diff options
| author | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-24 02:27:47 -0500 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-26 11:43:54 -0500 |
| commit | 621d9e5c413e561293d7484b93882d985b3fe15f (patch) | |
| tree | 638f3d75761c121d9a8fb50b52a12a6686c5ac5c /pki/base/common/src/com/netscape/cms/authentication | |
| parent | 40d3643b8d91886bf210aa27f711731c81a11e49 (diff) | |
| download | pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.gz pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.xz pki-621d9e5c413e561293d7484b93882d985b3fe15f.zip | |
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication')
17 files changed, 0 insertions, 6673 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java deleted file mode 100644 index 6a8bbcbf2..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java +++ /dev/null @@ -1,559 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.io.IOException; -import java.io.PushbackReader; -import java.io.StringReader; -import java.util.Enumeration; -import java.util.StringTokenizer; -import java.util.Vector; - -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPDN; -import netscape.ldap.LDAPEntry; -import netscape.security.util.ObjectIdentifier; -import netscape.security.x509.AVA; -import netscape.security.x509.LdapV3DNStrConverter; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.authentication.ECompSyntaxErr; - -/** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn. - * <p> - * - * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If - * empty or not set, the ldap entry DN will be used as the certificate subject name. - * <p> - * - * The syntax is - * - * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] - * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number - * </pre> - * - * <pre> - * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> - * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example2: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * <pre> - * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * followed by the second RDN in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example4: <i>CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * If an attribute or subject DN component does not exist the attribute is skipped. - * - * @version $Revision$, $Date$ - */ -class AVAPattern { - - /* the value type of the dn component */ - public static final String TYPE_ATTR = "$attr"; - public static final String TYPE_DN = "$dn"; - public static final String TYPE_RDN = "$rdn"; - public static final String TYPE_CONSTANT = "constant"; - - private static final char[] endChars = new char[] { '+', ',' }; - - private static final LdapV3DNStrConverter mLdapDNStrConverter = - new LdapV3DNStrConverter(); - - /* ldap attributes needed by this AVA (to retrieve from ldap) */ - protected String[] mLdapAttrs = null; - - /* value type */ - protected String mType = null; - - /* the attribute in the AVA pair */ - protected String mAttr = null; - - /* value - could be name of an ldap attribute or entry dn attribute. */ - protected String mValue = null; - - /* nth value of the ldap or dn attribute */ - protected int mElement = 0; - - protected String mTestDN = null; - - public AVAPattern(String component) - throws EAuthException { - if (component == null || component.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); - parse(new PushbackReader(new StringReader(component))); - } - - public AVAPattern(PushbackReader in) - throws EAuthException { - parse(in); - } - - private void parse(PushbackReader in) - throws EAuthException { - int c; - - // mark ava beginning. - - // skip spaces - //System.out.println("============ AVAPattern Begin ==========="); - //System.out.println("skip spaces"); - - try { - while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c); - ; - } - } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); - } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); - - // $rdn "." number syntax. - - if (c == '$') { - //System.out.println("$rdn syntax"); - mType = TYPE_RDN; - try { - if (in.read() != 'r' || - in.read() != 'd' || - in.read() != 'n' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Invalid $ syntax, expecting $rdn")); - } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Invalid $ syntax, expecting $rdn")); - } - - StringBuffer rdnNumberBuf = new StringBuffer(); - - try { - while ((c = in.read()) != ',' && c != -1 && c != '+') { - //System.out.println("rdnNumber read "+(char)c); - rdnNumberBuf.append((char) c); - } - if (c != -1) // either ',' or '+' - in.unread(c); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - - String rdnNumber = rdnNumberBuf.toString().trim(); - - if (rdnNumber.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "$rdn number not set in ava pattern")); - try { - mElement = Integer.parseInt(rdnNumber) - 1; - } catch (NumberFormatException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Invalid $rdn number in ava pattern")); - } - return; - } - - // name "=" ... syntax. - - // read name - //System.out.println("reading name"); - - StringBuffer attrBuf = new StringBuffer(); - - try { - while (c != '=' && c != -1 && c != ',' && c != '+') { - attrBuf.append((char) c); - c = in.read(); - //System.out.println("name read "+(char)c); - } - if (c == ',' || c == '+') - in.unread(c); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - if (c != '=') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Missing \"=\" in ava pattern")); - - // read value - //System.out.println("reading value"); - - // skip spaces - //System.out.println("skip spaces for value"); - try { - while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c); - ; - } - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "no value after = in ava pattern")); - - if (c == '$') { - // check for $dn or $attr - try { - c = in.read(); - //System.out.println("check $dn or $attr read "+(char)c); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $dn or $attr in ava pattern")); - if (c == 'a') { - try { - if (in.read() != 't' || - in.read() != 't' || - in.read() != 'r' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $attr in ava pattern")); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - mType = TYPE_ATTR; - //System.out.println("---- mtype $attr"); - } else if (c == 'd') { - try { - if (in.read() != 'n' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $dn in ava pattern")); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - mType = TYPE_DN; - //System.out.println("----- mtype $dn"); - } else { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "unknown keyword. expecting $dn or $attr.")); - } - - // get attr name of dn pattern from above. - String attrName = attrBuf.toString().trim(); - - //System.out.println("----- attrName "+attrName); - if (attrName.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "attribute name expected")); - try { - ObjectIdentifier attrOid = - mLdapDNStrConverter.parseAVAKeyword(attrName); - - mAttr = mLdapDNStrConverter.encodeOID(attrOid); - //System.out.println("----- mAttr "+mAttr); - } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); - } - - // get dn or attribute from ldap search. - StringBuffer valueBuf = new StringBuffer(); - - try { - while ((c = in.read()) != ',' && - c != -1 && c != '.' && c != '+') { - //System.out.println("mValue read "+(char)c); - valueBuf.append((char) c); - } - if (c == '+' || c == ',') // either ',' or '+' - in.unread(c); // pushback last , or + - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - - mValue = valueBuf.toString().trim(); - if (mValue.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "$dn or $attr attribute name expected")); - //System.out.println("----- mValue "+mValue); - - // get nth dn or attribute from ldap search. - if (c == '.') { - StringBuffer attrNumberBuf = new StringBuffer(); - - try { - while ((c = in.read()) != ',' && c != -1 && c != '+') { - //System.out.println("mElement read "+(char)c); - attrNumberBuf.append((char) c); - } - if (c != -1) // either ',' or '+' - in.unread(c); // pushback last , or + - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - String attrNumber = attrNumberBuf.toString().trim(); - - if (attrNumber.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "nth element $dn or $attr expected")); - try { - mElement = Integer.parseInt(attrNumber) - 1; - } catch (NumberFormatException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Invalid format in nth element $dn or $attr")); - } - } - //System.out.println("----- mElement "+mElement); - } else { - // value is constant. treat as regular ava. - mType = TYPE_CONSTANT; - //System.out.println("----- mType constant"); - // parse ava value. - StringBuffer valueBuf = new StringBuffer(); - - valueBuf.append((char) c); - try { - while ((c = in.read()) != ',' && - c != -1) { - valueBuf.append((char) c); - } - if (c == '+' || c == ',') { // either ',' or '+' - in.unread(c); // pushback last , or + - } - } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); - } - try { - AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); - - mValue = ava.toLdapDNString(); - //System.out.println("----- mValue "+mValue); - } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); - } - } - } - - public String formAVA(LDAPEntry entry) - throws EAuthException { - if (mType == TYPE_CONSTANT) - return mValue; - - if (mType == TYPE_RDN) { - String dn = entry.getDN(); - - if (mTestDN != null) - dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); - String[] rdns = LDAPDN.explodeDN(dn, false); - - if (mElement >= rdns.length) - return null; - return rdns[mElement]; - } - - if (mType == TYPE_DN) { - String dn = entry.getDN(); - - if (mTestDN != null) - dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); - String[] rdns = LDAPDN.explodeDN(dn, false); - String value = null; - int nFound = -1; - - for (int i = 0; i < rdns.length; i++) { - String[] avas = explodeRDN(rdns[i]); - - for (int j = 0; j < avas.length; j++) { - String[] exploded = explodeAVA(avas[j]); - - if (exploded[0].equalsIgnoreCase(mValue) && - ++nFound == mElement) { - value = exploded[1]; - break; - } - } - } - if (value == null) - return null; - return mAttr + "=" + value; - } - - if (mType == TYPE_ATTR) { - LDAPAttribute ldapAttr = entry.getAttribute(mValue); - - if (ldapAttr == null) - return null; - String value = null; - @SuppressWarnings("unchecked") - Enumeration<String> ldapValues = ldapAttr.getStringValues(); - - for (int i = 0; ldapValues.hasMoreElements(); i++) { - String val = (String) ldapValues.nextElement(); - - if (i == mElement) { - value = val; - break; - } - } - if (value == null) - return null; - String v = escapeLdapString(value); - - return mAttr + "=" + v; - } - - return null; - } - - private String escapeLdapString(String value) { - int len = value.length(); - char[] c = new char[len]; - char[] newc = new char[len * 2]; - - value.getChars(0, len, c, 0); - int j = 0; - - for (int i = 0; i < c.length; i++) { - // escape special characters that directory does not. - if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<' || - c[i] == '>' || c[i] == '#' || c[i] == ';')) { - if (i == 0 || c[i - 1] != '\\') { - newc[j++] = '\\'; - newc[j++] = c[i]; - } - } // escape "\" - else if (c[i] == '\\') { - int k = i + 1; - - if (i == len - 1 || - (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' || - c[k] == '>' || c[k] == '#' || c[k] == ';')) { - newc[j++] = '\\'; - newc[j++] = c[i]; - } - } // escape QUOTATION - else if (c[i] == '"') { - if ((i == 0 && c[len - 1] != '"') || - (i == len - 1 && c[0] != '"') || - (i > 0 && i < len - 1)) { - newc[j++] = '\\'; - newc[j++] = c[i]; - } - } else - newc[j++] = c[i]; - } - return new String(newc, 0, j); - } - - public String getLdapAttr() { - if (mType == TYPE_ATTR) - return mValue; - else - return null; - } - - /** - * Explode RDN into AVAs. - * Does not handle escaped '+' - * Java ldap library does not yet support multiple avas per rdn. - * If RDN is malformed returns empty array. - */ - public static String[] explodeRDN(String rdn) { - int plus = rdn.indexOf('+'); - - if (plus == -1) - return new String[] { rdn }; - Vector<String> avas = new Vector<String>(); - StringTokenizer token = new StringTokenizer(rdn, "+"); - - while (token.hasMoreTokens()) - avas.addElement(token.nextToken()); - String[] theAvas = new String[avas.size()]; - - avas.copyInto(theAvas); - return theAvas; - } - - /** - * Explode AVA into name and value. - * Does not handle escaped '=' - * If AVA is malformed empty array is returned. - */ - public static String[] explodeAVA(String ava) { - int equals = ava.indexOf('='); - - if (equals == -1) - return null; - return new String[] { - ava.substring(0, equals).trim(), ava.substring(equals + 1).trim() }; - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java deleted file mode 100644 index 65ef434a9..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java +++ /dev/null @@ -1,332 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.Enumeration; -import java.util.Locale; - -import netscape.security.x509.X509CertImpl; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authentication.ISSLClientCertProvider; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.usrgrp.Certificates; -import com.netscape.certsrv.usrgrp.EUsrGrpException; -import com.netscape.certsrv.usrgrp.ICertUserLocator; -import com.netscape.certsrv.usrgrp.IUGSubsystem; -import com.netscape.certsrv.usrgrp.IUser; - -/** - * Certificate server agent authentication. - * Maps a SSL client authenticate certificate to a user (agent) entry in the - * internal database. - * <P> - * - * @version $Revision$, $Date$ - */ -public class AgentCertAuthentication implements IAuthManager, - IProfileAuthenticator { - - /* result auth token attributes */ - public static final String TOKEN_USERDN = "user"; - public static final String TOKEN_USER_DN = "userdn"; - public static final String TOKEN_USERID = "userid"; - public static final String TOKEN_UID = "uid"; - public static final String TOKEN_GROUP = "group"; - - /* required credentials */ - public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT; - protected String[] mRequiredCreds = { CRED_CERT }; - - /* config parameters to pass to console (none) */ - protected static String[] mConfigParams = null; - - private String mName = null; - private String mImplName = null; - private IConfigStore mConfig = null; - - private IUGSubsystem mUGSub = null; - private ICertUserLocator mCULocator = null; - private ILogger mLogger = CMS.getLogger(); - - private IConfigStore mRevocationChecking = null; - private String mRequestor = null; - - public AgentCertAuthentication() { - } - - /** - * initializes the CertUserDBAuthentication auth manager - * <p> - * called by AuthSubsystem init() method, when initializing all available authentication managers. - * - * @param name The name of this authentication manager instance. - * @param implName The name of the authentication manager plugin. - * @param config The configuration store for this authentication manager. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - - mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - mCULocator = mUGSub.getCertUserLocator(); - } - - /** - * Gets the name of this authentication manager. - */ - public String getName() { - return mName; - } - - /** - * Gets the plugin name of authentication manager. - */ - public String getImplName() { - return mImplName; - } - - public boolean isSSLClientRequired() { - return true; - } - - /** - * authenticates user(agent) by certificate - * <p> - * called by other subsystems or their servlets to authenticate users (agents) - * - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) - * @return the authentication token that contains the following - * - * @exception EMissingCredential If a required credential for this - * authentication manager is missing. - * @exception EInvalidCredentials If credentials cannot be authenticated. - * @exception EBaseException If an internal error occurred. - * @see com.netscape.certsrv.authentication.AuthToken - * @see com.netscape.certsrv.usrgrp.Certificates - */ - public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - - CMS.debug("AgentCertAuthentication: start"); - CMS.debug("authenticator instance name is " + getName()); - - // force SSL handshake - SessionContext context = SessionContext.getExistingContext(); - ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); - - if (provider == null) { - CMS.debug("AgentCertAuthentication: No SSL Client Cert Provider Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - CMS.debug("AgentCertAuthenticator: got provider"); - CMS.debug("AgentCertAuthenticator: retrieving client certificate"); - X509Certificate[] allCerts = provider.getClientCertificateChain(); - - if (allCerts == null) { - CMS.debug("AgentCertAuthentication: No SSL Client Certs Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - CMS.debug("AgentCertAuthenticator: got certificates"); - - // retreive certificate from socket - AuthToken authToken = new AuthToken(this); - X509Certificate[] x509Certs = allCerts; - - // default certificate default has bugs in version - // version(3) is returned as 3, which should be 2 - X509CertImpl ci[] = new X509CertImpl[x509Certs.length]; - - try { - for (int i = 0; i < x509Certs.length; i++) { - ci[i] = new X509CertImpl(x509Certs[i].getEncoded()); - } - } catch (CertificateException e) { - CMS.debug(e.toString()); - } - - // check if certificate(s) is revoked - boolean checkRevocation = true; - try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); - } catch (EBaseException e) { - // do nothing; default to true - } - if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("AgentCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } - - // map cert to user - IUser user = null; - Certificates certs = new Certificates(ci); - - try { - user = (IUser) mCULocator.locateUser(certs); - } catch (EUsrGrpException e) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } catch (netscape.ldap.LDAPException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - e.toString())); - } - - // any unexpected error occurs like internal db down, - // UGSubsystem only returns null for user. - if (user == null) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // get group name from configuration file - IConfigStore sconfig = CMS.getConfigStore(); - String groupname = ""; - try { - groupname = sconfig.getString("auths.instance." + getName() + ".agentGroup", - ""); - } catch (EBaseException ee) { - } - - if (!groupname.equals("")) { - CMS.debug("check if " + user.getUserID() + " is in group " + groupname); - IUGSubsystem uggroup = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - if (!uggroup.isMemberOf(user, groupname)) { - CMS.debug(user.getUserID() + " is not in this group " + groupname); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); - } - } - authToken.set(TOKEN_USERDN, user.getUserDN()); - authToken.set(TOKEN_USER_DN, user.getUserDN()); - authToken.set(TOKEN_USERID, user.getUserID()); - authToken.set(TOKEN_UID, user.getUserID()); - authToken.set(TOKEN_GROUP, groupname); - authToken.set(CRED_CERT, certs); - - CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN()); - - return authToken; - } - - /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) - * - * @return attribute names in Vector - */ - public String[] getRequiredCreds() { - return (mRequiredCreds); - } - - /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * prepare this authentication manager for shutdown. - */ - public void shutdown() { - } - - /** - * gets the configuretion substore used by this authentication - * manager - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - return null; - } - - public boolean isValueWriteable(String name) { - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java deleted file mode 100644 index 06d4eaa0f..