Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java')
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java543
1 files changed, 28 insertions, 515 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 506abdd70..7ace274a7 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -17,54 +17,14 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.FileInputStream;
import java.io.IOException;
-import java.math.BigInteger;
-import java.security.Principal;
-import java.security.PublicKey;
-import java.util.StringTokenizer;
-import java.util.Vector;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPDN;
-import netscape.security.x509.X509CertImpl;
-
import org.apache.velocity.context.Context;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.asn1.ANY;
-import org.mozilla.jss.asn1.BMPString;
-import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
-import org.mozilla.jss.asn1.OCTET_STRING;
-import org.mozilla.jss.asn1.SEQUENCE;
-import org.mozilla.jss.asn1.SET;
-import org.mozilla.jss.crypto.Cipher;
-import org.mozilla.jss.crypto.CryptoStore;
-import org.mozilla.jss.crypto.CryptoToken;
-import org.mozilla.jss.crypto.EncryptionAlgorithm;
-import org.mozilla.jss.crypto.IVParameterSpec;
-import org.mozilla.jss.crypto.InternalCertificate;
-import org.mozilla.jss.crypto.KeyGenAlgorithm;
-import org.mozilla.jss.crypto.KeyGenerator;
-import org.mozilla.jss.crypto.KeyWrapAlgorithm;
-import org.mozilla.jss.crypto.KeyWrapper;
-import org.mozilla.jss.crypto.SymmetricKey;
-import org.mozilla.jss.crypto.X509Certificate;
-import org.mozilla.jss.pkcs11.PK11Store;
-import org.mozilla.jss.pkcs12.AuthenticatedSafes;
-import org.mozilla.jss.pkcs12.CertBag;
-import org.mozilla.jss.pkcs12.PFX;
-import org.mozilla.jss.pkcs12.PasswordConverter;
-import org.mozilla.jss.pkcs12.SafeBag;
-import org.mozilla.jss.pkix.primitive.Attribute;
-import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo;
-import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
-import org.mozilla.jss.util.Password;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
@@ -197,10 +157,6 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
// Path can be empty. If this case, we just want to
// get to the next panel. Customer has HSM.
String s = HttpInput.getString(request, "path");
- // if (s == null || s.equals("")) {
- // CMS.debug("RestoreKeyCertPanel validate: path is empty");
- // throw new IOException("Path is empty");
- // }
if (s != null && !s.equals("")) {
s = HttpInput.getPassword(request, "__password");
@@ -219,460 +175,50 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
HttpServletResponse response,
Context context) throws IOException {
IConfigStore config = CMS.getConfigStore();
- String path = HttpInput.getString(request, "path");
- if (path == null || path.equals("")) {
- // skip to next panel
- config.putBoolean("preop.restorekeycert.done", true);
- try {
- config.commit(false);
- } catch (EBaseException e) {
- }
- getConfigEntriesFromMaster(request, response, context);
- context.put("updateStatus", "success");
- return;
- }
- String pwd = HttpInput.getPassword(request, "__password");
-
- String tokenn = "";
- String instanceRoot = "";
-
- try {
- tokenn = config.getString("preop.module.token");
- instanceRoot = config.getString("instanceRoot");
- } catch (Exception e) {
- }
-
- if (tokenn.equals("Internal Key Storage Token")) {
- byte b[] = new byte[1000000];
- FileInputStream fis = new FileInputStream(instanceRoot + "/alias/" + path);
- while (fis.available() > 0)
- fis.read(b);
- fis.close();
-
- ByteArrayInputStream bis = new ByteArrayInputStream(b);
- StringBuffer reason = new StringBuffer();
- Password password = new Password(pwd.toCharArray());
- PFX pfx = null;
- boolean verifypfx = false;
- try {
- pfx = (PFX) (new PFX.Template()).decode(bis);
- verifypfx = pfx.verifyAuthSafes(password, reason);
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel update: Exception=" + e.toString());
- }
-
- if (verifypfx) {
