summaryrefslogtreecommitdiffstats
path: root/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
diff options
context:
space:
mode:
Diffstat (limited to 'base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java114
1 files changed, 62 insertions, 52 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 31d3eedad..af3e92e08 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,11 +15,6 @@ import java.util.Map;
import java.util.Random;
import java.util.zip.DataFormatException;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -35,13 +30,13 @@ import org.dogtagpki.server.tps.cms.KRARecoverKeyResponse;
import org.dogtagpki.server.tps.cms.KRAServerSideKeyGenResponse;
import org.dogtagpki.server.tps.dbs.ActivityDatabase;
import org.dogtagpki.server.tps.dbs.TPSCertRecord;
+import org.dogtagpki.server.tps.dbs.TokenCertStatus;
import org.dogtagpki.server.tps.dbs.TokenRecord;
import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.server.tps.engine.TPSEngine.ENROLL_MODES;
import org.dogtagpki.server.tps.main.AttributeSpec;
import org.dogtagpki.server.tps.main.ExternalRegAttrs;
import org.dogtagpki.server.tps.main.ExternalRegCertToRecover;
-import org.dogtagpki.server.tps.main.ExternalRegCertToRecover.CertStatus;
import org.dogtagpki.server.tps.main.ObjectSpec;
import org.dogtagpki.server.tps.main.PKCS11Obj;
import org.dogtagpki.server.tps.mapping.BaseMappingResolver;
@@ -58,8 +53,6 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -67,6 +60,13 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
public class TPSEnrollProcessor extends TPSProcessor {
public TPSEnrollProcessor(TPSSession session) {
@@ -543,6 +543,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
statusUpdate(99, "PROGRESS_SET_LIFECYCLE");
channel.setLifeycleState((byte) 0x0f);
+
//update the tokendb with new certs
CMS.debug(method + " updating tokendb with certs.");
try {
@@ -555,10 +556,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
CMS.debug(method + " adding certs to token with tdbAddCertificatesForCUID...");
ArrayList<TPSCertRecord> certRecords = certsInfo.toTPSCertRecords(tokenRecord.getId(), tokenRecord.getUserID());
- if (isExternalReg)
- tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords, erAttrs);
- else
- tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
+ tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
logMsg = "appletVersion=" + lastObjVer + "; tokenType =" + selectedTokenType + "; userid =" + userid;
@@ -1250,27 +1248,16 @@ public class TPSEnrollProcessor extends TPSProcessor {
return TPSStatus.STATUS_ERROR_RECOVERY_FAILED;
}
- if (certResp.isCertRevoked()) {
- CMS.debug(method + " cert revoked");
- if (!allowRecoverInvalidCert()) {
- logMsg = "revoked cert not allowed on token per policy;";
- CMS.debug(method + logMsg);
- return TPSStatus.STATUS_ERROR_RECOVERY_FAILED;
- }
- erCert.setCertStatus(CertStatus.REVOKED);
- CMS.debug(method + " erCert status =" + erCert.getCertStatus());
- } else {
- CMS.debug(method + " cert not revoked ");
- erCert.setCertStatus(CertStatus.ACTIVE);
-
- // check if expired or not yet valid
- if (!certResp.isCertValid()) {
- logMsg = "cert expired or not yet valid";
- CMS.debug(logMsg);
- erCert.setCertStatus(CertStatus.EXPIRED); // it could be not yet valid
- }
+ TokenCertStatus recoveredCertStatus = getRetrievedCertStatus(certResp);
+ if ((recoveredCertStatus != TokenCertStatus.ACTIVE) &&
+ !allowRecoverInvalidCert()) {
+ logMsg = "invalid cert not allowed on token per policy; serial=" + serial.toString() + "; cert status=" + recoveredCertStatus.toString();
+ CMS.debug(method + logMsg);
+ return TPSStatus.STATUS_ERROR_RECOVERY_FAILED;
}
+ certsInfo.addCertStatus(recoveredCertStatus);
+
// default: externalReg.recover.byKeyID=false
String b64cert = null;
if (getExternalRegRecoverByKeyID() == false) {
@@ -1364,8 +1351,6 @@ public class TPSEnrollProcessor extends TPSProcessor {
int newCertId = pkcs11obj.getNextFreeCertIdNumber();
certsInfo.setCurrentCertIndex(i);
- //certsInfo.setCurrentCertIndex(i);
-
CMS.debug(method + "before calling generateCertificate, certsInfo.getCurrentCertIndex() ="
+ certsInfo.getCurrentCertIndex());
generateCertificate(certsInfo, channel, appletInfo,
@@ -1946,7 +1931,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
actualCertIndex, cEnrollInfo);
// unrevoke cert if needed
- if (certToRecover.getStatus().equalsIgnoreCase("revoked_on_hold")) {
+ if (certToRecover.getStatus().equalsIgnoreCase(TokenCertStatus.ONHOLD.toString())) {
logMsg = "unrevoking cert...";
CMS.debug(method + ":" + logMsg);
@@ -1961,7 +1946,8 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug(method + ": response status =" + response.getStatus());
auditRevoke(certToRecover.getTokenID(), false /*off-hold*/, -1 /*na*/,
String.valueOf(response.getStatus()), serialToRecover, caConnId, null);
-
+ // successful unrevoke should mark the cert "active"
+ certsInfo.addCertStatus(TokenCertStatus.ACTIVE);
} catch (EBaseException e) {
logMsg = "failed getting CARemoteRequestHandler";