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java +++ /dev/null @@ -1,1038 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -// package statement // -/////////////////////// - -package com.netscape.cms.authentication; - -/////////////////////// -// import statements // -/////////////////////// - -/* cert server imports */ -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.math.BigInteger; -import java.security.MessageDigest; -import java.security.PublicKey; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Locale; -import java.util.Vector; - -import netscape.security.pkcs.PKCS10; -import netscape.security.x509.X500Name; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509CertInfo; -import netscape.security.x509.X509Key; - -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.asn1.ASN1Util; -import org.mozilla.jss.asn1.INTEGER; -import org.mozilla.jss.asn1.InvalidBERException; -import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; -import org.mozilla.jss.asn1.OCTET_STRING; -import org.mozilla.jss.asn1.SEQUENCE; -import org.mozilla.jss.asn1.SET; -import org.mozilla.jss.crypto.DigestAlgorithm; -import org.mozilla.jss.crypto.PrivateKey; -import org.mozilla.jss.pkcs10.CertificationRequest; -import org.mozilla.jss.pkcs11.PK11PubKey; -import org.mozilla.jss.pkix.cert.Certificate; -import org.mozilla.jss.pkix.cert.CertificateInfo; -import org.mozilla.jss.pkix.cmc.PKIData; -import org.mozilla.jss.pkix.cmc.TaggedAttribute; -import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; -import org.mozilla.jss.pkix.cmc.TaggedRequest; -import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; -import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber; -import org.mozilla.jss.pkix.cms.SignedData; -import org.mozilla.jss.pkix.cms.SignerIdentifier; -import org.mozilla.jss.pkix.crmf.CertReqMsg; -import org.mozilla.jss.pkix.crmf.CertRequest; -import org.mozilla.jss.pkix.crmf.CertTemplate; -import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; -import org.mozilla.jss.pkix.primitive.Name; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthSubsystem; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.Descriptor; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; -import com.netscape.cmsutil.util.Utils; - -//import com.netscape.cmscore.util.*; -////////////////////// -// class definition // -////////////////////// - -/** - * UID/CMC authentication plug-in - * <P> - * - * @version $Revision$, $Date$ - */ -public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - IProfileAuthenticator { - - //////////////////////// - // default parameters // - //////////////////////// - - ///////////////////////////// - // IAuthManager parameters // - ///////////////////////////// - - /* authentication plug-in configuration store */ - private IConfigStore mConfig; - private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; - private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; - public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; - public static final String REASON_CODE = "reasonCode"; - /* authentication plug-in name */ - private String mImplName = null; - - /* authentication plug-in instance name */ - private String mName = null; - - /* authentication plug-in fields */ - - /* Holds authentication plug-in fields accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. - */ - protected static String[] mConfigParams = - new String[] {}; - - /* authentication plug-in values */ - - /* authentication plug-in properties */ - - /* required credentials to authenticate. UID and CMC are strings. */ - public static final String CRED_CMC = "cmcRequest"; - - protected static String[] mRequiredCreds = {}; - - //////////////////////////////////// - // IExtendedPluginInfo parameters // - //////////////////////////////////// - - /* Vector of extendedPluginInfo strings */ - protected static Vector<String> mExtendedPluginInfo = null; - //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; - //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; - - /* actual help messages */ - static { - mExtendedPluginInfo = new Vector<String>(); - - mExtendedPluginInfo - .add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); - } - - /////////////////////// - // Logger parameters // - /////////////////////// - - /* the system's logger */ - private ILogger mLogger = CMS.getLogger(); - - /* signed audit parameters */ - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = - "enrollment"; - private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = - "revocation"; - private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = - "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; - - ///////////////////// - // default methods // - ///////////////////// - - /** - * Default constructor, initialization must follow. - */ - public CMCAuth() { - } - - ////////////////////////// - // IAuthManager methods // - ////////////////////////// - - /** - * Initializes the CMCAuth authentication plug-in. - * <p> - * - * @param name The name for this authentication plug-in instance. - * @param implName The name of the authentication plug-in. - * @param config - The configuration store for this instance. - * @exception EBaseException If an error occurs during initialization. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - - log(ILogger.LL_INFO, "Initialization complete!"); - } - - /** - * Authenticates user by their CMC; - * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. - * <P> - * - * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY used when CMC (agent-pre-signed) cert - * requests or revocation requests are submitted and signature is verified - * </ul> - * - * @param authCred Authentication credentials, CRED_UID and CRED_CMC. - * @return an AuthToken - * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. - * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. - * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. - * @see com.netscape.certsrv.authentication.AuthToken - */ - public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, - EBaseException { - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditReqType = ILogger.UNIDENTIFIED; - String auditCertSubject = ILogger.UNIDENTIFIED; - String auditSignerInfo = ILogger.UNIDENTIFIED; - - // ensure that any low-level exceptions are reported - // to the signed audit log and stored as failures - try { - // get the CMC. - - Object argblock = (Object) (authCred.getArgBlock()); - Object returnVal = null; - if (argblock == null) { - returnVal = authCred.get("cert_request"); - if (returnVal == null) - returnVal = authCred.get(CRED_CMC); - } else { - returnVal = authCred.get("cert_request"); - if (returnVal == null) - returnVal = authCred.getArgBlock().get(CRED_CMC); - } - String cmc = (String) returnVal; - if (cmc == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - throw new EMissingCredential(CMS.getUserMessage( - "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); - } - - if (cmc.equals("")) { - log(ILogger.LL_FAILURE, - "cmc : attempted login with empty CMC."); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // authenticate by checking CMC. - - // everything OK. - // now formulate the certificate info. - // set the subject name at a minimum. - // set anything else like version, extensions, etc. - // if nothing except subject name is set the rest of - // cert info will be filled in by policies and CA defaults. - - AuthToken authToken = new AuthToken(this); - - try { - String asciiBASE64Blob; - - int startIndex = cmc.indexOf(HEADER); - int endIndex = cmc.indexOf(TRAILER); - if (startIndex != -1 && endIndex != -1) { - startIndex = startIndex + HEADER.length(); - asciiBASE64Blob = cmc.substring(startIndex, endIndex); - } else - asciiBASE64Blob = cmc; - - byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); - ByteArrayInputStream cmcBlobIn = new - ByteArrayInputStream(cmcBlob); - - org.mozilla.jss.pkix.cms.ContentInfo cmcReq = - (org.mozilla.jss.pkix.cms.ContentInfo) - org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( - cmcBlobIn); - - if (!cmcReq.getContentType().equals( - org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || - !cmcReq.hasContent()) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); - - throw new EBaseException("NO_CMC_CONTENT"); - } - - SignedData cmcFullReq = (SignedData) - cmcReq.getInterpretedContent(); - - IConfigStore cmc_config = CMS.getConfigStore(); - boolean checkSignerInfo = - cmc_config.getBoolean("cmc.signerInfo.verify", true); - String userid = "defUser"; - String uid = "defUser"; - if (checkSignerInfo) { - IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); - userid = agentToken.getInString("userid"); - uid = agentToken.getInString("cn"); - } else { - CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); - } - // reset value of auditSignerInfo - if (uid != null) { - auditSignerInfo = uid.trim(); - } - - EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - - OBJECT_IDENTIFIER id = ci.getContentType(); - - if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || - !ci.hasContent()) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - // throw new ECMSGWException( - // CMSGWResources.NO_PKIDATA); - - throw new EBaseException("NO_PKIDATA"); - } - - OCTET_STRING content = ci.getContent(); - - ByteArrayInputStream s = new - ByteArrayInputStream(content.toByteArray()); - PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - - SEQUENCE reqSequence = pkiData.getReqSequence(); - - int numReqs = reqSequence.size(); - - if (numReqs == 0) { - // revocation request - - // reset value of auditReqType - auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; - - SEQUENCE controlSequence = pkiData.getControlSequence(); - int controlSize = controlSequence.size(); - - if (controlSize > 0) { - for (int i = 0; i < controlSize; i++) { - TaggedAttribute taggedAttribute = - (TaggedAttribute) controlSequence.elementAt(i); - OBJECT_IDENTIFIER type = taggedAttribute.getType(); - - if (type.equals( - OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { - // if( i ==1 ) { - // taggedAttribute.getType() == - // OBJECT_IDENTIFIER.id_cmc_revokeRequest - // } - - SET values = taggedAttribute.getValues(); - int numVals = values.size(); - BigInteger[] bigIntArray = null; - - bigIntArray = new BigInteger[numVals]; - for (int j = 0; j < numVals; j++) { - // serialNumber INTEGER - - // SEQUENCE RevRequest = (SEQUENCE) - // values.elementAt(j); - byte[] encoded = ASN1Util.encode( - values.elementAt(j)); - org.mozilla.jss.asn1.ASN1Template template = new - org.mozilla.jss.pkix.cmmf.RevRequest.Template(); - org.mozilla.jss.pkix.cmmf.RevRequest revRequest = - (org.mozilla.jss.pkix.cmmf.RevRequest) - ASN1Util.decode(template, encoded); - - // SEQUENCE RevRequest = (SEQUENCE) - // ASN1Util.decode( - // SEQUENCE.getTemplate(), - // ASN1Util.encode( - // values.elementAt(j))); - - // SEQUENCE RevRequest = - // values.elementAt(j); - // int revReqSize = RevRequest.size(); - // if( revReqSize > 3 ) { - // INTEGER serialNumber = - // new INTEGER((long)0); - // } - - INTEGER temp = revRequest.getSerialNumber(); - - bigIntArray[j] = temp; - authToken.set(TOKEN_CERT_SERIAL, bigIntArray); - - long reasonCode = revRequest.getReason().getValue(); - Integer IntObject = Integer.valueOf((int) reasonCode); - authToken.set(REASON_CODE, IntObject); - - authToken.set("uid", uid); - authToken.set("userid", userid); - } - } - } - - } - } else { - // enrollment request - - // reset value of auditReqType - auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; - - X509CertInfo[] certInfoArray = new X509CertInfo[numReqs]; - String[] reqIdArray = new String[numReqs]; - - for (int i = 0; i < numReqs; i++) { - // decode message. - TaggedRequest taggedRequest = - (TaggedRequest) reqSequence.elementAt(i); - - TaggedRequest.Type type = taggedRequest.getType(); - - if (type.equals(TaggedRequest.PKCS10)) { - CMS.debug("CMCAuth: in PKCS10"); - TaggedCertificationRequest tcr = - taggedRequest.getTcr(); - int p10Id = tcr.getBodyPartID().intValue(); - - reqIdArray[i] = String.valueOf(p10Id); - - CertificationRequest p10 = - tcr.getCertificationRequest(); - - // transfer to sun class - ByteArrayOutputStream ostream = - new ByteArrayOutputStream(); - - p10.encode(ostream); - try { - PKCS10 pkcs10 = - new PKCS10(ostream.toByteArray()); - - // xxx do we need to do anything else? - X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); - - // fillPKCS10(certInfo,pkcs10,authToken,null); - - // authToken.set( - // pkcs10.getSubjectPublicKeyInfo()); - - X500Name tempName = pkcs10.getSubjectName(); - - // reset value of auditCertSubject - if (tempName != null) { - auditCertSubject = - tempName.toString().trim(); - if (auditCertSubject.equals("")) { - auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, - tempName.toString()); - } - - authToken.set("uid", uid); - authToken.set("userid", userid); - - certInfoArray[i] = certInfo; - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - //throw new ECMSGWException( - //CMSGWResources.ERROR_PKCS101, e.toString()); - - e.printStackTrace(); - throw new EBaseException(e.toString()); - } - } else if (type.equals(TaggedRequest.CRMF)) { - - CMS.debug("CMCAuth: in CRMF"); - try { - CertReqMsg crm = - taggedRequest.getCrm(); - CertRequest certReq = crm.getCertReq(); - INTEGER reqID = certReq.getCertReqId(); - reqIdArray[i] = reqID.toString(); - CertTemplate template = certReq.getCertTemplate(); - Name name = template.getSubject(); - - // xxx do we need to do anything else? - X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); - - // reset value of auditCertSubject - if (name != null) { - String ss = name.getRFC1485(); - - auditCertSubject = ss; - if (auditCertSubject.equals("")) { - auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); - authToken.set("uid", uid); - authToken.set("userid", userid); - } - certInfoArray[i] = certInfo; - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - //throw new ECMSGWException( - //CMSGWResources.ERROR_PKCS101, e.toString()); - - e.printStackTrace(); - throw new EBaseException(e.toString()); - } - } - - // authToken.set(AgentAuthentication.CRED_CERT, new - // com.netscape.certsrv.usrgrp.Certificates( - // x509Certs)); - } - } - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - //Debug.printStackTrace(e); - throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.SUCCESS, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - return authToken; - } catch (EMissingCredential eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (EInvalidCredentials eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - // rethrow the specific exception to be handled later - throw eAudit2; - } catch (EBaseException eAudit3) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo); - - audit(auditMessage); - - // rethrow the specific exception to be handled later - throw eAudit3; - } - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * <p> - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * gets the configuration substore used by this authentication - * plug-in - * <p> - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - /** - * gets the plug-in name of this authentication plug-in. - */ - public String getImplName() { - return mImplName; - } - - /** - * gets the name of this authentication plug-in instance - */ - public String getName() { - return mName; - } - - /** - * get the list of required credentials. - * <p> - * - * @return list of required credentials as strings. - */ - public String[] getRequiredCreds() { - return (mRequiredCreds); - } - - /** - * prepares for shutdown. - */ - public void shutdown() { - } - - ///////////////////////////////// - // IExtendedPluginInfo methods // - ///////////////////////////////// - - /** - * Activate the help system. - * <p> - * - * @return help messages - */ - public String[] getExtendedPluginInfo() { - CMS.debug("CMCAuth: getExtendedPluginInfo()"); - String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); - - CMS.debug("CMCAuth: s.length = " + s.length); - for (int i = 0; i < s.length; i++) { - CMS.debug("" + i + " " + s[i]); - } - return s; - } - - //////////////////// - // Logger methods // - //////////////////// - - /** - * Logs a message for this class in the system log file. - * <p> - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, "CMC Authentication: " + msg); - } - - protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EInvalidCredentials { - - EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - OBJECT_IDENTIFIER id = ci.getContentType(); - OCTET_STRING content = ci.getContent(); - - try { - ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); - PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - - SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); - int numDig = dais.size(); - Hashtable<String, byte[]> digs = new Hashtable<String, byte[]>(); - - //if request key is used for signing, there MUST be only one signerInfo - //object in the signedData object. - for (int i = 0; i < numDig; i++) { - AlgorithmIdentifier dai = - (AlgorithmIdentifier) dais.elementAt(i); - String name = - DigestAlgorithm.fromOID(dai.getOID()).toString(); - - MessageDigest md = - MessageDigest.getInstance(name); - - byte[] digest = md.digest(content.toByteArray()); - - digs.put(name, digest); - } - - SET sis = cmcFullReq.getSignerInfos(); - int numSis = sis.size(); - - for (int i = 0; i < numSis; i++) { - org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); - - String name = si.getDigestAlgorithm().toString(); - byte[] digest = (byte[]) digs.get(name); - - if (digest == null) { - MessageDigest md = MessageDigest.getInstance(name); - ByteArrayOutputStream ostream = new ByteArrayOutputStream(); - - pkiData.encode((OutputStream) ostream); - digest = md.digest(ostream.toByteArray()); - - } - // signed by previously certified signature key - SignerIdentifier sid = si.getSignerIdentifier(); - - if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { - IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); - // find from the certs in the signedData - java.security.cert.X509Certificate cert = null; - - if (cmcFullReq.hasCertificates()) { - SET certs = cmcFullReq.getCertificates(); - int numCerts = certs.size(); - java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; - byte[] certByteArray = new byte[0]; - for (int j = 0; j < numCerts; j++) { - Certificate certJss = (Certificate) certs.elementAt(j); - CertificateInfo certI = certJss.getInfo(); - Name issuer = certI.getIssuer(); - - byte[] issuerB = ASN1Util.encode(issuer); - INTEGER sn = certI.getSerialNumber(); - // if this cert is the signer cert, not a cert in the chain - if (new String(issuerB).equals(new String( - ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) - && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { - ByteArrayOutputStream os = new - ByteArrayOutputStream(); - - certJss.encode(os); - certByteArray = os.toByteArray(); - - X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); - - cert = tempcert; - x509Certs[0] = cert; - // xxx validate the cert length - - } - } - CMS.debug("CMCAuth: start checking signature"); - if (cert == null) { - // find from certDB - CMS.debug("CMCAuth: verifying signature"); - si.verify(digest, id); - } else { - PublicKey signKey = cert.getPublicKey(); - PrivateKey.Type keyType = null; - String alg = signKey.getAlgorithm(); - - if (alg.equals("RSA")) { - keyType = PrivateKey.RSA; - } else if (alg.equals("DSA")) { - keyType = PrivateKey.DSA; - } - PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); - - CMS.debug("CMCAuth: verifying signature with public key"); - si.verify(digest, id, pubK); - } - CMS.debug("CMCAuth: finished checking signature"); - // verify signer's certificate using the revocator - CryptoManager cm = CryptoManager.getInstance(); - if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - // authenticate signer's certificate using the userdb - IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); - - IAuthManager agentAuth = authSS.