summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
diff options
context:
space:
mode:
authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-07-27 19:03:40 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-07-27 19:03:40 +0000
commit2eb3243de06f1589991da47bfde6271e0d80abe6 (patch)
tree8168ed24525ffd35989d54bd6dd81471d5df0b08 /pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
parent9f8b12b0400f654f8b3f10ddbd731735c1d45607 (diff)
downloadpki-2eb3243de06f1589991da47bfde6271e0d80abe6.tar.gz
pki-2eb3243de06f1589991da47bfde6271e0d80abe6.tar.xz
pki-2eb3243de06f1589991da47bfde6271e0d80abe6.zip
merge 8.1 -> tip, multiple bugs (base)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1134 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java322
1 files changed, 270 insertions, 52 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index d4f3d1dee..25059cac5 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -75,13 +75,41 @@ public class TokenServlet extends CMSServlet {
private final static String
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5";
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3";
- private final static String
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5";
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7";
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8";
+
/**
* Constructs tks servlet.
*/
@@ -209,7 +237,10 @@ public class TokenServlet extends CMSServlet {
byte[] xcard_challenge, xhost_challenge;
byte[] enc_session_key, xkeyInfo;
String auditMessage = null;
-
+ String errorMsg = "";
+ String badParams = "";
+
+ String rCUID = req.getParameter("CUID");
String keySet = req.getParameter("keySet");
if (keySet == null || keySet.equals("")) {
keySet = "defKeySet";
@@ -231,6 +262,22 @@ public class TokenServlet extends CMSServlet {
enc_session_key = null;
// kek_session_key = null;
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId);
+
+ audit(auditMessage);
+
String kek_wrapped_desKeyString = null;
String keycheck_s = null;
@@ -255,32 +302,27 @@ public class TokenServlet extends CMSServlet {
String rcard_challenge = req.getParameter("card_challenge");
String rhost_challenge = req.getParameter("host_challenge");
String rKeyInfo = req.getParameter("KeyInfo");
- String rCUID = req.getParameter("CUID");
String rcard_cryptogram = req.getParameter("card_cryptogram");
if ((rCUID == null) || (rCUID.equals(""))) {
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
+ badParams += " CUID,";
missingParam = true;
}
- SessionContext sContext = SessionContext.getContext();
-
- String agentId="";
- if (sContext != null) {
- agentId =
- (String) sContext.get(SessionContext.USER_ID);
- }
-
if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+ badParams += " card_challenge,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
missingParam = true;
}
if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+ badParams += " host_challenge,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge");
missingParam = true;
}
if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
missingParam = true;
}
@@ -291,38 +333,34 @@ public class TokenServlet extends CMSServlet {
boolean sameCardCrypto = true;
if (!missingParam) {
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
- rCUID,
- ILogger.SUCCESS,
- agentId,
- isCryptoValidate? "true":"false",
- serversideKeygen? "true":"false");
-
- audit(auditMessage);
- xCUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
missingParam = true;
}
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
if (xkeyInfo == null || xkeyInfo.length != 2) {
- CMS.debug("TokenServlet: Invalid key info length");
+ badParams += " KeyInfo length,";
+ CMS.debug("TokenServlet: Invalid key info length.");
missingParam = true;
}
xcard_challenge =
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
if (xcard_challenge == null || xcard_challenge.length != 8) {
- CMS.debug("TokenServlet: Invalid card challenge length");
+ badParams += " card_challenge length,";
+ CMS.debug("TokenServlet: Invalid card challenge length.");
missingParam = true;
}
xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
if (xhost_challenge == null || xhost_challenge.length != 8) {
+ badParams += " host_challenge length,";
CMS.debug("TokenServlet: Invalid host challenge length");
missingParam = true;
}
+
}
CUID = null;
@@ -565,42 +603,73 @@ public class TokenServlet extends CMSServlet {
if (session_key != null && session_key.length > 0) {
outputString =
com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
- } else
+ } else {
+
status = "1";
+ }
if (enc_session_key != null && enc_session_key.length > 0) {
encSessionKeyString =
