summaryrefslogtreecommitdiffstats
path: root/base/server/cms/src/com
diff options
context:
space:
mode:
Diffstat (limited to 'base/server/cms/src/com')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java70
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java65
2 files changed, 128 insertions, 7 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
index 27cc909e5..a2e48b9ec 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
@@ -53,6 +53,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
import com.netscape.certsrv.key.KeyRequestInfo;
import com.netscape.certsrv.key.KeyResource;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.kra.IKeyService;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
@@ -60,6 +61,7 @@ import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.request.RequestStatus;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cmsutil.ldap.LDAPUtil;
+import com.netscape.cmsutil.util.Utils;
/**
* @author alee
@@ -89,11 +91,13 @@ public class KeyService extends PKIService implements KeyResource {
private IKeyRepository repo;
private IKeyRecoveryAuthority kra;
private IRequestQueue queue;
+ private IKeyService service;
public KeyService() {
kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
repo = kra.getKeyRepository();
queue = kra.getRequestQueue();
+ service = (IKeyService) kra;
}
/**
@@ -108,11 +112,25 @@ public class KeyService extends PKIService implements KeyResource {
throw new BadRequestException("Cannot retrieve key. Invalid request");
}
// auth and authz
- KeyId keyId = validateRequest(data);
RequestId requestID = data.getRequestId();
+ IRequest request;
+ try {
+ request = queue.findRequest(requestID);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, requestID, null, e.getMessage());
+ throw new PKIException(e.getMessage());
+ }
+ String type = request.getRequestType();
+ KeyId keyId = null;
KeyData keyData;
try {
- keyData = getKey(keyId, data);
+ if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
+ keyData = recoverKey(data);
+ } else {
+ keyId = validateRequest(data);
+ keyData = getKey(keyId, data);
+ }
} catch (EBaseException e) {
e.printStackTrace();
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, e.getMessage());
@@ -403,4 +421,52 @@ public class KeyService extends PKIService implements KeyResource {
reason);
auditor.log(msg);
}
+
+ /**
+ * Used to retrieve a key
+ * @param data
+ * @return
+ */
+ private KeyData recoverKey(KeyRecoveryRequest data) {
+ // confirm request exists
+ RequestId reqId = data.getRequestId();
+
+ IRequest request = null;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ }
+ if (request == null) {
+ throw new HTTPGoneException("No request record.");
+ }
+ String type = request.getRequestType();
+ RequestStatus status = request.getRequestStatus();
+ if (!IRequest.KEYRECOVERY_REQUEST.equals(type) ||
+ !status.equals(RequestStatus.APPROVED)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "Unauthorized request.");
+ throw new UnauthorizedException("Unauthorized request.");
+ }
+
+ String passphrase = data.getPassphrase();
+ byte pkcs12[] = null;
+ try {
+ pkcs12 = service.doKeyRecovery(reqId.toString(), passphrase);
+ } catch (EBaseException e) {
+ }
+ if (pkcs12 == null) {
+ throw new HTTPGoneException("Key not recovered.");
+ }
+ String pkcs12base64encoded = Utils.base64encode(pkcs12);
+
+ KeyData keyData = new KeyData();
+ keyData.setP12Data(pkcs12base64encoded);
+
+ try {
+ queue.processRequest(request);
+ queue.markAsServiced(request);
+ } catch (EBaseException e) {
+ }
+
+ return keyData;
+ }
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java b/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
index 06b03176d..ada11be7c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
@@ -18,8 +18,10 @@
package com.netscape.cms.servlet.request;
+import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
+import java.security.cert.CertificateException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
@@ -30,6 +32,8 @@ import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
+import netscape.security.x509.X509CertImpl;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
@@ -40,12 +44,17 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
import com.netscape.certsrv.key.KeyRequestInfo;
import com.netscape.certsrv.key.KeyRequestInfos;
import com.netscape.certsrv.key.KeyRequestResource;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.kra.IKeyService;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.request.RequestNotFoundException;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cms.servlet.key.KeyRequestDAO;
import com.netscape.cmsutil.ldap.LDAPUtil;
+import com.netscape.cmsutil.util.Utils;
/**
* @author alee
@@ -79,6 +88,16 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
public static final int DEFAULT_MAXRESULTS = 100;
public static final int DEFAULT_MAXTIME = 10;
+ private IKeyRecoveryAuthority kra;
+ private IRequestQueue queue;
+ private IKeyService service;
+
+ public KeyRequestService() {
+ kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
+ queue = kra.getRequestQueue();
+ service = (IKeyService) kra;
+ }
+
/**
* Used to retrieve key request info for a specific request
*/
@@ -160,14 +179,16 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (data == null) {
throw new BadRequestException("Invalid request.");
}
- if (data.getTransWrappedSessionKey() == null
- && data.getSessionWrappedPassphrase() != null) {
+ if (data.getCertificate() == null &&
+ data.getTransWrappedSessionKey() == null &&
+ data.getSessionWrappedPassphrase() != null) {
throw new BadRequestException("No wrapped session key.");
}
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestInfo info;
try {
- info = dao.submitRequest(data, uriInfo);
+ info = (data.getCertificate() != null)?
+ requestKeyRecovery(data): dao.submitRequest(data, uriInfo);
auditRecoveryRequestMade(info.getRequestId(), ILogger.SUCCESS, data.getKeyId());
return Response
@@ -182,6 +203,33 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
}
}
+ private KeyRequestInfo requestKeyRecovery(KeyRecoveryRequest data) {
+ KeyRequestInfo info = null;
+ if (data == null) {
+ throw new BadRequestException("Invalid request.");
+ }
+ String keyId = data.getKeyId().toString();
+ String b64Certificate = data.getCertificate();
+ byte[] certData = Utils.base64decode(b64Certificate);
+ String agentID = servletRequest.getUserPrincipal().getName();
+ String requestId = null;
+ try {
+ requestId = service.initAsyncKeyRecovery(new BigInteger(keyId), new X509CertImpl(certData), agentID);
+ } catch (EBaseException | CertificateException e) {
+ e.printStackTrace();
+ throw new PKIException(e.toString());
+ }
+ IRequest request = null;
+ try {
+ request = queue.findRequest(new RequestId(requestId));
+ } catch (EBaseException e) {
+ }
+ KeyRequestDAO dao = new KeyRequestDAO();
+ info = dao.createCMSRequestInfo(request, uriInfo);
+
+ return info;
+ }
+
@Override
public void approveRequest(RequestId id) {
if (id == null) {
@@ -190,8 +238,15 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
// auth and authz
KeyRequestDAO dao = new KeyRequestDAO();
try {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ IRequest request = queue.findRequest(id);
+ String type = request.getRequestType();
+ if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
+ dao.approveRequest(id);
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ }
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
generated by cgit (git 2.34.1) at 2024-06-30 14:10:53 +0000