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);//AGENT_AUTHMGR_ID); - IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); - - agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, x509Certs); - - IAuthToken tempToken = agentAuth.authenticate(agentCred); - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); - String CN = (String) tempPrincipal.getCommonName();//tempToken.get("userid"); - - BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); - authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); - tempToken.set("cn", CN); - return tempToken; - - } - // find from internaldb if it's ca. (ra does not have that.) - // find from internaldb usrgrp info - - // find from certDB - si.verify(digest, id); - - } // - } - } catch (InvalidBERException e) { - CMS.debug("CMCAuth: " + e.toString()); - } catch (IOException e) { - CMS.debug("CMCAuth: " + e.toString()); - } catch (Exception e) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - return (IAuthToken) null; - - } - - public String[] getExtendedPluginInfo(Locale locale) { - return null; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - Vector<String> v = new Vector<String>(); - v.addElement("cert_request"); - return v.elements(); - } - - public boolean isValueWriteable(String name) { - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - if (name.equals(CRED_CMC)) { - return new Descriptor(IDescriptor.STRING_LIST, null, null, - "CMC request"); - } - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); - } - - public boolean isSSLClientRequired() { - return false; - } - - /** - * Signed Audit Log - * - * This method is called to store messages to the signed audit log. - * <P> - * - * @param msg signed audit log message - */ - private void audit(String msg) { - // in this case, do NOT strip preceding/trailing whitespace - // from passed-in String parameters - - if (mSignedAuditLogger == null) { - return; - } - - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); - } - - /** - * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. - * <P> - * - * @return id string containing the signed audit log message SubjectID - */ - private String auditSubjectID() { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - - String subjectID = null; - - // Initialize subjectID - SessionContext auditContext = SessionContext.getExistingContext(); - - if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); - - if (subjectID != null) { - subjectID = subjectID.trim(); - } else { - subjectID = ILogger.NONROLEUSER; - } - } else { - subjectID = ILogger.UNIDENTIFIED; - } - - return subjectID; - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java deleted file mode 100644 index e6dd7087d..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java +++ /dev/null @@ -1,438 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -public class Crypt { - // Static data: - static byte[] - IP = // Initial permutation - { - 58, 50, 42, 34, 26, 18, 10, 2, - 60, 52, 44, 36, 28, 20, 12, 4, - 62, 54, 46, 38, 30, 22, 14, 6, - 64, 56, 48, 40, 32, 24, 16, 8, - 57, 49, 41, 33, 25, 17, 9, 1, - 59, 51, 43, 35, 27, 19, 11, 3, - 61, 53, 45, 37, 29, 21, 13, 5, - 63, 55, 47, 39, 31, 23, 15, 7 - }, - FP = // Final permutation, FP = IP^(-1) - { - 40, 8, 48, 16, 56, 24, 64, 32, - 39, 7, 47, 15, 55, 23, 63, 31, - 38, 6, 46, 14, 54, 22, 62, 30, - 37, 5, 45, 13, 53, 21, 61, 29, - 36, 4, 44, 12, 52, 20, 60, 28, - 35, 3, 43, 11, 51, 19, 59, 27, - 34, 2, 42, 10, 50, 18, 58, 26, - 33, 1, 41, 9, 49, 17, 57, 25 - }, - // Permuted-choice 1 from the key bits to yield C and D. - // Note that bits 8,16... are left out: - // They are intended for a parity check. - PC1_C = - { - 57, 49, 41, 33, 25, 17, 9, - 1, 58, 50, 42, 34, 26, 18, - 10, 2, 59, 51, 43, 35, 27, - 19, 11, 3, 60, 52, 44, 36 - }, - PC1_D = - { - 63, 55, 47, 39, 31, 23, 15, - 7, 62, 54, 46, 38, 30, 22, - 14, 6, 61, 53, 45, 37, 29, - 21, 13, 5, 28, 20, 12, 4 - }, - shifts = // Sequence of shifts used for the key schedule. - { - 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 - }, - // Permuted-choice 2, to pick out the bits from - // the CD array that generate the key schedule. - PC2_C = - { - 14, 17, 11, 24, 1, 5, - 3, 28, 15, 6, 21, 10, - 23, 19, 12, 4, 26, 8, - 16, 7, 27, 20, 13, 2 - }, - PC2_D = - { - 41, 52, 31, 37, 47, 55, - 30, 40, 51, 45, 33, 48, - 44, 49, 39, 56, 34, 53, - 46, 42, 50, 36, 29, 32 - }, - e2 = // The E-bit selection table. (see E below) - { - 32, 1, 2, 3, 4, 5, - 4, 5, 6, 7, 8, 9, - 8, 9, 10, 11, 12, 13, - 12, 13, 14, 15, 16, 17, - 16, 17, 18, 19, 20, 21, - 20, 21, 22, 23, 24, 25, - 24, 25, 26, 27, 28, 29, - 28, 29, 30, 31, 32, 1 - }, - // P is a permutation on the selected combination of - // the current L and key. - P = - { - 16, 7, 20, 21, - 29, 12, 28, 17, - 1, 15, 23, 26, - 5, 18, 31, 10, - 2, 8, 24, 14, - 32, 27, 3, 9, - 19, 13, 30, 6, - 22, 11, 4, 25 - }; - // The 8 selection functions. For some reason, they gave a 0-origin - // index, unlike everything else. - static byte[][] S = - { - { - 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, - 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, - 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, - 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 - }, { - 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, - 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, - 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, - 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 - }, { - 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, - 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, - 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, - 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 - }, { - 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, - 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, - 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, - 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 - }, { - 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, - 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, - 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, - 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 - }, { - 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, - 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, - 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, - 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 - }, { - 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, - 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, - 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, - 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 - }, { - 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, - 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, - 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, - 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 - } - }; - - // Dynamic data: - byte[] C = new byte[28], // The C and D arrays used to - D = new byte[28], // calculate the key schedule. - E = new byte[48], // The E bit-selection table. - L = new byte[32], // The current block, - R = new byte[32], // divided into two halves. - tempL = new byte[32], - f = new byte[32], - preS = new byte[48]; // The combination of the key and - // the input, before selection. - // The key schedule. Generated from the key. - byte[][] KS = new byte[16][48]; - - // Object fields: - String Passwd, Salt, Encrypt; - - // Public methods: - /** - * Create Crypt object with no passwd or salt set. Must use setPasswd() - * and setSalt() before getEncryptedPasswd(). - */ - public Crypt() { - Passwd = Salt = Encrypt = ""; - } - - /** - * Create a Crypt object with specified salt. Use setPasswd() before - * getEncryptedPasswd(). - * - * @param salt the salt string for encryption - */ - public Crypt(String salt) { - Passwd = ""; - Salt = salt; - Encrypt = crypt(); - } - - /** - * Create a Crypt object with specified passwd and salt (often the - * already encypted passwd). Get the encrypted result with - * getEncryptedPasswd(). - * - * @param passwd the passwd to encrypt - * @param salt the salt string for encryption - */ - public Crypt(String passwd, String salt) { - Passwd = passwd; - Salt = salt; - Encrypt = crypt(); - } - - /** - * Retrieve the passwd string currently being encrypted. - * - * @return the current passwd string - */ - public String getPasswd() { - return Passwd; - } - - /** - * Retrieve the salt string currently being used for encryption. - * - * @return the current salt string - */ - public String getSalt() { - return Salt; - } - - /** - * Retrieve the resulting encrypted string from the current passwd and - * salt settings. - * - * @return the encrypted passwd - */ - public String getEncryptedPasswd() { - return Encrypt; - } - - /** - * Set a new passwd string for encryption. Use getEncryptedPasswd() to - * retrieve the new result. - * - * @param passwd the new passwd string - */ - public void setPasswd(String passwd) { - Passwd = passwd; - Encrypt = crypt(); - } - - /** - * Set a new salt string for encryption. Use getEncryptedPasswd() to - * retrieve the new result. - * - * @param salt the new salt string - */ - public void setSalt(String salt) { - Salt = salt; - Encrypt = crypt(); - } - - // Internal crypt methods: - String crypt() { - if (Salt.length() == 0) - return ""; - int i, j, pwi; - byte c, temp; - byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = Passwd.getBytes(), //jdk1.1 - saltbytes = Salt.getBytes(); //jdk1.1 - - // pw = new byte[Passwd.length()], //jdk1.0.2 - // saltbytes = new byte[Salt.length()]; //jdk1.0.2 - //Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2 - //Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2 - - salt[0] = saltbytes[0]; - salt[1] = (saltbytes.length > 1) ? saltbytes[1] : 0; - - for (i = 0; i < 66; i++) - block[i] = 0; - - for (i = 0, pwi = 0; (pwi < pw.length) && (i < 64); pwi++, i++) { - for (j = 0; j < 7; j++, i++) { - block[i] = (byte) ((pw[pwi] >> (6 - j)) & 1); - } - } - - setkey(block); - - for (i = 0; i < 66; i++) - block[i] = 0; - - for (i = 0; i < 2; i++) { - c = salt[i]; - iobuf[i] = c; - if (c > 'Z') - c -= 6; - if (c > '9') - c -= 7; - c -= '.'; - for (j = 0; j < 6; j++) { - if (((c >> j) & 1) != 0) { - temp = E[6 * i + j]; - E[6 * i + j] = E[6 * i + j + 24]; - E[6 * i + j + 24] = temp; - } - } - } - - for (i = 0; i < 25; i++) { - encrypt(block, 0); - } - - for (i = 0; i < 11; i++) { - c = 0; - for (j = 0; j < 6; j++) { - c <<= 1; - c |= block[6 * i + j]; - } - c += '.'; - if (c > '9') - c += 7; - if (c > 'Z') - c += 6; - iobuf[i + 2] = c; - } - - iobuf[i + 2] = 0; - if (iobuf[1] == 0) - iobuf[1] = iobuf[0]; - - return new String(iobuf); //jdk1.1 - //return new String(iobuf,0); //jdk1.0.2 - } - - void setkey(byte[] key) // Set up the key schedule from the key. - { - int i, j, k; - byte t; - - // First, generate C and D by permuting the key. The low order bit - // of each 8-bit char is not used, so C and D are only 28 bits apiece. - for (i = 0; i < 28; i++) { - C[i] = key[PC1_C[i] - 1]; - D[i] = key[PC1_D[i] - 1]; - } - - // To generate Ki, rotate C and D according to schedule - // and pick up a permutation using PC2. - for (i = 0; i < 16; i++) { - // rotate. - for (k = 0; k < shifts[i]; k++) { - t = C[0]; - for (j = 0; j < 27; j++) - C[j] = C[j + 1]; - C[27] = t; - t = D[0]; - for (j = 0; j < 27; j++) - D[j] = D[j + 1]; - D[27] = t; - } - - // get Ki. Note C and D are concatenated. - for (j = 0; j < 24; j++) { - KS[i][j] = C[PC2_C[j] - 1]; - KS[i][j + 24] = D[PC2_D[j] - 29]; - } - } - - for (i = 0; i < 48; i++) { - E[i] = e2[i]; - } - } - - // The payoff: encrypt a block. - void encrypt(byte[] block, int edflag) { - int i, j, ii, t; - byte k; - - // First, permute the bits in the input - //for (j = 0; j < 64; j++) - //{ - // L[j] = block[IP[j]-1]; - //} - for (j = 0; j < 32; j++) - L[j] = block[IP[j] - 1]; - for (j = 32; j < 64; j++) - R[j - 32] = block[IP[j] - 1]; - - // Perform an encryption operation 16 times. - for (ii = 0; ii < 16; ii++) { - i = ii; - // Save the R array, which will be the new L. - for (j = 0; j < 32; j++) - tempL[j] = R[j]; - // Expand R to 48 bits using the E selector; - // exclusive-or with the current key bits. - for (j = 0; j < 48; j++) - preS[j] = (byte) (R[E[j] - 1] ^ KS[i][j]); - - // The pre-select bits are now considered in 8 groups of - // 6 bits each. The 8 selection functions map these 6-bit - // quantities into 4-bit quantities and the results permuted - // to make an f(R, K). The indexing into the selection functions - // is peculiar; it could be simplified by rewriting the tables. - for (j = 0; j < 8; j++) { - t = 6 * j; - k = S[j][(preS[t] << 5) + - (preS[t + 1] << 3) + - (preS[t + 2] << 2) + - (preS[t + 3] << 1) + - (preS[t + 4]) + - (preS[t + 5] << 4)]; - t = 4 * j; - f[t] = (byte) ((k >> 3) & 1); - f[t + 1] = (byte) ((k >> 2) & 1); - f[t + 2] = (byte) ((k >> 1) & 1); - f[t + 3] = (byte) ((k) & 1); - } - - // The new R is L ^ f(R, K). - // The f here has to be permuted first, though. - for (j = 0; j < 32; j++) { - R[j] = (byte) (L[j] ^ f[P[j] - 1]); - } - - // Finally, the new L (the original R) is copied back. - for (j = 0; j < 32; j++) { - L[j] = tempL[j]; - } - } - - // The output L and R are reversed. - for (j = 0; j < 32; j++) { - k = L[j]; - L[j] = R[j]; - R[j] = k; - } - - // The final output gets the inverse permutation of the very original. - for (j = 0; j < 64; j++) { - //block[j] = L[FP[j]-1]; - block[j] = (FP[j] > 32) ? R[FP[j] - 33] : L[FP[j] - 1]; - } - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java deleted file mode 100644 index 480b5b909..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java +++ /dev/null @@ -1,216 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.io.IOException; -import java.io.PushbackReader; -import java.io.StringReader; -import java.util.Vector; - -import netscape.ldap.LDAPEntry; - -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.base.EBaseException; - -/** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn. - * <p> - * - * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If - * empty or not set, the ldap entry DN will be used as the certificate subject name. - * <p> - * - * The syntax is - * - * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] - * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number - * </pre> - * - * <pre> - * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> - * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example2: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * <pre> - * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * followed by the second RDN in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example4: <i>CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * If an attribute or subject DN component does not exist the attribute is skipped. - * - * @version $Revision$, $Date$ - */ -public class DNPattern { - - /* ldap attributes to retrieve */ - private String[] mLdapAttrs = null; - - /* rdn patterns */ - protected RDNPattern[] mRDNPatterns = null; - - /* original pattern string */ - protected String mPatternString = null; - - protected String mTestDN = null; - - /** - * Construct a DN pattern by parsing a pattern string. - * - * @param pattern the DN pattern - * @exception EBaseException If parsing error occurs. - */ - public DNPattern(String pattern) - throws EAuthException { - if (pattern == null || pattern.equals("")) { - // create an attribute list that is the dn. - mLdapAttrs = new String[] { "dn" }; - } else { - mPatternString = pattern; - PushbackReader in = new PushbackReader(new StringReader(pattern)); - - parse(in); - } - } - - public DNPattern(PushbackReader in) - throws EAuthException { - parse(in); - } - - private void parse(PushbackReader in) - throws EAuthException { - Vector<RDNPattern> rdnPatterns = new Vector<RDNPattern>(); - RDNPattern rdnPattern = null; - int lastChar = -1; - - do { - rdnPattern = new RDNPattern(in); - rdnPatterns.addElement(rdnPattern); - try { - lastChar = in.read(); - } catch (IOException e) { - throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()); - } - } while (lastChar == ','); - - mRDNPatterns = new RDNPattern[rdnPatterns.size()]; - rdnPatterns.copyInto(mRDNPatterns); - - Vector<String> ldapAttrs = new Vector<String>(); - - for (int i = 0; i < mRDNPatterns.length; i++) { - String[] rdnAttrs = mRDNPatterns[i].getLdapAttrs(); - - if (rdnAttrs != null && rdnAttrs.length > 0) - for (int j = 0; j < rdnAttrs.length; j++) - ldapAttrs.addElement(rdnAttrs[j]); - } - mLdapAttrs = new String[ldapAttrs.size()]; - ldapAttrs.copyInto(mLdapAttrs); - } - - /** - * Form a Ldap v3 DN string from results of a ldap search. - * - * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. - */ - public String formDN(LDAPEntry entry) - throws EAuthException { - StringBuffer formedDN = new StringBuffer(); - - for (int i = 0; i < mRDNPatterns.length; i++) { - if (mTestDN != null) - mRDNPatterns[i].mTestDN = mTestDN; - String rdn = mRDNPatterns[i].formRDN(entry); - - if (rdn != null) { - if (rdn != null && rdn.length() != 0) { - if (formedDN.length() != 0) - formedDN.append(","); - formedDN.append(rdn); - } - } - } - //System.out.println("formed DN "+formedDN.toString()); - return formedDN.toString(); - } - - public String[] getLdapAttrs() { - return (String[]) mLdapAttrs.clone(); - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java deleted file mode 100644 index da8d5bd51..