Diffstat (limited to 'base/server')
-rw-r--r--base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java3
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java4
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java2
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java95
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java76
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java35
-rw-r--r--base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java14
7 files changed, 198 insertions, 31 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index f2bf40241..67938af5d 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -489,6 +489,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
if (type.equals(TaggedRequest.PKCS10)) {
CMS.debug("CMCAuth: type is PKCS10");
+ authToken.set("cert_request_type", "cmc-pkcs10");
+
TaggedCertificationRequest tcr =
taggedRequest.getTcr();
int p10Id = tcr.getBodyPartID().intValue();
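Review bot: The new `authToken.set("cert_request_type", "cmc-pkcs10")` here, and `"cmc-crmf"` in the CRMF hunk below, are bare literals that RequestRecord.loadExtDataFromRequest reads back through a third literal, `"auth_token.cert_request_type"`, and compares against `"cmc-crmf"`; a typo on either side silently disables the LDAP attribute exclusion rather than failing. Declaring the key and both values as constants (for example next to the existing attribute names on IAuthToken) would let the compiler catch drift between the three files. Both enclosing branches start and end outside these hunks.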
@@ -581,6 +583,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
} else if (type.equals(TaggedRequest.CRMF)) {
CMS.debug("CMCAuth: type is CRMF");
+ authToken.set("cert_request_type", "cmc-crmf");
try {
CertReqMsg crm =
taggedRequest.getCrm();
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
index e2208aba7..9aaa29d7a 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
@@ -100,6 +100,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault {
throw new EPropertyException(CMS.getUserMessage(
locale, "CMS_INVALID_PROPERTY", name));
}
+ if (info == null) {
+ // info is null; possibly strippedldapRecords enabled
+ return null;
+ }
AuthorityKeyIdentifierExtension ext =
(AuthorityKeyIdentifierExtension) getExtension(
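Review bot: The comment on the new null guard names a feature, `strippedldapRecords`, that does not match the configuration key the rest of this commit introduces (`excludedLdapAttrs.enabled` in CMSEngine), so a reader grepping for it finds nothing; suggest `// info is null; possibly excludedLdapAttrs.enabled=true stripped req_x509info from the record`. The enclosing method starts outside the hunk, so whether its callers tolerate a null return cannot be confirmed from the page; the method's Javadoc should state that null is now a possible result.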
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index ad4281b80..634d07093 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -195,7 +195,7 @@ public class ValidityDefault extends EnrollDefault {
} catch (Exception e) {
CMS.debug("ValidityDefault: getValue " + e.toString());
}
- throw new EPropertyException("Invalid valie");
+ throw new EPropertyException("Invalid value");
} else if (name.equals(VAL_NOT_AFTER)) {
SimpleDateFormat formatter =
new SimpleDateFormat(DATE_FORMAT);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
index 03975ac4f..64adebf68 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/CertReqParser.java
@@ -30,6 +30,19 @@ import java.util.Hashtable;
import java.util.Locale;
import java.util.Vector;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IArgBlock;
+import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.CMSTemplateParams;
+import com.netscape.cms.servlet.common.RawJS;
+import com.netscape.cmsutil.util.Utils;
+
import netscape.security.extensions.NSCertTypeExtension;
import netscape.security.x509.AlgorithmId;
import netscape.security.x509.BasicConstraintsExtension;
@@ -44,23 +57,11 @@ import netscape.security.x509.CertificateX509Key;
import netscape.security.x509.Extension;
import netscape.security.x509.RevocationReason;
import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X500Name;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
import netscape.security.x509.X509Key;
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.authentication.IAuthToken;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IArgBlock;
-import com.netscape.certsrv.base.IPrettyPrintFormat;
-import com.netscape.certsrv.profile.IEnrollProfile;
-import com.netscape.certsrv.request.IRequest;
-import com.netscape.certsrv.request.RequestStatus;
-import com.netscape.cms.servlet.common.CMSTemplate;
-import com.netscape.cms.servlet.common.CMSTemplateParams;
-import com.netscape.cms.servlet.common.RawJS;
-import com.netscape.cmsutil.util.Utils;
-
/**
* Output a 'pretty print' of a certificate request
*
@@ -102,6 +103,26 @@ public class CertReqParser extends ReqParser {
*/
public void fillRequestIntoArg(Locale l, IRequest req, CMSTemplateParams argSet, IArgBlock arg)
throws EBaseException {
+
+ // in case x509CertInfo is missing, at least add the subject for display
+ if (req.getExtDataInCertInfo("req_x509info"/*IRequest.CERT_INFO*/) == null
+ && req.getExtDataInCertInfo(IRequest.CERT_INFO) == null
+ && arg.getValueAsString("subject", "").equals("")) {
+ //CMS.debug("CertReqParser.fillRequestIntoArg: filling subject due to missing x509CertInfo in request");
+ try {
+ String subjectnamevalue = req.getExtDataInString("req_subject_name");
+ if (subjectnamevalue != null && !subjectnamevalue.equals("")) {
+ X500Name name = new X500Name(Utils.base64decode(subjectnamevalue));
+ CertificateSubjectName sbjName = new CertificateSubjectName(name);
+ if (sbjName != null) {
+ arg.addStringValue("subject", sbjName.toString());
+ }
+ }
+ } catch (Exception ee) {
+ CMS.debug("CertReqParser.fillRequestIntoArg: Exception:" + ee.toString());
+ }
+ }
+
if (req.getExtDataInCertInfoArray(IRequest.CERT_INFO) != null) {
fillX509RequestIntoArg(l, req, argSet, arg);
} else if (req.getExtDataInRevokedCertArray(IRequest.CERT_INFO) != null) {
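Review bot: The `if (sbjName != null)` check is always true, since `new CertificateSubjectName(name)` on the line before cannot return null; drop it and add the value directly. The decode `new X500Name(Utils.base64decode(subjectnamevalue))` assumes `req_subject_name` holds base64-encoded DER, but the new fallback in RequestRecord.loadExtDataFromRequest stores `subjName.toString()` (a display string) under the same key, so a record populated that way fails this decode and only produces a debug line; the two sides need to agree on one representation. The two `getExtDataInCertInfo` calls with `"req_x509info"` and `IRequest.CERT_INFO` are redundant if, as the inline comment suggests, the constant has that value — confirm and keep one. The commented-out debug line should be removed rather than left in.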
@@ -609,9 +630,36 @@ public class CertReqParser extends ReqParser {
CMSTemplate.escapeJavaScriptStringHTML(v.toString()) + "\"";
}
+ public String getCertSubjectDN(IRequest request) {
+ try {
+ String cert = request.getExtDataInString("cert");
+ if (cert == null) {
+ cert = request.getExtDataInString("req_issued_cert");
+ }
+
+ if (cert != null) {
+
+ X509CertImpl theCert = null;
+ try {
+ theCert = new X509CertImpl(Utils.base64decode(cert));
+ } catch (CertificateException e) {
+ }
+
+ if (theCert != null) {
+ String subject = theCert.getSubjectDN().toString();
+ return subject;
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug("CertReqParser: getCertSubjectDN " + e.toString());
+ }
+ return null;
+ }
+
public String getRequestorDN(IRequest request) {
try {
X509CertInfo info = request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+ if (info == null) return null;
// retrieve the subject name
CertificateSubjectName sn = (CertificateSubjectName)
info.get(X509CertInfo.SUBJECT);
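Review bot: `catch (CertificateException e) { }` in the new getCertSubjectDN swallows the parse failure, so a corrupt or truncated `cert`/`req_issued_cert` value yields null with no trace while every other failure in the method is logged; the inner try/catch is redundant with the outer `catch (Exception e)` and can be dropped so the existing debug line reports it. The method also lacks a Javadoc: it returns the subject DN of the certificate stored in the request under `cert`, falling back to `req_issued_cert`, or null when neither is present or decodable. getRequestorDN continues outside the hunk.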
@@ -661,28 +709,17 @@ public class CertReqParser extends ReqParser {
if (profile != null) {
arg.addStringValue("profile", profile);
String requestorDN = getRequestorDN(req);
+ if (requestorDN == null) {
+ requestorDN = getCertSubjectDN(req);
+ }
if (requestorDN != null) {
arg.addStringValue("subject", requestorDN);
}
} else if (IRequest.KEYRECOVERY_REQUEST.equals(reqType)) {
arg.addStringValue("profile", "false");
-
- String cert = req.getExtDataInString("cert");
-
- if (cert != null) {
-
- X509CertImpl theCert = null;
- try {
- theCert = new X509CertImpl(Utils.base64decode(cert));
- } catch (CertificateException e) {
- }
-
- if (theCert != null) {
- String subject = theCert.getSubjectDN().toString();
- arg.addStringValue("subject", subject);
- }
- }
+ String subjectDN = getCertSubjectDN(req);
+ arg.addStringValue("subject", subjectDN);
} else { //TMS
arg.addStringValue("profile", "false");
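Review bot: In the KEYRECOVERY branch the replacement `arg.addStringValue("subject", subjectDN)` now runs unconditionally, whereas the removed code only added the value when the certificate parsed; getCertSubjectDN returns null on every failure path, so a null now reaches IArgBlock.addStringValue, and whether that throws or stores a null string depends on an implementation not on the page. The profile branch a few lines above keeps its `if (requestorDN != null)` guard; mirror it: `if (subjectDN != null) { arg.addStringValue("subject", subjectDN); }`. The enclosing method starts and ends outside the hunk.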
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index d68290195..02cc8ff53 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -31,9 +31,11 @@ import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
+import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
import java.util.StringTokenizer;
@@ -207,6 +209,7 @@ public class CMSEngine implements ICMSEngine {
private CryptoManager mManager = null;
private IConfigStore mConfig = null;
+ private boolean mExcludedLdapAttrsEnabled = false;
// AutoSD : AutoShutdown
private String mAutoSD_CrumbFile = null;
private boolean mAutoSD_Restart = false;
@@ -1246,8 +1249,62 @@ public class CMSEngine implements ICMSEngine {
}
}
}
+
+ if (id.equals("ca") || id.equals("kra")) {
+
+ /*
+ figure out if any ldap attributes need exclusion in enrollment records
+ Default config:
+ excludedLdapAttrs.enabled=false;
+ (excludedLdapAttrs.attrs unspecified to take default)
+ */
+ mExcludedLdapAttrsEnabled = mConfig.getBoolean("excludedLdapAttrs.enabled", false);
+ if (mExcludedLdapAttrsEnabled == true) {
+ CMS.debug("CMSEngine: initSubsystem: excludedLdapAttrs.enabled: true");
+ excludedLdapAttrsList = Arrays.asList(excludedLdapAttrs);
+ String unparsedExcludedLdapAttrs = "";
+ try {
+ unparsedExcludedLdapAttrs = mConfig.getString("excludedLdapAttrs.attrs");
+ CMS.debug("CMSEngine: initSubsystem: excludedLdapAttrs.attrs =" + unparsedExcludedLdapAttrs);
+ } catch (Exception e) {
+ CMS.debug("CMSEngine: initSubsystem: excludedLdapAttrs.attrs unspecified, taking default");
+ }
+ if (!unparsedExcludedLdapAttrs.equals("")) {
+ excludedLdapAttrsList = Arrays.asList(unparsedExcludedLdapAttrs.split(","));
+ // overwrites the default
+ //excludedLdapAttrSet = new HashSet(excludedLdapAttrsList);
+ }
+ } else {
+ CMS.debug("CMSEngine: initSubsystem: excludedLdapAttrs.enabled: false");
+ }
+ }
}
+ public boolean isExcludedLdapAttrsEnabled() {
+ return mExcludedLdapAttrsEnabled;
+ }
+
+ public boolean isExcludedLdapAttr(String key) {
+ if (isExcludedLdapAttrsEnabled()) {
+ return excludedLdapAttrsList.contains(key);
+ } else {
+ return false;
+ }
+ }
+
+ // default for excludedLdapAttrs.enabled == false
+ // can be overwritten with excludedLdapAttrs.attrs
+ public List<String> excludedLdapAttrsList = new ArrayList<String>();
+
+ public static String excludedLdapAttrs[] = {
+ "req_x509info",
+ "publickey",
+ "req_extensions",
+ "cert_request",
+ "req_archive_options",
+ "req_key"
+ };
+
/**
* sign some known data to determine if signing key is botched;
* if so, proceed to graceful shutdown
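Review bot: `excludedLdapAttrsList` and the static `excludedLdapAttrs[]` are public and mutable, so any class can change which attributes are dropped from request records after init; since all reads go through `isExcludedLdapAttr`, they can be `private static final String[]` and `private List<String>`, and the field declarations belong with the other fields rather than between methods. The `excludedLdapAttrs.attrs` parsing splits on "," without trimming, so a value written as `publickey, req_key` yields the entry `" req_key"`, which never matches a key; `excludedLdapAttrsList = Arrays.asList(unparsedExcludedLdapAttrs.trim().split("\\s*,\\s*"));` fixes that. An explicitly empty `excludedLdapAttrs.attrs` silently keeps the default while the missing-key case logs "taking default"; a comment or a matching debug line would make the two paths consistent. The static `CMS.isExcludedLdapAttr` wrapper that RequestRecord calls is not in this diffstat (limited to base/server), presumably in a companion change.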
@@ -2299,6 +2356,25 @@ public class CMSEngine implements ICMSEngine {
public String getServerStatus() {
return serverStatus;
}
+
+ // for debug only
+ public void sleepOneMinute() {
+ boolean debugSleep = false;
+ try {
+ debugSleep = mConfig.getBoolean("debug.sleepOneMinute", false);
+ } catch (Exception e) {
+ }
+
+ /* debugSleep: sleep for one minute to check request on ldap*/
+ if (debugSleep == true) {
+ CMS.debug("debugSleep: about to sleep for one minute; check ldap");
+ try {
+ Thread.sleep(60000);
+ } catch (InterruptedException e) {
+ CMS.debug("debugSleep: sleep out:" + e.toString());
+ }
+ }
+ }
}
class WarningListener implements ILogEventListener {
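Review bot: sleepOneMinute catches InterruptedException and only logs it, so a shutdown that interrupts this thread loses the interrupt status; add `Thread.currentThread().interrupt();` in the catch. The empty `catch (Exception e) { }` around the config read also hides a malformed `debug.sleepOneMinute` value; logging it like the other config reads in this class do would be consistent. Since this debug-only aid appears to be exposed through ICMSEngine (judging by the @Override added in CMSEngineDefaultStub), a Javadoc stating that it is a no-op unless `debug.sleepOneMinute=true` would keep it from being called on production paths by mistake.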
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
index a6e454dd1..8e01290cf 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
@@ -49,6 +49,8 @@ import com.netscape.cmscore.dbs.BigIntegerMapper;
import com.netscape.cmscore.dbs.DateMapper;
import com.netscape.cmscore.dbs.StringMapper;
import com.netscape.cmscore.util.Debug;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X509CertInfo;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -243,11 +245,42 @@ public class RequestRecord
protected static Hashtable<String, Object> loadExtDataFromRequest(IRequest r) throws EBaseException {
Hashtable<String, Object> h = new Hashtable<String, Object>();
-
+ String reqType = r.getExtDataInString("cert_request_type");
+ if (reqType == null || reqType.equals("")) {
+ // where CMC puts it
+ reqType = r.getExtDataInString("auth_token.cert_request_type");
+ }
Enumeration<String> e = r.getExtDataKeys();
while (e.hasMoreElements()) {
String key = e.nextElement();
if (r.isSimpleExtDataValue(key)) {
+ if (key.equals("req_x509info")) {
+ // extract subjectName if possible here
+ // if already there, skip it
+ String subjectName = r.getExtDataInString("req_subject_name");
+ if (subjectName == null || subjectName.equals("")) {
+ X509CertInfo info = r.getExtDataInCertInfo(IRequest.CERT_INFO);
+ CMS.debug("RequestRecord.loadExtDataFromRequest: missing subject name. Processing extracting subjectName from req_x509info");
+ try {
+ CertificateSubjectName subjName = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
+ if (subjName != null) {
+ CMS.debug("RequestRecord.loadExtDataFromRequest: got subjName");
+ h.put("req_subject_name", subjName.toString());
+ }
+ } catch (Exception es) {
+ //if failed, then no other way to get subject name.
+ //so be it
+ }
+ }/* else { //this is the common case
+ CMS.debug("RequestRecord.loadExtDataFromRequest: subject name already exists, no action needed");
+ }*/
+ }
+ if (reqType != null &&
+ (reqType.equals("crmf") || reqType.equals("cmc-crmf")) &&
+ CMS.isExcludedLdapAttr(key)) {
+ //CMS.debug("RequestRecord.loadExtDataFromRequest: found excluded attr; key=" + key);
+ continue;
+ }
h.put(key, r.getExtDataInString(key));
} else {
h.put(key, r.getExtDataInHashtable(key));
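Review bot: When `req_x509info` is present but `getExtDataInCertInfo(IRequest.CERT_INFO)` returns null (the same condition the new guard in AuthorityKeyIdentifierExtDefault handles), `info.get(...)` throws a NullPointerException that the empty `catch (Exception es)` swallows, so the fallback fails without any trace; a null check with a debug line, `if (info == null) { CMS.debug("RequestRecord.loadExtDataFromRequest: req_x509info not decodable as X509CertInfo"); }`, is clearer than relying on the catch. The value stored here, `subjName.toString()`, is a display string, which does not match the base64-DER form that the new decode in CertReqParser.fillRequestIntoArg applies to the same `req_subject_name` key; one representation should be chosen for both. The comment on the exclusion `continue` should say why only `crmf`/`cmc-crmf` requests are stripped (presumably PKCS10 records still need these attributes later — confirm), since that is the one non-obvious rule in the hunk.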
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index 2b85eacac..d2b7fe8b7 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -639,4 +639,18 @@ public class CMSEngineDefaultStub implements ICMSEngine {
public String getServerStatus() {
return null;
}
+
+ @Override
+ public void sleepOneMinute() {
+ }
+
+ @Override
+ public boolean isExcludedLdapAttrsEnabled() {
+ return true;
+ }
+
+ @Override
+ public boolean isExcludedLdapAttr(String key) {
+ return false;
+ }
}
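Review bot: The stub reports `isExcludedLdapAttrsEnabled()` as true while `isExcludedLdapAttr()` always returns false, a combination the real CMSEngine cannot produce, so tests run against it exercise a state that does not exist; returning false from both, or a fixed list from the second, keeps the stub faithful. The class starts outside the hunk.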