- CMS.debug("RestoreKeyCertPanel verify the PFX.");
- AuthenticatedSafes safes = pfx.getAuthSafes();
- Vector<Vector<Object>> pkeyinfo_collection = new Vector<Vector<Object>>();
- Vector<Vector<Object>> cert_collection = new Vector<Vector<Object>>();
- for (int i = 0; i < safes.getSize(); i++) {
- try {
- SEQUENCE scontent = safes.getSafeContentsAt(null, i);
- for (int j = 0; j < scontent.size(); j++) {
- SafeBag bag = (SafeBag) scontent.elementAt(j);
- OBJECT_IDENTIFIER oid = bag.getBagType();
- if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) {
- EncryptedPrivateKeyInfo privkeyinfo =
- (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent();
- PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter());
- Vector<Object> pkeyinfo_v = new Vector<Object>();
- pkeyinfo_v.addElement(pkeyinfo);
- SET bagAttrs = bag.getBagAttributes();
- for (int k = 0; k < bagAttrs.size(); k++) {
- Attribute attrs = (Attribute) bagAttrs.elementAt(k);
- OBJECT_IDENTIFIER aoid = attrs.getType();
- if (aoid.equals(SafeBag.FRIENDLY_NAME)) {
- SET val = attrs.getValues();
- ANY ss = (ANY) val.elementAt(0);
- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded());
- BMPString sss = (BMPString) new BMPString.Template().decode(bbis);
- String s = sss.toString();
- pkeyinfo_v.addElement(s);
- }
- }
- pkeyinfo_collection.addElement(pkeyinfo_v);
- } else if (oid.equals(SafeBag.CERT_BAG)) {
- CertBag cbag = (CertBag) bag.getInterpretedBagContent();
- OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert();
- byte[] x509cert = str.toByteArray();
- Vector<Object> cert_v = new Vector<Object>();
- cert_v.addElement(x509cert);
- SET bagAttrs = bag.getBagAttributes();
-
- if (bagAttrs != null) {
- for (int k = 0; k < bagAttrs.size(); k++) {
- Attribute attrs = (Attribute) bagAttrs.elementAt(k);
- OBJECT_IDENTIFIER aoid = attrs.getType();
- if (aoid.equals(SafeBag.FRIENDLY_NAME)) {
- SET val = attrs.getValues();
- ANY ss = (ANY) val.elementAt(0);
- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded());
- BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis);
- String s = sss.toString();
- cert_v.addElement(s);
- }
- }
- }
-
- cert_collection.addElement(cert_v);
- }
- }
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel update: Exception=" + e.toString());
- }
- }
-
- importkeycert(pkeyinfo_collection, cert_collection);
- } else {
- context.put("updateStatus", "failure");
- throw new IOException("The pkcs12 file is not correct.");
- }
- }
-
- String subsystemtype = "";
- String cstype = "";
try {
- subsystemtype = config.getString("preop.subsystem.select", "");
- cstype = config.getString("cs.type", "");
- } catch (Exception e) {
- }
- cstype = toLowerCaseSubsystemType(cstype);
-
- if (subsystemtype.equals("clone")) {
- CMS.debug("RestoreKeyCertPanel: this is the clone subsystem");
- boolean cloneReady = isCertdbCloned(request, context);
- if (!cloneReady) {
- CMS.debug("RestoreKeyCertPanel update: clone does not have all the certificates.");
- context.put("errorString", "Make sure you have copied the certificate database over to the clone");
- context.put("updateStatus", "failure");
- throw new IOException("Clone is not ready");
- }
- }
+ ConfigurationUtils.getConfigEntriesFromMaster();
- config.putBoolean("preop.restorekeycert.done", true);
- try {
- config.commit(false);
- } catch (EBaseException e) {
- }
-
- getConfigEntriesFromMaster(request, response, context);
- context.put("updateStatus", "success");
- }
-
- private void getConfigEntriesFromMaster(HttpServletRequest request,
- HttpServletResponse response, Context context) throws IOException {
- try {
- IConfigStore config = CMS.getConfigStore();
- String cstype = "";
- try {
- cstype = config.getString("cs.type", "");
- } catch (Exception e) {
- }
- cstype = toLowerCaseSubsystemType(cstype);
-
- String session_id = CMS.getConfigSDSessionId();
- String master_hostname = "";
- int master_port = -1;
- int master_ee_port = -1;
- try {