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java +++ /dev/null @@ -1,676 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.io.IOException; -import java.security.cert.CertificateException; -import java.util.Date; -import java.util.Enumeration; -import java.util.Locale; -import java.util.StringTokenizer; -import java.util.Vector; - -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv2; -import netscape.security.x509.CertificateExtensions; -import netscape.security.x509.CertificateSubjectName; -import netscape.security.x509.CertificateValidity; -import netscape.security.x509.X500Name; -import netscape.security.x509.X509CertInfo; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.authentication.EFormSubjectDN; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.EPropertyNotFound; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.ldap.ELdapException; -import com.netscape.certsrv.ldap.ILdapConnFactory; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.cmsutil.util.Utils; - -/** - * Abstract class for directory based authentication managers - * Uses a pattern for formulating subject names. - * The pattern is read from configuration file. - * Syntax of the pattern is described in the init() method. - * - * <P> - * - * @version $Revision$, $Date$ - */ -public abstract class DirBasedAuthentication - implements IAuthManager, IExtendedPluginInfo { - - protected static final String USER_DN = "userDN"; - - /* configuration parameter keys */ - protected static final String PROP_LDAP = "ldap"; - protected static final String PROP_BASEDN = "basedn"; - protected static final String PROP_DNPATTERN = "dnpattern"; - protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes"; - protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes"; - - // members - - /* name of this authentication manager instance */ - protected String mName = null; - - /* name of the authentication manager plugin */ - protected String mImplName = null; - - /* configuration store */ - protected IConfigStore mConfig; - - /* ldap configuration sub-store */ - protected IConfigStore mLdapConfig; - - /* ldap base dn */ - protected String mBaseDN = null; - - /* factory of anonymous ldap connections */ - protected ILdapConnFactory mConnFactory = null; - - /* the system logger */ - protected ILogger mLogger = CMS.getLogger(); - - /* the subject DN pattern */ - protected DNPattern mPattern = null; - - /* the list of LDAP attributes with string values to retrieve to - * save in the auth token including ones from the dn pattern. */ - protected String[] mLdapStringAttrs = null; - - /* the list of LDAP attributes with byte[] values to retrive to save - * in authtoken. */ - protected String[] mLdapByteAttrs = null; - - /* the combined list of LDAP attriubutes to retrieve*/ - protected String[] mLdapAttrs = null; - - /* default dn pattern if left blank or not set in the config */ - protected static String DEFAULT_DNPATTERN = - "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; - - /* Vector of extendedPluginInfo strings */ - protected static Vector<String> mExtendedPluginInfo = null; - - static { - mExtendedPluginInfo = new Vector<String>(); - mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" + - " Subject Name. ($dn.xxx - get value from user's LDAP " + - "DN. $attr.yyy - get value from LDAP attributes in " + - "user's entry.) Default: " + DEFAULT_DNPATTERN); - mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" + - "Comma-separated list of LDAP attributes to copy from " + - "the user's LDAP entry into the AuthToken. e.g use " + - "'mail' to copy user's email address for subjectAltName"); - mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" + - "Comma-separated list of binary LDAP attributes to copy" + - " from the user's LDAP entry into the AuthToken"); - mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + - "LDAP host to connect to"); - mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + - "LDAP port number (use 389, or 636 if SSL)"); - mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + - "Use SSL to connect to directory?"); - mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + - "LDAP protocol version"); - mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here"); - mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + - "to keep open to directory server. Default 5."); - mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " + - "pool can grow to this many (multiplexed) connections. Default 1000."); - } - - /** - * Default constructor, initialization must follow. - */ - public DirBasedAuthentication() { - } - - /** - * Initializes the UidPwdDirBasedAuthentication auth manager. - * - * Takes the following configuration parameters: <br> - * - * <pre> - * ldap.basedn - the ldap base dn. - * ldap.ldapconn.host - the ldap host. - * ldap.ldapconn.port - the ldap port - * ldap.ldapconn.secureConn - whether port should be secure - * ldap.minConns - minimum connections - * ldap.maxConns - max connections - * dnpattern - dn pattern. - * </pre> - * <p> - * <i><b>dnpattern</b></i> is a string representing a subject name pattern to formulate from the directory - * attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name. - * <p> - * The syntax is - * - * <pre> - * dnpattern = SubjectNameComp *[ "," SubjectNameComp ] - * - * SubjectNameComponent = DnComp | EntryComp | ConstantComp - * DnComp = CertAttr "=" "$dn" "." DnAttr "." Num - * EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num - * ConstantComp = CertAttr "=" Constant - * DnAttr = an attribute in the Ldap entry dn - * EntryAttr = an attribute in the Ldap entry - * CertAttr = a Component in the Certificate Subject Name - * (multiple AVA in one RDN not supported) - * Num = the nth value of tha attribute in the dn or entry. - * Constant = Constant String, with any accepted ldap string value. - * - * </pre> - * <p> - * <b>Example:</b> - * - * <pre> - * dnpattern: - * E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US - * <br> - * Ldap entry dn: - * UID=joesmith, OU=people, O=Acme.com - * <br> - * Ldap attributes: - * cn: Joe Smith - * sn: Smith - * mail: joesmith@acme.com - * mail: joesmith@redhat.com - * ou: people - * ou: IS - * <i>etc.</i> - * </pre> - * <p> - * The subject name formulated in the cert will be : <br> - * - * <pre> - * E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US - * - * E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com - * CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith - * OU = the second 'ou' value in the ldap entry - IS - * O = the (first) 'o' value in the user's entry DN - "Acme.com" - * C = the constant string "US" - * </pre> - * - * @param name The name for this authentication manager instance. - * @param implName The name of the authentication manager plugin. - * @param config - The configuration store for this instance. - * @exception EBaseException If an error occurs during initialization. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - init(name, implName, config, true); - } - - public void init(String name, String implName, IConfigStore config, boolean needBaseDN) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - - /* initialize ldap server configuration */ - mLdapConfig = mConfig.getSubStore(PROP_LDAP); - if (needBaseDN) - mBaseDN = mLdapConfig.getString(PROP_BASEDN); - if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals("")))) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); - mConnFactory = CMS.getLdapAnonConnFactory(); - mConnFactory.init(mLdapConfig); - - /* initialize dn pattern */ - String pattern = mConfig.getString(PROP_DNPATTERN, null); - - if (pattern == null || pattern.length() == 0) - pattern = DEFAULT_DNPATTERN; - mPattern = new DNPattern(pattern); - String[] patternLdapAttrs = mPattern.getLdapAttrs(); - - /* initialize ldap string attribute list */ - String ldapStringAttrs = mConfig.getString(PROP_LDAPSTRINGATTRS, null); - - if (ldapStringAttrs == null) { - mLdapStringAttrs = patternLdapAttrs; - } else { - StringTokenizer pAttrs = - new StringTokenizer(ldapStringAttrs, ",", false); - int begin = 0; - - if (patternLdapAttrs != null && patternLdapAttrs.length > 0) { - mLdapStringAttrs = new String[ - patternLdapAttrs.length + pAttrs.countTokens()]; - System.arraycopy(patternLdapAttrs, 0, - mLdapStringAttrs, 0, patternLdapAttrs.length); - begin = patternLdapAttrs.length; - } else { - mLdapStringAttrs = new String[pAttrs.countTokens()]; - } - for (int i = begin; i < mLdapStringAttrs.length; i++) { - mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); - } - } - - /* initialize ldap byte[] attribute list */ - String ldapByteAttrs = mConfig.getString(PROP_LDAPBYTEATTRS, null); - - if (ldapByteAttrs == null) { - mLdapByteAttrs = new String[0]; - } else { - StringTokenizer byteAttrs = - new StringTokenizer(ldapByteAttrs, ",", false); - - mLdapByteAttrs = new String[byteAttrs.countTokens()]; - for (int j = 0; j < mLdapByteAttrs.length; j++) { - mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim(); - } - } - - /* make the combined list */ - mLdapAttrs = - new String[mLdapStringAttrs.length + mLdapByteAttrs.length]; - System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, - 0, mLdapStringAttrs.length); - System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, - mLdapStringAttrs.length, mLdapByteAttrs.length); - - log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE")); - } - - /** - * gets the name of this authentication manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authentication manager. - */ - public String getImplName() { - return mImplName; - } - - /** - * Authenticates user through LDAP by a set of credentials. - * Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo - * <p> - * - * @param authCred Authentication credentials, CRED_UID and CRED_PWD. - * @return A AuthToken with a TOKEN_SUBJECT of X500name type. - * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. - * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. - * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. - * @see com.netscape.certsrv.authentication.AuthToken - */ - public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - String userdn = null; - LDAPConnection conn = null; - AuthToken authToken = new AuthToken(this); - - try { - if (mConnFactory == null) { - conn = null; - } else { - conn = mConnFactory.getConn(); - } - - // authenticate the user and get a user entry. - userdn = authenticate(conn, authCred, authToken); - authToken.set(USER_DN, userdn); - - // formulate the cert info. - // set each seperatly since otherwise they won't serialize - // in the request queue. - X509CertInfo certInfo = new X509CertInfo(); - - formCertInfo(conn, userdn, certInfo, authToken); - - // set subject name. - try { - CertificateSubjectName subjectname = (CertificateSubjectName) - certInfo.get(X509CertInfo.SUBJECT); - - if (subjectname != null) - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, - subjectname.toString()); - } // error means it's not set. - catch (CertificateException e) { - } catch (IOException e) { - } - - // set validity if any - try { - CertificateValidity validity = (CertificateValidity) - certInfo.get(X509CertInfo.VALIDITY); - - if (validity != null) { - // the gets throws IOException but only if attribute - // not recognized. In these cases they are always. - authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE, - (Date) validity.get(CertificateValidity.NOT_BEFORE)); - authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, - (Date) validity.get(CertificateValidity.NOT_AFTER)); - } - } // error means it's not set. - catch (CertificateException e) { - } catch (IOException e) { - } - - // set extensions if any. - try { - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); - - if (extensions != null) - authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions); - } // error means it's not set. - catch (CertificateException e) { - } catch (IOException e) { - } - - } finally { - if (conn != null) - mConnFactory.returnConn(conn); - } - - return authToken; - } - - /** - * get the list of required credentials. - * - * @return list of required credentials as strings. - */ - public abstract String[] getRequiredCreds(); - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public abstract String[] getConfigParams(); - - /** - * disconnects the ldap connections - */ - public void shutdown() { - try { - if (mConnFactory != null) { - mConnFactory.reset(); - mConnFactory = null; - } - } catch (ELdapException e) { - // ignore - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString())); - } - } - - /** - * Gets the configuration substore used by this authentication manager - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - /** - * Authenticates a user through directory based a set of credentials. - * - * @param authCreds The authentication credentials. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. - */ - protected abstract String authenticate( - LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) - throws EBaseException; - - /** - * Formulate the cert info. - * - * @param conn A LDAP Connection authenticated to user to use. - * @param userdn The user's dn. - * @param certinfo A certinfo object to fill. - * @param token A authentication token to fill. - * @exception EBaseException If an internal error occurs. - */ - protected void formCertInfo(LDAPConnection conn, - String userdn, - X509CertInfo certinfo, - AuthToken token) - throws EBaseException { - String dn = null; - // get ldap attributes to retrieve. - String[] attrs = getLdapAttrs(); - - // retrieve the attributes. - try { - if (conn != null) { - LDAPEntry entry = null; - LDAPSearchResults results = - conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", - attrs, false); - - if (!results.hasMoreElements()) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR")); - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND")); - } - entry = results.next(); - - // formulate the subject dn - try { - dn = formSubjectName(entry); - } catch (EBaseException e) { - //e.printStackTrace(); - throw e; - } - // Put selected values from the entry into the token - setAuthTokenValues(entry, token); - } else { - dn = userdn; - } - - // add anything else in cert info such as validity, extensions - // (nothing now) - - // pack the dn into X500name and set subject name. - if (dn.length() == 0) { - EBaseException ex = - new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); - - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString())); - throw ex; - } - X500Name subjectdn = new X500Name(dn); - - certinfo.set(X509CertInfo.SUBJECT, - new CertificateSubjectName(subjectdn)); - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.SERVER_DOWN: - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_USER_ENTRY_ERROR", userdn)); - - // fall to below. - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); - } - } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage())); - throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); - } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage())); - throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); - } - } - - /** - * Copy values from the LDAPEntry into the AuthToken. The - * list of values that should be store this way is given in - * a the ldapAttributes configuration parameter. - */ - protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) { - for (int i = 0; i < mLdapStringAttrs.length; i++) - setAuthTokenStringValue(mLdapStringAttrs[i], e, tok); - for (int j = 0; j < mLdapByteAttrs.length; j++) - setAuthTokenByteValue(mLdapByteAttrs[j], e, tok); - } - - protected void setAuthTokenStringValue( - String name, LDAPEntry entry, AuthToken tok) { - LDAPAttribute values = entry.getAttribute(name); - - if (values == null) - return; - - Vector<String> v = new Vector<String>(); - @SuppressWarnings("unchecked") - Enumeration<String> e = values.getStringValues(); - - while (e.hasMoreElements()) { - v.addElement(e.nextElement()); - } - - String a[] = new String[v.size()]; - - v.copyInto(a); - - tok.set(name, a); - } - - protected void setAuthTokenByteValue( - String name, LDAPEntry entry, AuthToken tok) { - LDAPAttribute values = entry.getAttribute(name); - - if (values == null) - return; - - Vector<byte[]> v = new Vector<byte[]>(); - @SuppressWarnings("unchecked") - Enumeration<byte[]> e = values.getByteValues(); - - while (e.hasMoreElements()) { - v.addElement(e.nextElement()); - } - - byte[][] a = new byte[v.size()][]; - - v.copyInto(a); - - tok.set(name, a); - } - - /** - * Return a list of LDAP attributes with String values to retrieve. - * Subclasses can override to return any set of attributes. - * - * @return Array of LDAP attributes to retrieve from the directory. - */ - protected String[] getLdapAttrs() { - return mLdapAttrs; - } - - /** - * Return a list of LDAP attributes with byte[] values to retrieve. - * Subclasses can override to return any set of attributes. - * - * @return Array of LDAP attributes to retrieve from the directory. - */ - protected String[] getLdapByteAttrs() { - return mLdapByteAttrs; - } - - /** - * Formulate the subject name - * - * @param entry The LDAP entry - * @return The subject name string. - * @exception EBaseException If an internal error occurs. - */ - protected String formSubjectName(LDAPEntry entry) - throws EAuthException { - if (mPattern.mPatternString == null) - return entry.getDN(); - - /* - if (mTestDNString != null) { - mPattern.mTestDN = mTestDNString; - //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); - } - */ - - String dn = mPattern.formDN(entry); - - CMS.debug("DirBasedAuthentication: formed DN '" + dn + "'"); - return dn; - } - - /** - * Logs a message for this class in the system log file. - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); - } - - public String[] getExtendedPluginInfo(Locale locale) { - String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); - - return s; - - } - -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java deleted file mode 100644 index f60110b0b..