public String getMSNString() {
+ if(msn != null) {
+ return msn.toHexString();
+ }
+ return null;
+ }
+
+ public byte getMajorVersion() {
+ return majorVersion;
+ }
+
+ public byte getMinorVersion() {
+ return minorVersion;
+ }
+
+ public byte getAppMinorVersion() {
+ return appMinorVersion;
+ }
+
+ public byte getAppMajorVersion() {
+ return appMajorVersion;
+ }
+
+ public static void main(String[] args) {
+
+ }
+
+}
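Review bot: getCUID() and getMSN() return the internal TPSBuffer directly, which undoes the defensive copy that setCUID/setMSN make on the way in — a caller that mutates the returned buffer changes the stored identifier. Either return a copy the same way the setters do, `return cuid == null ? null : new TPSBuffer(cuid);`, or state in a Javadoc that the returned buffer must not be modified. The empty `main` at the bottom is dead code and can be dropped, and a class header such as `/** Version bytes plus the CUID and MSN buffers of the token being processed. */` would explain what the four version fields and two buffers are for.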
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/CertEnrollInfo.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/CertEnrollInfo.java
new file mode 100644
index 000000000..18c750d29
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/CertEnrollInfo.java
@@ -0,0 +1,162 @@
+package org.dogtagpki.server.tps.processor;
+
+import org.dogtagpki.server.tps.processor.TPSEnrollProcessor.TokenKeyType;
+
+public class CertEnrollInfo {
+
+ private TokenKeyType keyTypeEnum;
+ private String profileId;
+ private String certId;
+ private String certAttrId;
+ private String privateKeyAttrId;
+ private String publicKeyAttrId;
+ private String publisherId;
+ private String keyType;
+ private String keyTypePrefix;
+
+ private int keySize;
+ private int algorithm;
+ private int keyUsage;
+ private int keyUser;
+ private int privateKeyNumber;
+ private int publicKeyNumber;
+ private int startProgress;
+ private int endProgress;
+
+ public void setStartProgressValue(int progress) {
+ startProgress = progress;
+ }
+
+ public int getStartProgressValue() {
+ return startProgress;
+ }
+
+ public void setEndProgressValue(int progress) {
+ endProgress = progress;
+ }
+
+ public int getEndProgressValue() {
+ return endProgress;
+ }
+
+ public void setKeyTypeEnum(TokenKeyType keyTypeEnum) {
+ this.keyTypeEnum = keyTypeEnum;
+ }
+
+ public TokenKeyType getKeyTypeEnum() {
+ return keyTypeEnum;
+ }
+
+ public void setProfileId(String profileId) {
+ this.profileId = profileId;
+ }
+
+ public String getProfileId() {
+ return profileId;
+ }
+
+ public void setCertId(String certId) {
+ this.certId = certId;
+ }
+
+ public String getCertId() {
+ return certId;
+ }
+
+ public void setCertAttrId(String certAttrId) {
+ this.certAttrId = certAttrId;
+ }
+
+ public String getCertAttrId() {
+ return certAttrId;
+ }
+
+ public void setPrivateKeyAttrId(String priKeyAttrId) {
+ privateKeyAttrId = priKeyAttrId;
+ }
+
+ public String getPrivateKeyAttrId() {
+ return privateKeyAttrId;
+ }
+
+ public void setPublicKeyAttrId(String publicKeyAttrId) {
+ this.publicKeyAttrId = publicKeyAttrId;
+ }
+
+ public String getPublicKeyAttrId() {
+ return publicKeyAttrId;
+ }
+
+ public void setKeySize(int keySize) {
+ this.keySize = keySize;
+ }
+
+ public int getKeySize() {
+ return keySize;
+ }
+
+ public void setPublisherId(String publisherId) {
+ this.publisherId = publisherId;
+ }
+
+ public String getPublisherId() {
+ return publisherId;
+ }
+
+ public void setAlgorithm(int algorithm) {
+ this.algorithm = algorithm;
+ }
+
+ public int getAlgorithm() {
+ return algorithm;
+ }
+
+ public void setKeyUsage(int keyUsage) {
+ this.keyUsage = keyUsage;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void setKeyUser(int keyUser) {
+ this.keyUser = keyUser;
+ }
+
+ public int getKeyUser() {
+ return keyUser;
+ }
+
+ public void setPrivateKeyNumber(int priKeyNumber) {
+ privateKeyNumber = priKeyNumber;
+ }
+
+ public int getPrivateKeyNumber() {
+ return privateKeyNumber;
+ }
+
+ public void setPublicKeyNumber(int pubKeyNumber) {
+ publicKeyNumber = pubKeyNumber;
+ }
+
+ public int getPublicKeyNumber() {
+ return publicKeyNumber;
+ }
+
+ public void setKeyType(String keyType) {
+ this.keyType = keyType;
+ }
+
+ public String getKeyType() {
+ return keyType;
+ }
+
+ public void setKeyTypePrefix(String keyTypePrefix) {
+ this.keyTypePrefix = keyTypePrefix;
+ }
+
+ public String getKeyTypePrefix() {
+ return keyTypePrefix;
+ }
+
+}
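Review bot: The class has no documentation, and the meaning of the int fields (algorithm, keyUsage, keyUser, privateKeyNumber, publicKeyNumber) is only recoverable by reading the config lookups in TPSEnrollProcessor.generateCertificate, so a header Javadoc is worth adding, e.g. `/** Enrollment parameters for one certificate, read from the op.enroll.<tokenType>.keyGen.<keyType> config section. */`. The setter style is also inconsistent: most use `this.x = x` with a parameter named after the field, while setPrivateKeyAttrId and setPrivateKeyNumber/setPublicKeyNumber use abbreviated parameter names; pick one form.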
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java
new file mode 100644
index 000000000..419395f20
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java
@@ -0,0 +1,113 @@
+package org.dogtagpki.server.tps.processor;
+
+import java.util.ArrayList;
+
+import org.dogtagpki.server.tps.main.PKCS11Obj;
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.mozilla.jss.pkix.cert.Certificate;
+
+public class EnrolledCertsInfo {
+
+ EnrolledCertsInfo() {
+ }
+
+ EnrolledCertsInfo(PKCS11Obj obj, TPSBuffer wrappedChallenge, TPSBuffer plainChallenge, int keyTypeNum) {
+ this.wrappedChallenge = wrappedChallenge;
+ plaintextChallenge = plainChallenge;
+ pkcs11objx = obj;
+ numCertsToEnroll = keyTypeNum;
+ }
+
+ //Tables that will get set during processing
+ private ArrayList<String> origins;
+ private ArrayList<String> ktypes;
+ private ArrayList<String> tokenTypes;
+ private ArrayList<Certificate> certificates;
+
+ //Input challenge data
+ private TPSBuffer wrappedChallenge;
+ private TPSBuffer plaintextChallenge;
+ private TPSBuffer keyCheck;
+
+ private int numCertsToEnroll;
+ private int currentCertIndex;
+
+ static final private int startProgress = 15;
+ static final private int endProgress = 90;
+
+ public int getCurrentCertIndex() {
+ return currentCertIndex;
+ }
+
+ public void setCurrentCertIndex(int index) {
+ currentCertIndex = index;
+ }
+
+ public void setNumCertsToEnroll(int num) {
+ numCertsToEnroll = num;
+ }
+
+ public int getNumCertsToEnroll() {
+ return numCertsToEnroll;
+ }
+
+ int getStartProgressValue() {
+ return startProgress;
+ }
+
+ int getEndProgressValue() {
+ return endProgress;
+ }
+
+ public void setKeyCheck(TPSBuffer keyCheck) {
+ this.keyCheck = keyCheck;
+ }
+
+ public TPSBuffer getKeyCheck() {
+ return keyCheck;
+ }
+
+ //PKCS11Object that will have values added to it during processing
+ private PKCS11Obj pkcs11objx;
+
+ public void setWrappedChallenge(TPSBuffer wrappedChallenge) {
+ this.wrappedChallenge = wrappedChallenge;
+ }
+
+ public TPSBuffer getWrappedChallenge() {
+ return wrappedChallenge;
+ }
+
+ public void setPlaintextChallenge(TPSBuffer plaintextChallenge) {
+ this.plaintextChallenge = plaintextChallenge;
+ }
+
+ public TPSBuffer getPlaintextChallenge() {
+ return plaintextChallenge;
+ }
+
+ public void setPKCS11Obj(PKCS11Obj pkcs11obj) {
+ pkcs11objx = pkcs11obj;
+ }
+
+ public PKCS11Obj getPKCS11Obj() {
+ return pkcs11objx;
+ }
+
+ public void addOrigin(String origin) {
+ origins.add(origin);
+ }
+
+ public void addKType(String ktype) {
+ ktypes.add(ktype);
+ }
+
+ public void addTokenType(String tokenType) {
+ tokenTypes.add(tokenType);
+ }
+
+ public void addCertificate(Certificate cert) {
+ certificates.add(cert);
+ }
+
+}
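Review bot: The four lists origins, ktypes, tokenTypes and certificates are declared but never initialized, so addOrigin, addKType, addTokenType and addCertificate will all throw NullPointerException on first use. Initialize each at its declaration, e.g. `private ArrayList<String> origins = new ArrayList<String>();`, and the same for the other three (declaring them as `List<...>` would also be the more idiomatic type). There are no getters for these lists either, so nothing can read what is added; presumably that is still to come, but a short comment saying so would help.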
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
new file mode 100644
index 000000000..ae7b5c61e
--- /dev/null
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -0,0 +1,642 @@
+package org.dogtagpki.server.tps.processor;
+
+import java.io.IOException;
+import java.util.zip.DataFormatException;
+
+import org.dogtagpki.server.tps.TPSSession;
+import org.dogtagpki.server.tps.authentication.TPSAuthenticator;
+import org.dogtagpki.server.tps.channel.SecureChannel;
+import org.dogtagpki.server.tps.engine.TPSEngine;
+import org.dogtagpki.server.tps.main.ObjectSpec;
+import org.dogtagpki.server.tps.main.PKCS11Obj;
+import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel;
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.dogtagpki.tps.main.TPSException;
+import org.dogtagpki.tps.msg.BeginOpMsg;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+
+public class TPSEnrollProcessor extends TPSProcessor {
+
+ public enum TokenKeyType {
+ KEY_TYPE_ENCRYPTION,
+ KEY_TYPE_SIGNING,
+ KEY_TYPE_SIGNING_AND_ENCRYPTION
+ };
+
+ public TPSEnrollProcessor(TPSSession session) {
+ super(session);
+
+ }
+
+ @Override
+ public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
+ if (beginMsg == null) {
+ throw new TPSException("TPSEnrollrocessor.process: invalid input data, not beginMsg provided.",
+ TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
+ }
+ setBeginMessage(beginMsg);
+ setCurrentTokenOperation("enroll");
+ checkIsExternalReg();
+
+ enroll();
+
+ }
+
+ private void enroll() throws TPSException, IOException {
+ CMS.debug("TPSEnrollProcessor enroll: entering...");
+
+ TPSEngine engine = getTPSEngine();
+ AppletInfo appletInfo = getAppletInfo();
+ String resolverInstName = getResolverInstanceName();
+
+ String tokenType = null;
+
+ tokenType = resolveTokenProfile(resolverInstName, appletInfo.getCUIDString(), appletInfo.getMSNString(),
+ appletInfo.getMajorVersion(), appletInfo.getMinorVersion());
+ CMS.debug("TPSProcessor.enroll: calculated tokenType: " + tokenType);
+ CMS.debug("TPSEnrollProcessor.enroll: tokenType: " + tokenType);
+
+ checkProfileStateOK();
+
+ if (engine.isTokenPresent(appletInfo.getCUIDString())) {
+ //ToDo
+
+ } else {
+ checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX);
+ checkAndAuthenticateUser(appletInfo, tokenType);
+ }
+
+ //ToDo: check transition state here
+
+ boolean do_force_format = engine.raForceTokenFormat(appletInfo.getCUIDString());
+
+ if (do_force_format) {
+ CMS.debug("TPSEnrollProcessor.enroll: About to force format first due to policy.");
+ //We will skip the auth step inside of format
+ format(true);
+ } else {
+ checkAndUpgradeApplet(appletInfo);
+ //Get new applet info
+ appletInfo = getAppletInfo();
+ }
+
+ CMS.debug("TPSEnrollProcessor.enroll: Finished updating applet if needed.");
+
+ //call stub for key changeover,will take more params when implemented.
+
+ SecureChannel channel = checkAndUpgradeSymKeys();
+
+ channel.externalAuthenticate();
+
+ //Call stub to reset pin, method here will be small and call into common pin reset functionality.
+ // Will be implemented during pin reset task.
+
+ checkAndHandlePinReset();
+
+ String tksConnId = getTKSConnectorID();
+ TPSBuffer plaintextChallenge = computeRandomData(16, tksConnId);
+
+ //These will be used shortly
+ TPSBuffer wrappedChallenge = encryptData(appletInfo, channel.getKeyInfoData(), plaintextChallenge, tksConnId);
+ PKCS11Obj pkcs11objx = null;
+
+ try {
+ pkcs11objx = getCurrentObjectsOnToken(channel);
+ } catch (DataFormatException e) {
+ throw new TPSException("TPSEnrollProcessor.enroll: Failed to parse original token data: " + e.toString());
+ }
+
+ //ToDo: Add token to token db
+
+ statusUpdate(15, "PROGRESS_PROCESS_PROFILE");
+
+ EnrolledCertsInfo certsInfo = new EnrolledCertsInfo();
+ certsInfo.setWrappedChallenge(wrappedChallenge);
+ certsInfo.setPlaintextChallenge(plaintextChallenge);
+ certsInfo.setPKCS11Obj(pkcs11objx);
+
+ generateCertificates(certsInfo, channel, appletInfo);
+
+ throw new TPSException("TPSEnrollProcessor.enroll: Failed to enroll token!",
+ TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
+
+ }
+
+ private void checkAndAuthenticateUser(AppletInfo appletInfo, String tokenType) throws TPSException {
+ IAuthCredentials userCred;
+ IAuthToken authToken;
+ if (!isExternalReg) {
+ // authenticate per profile/tokenType configuration
+ String configName = TPSEngine.OP_ENROLL_PREFIX + "." + tokenType + ".auth.enable";
+ IConfigStore configStore = CMS.getConfigStore();
+ boolean isAuthRequired;
+ try {
+ CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: getting config: " + configName);
+ isAuthRequired = configStore.getBoolean(configName, true);
+ } catch (EBaseException e) {
+ CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: Internal Error obtaining mandatory config values. Error: "
+ + e);
+ throw new TPSException("TPS error getting config values from config store.",
+ TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+ }
+ if (isAuthRequired) {
+ try {
+ TPSAuthenticator userAuth =
+ getAuthentication(TPSEngine.OP_ENROLL_PREFIX, tokenType);
+ userCred = requestUserId(TPSEngine.ENROLL_OP, appletInfo.getCUIDString(), userAuth,
+ beginMsg.getExtensions());
+ authToken = authenticateUser(TPSEngine.ENROLL_OP, userAuth, userCred);
+ CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: auth passed: userid: " + authToken.get("userid"));
+ } catch (Exception e) {
+ // all exceptions are considered login failure
+ CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
+ throw new TPSException("TPS error user authentication failed.",
+ TPSStatus.STATUS_ERROR_LOGIN);
+ }
+ } else {
+ throw new TPSException("TPSEnrollProcessor.checkAndAuthenticateUser: TPS enrollment must have authentication enabled.",
+ TPSStatus.STATUS_ERROR_LOGIN);
+
+ }
+
+ }
+ }
+
+ private void checkAndHandlePinReset() {
+ // TODO Auto-generated method stub
+
+ }
+
+ private void checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException {
+ // TODO Auto-generated method stub
+
+ CMS.debug("checkAndUpgradeApplet: entering..");
+
+ SecurityLevel securityLevel = SecurityLevel.SECURE_MSG_MAC;
+
+ boolean useEncryption = checkUpdateAppletEncryption();
+
+ String tksConnId = getTKSConnectorID();
+ if (useEncryption)
+ securityLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
+
+ if (checkForAppletUpdateEnabled()) {
+ String targetAppletVersion = checkForAppletUpgrade(currentTokenOperation);
+ upgradeApplet(currentTokenOperation, targetAppletVersion, securityLevel, getBeginMessage().getExtensions(),
+ tksConnId, 5, 12);
+ }
+
+ }
+
+ protected boolean checkUpdateAppletEncryption() throws TPSException {
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption entering...");
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String appletEncryptionConfig = "op." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_UPDATE_APPLET_ENCRYPTION;
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption config to check: " + appletEncryptionConfig);
+
+ boolean appletEncryption = false;
+
+ try {
+ appletEncryption = configStore.getBoolean(appletEncryptionConfig, false);
+ } catch (EBaseException e) {
+ //Default TPSException will return a "contact admin" error code.
+ throw new TPSException(
+ "TPSProcessor.checkUpdateAppletEncryption: internal error in getting value from config.");
+ }
+
+ CMS.debug("TPSProcessor.checkUpdateAppletEncryption returning: " + appletEncryption);
+ return appletEncryption;
+
+ }
+
+ private PKCS11Obj getCurrentObjectsOnToken(SecureChannel channel) throws TPSException, IOException,
+ DataFormatException {
+
+ byte seq = 0;
+
+ TPSBuffer objects = null;
+
+ PKCS11Obj pkcs11objx = new PKCS11Obj();
+ do {
+ objects = listObjects(seq);
+
+ if (objects == null) {
+ seq = 0;
+ } else {
+ seq = 1; // get next entry
+
+ TPSBuffer objectID = objects.substr(0, 4);
+ TPSBuffer objectLen = objects.substr(4, 4);
+
+ long objectIDVal = objectID.getLongFrom4Bytes(0);
+
+ long objectLenVal = objectLen.getLongFrom4Bytes(0);
+
+ TPSBuffer obj = channel.readObject(objectID, 0, (int) objectLenVal);
+
+ if ((char) obj.at(0) == 'z' && obj.at(1) == 0x0) {
+ pkcs11objx = PKCS11Obj.parse(obj, 0);
+ seq = 0;
+
+ } else {
+ ObjectSpec objSpec = ObjectSpec.parseFromTokenData(objectIDVal, obj);
+ pkcs11objx.addObjectSpec(objSpec);
+ }
+
+ CMS.debug("TPSEnrollProcessor.getCurrentObjectsOnToken. just read object from token: "
+ + obj.toHexString());
+ }
+
+ } while (seq != 0);
+
+ return pkcs11objx;
+ }
+
+ //Stub to generate a certificate, more to come
+ private void generateCertificates(EnrolledCertsInfo certsInfo, SecureChannel channel, AppletInfo aInfo)
+ throws TPSException, IOException {
+
+ if (certsInfo == null || aInfo == null) {
+ throw new TPSException("TPSEnrollProcessor.generateCertificates: Bad Input data!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ int keyTypeNum = getNumberCertsToEnroll();
+
+ certsInfo.setNumCertsToEnroll(keyTypeNum);
+
+ CMS.debug("TPSEnrollProcessor.generateCertificate: Number of certs to enroll: " + keyTypeNum);
+
+ for (int i = 0; i < keyTypeNum; i++) {
+ String keyType = getConfiguredKeyType(i);
+ certsInfo.setCurrentCertIndex(i);
+ generateCertificate(certsInfo, channel, aInfo, keyType);
+ }
+
+ }
+
+ private void generateCertificate(EnrolledCertsInfo certsInfo, SecureChannel channel, AppletInfo aInfo,
+ String keyType) throws TPSException, IOException {
+
+ CMS.debug("TPSEnrollProcessor.generateCertificate: entering ...");
+
+ if (certsInfo == null || aInfo == null) {
+ throw new TPSException("TPSEnrollProcessor.generateCertificate: Bad Input data!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ //get the params needed all at once
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ try {
+
+ String keyTypePrefix = TPSEngine.OP_ENROLL_PREFIX + "." + getSelectedTokenType() + ".keyGen." + keyType;
+ CMS.debug("TPSEnrollProcessor.generateCertificate: keyTypePrefix: " + keyTypePrefix);
+
+ String configName = keyTypePrefix + ".ca.profileId";
+ String profileId = configStore.getString(configName);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: profileId: " + profileId);
+
+ configName = keyTypePrefix + ".certId";
+ String certId = configStore.getString(configName, "C0");
+ CMS.debug("TPSEnrollProcessor.generateCertificate: certId: " + certId);
+
+ configName = keyTypePrefix + ".certAttrId";
+ String certAttrId = configStore.getString(configName, "c0");
+ CMS.debug("TPSEnrollProcessor.generateCertificate: certAttrId: " + certAttrId);
+
+ configName = keyTypePrefix + ".privateKeyAttrId";
+ String priKeyAttrId = configStore.getString(configName, "k0");
+ CMS.debug("TPSEnrollProcessor.generateCertificate: priKeyAttrId: " + priKeyAttrId);
+
+ configName = keyTypePrefix + ".publicKeyAttrId";
+ String publicKeyAttrId = configStore.getString(configName, "k1");
+ CMS.debug("TPSEnrollProcessor.generateCertificate: publicKeyAttrId: " + publicKeyAttrId);
+
+ configName = keyTypePrefix + ".keySize";
+ int keySize = configStore.getInteger(configName, 1024);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: keySize: " + keySize);
+
+ //Default RSA_CRT=2
+ configName = keyTypePrefix + ".alg";
+ int algorithm = configStore.getInteger(configName, 2);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: algorithm: " + algorithm);
+
+ configName = keyTypePrefix + ".publisherId";
+ String publisherId = configStore.getString(configName, "");
+ CMS.debug("TPSEnrollProcessor.generateCertificate: publisherId: " + publisherId);
+
+ configName = keyTypePrefix + ".keyUsage";
+ int keyUsage = configStore.getInteger(configName, 0);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: keyUsage: " + keyUsage);
+
+ configName = keyTypePrefix + ".keyUser";
+ int keyUser = configStore.getInteger(configName, 0);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: keyUser: " + keyUser);
+
+ configName = keyTypePrefix + ".privateKeyNumber";
+ int priKeyNumber = configStore.getInteger(configName, 0);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: privateKeyNumber: " + priKeyNumber);
+
+ configName = keyTypePrefix + ".publicKeyNumber";
+ int pubKeyNumber = configStore.getInteger(configName, 0);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: pubKeyNumber: " + pubKeyNumber);
+
+ // get key capabilites to determine if the key type is SIGNING,
+ // ENCRYPTION, or SIGNING_AND_ENCRYPTION
+
+ configName = keyTypePrefix + ".private.keyCapabilities.sign";
+ boolean isSigning = configStore.getBoolean(configName);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: isSigning: " + isSigning);
+
+ configName = keyTypePrefix + ".public.keyCapabilities.encrypt";
+ CMS.debug("TPSEnrollProcessor.generateCertificate: encrypt config name: " + configName);
+ boolean isEncrypt = configStore.getBoolean(configName);
+ CMS.debug("TPSEnrollProcessor.generateCertificate: isEncrypt: " + isEncrypt);
+
+ TokenKeyType keyTypeEnum;
+
+ if (isSigning && isEncrypt) {
+ keyTypeEnum = TokenKeyType.KEY_TYPE_SIGNING_AND_ENCRYPTION;
+ } else if (isSigning) {
+ keyTypeEnum = TokenKeyType.KEY_TYPE_SIGNING;
+ } else if (isEncrypt) {
+ keyTypeEnum = TokenKeyType.KEY_TYPE_ENCRYPTION;
+ } else {
+ CMS.debug("TPSEnrollProcessor.generateCertificate: Illegal toke key type!");
+ throw new TPSException("TPSEnrollProcessor.generateCertificate: Illegal toke key type!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("TPSEnrollProcessor.generateCertificate: keyTypeEnum value: " + keyTypeEnum);
+
+ CertEnrollInfo cEnrollInfo = new CertEnrollInfo();
+
+ cEnrollInfo.setKeyTypeEnum(keyTypeEnum);
+ cEnrollInfo.setProfileId(profileId);
+ cEnrollInfo.setCertId(certId);
+ cEnrollInfo.setCertAttrId(certAttrId);
+ cEnrollInfo.setPrivateKeyAttrId(priKeyAttrId);
+ cEnrollInfo.setPublicKeyAttrId(publicKeyAttrId);
+ cEnrollInfo.setKeySize(keySize);
+ cEnrollInfo.setAlgorithm(algorithm);
+ cEnrollInfo.setPublisherId(publisherId);
+ cEnrollInfo.setKeyUsage(keyUsage);
+ cEnrollInfo.setKeyUser(keyUser);
+ cEnrollInfo.setPrivateKeyNumber(priKeyNumber);
+ cEnrollInfo.setPublicKeyNumber(pubKeyNumber);
+ cEnrollInfo.setKeyType(keyType);
+ cEnrollInfo.setKeyTypePrefix(keyTypePrefix);
+
+ int certsStartProgress = cEnrollInfo.getStartProgressValue();
+ int certsEndProgress = cEnrollInfo.getEndProgressValue();
+ int currentCertIndex = certsInfo.getCurrentCertIndex();
+ int totalNumCerts = certsInfo.getNumCertsToEnroll();
+
+ int progressBlock = (certsEndProgress - certsStartProgress) / totalNumCerts;
+
+ int startCertProgValue = certsStartProgress + currentCertIndex * progressBlock;
+
+ int endCertProgValue = startCertProgValue + progressBlock;
+
+ cEnrollInfo.setStartProgressValue(startCertProgValue);
+ cEnrollInfo.setEndProgressValue(endCertProgValue);
+
+ enrollOneCertificate(certsInfo, cEnrollInfo, aInfo, channel);
+
+ } catch (EBaseException e) {
+
+ throw new TPSException(
+ "TPSEnrollProcessor.generateCertificate: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ }
+
+ private void enrollOneCertificate(EnrolledCertsInfo certsInfo, CertEnrollInfo cEnrollInfo, AppletInfo aInfo,
+ SecureChannel channel) throws TPSException, IOException {
+
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate: entering ...");
+
+ if (certsInfo == null || aInfo == null || cEnrollInfo == null) {
+ throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: Bad Input data!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ statusUpdate(cEnrollInfo.getStartProgressValue(), "PROGRESS_KEY_GENERATION");
+ boolean serverSideKeyGen = checkForServerSideKeyGen(cEnrollInfo);
+ boolean objectOverwrite = checkForObjectOverwrite(cEnrollInfo);
+
+ PKCS11Obj pkcs11obj = certsInfo.getPKCS11Obj();
+
+ int keyAlg = cEnrollInfo.getAlgorithm();
+
+ boolean isECC = getTPSEngine().isAlgorithmECC(keyAlg);
+
+ if (objectOverwrite) {
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate: We are configured to overwrite existing cert objects.");
+
+ } else {
+
+ boolean certIdExists = pkcs11obj.doesCertIdExist(cEnrollInfo.getCertId());
+
+ //Bomb out if cert exists, we ca't overwrite
+
+ if (certIdExists) {
+ throw new TPSException(
+ "TPSEnrollProcessor.enrollOneCertificate: Overwrite of certificates not allowed!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ }
+
+ if (serverSideKeyGen) {
+ //Handle server side keyGen
+
+ } else {
+ //Handle token side keyGen
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate: about to generate the keys on the token.");
+
+ int algorithm = 0x80;
+
+ if (certsInfo.getKeyCheck() != null) {
+ algorithm = 0x81;
+ }
+
+ if (isECC) {
+ algorithm = keyAlg;
+ }
+
+ int pe1 = (cEnrollInfo.getKeyUser() << 4) + cEnrollInfo.getPrivateKeyNumber();
+ int pe2 = (cEnrollInfo.getKeyUsage() << 4) + cEnrollInfo.getPublicKeyNumber();
+
+ int size = channel.startEnrollment(pe1, pe2, certsInfo.getWrappedChallenge(), certsInfo.getKeyCheck(),
+ algorithm, cEnrollInfo.getKeySize(), 0x0);
+
+ byte[] iobytes = { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff };
+ TPSBuffer iobuf = new TPSBuffer(iobytes);
+
+ TPSBuffer public_key = channel.readObject(iobuf, 0, size);
+
+ parsePublicKeyInfo(public_key);
+
+ //ToDo: Finish the rest of this
+
+ }
+
+ statusUpdate(cEnrollInfo.getEndProgressValue(), "PROGRESS_ENROLL_CERT");
+
+ }
+
+ //We don't know what to return for this as of yet, make it void for now.
+ private void parsePublicKeyInfo(TPSBuffer public_key) throws TPSException {
+
+ if (public_key == null) {
+ throw new TPSException("TPSEnrollProcessor.parsePublicKeyBlob: Bad input data!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate: public key returned from token: "
+ + public_key.toHexString());
+
+ TPSBuffer pKeyBlob = public_key.substr(2);
+ //Check for bad blob here:
+
+ if (pKeyBlob == null) {
+ throw new TPSException("TPSEnrollProcessor.parsePublicKeyBlob: Bad input data!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ //ToDo: finish this
+ }
+
+ private boolean checkForServerSideKeyGen(CertEnrollInfo cInfo) throws TPSException {
+
+ if (cInfo == null) {
+ throw new TPSException("TPSEnrollProcessor.checkForServerSideKeyGen: invalid cert info.",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+ IConfigStore configStore = CMS.getConfigStore();
+ boolean serverSideKeygen = false;
+
+ try {
+ String configValue = cInfo.getKeyTypePrefix() + "." + TPSEngine.CFG_SERVER_KEYGEN_ENABLE;
+ CMS.debug("TPSEnrollProcessor.checkForServerSideKeyGen: config: " + configValue);
+ serverSideKeygen = configStore.getBoolean(
+ configValue, false);
+
+ } catch (EBaseException e) {
+ throw new TPSException(
+ "TPSEnrollProcessor.checkForServerSideKeyGen: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("TPSProcess.checkForServerSideKeyGen: returning: " + serverSideKeygen);
+
+ return serverSideKeygen;
+
+ }
+
+ private boolean checkForObjectOverwrite(CertEnrollInfo cInfo) throws TPSException {
+
+ if (cInfo == null) {
+ throw new TPSException("TPSEnrollProcessor.checkForObjectOverwrite: invalid cert info.",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+ IConfigStore configStore = CMS.getConfigStore();
+ boolean objectOverwrite = false;
+
+ try {
+ String configValue = TPSEngine.OP_ENROLL_PREFIX + "." + getSelectedTokenType() + ".keyGen."
+ + cInfo.getKeyType() + "." + TPSEngine.CFG_OVERWRITE;
+
+ CMS.debug("TPSProcess.checkForObjectOverwrite: config: " + configValue);
+ objectOverwrite = configStore.getBoolean(
+ configValue, true);
+
+ } catch (EBaseException e) {
+ throw new TPSException(
+ "TPSEnrollProcessor.checkForServerSideKeyGen: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("TPSProcess.checkForObjectOverwrite: returning: " + objectOverwrite);
+
+ return objectOverwrite;
+
+ }
+
+ private String getConfiguredKeyType(int keyTypeIndex) throws TPSException {
+
+ IConfigStore configStore = CMS.getConfigStore();
+ String keyType = null;
+
+ try {
+ String configValue = TPSEngine.OP_ENROLL_PREFIX + "." + selectedTokenType + "."
+ + TPSEngine.CFG_KEYGEN_KEYTYPE_VALUE + "." + keyTypeIndex;
+ keyType = configStore.getString(
+ configValue, null);
+
+ } catch (EBaseException e) {
+ throw new TPSException(
+ "TPSEnrollProcessor.getConfiguredKeyType: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ //We would really like one of these to exist
+
+ if (keyType == null) {
+ throw new TPSException(
+ "TPSEnrollProcessor.getConfiguredKeyType: Internal error finding config value: ",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ CMS.debug("TPSProcess.getConfiguredKeyType: returning: " + keyType);
+
+ return keyType;
+
+ }
+
+ protected int getNumberCertsToEnroll() throws TPSException {
+
+ IConfigStore configStore = CMS.getConfigStore();
+ int keyTypeNum = 0;
+ try {
+ String configValue = TPSEngine.OP_ENROLL_PREFIX + "." + selectedTokenType + "."
+ + TPSEngine.CFG_KEYGEN_KEYTYPE_NUM;
+ keyTypeNum = configStore.getInteger(
+ configValue, 0);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSEnrollProcessor.getNumberCertsToEnroll: Internal error finding config value: "
+ + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ if (keyTypeNum == 0) {
+ throw new TPSException(
+ "TPSEnrollProcessor.getNumberCertsToEnroll: invalid number of certificates configured!",
+ TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+ }
+ CMS.debug("TPSProcess.getNumberCertsToEnroll: returning: " + keyTypeNum);
+
+ return keyTypeNum;
+ }
+
+ public static void main(String[] args) {
+ }
+
+}
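Review bot: In getCurrentObjectsOnToken the object length read from the token is used without validation: `objects.substr(0, 4)` and `substr(4, 4)` assume the listObjects reply is at least 8 bytes, and `objectLenVal` is cast to int and handed straight to channel.readObject, so a malformed or hostile token can supply a negative or huge length. Add a guard before the cast, e.g. `if (objects.size() < 8 || objectLenVal < 0 || objectLenVal > MAX_TOKEN_OBJECT_LEN) throw new TPSException("TPSEnrollProcessor.getCurrentObjectsOnToken: bad object length from token", TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);` where MAX_TOKEN_OBJECT_LEN is a constant you define for the largest object the token format allows. Two smaller items: the catch in checkForObjectOverwrite reports "checkForServerSideKeyGen" in its message (copy-paste), and enroll() calls `checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX)` while the rest of the enroll path uses OP_ENROLL_PREFIX — if that is not deliberate, it should be the enroll prefix.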
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 4efb2fb52..df312d1ed 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -33,6 +33,7 @@ import org.dogtagpki.server.tps.authentication.TPSAuthenticator;
import org.dogtagpki.server.tps.channel.SecureChannel;
import org.dogtagpki.server.tps.cms.TKSComputeRandomDataResponse;
import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse;
+import org.dogtagpki.server.tps.cms.TKSEncryptDataResponse;
import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler;
import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.server.tps.profile.BaseTokenProfileResolver;
@@ -44,19 +45,20 @@ import org.dogtagpki.tps.apdu.GetDataAPDU;
import org.dogtagpki.tps.apdu.GetStatusAPDU;
import org.dogtagpki.tps.apdu.GetVersionAPDU;
import org.dogtagpki.tps.apdu.InitializeUpdateAPDU;
+import org.dogtagpki.tps.apdu.ListObjectsAPDU;
import org.dogtagpki.tps.apdu.SelectAPDU;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.TPSException;
-import org.dogtagpki.tps.msg.BeginOp;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
-import org.dogtagpki.tps.msg.ExtendedLoginRequest;
-import org.dogtagpki.tps.msg.ExtendedLoginResponse;
-import org.dogtagpki.tps.msg.LoginRequest;
-import org.dogtagpki.tps.msg.LoginResponse;
-import org.dogtagpki.tps.msg.StatusUpdateRequest;
+import org.dogtagpki.tps.msg.BeginOpMsg;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
+import org.dogtagpki.tps.msg.ExtendedLoginRequestMsg;
+import org.dogtagpki.tps.msg.ExtendedLoginResponseMsg;
+import org.dogtagpki.tps.msg.LoginRequestMsg;
+import org.dogtagpki.tps.msg.LoginResponseMsg;
+import org.dogtagpki.tps.msg.StatusUpdateRequestMsg;
import org.dogtagpki.tps.msg.TPSMessage;
-import org.dogtagpki.tps.msg.TokenPDURequest;
-import org.dogtagpki.tps.msg.TokenPDUResponse;
+import org.dogtagpki.tps.msg.TokenPDURequestMsg;
+import org.dogtagpki.tps.msg.TokenPDUResponseMsg;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.pkcs11.PK11SymKey;
@@ -85,15 +87,15 @@ public class TPSProcessor {
public static final int CARD_CHALLENGE_OFFSET = 12;
public static final int CARD_CHALLENGE_SIZE = 8;
- private boolean isExternalReg;
+ protected boolean isExternalReg;
- private TPSSession session;
- private String selectedTokenType;
+ protected TPSSession session;
+ protected String selectedTokenType;
- private String currentTokenOperation;
- private String userid;
+ protected String userid;
+ protected String currentTokenOperation;
- private BeginOp beginMsg;
+ protected BeginOpMsg beginMsg;
public TPSProcessor(TPSSession session) {
setSession(session);
@@ -114,11 +116,11 @@ public class TPSProcessor {
return session;
}
- protected void setBeginMessage(BeginOp msg) {
+ protected void setBeginMessage(BeginOpMsg msg) {
beginMsg = msg;
}
- public BeginOp getBeginMessage() {
+ public BeginOpMsg getBeginMessage() {
return beginMsg;
}
@@ -223,7 +225,7 @@ public class TPSProcessor {
throw new TPSException("TPSProcessor.handleAPDURequest: invalid incoming apdu!");
}
- TokenPDURequest request_msg = new TokenPDURequest(apdu);
+ TokenPDURequestMsg request_msg = new TokenPDURequestMsg(apdu);
try {
session.write(request_msg);
@@ -233,10 +235,10 @@ public class TPSProcessor {
}
- TokenPDUResponse response_msg = null;
+ TokenPDUResponseMsg response_msg = null;
try {
- response_msg = (TokenPDUResponse) session.read();
+ response_msg = (TokenPDUResponseMsg) session.read();
} catch (IOException e) {
CMS.debug("TPS_Processor.HandleAPDURequest failed ReadMsg: " + e.toString());
throw e;
@@ -295,6 +297,31 @@ public class TPSProcessor {
}
+ protected TPSBuffer encryptData(AppletInfo appletInfo, TPSBuffer keyInfo, TPSBuffer plaintextChallenge,
+ String connId) throws TPSException {
+
+ TKSRemoteRequestHandler tks = null;
+
+ TKSEncryptDataResponse data = null;
+
+ try {
+ tks = new TKSRemoteRequestHandler(connId);
+ data = tks.encryptData(appletInfo.getCUID(), keyInfo, plaintextChallenge);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.encryptData: Erorr getting wrapped data from TKS!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ int status = data.getStatus();
+
+ if (status != 0) {
+ throw new TPSException("TPSProcessor.computeRandomData: Erorr getting wrapped data from TKS!",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+
+ return data.getEncryptedData();
+ }
+
TPSBuffer computeRandomData(int dataSize, String connId) throws TPSException {
TKSRemoteRequestHandler tks = null;
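Review bot: The status-check failure message in encryptData names the wrong method (`TPSProcessor.computeRandomData`) and both messages misspell "Error"; change the second throw to `throw new TPSException("TPSProcessor.encryptData: Error getting wrapped data from TKS!", TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);` and fix the first message likewise. The caught EBaseException is discarded, so the TKS-side reason is lost from the thrown exception; if TPSException has no cause constructor, at least `CMS.debug` it before rethrowing, as the other catch blocks in this file do. The two failure paths report different statuses (STATUS_ERROR_SECURE_CHANNEL vs STATUS_ERROR_MAC_ENROLL_PDU) for the same operation; that may be intentional but deserves a one-line comment. computeRandomData begins on the last line of this hunk and continues outside it.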
@@ -459,10 +486,9 @@ public class TPSProcessor {
//ToDo handle server side keygen.
}
-
channel = new SecureChannel(this, sessionKey, encSessionKey, drmDesKey,
kekDesKey, keyCheck, keyDiversificationData, cardChallenge,
- cardCryptogram, hostChallenge, hostCryptogram);
+ cardCryptogram, hostChallenge, hostCryptogram, keyInfoData);
return channel;
}
@@ -471,37 +497,20 @@ public class TPSProcessor {
Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException,
TPSException {
- String NetKeyAID = null;
- String NetKeyPAID = null;
- String CardMgrAID = null;
-
- IConfigStore configStore = CMS.getConfigStore();
-
- try {
- //These defaults are well known, it is safe to use them.
-
- NetKeyAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_INSTANCE_AID,
- TPSEngine.CFG_DEF_NETKEY_INSTANCE_AID);
- CMS.debug("In TPS_Processor.upgradeApplet. CardManagerAID: " + " NetKeyAID: " + NetKeyAID);
- NetKeyPAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_FILE_AID, TPSEngine.CFG_DEF_NETKEY_FILE_AID);
- CardMgrAID = configStore.getString(TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID,
- TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID);
-
- } catch (EBaseException e1) {
- CMS.debug("TPS_Processor.upgradeApplet: Internal Error obtaining mandatory config values. Error: " + e1);
- throw new TPSException("TPS error getting config values from config store.",
- TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
- }
+ TPSBuffer netkeyAIDBuff = null;
+ TPSBuffer cardMgrAIDBuff = null;
+ TPSBuffer netkeyPAIDBuff = null;
- TPSBuffer netkeyAIDBuff = new TPSBuffer(NetKeyAID);
- TPSBuffer netkeyPAIDBuff = new TPSBuffer(NetKeyPAID);
- TPSBuffer cardMgrAIDBuff = new TPSBuffer(CardMgrAID);
+ netkeyAIDBuff = getNetkeyAID();
+ netkeyPAIDBuff = getNetkeyPAID();
+ cardMgrAIDBuff = getCardManagerAID();
int channelBlockSize = getChannelBlockSize();
int channelInstanceSize = getChannelInstanceSize();
int channelAppletMemSize = getAppletMemorySize();
int defKeyVersion = getChannelDefKeyVersion();
int defKeyIndex = getChannelDefKeyIndex();
+
byte[] appletData = null;
String directory = getAppletDirectory(operation);
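Review bot: upgradeApplet now obtains the three AIDs through getNetkeyAID(), getNetkeyPAID() and getCardManagerAID(), which (as added later in this diff) throw a TPSException with no status, whereas the removed block threw with `TPSStatus.STATUS_ERROR_UPGRADE_APPLET`; a config failure on this path will therefore report a different status to the client than before. Either pass a status from the helpers or catch and rethrow here, e.g. `throw new TPSException(e.getMessage(), TPSStatus.STATUS_ERROR_UPGRADE_APPLET);`. The three `= null` declarations followed by assignment can be plain initializers (`TPSBuffer netkeyAIDBuff = getNetkeyAID();`). The method continues outside the hunk.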
@@ -614,7 +623,7 @@ public class TPSProcessor {
* @param tokenType the profile name
* @param userCred IAuthCredentials obtained from a successful requestUserId call
* @return IAuthToken information relating to the performed authentication
- * -- plugin-specific
+ * -- plugin-specific
*/
public IAuthToken authenticateUser(
String op,
@@ -679,14 +688,14 @@ public class TPSProcessor {
String title = auth.getUiTitle(locale);
if (title.isEmpty())
title = auth.getUiTitle("en");
- // description
+ // description
String description = auth.getUiDescription(locale);
if (description.isEmpty())
description = auth.getUiTitle("en");
// parameters
HashMap<String, AuthUIParameter> authParamSet = auth.getUiParamSet();
Set<String> params = new HashSet<String>();
- for (Map.Entry<String, AuthUIParameter> entry: authParamSet.entrySet()) {
+ for (Map.Entry<String, AuthUIParameter> entry : authParamSet.entrySet()) {
params.add(auth.getUiParam(entry.getKey()).toString(locale));
CMS.debug("TPSProcessor.requestUserId: for extendedLoginRequest, added param: " +
auth.getUiParam(entry.getKey()).toString(locale));
@@ -752,8 +761,8 @@ public class TPSProcessor {
throw new EBaseException(
"TPSProcessor.requestExtendedLogin: missing parameter(s): parameters, title, description, or auth");
}
- ExtendedLoginRequest loginReq =
- new ExtendedLoginRequest(invalidPW, blocked, parameters, title, description);
+ ExtendedLoginRequestMsg loginReq =
+ new ExtendedLoginRequestMsg(invalidPW, blocked, parameters, title, description);
try {
session.write(loginReq);
@@ -763,9 +772,9 @@ public class TPSProcessor {
}
CMS.debug("TPSProcessor.requestExtendedLogin: extendedLoginRequest sent");
- ExtendedLoginResponse loginResp = null;
+ ExtendedLoginResponseMsg loginResp = null;
try {
- loginResp = (ExtendedLoginResponse) session.read();
+ loginResp = (ExtendedLoginResponseMsg) session.read();
} catch (IOException e) {
CMS.debug("TPSProcessor.requestExtendedLogin failed ReadMsg: " + e.toString());
throw e;
@@ -789,7 +798,7 @@ public class TPSProcessor {
throw new EBaseException(
"TPSProcessor.requestLogin: missing parameter(s): parameters, title, description, or auth");
}
- LoginRequest loginReq = new LoginRequest(invalidPW, blocked);
+ LoginRequestMsg loginReq = new LoginRequestMsg(invalidPW, blocked);
try {
session.write(loginReq);
@@ -799,9 +808,9 @@ public class TPSProcessor {
}
CMS.debug("TPSProcessor.requestLogin: loginRequest sent");
- LoginResponse loginResp = null;
+ LoginResponseMsg loginResp = null;
try {
- loginResp = (LoginResponse) session.read();
+ loginResp = (LoginResponseMsg) session.read();
} catch (IOException e) {
CMS.debug("TPSProcessor.requestLogin failed ReadMsg: " + e.toString());
throw e;
@@ -811,88 +820,31 @@ public class TPSProcessor {
return login;
}
- protected void format() throws TPSException, IOException {
-
- IConfigStore configStore = CMS.getConfigStore();
+ protected void format(boolean skipAuth) throws TPSException, IOException {
- String CardManagerAID = null;
- String NetKeyAID = null;
String appletVersion = null;
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
TPSEngine engine = tps.getEngine();
- String External_Reg_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + "enable";
boolean isExternalReg = false;
- String resolverInstName = "";
-
- setCurrentTokenOperation("format");
-
- try {
- //These defaults are well known, it is safe to use them.
- CardManagerAID = configStore.getString(TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID,
- TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID);
- NetKeyAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_INSTANCE_AID,
- TPSEngine.CFG_DEF_NETKEY_INSTANCE_AID);
- CMS.debug("In TPS_Processor.Format. CardManagerAID: " + CardManagerAID + " NetKeyAID: " + NetKeyAID);
- this.isExternalReg = configStore.getBoolean(External_Reg_Cfg, false);
- CMS.debug("In TPSProcessor.format isExternalReg: " + isExternalReg);
- resolverInstName = configStore.getString(TPSEngine.OP_FORMAT_PREFIX+
- "."+ TPSEngine.CFG_PROFILE_RESOLVER, TPSEngine.CFG_DEF_FORMAT_PROFILE_RESOLVER);
- } catch (EBaseException e1) {
- CMS.debug("TPS_Processor.Format: Internal Error obtaining mandatory config values. Error: " + e1);
- throw new TPSException("TPS error getting config values from config store.",
- TPSStatus.STATUS_ERROR_MISCONFIGURATION);
- }
-
- TPSBuffer aidBuf = new TPSBuffer(CardManagerAID);
-
- APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, aidBuf);
-
- if (!select.checkResult()) {
- throw new TPSException("TPSProcessor.format: Can't selelect the card manager!");
- }
-
- TPSBuffer cplc_data = getCplcData();
- CMS.debug("cplc_data: " + cplc_data.toString());
-
- TPSBuffer token_cuid = extractTokenCUID(cplc_data);
- String cuid = token_cuid.toHexString();
-
- TPSBuffer token_msn = extractTokenMSN(cplc_data);
- String msn = token_msn.toHexString();
-
- /**
- * Checks if the netkey has the required applet version.
- */
+ AppletInfo appletInfo = getAppletInfo();
- TPSBuffer netkeyAid = new TPSBuffer(NetKeyAID);
+ String cuid = appletInfo.getCUIDString();
+ String msn = appletInfo.getMSNString();
- // We don't care if the above fails now. getStatus will determine outcome.
-
- select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAid);
+ byte major_version = appletInfo.getMajorVersion();
+ byte minor_version = appletInfo.getAppMinorVersion();
+ byte app_major_version = appletInfo.getAppMajorVersion();
+ byte app_minor_version = appletInfo.getAppMinorVersion();
- CMS.debug("TPSProcessor.format: First time select netkey applet: " + select.checkResult());
-
- TPSBuffer token_status = getStatus();
-
- byte major_version = 0x0;
- byte minor_version = 0x0;
- byte app_major_version = 0x0;
- byte app_minor_version = 0x0;
-
- CMS.debug("TPS_Processor.format: status: " + token_status.toHexString());
- if (token_status.size() >= 4) {
- major_version = token_status.at(0);
- minor_version = token_status.at(1);
- app_major_version = token_status.at(2);
- app_minor_version = token_status.at(3);
- }
CMS.debug("TPSProcessor.format: major_version " + major_version + " minor_version: " + minor_version
+ " app_major_version: " + app_major_version + " app_minor_version: " + app_minor_version);
String tokenType = "tokenType";
- IAuthCredentials userCred=
+ String resolverInstName = getResolverInstanceName();
+
+ IAuthCredentials userCred =
new com.netscape.certsrv.authentication.AuthCredentials();
if (isExternalReg) {
//ToDo, do some external Reg stuff along with authentication
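Review bot: `byte minor_version = appletInfo.getAppMinorVersion();` reads the applet minor version into the card minor version; it should be `byte minor_version = appletInfo.getMinorVersion();` (the accessor exists — getAppletInfo's debug line later in this diff calls it), otherwise resolveTokenProfile receives the wrong minor version. Separately, the kept local `boolean isExternalReg = false;` shadows the field that checkIsExternalReg() now populates, so `if (isExternalReg)` at the end of this hunk always sees false; remove the local so the field is consulted. format continues outside the hunk.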
@@ -903,18 +855,16 @@ public class TPSProcessor {
* Note: op.format.tokenProfileResolver=none indicates no resolver
* plugin used (tokenType resolved perhaps via authentication)
*/
- if (!resolverInstName.equals("none") && (selectedTokenType == null)) {
- tokenType = resolveTokenProfile(resolverInstName, cuid, msn, major_version, minor_version);
- CMS.debug("TPSProcessor.format: calculated tokenType: " + tokenType);
- } else {
- CMS.debug("TPSProcessor.format: : selectedTokenType already set: " + selectedTokenType);
- }
+
+ tokenType = resolveTokenProfile(resolverInstName, cuid, msn, major_version, minor_version);
+ CMS.debug("TPSProcessor.format: calculated tokenType: " + tokenType);
}
// isExternalReg : user already authenticated earlier
if (!isExternalReg) {
// authenticate per profile/tokenType configuration
String configName = TPSEngine.OP_FORMAT_PREFIX + "." + tokenType + ".auth.enable";
+ IConfigStore configStore = CMS.getConfigStore();
boolean isAuthRequired;
try {
CMS.debug("TPSProcessor.format: getting config: " + configName);
@@ -924,14 +874,14 @@ public class TPSProcessor {
throw new TPSException("TPS error getting config values from config store.",
TPSStatus.STATUS_ERROR_MISCONFIGURATION);
}
- if (isAuthRequired) {
+ if (isAuthRequired && ! skipAuth) {
try {
TPSAuthenticator userAuth =
getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
userCred = requestUserId("format", cuid, userAuth, beginMsg.getExtensions());
IAuthToken authToken = authenticateUser("format", userAuth, userCred);
userid = authToken.getInString("userid");
- CMS.debug("TPSProcessor.format:: auth token userid="+ userid);
+ CMS.debug("TPSProcessor.format:: auth token userid=" + userid);
} catch (Exception e) {
// all exceptions are considered login failure
CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
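Review bot: `skipAuth` disables the per-profile authentication together with the `userid` assignment inside the guarded block, but nothing documents who may pass true; a caller that passes true without having authenticated the user leaves `userid` null and formats the token unauthenticated. Add Javadoc to format(boolean) saying: `@param skipAuth true only when the caller has already authenticated the user for this operation and set userid itself; false performs the profile's configured authentication`. A debug line in the skipped case (`CMS.debug("TPSProcessor.format: authentication skipped by caller");`) would make the log show why no login happened. Also `! skipAuth` → `!skipAuth` for style. The method continues outside the hunk.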
@@ -1009,11 +959,49 @@ public class TPSProcessor {
//ToDo: Symmetric Key Changeover
// ToDo: Update Token DB
-
// ToDo: Revoke certificates
}
+ protected String getResolverInstanceName() throws TPSException {
+
+ CMS.debug("TPSProcessor.getResolverInstanceName: entering for operaiton : " + currentTokenOperation);
+ IConfigStore configStore = CMS.getConfigStore();
+ String resolverInstName = null;
+
+ String opPrefix = null;
+ String opDefault = null;
+
+ if (currentTokenOperation.equals(TPSEngine.FORMAT_OP)) {
+ opPrefix = TPSEngine.OP_FORMAT_PREFIX;
+ opDefault = TPSEngine.CFG_DEF_FORMAT_PROFILE_RESOLVER;
+
+ } else if (currentTokenOperation.equals(TPSEngine.ENROLL_OP)) {
+ opDefault = TPSEngine.CFG_DEF_ENROLL_PROFILE_RESOLVER;
+ opPrefix = TPSEngine.OP_ENROLL_PREFIX;
+ } else if (currentTokenOperation.equals(TPSEngine.PIN_RESET_OP)) {
+
+ opDefault = TPSEngine.CFG_DEF_PIN_RESET_PROFILE_RESOLVER;
+ opPrefix = TPSEngine.OP_PIN_RESET_PREFIX;
+ }
+
+ String config = opPrefix +
+ "." + TPSEngine.CFG_PROFILE_RESOLVER;
+
+ CMS.debug("TPSProcessor.getResolverInstanceName: config: " + config);
+ try {
+ resolverInstName = configStore.getString(config, opDefault);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getResolverInstanceName: Internal error finding config value.");
+
+ }
+
+ CMS.debug("TPSProcessor.getResolverInstanceName: returning: " + resolverInstName);
+
+ // TODO Auto-generated method stub
+ return resolverInstName;
+ }
+
/**
* @param resolverInstName
* @param cuid
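Review bot: getResolverInstanceName has no branch for an operation other than format, enroll or pin reset; with opPrefix and opDefault both null it looks up the key `null.<resolver>` and silently returns null, and a null currentTokenOperation throws a NullPointerException on the first equals(). Add a final `} else { throw new TPSException("TPSProcessor.getResolverInstanceName: unknown operation: " + currentTokenOperation); }`. Note that process() later in this diff sets the operation with the literal "format" while this method compares against TPSEngine.FORMAT_OP — if the constant differs from the literal, format() falls into that null path. The leftover `// TODO Auto-generated method stub` should go, and the catch drops the EBaseException without logging it.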
@@ -1030,34 +1018,43 @@ public class TPSProcessor {
byte minor_version)
throws TPSException {
String tokenType;
- try {
- TokenProfileParams pParams = new TokenProfileParams();
- CMS.debug("In TPSProcessor.resolveTokenProfile : after new TokenProfileParams");
- pParams.set(TokenProfileParams.PROFILE_PARAM_MAJOR_VERSION,
- String.valueOf((int)major_version));
- pParams.set(TokenProfileParams.PROFILE_PARAM_MINOR_VERSION,
- String.valueOf((int)minor_version));
- pParams.set(TokenProfileParams.PROFILE_PARAM_CUID, cuid);
- pParams.set(TokenProfileParams.PROFILE_PARAM_MSN, msn);
- if (beginMsg.getExtensions() != null) {
- pParams.set(TokenProfileParams.PROFILE_PARAM_EXT_TOKEN_TYPE,
- beginMsg.getExtensions().get("tokenType"));
- pParams.set(TokenProfileParams.PROFILE_PARAM_EXT_TOKEN_ATR,
- beginMsg.getExtensions().get("tokenATR"));
+
+ if (!resolverInstName.equals("none") && (selectedTokenType == null)) {
+
+ try {
+ TokenProfileParams pParams = new TokenProfileParams();
+ CMS.debug("In TPSProcessor.resolveTokenProfile : after new TokenProfileParams");
+ pParams.set(TokenProfileParams.PROFILE_PARAM_MAJOR_VERSION,
+ String.valueOf(major_version));
+ pParams.set(TokenProfileParams.PROFILE_PARAM_MINOR_VERSION,
+ String.valueOf(minor_version));
+ pParams.set(TokenProfileParams.PROFILE_PARAM_CUID, cuid);
+ pParams.set(TokenProfileParams.PROFILE_PARAM_MSN, msn);
+ if (beginMsg.getExtensions() != null) {
+ pParams.set(TokenProfileParams.PROFILE_PARAM_EXT_TOKEN_TYPE,
+ beginMsg.getExtensions().get("tokenType"));
+ pParams.set(TokenProfileParams.PROFILE_PARAM_EXT_TOKEN_ATR,
+ beginMsg.getExtensions().get("tokenATR"));
+ }
+ CMS.debug("In TPSProcessor.resolveTokenProfile : after setting TokenProfileParams");
+ TPSSubsystem subsystem =
+ (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ BaseTokenProfileResolver resolverInst =
+ subsystem.getProfileResolverManager().getResolverInstance(resolverInstName);
+ tokenType = resolverInst.getTokenType(pParams);
+ CMS.debug("In TPSProcessor.resolveTokenProfile : profile resolver result: " + tokenType);
+ setSelectedTokenType(tokenType);
+ } catch (EBaseException et) {
+ CMS.debug("In TPSProcessor.resolveTokenProfile exception:" + et);
+ throw new TPSException("TPSProcessor.resolveTokenProfile failed.",
+ TPSStatus.STATUS_ERROR_DEFAULT_TOKENTYPE_NOT_FOUND);
}
- CMS.debug("In TPSProcessor.resolveTokenProfile : after setting TokenProfileParams");
- TPSSubsystem subsystem =
- (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
- BaseTokenProfileResolver resolverInst =
- subsystem.getProfileResolverManager().getResolverInstance(resolverInstName);
- tokenType = resolverInst.getTokenType(pParams);
- CMS.debug("In TPSProcessor.resolveTokenProfile : profile resolver result: "+ tokenType);
- setSelectedTokenType(tokenType);
- } catch (EBaseException et) {
- CMS.debug("In TPSProcessor.resolveTokenProfile exception:"+et);
- throw new TPSException("TPSProcessor.resolveTokenProfile failed.",
- TPSStatus.STATUS_ERROR_DEFAULT_TOKENTYPE_NOT_FOUND);
+
+ } else {
+ //Already have a token type, return it
+ tokenType = getSelectedTokenType();
}
+
return tokenType;
}
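Review bot: When resolverInstName is "none" and selectedTokenType has not been set yet, the else branch returns null via getSelectedTokenType(), and format() then builds the auth config key from it (`op.format.null.auth.enable`); the comment `//Already have a token type, return it` is only true for the second half of the condition. Consider checking the result before returning, e.g. `if (tokenType == null) throw new TPSException("TPSProcessor.resolveTokenProfile: no token type available.", TPSStatus.STATUS_ERROR_DEFAULT_TOKENTYPE_NOT_FOUND);`. `resolverInstName.equals("none")` also throws on a null argument; `"none".equals(resolverInstName)` is null-safe. The method's signature starts before this hunk.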
@@ -1133,6 +1130,27 @@ public class TPSProcessor {
}
+ //Obtain value and set class property.
+ protected void checkIsExternalReg() throws TPSException {
+
+ IConfigStore configStore = CMS.getConfigStore();
+ String External_Reg_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + "enable";
+
+ try {
+ //These defaults are well known, it is safe to use them.
+
+ CMS.debug("In TPS_Processor.checkIsExternalReg.");
+
+ this.isExternalReg = configStore.getBoolean(External_Reg_Cfg, false);
+ CMS.debug("In TPS_Processor.checkIsExternalReg. isExternalReg: " + isExternalReg);
+ } catch (EBaseException e1) {
+ CMS.debug("TPS_Processor.checkIsExternalReg: Internal Error obtaining mandatory config values. Error: "
+ + e1);
+ throw new TPSException("TPS error getting config values from config store.");
+ }
+
+ }
+
boolean checkServerSideKeyGen(String connId) throws TPSException {
boolean result;
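Review bot: checkIsExternalReg throws a TPSException without a status, while the code it was lifted from (the removed block in format) used `TPSStatus.STATUS_ERROR_MISCONFIGURATION`; use `throw new TPSException("TPS error getting config values from config store.", TPSStatus.STATUS_ERROR_MISCONFIGURATION);` to keep the client-visible status. The comment `//These defaults are well known, it is safe to use them.` refers to AID defaults that are no longer in this method and should be dropped, and `External_Reg_Cfg` would be `externalRegCfg` under the file's naming.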
@@ -1168,6 +1186,26 @@ public class TPSProcessor {
}
+ boolean checkForAppletUpdateEnabled() throws TPSException {
+ boolean enabled = false;
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String appletUpdate = currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_UPDATE_APPLET_ENABLE;
+
+ try {
+ enabled = configStore.getBoolean(appletUpdate, false);
+ } catch (EBaseException e) {
+ throw new TPSException(
+ "TPSProcessor.checkForAppleUpdateEnabled: Can't find applet Update Enable. Internal error obtaining value.",
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ return enabled;
+ }
+
protected String checkForAppletUpgrade(String operation) throws TPSException {
String requiredVersion = null;
IConfigStore configStore = CMS.getConfigStore();
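Review bot: The config key built in checkForAppletUpdateEnabled (`currentTokenOperation + "." + selectedTokenType + "." + CFG_UPDATE_APPLET_ENABLE`) has no `op.` prefix, while checkSymmetricKeysEnabled later in this diff prefixes the same pattern with `"op" + "."` and format() uses `TPSEngine.OP_FORMAT_PREFIX` for the auth key; unless the applet-update keys really live at the top level, this lookup will always hit the false default. Use the same prefix as the sibling checks, e.g. `String appletUpdate = "op." + currentTokenOperation + "." + selectedTokenType + "." + TPSEngine.CFG_UPDATE_APPLET_ENABLE;`. The exception message also misspells the method name (`checkForAppleUpdateEnabled`).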
@@ -1232,6 +1270,63 @@ public class TPSProcessor {
return id;
}
+ protected TPSBuffer getNetkeyAID() throws TPSException {
+
+ String NetKeyAID = null;
+ IConfigStore configStore = CMS.getConfigStore();
+ try {
+
+ NetKeyAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_INSTANCE_AID,
+ TPSEngine.CFG_DEF_NETKEY_INSTANCE_AID);
+
+ } catch (EBaseException e1) {
+ CMS.debug("TPS_Processor.getNetkeyAID: Internal Error obtaining mandatory config values. Error: " + e1);
+ throw new TPSException("TPS error getting config values from config store.");
+ }
+
+ TPSBuffer ret = new TPSBuffer(NetKeyAID);
+
+ return ret;
+ }
+
+ protected TPSBuffer getNetkeyPAID() throws TPSException {
+
+ String NetKeyPAID = null;
+ IConfigStore configStore = CMS.getConfigStore();
+ try {
+
+ NetKeyPAID = configStore.getString(
+ TPSEngine.CFG_APPLET_NETKEY_FILE_AID, TPSEngine.CFG_DEF_NETKEY_FILE_AID);
+
+ } catch (EBaseException e1) {
+ CMS.debug("TPS_Processor.getNetkeyAID: Internal Error obtaining mandatory config values. Error: " + e1);
+ throw new TPSException("TPS error getting config values from config store.");
+ }
+
+ TPSBuffer ret = new TPSBuffer(NetKeyPAID);
+
+ return ret;
+ }
+
+ protected TPSBuffer getCardManagerAID() throws TPSException {
+
+ String cardMgrAID = null;
+ IConfigStore configStore = CMS.getConfigStore();
+ try {
+
+ cardMgrAID = configStore.getString(TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID,
+ TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID);
+
+ } catch (EBaseException e1) {
+ CMS.debug("TPS_Processor.getNetkeyAID: Internal Error obtaining mandatory config values. Error: " + e1);
+ throw new TPSException("TPS error getting config values from config store.");
+ }
+
+ TPSBuffer ret = new TPSBuffer(cardMgrAID);
+
+ return ret;
+ }
+
protected String getAppletExtension() throws TPSException {
IConfigStore configStore = CMS.getConfigStore();
String extension = null;
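Review bot: getCardManagerAID looks the value up under `TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID`, i.e. it uses the default value's constant as the config key, so a configured card manager AID is never read; the removed code in format and upgradeApplet used `TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID`. Change to `cardMgrAID = configStore.getString(TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID, TPSEngine.CFG_DEF_CARDMGR_INSTANCE_AID);`. The debug messages in getNetkeyPAID and getCardManagerAID both say `getNetkeyAID`, and none of the three passes a status to the TPSException, unlike the code they replace.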
@@ -1415,22 +1510,27 @@ public class TPSProcessor {
return isExternalReg;
}
- public void process(BeginOp beginMsg) throws TPSException, IOException {
+ public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
if (beginMsg == null) {
throw new TPSException("TPSProcessor.process: invalid input data, not beginMsg provided.",
TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
}
setBeginMessage(beginMsg);
+ setCurrentTokenOperation("format");
+ checkIsExternalReg();
- format();
+ format(false);
}
public void statusUpdate(int status, String info) throws IOException {
- CMS.debug("In statusUpdate status: " + " info: " + info);
+ if (!requiresStatusUpdate())
+ return;
- StatusUpdateRequest statusUpdate = new StatusUpdateRequest(status, info);
+ CMS.debug("In TPSProcessor.statusUpdate status: " + " info: " + info);
+
+ StatusUpdateRequestMsg statusUpdate = new StatusUpdateRequestMsg(status, info);
session.write(statusUpdate);
//We don't really care about the response, just that we get it.
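Review bot: process() sets the operation with the literal `"format"`, whereas getResolverInstanceName (earlier in this diff) dispatches on `TPSEngine.FORMAT_OP`; use `setCurrentTokenOperation(TPSEngine.FORMAT_OP);` so the two cannot drift apart. The early return in statusUpdate is unbraced (`if (!requiresStatusUpdate()) return;`) while the file braces its other single-statement ifs. statusUpdate continues outside the hunk.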
@@ -1439,7 +1539,6 @@ public class TPSProcessor {
}
-
public TPSEngine getTPSEngine() {
TPSSubsystem subsystem =
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
@@ -1454,7 +1553,7 @@ public class TPSProcessor {
boolean result = false;
// We can't get here without a begin message established.
- String update = getBeginMessage().getExtension(BeginOp.STATUS_UPDATE_EXTENSION_NAME);
+ String update = getBeginMessage().getExtension(BeginOpMsg.STATUS_UPDATE_EXTENSION_NAME);
if (update != null && update.equals("true")) {
result = true;
@@ -1464,6 +1563,123 @@ public class TPSProcessor {
}
+ protected AppletInfo getAppletInfo() throws TPSException, IOException {
+ AppletInfo result = null;
+
+ CMS.debug("TPSProcessor.getAppletInfo, entering ...");
+ TPSBuffer aidBuf = getCardManagerAID();
+
+ APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, aidBuf);
+
+ if (!select.checkResult()) {
+ throw new TPSException("TPSProcessor.getAppletInfo: Can't selelect the card manager!");
+ }
+
+ TPSBuffer cplc_data = getCplcData();
+ CMS.debug("cplc_data: " + cplc_data.toString());
+
+ TPSBuffer token_cuid = extractTokenCUID(cplc_data);
+ TPSBuffer token_msn = extractTokenMSN(cplc_data);
+
+ /**
+ * Checks if the netkey has the required applet version.
+ */
+
+ TPSBuffer netkeyAid = getNetkeyAID();
+
+ // We don't care if the above fails now. getStatus will determine outcome.
+
+ select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAid);
+
+ TPSBuffer token_status = getStatus();
+
+ byte major_version = 0x0;
+ byte minor_version = 0x0;
+ byte app_major_version = 0x0;
+ byte app_minor_version = 0x0;
+
+ CMS.debug("TPS_Processor.getAppletInfo: status: " + token_status.toHexString());
+ if (token_status.size() >= 4) {
+ major_version = token_status.at(0);
+ minor_version = token_status.at(1);
+ app_major_version = token_status.at(2);
+ app_minor_version = token_status.at(3);
+ }
+
+ result = new AppletInfo(major_version, minor_version, app_major_version, app_minor_version);
+ result.setCUID(token_cuid);
+ result.setMSN(token_msn);
+
+ CMS.debug("TPSProcessor.getAppletInfo: cuid: " + result.getCUIDString() + " msn: " + result.getMSNString()
+ + " major version: " + result.getMinorVersion() + " minor version: " + result.getMinorVersion()
+ + " App major version: " + result.getAppMajorVersion() + " App minor version: "
+ + result.getAppMinorVersion());
+
+ return result;
+ }
+
+ protected boolean checkSymmetricKeysEnabled() throws TPSException {
+ boolean result = true;
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String symmConfig = "op" + "." + currentTokenOperation + "." + selectedTokenType + "."
+ + TPSEngine.CFG_SYMM_KEY_UPGRADE_ENABLED;
+
+ try {
+ result = configStore.getBoolean(symmConfig, true);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.checkSymmetricKeysEnabled: Internal error getting config value.");
+ }
+
+ return result;
+ }
+
+ protected SecureChannel checkAndUpgradeSymKeys() throws TPSException, IOException {
+
+ SecureChannel channel = null;
+
+ if (checkSymmetricKeysEnabled()) {
+ //To be implemented later
+ throw new TPSException("TPSProcessor.checkAndUpgradeSymKeys: Key changeover not yet implemented!",
+ TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+
+ } else {
+ //Create a standard secure channel with current key set.
+ CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: Key changeover disabled in the configuration.");
+
+ int defKeyVersion = getChannelDefKeyVersion();
+ int defKeyIndex = getChannelDefKeyIndex();
+
+ channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, SecurityLevel.SECURE_MSG_MAC_ENC,
+ getTKSConnectorID());
+
+ }
+
+ return channel;
+ }
+
+ //List objects that may be on a given token
+ //Return null if object void of objects
+
+ protected TPSBuffer listObjects(byte seq) throws TPSException, IOException {
+ TPSBuffer objects = null;
+
+ ListObjectsAPDU listObjects = new ListObjectsAPDU(seq);
+
+ APDUResponse respApdu = handleAPDURequest(listObjects);
+
+ if (!respApdu.checkResult()) {
+ CMS.debug("TPSProcessor.listObjects: Bad response from ListObjects! Token possibly has no objects");
+ return null;
+ }
+
+ objects = respApdu.getData();
+
+ return objects;
+
+ }
+
public static void main(String[] args) {
}
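Review bot: The debug line in getAppletInfo prints the minor version twice — `" major version: " + result.getMinorVersion()` should be `" major version: " + result.getMajorVersion()`. In checkAndUpgradeSymKeys the `getBoolean(symmConfig, true)` default combined with the not-yet-implemented branch means an unconfigured deployment throws STATUS_ERROR_MISCONFIGURATION instead of falling through to the plain secure channel; if that default is deliberate, a comment saying so would help, otherwise default to false until changeover exists. The listObjects comment `//Return null if object void of objects` reads better as `//Returns null if the token has no objects`.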
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/MappingTokenProfileResolver.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/MappingTokenProfileResolver.java
index 91542b8f6..264fba882 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/MappingTokenProfileResolver.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/MappingTokenProfileResolver.java
@@ -1,9 +1,8 @@
package org.dogtagpki.server.tps.profile;
-import java.lang.Integer;
import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.tps.main.TPSException;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/TokenProfileParams.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/TokenProfileParams.java
index 1dda47ad8..d04bc9fb8 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/TokenProfileParams.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/profile/TokenProfileParams.java
@@ -21,9 +21,10 @@ import java.util.HashMap;
import java.util.Map;
import java.util.Set;
-import com.netscape.certsrv.apps.CMS;
import org.dogtagpki.tps.main.TPSException;
-import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
+
+import com.netscape.certsrv.apps.CMS;
/**
* A class represents profile params information.