- master_hostname = config.getString("preop.master.hostname", "");
- master_port = config.getInteger("preop.master.httpsadminport", -1);
- master_ee_port = config.getInteger("preop.master.httpsport", -1);
-
- String content = "";
- if (cstype.equals("ca") || cstype.equals("kra")) {
- content = "type=request&xmlOutput=true&sessionID=" + session_id;
- CMS.debug("http content=" + content);
- updateNumberRange(master_hostname, master_ee_port, true, content, "request", response);
-
- content = "type=serialNo&xmlOutput=true&sessionID=" + session_id;
- updateNumberRange(master_hostname, master_ee_port, true, content, "serialNo", response);
-
- content = "type=replicaId&xmlOutput=true&sessionID=" + session_id;
- updateNumberRange(master_hostname, master_ee_port, true, content, "replicaId", response);
- }
-
- String list = "";
- try {
- list = config.getString("preop.cert.list", "");
- } catch (Exception e) {
- }
-
- StringBuffer c1 = new StringBuffer();
- StringBuffer s1 = new StringBuffer();
- StringTokenizer tok = new StringTokenizer(list, ",");
- while (tok.hasMoreTokens()) {
- String t1 = tok.nextToken();
- if (t1.equals("sslserver"))
- continue;
- c1.append(",");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".nickname,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".dn,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".keytype,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".keyalgorithm,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".privkey.id,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".pubkey.exponent,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".pubkey.modulus,");
- c1.append("cloning.");
- c1.append(t1);
- c1.append(".pubkey.encoded");
-
- if (s1.length() != 0)
- s1.append(",");
-
- s1.append(cstype);
- s1.append(".");
- s1.append(t1);
- }
-
- if (!cstype.equals("ca")) {
- c1.append(",cloning.ca.hostname,cloning.ca.httpport,cloning.ca.httpsport,cloning.ca.list,cloning.ca.pkcs7,cloning.ca.type");
- }
-
- if (cstype.equals("ca")) {
- /* get ca connector details */
- if (s1.length() != 0)
- s1.append(",");
- s1.append("ca.connector.KRA");
- }
-
- s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn");
-
- content =
- "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,"
- + "internaldb.replication.password" + c1.toString()
- + "&substores=" + s1.toString()
- + "&xmlOutput=true&sessionID="
- + session_id;
- boolean success = updateConfigEntries(master_hostname, master_port, true,
- "/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config, response);
- if (!success) {
- context.put("errorString", "Failed to get configuration entries from the master");
- throw new IOException("Failed to get configuration entries from the master");
- }
- config.putString("preop.clone.configuration", "true");
- try {
- config.commit(false);
- } catch (Exception ee) {
- }
- } catch (IOException eee) {
- throw eee;
- } catch (Exception eee) {
- CMS.debug("RestoreKeyCertPanel: update exception caught:" + eee.toString());
+ String path = HttpInput.getString(request, "path");
+ if (path == null || path.equals("")) {
+ // skip to next panel
+ config.putBoolean("preop.restorekeycert.done", true);
+ config.commit(false);
+ context.put("updateStatus", "success");
+ return;
}
- } catch (IOException ee) {
- throw ee;
- } catch (Exception ee) {
- }
- }
+ String pwd = HttpInput.getPassword(request, "__password");
- private void deleteExistingCerts() {
- IConfigStore cs = CMS.getConfigStore();
- try {
- String list = cs.getString("preop.cert.list", "");
- StringTokenizer st = new StringTokenizer(list, ",");
- while (st.hasMoreTokens()) {
- String s = st.nextToken();
- if (s.equals("sslserver"))
- continue;
- String name = "preop.master." + s + ".nickname";
- String nickname = cs.getString(name, "");
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate xcert = null;
- try {
- xcert = cm.findCertByNickname(nickname);
- } catch (Exception ee) {
- CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + ee.toString());