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java +++ /dev/null @@ -1,686 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.io.BufferedReader; -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileReader; -import java.io.FileWriter; -import java.io.IOException; -import java.text.SimpleDateFormat; -import java.util.Date; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Locale; -import java.util.StringTokenizer; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.EPropertyNotFound; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; - -/** - * This represents the authentication manager that authenticates - * user against a file where id, and password are stored. - * - * @version $Revision$, $Date$ - */ -public class FlatFileAuth - implements IProfileAuthenticator, IExtendedPluginInfo { - - /* configuration parameter keys */ - protected static final String PROP_FILENAME = "fileName"; - protected static final String PROP_KEYATTRIBUTES = "keyAttributes"; - protected static final String PROP_AUTHATTRS = "authAttributes"; - protected static final String PROP_DEFERONFAILURE = "deferOnFailure"; - - protected String mFilename = "config/pwfile"; - protected long mFileLastRead = 0; - protected String mKeyAttributes = "UID"; - protected String mAuthAttrs = "PWD"; - protected boolean mDeferOnFailure = true; - private static final String DATE_PATTERN = "yyyy-MM-dd-HH-mm-ss"; - private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN); - - protected static String[] mConfigParams = - new String[] { - PROP_FILENAME, - PROP_KEYATTRIBUTES, - PROP_AUTHATTRS, - PROP_DEFERONFAILURE - }; - - public String[] getExtendedPluginInfo(Locale locale) { - String s[] = { - PROP_FILENAME + ";string;Pathname of password file", - PROP_KEYATTRIBUTES + ";string;Comma-separated list of attributes" + - " which together form a unique identifier for the user", - PROP_AUTHATTRS + ";string;Comma-separated list of attributes" + - " which are used for further authentication", - PROP_DEFERONFAILURE + ";boolean;if user is not found, defer the " + - "request to the queue for manual-authentication (true), or " + - "simply rejected the request (false)" - }; - - return s; - } - - /** name of this authentication manager instance */ - protected String mName = null; - - protected String FFAUTH = "FlatFileAuth"; - - /** name of the authentication manager plugin */ - protected String mImplName = null; - - /** configuration store */ - protected IConfigStore mConfig = null; - - /** system logger */ - protected ILogger mLogger = CMS.getLogger(); - - /** - * This array is created as to include all the requested attributes - * - */ - String[] reqCreds = null; - - String[] authAttrs = null; - String[] keyAttrs = null; - - /** - * Hashtable of entries from Auth File. Hash index is the - * concatenation of the attributes from matchAttributes property - */ - protected Hashtable<String, Hashtable<String, String>> entries = null; - - /** - * Get the named property - * If the property is not set, use s as the default, and create - * a new value for the property in the config file. - * - * @param propertyName Property name - * @param s The default value of the property - */ - protected String getPropertyS(String propertyName, String s) - throws EBaseException { - String p; - - try { - p = mConfig.getString(propertyName); - } catch (EPropertyNotFound e) { - mConfig.put(propertyName, s); - p = s; - } - return p; - } - - public boolean isSSLClientRequired() { - return false; - } - - /** - * Get the named property, - * If the property is not set, use b as the default, and create - * a new value for the property in the config file. - * - * @param propertyName Property name - * @param b The default value of the property - */ - protected boolean getPropertyB(String propertyName, boolean b) - throws EBaseException { - boolean p; - - try { - p = mConfig.getBoolean(propertyName); - } catch (EPropertyNotFound e) { - mConfig.put(propertyName, b ? "true" : "false"); - p = b; - } - return p; - } - - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - - try { - mFilename = getPropertyS(PROP_FILENAME, mFilename); - mKeyAttributes = getPropertyS(PROP_KEYATTRIBUTES, mKeyAttributes); - mAuthAttrs = getPropertyS(PROP_AUTHATTRS, mAuthAttrs); - mDeferOnFailure = getPropertyB(PROP_DEFERONFAILURE, mDeferOnFailure); - } catch (EBaseException e) { - return; - } - - keyAttrs = splitOnComma(mKeyAttributes); - authAttrs = splitOnComma(mAuthAttrs); - - String[][] stringArrays = new String[2][]; - - stringArrays[0] = keyAttrs; - stringArrays[1] = authAttrs; - reqCreds = unionOfStrings(stringArrays); - - print("mFilename = " + mFilename); - print("mKeyAttributes = " + mKeyAttributes); - print("mAuthAttrs = " + mAuthAttrs); - for (int i = 0; i < stringArrays.length; i++) { - for (int j = 0; j < stringArrays[i].length; j++) { - print("stringArrays[" + i + "][" + j + "] = " + stringArrays[i][j]); - } - } - - try { - File file = new File(mFilename); - - mFileLastRead = file.lastModified(); - entries = readFile(file, keyAttrs); - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename)); - // printAllEntries(); - } catch (IOException e) { - throw new EBaseException(mName - + " authentication: Could not open file " + mFilename + " (" + e.getMessage() + ")"); - } catch (java.lang.StringIndexOutOfBoundsException ee) { - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("OPERATION_ERROR", ee.toString())); - } - - } - - /** - * Log a message. - * - * @param level The logging level. - * @param msg The message to log. - */ - private void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); - } - - void print(String s) { - CMS.debug("FlatFileAuth: " + s); - } - - /** - * Return a string array which is the union of all the string arrays - * passed in. The strings are treated as case sensitive - */ - - public String[] unionOfStrings(String[][] stringArrays) { - Hashtable<String, String> ht = new Hashtable<String, String>(); - - for (int i = 0; i < stringArrays.length; i++) { - String[] sa = stringArrays[i]; - - for (int j = 0; j < sa.length; j++) { - print("unionOfStrings: " + i + "," + j + " = " + sa[j]); - ht.put(sa[j], ""); - } - } - - String[] s = new String[ht.size()]; - Enumeration<String> e = ht.keys(); - - for (int i = 0; e.hasMoreElements(); i++) { - s[i] = e.nextElement(); - } - return s; - - } - - /** - * Split a comma-delimited String into an array of individual - * Strings. - */ - private String[] splitOnComma(String s) { - print("Splitting String: " + s + " on commas"); - StringTokenizer st = new StringTokenizer(s, ",", false); - String[] sa = new String[st.countTokens()]; - - print(" countTokens:" + st.countTokens()); - - for (int i = 0; i < sa.length; i++) { - String p = st.nextToken().trim(); - - print(" token " + i + " = " + p); - sa[i] = p; - } - - return sa; - } - - /** - * Join an array of Strings into one string, with - * the specified string between each string - */ - - private String joinStringArray(String[] s, String sep) { - - StringBuffer sb = new StringBuffer(); - for (int i = 0; i < s.length; i++) { - sb.append(s[i]); - if (i < (s.length - 1)) { - sb.append(sep); - } - } - return sb.toString(); - } - - private synchronized void updateFile(String key) { - try { - String name = writeFile(key); - if (name != null) { - File orgFile = new File(mFilename); - long lastModified = orgFile.lastModified(); - File newFile = new File(name); - if (lastModified > mFileLastRead) { - mFileLastRead = lastModified; - } else { - mFileLastRead = newFile.lastModified(); - } - if (orgFile.renameTo(new File(name.substring(0, name.length() - 1)))) { - if (!newFile.renameTo(new File(mFilename))) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name, mFilename)); - File file = new File(name.substring(0, name.length() - 1)); - file.renameTo(new File(mFilename)); - } - } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", mFilename, - name.substring(0, name.length() - 1))); - } - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); - } - } - - private String writeFile(String key) { - BufferedReader reader = null; - BufferedWriter writer = null; - String name = null; - boolean commentOutNextLine = false; - boolean done = false; - String line = null; - try { - reader = new BufferedReader(new FileReader(mFilename)); - name = mFilename + "." + mDateFormat.format(new Date()) + "~"; - writer = new BufferedWriter(new FileWriter(name)); - if (reader != null && writer != null) { - while ((line = reader.readLine()) != null) { - if (commentOutNextLine) { - writer.write("#"); - commentOutNextLine = false; - } - if (line.indexOf(key) > -1) { - writer.write("#"); - commentOutNextLine = true; - } - writer.write(line); - writer.newLine(); - } - done = true; - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); - } - - try { - if (reader != null) { - reader.close(); - } - if (writer != null) { - writer.flush(); - writer.close(); - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); - } - - try { - if (!done) { - long s1 = 0; - long s2 = 0; - File f1 = new File(mFilename); - File f2 = new File(name); - if (f1.exists()) - s1 = f1.length(); - if (f2.exists()) - s2 = f2.length(); - if (s1 > 0 && s2 > 0 && s2 > s1) { - done = true; - } else { - if (f2.exists()) - f2.delete(); - name = null; - } - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); - } - - return name; - } - - /** - * Read a file with the following format: - * <p> - * - * <pre> - * param1: valuea - * param2: valueb - * -blank-line- - * param1: valuec - * param2: valued - * </pre> - * - * @param f The file to read - * @param keys The parameters to concat together to form the hash - * key - * @return a hashtable of hashtables. - */ - protected Hashtable<String, Hashtable<String, String>> readFile(File f, String[] keys) - throws IOException { - log(ILogger.LL_INFO, "Reading file: " + f.getName()); - BufferedReader file = new BufferedReader( - new FileReader(f) - ); - - String line; - Hashtable<String, Hashtable<String, String>> allusers = new Hashtable<String, Hashtable<String, String>>(); - Hashtable<String, String> entry = null; - int linenum = 0; - - while ((line = file.readLine()) != null) { - linenum++; - line = line.trim(); - if (line.length() > 0 && line.charAt(0) == '#') { - continue; - } - int colon = line.indexOf(':'); - - if (entry == null) { - entry = new Hashtable<String, String>(); - } - - if (colon == -1) { // no colon -> empty line signifies end of record - if (!line.trim().equals("")) { - if (file != null) { - file.close(); - } - throw new IOException(FFAUTH + ": Parsing error, " + - "colon missing from line " + linenum + " of " + f.getName()); - } - if (entry.size() > 0) { - putEntry(allusers, entry, keys); - entry = null; - } - continue; - } - - String attr = line.substring(0, colon).trim(); - String val = line.substring(colon + 1).trim(); - - entry.put(attr, val); - } - - putEntry(allusers, entry, keys); - if (file != null) { - file.close(); - } - return allusers; - } - - private void putEntry(Hashtable<String, Hashtable<String, String>> allUsers, - Hashtable<String, String> entry, - String[] keys) { - if (entry == null) { - return; - } - String key = ""; - - print("keys.length = " + keys.length); - for (int i = 0; i < keys.length; i++) { - String s = entry.get(keys[i]); - - print(" concatenating: " + s); - if (s != null) { - key = key.concat(s); - } - } - print("putting: key " + key); - allUsers.put(key, entry); - } - - void printAllEntries() { - Enumeration<String> e = entries.keys(); - - while (e.hasMoreElements()) { - String key = e.nextElement(); - - print("* " + key + " *"); - Hashtable<String, String> ht = entries.get(key); - Enumeration<String> f = ht.keys(); - - while (f.hasMoreElements()) { - String fkey = f.nextElement(); - - print(" " + fkey + " -> " + ht.get(fkey)); - } - } - } - - /** - * Compare attributes provided by the user with those in - * in flat file. - * - */ - - private IAuthToken doAuthentication(Hashtable<String, String> user, IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - AuthToken authToken = new AuthToken(this); - - for (int i = 0; i < authAttrs.length; i++) { - String ffvalue = (String) user.get(authAttrs[i]); - String uservalue = (String) authCred.get(authAttrs[i]); - - // print("checking authentication token (" + authAttrs[i] + ": " + uservalue + " against ff value: " + ffvalue); - if (!ffvalue.equals(uservalue)) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } - return authToken; - } - - private void reReadPwFile() { - - try { - File file = new File(mFilename); - long pwfilelastmodified = file.lastModified(); - - if (pwfilelastmodified > mFileLastRead) { - mFileLastRead = pwfilelastmodified; - entries = readFile(file, keyAttrs); - // printAllEntries(); - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("READ_FILE_ERROR", mFilename, e.getMessage())); - } - } - - /** - * Authenticate the request - * - */ - public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - IAuthToken authToken = null; - String keyForUser = ""; - - /* First check if hashtable has been modified since we last read it in */ - - reReadPwFile(); - - /* Find the user in our hashtable */ - - for (int i = 0; i < keyAttrs.length; i++) { - print("concatenating string i=" + i + " keyAttrs[" + i + "] = " + keyAttrs[i]); - String credential = (String) authCred.get(keyAttrs[i]); - - if (credential == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i])); - } - keyForUser = keyForUser.concat((String) authCred.get(keyAttrs[i])); - } - print("authenticating user: finding user from key: " + keyForUser); - - Hashtable<String, String> user = entries.get(keyForUser); - - try { - if (user != null) { - authToken = doAuthentication(user, authCred); - } else { - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND")); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } catch (EInvalidCredentials e) { - // If defer on failure is false, then we re-throw the exception - // which causes the request to be rejected - if (!mDeferOnFailure) { - throw e; - } else { - CMS.debug("FlatFileAuth: Since defering on failure - ignore invalid creds"); - } - } - - // if a dn was specified in the password file for this user, - // replace the requested dn with the one in the pwfile - if (user != null) { - String dn = (String) user.get("dn"); - - if (dn != null && authToken != null) { - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, dn); - } - } - - // If defer on failure is true, and the auth failed, authToken will - // be null here, which causes the request to be deferred. - - if (user != null && authToken != null) { - entries.remove(keyForUser); - updateFile(keyForUser); - // printAllEntries(); - } - return authToken; - } - - /** - * Return a list of HTTP parameters which will be taken from the - * request posting and placed into the AuthCredentials block - * - * Note that this method will not be called until after the - * init() method is called - */ - public String[] getRequiredCreds() { - print("getRequiredCreds returning: " + joinStringArray(reqCreds, ",")); - return reqCreds; - - } - - /** - * Returns a list of configuration parameters, so the console - * can prompt the user when configuring. - */ - public String[] getConfigParams() { - return mConfigParams; - } - - /** - * Returns the configuration store used by this authentication manager - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - public void shutdown() { - } - - public String getName() { - return mName; - } - - public String getImplName() { - return mImplName; - } - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - return null; - } - - public boolean isValueWriteable(String name) { - return false; - } - - public IDescriptor getValueDescriptor(Locale locale, String name) { - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); - } - -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java deleted file mode 100644 index 3a447d282..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java +++ /dev/null @@ -1,118 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// java sdk imports. -import java.util.Hashtable; -import java.util.Vector; - -/** - * The structure stores the information of which machine is enabled for - * the agent-initiated user enrollment, and whom agents enable this feature, - * and the value of the timeout. - * <P> - * - * @version $Revision$, $Date$ - */ -public class HashAuthData extends Hashtable<String, Vector<Object>> { - - /** - * - */ - private static final long serialVersionUID = -988354133432275910L; - public static final long TIMEOUT = 600000; - public static final long LASTLOGIN = 0; - - public HashAuthData() { - } - - public String getAgentName(String hostname) { - Vector<Object> val = get(hostname); - - if (val != null) - return (String) val.elementAt(0); - return null; - } - - public void setAgentName(String hostname, String agentName) { - Vector<Object> val = get(hostname); - - if (val == null) { - val = new Vector<Object>(); - put(hostname, val); - } - val.setElementAt(agentName, 0); - } - - public long getTimeout(String hostname) { - Vector<Object> val = get(hostname); - - if (val != null) { - return ((Long) val.elementAt(1)).longValue(); - } - return TIMEOUT; - } - - public void setTimeout(String hostname, long timeout) { - Vector<Object> val = get(hostname); - - if (val == null) { - val = new Vector<Object>(); - put(hostname, val); - } - val.setElementAt(Long.valueOf(timeout), 1); - } - - public String getSecret(String hostname) { - Vector<Object> val = get(hostname); - - if (val != null) { - return (String) val.elementAt(2); - } - return null; - } - - public void setSecret(String hostname, String secret) { - Vector<Object> val = get(hostname); - - if (val == null) { - val = new Vector<Object>(); - put(hostname, val); - } - val.setElementAt(secret, 2); - } - - public long getLastLogin(String hostname) { - Vector<Object> val = get(hostname); - - if (val != null) { - return ((Long) val.elementAt(3)).longValue(); - } - return LASTLOGIN; - } - - public void setLastLogin(String hostname, long lastLogin) { - Vector<Object> val = get(hostname); - - if (val == null) { - val = new Vector<Object>(); - put(hostname, val); - } - val.setElementAt(Long.valueOf(lastLogin), 3); - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java deleted file mode 100644 index 2537efa10..