-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertClient.java5
-rw-r--r--base/common/src/com/netscape/certsrv/client/PKICertificateApprovalCallback.java196
-rw-r--r--base/common/src/com/netscape/certsrv/client/PKIClient.java63
-rw-r--r--base/common/src/com/netscape/certsrv/client/PKIConnection.java257
-rw-r--r--base/common/src/com/netscape/certsrv/client/SubsystemClient.java40
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java40
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java18
-rw-r--r--base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java5
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java10
9 files changed, 396 insertions, 238 deletions
diff --git a/base/common/src/com/netscape/certsrv/cert/CertClient.java b/base/common/src/com/netscape/certsrv/cert/CertClient.java
index 86e5e1537..42b04b702 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertClient.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertClient.java
@@ -23,6 +23,7 @@ import javax.ws.rs.core.Response;
import com.netscape.certsrv.client.Client;
import com.netscape.certsrv.client.PKIClient;
+import com.netscape.certsrv.client.SubsystemClient;
import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.profile.ProfileDataInfos;
import com.netscape.certsrv.request.RequestId;
@@ -35,6 +36,10 @@ public class CertClient extends Client {
public CertResource certClient;
public CertRequestResource certRequestClient;
+ public CertClient(SubsystemClient subsystemClient) throws URISyntaxException {
+ this(subsystemClient.client, subsystemClient.getName());
+ }
+
public CertClient(PKIClient client, String subsystem) throws URISyntaxException {
super(client, subsystem, "cert");
init();
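Review bot: The new `CertClient(SubsystemClient)` constructor has no Javadoc and reaches into the `subsystemClient.client` field directly, while the sibling constructor goes through the public `PKIClient` parameter. A one-liner such as `/** Creates a CertClient that reuses the PKIClient and subsystem name of the given SubsystemClient (e.g. a CAClient). */` would tell callers why this overload exists, and if `Client` exposes an accessor for that field, using it here keeps the two constructors symmetric. The existing `CertClient(PKIClient, String)` continues past the end of the hunk.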
diff --git a/base/common/src/com/netscape/certsrv/client/PKICertificateApprovalCallback.java b/base/common/src/com/netscape/certsrv/client/PKICertificateApprovalCallback.java
new file mode 100644
index 000000000..3ec46f573
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/PKICertificateApprovalCallback.java
@@ -0,0 +1,196 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.client;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Enumeration;
+
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+
+public class PKICertificateApprovalCallback implements SSLCertificateApprovalCallback {
+
+ public PKIClient client;
+
+ public PKICertificateApprovalCallback(PKIClient client) {
+ this.client = client;
+ }
+
+ // NOTE: The following helper method defined as
+ // 'public String displayReason(int reason)'
+ // should be moved into the JSS class called
+ // 'org.mozilla.jss.ssl.SSLCertificateApprovalCallback'
+ // under its nested subclass called 'ValidityStatus'.
+
+ // While all reason values should be unique, this method has been
+ // written to return the name of the first defined reason that is
+ // encountered which contains the requested value, or null if no
+ // reason containing the requested value is encountered.
+ public String displayReason(int reason) {
+
+ for (Field f : ValidityStatus.class.getDeclaredFields()) {
+ int mod = f.getModifiers();
+ if (Modifier.isStatic(mod) &&
+ Modifier.isPublic(mod) &&
+ Modifier.isFinal(mod)) {
+ try {
+ int value = f.getInt(null);
+ if (value == reason) {
+ return f.getName();
+ }
+ } catch (IllegalAccessException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+
+ return null;
+ }
+
+ public String getMessage(X509Certificate serverCert, int reason) {
+
+ if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
+ return "BAD_CERT_DOMAIN encountered on '"+serverCert.getSubjectDN()+"' indicates a common-name mismatch";
+ }
+
+ if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+ return "UNTRUSTED ISSUER encountered on '" +
+ serverCert.getSubjectDN() + "' indicates a non-trusted CA cert '" +
+ serverCert.getIssuerDN() + "'";
+ }
+
+ if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
+ return "CA_CERT_INVALID encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
+ }
+
+ String reasonName = displayReason(reason);
+ if (reasonName != null) {
+ return reasonName+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
+ }
+
+ return "Unknown/undefined reason "+reason+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
+ }
+
+ public boolean handleUntrustedIssuer(X509Certificate serverCert) {
+ try {
+ System.out.print("Import CA certificate (Y/n)? ");
+
+ BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+ String line = reader.readLine().trim();
+
+ if (!line.equals("") && !line.equalsIgnoreCase("Y"))
+ return false;
+
+ String caServerURI = "http://" + client.getConfig().getServerURI().getHost() + ":8080/ca";
+
+ System.out.print("CA server URI [" + caServerURI + "]: ");
+ System.out.flush();
+
+ line = reader.readLine().trim();
+ if (!line.equals("")) {
+ caServerURI = line;
+ }
+
+ if (client.verbose) System.out.println("Downloading CA certificate chain from " + caServerURI + ".");
+ byte[] bytes = client.downloadCACertChain(caServerURI);
+
+ if (client.verbose) System.out.println("Importing CA certificate chain.");
+ client.importCACertPackage(bytes);
+
+ if (client.verbose) System.out.println("Imported CA certificate.");
+ return true;
+
+ } catch (Exception e) {
+ System.err.println("ERROR: "+e);
+ return false;
+ }
+ }
+
+ // Callback to approve or deny returned SSL server cert.
+ // Right now, simply approve the cert.
+ public boolean approve(X509Certificate serverCert,
+ SSLCertificateApprovalCallback.ValidityStatus status) {
+
+ boolean approval = true;
+
+ if (client.verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN());
+
+ SSLCertificateApprovalCallback.ValidityItem item;
+
+ // If there are no items in the Enumeration returned by
+ // getReasons(), you can assume that the certificate is
+ // trustworthy, and return true to allow the connection to
+ // continue, or you can continue to make further tests of
+ // your own to determine trustworthiness.
+ Enumeration<?> errors = status.getReasons();
+
+ while (errors.hasMoreElements()) {
+ item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
+ int reason = item.getReason();
+
+ if (client.isRejected(reason)) {
+ if (!client.statuses.contains(reason))
+ System.err.println("ERROR: " + getMessage(serverCert, reason));
+ approval = false;
+
+ } else if (client.isIgnored(reason)) {
+ // Ignore validity status
+
+ } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+ // Issue a WARNING, but allow this process
+ // to continue since we haven't installed a trusted CA
+ // cert for this operation.
+ if (!client.statuses.contains(reason)) {
+ System.err.println("WARNING: " + getMessage(serverCert, reason));
+ handleUntrustedIssuer(serverCert);
+ }
+
+ } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
+ // Issue a WARNING, but allow this process to continue on
+ // common-name mismatches.
+ if (!client.statuses.contains(reason))
+ System.err.println("WARNING: " + getMessage(serverCert, reason));
+
+ } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
+ // Set approval false to deny this
+ // certificate so that the connection is terminated.
+ // (Expect an IOException on the outstanding
+ // read()/write() on the socket).
+ if (!client.statuses.contains(reason))
+ System.err.println("ERROR: " + getMessage(serverCert, reason));
+ approval = false;
+
+ } else {
+ // Set approval false to deny this certificate so that
+ // the connection is terminated. (Expect an IOException
+ // on the outstanding read()/write() on the socket).
+ if (!client.statuses.contains(reason))
+ System.err.println("ERROR: " + getMessage(serverCert, reason));
+ approval = false;
+ }
+
+ client.statuses.add(reason);
+ }
+
+ return approval;
+ }
+}
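Review bot: The return value of `handleUntrustedIssuer(serverCert)` is discarded in the UNTRUSTED_ISSUER branch of `approve` and `approval` stays true, so the server certificate is accepted whether or not the user imported the CA and whether or not the import succeeded; the header comment `// Right now, simply approve the cert.` above `approve` is also stale, since four of the five branches deny. If accepting the connection on an untrusted issuer is intended for the CLI, state it in that comment, e.g. `// UNTRUSTED_ISSUER is only warned about (CA chain optionally imported); the connection is still approved.`, otherwise set `approval = false` when the import is declined or fails. In `handleUntrustedIssuer` the default `caServerURI` is plain `http://…:8080/ca` and the downloaded chain is passed to `importCACertPackage` without showing the user anything about it, so the trust anchor is established over an unauthenticated channel; printing the chain's subject and fingerprint and asking for confirmation before the import would give the operator something to verify out of band. `reader.readLine()` returns null on closed stdin, which becomes an NPE caught by the generic `catch (Exception e)` and printed as `ERROR: java.lang.NullPointerException`; a `line == null` check with a clear message would help non-interactive runs.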
diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
index e06b4db54..9015cfa38 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
@@ -1,3 +1,21 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
package com.netscape.certsrv.client;
import java.io.IOException;
@@ -5,6 +23,8 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.cert.CertificateEncodingException;
+import java.util.Collection;
+import java.util.HashSet;
import javax.ws.rs.core.Response;
import javax.xml.parsers.DocumentBuilder;
@@ -42,10 +62,22 @@ public class PKIClient {
public boolean verbose;
+ Collection<Integer> rejectedCertStatuses = new HashSet<Integer>();
+ Collection<Integer> ignoredCertStatuses = new HashSet<Integer>();
+
+ // List to prevent displaying the same warnings/errors again.
+ Collection<Integer> statuses = new HashSet<Integer>();
+
+ public PKIClient(ClientConfig config) {
+ this(config, null);
+ }
+
public PKIClient(ClientConfig config, CryptoProvider crypto) {
this.config = config;
this.crypto = crypto;
- connection = new PKIConnection(this);
+
+ connection = new PKIConnection(config);
+ connection.setCallback(new PKICertificateApprovalCallback(this));
}
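Review bot: The three status collections added above `PKIClient(ClientConfig)` are mutable, non-final, package-private fields, and `statuses` is written from `PKICertificateApprovalCallback.approve` while `rejectedCertStatuses`/`ignoredCertStatuses` are read there; whether the JSS approval callback can run on a different thread from the one calling the setters is not visible here, so either document that they must be configured before the first connection or use a concurrent set. Declaring them `final` (`final Collection<Integer> statuses = new HashSet<Integer>();`) costs nothing, and the comment `// List to prevent displaying the same warnings/errors again.` should say set, since the `HashSet` is what dedups the messages. `new PKICertificateApprovalCallback(this)` publishes `this` before the constructor returns; harmless as long as the callback only stores the reference, which is what the new class does.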
public <T> T createProxy(String subsystem, Class<T> clazz) throws URISyntaxException {
@@ -102,6 +134,7 @@ public class PKIClient {
public void setVerbose(boolean verbose) {
this.verbose = verbose;
+ connection.setVerbose(verbose);
}
public X509Certificate getCert(String nickname)
@@ -183,4 +216,32 @@ public class PKIClient {
cryptoToken.getCryptoStore().deleteCert(cert);
}
+
+ public void addRejectedCertStatus(Integer rejectedCertStatus) {
+ rejectedCertStatuses.add(rejectedCertStatus);
+ }
+
+ public void setRejectedCertStatuses(Collection<Integer> rejectedCertStatuses) {
+ this.rejectedCertStatuses.clear();
+ if (rejectedCertStatuses == null) return;
+ this.rejectedCertStatuses.addAll(rejectedCertStatuses);
+ }
+
+ public boolean isRejected(Integer certStatus) {
+ return rejectedCertStatuses.contains(certStatus);
+ }
+
+ public void addIgnoredCertStatus(Integer ignoredCertStatus) {
+ ignoredCertStatuses.add(ignoredCertStatus);
+ }
+
+ public void setIgnoredCertStatuses(Collection<Integer> ignoredCertStatuses) {
+ this.ignoredCertStatuses.clear();
+ if (ignoredCertStatuses == null) return;
+ this.ignoredCertStatuses.addAll(ignoredCertStatuses);
+ }
+
+ public boolean isIgnored(Integer certStatus) {
+ return ignoredCertStatuses.contains(certStatus);
+ }
}
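Review bot: The six new public methods from `addRejectedCertStatus` to `isIgnored` carry no Javadoc although they replace the PKIConnection API removed in this commit; a one-liner on each, e.g. `/** Validity-status codes (SSLCertificateApprovalCallback.ValidityStatus) that cause the server certificate to be rejected even if the callback would otherwise accept it. */`, would tell callers what the integers mean. `addRejectedCertStatus(null)` and `addIgnoredCertStatus(null)` silently insert null into the HashSet; `rejectedCertStatuses.add(Objects.requireNonNull(rejectedCertStatus, "rejectedCertStatus"));` makes the misuse visible (needs `java.util.Objects`).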
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 0ecee4d8e..1f9b6dff1 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -1,15 +1,29 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
package com.netscape.certsrv.client;
-import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
-import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintStream;
-import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Modifier;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
@@ -18,9 +32,6 @@ import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.HashSet;
import java.util.List;
import javax.ws.rs.client.Entity;
@@ -67,7 +78,6 @@ import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
-import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
import org.mozilla.jss.ssl.SSLSocket;
@@ -76,16 +86,12 @@ import com.netscape.certsrv.base.PKIException;
public class PKIConnection {
- PKIClient client;
- ClientConfig config;
-
- Collection<Integer> rejectedCertStatuses = new HashSet<Integer>();
- Collection<Integer> ignoredCertStatuses = new HashSet<Integer>();
+ boolean verbose;
- // List to prevent displaying the same warnings/errors again.
- Collection<Integer> statuses = new HashSet<Integer>();
+ ClientConfig config;
DefaultHttpClient httpClient = new DefaultHttpClient();
+ SSLCertificateApprovalCallback callback;
ApacheHttpClient4Engine engine;
ResteasyClient resteasyClient;
@@ -96,11 +102,9 @@ public class PKIConnection {
File output;
- public PKIConnection(final PKIClient client) {
-
- this.client = client;
+ public PKIConnection(ClientConfig config) {
- config = client.getConfig();
+ this.config = config;
// Register https scheme.
Scheme scheme = new Scheme("https", 443, new JSSProtocolSocketFactory());
@@ -125,7 +129,7 @@ public class PKIConnection {
requestCounter++;
- if (client.verbose) {
+ if (verbose) {
System.out.println("HTTP request: "+request.getRequestLine());
for (Header header : request.getAllHeaders()) {
System.out.println(" "+header.getName()+": "+header.getValue());
@@ -153,7 +157,7 @@ public class PKIConnection {
responseCounter++;
- if (client.verbose) {
+ if (verbose) {
System.out.println("HTTP response: "+response.getStatusLine());
for (Header header : response.getAllHeaders()) {
System.out.println(" "+header.getName()+": "+header.getValue());
@@ -175,7 +179,7 @@ public class PKIConnection {
HttpUriRequest uriRequest = super.getRedirect(request, response, context);
URI uri = uriRequest.getURI();
- if (client.verbose) System.out.println("HTTP redirect: "+uri);
+ if (verbose) System.out.println("HTTP redirect: "+uri);
// Redirect the original request to the new URI.
RequestWrapper wrapper;
@@ -203,6 +207,18 @@ public class PKIConnection {
resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build();
}
+ public boolean isVerbose() {
+ return verbose;
+ }
+
+ public void setVerbose(boolean verbose) {
+ this.verbose = verbose;
+
+ }
+ public void setCallback(SSLCertificateApprovalCallback callback) {
+ this.callback = callback;
+ }
+
public void storeRequest(File file, HttpRequest request) throws IOException {
try (PrintStream out = new PrintStream(file)) {
@@ -273,169 +289,6 @@ public class PKIConnection {
}
}
- private class ServerCertApprovalCB implements SSLCertificateApprovalCallback {
-
- // NOTE: The following helper method defined as
- // 'public String displayReason(int reason)'
- // should be moved into the JSS class called
- // 'org.mozilla.jss.ssl.SSLCertificateApprovalCallback'
- // under its nested subclass called 'ValidityStatus'.
-
- // While all reason values should be unique, this method has been
- // written to return the name of the first defined reason that is
- // encountered which contains the requested value, or null if no
- // reason containing the requested value is encountered.
- public String displayReason(int reason) {
- Class<SSLCertificateApprovalCallback.ValidityStatus> c =
- SSLCertificateApprovalCallback.ValidityStatus.class;
- for (Field f : c.getDeclaredFields()) {
- int mod = f.getModifiers();
- if (Modifier.isStatic(mod) &&
- Modifier.isPublic(mod) &&
- Modifier.isFinal(mod)) {
- try {
- int value = f.getInt(null);
- if (value == reason) {
- return f.getName();
- }
- } catch (IllegalAccessException e) {
- e.printStackTrace();
- }
- }
- }
-
- return null;
- }
-
- public String getMessage(X509Certificate serverCert, int reason) {
-
- if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
-
- return "BAD_CERT_DOMAIN encountered on '"+serverCert.getSubjectDN()+"' indicates a common-name mismatch";
- }
-
- if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
- return "UNTRUSTED ISSUER encountered on '" +
- serverCert.getSubjectDN() + "' indicates a non-trusted CA cert '" +
- serverCert.getIssuerDN() + "'";
- }
-
- if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
- return "CA_CERT_INVALID encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
- }
-
- String reasonName = displayReason(reason);
- if (reasonName != null) {
- return reasonName+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
- }
-
- return "Unknown/undefined reason "+reason+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
- }
-
- public boolean handleUntrustedIssuer(X509Certificate serverCert) {
- try {
- System.out.print("Import CA certificate (Y/n)? ");
-
- BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
- String line = reader.readLine().trim();
-
- if (!line.equals("") && !line.equalsIgnoreCase("Y"))
- return false;
-
- String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca";
-
- System.out.print("CA server URI [" + caServerURI + "]: ");
- System.out.flush();
-
- line = reader.readLine().trim();
- if (!line.equals("")) {
- caServerURI = line;
- }
-
- if (client.verbose) System.out.println("Downloading CA certificate chain from " + caServerURI + ".");
- byte[] bytes = client.downloadCACertChain(caServerURI);
-
- if (client.verbose) System.out.println("Importing CA certificate chain.");
- client.importCACertPackage(bytes);
-
- if (client.verbose) System.out.println("Imported CA certificate.");
- return true;
-
- } catch (Exception e) {
- System.err.println("ERROR: "+e);
- return false;
- }
- }
-
- // Callback to approve or deny returned SSL server cert.
- // Right now, simply approve the cert.
- public boolean approve(X509Certificate serverCert,
- SSLCertificateApprovalCallback.ValidityStatus status) {
-
- boolean approval = true;
-
- if (client.verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN());
-
- SSLCertificateApprovalCallback.ValidityItem item;
-
- // If there are no items in the Enumeration returned by
- // getReasons(), you can assume that the certificate is
- // trustworthy, and return true to allow the connection to
- // continue, or you can continue to make further tests of
- // your own to determine trustworthiness.
- Enumeration<?> errors = status.getReasons();
- while (errors.hasMoreElements()) {
- item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
- int reason = item.getReason();
-
- if (isRejected(reason)) {
- if (!statuses.contains(reason))
- System.err.println("ERROR: " + getMessage(serverCert, reason));
- approval = false;
-
- } else if (isIgnored(reason)) {
- // Ignore validity status
-
- } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
- // Issue a WARNING, but allow this process
- // to continue since we haven't installed a trusted CA
- // cert for this operation.
- if (!statuses.contains(reason)) {
- System.err.println("WARNING: " + getMessage(serverCert, reason));
- handleUntrustedIssuer(serverCert);
- }
-
- } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
- // Issue a WARNING, but allow this process to continue on
- // common-name mismatches.
- if (!statuses.contains(reason))
- System.err.println("WARNING: " + getMessage(serverCert, reason));
-
- } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
- // Set approval false to deny this
- // certificate so that the connection is terminated.
- // (Expect an IOException on the outstanding
- // read()/write() on the socket).
- if (!statuses.contains(reason))
- System.err.println("ERROR: " + getMessage(serverCert, reason));
- approval = false;
-
- } else {
- // Set approval false to deny this certificate so that
- // the connection is terminated. (Expect an IOException
- // on the outstanding read()/write() on the socket).
- if (!statuses.contains(reason))
- System.err.println("ERROR: " + getMessage(serverCert, reason));
- approval = false;
- }
-
- statuses.add(reason);
- }
-
- return approval;
- }
- }
-
private class JSSProtocolSocketFactory implements SchemeSocketFactory, SchemeLayeredSocketFactory {
@Override
@@ -499,18 +352,18 @@ public class PKIConnection {
port,
localAddr,
localPort,
- new ServerCertApprovalCB(),
+ callback,
null);
} else {
- socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
+ socket = new SSLSocket(sock, hostName, callback, null);
}
// setSSLVersionRange needs to be exposed in jss
// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
String certNickname = config.getCertNickname();
if (certNickname != null) {
- if (client.verbose) System.out.println("Client certificate: "+certNickname);
+ if (verbose) System.out.println("Client certificate: "+certNickname);
socket.setClientCertNickname(certNickname);
}
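Review bot: `callback` is passed straight to both `SSLSocket` constructors in this hunk, but nothing guarantees `setCallback` was called: `PKIConnection(ClientConfig)` leaves the field null and only `PKIClient`'s constructor sets it. What JSS does with a null `SSLCertificateApprovalCallback` is not visible here, so either fail fast before the socket is created — `if (callback == null) throw new IllegalStateException("SSL certificate approval callback not set");` — or document on `setCallback` that it must be called before the first connection. The `setVerbose` setter in the earlier hunk has a stray blank line before its closing brace and no blank line before `setCallback`; cosmetic, but it reads as an unfinished edit. The enclosing socket-factory method starts before the hunk.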
@@ -592,34 +445,6 @@ public class PKIConnection {
return target.request().post(Entity.form(form), String.class);
}
- public void addRejectedCertStatus(Integer rejectedCertStatus) {
- rejectedCertStatuses.add(rejectedCertStatus);
- }
-
- public void setRejectedCertStatuses(Collection<Integer> rejectedCertStatuses) {
- this.rejectedCertStatuses.clear();
- if (rejectedCertStatuses == null) return;
- this.rejectedCertStatuses.addAll(rejectedCertStatuses);
- }
-
- public boolean isRejected(Integer certStatus) {
- return rejectedCertStatuses.contains(certStatus);
- }
-
- public void addIgnoredCertStatus(Integer ignoredCertStatus) {
- ignoredCertStatuses.add(ignoredCertStatus);
- }
-
- public void setIgnoredCertStatuses(Collection<Integer> ignoredCertStatuses) {
- this.ignoredCertStatuses.clear();
- if (ignoredCertStatuses == null) return;
- this.ignoredCertStatuses.addAll(ignoredCertStatuses);
- }
-
- public boolean isIgnored(Integer certStatus) {
- return ignoredCertStatuses.contains(certStatus);
- }
-
public File getOutput() {
return output;
}
diff --git a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
index d694b397c..3d44bce41 100644
--- a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
+++ b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
@@ -17,8 +17,13 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.client;
+import java.net.URI;
import java.net.URISyntaxException;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.DefaultHttpClient;
+
import com.netscape.certsrv.account.AccountClient;
@@ -44,6 +49,41 @@ public class SubsystemClient extends Client {
accountClient.login();
}
+ public boolean exists() throws Exception {
+
+ ClientConfig config = client.getConfig();
+ URI serverURI = config.getServerURI();
+
+ URI subsystemURI = new URI(
+ serverURI.getScheme(),
+ null,
+ serverURI.getHost(),
+ serverURI.getPort(),
+ "/" + name,
+ null,
+ null);
+
+ DefaultHttpClient client = new DefaultHttpClient();
+ HttpGet method = new HttpGet(subsystemURI);
+ try {
+ HttpResponse response = client.execute(method);
+ int code = response.getStatusLine().getStatusCode();
+
+ if (code == 200) {
+ return true;
+
+ } else if (code == 404) {
+ return false;
+
+ } else {
+ throw new Exception("Error: " + response.getStatusLine());
+ }
+
+ } finally {
+ method.releaseConnection();
+ }
+ }
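Review bot: `exists()` probes the subsystem with a fresh `new DefaultHttpClient()` instead of the connection already configured on `client`, so as far as this hunk shows the request goes out without the JSS `https` scheme, the client certificate nickname and the certificate-approval callback (rejected/ignored statuses, CA import prompt) that `PKIConnection` sets up; against an `https` server URI it would use the JVM's default trust store and can fail or succeed independently of the caller's settings. The local `DefaultHttpClient client` also shadows the `client` field that the first line of the method reads, and the HttpClient is never shut down — `releaseConnection()` only returns the connection to the pool, so `client.getConnectionManager().shutdown();` belongs in the `finally`. If reusing `PKIConnection` is not possible here, rename the local to `httpClient` and throw something narrower than raw `Exception` (e.g. `PKIException`, if it has a String constructor).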
+
/**
* Log out from the subsystem.
*/
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4d63d9bc1..159e4ac5a 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -23,8 +23,10 @@ import java.io.Console;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
+import java.io.InputStreamReader;
import java.lang.reflect.Field;
import java.net.InetAddress;
+import java.net.URI;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.HashSet;
@@ -39,6 +41,7 @@ import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
+import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.client.ClientConfig;
import com.netscape.certsrv.client.PKIClient;
import com.netscape.certsrv.client.PKIConnection;
@@ -269,6 +272,36 @@ public class MainCLI extends CLI {
return promptForPassword("Enter Password: ");
}
+ public static CAClient createCAClient(PKIClient client) throws Exception {
+
+ ClientConfig config = client.getConfig();
+ CAClient caClient = new CAClient(client);
+
+ while (!caClient.exists()) {
+ System.err.println("ERROR: CA subsystem not available");
+
+ URI serverURI = config.getServerURI();
+ String uri = serverURI.getScheme() + "://" + serverURI.getHost() + ":" + serverURI.getPort();
+
+ System.out.print("CA server URI [" + uri + "]: ");
+ System.out.flush();
+
+ BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+ String line = reader.readLine().trim();
+ if (!line.equals("")) {
+ uri = line;
+ }
+
+ config = new ClientConfig(client.getConfig());
+ config.setServerURI(uri);
+
+ client = new PKIClient(config);
+ caClient = new CAClient(client);
+ }
+
+ return caClient;
+ }
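Review bot: `client = new PKIClient(config);` inside the retry loop of `createCAClient` builds a client that does not carry over `verbose` or the rejected/ignored certificate status sets that `parseOptions` applies to the original client (`client.setRejectedCertStatuses(...)` later in this diff), so once the user is redirected to another CA URI those settings silently stop applying and the approval callback falls back to its defaults. Copy them across — `newClient.setVerbose(client.verbose);` plus the two status sets, which needs getters on PKIClient since the fields are package-private — or add a copy constructor such as `PKIClient(PKIClient other, ClientConfig config)`. `reader.readLine()` returns null when stdin is closed, so `line.trim()` throws NPE in non-interactive use; check for null and either treat it as an empty answer or abort with a clear message. Creating a new `BufferedReader` over `System.in` on every iteration can also drop input already buffered by the previous one; hoist it above the loop.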
+
public void parseOptions(CommandLine cmd) throws Exception {
verbose = cmd.hasOption("v");
@@ -465,13 +498,14 @@ public class MainCLI extends CLI {
client = new PKIClient(config, null);
client.setVerbose(verbose);
- PKIConnection connection = client.getConnection();
- connection.setRejectedCertStatuses(rejectedCertStatuses);
- connection.setIgnoredCertStatuses(ignoredCertStatuses);
+ client.setRejectedCertStatuses(rejectedCertStatuses);
+ client.setIgnoredCertStatuses(ignoredCertStatuses);
if (output != null) {
File file = new File(output);
file.mkdirs();
+
+ PKIConnection connection = client.getConnection();
connection.setOutput(file);
}
}
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
index 310a4c29c..b28271dd7 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
@@ -48,17 +48,15 @@ public class SubsystemCLI extends CLI {
init();
- try {
- // login if username or nickname is specified
- ClientConfig config = getClient().getConfig();
- if (config.getUsername() != null || config.getCertNickname() != null) {
- login();
- }
+ // login if username or nickname is specified
+ ClientConfig config = getClient().getConfig();
+ if (config.getUsername() != null || config.getCertNickname() != null) {
+ login();
+ }
- super.execute(args);
+ super.execute(args);
- } finally {
- logout();
- }
+ // logout if there is no failures
+ logout();
}
}
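Review bot: Removing the `finally` means `logout()` is skipped whenever `super.execute(args)` throws, so a failed command now leaves its server-side session open. If the intent was to stop a failing `logout()` from masking the original exception, a guarded finally keeps both properties: `} finally { try { logout(); } catch (Exception e) { /* report, but keep the original failure */ } }`. Whichever is intended, the new comment `// logout if there is no failures` should say so explicitly (and read `if there are no failures`). The enclosing `execute` method starts before the hunk.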
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
index 4425e7003..3e96c1dee 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
@@ -25,6 +25,7 @@ import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.io.FileUtils;
+import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.cert.CertClient;
import com.netscape.certsrv.cert.CertData;
import com.netscape.certsrv.dbs.certdb.CertId;
@@ -114,8 +115,8 @@ public class UserCertAddCLI extends CLI {
System.out.println("Downloading certificate " + serialNumber + ".");
}
- client = parent.getClient();
- CertClient certClient = new CertClient(client, "ca");
+ CAClient caClient = MainCLI.createCAClient(parent.getClient());
+ CertClient certClient = new CertClient(caClient);
CertData certData = certClient.getCert(new CertId(serialNumber));
encoded = certData.getEncoded();
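Review bot: The removed `client = parent.getClient();` was the only assignment to the `client` variable visible in this hunk; if anything later in this method (outside the hunk) still reads `client`, it now sees whatever value it had before, so verify the rest of the method or drop the variable. `MainCLI.createCAClient` may also prompt on stdin and re-target the client when the CA is not reachable, which is new behaviour for this command; a short comment here, `// may prompt for an alternate CA URI if the CA subsystem is not available`, would make that visible to the next reader.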
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index ee88865e6..7e6c2a3c1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -352,17 +352,16 @@ public class ConfigurationUtils {
config.setPassword(passwd);
PKIClient client = new PKIClient(config, null);
- PKIConnection connection = client.getConnection();
// Ignore the "UNTRUSTED_ISSUER" validity status
// during PKI instance creation since we are
// utilizing an untrusted temporary CA certificate.
- connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
+ client.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
// Ignore the "CA_CERT_INVALID" validity status
// during PKI instance creation since we are
// utilizing an untrusted temporary CA certificate.
- connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID);
+ client.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID);
AccountClient accountClient = new AccountClient(client, "ca");
SecurityDomainClient sdClient = new SecurityDomainClient(client, "ca");
@@ -3972,12 +3971,11 @@ public class ConfigurationUtils {
config.setCertPassword(dbPass);
PKIClient client = new PKIClient(config, null);
- PKIConnection connection = client.getConnection();
// Ignore the "UNTRUSTED_ISSUER" and "CA_CERT_INVALID" validity status
// during PKI instance creation since we are using an untrusted temporary CA cert.
- connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
- connection.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID);
+ client.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
+ client.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID);
AccountClient accountClient = new AccountClient(client, "tks");
TPSConnectorClient tpsConnectorClient = new TPSConnectorClient(client, "tks");