- }
- CryptoToken ct = cm.getInternalKeyStorageToken();
- CryptoStore store = ct.getCryptoStore();
- try {
- store.deleteCert(xcert);
- } catch (Exception ee) {
- CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + ee.toString());
- }
+ String tokenn = config.getString("preop.module.token");
+ if (tokenn.equals("Internal Key Storage Token")) {
+ ConfigurationUtils.restoreCertsFromP12(path, pwd);
}
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel deleteExistingCerts: Exception=" + e.toString());
- }
- }
-
- private org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) {
- CMS.debug("Key Algorithm '" + pubkey.getAlgorithm() + "'");
- if (pubkey.getAlgorithm().equals("EC")) {
- return org.mozilla.jss.crypto.PrivateKey.Type.EC;
- }
- return org.mozilla.jss.crypto.PrivateKey.Type.RSA;
- }
-
- private void importkeycert(Vector<Vector<Object>> pkeyinfo_collection,
- Vector<Vector<Object>> cert_collection) throws IOException {
- CryptoManager cm = null;
- try {
- cm = CryptoManager.getInstance();
- } catch (Exception e) {
- }
-
- // delete all existing certificates first
- deleteExistingCerts();
- for (int i = 0; i < pkeyinfo_collection.size(); i++) {
- try {
- Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);
- PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);
- String nickname = (String) pkeyinfo_v.elementAt(1);
- byte[] x509cert = getX509Cert(nickname, cert_collection);
- X509Certificate cert = cm.importCACertPackage(x509cert);
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- pkeyinfo.encode(bos);
- byte[] pkey = bos.toByteArray();
-
- PublicKey publickey = cert.getPublicKey();
- CryptoToken token = cm.getInternalKeyStorageToken();
- CryptoStore store = token.getCryptoStore();
- CMS.debug("RestoreKeyCertPanel deleteCert: this is pk11store");
- try {
- store.deleteCert(cert);
- } catch (Exception ee) {
- CMS.debug("RestoreKeyCertPanel importKeyCert: Exception=" + ee.toString());
+ String subsystemtype = config.getString("preop.subsystem.select", "");
+ if (subsystemtype.equals("clone")) {
+ CMS.debug("RestoreKeyCertPanel: this is the clone subsystem");
+ boolean cloneReady = ConfigurationUtils.isCertdbCloned();
+ if (!cloneReady) {
+ CMS.debug("RestoreKeyCertPanel update: clone does not have all the certificates.");
+ throw new IOException("Clone is not ready");
}
-
- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);
- SymmetricKey sk = kg.generate();
- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
- IVParameterSpec param = new IVParameterSpec(iv);
- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
- c.initEncrypt(sk, param);
- byte[] encpkey = c.doFinal(pkey);
-
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initUnwrap(sk, param);
- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publickey), publickey);
-
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel importkeycert: Exception=" + e.toString());
}
- }
- for (int i = 0; i < cert_collection.size(); i++) {
- try {
- Vector<Object> cert_v = cert_collection.elementAt(i);
- byte[] cert = (byte[]) cert_v.elementAt(0);
- if (cert_v.size() > 1) {
- String name = (String) cert_v.elementAt(1);
- // we need to delete the trusted CA certificate if it is
- // the same as the ca signing certificate
- if (isCASigningCert(name)) {
- X509Certificate certchain = getX509CertFromToken(cert);
- if (certchain != null) {
- CryptoToken token = cm.getInternalKeyStorageToken();
- CryptoStore store = token.getCryptoStore();
- CMS.debug("RestoreKeyCertPanel deleteCert: this is pk11store");
- if (store instanceof PK11Store) {
- try {
- PK11Store pk11store = (PK11Store) store;
- pk11store.deleteCertOnly(certchain);
- } catch (Exception ee) {
- CMS.debug("RestoreKeyCertPanel importKeyCert: Exception=" + ee.toString());
- }
- }
- }
- }
-
- X509Certificate xcert = cm.importUserCACertPackage(cert, name);
- if (name.startsWith("caSigningCert")) {
- // we need to change the trust attribute to CT