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java +++ /dev/null @@ -1,288 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Date; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Locale; -import java.util.Vector; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.cmsutil.util.Utils; - -/** - * Hash uid/pwd directory based authentication manager - * <P> - * - * @version $Revision$, $Date$ - */ -public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { - - public static final String SALT = "lala123"; - public static final String CRED_UID = "uid"; - public static final String CRED_FINGERPRINT = "fingerprint"; - public static final String CRED_PAGEID = "pageID"; - public static final String CRED_HOST = "hostname"; - protected static String[] mRequiredCreds = { CRED_UID, - CRED_PAGEID, CRED_FINGERPRINT, CRED_HOST }; - public static final long DEFAULT_TIMEOUT = 600000; - private boolean mEnable = false; - private long mTimeout = DEFAULT_TIMEOUT; // in milliseconds - private String mSecret; - private int mPageID; - private String mHost; - private long mLastLogin = 0; - private MessageDigest mSHADigest = null; - private Hashtable<String, IAuthToken> mData = null; - private IConfigStore mConfig; - private String mName = null; - private String mImplName = null; - private ILogger mLogger = CMS.getLogger(); - private static Vector<String> mExtendedPluginInfo = null; - private HashAuthData mHosts = null; - - static String[] mConfigParams = - new String[] {}; - - static { - mExtendedPluginInfo = new Vector<String>(); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the username and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwddirauth"); - }; - - /** - * Default constructor, initialization must follow. - */ - public HashAuthentication() { - } - - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - mData = new Hashtable<String, IAuthToken>(); - mHosts = new HashAuthData(); - - try { - mSHADigest = MessageDigest.getInstance("SHA1"); - } catch (NoSuchAlgorithmException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); - } - - } - - public IAuthToken getAuthToken(String key) { - return mData.remove(key); - } - - public void addAuthToken(String pageID, IAuthToken token) { - mData.put(pageID, token); - } - - public void deleteToken(String pageID) { - mData.remove(pageID); - } - - public HashAuthData getData() { - return mHosts; - } - - public void createEntry(String host, String dn, long timeout, - String secret, long lastLogin) { - Vector<Object> v = new Vector<Object>(); - - v.addElement(dn); - v.addElement(Long.valueOf(timeout)); - v.addElement(secret); - v.addElement(Long.valueOf(lastLogin)); - mHosts.put(host, v); - } - - public void disable(String hostname) { - mHosts.remove(hostname); - } - - public String getAgentName(String hostname) { - return mHosts.getAgentName(hostname); - } - - public void setAgentName(String hostname, String agentName) { - mHosts.setAgentName(hostname, agentName); - } - - public boolean isEnable(String hostname) { - return mHosts.containsKey(hostname); - } - - public long getTimeout(String hostname) { - return mHosts.getTimeout(hostname); - } - - public void setTimeout(String hostname, long timeout) { - mHosts.setTimeout(hostname, timeout); - } - - public String getSecret(String hostname) { - return mHosts.getSecret(hostname); - } - - public void setSecret(String hostname, String secret) { - mHosts.setSecret(hostname, secret); - } - - public long getLastLogin(String hostname) { - return mHosts.getLastLogin(hostname); - } - - public void setLastLogin(String hostname, long lastlogin) { - mHosts.setLastLogin(hostname, lastlogin); - } - - public long getPageID() { - Date date = new Date(); - - return date.getTime(); - } - - public void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); - } - - public boolean validFingerprint(String host, String pageID, String uid, String fingerprint) { - String val = hashFingerprint(host, pageID, uid); - - if (val.equals(fingerprint)) - return true; - return false; - } - - public Enumeration<String> getHosts() { - return mHosts.keys(); - } - - public String hashFingerprint(String host, String pageID, String uid) { - byte[] hash = - mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes()); - String b64E = Utils.base64encode(hash); - - return "{SHA}" + b64E; - } - - public void shutdown() { - } - - /** - * Authenticates a user based on uid, pwd in the directory. - * - * @param authCreds The authentication credentials. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. - */ - public IAuthToken authenticate(IAuthCredentials authCreds) - throws EBaseException { - AuthToken token = new AuthToken(this); - String fingerprint = (String) authCreds.get(CRED_FINGERPRINT); - String pageID = (String) authCreds.get(CRED_PAGEID); - String uid = (String) authCreds.get(CRED_UID); - String host = (String) authCreds.get(CRED_HOST); - - if (fingerprint.equals("") || - !validFingerprint(host, pageID, uid, fingerprint)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT")); - throw new EAuthException("Invalid Fingerprint"); - } - - // set uid in the token. - token.set(CRED_UID, uid); - - return token; - } - - /** - * Returns array of required credentials for this authentication manager. - * - * @return Array of required credentials. - */ - public String[] getRequiredCreds() { - return mRequiredCreds; - } - - /** - * Gets the configuration substore used by this authentication manager - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - /** - * gets the name of this authentication manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authentication manager. - */ - public String getImplName() { - return mImplName; - } - - public String[] getExtendedPluginInfo(Locale locale) { - String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); - - return s; - - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java deleted file mode 100644 index 38a3e6fcf..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java +++ /dev/null @@ -1,468 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.util.Enumeration; -import java.util.Locale; -import java.util.Vector; - -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPObjectClassSchema; -import netscape.ldap.LDAPSchema; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv2; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EAuthInternalError; -import com.netscape.certsrv.authentication.EAuthUserError; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.EPropertyNotFound; -import com.netscape.certsrv.base.IArgBlock; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.ldap.ELdapException; -import com.netscape.certsrv.ldap.ILdapConnFactory; -import com.netscape.certsrv.logging.ILogger; - -/** - * uid/pwd directory based authentication manager - * <P> - * - * @version $Revision$, $Date$ - */ -public class PortalEnroll extends DirBasedAuthentication { - - /* configuration parameter keys */ - protected static final String PROP_LDAPAUTH = "ldapauth"; - protected static final String PROP_AUTHTYPE = "authtype"; - protected static final String PROP_BINDDN = "bindDN"; - protected static final String PROP_BINDPW = "bindPW"; - protected static final String PROP_LDAPCONN = "ldapconn"; - protected static final String PROP_HOST = "host"; - protected static final String PROP_PORT = "port"; - protected static final String PROP_SECURECONN = "secureConn"; - protected static final String PROP_VERSION = "version"; - protected static final String PROP_OBJECTCLASS = "objectclass"; - - /* required credentials to authenticate. uid and pwd are strings. */ - public static final String CRED_UID = "uid"; - public static final String CRED_PWD = "userPassword"; - protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD }; - - /* ldap configuration sub-store */ - private IArgBlock argblk = null; - private String mObjectClass = null; - private String mBindDN = null; - private String mBaseDN = null; - private ILdapConnFactory mLdapFactory = null; - private LDAPConnection mLdapConn = null; - - // contains all nested superiors' required attrs in the form of a - // vector of "required" attributes in Enumeration - Vector<Enumeration<String>> mRequiredAttrs = null; - - // contains all nested superiors' optional attrs in the form of a - // vector of "optional" attributes in Enumeration - Vector<Enumeration<String>> mOptionalAttrs = null; - - // contains all the objclasses, including superiors and itself - Vector<String> mObjClasses = null; - - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. - */ - protected static String[] mConfigParams = - new String[] { - PROP_DNPATTERN, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.ldapauth.bindDN", - "ldap.ldapauth.bindPWPrompt", - "ldap.ldapauth.clientCertNickname", - "ldap.ldapauth.authtype", - "ldap.basedn", - "ldap.objectclass", - "ldap.minConns", - "ldap.maxConns", - }; - - /** - * Default constructor, initialization must follow. - */ - public PortalEnroll() - throws EBaseException { - super(); - } - - /** - * Initializes the PortalEnrollment auth manager. - * <p> - * - * @param name - The name for this authentication manager instance. - * @param implName - The name of the authentication manager plugin. - * @param config - The configuration store for this instance. - * @exception EBaseException If an error occurs during initialization. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - super.init(name, implName, config); - - /* Get Bind DN for directory server */ - mConfig = mLdapConfig.getSubStore(PROP_LDAPAUTH); - mBindDN = mConfig.getString(PROP_BINDDN); - if ((mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == "")) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "binddn")); - - /* Get Bind DN for directory server */ - mBaseDN = mLdapConfig.getString(PROP_BASEDN); - if ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN == "")) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); - - /* Get Object clase name for enrollment */ - mObjectClass = mLdapConfig.getString(PROP_OBJECTCLASS); - if (mObjectClass == null || mObjectClass.length() == 0) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "objectclass")); - - /* Get connect parameter */ - mLdapFactory = CMS.getLdapBoundConnFactory(); - mLdapFactory.init(mLdapConfig); - mLdapConn = mLdapFactory.getConn(); - - log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_PORTAL_INIT")); - } - - /** - * Authenticates a user based on uid, pwd in the directory. - * - * @param authCreds The authentication credentials. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. - */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { - String uid = null; - String pwd = null; - String dn = null; - - argblk = authCreds.getArgBlock(); - - // authenticate by binding to ldap server with password. - try { - // get the uid. - uid = (String) authCreds.get(CRED_UID); - if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); - } - - // get the password. - pwd = (String) authCreds.get(CRED_PWD); - if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); - } - if (pwd.equals("")) { - // anonymous binding not allowed - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // get user dn. - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); - - if (res.hasMoreElements()) { - res.nextElement(); // consume the entry - - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", - "UID already exists.")); - } else { - dn = regist(token, uid); - if (dn == null) - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", - "Could not add user " + uid + ".")); - } - - // bind as user dn and pwd - authenticates user with pwd. - conn.authenticate(dn, pwd); - - // set uid in the token. - token.set(CRED_UID, uid); - - log(ILogger.LL_INFO, "portal authentication is done"); - - return dn; - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); - throw e; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", conn.getHost(), Integer.toString(conn.getPort()))); - throw new EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", - "Check Configuration detail.")); - - case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.SERVER_DOWN: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); - } - } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", e.toString())); - throw e; - } - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - public String[] getExtendedPluginInfo(Locale locale) { - String[] s = { - PROP_DNPATTERN + ";string;Template for cert" + - " Subject Name. ($dn.xxx - get value from user's LDAP " + - "DN. $attr.yyy - get value from LDAP attributes in " + - "user's entry.) Default: " + DEFAULT_DNPATTERN, - "ldap.ldapconn.host;string,required;" + "LDAP host to connect to", - "ldap.ldapconn.port;number,required;" + "LDAP port number (default 389, or 636 if SSL)", - "ldap.objectclass;string,required;SEE DOCUMENTATION for Object Class. " - + "Default is inetOrgPerson.", - "ldap.ldapconn.secureConn;boolean;" + "Use SSL to connect to directory?", - "ldap.ldapconn.version;choice(3,2);" + "LDAP protocol version", - "ldap.ldapauth.bindDN;string,required;DN to bind as for Directory Manager. " - + "For example 'CN=Directory Manager'", - "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + - "the above user", - "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth);" - + "How to bind to the directory (for pin removal only)", - "ldap.ldapauth.clientCertNickname;string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here", - "ldap.basedn;string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here", - "ldap.minConns;number;number of connections " + - "to keep open to directory server", - "ldap.maxConns;number;when needed, connection " + - "pool can grow to this many connections", - IExtendedPluginInfo.HELP_TEXT + - ";This authentication plugin checks to see if a user " + - "exists in the directory. If not, then the user is created " + - "with the requested password.", - IExtendedPluginInfo.HELP_TOKEN + ";configuration-authrules-portalauth" - }; - - return s; - } - - /** - * Returns array of required credentials for this authentication manager. - * - * @return Array of required credentials. - */ - public String[] getRequiredCreds() { - return mRequiredCreds; - } - - /** - * adds a user to the directory. - * - * @return dn upon success and null upon failure. - * @param token authentication token - * @param uid the user's id. - */ - public String regist(AuthToken token, String uid) { - String dn = "uid=" + uid + "," + mBaseDN; - - /* Specify the attributes of the entry */ - Vector<String> objectclass_values = null; - - LDAPAttributeSet attrs = new LDAPAttributeSet(); - LDAPAttribute attr = new LDAPAttribute("objectclass"); - - // initialized to new - mRequiredAttrs = new Vector<Enumeration<String>>(); - mOptionalAttrs = new Vector<Enumeration<String>>(); - mObjClasses = new Vector<String>(); - - LDAPSchema dirSchema = null; - - try { - - /* Construct a new LDAPSchema object to hold - the schema that you want to retrieve. */ - dirSchema = new LDAPSchema(); - - /* Get the schema from the Directory. Anonymous access okay. */ - dirSchema.fetchSchema(mLdapConn); - } catch (LDAPException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - } - // complete mRequiredAttrs, mOptionalAttrs, and mObjClasses - initLdapAttrs(dirSchema, mObjectClass); - - objectclass_values = mObjClasses; - for (int i = objectclass_values.size() - 1; i >= 0; i--) - attr.addValue((String) objectclass_values.elementAt(i)); - attrs.add(attr); - - Enumeration<Enumeration<String>> objClasses = mRequiredAttrs.elements(); - Enumeration<String> attrnames = null; - - while (objClasses.hasMoreElements()) { - attrnames = objClasses.nextElement(); - CMS.debug("PortalEnroll: Required attrs:"); - while (attrnames.hasMoreElements()) { - String attrname = attrnames.nextElement(); - String attrval = null; - - CMS.debug("PortalEnroll: attrname is: " + attrname); - if (attrname.equalsIgnoreCase("objectclass") == true) - continue; - try { - attrval = (String) argblk.getValueAsString(attrname); - } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) - continue; - } - - CMS.debug("PortalEnroll: " + attrname + " = " + attrval); - attrs.add(new LDAPAttribute(attrname, attrval)); - } - - } - - objClasses = mOptionalAttrs.elements(); - attrnames = null; - - while (objClasses.hasMoreElements()) { - attrnames = objClasses.nextElement(); - CMS.debug("PortalEnroll: Optional attrs:"); - while (attrnames.hasMoreElements()) { - String attrname = attrnames.nextElement(); - String attrval = null; - - CMS.debug("PortalEnroll: attrname is: " + attrname); - try { - attrval = (String) argblk.getValueAsString(attrname); - } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) - continue; - } - CMS.debug("PortalEnroll: " + attrname + " = " + attrval); - if (attrval != null) { - attrs.add(new LDAPAttribute(attrname, attrval)); - } - } - } - - /* Create an entry with this DN and these attributes */ - LDAPEntry entry = new LDAPEntry(dn, attrs); - - try { - - /* Now add the entry to the directory */ - mLdapConn.add(entry); - } catch (LDAPException e) { - if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - } else - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - return null; - } - - log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_REGISTRATION_DONE")); - - return dn; - } - - /* - * get the superiors of "inetOrgPerson" so the "required - * attributes", "optional qttributes", and "object classes" are complete; - * should build up - * mRequiredAttrs, mOptionalAttrs, and mObjClasses when returned - */ - @SuppressWarnings("unchecked") - public void initLdapAttrs(LDAPSchema dirSchema, String oclass) { - CMS.debug("PortalEnroll: in initLdapAttrsAttrs"); - mObjClasses.addElement(oclass); - if (oclass.equalsIgnoreCase("top")) - return; - - try { - - /* Get and print the def. of the object class. */ - LDAPObjectClassSchema objClass = dirSchema.getObjectClass(oclass); - - if (objClass != null) { - mRequiredAttrs.add(objClass.getRequiredAttributes()); - mOptionalAttrs.add(objClass.getOptionalAttributes()); - } else { - return; - } - - CMS.debug("PortalEnroll: getting superiors for: " + oclass); - String superiors[] = objClass.getSuperiors(); - - CMS.debug("PortalEnroll: got superiors, superiors.length=" + superiors.length); - if (superiors.length == 0) - return; - for (int i = 0; i < superiors.length; i++) { - CMS.debug("Portalenroll: superior" + i + "=" + superiors[i]); - objClass = dirSchema.getObjectClass(superiors[i]); - initLdapAttrs(dirSchema, superiors[i]); - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - } - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java deleted file mode 100644 index 722aefbc3..