Diffstat (limited to 'base/server/cms/src/com')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java | 70 | ||||
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java | 65 |
2 files changed, 128 insertions, 7 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
index 27cc909e5..a2e48b9ec 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyService.java
@@ -53,6 +53,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
 import com.netscape.certsrv.key.KeyRequestInfo;
 import com.netscape.certsrv.key.KeyResource;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.kra.IKeyService;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IRequestQueue;
@@ -60,6 +61,7 @@ import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.ldap.LDAPUtil;
+import com.netscape.cmsutil.util.Utils;
 /**
 * @author alee
@@ -89,11 +91,13 @@ public class KeyService extends PKIService implements KeyResource {
 private IKeyRepository repo;
 private IKeyRecoveryAuthority kra;
 private IRequestQueue queue;
+ private IKeyService service;
 public KeyService() {
 kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
 repo = kra.getKeyRepository();
 queue = kra.getRequestQueue();
+ service = (IKeyService) kra;
 }
 /**
@@ -108,11 +112,25 @@ public class KeyService extends PKIService implements KeyResource {
 throw new BadRequestException("Cannot retrieve key. Invalid request");
 }
 // auth and authz
- KeyId keyId = validateRequest(data);
 RequestId requestID = data.getRequestId();
+ IRequest request;
+ try {
+ request = queue.findRequest(requestID);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, requestID, null, e.getMessage());
+ throw new PKIException(e.getMessage());
+ }
+ String type = request.getRequestType();
+ KeyId keyId = null;
 KeyData keyData;
 try {
- keyData = getKey(keyId, data);
+ if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
+ keyData = recoverKey(data);
+ } else {
+ keyId = validateRequest(data);
+ keyData = getKey(keyId, data);
+ }
 } catch (EBaseException e) {
 e.printStackTrace();
 auditRetrieveKey(ILogger.FAILURE, requestID, keyId, e.getMessage());
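Review bot: `request.getRequestType()` is called on the result of `queue.findRequest(requestID)` without a null check, although the new `recoverKey()` in this same commit treats a null result as possible; an unknown request id would then surface as a NullPointerException with no failure audit record. Adding `if (request == null) { auditRetrieveKey(ILogger.FAILURE, requestID, null, "No request record."); throw new HTTPGoneException("No request record."); }` before the type lookup keeps that failure audited. Also worth confirming: for `KEYRECOVERY_REQUEST` the `validateRequest(data)` call that used to run first under the "auth and authz" comment is now skipped, and `recoverKey()` only checks type and APPROVED status, so whatever caller-to-request binding `validateRequest` provides (its body is not visible here) is not applied on that path. The method body starts before and continues after this hunk.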
@@ -403,4 +421,52 @@ public class KeyService extends PKIService implements KeyResource {
 reason);
 auditor.log(msg);
 }
+
+ /**
+ * Used to retrieve a key
+ * @param data
+ * @return
+ */
+ private KeyData recoverKey(KeyRecoveryRequest data) {
+ // confirm request exists
+ RequestId reqId = data.getRequestId();
+
+ IRequest request = null;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ }
+ if (request == null) {
+ throw new HTTPGoneException("No request record.");
+ }
+ String type = request.getRequestType();
+ RequestStatus status = request.getRequestStatus();
+ if (!IRequest.KEYRECOVERY_REQUEST.equals(type) ||
+ !status.equals(RequestStatus.APPROVED)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "Unauthorized request.");
+ throw new UnauthorizedException("Unauthorized request.");
+ }
+
+ String passphrase = data.getPassphrase();
+ byte pkcs12[] = null;
+ try {
+ pkcs12 = service.doKeyRecovery(reqId.toString(), passphrase);
+ } catch (EBaseException e) {
+ }
+ if (pkcs12 == null) {
+ throw new HTTPGoneException("Key not recovered.");
+ }
+ String pkcs12base64encoded = Utils.base64encode(pkcs12);
+
+ KeyData keyData = new KeyData();
+ keyData.setP12Data(pkcs12base64encoded);
+
+ try {
+ queue.processRequest(request);
+ queue.markAsServiced(request);
+ } catch (EBaseException e) {
+ }
+
+ return keyData;
+ }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java b/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
index 06b03176d..ada11be7c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/KeyRequestService.java
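Review bot: The three empty `catch (EBaseException e) {}` blocks in `recoverKey()` make this path fail open and unaudited. If `queue.processRequest(request)` or `queue.markAsServiced(request)` throws, the PKCS#12 is still returned and the request presumably stays APPROVED, so the same request id could be redeemed again. Failures from `findRequest` and `doKeyRecovery` are reduced to a generic "gone" response with no `auditRetrieveKey(ILogger.FAILURE, ...)` record. I would audit and rethrow in each handler and only return `keyData` once the request has been closed, as sketched below. The Javadoc should also state the preconditions (request type and APPROVED status) instead of leaving `@param`/`@return` empty.

```java
        IRequest request = null;
        try {
            request = queue.findRequest(reqId);
        } catch (EBaseException e) {
            auditRetrieveKey(ILogger.FAILURE, reqId, null, e.getMessage());
            throw new PKIException("Unable to look up request.");
        }
        // … unchanged: null check on request, type and APPROVED status check …
        byte pkcs12[] = null;
        try {
            pkcs12 = service.doKeyRecovery(reqId.toString(), passphrase);
        } catch (EBaseException e) {
            auditRetrieveKey(ILogger.FAILURE, reqId, null, e.getMessage());
            throw new PKIException("Key recovery failed.");
        }
        // … unchanged: null check on pkcs12, base64 encoding, KeyData construction …
        try {
            queue.processRequest(request);
            queue.markAsServiced(request);
        } catch (EBaseException e) {
            // Fail closed: do not release the key if the request could not be closed.
            auditRetrieveKey(ILogger.FAILURE, reqId, null, e.getMessage());
            throw new PKIException("Recovery request could not be marked as serviced.");
        }
```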
@@ -18,8 +18,10 @@ package com.netscape.cms.servlet.request; +import java.math.BigInteger; import java.net.URI; import java.net.URISyntaxException; +import java.security.cert.CertificateException; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; @@ -30,6 +32,8 @@ import javax.ws.rs.core.Request; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; +import netscape.security.x509.X509CertImpl; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.BadRequestException; import com.netscape.certsrv.base.EBaseException; @@ -40,12 +44,17 @@ import com.netscape.certsrv.key.KeyRecoveryRequest; import com.netscape.certsrv.key.KeyRequestInfo; import com.netscape.certsrv.key.KeyRequestInfos; import com.netscape.certsrv.key.KeyRequestResource; +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.kra.IKeyService; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.servlet.base.PKIService; import com.netscape.cms.servlet.key.KeyRequestDAO; import com.netscape.cmsutil.ldap.LDAPUtil; +import com.netscape.cmsutil.util.Utils; /** * @author alee @@ -79,6 +88,16 @@ public class KeyRequestService extends PKIService implements KeyRequestResource public static final int DEFAULT_MAXRESULTS = 100; public static final int DEFAULT_MAXTIME = 10; + private IKeyRecoveryAuthority kra; + private IRequestQueue queue; + private IKeyService service; + + public KeyRequestService() { + kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); + queue = kra.getRequestQueue(); + service = (IKeyService) kra; + } + /** * Used to retrieve key request info for a specific request */ 
@@ -160,14 +179,16 @@ public class KeyRequestService extends PKIService implements KeyRequestResource if (data == null) { throw new BadRequestException("Invalid request."); } - if (data.getTransWrappedSessionKey() == null - && data.getSessionWrappedPassphrase() != null) { + if (data.getCertificate() == null && + data.getTransWrappedSessionKey() == null && + data.getSessionWrappedPassphrase() != null) { throw new BadRequestException("No wrapped session key."); } KeyRequestDAO dao = new KeyRequestDAO(); KeyRequestInfo info; try { - info = dao.submitRequest(data, uriInfo); + info = (data.getCertificate() != null)? + requestKeyRecovery(data): dao.submitRequest(data, uriInfo); auditRecoveryRequestMade(info.getRequestId(), ILogger.SUCCESS, data.getKeyId()); return Response @@ -182,6 +203,33 @@ public class KeyRequestService extends PKIService implements KeyRequestResource } } + private KeyRequestInfo requestKeyRecovery(KeyRecoveryRequest data) { + KeyRequestInfo info = null; + if (data == null) { + throw new BadRequestException("Invalid request."); + } + String keyId = data.getKeyId().toString(); + String b64Certificate = data.getCertificate(); + byte[] certData = Utils.base64decode(b64Certificate); + String agentID = servletRequest.getUserPrincipal().getName(); + String requestId = null; + try { + requestId = service.initAsyncKeyRecovery(new BigInteger(keyId), new X509CertImpl(certData), agentID); + } catch (EBaseException | CertificateException e) { + e.printStackTrace(); + throw new PKIException(e.toString()); + } + IRequest request = null; + try { + request = queue.findRequest(new RequestId(requestId)); + } catch (EBaseException e) { + } + KeyRequestDAO dao = new KeyRequestDAO(); + info = dao.createCMSRequestInfo(request, uriInfo); + + return info; + } + @Override public void approveRequest(RequestId id) { if (id == null) { 
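Review bot: `requestKeyRecovery()` dereferences several request-controlled values without checking them: `data.getKeyId().toString()` fails on a missing key id, `new BigInteger(keyId)` can throw an uncaught NumberFormatException, and the decoded certificate bytes go straight into `new X509CertImpl(certData)`. The empty `catch (EBaseException e) {}` around `queue.findRequest(...)` then lets a null `request` reach `dao.createCMSRequestInfo(request, uriInfo)`. `throw new PKIException(e.toString())` also returns the exception class and message to the client; a fixed message with the detail kept in the server log would be safer. Whether `initAsyncKeyRecovery` checks that the supplied certificate belongs to the key record is not visible in this hunk and is worth confirming.

```java
    private KeyRequestInfo requestKeyRecovery(KeyRecoveryRequest data) {
        if (data == null || data.getKeyId() == null || data.getCertificate() == null) {
            throw new BadRequestException("Invalid request.");
        }
        // … unchanged: keyId string, base64 decode of the certificate, agentID lookup …
        String requestId = null;
        try {
            requestId = service.initAsyncKeyRecovery(new BigInteger(keyId), new X509CertImpl(certData), agentID);
        } catch (NumberFormatException | CertificateException e) {
            throw new BadRequestException("Invalid key id or certificate.");
        } catch (EBaseException e) {
            e.printStackTrace();
            throw new PKIException("Unable to create key recovery request.");
        }
        IRequest request = null;
        try {
            request = queue.findRequest(new RequestId(requestId));
        } catch (EBaseException e) {
            throw new PKIException("Unable to load key recovery request.");
        }
        if (request == null) {
            throw new PKIException("Key recovery request not found.");
        }
        // … unchanged: KeyRequestDAO creation, createCMSRequestInfo call and return …
```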
@@ -190,8 +238,15 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 // auth and authz
 KeyRequestDAO dao = new KeyRequestDAO();
 try {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ IRequest request = queue.findRequest(id);
+ String type = request.getRequestType();
+ if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
+ dao.approveRequest(id);
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
+ }
 } catch (EBaseException e) {
 e.printStackTrace();
 auditRecoveryRequestChange(id, ILogger.FAILURE, "approve"); |
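Review bot: When the request type is neither `KEYRECOVERY_REQUEST` nor `SECURITY_DATA_RECOVERY_REQUEST`, the new `if`/`else if` in `approveRequest()` does nothing and the method returns normally, so the caller sees an approval succeed that never happened and no audit event is written. A closing branch such as `} else { auditRecoveryRequestChange(id, ILogger.FAILURE, "approve"); throw new BadRequestException("Unsupported request type."); }` would make that case explicit. The results of `queue.findRequest(id)` and `servletRequest.getUserPrincipal()` are also dereferenced without a null check, which turns an unknown id or an unauthenticated call into a NullPointerException that bypasses the `EBaseException` handler and its failure audit. The method starts before and continues after this hunk.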