- InternalCertificate icert = (InternalCertificate) xcert;
- icert.setSSLTrust(InternalCertificate.TRUSTED_CA
- | InternalCertificate.TRUSTED_CLIENT_CA
- | InternalCertificate.VALID_CA);
- } else if (name.startsWith("auditSigningCert")) {
- InternalCertificate icert = (InternalCertificate) xcert;
- icert.setObjectSigningTrust(InternalCertificate.USER
- | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER);
- }
- } else
- cm.importCACertPackage(cert);
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel importkeycert: Exception=" + e.toString());
- }
- }
- }
-
- private boolean isCASigningCert(String name) {
- String n = "preop.master.signing.nickname";
- IConfigStore cs = CMS.getConfigStore();
- try {
- String nickname = cs.getString(n);
- if (nickname.equals(name))
- return true;
- } catch (Exception e) {
- return false;
- }
-
- return false;
- }
-
- private X509Certificate getX509CertFromToken(byte[] cert)
- throws IOException {
- try {
- X509CertImpl impl = new X509CertImpl(cert);
- String issuer_impl = impl.getIssuerDN().toString();
- BigInteger serial_impl = impl.getSerialNumber();
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate[] permcerts = cm.getPermCerts();
- for (int i = 0; i < permcerts.length; i++) {
- String issuer_p = permcerts[i].getSubjectDN().toString();
- BigInteger serial_p = permcerts[i].getSerialNumber();
- if (issuer_p.equals(issuer_impl) && serial_p.compareTo(serial_impl) == 0) {
- return permcerts[i];
- }
- }
+ config.putBoolean("preop.restorekeycert.done", true);
+ config.commit(false);
} catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel getX509CertFromToken: Exception=" + e.toString());
+ CMS.debug("RestoreKeyCertPanel update: exception thrown:" + e);
+ e.printStackTrace();
+ context.put("errorString", e.toString());
+ context.put("updateStatus", "failure");
+ throw new IOException(e);
}
- return null;
- }
-
- private byte[] getX509Cert(String nickname, Vector<Vector<Object>> cert_collection)
- throws IOException {
- for (int i = 0; i < cert_collection.size(); i++) {
- Vector<Object> v = cert_collection.elementAt(i);
- byte[] b = (byte[]) v.elementAt(0);
- X509CertImpl impl = null;
- try {
- impl = new X509CertImpl(b);
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel getX509Cert: Exception=" + e.toString());
- throw new IOException(e.toString());
- }
- Principal subjectdn = impl.getSubjectDN();
- if (LDAPDN.equals(subjectdn.toString(), nickname))
- return b;
- }
-
- return null;
+ context.put("updateStatus", "success");
}
/**
- * If validiate() returns false, this method will be called.
+ * If validate() returns false, this method will be called.
*/
public void displayError(HttpServletRequest request,
HttpServletResponse response,
@@ -682,37 +228,4 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
context.put("path", "");
context.put("panel", "admin/console/config/restorekeycertpanel.vm");
}
-
- private boolean isCertdbCloned(HttpServletRequest request,
- Context context) {
- IConfigStore config = CMS.getConfigStore();
- String certList = "";
- try {
- CryptoManager cm = CryptoManager.getInstance();
- certList = config.getString("preop.cert.list");
- StringTokenizer st = new StringTokenizer(certList, ",");
- while (st.hasMoreTokens()) {
- String token = st.nextToken();
- if (token.equals("sslserver"))
- continue;
- String tokenname = config.getString("preop.module.token", "");
- cm.getTokenByName(tokenname); // throw exception if token doesn't exist
- String name1 = "preop.master." + token + ".nickname";
- String nickname = config.getString(name1, "");
- if (!tokenname.equals("Internal Key Storage Token") &&
- !tokenname.equals("internal"))
- nickname = tokenname + ":" + nickname;
-
- CMS.debug("RestoreKeyCertPanel isCertdbCloned: " + nickname);
- X509Certificate cert = cm.findCertByNickname(nickname);
- if (cert == null)
- return false;
- }
- } catch (Exception e) {
- context.put("errorString", "Check your CS.cfg for cloning");
- return false;
- }
-
- return true;
- }
}