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java +++ /dev/null @@ -1,232 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.io.IOException; -import java.io.PushbackReader; -import java.io.StringReader; -import java.util.Vector; - -import netscape.ldap.LDAPEntry; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.base.EBaseException; - -/** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn. - * <p> - * - * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If - * empty or not set, the ldap entry DN will be used as the certificate subject name. - * <p> - * - * The syntax is - * - * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] - * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number - * </pre> - * - * <pre> - * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> - * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example2: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * E=jjames@acme.org, CN=Jesse James, OU=people, O=acme.org, C=US - * <p> - * E = the first 'mail' ldap attribute value in user's entry. <br> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * <pre> - * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=IS+OU=people, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * followed by the second RDN in the user's entry DN. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * Example4: <i>CN=$attr.cn, OU=$dn.ou.2+OU=$dn.ou.1, O=$dn.o, C=US</i> - * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org - * Ldap attributes: cn: Jesse James - * Ldap attributes: mail: jjames@acme.org - * <p> - * The subject name formulated will be : <br> - * CN=Jesse James, OU=people+OU=IS, O=acme.org, C=US - * <p> - * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> - * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> - * O = the (first) 'o' value in the user's entry DN. <br> - * C = the string "US" - * <p> - * </pre> - * - * If an attribute or subject DN component does not exist the attribute is skipped. - * - * @version $Revision$, $Date$ - */ -class RDNPattern { - - /* ldap attributes needed by this RDN (to retrieve from ldap) */ - private String[] mLdapAttrs = null; - - /* AVA patterns */ - protected AVAPattern[] mAVAPatterns = null; - - /* original pattern string */ - protected String mPatternString = null; - - protected String mTestDN = null; - - /** - * Construct a DN pattern by parsing a pattern string. - * - * @param pattenr the DN pattern - * @exception EBaseException If parsing error occurs. - */ - public RDNPattern(String pattern) - throws EAuthException { - if (pattern == null || pattern.equals("")) { - // create an attribute list that is the dn. - mLdapAttrs = new String[] { "dn" }; - } else { - mPatternString = pattern; - PushbackReader in = new PushbackReader(new StringReader(pattern)); - - parse(in); - } - } - - /** - * Construct a DN pattern from a input stream of pattern - */ - public RDNPattern(PushbackReader in) - throws EAuthException { - parse(in); - } - - private void parse(PushbackReader in) - throws EAuthException { - //System.out.println("_________ begin rdn _________"); - Vector<AVAPattern> avaPatterns = new Vector<AVAPattern>(); - AVAPattern avaPattern = null; - int lastChar; - - do { - avaPattern = new AVAPattern(in); - avaPatterns.addElement(avaPattern); - //System.out.println("added AVAPattern"+ - //" mType "+avaPattern.mType+ - //" mAttr "+avaPattern.mAttr+ - //" mValue "+avaPattern.mValue+ - //" mElement "+avaPattern.mElement); - try { - lastChar = in.read(); - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - } while (lastChar == '+'); - - if (lastChar != -1) { - try { - in.unread(lastChar); // pushback last , - } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); - } - } - - mAVAPatterns = new AVAPattern[avaPatterns.size()]; - avaPatterns.copyInto(mAVAPatterns); - - Vector<String> ldapAttrs = new Vector<String>(); - - for (int i = 0; i < mAVAPatterns.length; i++) { - String avaAttr = mAVAPatterns[i].getLdapAttr(); - - if (avaAttr == null || avaAttr.length() == 0) - continue; - ldapAttrs.addElement(avaAttr); - } - mLdapAttrs = new String[ldapAttrs.size()]; - ldapAttrs.copyInto(mLdapAttrs); - } - - /** - * Form a Ldap v3 DN string from results of a ldap search. - * - * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. - */ - public String formRDN(LDAPEntry entry) - throws EAuthException { - StringBuffer formedRDN = new StringBuffer(); - - for (int i = 0; i < mAVAPatterns.length; i++) { - if (mTestDN != null) - mAVAPatterns[i].mTestDN = mTestDN; - String ava = mAVAPatterns[i].formAVA(entry); - - if (ava != null && ava.length() > 0) { - if (formedRDN.length() != 0) - formedRDN.append("+"); - formedRDN.append(ava); - } - } - //System.out.println("formed RDN "+formedRDN.toString()); - return formedRDN.toString(); - } - - public String[] getLdapAttrs() { - return (String[]) mLdapAttrs.clone(); - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java deleted file mode 100644 index 35c23bd0f..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java +++ /dev/null @@ -1,358 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2008 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.security.Principal; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.Enumeration; -import java.util.Locale; -import java.util.StringTokenizer; - -import netscape.security.x509.BasicConstraintsExtension; -import netscape.security.x509.X509CertImpl; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authentication.ISSLClientCertProvider; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.usrgrp.Certificates; - -/** - * Certificate server SSL client authentication. - * - * @author Christina Fu - * <P> - * - */ -public class SSLclientCertAuthentication implements IAuthManager, - IProfileAuthenticator { - - /* result auth token attributes */ - public static final String TOKEN_USERDN = "user"; - public static final String TOKEN_USER_DN = "userdn"; - public static final String TOKEN_USERID = "userid"; - public static final String TOKEN_UID = "uid"; - - /* required credentials */ - public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT; - protected String[] mRequiredCreds = { CRED_CERT }; - - /* config parameters to pass to console (none) */ - protected static String[] mConfigParams = null; - - private String mName = null; - private String mImplName = null; - private IConfigStore mConfig = null; - - private ILogger mLogger = CMS.getLogger(); - - private IConfigStore mRevocationChecking = null; - private String mRequestor = null; - - public SSLclientCertAuthentication() { - } - - /** - * initializes the SSLClientCertAuthentication auth manager - * <p> - * called by AuthSubsystem init() method, when initializing all available authentication managers. - * - * @param name The name of this authentication manager instance. - * @param implName The name of the authentication manager plugin. - * @param config The configuration store for this authentication manager. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - } - - /** - * Gets the name of this authentication manager. - */ - public String getName() { - return mName; - } - - /** - * Gets the plugin name of authentication manager. - */ - public String getImplName() { - return mImplName; - } - - public boolean isSSLClientRequired() { - return true; - } - - /** - * authenticates user by certificate - * <p> - * called by other subsystems or their servlets to authenticate users - * - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) - * @return the authentication token that contains the following - * - * @exception EMissingCredential If a required credential for this - * authentication manager is missing. - * @exception EInvalidCredentials If credentials cannot be authenticated. - * @exception EBaseException If an internal error occurred. - * @see com.netscape.certsrv.authentication.AuthToken - * @see com.netscape.certsrv.usrgrp.Certificates - */ - public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - - CMS.debug("SSLclientCertAuthentication: start"); - CMS.debug("authenticator instance name is " + getName()); - - // force SSL handshake - SessionContext context = SessionContext.getExistingContext(); - ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); - - if (provider == null) { - CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - CMS.debug("SSLclientCertAuthentication: got provider"); - CMS.debug("SSLclientCertAuthentication: retrieving client certificate"); - X509Certificate[] allCerts = provider.getClientCertificateChain(); - - if (allCerts == null) { - CMS.debug("SSLclientCertAuthentication: No SSL Client Certs Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - CMS.debug("SSLclientCertAuthentication: got certificates"); - - // retreive certificate from socket - AuthToken authToken = new AuthToken(this); - X509Certificate[] x509Certs = allCerts; - - // default certificate default has bugs in version - // version(3) is returned as 3, which should be 2 - X509CertImpl ci[] = new X509CertImpl[x509Certs.length]; - - X509Certificate clientCert = null; - try { - for (int i = 0; i < x509Certs.length; i++) { - ci[i] = new X509CertImpl(x509Certs[i].getEncoded()); - // find out which one is the leaf cert - clientCert = ci[i]; - - byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); - // try to see if this is a leaf cert - // look for BasicConstraint extension - if (extBytes == null) { - // found leaf cert - CMS.debug("SSLclientCertAuthentication: authenticate: found leaf cert"); - break; - } else { - CMS.debug("SSLclientCertAuthentication: authenticate: found cert having BasicConstraints ext"); - // it's got BasicConstraints extension - // so it's not likely to be a leaf cert, - // however, check the isCA field regardless - try { - BasicConstraintsExtension bce = - new BasicConstraintsExtension(true, extBytes); - if (bce != null) { - if (!(Boolean) bce.get("is_ca")) { - CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); - break; - } // else found a ca cert, continue - } - } catch (Exception e) { - CMS.debug("SSLclientCertAuthentication: authenticate: exception:" + - e.toString()); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } - } - if (clientCert == null) { - CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } catch (CertificateException e) { - CMS.debug(e.toString()); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // check if certificate(s) is revoked - boolean checkRevocation = true; - try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); - } catch (EBaseException e) { - // do nothing; default to true - } - if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("SSLclientCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } - Certificates certs = new Certificates(ci); - Principal p_dn = clientCert.getSubjectDN(); - authToken.set(TOKEN_USERDN, p_dn.getName()); - authToken.set("userdn", p_dn.getName()); - String uid = getUidFromDN(p_dn.getName()); - if (uid != null) { - authToken.set(TOKEN_UID, uid); - authToken.set(TOKEN_USERID, uid); - } - /* - authToken.set(TOKEN_USER_DN, user.getUserDN()); - authToken.set(TOKEN_USERID, user.getUserID()); - authToken.set(TOKEN_UID, user.getUserID()); - authToken.set(TOKEN_GROUP, groupname); - */ - authToken.set(CRED_CERT, certs); - - CMS.debug("SSLclientCertAuthentication: authenticated "); - - return authToken; - } - - String getUidFromDN(String userdn) { - StringTokenizer st = new StringTokenizer(userdn, ","); - while (st.hasMoreTokens()) { - String t = st.nextToken(); - int i = t.indexOf("="); - - if (i == -1) { - continue; - } - String n = t.substring(0, i); - if (n.equalsIgnoreCase("uid")) { - String v = t.substring(i + 1); - CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:" + v); - return v; - } else { - continue; - } - } - return null; - } - - /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) - * - * @return attribute names in Vector - */ - public String[] getRequiredCreds() { - return (mRequiredCreds); - } - - /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * prepare this authentication manager for shutdown. - */ - public void shutdown() { - } - - /** - * gets the configuretion substore used by this authentication - * manager - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_SSL_CLIENT_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_SSL_CLIENT_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - return null; - } - - public boolean isValueWriteable(String name) { - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(TOKEN_USERDN)); - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString("userDN")); - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java deleted file mode 100644 index 7a0784c53..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java +++ /dev/null @@ -1,38 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.math.BigInteger; - -import org.mozilla.jss.pkix.cmc.PKIData; - -import com.netscape.certsrv.authentication.ISharedToken; - -public class SharedSecret implements ISharedToken { - - public SharedSecret() { - } - - public String getSharedToken(PKIData cmcdata) { - return "testing"; - } - - public String getSharedToken(BigInteger serial) { - return "testing"; - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java deleted file mode 100644 index f8e0669e9..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java +++ /dev/null @@ -1,304 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -import java.io.ByteArrayInputStream; -import java.util.Enumeration; -import java.util.Locale; -import java.util.Vector; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthManager; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.usrgrp.IUGSubsystem; -import com.netscape.cmsutil.http.HttpClient; -import com.netscape.cmsutil.http.HttpRequest; -import com.netscape.cmsutil.http.HttpResponse; -import com.netscape.cmsutil.http.JssSSLSocketFactory; -import com.netscape.cmsutil.xml.XMLObject; - -/** - * Token authentication. - * Checked if the given token is valid. - * <P> - * - * @version $Revision$, $Date$ - */ -public class TokenAuthentication implements IAuthManager, - IProfileAuthenticator { - - /* result auth token attributes */ - public static final String TOKEN_UID = "uid"; - public static final String TOKEN_GID = "gid"; - - /* required credentials */ - public static final String CRED_SESSION_ID = IAuthManager.CRED_SESSION_ID; - protected String[] mRequiredCreds = { CRED_SESSION_ID }; - - /* config parameters to pass to console (none) */ - protected static String[] mConfigParams = null; - - private String mName = null; - private String mImplName = null; - private IConfigStore mConfig = null; - - private IUGSubsystem mUGSub = null; - private ILogger mLogger = CMS.getLogger(); - - public TokenAuthentication() { - } - - /** - * initializes the TokenAuthentication auth manager - * <p> - * called by AuthSubsystem init() method, when initializing all available authentication managers. - * - * @param name The name of this authentication manager instance. - * @param implName The name of the authentication manager plugin. - * @param config The configuration store for this authentication manager. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - - mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - } - - /** - * Gets the name of this authentication manager. - */ - public String getName() { - return mName; - } - - /** - * Gets the plugin name of authentication manager. - */ - public String getImplName() { - return mImplName; - } - - public boolean isSSLClientRequired() { - return false; - } - - /** - * authenticates user(agent) by certificate - * <p> - * called by other subsystems or their servlets to authenticate users (agents) - * - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) - * @return the authentication token that contains the following - * @exception EMissingCredential If a required credential for this - * authentication manager is missing. - * @exception EInvalidCredentials If credentials cannot be authenticated. - * @exception EBaseException If an internal error occurred. - * @see com.netscape.certsrv.authentication.AuthToken - * @see com.netscape.certsrv.usrgrp.Certificates - */ - public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - - CMS.debug("TokenAuthentication: start"); - - // force SSL handshake - SessionContext context = SessionContext.getExistingContext(); - - // retreive certificate from socket - AuthToken authToken = new AuthToken(this); - - // get group name from configuration file - IConfigStore sconfig = CMS.getConfigStore(); - - String sessionId = (String) authCred.get(CRED_SESSION_ID); - String givenHost = (String) authCred.get("clientHost"); - String auth_host = sconfig.getString("securitydomain.host"); - int auth_port = sconfig.getInteger("securitydomain.httpseeport"); - - HttpClient httpclient = new HttpClient(); - String c = null; - try { - JssSSLSocketFactory factory = new JssSSLSocketFactory(); - httpclient = new HttpClient(factory); - String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost; - CMS.debug("TokenAuthentication: content=" + content); - httpclient.connect(auth_host, auth_port); - HttpRequest httprequest = new HttpRequest(); - httprequest.setMethod(HttpRequest.POST); - httprequest.setURI("/ca/ee/ca/tokenAuthenticate"); - httprequest.setHeader("user-agent", "HTTPTool/1.0"); - httprequest.setHeader("content-length", "" + content.length()); - httprequest.setHeader("content-type", - "application/x-www-form-urlencoded"); - httprequest.setContent(content); - HttpResponse httpresponse = httpclient.send(httprequest); - - c = httpresponse.getContent(); - } catch (Exception e) { - CMS.debug("TokenAuthentication authenticate Exception=" + e.toString()); - } - - if (c != null) { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); - XMLObject parser = null; - - try { - parser = new XMLObject(bis); - } catch (Exception e) { - CMS.debug("TokenAuthentication::authenticate() - " - + "Exception=" + e.toString()); - throw new EBaseException(e.toString()); - } - String status = parser.getValue("Status"); - - CMS.debug("TokenAuthentication: status=" + status); - if (!status.equals("0")) { - String error = parser.getValue("Error"); - throw new EBaseException(error); - } - - String uid = parser.getValue("uid"); - String gid = parser.getValue("gid"); - - authToken.set(TOKEN_UID, uid); - authToken.set(TOKEN_GID, gid); - - if (context != null) { - CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid); - context.put(SessionContext.USER_ID, uid); - context.put(SessionContext.GROUP_ID, gid); - } - - CMS.debug("TokenAuthentication: authenticated uid=" + uid + ", gid=" + gid); - } catch (EBaseException e) { - throw e; - } catch (Exception e) { - } - } - - return authToken; - } - - /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) - * - * @return attribute names in Vector - */ - public String[] getRequiredCreds() { - return (mRequiredCreds); - } - - /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * prepare this authentication manager for shutdown. - */ - public void shutdown() { - } - - /** - * gets the configuretion substore used by this authentication - * manager - * - * @return configuration store - */ - public IConfigStore getConfigStore() { - return mConfig; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - Vector<String> v = new Vector<String>(); - - v.addElement(CRED_SESSION_ID); - return v.elements(); - } - - public boolean isValueWriteable(String name) { - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java deleted file mode 100644 index c9fbbf9ac..