com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
- } else
+ } else {
status = "1";
+ }
+
if (serversideKeygen == true) {
if ( drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
drm_trans_wrapped_desKeyString =
com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
- else
+ else {
status = "1";
+ }
}
+
if (host_cryptogram != null && host_cryptogram.length > 0) {
cryptogram =
com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
- } else
+ } else {
status = "2";
+ }
- if (selectedToken == null || keyNickName == null)
+ if (selectedToken == null || keyNickName == null) {
status = "4";
+ }
- if (!sameCardCrypto)
+ if (!sameCardCrypto) {
status = "3";
+ }
- if (missingParam)
+ if (missingParam) {
status = "3";
-
- if (!status.equals("0"))
+ }
+
+ if (!status.equals("0")) {
+
+
+ if(status.equals("1")) {
+ errorMsg = "Problem generating session key info.";
+ }
+
+ if(status.equals("2")) {
+ errorMsg = "Problem creating host_cryptogram.";
+ }
+
+ if(status.equals("4")) {
+ errorMsg = "Problem obtaining token information.";
+ }
+
+ if(status.equals("3")) {
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters :" + badParams;
+ }
+
value = "status="+status;
+ }
else {
-
if (serversideKeygen == true) {
StringBuffer sb = new StringBuffer();
sb.append("status=0&");
@@ -642,14 +711,35 @@ public class TokenServlet extends CMSServlet {
} catch (IOException e) {
CMS.debug("TokenServlet: " + e.toString());
}
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED,
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
rCUID,
+ ILogger.SUCCESS,
status,
agentId,
isCryptoValidate? "true":"false",
- serversideKeygen? "true":"false");
+ serversideKeygen? "true":"false",
+ selectedToken,
+ keyNickName);
+
+ } else {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ isCryptoValidate? "true":"false",
+ serversideKeygen? "true":"false",
+ selectedToken,
+ keyNickName,
+ errorMsg);
+ }
+
audit(auditMessage);
}
@@ -658,12 +748,15 @@ public class TokenServlet extends CMSServlet {
byte[] KeySetData,KeysValues,CUID,xCUID;
byte[] xkeyInfo,xnewkeyInfo;
boolean missingParam = false;
+ String errorMsg = "";
+ String badParams = "";
IConfigStore sconfig = CMS.getConfigStore();
String rnewKeyInfo = req.getParameter("newKeyInfo");
String newMasterKeyName = req.getParameter("newKeyInfo");
String oldMasterKeyName = req.getParameter("KeyInfo");
String rCUID =req.getParameter("CUID");
+ String auditMessage="";
String keySet = req.getParameter("keySet");
if (keySet == null || keySet.equals("")) {
@@ -671,15 +764,37 @@ public class TokenServlet extends CMSServlet {
}
CMS.debug("keySet selected: " + keySet);
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName);
+
+ audit(auditMessage);
+
+
if ((rCUID == null) || (rCUID.equals(""))) {
+ badParams += " CUID,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
missingParam = true;
}
if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
+ badParams += " newKeyInfo,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
missingParam = true;
}
if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))){
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
missingParam = true;
}
@@ -687,11 +802,13 @@ public class TokenServlet extends CMSServlet {
if (!missingParam) {
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
if (xkeyInfo == null || xkeyInfo.length != 2) {
+ badParams += " KeyInfo length,";
CMS.debug("TokenServlet: Invalid key info length");
missingParam = true;
}
xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
if (xnewkeyInfo == null || xnewkeyInfo.length != 2) {
+ badParams += " NewKeyInfo length,";
CMS.debug("TokenServlet: Invalid new key info length");
missingParam = true;
}
@@ -705,6 +822,7 @@ public class TokenServlet extends CMSServlet {
if (!missingParam) {
xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
missingParam = true;
}
@@ -776,14 +894,24 @@ public class TokenServlet extends CMSServlet {
//String value="keySetData=%00" if the KeySetData=byte[0]=0;
String value = "";
+ String status = "0";
+
if (KeySetData != null && KeySetData.length > 1) {
value = "status=0&"+"keySetData=" +
com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
CMS.debug("TokenServlet:process DiversifyKey.encode " +value);
} else if (missingParam) {
- value = "status=3";
- } else
- value = "status=1";
+ status = "3";
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters: " + badParams;
+ value = "status=" + status;
+ } else {
+ errorMsg = "Problem diversifying key data.";
+ status = "1";
+ value = "status=" + status;
+ }
resp.setContentLength(value.length());
CMS.debug("TokenServlet:outputString.length " +value.length());