CMS.debug(method + ":" + logMsg);
@@ -1970,17 +1956,6 @@ public class TPSEnrollProcessor extends TPSProcessor {
throw new TPSException(method + ":" + logMsg, TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
}
}
-
- try {
- // set cert status to active
- tps.tdb.updateCertsStatus(certToRecover.getSerialNumber(),
- certToRecover.getIssuedBy(),
- "active");
- } catch (Exception e) {
- logMsg = "failed tdbUpdateCertEntry";
- CMS.debug(method + ":" + logMsg);
- throw new TPSException(method + ":" + logMsg, TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
- }
} else {
}
@@ -2020,7 +1995,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
certsInfo.setNumCertsToEnroll(keyTypeNum);
- CMS.debug("TPSEnrollProcessor.generateCertificate: Number of certs to enroll: " + keyTypeNum);
+ CMS.debug("TPSEnrollProcessor.generateCertificates: Number of certs to enroll: " + keyTypeNum);
for (int i = 0; i < keyTypeNum; i++) {
String keyType = getConfiguredKeyType(i);
@@ -2477,6 +2452,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
// enrollment/recovery begins
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: enrollment begins");
X509CertImpl x509Cert = null;
+ TokenCertStatus certStatus = TokenCertStatus.ACTIVE; // track cert status
byte[] cert_bytes = null;
try {
@@ -2613,14 +2589,14 @@ public class TPSEnrollProcessor extends TPSProcessor {
cert_bytes = Utils.base64decode(retCertB64);
- TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
+ //TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
//CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + cert_bytes_buf.toHexString());
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64 base64decode done");
x509Cert = caEnrollResp.getCert();
- if (x509Cert != null)
+ if (x509Cert != null) {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert retrieved");
- else {
+ } else {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert not found");
throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert not found",
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
@@ -2660,14 +2636,16 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: recovering: retCertB64 retrieved from certResp");
cert_bytes = Utils.base64decode(retCertB64);
- TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: recovering: retCertB64 base64decode done");
+ //TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
//CMS.debug("TPSEnrollProcessor.enrollOneCertificate: recovering: retCertB64: "
// + cert_bytes_buf.toHexString());
x509Cert = certResp.getCert();
if (x509Cert != null) {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: recovering new cert retrieved");
+ // recovered cert might have different status
+ certStatus = getRetrievedCertStatus(certResp);
auditEnrollment(userid, "retrieval", aInfo, "success",
channel.getKeyInfoData().toHexStringPlain(), x509Cert.getSerialNumber(),
certResp.getConnID(), null);
@@ -2713,8 +2691,8 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
cert_bytes = Utils.base64decode(retCertB64);
- TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: renewing: retCertB64 base64decode done");
+ //TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
//CMS.debug("TPSEnrollProcessor.enrollOneCertificate: renewing: retCertB64: "
// + cert_bytes_buf.toHexString());
@@ -2758,6 +2736,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
certsInfo.addOrigin(aInfo.getCUIDhexStringPlain());
}
+ certsInfo.addCertStatus(certStatus);
certsInfo.addTokenType(selectedTokenType);
SubjectPublicKeyInfo publicKeyInfo = null;
@@ -2892,6 +2871,37 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
+ /*
+ * getRetrievedCertStatus
+ * @returns TokenCertStatus certificate status of the cert retrieved in certResponse
+ */
+ TokenCertStatus getRetrievedCertStatus(CARetrieveCertResponse certResponse)
+ throws TPSException {
+ String method = "TPSEnrollProcessor.getRetrievedCertStatus";
+ CMS.debug(method + " begins");
+ if (certResponse == null) {
+ throw new TPSException(
+ "TPSEnrollProcessor.getRetrievedCertStatus: invalid input data! certResponse cannot be null",
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
+ TokenCertStatus ret = TokenCertStatus.ACTIVE;
+ if (!certResponse.isCertValid()) {
+ CMS.debug(method + ": cert expired");
+ ret = TokenCertStatus.EXPIRED;
+ }
+ //This would overwrite the "EXPIRED" status,
+ //but "REVOKED" would be a more serious invalid status
+ if (certResponse.isCertRevoked()) {
+ String revReason = certResponse.getRevocationReason();
+ CMS.debug(method + ": cert revoked; reason=" + revReason);
+ if (RevocationReason.fromInt(Integer.parseInt(revReason)) == RevocationReason.CERTIFICATE_HOLD)
+ ret = TokenCertStatus.ONHOLD;
+ else
+ ret = TokenCertStatus.REVOKED;
+ }
+ return ret;
+ }
+
private void importPrivateKeyPKCS8(KRARecoverKeyResponse keyResp, CertEnrollInfo cEnrollInfo,
SecureChannel channel,
boolean isECC) throws TPSException, IOException {
generated by cgit (git 2.34.1) at 2024-09-26 06:32:37 +0000