author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-09-21 00:28:48 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-09-21 00:28:48 +0000 |
commit | 962d2c5f60b2498511fc9f675d1e1117995cdd03 (patch) | |
tree | 6f6794b68c6f91e751e95fb54fe70b8e1b77eed0 /pki/base/common/src/com | |
parent | c305cf21c4649944c21fd7eb228c3645fc3b9679 (diff) | |
Bug 634663 - CA CMC response default hard-coded to SHA1
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1310 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com')
4 files changed, 37 insertions, 12 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
index 40a762ab5..bc545a9ba 100644
--- a/pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+++ b/pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
@@ -26,6 +26,7 @@ import java.security.*;
 import java.security.cert.*;
 import netscape.security.x509.*;
 import netscape.security.util.*;
+import org.mozilla.jss.crypto.*;
 import com.netscape.certsrv.base.*;
 import com.netscape.certsrv.request.*;
@@ -167,6 +168,13 @@ public interface ICertificateAuthority extends ISubsystem {
 public void setMaxSerial(String serial) throws EBaseException;
 /**
+ * Retrieves the default signature algorithm of this certificate authority.
+ *
+ * @return the default signature algorithm of this CA
+ */
+ public SignatureAlgorithm getDefaultSignatureAlgorithm();
+
+ /**
 * Retrieves the default signing algorithm of this certificate authority.
 *
 * @return the default signing algorithm of this CA
diff --git a/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java b/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java
index 4996cb866..ac46a271d 100644
--- a/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java
+++ b/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java
@@ -104,6 +104,13 @@ public interface ISigningUnit {
 *
 * @return default signing algorithm
 */
+ public SignatureAlgorithm getDefaultSignatureAlgorithm();
+
+ /**
+ * Retrieves the default algorithm name.
+ *
+ * @return default signing algorithm name
+ */
 public String getDefaultAlgorithm();
 /**
diff --git a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
index 3885a9688..eb09e5b47 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
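Review bot: The Javadoc added for getDefaultSignatureAlgorithm() in the ICertificateAuthority hunk repeats the wording of the neighbouring "default signing algorithm" entry almost verbatim and says nothing about nullability or how the JSS SignatureAlgorithm relates to the String returned by getDefaultAlgorithm(); the new caller in CMCOutputTemplate dereferences the result directly, so the contract should be explicit. Suggest `@return the JSS SignatureAlgorithm this CA signs with (the typed counterpart of getDefaultAlgorithm()); document whether null is possible before the signing unit is initialized` — the implementation is outside this diff, so confirm the null behaviour there. The ISigningUnit hunk has the same gap. Adding an abstract method to both public interfaces also breaks any implementer not updated in this commit; the diffstat is limited to pki/base/common, so other implementations should be checked.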
+++ b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
@@ -339,9 +339,18 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent();
- IAuthToken agentToken = verifySignerInfo(authToken,cmcFullReq);
- String userid = agentToken.getInString("userid");
- String uid = agentToken.getInString("cn");
+ IConfigStore cmc_config = CMS.getConfigStore();
+ boolean checkSignerInfo =
+ cmc_config.getBoolean("cmc.signerInfo.verify", true);
+ String userid = "defUser";
+ String uid = "defUser";
+ if (checkSignerInfo) {
+ IAuthToken agentToken = verifySignerInfo(authToken,cmcFullReq);
+ userid = agentToken.getInString("userid");
+ uid = agentToken.getInString("cn");
+ } else {
+ CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed");
+ }
 // reset value of auditSignerInfo
 if( uid != null ) {
 auditSignerInfo = uid.trim();
diff --git a/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
index e7d2aaa94..6cd9e7afb 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.*;
 import netscape.security.x509.*;
 import com.netscape.certsrv.profile.*;
 import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.security.*;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
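Review bot: The new `cmc.signerInfo.verify` switch in the CMCAuth hunk disables signer verification for the whole CMC authentication path and substitutes the fixed identity "defUser" for both userid and uid, so with the flag set to false a request with no valid signer is authenticated as that user and auditSignerInfo records "defUser"; the only trace of the bypass is a CMS.debug line, which is not part of the audit trail. This is also unrelated to the SHA1 default that the commit title describes and deserves its own commit message. At minimum the bypass branch should be recorded through the same audit mechanism that consumes auditSignerInfo rather than debug output, and the setting should be documented where it is read, e.g. `// cmc.signerInfo.verify=false skips CMC signer authentication entirely (test use only); default true`. The enclosing authenticate() method starts and ends outside this hunk.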
@@ -350,13 +351,12 @@ public class CMCOutputTemplate {
 issuer, new INTEGER(x509CAcert.getSerialNumber().toString()));
 SignerIdentifier si = new SignerIdentifier(
 SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null);
- // SHA1 is the default digest Alg for now.
- DigestAlgorithm digestAlg = null;
- SignatureAlgorithm signAlg = null;
+ // use CA instance's default signature and digest algorithm
+ SignatureAlgorithm signAlg = ca.getDefaultSignatureAlgorithm();
 org.mozilla.jss.crypto.PrivateKey privKey =
 CryptoManager.getInstance().findPrivKeyByCert(x509CAcert);
+/*
 org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType();
- if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.RSA ) ) {
 signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
 } else if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.DSA ) ) {
@@ -368,17 +368,17 @@ public class CMCOutputTemplate {
 + "signAlg is unsupported!" );
 return null;
 }
-
- MessageDigest SHADigest = null;
+*/
+ DigestAlgorithm digestAlg = signAlg.getDigestAlg();
+ MessageDigest msgDigest = null;
 byte[] digest = null;
- SHADigest = MessageDigest.getInstance("SHA1");
- digestAlg = DigestAlgorithm.SHA1;
+ msgDigest = MessageDigest.getInstance(digestAlg.toString());
 ByteArrayOutputStream ostream = new ByteArrayOutputStream();
 respBody.encode((OutputStream) ostream);
- digest = SHADigest.digest(ostream.toByteArray());
+ digest = msgDigest.digest(ostream.toByteArray());
 SignerInfo signInfo = new SignerInfo(si, null, null,
@@ -400,6 +400,7 @@ public class CMCOutputTemplate {
 enContentInfo, certs, null, signInfos);
 ContentInfo contentInfo = new ContentInfo(signedData);
+ CMS.debug("CMCOutputTemplate::getContentInfo() - done");
 return contentInfo;
 } catch (Exception e) {
 CMS.debug("CMCOutputTemplate: Failed to create CMCContentInfo. Exception: "+e.toString()); |
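Review bot: The key-type check that previously tied the signature algorithm to the CA private key is left as commented-out code, opened by `/*` in this hunk and closed by `*/` in the next, so ca.getDefaultSignatureAlgorithm() is now used without any confirmation that it is compatible with privKey's type; if the configured default and the key disagree, the failure presumably surfaces only as the generic exception logged in the catch block. Delete the dead block rather than commenting it out, and either keep an explicit compatibility check between the CA default and privKey.getType() or state the assumption at the new comment, e.g. `// assumes the CA's configured default signature algorithm matches the type of the CA signing key`. The enclosing method begins before this hunk.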
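Review bot: `MessageDigest.getInstance(digestAlg.toString())` relies on the JSS DigestAlgorithm string form being a name the JCA provider accepts; the old code passed the literal "SHA1", and whether the other digest names this change is meant to enable round-trip the same way is not shown in the diff. If one does not, getInstance throws NoSuchAlgorithmException and the catch at the end of the method turns that into a failed CMC response for every request signed with that default. signAlg is also dereferenced at `signAlg.getDigestAlg()` with no null check; a guard such as `if (signAlg == null) { CMS.debug("CMCOutputTemplate: CA has no default signature algorithm"); return null; }` before it would give a clear failure instead of a caught NullPointerException. A comment at the getInstance call noting the name dependency, and a test with at least one non-SHA1 default, would make this safer.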