@@ -796,6 +924,32 @@ public class TokenServlet extends CMSServlet {
} catch (Exception e) {
CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
}
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
+ rCUID,
+ ILogger.SUCCESS,
+ status,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName);
+
+ } else {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName,
+ errorMsg);
+ }
+
+ audit(auditMessage);
}
private void processEncryptData(HttpServletRequest req,
@@ -805,6 +959,8 @@ public class TokenServlet extends CMSServlet {
byte[] data = null;
boolean isRandom = true; // randomly generate the data to be encrypted
+ String errorMsg = "";
+ String badParams = "";
IConfigStore sconfig = CMS.getConfigStore();
encryptedData = null;
String rdata = req.getParameter("data");
@@ -814,6 +970,15 @@ public class TokenServlet extends CMSServlet {
if (keySet == null || keySet.equals("")) {
keySet = "defKeySet";
}
+
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
CMS.debug("keySet selected: " + keySet);
String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
@@ -825,6 +990,15 @@ public class TokenServlet extends CMSServlet {
isRandom = true;
}
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId,
+ s_isRandom);
+
+ audit(auditMessage);
+
if (isRandom) {
if ((rdata == null) || (rdata.equals(""))) {
CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data");
@@ -837,33 +1011,40 @@ public class TokenServlet extends CMSServlet {
random.nextBytes(data);
} catch (Exception e) {
CMS.debug("TokenServlet: processEncryptData():"+ e.toString());
- throw new EBaseException("processEncryptData:"+ e.toString());
+ badParams += " Random Number,";
+ missingParam = true;
}
} else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
+ badParams += " data,";
missingParam = true;
}
if ((rCUID == null) || (rCUID.equals(""))) {
-
+ badParams += " CUID,";
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
missingParam = true;
}
+
if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
missingParam = true;
}
+
if (!missingParam) {
xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
- throw new EBaseException("Invalid CUID length");
+ missingParam = true;
}
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
if (xkeyInfo == null || xkeyInfo.length != 2) {
+ badParams += " KeyInfo length,";
CMS.debug("TokenServlet: Invalid key info length");
- throw new EBaseException("Invalid key info length");
+ missingParam = true;
}
}
@@ -871,6 +1052,8 @@ public class TokenServlet extends CMSServlet {
if (!useSoftToken_s.equalsIgnoreCase("true"))
useSoftToken_s = "false";
+ String selectedToken = null;
+ String keyNickName = null;
if (!missingParam) {
if (!isRandom)
data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
@@ -879,8 +1062,6 @@ public class TokenServlet extends CMSServlet {
String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo;
String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
- String selectedToken = null;
- String keyNickName = null;
if (mappingValue == null) {
selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal");
keyNickName = rKeyInfo;
@@ -902,6 +1083,7 @@ public class TokenServlet extends CMSServlet {
resp.setContentType("text/html");
String value = "";
+ String status = "0";
if (encryptedData != null && encryptedData.length > 0) {
String outputString = new String(encryptedData);
// sending both the pre-encrypted and encrypted data back
@@ -910,9 +1092,17 @@ public class TokenServlet extends CMSServlet {
"&encryptedData=" +
com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
} else if (missingParam) {
- value = "status=3";
- } else
- value = "status=1";
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters: " + badParams;
+ status = "3";
+ value = "status=" + status;
+ } else {
+ errorMsg = "Problem encrypting data.";
+ status = "1";
+ value = "status=" + status;
+ }
CMS.debug("TokenServlet:process EncryptData.encode " +value);
@@ -927,6 +1117,34 @@ public class TokenServlet extends CMSServlet {
} catch (Exception e) {
CMS.debug("TokenServlet: " + e.toString());
}
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,
+ rCUID,
+ ILogger.SUCCESS,
+ status,
+ agentId,
+ s_isRandom,
+ selectedToken,
+ keyNickName);
+
+ } else {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ s_isRandom,
+ selectedToken,
+ keyNickName,
+ errorMsg);
+ }
+
+ audit(auditMessage);
}
/*
@@ -953,7 +1171,7 @@ public class TokenServlet extends CMSServlet {
try {
authzToken = authorize(mAclMethod, authToken,
- mAuthzResourceName, "read");
+ mAuthzResourceName, "execute");
} catch (Exception e) {
}
generated by cgit (git 2.34.1) at 2024-07-04 07:19:32 +0000