diff options
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java | 476 |
1 files changed, 0 insertions, 476 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java b/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java deleted file mode 100644 index e2253b6e8..000000000 --- a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java +++ /dev/null @@ -1,476 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2011 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- - -package com.netscape.cms.servlet.request; - -import java.lang.reflect.InvocationTargetException; -import java.math.BigInteger; -import java.net.URI; -import java.net.URISyntaxException; -import java.security.cert.CertificateException; -import java.util.HashMap; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; -import javax.ws.rs.core.Request; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.UriInfo; - -import netscape.security.x509.X509CertImpl; - -import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.SymmetricKey; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.base.BadRequestException; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.PKIException; -import com.netscape.certsrv.base.ResourceMessage; -import com.netscape.certsrv.dbs.keydb.KeyId; -import com.netscape.certsrv.key.KeyArchivalRequest; -import com.netscape.certsrv.key.KeyRecoveryRequest; -import com.netscape.certsrv.key.KeyRequestInfo; -import com.netscape.certsrv.key.KeyRequestInfoCollection; -import com.netscape.certsrv.key.KeyRequestResource; -import com.netscape.certsrv.key.KeyRequestResponse; -import com.netscape.certsrv.key.SymKeyGenerationRequest; -import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -import com.netscape.certsrv.kra.IKeyService; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.IRequestQueue; -import com.netscape.certsrv.request.RequestId; -import com.netscape.certsrv.request.RequestNotFoundException; -import com.netscape.cms.servlet.base.PKIService; -import com.netscape.cms.servlet.key.KeyRequestDAO; -import com.netscape.cmsutil.ldap.LDAPUtil; -import com.netscape.cmsutil.util.Utils; - -/** - * @author alee - * - */ -public class KeyRequestService extends PKIService implements KeyRequestResource { - - @Context - private UriInfo uriInfo; - - @Context - private HttpHeaders headers; - - @Context - private Request request; - - @Context - private HttpServletRequest servletRequest; - - private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; - - private static final String LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST = - "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; - - private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; - - private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; - - public static final int DEFAULT_START = 0; - public static final int DEFAULT_PAGESIZE = 20; - public static final int DEFAULT_MAXRESULTS = 100; - public static final int DEFAULT_MAXTIME = 10; - - private IKeyRecoveryAuthority kra; - private IRequestQueue queue; - private IKeyService service; - - public static final Map<String, KeyGenAlgorithm> KEYGEN_ALGORITHMS; - - static { - KEYGEN_ALGORITHMS = new HashMap<String, KeyGenAlgorithm>(); - KEYGEN_ALGORITHMS.put(KeyRequestResource.DES_ALGORITHM, KeyGenAlgorithm.DES); - KEYGEN_ALGORITHMS.put(KeyRequestResource.DESEDE_ALGORITHM, KeyGenAlgorithm.DESede); - KEYGEN_ALGORITHMS.put(KeyRequestResource.DES3_ALGORITHM, KeyGenAlgorithm.DES3); - KEYGEN_ALGORITHMS.put(KeyRequestResource.RC2_ALGORITHM, KeyGenAlgorithm.RC2); - KEYGEN_ALGORITHMS.put(KeyRequestResource.RC4_ALGORITHM, KeyGenAlgorithm.RC4); - KEYGEN_ALGORITHMS.put(KeyRequestResource.AES_ALGORITHM, KeyGenAlgorithm.AES); - } - - public static final Map<String, SymmetricKey.Type> SYMKEY_TYPES; - static { - SYMKEY_TYPES = new HashMap<String, SymmetricKey.Type>(); - SYMKEY_TYPES.put(KeyRequestResource.DES_ALGORITHM, SymmetricKey.DES); - SYMKEY_TYPES.put(KeyRequestResource.DESEDE_ALGORITHM, SymmetricKey.DES3); - SYMKEY_TYPES.put(KeyRequestResource.DES3_ALGORITHM, SymmetricKey.DES3); - SYMKEY_TYPES.put(KeyRequestResource.RC2_ALGORITHM, SymmetricKey.RC2); - SYMKEY_TYPES.put(KeyRequestResource.RC4_ALGORITHM, SymmetricKey.RC4); - SYMKEY_TYPES.put(KeyRequestResource.AES_ALGORITHM, SymmetricKey.AES); - } - - public KeyRequestService() { - kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); - queue = kra.getRequestQueue(); - service = (IKeyService) kra; - } - - /** - * Used to retrieve key request info for a specific request - */ - @Override - public Response getRequestInfo(RequestId id) { - if (id == null) { - CMS.debug("getRequestInfo: is is null"); - throw new BadRequestException("Unable to get Request: invalid ID"); - } - // auth and authz - KeyRequestDAO dao = new KeyRequestDAO(); - KeyRequestInfo info; - try { - info = dao.getRequest(id, uriInfo); - } catch (EBaseException e) { - // log error - e.printStackTrace(); - throw new PKIException(e.getMessage(), e); - } - if (info == null) { - // request does not exist - throw new