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java +++ /dev/null @@ -1,189 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPException; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.ldap.ELdapException; -import com.netscape.certsrv.logging.ILogger; - -/** - * udn/pwd directory based authentication manager - * <P> - * - * @version $Revision$, $Date$ - */ -public class UdnPwdDirAuthentication extends DirBasedAuthentication { - - /* required credentials to authenticate. udn and pwd are strings. */ - public static final String CRED_UDN = "udn"; - public static final String CRED_PWD = "pwd"; - protected static String[] mRequiredCreds = { CRED_UDN, CRED_PWD }; - - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. - */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.minConns", - "ldap.maxConns", - }; - - static { - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the user distinguished name and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); - }; - - /** - * Default constructor, initialization must follow. - */ - public UdnPwdDirAuthentication() { - super(); - } - - /** - * Initializes the UdnPwdDirAuthentication auth manager. - * <p> - * - * @param name - The name for this authentication manager instance. - * @param implName - The name of the authentication manager plugin. - * @param config - The configuration store for this instance. - * @exception EBaseException If an error occurs during initialization. - */ - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - super.init(name, implName, config, false); - } - - /** - * Authenticates a user based on udn, pwd in the directory. - * - * @param authCreds The authentication credentials. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the udn and password are not valid - * @exception EBaseException If an internal error occurs. - */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { - String userdn = null; - - // authenticate by binding to ldap server with password. - try { - // get the udn. - userdn = (String) authCreds.get(CRED_UDN); - if (userdn == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN)); - } - - // get the password. - String pwd = (String) authCreds.get(CRED_PWD); - - if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); - } - if (pwd.equals("")) { - // anonymous binding not allowed - log(ILogger.LL_FAILURE, - "user " + userdn + " attempted login with empty password."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // bind as user dn and pwd - authenticates user with pwd. - conn.authenticate(userdn, pwd); - // set userdn in the token. - token.set(CRED_UDN, userdn); - - return userdn; - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, - "Couldn't get ldap connection. Error: " + e.toString()); - throw e; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, - "user " + userdn + " does not exist in ldap server host " + - conn.getHost() + ", port " + conn.getPort() + "."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, - "authenticate user " + userdn + " with bad password."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.SERVER_DOWN: - log(ILogger.LL_FAILURE, "Ldap server is down."); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, - "Ldap error encountered. " + e.getMessage()); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); - } - } - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * Returns array of required credentials for this authentication manager. - * - * @return Array of required credentials. - */ - public String[] getRequiredCreds() { - return mRequiredCreds; - } - -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java deleted file mode 100644 index d4a9de108..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java +++ /dev/null @@ -1,269 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.util.Enumeration; -import java.util.Locale; -import java.util.Vector; - -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv2; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.ldap.ELdapException; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.Descriptor; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; - -/** - * uid/pwd directory based authentication manager - * <P> - * - * @version $Revision$, $Date$ - */ -public class UidPwdDirAuthentication extends DirBasedAuthentication - implements IProfileAuthenticator { - - /* required credentials to authenticate. uid and pwd are strings. */ - public static final String CRED_UID = "uid"; - public static final String CRED_PWD = "pwd"; - protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD }; - - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. - */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", - }; - - static { - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the username and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwddirauth"); - }; - - /** - * Default constructor, initialization must follow. - */ - public UidPwdDirAuthentication() { - super(); - } - - /** - * Authenticates a user based on uid, pwd in the directory. - * - * @param authCreds The authentication credentials. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. - */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { - String userdn = null; - String uid = null; - - // authenticate by binding to ldap server with password. - try { - // get the uid. - uid = (String) authCreds.get(CRED_UID); - CMS.debug("Authenticating UID=" + uid); - if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); - } - - // get the password. - String pwd = (String) authCreds.get(CRED_PWD); - - if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); - } - if (pwd.equals("")) { - // anonymous binding not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // get user dn. - CMS.debug("Authenticating: Searching for UID=" + uid + - " base DN=" + mBaseDN); - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); - - if (res.hasMoreElements()) { - //LDAPEntry entry = (LDAPEntry)res.nextElement(); - LDAPEntry entry = res.next(); - - userdn = entry.getDN(); - CMS.debug("Authenticating: Found User DN=" + userdn); - } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // bind as user dn and pwd - authenticates user with pwd. - conn.authenticate(userdn, pwd); - // set uid in the token. - token.set(CRED_UID, uid); - - return userdn; - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); - throw e; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.SERVER_DOWN: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); - } - } - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * Returns array of required credentials for this authentication manager. - * - * @return Array of required credentials. - */ - public String[] getRequiredCreds() { - return mRequiredCreds; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - Vector<String> v = new Vector<String>(); - - v.addElement(CRED_UID); - v.addElement(CRED_PWD); - return v.elements(); - } - - public boolean isValueWriteable(String name) { - if (name.equals(CRED_UID)) { - return true; - } else if (name.equals(CRED_PWD)) { - return false; - } - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - if (name.equals(CRED_UID)) { - return new Descriptor(IDescriptor.STRING, null, null, - CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); - } else if (name.equals(CRED_PWD)) { - return new Descriptor(IDescriptor.PASSWORD, null, null, - CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); - - } - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(USER_DN)); - } - - public boolean isSSLClientRequired() { - return false; - } -} diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java deleted file mode 100644 index 880b7c767..000000000 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java +++ /dev/null @@ -1,464 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.authentication; - -// ldap java sdk -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Enumeration; -import java.util.Locale; -import java.util.Vector; - -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv2; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.EAuthException; -import com.netscape.certsrv.authentication.EInvalidCredentials; -import com.netscape.certsrv.authentication.EMissingCredential; -import com.netscape.certsrv.authentication.IAuthCredentials; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.ldap.ELdapException; -import com.netscape.certsrv.ldap.ILdapConnFactory; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.property.Descriptor; -import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.IRequest; - -/** - * uid/pwd/pin directory based authentication manager - * <P> - * - * @version $Revision$, $Date$ - */ -public class UidPwdPinDirAuthentication extends DirBasedAuthentication - implements IExtendedPluginInfo, IProfileAuthenticator { - - /* required credentials to authenticate. uid and pwd are strings. */ - public static final String CRED_UID = "uid"; - public static final String CRED_PWD = "pwd"; - public static final String CRED_PIN = "pin"; - protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD, CRED_PIN }; - - public static final String PROP_REMOVE_PIN = "removePin"; - public static final String PROP_PIN_ATTR = "pinAttr"; - - public static final boolean DEF_REMOVE_PIN = false; - public static final String DEF_PIN_ATTR = "pin"; - - protected static final byte SENTINEL_SHA = 0; - protected static final byte SENTINEL_MD5 = 1; - protected static final byte SENTINEL_NONE = 0x2d; - - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. - */ - protected static String[] mConfigParams = - new String[] { PROP_REMOVE_PIN, - PROP_PIN_ATTR, - PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.ldapauth.bindDN", - "ldap.ldapauth.bindPWPrompt", - "ldap.ldapauth.clientCertNickname", - "ldap.ldapauth.authtype", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", - }; - - static { - mExtendedPluginInfo.add( - PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal"); - mExtendedPluginInfo.add( - PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')"); - mExtendedPluginInfo.add( - "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. " - + "For example 'CN=PinRemoval User'"); - mExtendedPluginInfo.add( - "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + - "the above user"); - mExtendedPluginInfo.add( - "ldap.ldapauth.clientCertNickname;string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here"); - mExtendedPluginInfo.add( - "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" - + "How to bind to the directory (for pin removal only)"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT - + ";Authenticate the username, password and pin provided " - + "by the user against an LDAP directory. Works with the " - + "Dir/Pin Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwdpindirauth"); - - } - - protected boolean mRemovePin = DEF_REMOVE_PIN; - protected String mPinAttr = DEF_PIN_ATTR; - protected MessageDigest mSHADigest = null; - protected MessageDigest mMD5Digest = null; - - private String mBindDN = null; - private String mBindPassword = null; - - private ILdapConnFactory removePinLdapFactory = null; - private LDAPConnection removePinLdapConnection = null; - private IConfigStore removePinLdapConfigStore = null; - - /** - * Default constructor, initialization must follow. - */ - public UidPwdPinDirAuthentication() { - super(); - } - - public void init(String name, String implName, IConfigStore config) - throws EBaseException { - super.init(name, implName, config); - mRemovePin = - config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN); - mPinAttr = - config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR); - if (mPinAttr.equals("")) { - mPinAttr = DEF_PIN_ATTR; - } - - if (mRemovePin) { - removePinLdapConfigStore = config.getSubStore("ldap"); - removePinLdapFactory = CMS.getLdapBoundConnFactory(); - removePinLdapFactory.init(removePinLdapConfigStore); - removePinLdapConnection = removePinLdapFactory.getConn(); - } - - try { - mSHADigest = MessageDigest.getInstance("SHA1"); - mMD5Digest = MessageDigest.getInstance("MD5"); - } catch (NoSuchAlgorithmException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); - } - - } - - protected void verifyPassword(String Password) { - } - - /** - * Authenticates a user based on its uid, pwd, pin in the directory. - * - * @param authCreds The authentication credentials with uid, pwd, pin. - * @return The user's ldap entry dn. - * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. - */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { - String userdn = null; - String uid = null; - String pwd = null; - String pin = null; - - try { - // get the uid. - uid = (String) authCreds.get(CRED_UID); - if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); - } - - // get the password. - pwd = (String) authCreds.get(CRED_PWD); - if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); - } - if (pwd.equals("")) { - // anonymous binding not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // get the pin. - pin = (String) authCreds.get(CRED_PIN); - if (pin == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN)); - } - if (pin.equals("")) { - // empty pin not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // get user dn. - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); - - if (res.hasMoreElements()) { - LDAPEntry entry = (LDAPEntry) res.nextElement(); - - userdn = entry.getDN(); - } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // bind as user dn and pwd - authenticates user with pwd. - conn.authenticate(userdn, pwd); - - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid)); - // log(ILogger.LL_SECURITY, "found user : " + userdn); - - // check pin. - checkpin(conn, userdn, uid, pin); - - // set uid in the token. - token.set(CRED_UID, uid); - - return userdn; - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); - throw e; - } catch (LDAPException e) { - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - case LDAPException.SERVER_DOWN: - log(ILogger.LL_SECURITY, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); - } - } - } - - protected void checkpin(LDAPConnection conn, String userdn, - String uid, String pin) - throws EBaseException, LDAPException { - LDAPSearchResults res = null; - LDAPEntry entry = null; - - // get pin. - - res = conn.search(userdn, LDAPv2.SCOPE_BASE, - "(objectclass=*)", new String[] { mPinAttr }, false); - if (res.hasMoreElements()) { - entry = (LDAPEntry) res.nextElement(); - } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - LDAPAttribute pinAttr = entry.getAttribute(mPinAttr); - - if (pinAttr == null) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - @SuppressWarnings("unchecked") - Enumeration<byte[]> pinValues = pinAttr.getByteValues(); - - if (!pinValues.hasMoreElements()) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - byte[] entrypin = pinValues.nextElement(); - - // compare value digest. - - if (entrypin == null || entrypin.length < 2) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - byte hashtype = entrypin[0]; - - byte[] pinDigest = null; - String toBeDigested = userdn + pin; - - if (hashtype == SENTINEL_SHA) { - - pinDigest = mSHADigest.digest(toBeDigested.getBytes()); - } else if (hashtype == SENTINEL_MD5) { - pinDigest = mMD5Digest.digest(toBeDigested.getBytes()); - } else if (hashtype == SENTINEL_NONE) { - pinDigest = toBeDigested.getBytes(); - } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - if (pinDigest.length != (entrypin.length - 1)) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - int i; - - for (i = 0; i < (entrypin.length - 1); i++) { - if (pinDigest[i] != entrypin[i + 1]) - break; - } - if (i != (entrypin.length - 1)) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - - // pin ok. remove pin if so configured - // Note that this means that a policy may reject this request later, - // but the user will not be able to enroll again as his pin is gone. - - // We remove the pin using a different connection which is bound as - // a more privileged user. - - if (mRemovePin) { - - try { - removePinLdapConnection.modify(userdn, - new LDAPModification( - LDAPModification.DELETE, - new LDAPAttribute(mPinAttr, entrypin))); - - } catch (LDAPException e) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn)); - } - - } - } - - /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * - * @return String array of configuration parameter names. - */ - public String[] getConfigParams() { - return (mConfigParams); - } - - /** - * Returns array of required credentials for this authentication manager. - * - * @return Array of required credentials. - */ - public String[] getRequiredCreds() { - return mRequiredCreds; - } - - // Profile-related methods - - public void init(IProfile profile, IConfigStore config) - throws EProfileException { - } - - /** - * Retrieves the localizable name of this policy. - */ - public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME"); - } - - /** - * Retrieves the localizable description of this policy. - */ - public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT"); - } - - /** - * Retrieves a list of names of the value parameter. - */ - public Enumeration<String> getValueNames() { - Vector<String> v = new Vector<String>(); - - v.addElement(CRED_UID); - v.addElement(CRED_PWD); - v.addElement(CRED_PIN); - return v.elements(); - } - - public boolean isValueWriteable(String name) { - if (name.equals(CRED_UID)) { - return true; - } else if (name.equals(CRED_PWD)) { - return false; - } - return false; - } - - /** - * Retrieves the descriptor of the given value - * parameter by name. - */ - public IDescriptor getValueDescriptor(Locale locale, String name) { - if (name.equals(CRED_UID)) { - return new Descriptor(IDescriptor.STRING, null, null, - CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); - } else if (name.equals(CRED_PWD)) { - return new Descriptor(IDescriptor.PASSWORD, null, null, - CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); - } else if (name.equals(CRED_PIN)) { - return new Descriptor(IDescriptor.PASSWORD, null, null, - CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PIN")); - - } - return null; - } - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(USER_DN)); - } - - public boolean isSSLClientRequired() { - return false; - } -} |