RequestNotFoundException(id); - } - return createOKResponse(info); - } - - public Response archiveKey(KeyArchivalRequest data) { - // auth and authz - // Catch this before internal server processing has to deal with it - - if (data == null || data.getClientKeyId() == null || data.getDataType() == null) { - throw new BadRequestException("Invalid key archival request."); - } - - if (data.getWrappedPrivateData() != null) { - if (data.getTransWrappedSessionKey() == null || - data.getAlgorithmOID() == null || - data.getSymmetricAlgorithmParams() == null) { - throw new BadRequestException( - "Invalid key archival request. " + - "Missing wrapped session key, algoriithmOIS or symmetric key parameters"); - } - } else if (data.getPKIArchiveOptions() == null) { - throw new BadRequestException( - "Invalid key archival request. No data to archive"); - } - - if (data.getDataType().equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { - if ((data.getKeyAlgorithm() == null) || - (! SYMKEY_TYPES.containsKey(data.getKeyAlgorithm()))) { - throw new BadRequestException("Invalid key archival request. Bad algorithm."); - } - } - - KeyRequestDAO dao = new KeyRequestDAO(); - KeyRequestResponse response; - try { - response = dao.submitRequest(data, uriInfo); - auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId()); - - return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL())); - - } catch (EBaseException | URISyntaxException e) { - e.printStackTrace(); - auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId()); - throw new PKIException(e.toString()); - } - } - - public Response recoverKey(KeyRecoveryRequest data) { - // auth and authz - - //Check for entirely illegal data combination here - //Catch this before the internal server processing has to deal with it - //If data has been provided, we need at least the wrapped session key, - //or the command is invalid. - - if (data == null) { - throw new BadRequestException("Invalid request."); - } - if (data.getCertificate() == null && - data.getTransWrappedSessionKey() == null && - data.getSessionWrappedPassphrase() != null) { - throw new BadRequestException("No wrapped session key."); - } - KeyRequestDAO dao = new KeyRequestDAO(); - KeyRequestResponse response; - try { - response = (data.getCertificate() != null)? - requestKeyRecovery(data): dao.submitRequest(data, uriInfo); - auditRecoveryRequestMade(response.getRequestInfo().getRequestId(), - ILogger.SUCCESS, data.getKeyId()); - - return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL())); - - } catch (EBaseException | URISyntaxException e) { - e.printStackTrace(); - auditRecoveryRequestMade(null, ILogger.FAILURE, data.getKeyId()); - throw new PKIException(e.toString()); - } - } - - private KeyRequestResponse requestKeyRecovery(KeyRecoveryRequest data) { - KeyRequestResponse response = null; - if (data == null) { - throw new BadRequestException("Invalid request."); - } - String keyId = data.getKeyId().toString(); - String b64Certificate = data.getCertificate(); - byte[] certData = Utils.base64decode(b64Certificate); - String agentID = servletRequest.getUserPrincipal().getName(); - String requestId = null; - try { - requestId = service.initAsyncKeyRecovery(new BigInteger(keyId), new X509CertImpl(certData), agentID); - } catch (EBaseException | CertificateException e) { - e.printStackTrace(); - throw new PKIException(e.toString()); - } - IRequest request = null; - try { - request = queue.findRequest(new RequestId(requestId)); - } catch (EBaseException e) { - } - KeyRequestDAO dao = new KeyRequestDAO(); - response = dao.createCMSRequestResponse(request, uriInfo); - - return response; - } - - @Override - public Response approveRequest(RequestId id) { - if (id == null) { - throw new BadRequestException("Invalid request id."); - } - // auth and authz - KeyRequestDAO dao = new KeyRequestDAO(); - try { - IRequest request = queue.findRequest(id); - String type = request.getRequestType(); - if (IRequest.KEYRECOVERY_REQUEST.equals(type)) { - service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName()); - auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve"); - } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) { - dao.approveRequest(id); - auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve"); - } - } catch (EBaseException e) { - e.printStackTrace(); - auditRecoveryRequestChange(id, ILogger.FAILURE, "approve"); - throw new PKIException(e.toString()); - } - - return createNoContentResponse(); - } - - @Override - public Response rejectRequest(RequestId id) { - if (id == null) { - throw new BadRequestException("Invalid request id."); - } - // auth and authz - KeyRequestDAO dao = new KeyRequestDAO(); - try { - dao.rejectRequest(id); - auditRecoveryRequestChange(id, ILogger.SUCCESS, "reject"); - } catch (EBaseException e) { - e.printStackTrace(); - auditRecoveryRequestChange(id, ILogger.FAILURE, "reject"); - throw new PKIException(e.toString()); - } - - return createNoContentResponse(); - } - - @Override - public Response cancelRequest(RequestId id) { - if (id == null) { - throw new BadRequestException("Invalid request id."); - } - // auth and authz - KeyRequestDAO dao = new KeyRequestDAO(); - try { - dao.cancelRequest(id); - auditRecoveryRequestChange(id, ILogger.SUCCESS, "cancel"); - } catch (EBaseException e) { - e.printStackTrace(); - auditRecoveryRequestChange(id, ILogger.FAILURE, "cancel"); - throw new PKIException(e.toString()); - } - - return createNoContentResponse(); - } - - /** - * Used to generate list of key requests based on the search parameters - */ - @Override - public Response listRequests(String requestState, String requestType, String clientKeyID, - RequestId start, Integer pageSize, Integer maxResults, Integer maxTime) { - // auth and authz - - // get ldap filter - String filter = createSearchFilter(requestState, requestType, clientKeyID); - CMS.debug("listRequests: filter is " + filter); - - start = start == null ? new RequestId(KeyRequestService.DEFAULT_START) : start; - pageSize = pageSize == null ? DEFAULT_PAGESIZE : pageSize; - maxResults = maxResults == null ? DEFAULT_MAXRESULTS : maxResults; - maxTime = maxTime == null ? DEFAULT_MAXTIME : maxTime; - - KeyRequestDAO reqDAO = new KeyRequestDAO(); - KeyRequestInfoCollection requests; - try { - requests = reqDAO.listRequests(filter, start, pageSize, maxResults, maxTime, uriInfo); - } catch (EBaseException e) { - CMS.debug("listRequests: error in obtaining request results" + e); - e.printStackTrace(); - throw new PKIException(e.toString()); - } - return createOKResponse(requests); - } - - private String createSearchFilter(String requestState, String requestType, String clientKeyID) { - String filter = ""; - int matches = 0; - - if ((requestState == null) && (requestType == null) && (clientKeyID == null)) { - filter = "(requeststate=*)"; - return filter; - } - - if (requestState != null) { - filter += "(requeststate=" + LDAPUtil.escapeFilter(requestState) + ")"; - matches ++; - } - - if (requestType != null) { - filter += "(requesttype=" + LDAPUtil.escapeFilter(requestType) + ")"; - matches ++; - } - - if (clientKeyID != null) { - filter += "(clientID=" + LDAPUtil.escapeFilter(clientKeyID) + ")"; - matches ++; - } - - if (matches > 1) { - filter = "(&" + filter + ")"; - } - - return filter; - } - - public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { - String msg = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, - servletRequest.getUserPrincipal().getName(), - status, - requestId.toString(), - operation); - auditor.log(msg); - } - - public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { - String msg = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST, - servletRequest.getUserPrincipal().getName(), - status, - requestId != null? requestId.toString(): "null", - dataId.toString()); - auditor.log(msg); - } - - public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { - String msg = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST, - servletRequest.getUserPrincipal().getName(), - status, - requestId != null? requestId.toString(): "null", - clientKeyID); - auditor.log(msg); - } - - public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { - String msg = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST, - servletRequest.getUserPrincipal().getName(), - status, - requestId != null ? requestId.toString() : "null", - clientKeyID); - auditor.log(msg); - } - - @Override - public Response createRequest(MultivaluedMap<String, String> form) { - ResourceMessage data = new ResourceMessage(form); - return createRequest(data); - } - - @Override - public Response createRequest(ResourceMessage data) { - Object request = null; - try { - Class<?> requestClazz = Class.forName(data.getClassName()); - request = requestClazz.getDeclaredConstructor(ResourceMessage.class).newInstance(data); - } catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException - | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { - throw new BadRequestException("Invalid request class." + e); - } - - if (request instanceof KeyArchivalRequest) { - return archiveKey(new KeyArchivalRequest(data)); - } else if (request instanceof KeyRecoveryRequest) { - return recoverKey(new KeyRecoveryRequest(data)); - } else if (request instanceof SymKeyGenerationRequest) { - return generateSymKey(new SymKeyGenerationRequest(data)); - } else { - throw new BadRequestException("Invalid request class."); - } - } - - public Response generateSymKey(SymKeyGenerationRequest data) { - if (data == null) { - throw new BadRequestException("Invalid key generation request."); - } - - KeyRequestDAO dao = new KeyRequestDAO(); - KeyRequestResponse response; - try { - response = dao.submitRequest(data, uriInfo); - auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, - data.getClientKeyId()); - - return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL())); - - } catch (EBaseException | URISyntaxException e) { - e.printStackTrace(); - auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId()); - throw new PKIException(e.toString()); - } - } -} |