Diffstat (limited to 'base/tps/src/org')
9 files changed, 1104 insertions, 159 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSSession.java b/base/tps/src/org/dogtagpki/server/tps/TPSSession.java
index 4a175e698..6f175e207 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSSession.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSSession.java
@@ -20,6 +20,7 @@ package org.dogtagpki.server.tps;
 import java.io.IOException;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
+import org.dogtagpki.server.tps.main.ExternalRegAttrs;
 import org.dogtagpki.server.tps.processor.TPSEnrollProcessor;
 import org.dogtagpki.server.tps.processor.TPSPinResetProcessor;
 import org.dogtagpki.server.tps.processor.TPSProcessor;
@@ -37,6 +38,8 @@ public class TPSSession {
 private String ipAddress; /* remote IP */
 private TokenRecord tokenRecord;
+ private ExternalRegAttrs extRegAttrs;
+
 public TPSSession(TPSConnection conn, String ip) {
 if (conn == null) {
@@ -171,4 +174,11 @@ public class TPSSession {
 this.ipAddress = ipAddress;
 }
+ public void setExternalRegAttrs(ExternalRegAttrs erAttrs) {
+ extRegAttrs = erAttrs;
+ }
+
+ public ExternalRegAttrs getExternalRegAttrs() {
+ return extRegAttrs;
+ }
 }
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index 5851d2f69..5e2bfc724 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
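Review bot: The new `extRegAttrs` field carries no comment, while the neighbouring field in the same hunk is annotated (`private String ipAddress; /* remote IP */`); add `private ExternalRegAttrs extRegAttrs; /* externalReg attributes of the registered user, stored by TPSEnrollProcessor */` and a one-line Javadoc on getExternalRegAttrs stating that it returns null until setExternalRegAttrs has been called. Setter and getter are otherwise fine.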
@@ -77,6 +77,21 @@ public class CARemoteRequestHandler extends RemoteRequestHandler String tokenType, String keyType) throws EBaseException { + return enrollCertificate(pubKeybuf, uid, null /*subjectdn*/, + 0/*sanNum*/, null /*urlSANext*/, + cuid, tokenType, keyType); + } + + public CAEnrollCertResponse enrollCertificate( + TPSBuffer pubKeybuf, + String uid, + String subjectdn, + int sanNum, + String urlSANext, + String cuid, + String tokenType, + String keyType) + throws EBaseException { CMS.debug("CARemoteRequestHandler: enrollCertificate(): begins."); if (pubKeybuf == null || uid == null || cuid == null) { 
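Review bot: The new eight-argument enrollCertificate overload has no Javadoc, and neither the meaning of sanNum nor the expected form of urlSANext is stated anywhere in the hunk. In the hunk that follows, sanNum is only ever compared with 0, so it acts as a presence flag rather than a count, and urlSANext is appended to the request verbatim, which suggests it must already be URI-encoded `name=value` text — confirm and document both. I would add a Javadoc block above the signature with `@param subjectdn requested subject DN, or null when none is supplied`, `@param sanNum number of SAN entries; 0 means no SAN extension parameters are sent` and `@param urlSANext SAN extension request parameters, already URI-encoded; ignored when sanNum is 0`. The method body continues in the next hunk.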
@@ -101,18 +116,82 @@ public class CARemoteRequestHandler extends RemoteRequestHandler CMS.debug("CARemoteRequestHandler: enrollCertificate(): uriEncode of pubkey failed: " + e); throw new EBaseException("CARemoteRequestHandler: enrollCertificate(): uriEncode of pubkey failed: " + e); } + String sendMsg = null; + if (subjectdn == null) + CMS.debug("CARemoteRequestHandler: enrollCertificate():subjectdn null"); + if (sanNum == 0) + CMS.debug("CARemoteRequestHandler: enrollCertificate():sanNum 0"); + if (subjectdn == null && sanNum == 0) { + sendMsg = IRemoteRequest.GET_XML + "=" + + true + + "&" + IRemoteRequest.TOKEN_CUID + "=" + + cuid + + "&" + IRemoteRequest.CA_ENROLL_screenname + "=" + + uid + + "&" + IRemoteRequest.CA_ENROLL_publickey + "=" + + encodedPubKey + + "&" + IRemoteRequest.CA_ProfileId + "=" + + profileId; + } else { + CMS.debug("CARemoteRequestHandler: enrollCertificate(): before send() with subjectdn and/or url_SAN_ext"); + if (subjectdn != null && sanNum == 0) { + try { + String urlSubjectdn = Util.uriEncode(subjectdn); + sendMsg = IRemoteRequest.GET_XML + "=" + + true + + "&" + IRemoteRequest.TOKEN_CUID + "=" + + cuid + + "&" + IRemoteRequest.CA_ENROLL_screenname + "=" + + uid + + "&" + IRemoteRequest.CA_ENROLL_publickey + "=" + + encodedPubKey + + "&" + IRemoteRequest.CA_ProfileId + "=" + + profileId + + "&" + IRemoteRequest.CA_ENROLL_subjectdn + "=" + + urlSubjectdn; + } catch (Exception e) { + CMS.debug("CARemoteRequestHandler: enrollCertificate(): uriEncode of pubkey failed: " + e); + throw new EBaseException( + "CARemoteRequestHandler: enrollCertificate(): uriEncode of subjectdn failed: " + e); + } + } else if (subjectdn == null && sanNum != 0) { + sendMsg = IRemoteRequest.GET_XML + "=" + + true + + "&" + IRemoteRequest.TOKEN_CUID + "=" + + cuid + + "&" + IRemoteRequest.CA_ENROLL_screenname + "=" + + uid + + "&" + IRemoteRequest.CA_ENROLL_publickey + "=" + + encodedPubKey + + "&" + IRemoteRequest.CA_ProfileId + "=" + + profileId + + "&" + 
urlSANext; + } else if (subjectdn != null && sanNum != 0) { + try { + String urlSubjectdn = Util.uriEncode(subjectdn); + sendMsg = IRemoteRequest.GET_XML + "=" + + true + + "&" + IRemoteRequest.TOKEN_CUID + "=" + + cuid + + "&" + IRemoteRequest.CA_ENROLL_screenname + "=" + + uid + + "&" + IRemoteRequest.CA_ENROLL_publickey + "=" + + encodedPubKey + + "&" + IRemoteRequest.CA_ProfileId + "=" + + profileId + + "&" + IRemoteRequest.CA_ENROLL_subjectdn + "=" + + urlSubjectdn + + "&" + urlSANext; + } catch (Exception e) { + CMS.debug("CARemoteRequestHandler: enrollCertificate(): uriEncode of pubkey failed: " + e); + throw new EBaseException( + "CARemoteRequestHandler: enrollCertificate(): uriEncode of subjectdn failed: " + e); + } + } + } + CMS.debug("CARemoteRequestHandler: enrollCertificate(): sendMsg =" + sendMsg); HttpResponse resp = - conn.send("enrollment", - IRemoteRequest.GET_XML + "=" + - true + - "&" + IRemoteRequest.TOKEN_CUID + "=" + - cuid + - "&" + IRemoteRequest.CA_ENROLL_screenname + "=" + - uid + - "&" + IRemoteRequest.CA_ENROLL_publickey + "=" + - encodedPubKey + - "&" + IRemoteRequest.CA_ProfileId + "=" + - profileId); + conn.send("enrollment", sendMsg); String content = resp.getContent(); @@ -215,7 +294,6 @@ public class CARemoteRequestHandler extends RemoteRequestHandler String servlet = conf.getString(configName, "/ca/ee/ca/displayBySerial"); */ - TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = @@ -404,7 +482,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler RevocationReason reason) throws EBaseException { - CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins on serial#:"+ serialno); + CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins on serial#:" + serialno); if (serialno == null || reason == null) { throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): input parameter null."); } 
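Review bot: In the sendMsg construction, `urlSANext` is concatenated into the request verbatim in the two `sanNum != 0` branches while `subjectdn` goes through Util.uriEncode, and when sanNum is non-zero but urlSANext is null the request ends in the literal text `&null`; either reject that combination or document that the caller must pass already URI-encoded `name=value` text. Both new catch blocks log "uriEncode of pubkey failed" although the encoding that failed is the subject DN's (the EBaseException thrown right after already says so), which will mislead whoever reads the debug log. The four near-identical branches can be collapsed into one base string plus two conditional appends, which also removes the duplicated catch block; the rewrite below keeps the same `conn.send("enrollment", sendMsg)` call. enrollCertificate begins before this hunk and continues after it.
```java
        String sendMsg = IRemoteRequest.GET_XML + "=" +
                true +
                "&" + IRemoteRequest.TOKEN_CUID + "=" +
                cuid +
                "&" + IRemoteRequest.CA_ENROLL_screenname + "=" +
                uid +
                "&" + IRemoteRequest.CA_ENROLL_publickey + "=" +
                encodedPubKey +
                "&" + IRemoteRequest.CA_ProfileId + "=" +
                profileId;
        if (subjectdn != null) {
            try {
                sendMsg += "&" + IRemoteRequest.CA_ENROLL_subjectdn + "=" + Util.uriEncode(subjectdn);
            } catch (Exception e) {
                CMS.debug("CARemoteRequestHandler: enrollCertificate(): uriEncode of subjectdn failed: " + e);
                throw new EBaseException(
                        "CARemoteRequestHandler: enrollCertificate(): uriEncode of subjectdn failed: " + e);
            }
        }
        if (sanNum != 0) {
            if (urlSANext == null) {
                throw new EBaseException(
                        "CARemoteRequestHandler: enrollCertificate(): sanNum != 0 but urlSANext is null.");
            }
            // urlSANext is expected to be already URI-encoded name=value text
            sendMsg += "&" + urlSANext;
        }
        // … unchanged: debug of sendMsg, conn.send("enrollment", sendMsg), response handling …
```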
@@ -473,7 +551,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler String serialno) throws EBaseException { - CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): begins on serial#:"+ serialno); + CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): begins on serial#:" + serialno); if (serialno == null) { throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate(): input parameter null."); } @@ -554,7 +632,6 @@ public class CARemoteRequestHandler extends RemoteRequestHandler return revokeFromOtherCA(revoke, cert.getSerialNumber().toString(), certAkiString, reason); } - private CARevokeCertResponse revokeFromOtherCA( boolean revoke, // true==revoke; false==unrevoke String serialno, @@ -562,7 +639,6 @@ public class CARemoteRequestHandler extends RemoteRequestHandler RevocationReason reason) throws EBaseException { - CMS.debug("CARemoteRequestHandler: revokeFromOtherCA: begins"); TPSSubsystem subsystem = @@ -673,8 +749,6 @@ public class CARemoteRequestHandler extends RemoteRequestHandler return caSkiString; } - - /** * revokeCertificate() supports revocation routing by providing * CA discovery. When needed, it searchs through all listed ca diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java index 87388ff99..aea41a29c 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java 
@@ -94,19 +94,19 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler } request = IRemoteRequest.KRA_KEYGEN_Archive + "=" + - archive + - "&" + IRemoteRequest.TOKEN_CUID + "=" + - cuid + - "&" + IRemoteRequest.KRA_UserId + "=" + - userid + - "&" + IRemoteRequest.KRA_KEYGEN_KeyType + "=" + - "EC" + - "&" + IRemoteRequest.KRA_KEYGEN_EC_KeyCurve + "=" + - eckeycurve + - "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + - sDesKey; - - CMS.debug("KRARemoteRequestHandler: outgoing request for ECC: " + request); + archive + + "&" + IRemoteRequest.TOKEN_CUID + "=" + + cuid + + "&" + IRemoteRequest.KRA_UserId + "=" + + userid + + "&" + IRemoteRequest.KRA_KEYGEN_KeyType + "=" + + "EC" + + "&" + IRemoteRequest.KRA_KEYGEN_EC_KeyCurve + "=" + + eckeycurve + + "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + + sDesKey; + + CMS.debug("KRARemoteRequestHandler: outgoing request for ECC: " + request); resp = conn.send("GenerateKeyPair", @@ -136,8 +136,9 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler //For some reason the send method can return null and not throw an exception. // Check here; - if(resp == null) { - throw new EBaseException("KRARemoteRequestHandler: serverSideKeyGen(): No response object returned from connection."); + if (resp == null) { + throw new EBaseException( + "KRARemoteRequestHandler: serverSideKeyGen(): No response object returned from connection."); } String content = resp.getContent(); @@ -155,7 +156,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler Integer ist = new Integer(IRemoteRequest.RESPONSE_STATUS_NOT_FOUND); String value = (String) response.get(IRemoteRequest.RESPONSE_STATUS); - if(value == null) { + if (value == null) { throw new EBaseException("KRARemoteRequestHandler: serverSideKeyGen(): Invalide status returned!"); } diff --git a/base/tps/src/org/dogtagpki/server/tps/dbs/ActivityDatabase.java b/base/tps/src/org/dogtagpki/server/tps/dbs/ActivityDatabase.java index 9b4a4b28d..4eb3e11e7 100644 
--- a/base/tps/src/org/dogtagpki/server/tps/dbs/ActivityDatabase.java
+++ b/base/tps/src/org/dogtagpki/server/tps/dbs/ActivityDatabase.java
@@ -41,6 +41,7 @@ public class ActivityDatabase extends LDAPDatabase<ActivityRecord> {
 public final static String OP_DELETE = "delete"; // delete a token
 //public final static String OP_MODIFY_AUDIT_SIGNING = "modify_audit_signing";
 public final static String OP_ENROLLMENT = "enrollment";
+ public final static String OP_RECOVERY = "recovery";
 public final static String OP_RENEWAL = "renewal";
 public final static String OP_PIN_RESET = "pin_reset";
 public final static String OP_FORMAT = "format";
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index 8783e48ef..9221d1ba0 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -152,6 +152,7 @@ public class TPSEngine {
 /* External reg values */
 public static final String CFG_EXTERNAL_REG = "externalReg";
+ public static final String CFG_ER_DELEGATION = "delegation";
 /* misc values */
diff --git a/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegAttrs.java b/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegAttrs.java
new file mode 100644
index 000000000..2c85fefec
--- /dev/null
+++ b/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegAttrs.java
@@ -0,0 +1,107 @@ +package org.dogtagpki.server.tps.main; + +import java.util.ArrayList; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import org.dogtagpki.server.tps.engine.TPSEngine; + +public class ExternalRegAttrs { + public String ldapAttrNameTokenType; + public String ldapAttrNameTokenCUID; + public String ldapAttrNameCertsToRecover; + + String tokenCUID; + String tokenType; + String tokenUserId; + String tokenMSN; + + ArrayList<ExternalRegCertToRecover> certsToRecover; + + boolean isDelegation; + + public ExternalRegAttrs(String authId) { + String method = "ExternalRegAttrs"; + IConfigStore configStore = CMS.getConfigStore(); + String configName = null; + + try { + configName = "auths.instance." + authId + ".externalReg.tokenTypeAttributeName"; + CMS.debug(method + ": getting config: " + configName); + ldapAttrNameTokenType = configStore.getString(configName, + "tokenType"); + + configName = "auths.instance." + authId + ".externalReg.cuidAttributeName"; + CMS.debug(method + ": getting config: " + configName); + ldapAttrNameTokenCUID = configStore.getString(configName, + "tokenCUID"); + + configName = "auths.instance." + authId + ".externalReg.certs.recoverAttributeName"; + CMS.debug(method + ": getting config: " + configName); + ldapAttrNameCertsToRecover = configStore.getString(configName, + "certsToRecover"); + + String RH_Delegation_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + + TPSEngine.CFG_ER_DELEGATION + ".enable"; + isDelegation = configStore.getBoolean(RH_Delegation_Cfg, false); + } catch (EBaseException e) { + CMS.debug("ExternalRegAttrs: unable to obtain certain config values. 
Default to be used"); + } + + certsToRecover = new ArrayList<ExternalRegCertToRecover>(); + } + + public void setTokenType(String type) { + tokenType = type; + } + + public String getTokenType() { + return tokenType; + } + + public void setTokenCUID(String cuid) { + tokenCUID = cuid; + } + + public String getTokenCUID() { + return tokenCUID; + } + + public void setTokenUserId(String uid) { + tokenUserId = uid; + } + + public String getTokenUserId() { + return tokenUserId; + } + + public void setTokenMSN(String msn) { + tokenMSN = msn; + } + + public String getTokenMSN() { + return tokenMSN; + } + + public int getCertsToRecoverCount() + { + return certsToRecover.size(); + } + + public void addCertToRecover(ExternalRegCertToRecover cert) + { + certsToRecover.add(cert); + } + + public ArrayList<ExternalRegCertToRecover> getCertsToRecover() { + return certsToRecover; + } + + public void setIsDelegation(boolean isDelegation) { + this.isDelegation = isDelegation; + } + + public boolean getIsDelegation() { + return isDelegation; + } +} diff --git a/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegCertToRecover.java b/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegCertToRecover.java new file mode 100644 index 000000000..69585849b --- /dev/null +++ b/base/tps/src/org/dogtagpki/server/tps/main/ExternalRegCertToRecover.java 
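Review bot: The constructor's catch block logs "unable to obtain certain config values. Default to be used", but on an EBaseException any of `ldapAttrNameTokenType`, `ldapAttrNameTokenCUID` or `ldapAttrNameCertsToRecover` not yet assigned stays null, and the exception itself is not logged. Initialize the three fields with their defaults at declaration — `public String ldapAttrNameTokenType = "tokenType";`, `public String ldapAttrNameTokenCUID = "tokenCUID";`, `public String ldapAttrNameCertsToRecover = "certsToRecover";` — and append `+ e` to the debug message so the failing key is visible. Those three fields are public and mutable and `getCertsToRecover()` hands out the internal ArrayList, so any caller can change the attribute names or the recovery list behind the object's back; private fields with getters and a `Collections.unmodifiableList(certsToRecover)` return (typed as List) would close that. `isDelegation` is read from `externalReg.delegation.enable` and has both a setter and a getter, but nothing in the file says what delegation mode changes; a one-line comment on the field would help.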
@@ -0,0 +1,54 @@
+package org.dogtagpki.server.tps.main;
+
+import java.math.BigInteger;
+
+public class ExternalRegCertToRecover {
+ BigInteger keyid;
+ BigInteger serial;
+ String caConn;
+ String kraConn;
+ boolean ignoreForUpdateCerts;
+
+ public ExternalRegCertToRecover() {
+ }
+
+ public void setKeyid(BigInteger keyid) {
+ this.keyid = keyid;
+ }
+
+ public BigInteger getKeyid() {
+ return keyid;
+ }
+
+ public void setSerial(BigInteger serial) {
+ this.serial = serial;
+ }
+
+ public BigInteger getSerial() {
+ return serial;
+ }
+
+ public void setCaConn(String conn) {
+ caConn = conn;
+ }
+
+ public String getCaConn() {
+ return caConn;
+ }
+
+ public void setKraConn(String conn) {
+ kraConn = conn;
+ }
+
+ public String getKraConn() {
+ return kraConn;
+ }
+
+ public void setIgnoreForUpdateCerts(boolean ignore) {
+ ignoreForUpdateCerts = ignore;
+ }
+
+ public boolean getIgnoreForUpdateCerts() {
+ return ignoreForUpdateCerts;
+ }
+}
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index dde24e496..482236bc3 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -6,6 +6,7 @@ import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Date;
+import java.util.Enumeration;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Random;
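Review bot: The five fields of ExternalRegCertToRecover are package-private and the class has no Javadoc, so nothing explains what `ignoreForUpdateCerts` means for a recovered cert or whether `keyid` and `serial` may be null. Make the fields `private` (the accessors already cover every use) and add a class comment along the lines of `/** One certificate from the externalReg user entry whose key is to be recovered, with the CA and KRA connector ids to use. */`, adjusted to what the fields are actually for. For a boolean the conventional accessor name is `isIgnoreForUpdateCerts()`; if `getIgnoreForUpdateCerts()` is kept, say what the flag controls in its Javadoc.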
@@ -19,6 +20,7 @@ import netscape.security.x509.X509CertImpl; import org.dogtagpki.server.tps.TPSSession; import org.dogtagpki.server.tps.TPSSubsystem; import org.dogtagpki.server.tps.TPSTokenPolicy; +import org.dogtagpki.server.tps.authentication.TPSAuthenticator; import org.dogtagpki.server.tps.channel.SecureChannel; import org.dogtagpki.server.tps.channel.SecureChannel.TokenKeyType; import org.dogtagpki.server.tps.cms.CAEnrollCertResponse; @@ -27,12 +29,15 @@ import org.dogtagpki.server.tps.cms.CARenewCertResponse; import org.dogtagpki.server.tps.cms.CARetrieveCertResponse; import org.dogtagpki.server.tps.cms.CARevokeCertResponse; import org.dogtagpki.server.tps.cms.KRARecoverKeyResponse; +import org.dogtagpki.server.tps.cms.KRARemoteRequestHandler; import org.dogtagpki.server.tps.cms.KRAServerSideKeyGenResponse; import org.dogtagpki.server.tps.dbs.ActivityDatabase; import org.dogtagpki.server.tps.dbs.TPSCertRecord; import org.dogtagpki.server.tps.dbs.TokenRecord; import org.dogtagpki.server.tps.engine.TPSEngine; import org.dogtagpki.server.tps.engine.TPSEngine.ENROLL_MODES; +import org.dogtagpki.server.tps.main.ExternalRegAttrs; +import org.dogtagpki.server.tps.main.ExternalRegCertToRecover; import org.dogtagpki.server.tps.main.ObjectSpec; import org.dogtagpki.server.tps.main.PKCS11Obj; import org.dogtagpki.tps.main.TPSBuffer; @@ -48,6 +53,7 @@ import org.mozilla.jss.pkcs11.PK11RSAPublicKey; import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthCredentials; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; 
@@ -62,6 +68,7 @@ public class TPSEnrollProcessor extends TPSProcessor { @Override public void process(BeginOpMsg beginMsg) throws TPSException, IOException { + if (beginMsg == null) { throw new TPSException("TPSEnrollrocessor.process: invalid input data, not beginMsg provided.", TPSStatus.STATUS_ERROR_CONTACT_ADMIN); @@ -79,6 +86,8 @@ public class TPSEnrollProcessor extends TPSProcessor { String auditMsg = null; TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps); + IConfigStore configStore = CMS.getConfigStore(); + String configName; AppletInfo appletInfo = null; TokenRecord tokenRecord = null; 
@@ -108,18 +117,123 @@ public class TPSEnrollProcessor extends TPSProcessor { } fillTokenRecord(tokenRecord, appletInfo); + String cuid = appletInfo.getCUIDhexStringPlain(); session.setTokenRecord(tokenRecord); + String tokenType = null; + + if (isExternalReg) { + CMS.debug("In TPSEnrollProcessor.enroll isExternalReg: ON"); + /* + * need to reach out to the Registration DB (authid) + * Entire user entry should be retrieved and parsed, if needed + * The following are retrieved, e.g.: + * externalReg.tokenTypeAttributeName=tokenType + * externalReg.certs.recoverAttributeName=certsToRecover + * externalReg.tokenCuidName=userKey + */ + configName = "externalReg.authId"; + String authId; + try { + authId = configStore.getString(configName); + } catch (EBaseException e) { + CMS.debug("TPSEnrollProcessor.enroll: Internal Error obtaining mandatory config values. Error: " + e); + auditMsg = "TPS error getting config values from config store." + e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); - String resolverInstName = getResolverInstanceName(); + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } - String tokenType = null; + /* get user login and password - set in "login" */ + IAuthCredentials userCred; + try { + CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: calling requestUserId"); + TPSAuthenticator userAuth = + getAuthentication(authId); + processAuthentication(TPSEngine.ENROLL_OP, userAuth, cuid, tokenRecord); + } catch (Exception e) { + // all exceptions are considered login failure + CMS.debug("TPSEnrollProcessor.enroll:: authentication exception thrown: " + e); + auditMsg = "ExternalReg authentication failed, status = STATUS_ERROR_LOGIN"; - tokenType = resolveTokenProfile(resolverInstName, appletInfo.getCUIDhexString(), appletInfo.getMSNString(), - appletInfo.getMajorVersion(), appletInfo.getMinorVersion()); - CMS.debug("TPSEnrollProcessor.enroll: 
resolved tokenType: " + tokenType); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, + TPSStatus.STATUS_ERROR_LOGIN); + } + + ExternalRegAttrs erAttrs; + try { + erAttrs = processExternalRegAttrs(authId); + } catch (EBaseException ee) { + auditMsg = "after processExternalRegAttrs: " + ee.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + + /* + * If cuid is provided on the user registration record, then + * we have to compare that with the current token cuid; + * + * If, the cuid is not provided on the user registration record, + * then any token can be used. + */ + if (erAttrs.getTokenCUID() != null) { + CMS.debug("TPSEnrollProcessor.enroll: erAttrs.getTokenCUID()=" + erAttrs.getTokenCUID()); + CMS.debug("TPSEnrollProcessor.enroll: tokenRecord.getId()=" + tokenRecord.getId()); + if (!tokenRecord.getId().equals(erAttrs.getTokenCUID())) { + auditMsg = "isExternalReg: token CUID not matching record:" + erAttrs.getTokenCUID(); + CMS.debug("TPSEnrollProcessor.enroll:" + auditMsg); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_NOT_TOKEN_OWNER); + } + } + + session.setExternalRegAttrs(erAttrs); + if (erAttrs.getTokenType() != null) { + CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to tokenType attribute of user entry:" + + + erAttrs.getTokenType()); + setSelectedTokenType(erAttrs.getTokenType()); + } else { + // get the default externalReg tokenType + configName = "externalReg.default.tokenType"; + CMS.debug("TPSEnrollProcessor.enroll: externalReg user entry does not contain tokenType...setting to config: " + + configName); + try { + tokenType = 
configStore.getString(configName, + "externalRegAddToToken"); + CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to default:" + + tokenType); + setSelectedTokenType(tokenType); + } catch (EBaseException e) { + CMS.debug("TPSEnrollProcessor.enroll: Internal Error obtaining mandatory config values. Error: " + + e); + auditMsg = "TPS error getting config values from config store." + e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + } + } else { + CMS.debug("In TPSEnrollProcessor.enroll isExternalReg: OFF"); + /* + * Note: op.enroll.tokenProfileResolver=none indicates no resolver + * plugin used (tokenType resolved perhaps via authentication) + */ + String resolverInstName = getResolverInstanceName(); + + tokenType = resolveTokenProfile(resolverInstName, appletInfo.getCUIDhexString(), appletInfo.getMSNString(), + appletInfo.getMajorVersion(), appletInfo.getMinorVersion()); + CMS.debug("TPSEnrollProcessor.enroll: resolved tokenType: " + tokenType); + } checkProfileStateOK(); - String cuid = appletInfo.getCUIDhexStringPlain(); boolean do_force_format = false; if (isTokenPresent) { @@ -148,7 +262,8 @@ public class TPSEnrollProcessor extends TPSProcessor { do_force_format = tokenPolicy.isForceTokenFormat(cuid); - if (!tokenPolicy.isAllowdTokenReenroll(cuid) && + if (!isExternalReg && + !tokenPolicy.isAllowdTokenReenroll(cuid) && !tokenPolicy.isAllowdTokenRenew(cuid)) { CMS.debug("TPSEnrollProcessor.enroll: token renewal or reEnroll disallowed "); auditMsg = "Operation renewal or reEnroll for CUID " + cuid + 
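Review bot: In the externalReg branch where the user entry supplies a tokenType, `setSelectedTokenType(erAttrs.getTokenType())` is called but the local `tokenType` is left null, whereas the default-tokenType and non-externalReg branches assign it; add `tokenType = erAttrs.getTokenType();` before that call so later uses of the local agree with the selected type. `IAuthCredentials userCred;` is declared and never used in the hunk and should go, together with its import. The ownership check `tokenRecord.getId().equals(erAttrs.getTokenCUID())` is an exact string comparison; if the registration record's CUID attribute is not guaranteed to be in the same form as the token DB id (case, separators), legitimate owners would be rejected with STATUS_ERROR_NOT_TOKEN_OWNER — confirm the canonical form or normalize both sides before comparing. The comment block lists `externalReg.tokenCuidName=userKey`, while the ExternalRegAttrs constructor added in this commit reads `externalReg.cuidAttributeName`, so the comment looks stale. The process method continues outside the hunk.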
@@ -158,6 +273,9 @@ public class TPSEnrollProcessor extends TPSProcessor { throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_DISABLED_TOKEN); + } else { + auditMsg = "isExternalReg: skip token policy (reenroll, renewal) check"; + CMS.debug("TPSEnrollProcessor.enroll:" + auditMsg); } } else { CMS.debug("TPSEnrollProcessor.enroll: token does not exist"); @@ -165,7 +283,10 @@ public class TPSEnrollProcessor extends TPSProcessor { checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX); } - checkAndAuthenticateUser(appletInfo, tokenType); + + // isExternalReg : user already authenticated earlier + if (!isExternalReg) + checkAndAuthenticateUser(appletInfo, tokenType); if (do_force_format) { CMS.debug("TPSEnrollProcessor.enroll: About to force format first due to policy."); @@ -213,6 +334,8 @@ public class TPSEnrollProcessor extends TPSProcessor { } catch (Exception e) { String failMsg = "add token failure"; auditMsg = failMsg + ":" + e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); throw new TPSException(auditMsg); } } 
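Review bot: The new else branch in the `@@ -158` hunk records the externalReg policy bypass only through CMS.debug; `auditMsg` is assigned but never passed to tps.tdb.tdbActivity, so skipping the reenroll/renewal policy leaves no trace in the activity database although every other policy outcome in this method is recorded there. Either add `tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, "success");` after the debug call, or drop the auditMsg assignment if the bypass is deliberately not audited. The enclosing process method continues outside the hunk.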
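Review bot: `if (!isExternalReg) checkAndAuthenticateUser(appletInfo, tokenType);` in the `@@ -165` hunk is an unbraced if, while the other conditionals in this method use braces; write it as `if (!isExternalReg) {` / `checkAndAuthenticateUser(appletInfo, tokenType);` / `}`. The comment above it, "user already authenticated earlier", holds only for the externalReg path added to process() in this commit, and the comment should say so.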
@@ -227,38 +350,95 @@ public class TPSEnrollProcessor extends TPSProcessor { certsInfo.setEndProgress(90); boolean renewed = false; - TPSStatus status = generateCertsAfterRenewalRecoveryPolicy(certsInfo, channel, appletInfo); + boolean recovered = false; + TPSStatus status = TPSStatus.STATUS_NO_ERROR; + + if (!isExternalReg) { + status = generateCertsAfterRenewalRecoveryPolicy(certsInfo, channel, appletInfo); + } + //most failed would have thrown an exception String statusString = "Unknown"; // gives some meaningful debug message if (status == TPSStatus.STATUS_NO_ERROR) statusString = "Enrollment to follow"; - else if (status == TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED) + else if (status == TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED) { statusString = "Recovery processed"; - else if (status == TPSStatus.STATUS_ERROR_RENEWAL_IS_PROCESSED) + recovered = true; + //TODO: + //tps.tdb.tdbActivity(ActivityDatabase.OP_RECOVERY, tokenRecord, session.getIpAddress(), auditMsg, "success"); + } else if (status == TPSStatus.STATUS_ERROR_RENEWAL_IS_PROCESSED) { statusString = "Renewal processed"; - else { + renewed = true; + //TODO: + //tps.tdb.tdbActivity(ActivityDatabase.OP_RENEWAL, tokenRecord, session.getIpAddress(), auditMsg, "success"); + } else { auditMsg = " generateCertsAfterRenewalRecoveryPolicy returned status=" + status; CMS.debug("TPSEnrollProcessor.enroll:" + auditMsg); + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); throw new TPSException(auditMsg); } - auditMsg = "generateCertsAfterRenewalRecoveryPolicy returns status:" - + EndOpMsg.statusToInt(status) + " : " + statusString; - CMS.debug("TPSEnrollProcessor.enroll: " + auditMsg); + if (!isExternalReg) { + auditMsg = "generateCertsAfterRenewalRecoveryPolicy returns status:" + + EndOpMsg.statusToInt(status) + " : " + statusString; + CMS.debug("TPSEnrollProcessor.enroll: " + auditMsg); + } if (status == TPSStatus.STATUS_NO_ERROR) { if 
(!generateCertificates(certsInfo, channel, appletInfo)) { - CMS.debug("TPSEnrollProcessor.enroll:generateCertificates returned false means some certs failed enrollment; clean up (format) the token"); - format(true /*skipAuth*/); + // in case isExternalReg, leave the token alone, do not format + if (!isExternalReg) { + CMS.debug("TPSEnrollProcessor.enroll:generateCertificates returned false means some certs failed enrollment; clean up (format) the token"); + format(true /*skipAuth*/); + } + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); throw new TPSException("generateCertificates failed"); } else { CMS.debug("TPSEnrollProcessor.enroll:generateCertificates returned true means cert enrollment successful"); + /* + * isExternalReg - + * ?? Renew if token has "RENEW=YES" set by admin + * recovery and delete/revoke happens: + * recover certsToRecover + * delete/revoke certsToDelete + * (per latest design, delete is implied for certs + * not existing in the recover list) + */ + + if (isExternalReg) { + try { + TPSStatus recoverStatus = externalRegRecover(cuid, userid, channel, certsInfo, appletInfo, + tokenRecord); + CMS.debug("TPSEnrollProcessor.enroll: after externalRegRecover status is:" + recoverStatus); + if (recoverStatus == TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED) { + recovered = true; + //TODO: + //tps.tdb.tdbActivity(ActivityDatabase.OP_RECOVERY, tokenRecord, session.getIpAddress(), auditMsg, "success"); + } + } catch (EBaseException e) { + auditMsg = "TPSEnrollProcessor.enroll: externalRegRecover: " + e; + CMS.debug(auditMsg); + tps.tdb.tdbActivity(ActivityDatabase.OP_RECOVERY, tokenRecord, session.getIpAddress(), + auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_BAD_STATUS); + } + } else { + //TODO: + //tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + //"success"); + } } } // at this point, enrollment, 
renewal, or recovery have been processed accordingly; - if (status == TPSStatus.STATUS_ERROR_RENEWAL_IS_PROCESSED && + if (!isExternalReg && + status == TPSStatus.STATUS_ERROR_RENEWAL_IS_PROCESSED && tokenPolicy.isAllowdTokenRenew(cuid)) { renewed = true; CMS.debug("TPSEnrollProcessor.enroll: renewal happened.. "); } + /* * TODO: * find the point to do the following... @@ -306,7 +486,7 @@ public class TPSEnrollProcessor extends TPSProcessor { } catch (Exception e) { String failMsg = "update token failure"; auditMsg = failMsg + ":" + e.toString(); - tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), failMsg, + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, "failure"); throw new TPSException(auditMsg); } @@ -316,7 +496,8 @@ public class TPSEnrollProcessor extends TPSProcessor { // clean up the cert records used to belong to this token in tokendb tps.tdb.tdbRemoveCertificatesByCUID(tokenRecord.getId()); } catch (Exception e) { - auditMsg = "Attempt to clean up record with tdbRemoveCertificatesByCUID failed; token probably clean; continue anyway:" + e; + auditMsg = "Attempt to clean up record with tdbRemoveCertificatesByCUID failed; token probably clean; continue anyway:" + + e; CMS.debug("TPSEnrollProcessor.enroll:" + auditMsg); } CMS.debug("TPSEnrollProcessor.enroll: adding certs to token with tdbAddCertificatesForCUID..."); 
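Review bot: In the `!generateCertificates(...)` branch the new tps.tdb.tdbActivity(..., auditMsg, "failure") call records whatever auditMsg last held — the "returns status" message on the non-externalReg path, and on the externalReg path possibly an earlier or null value, since that path skips the assignment — rather than the failure itself. Set `auditMsg = "generateCertificates failed";` before the tdbActivity call and throw `new TPSException(auditMsg)` so the activity record and the exception agree. The three `//TODO:` blocks of commented-out tdbActivity calls for OP_RECOVERY and OP_RENEWAL are dead code and should be either enabled or tracked elsewhere rather than committed as comments. `recovered` is set in two places in this hunk but not read within it; if nothing later in process() consumes it, remove it. The enclosing process method starts and ends outside the hunk.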
@@ -325,18 +506,38 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.enroll: tokendb updated with certs to the cuid so that it reflects what's on the token"); auditMsg = "appletVersion=" + lastObjVer + "; tokenType =" + selectedTokenType + "; userid =" + userid; - if (renewed) { - tps.tdb.tdbActivity(ActivityDatabase.OP_RENEWAL, tokenRecord, session.getIpAddress(), auditMsg, "success"); - } else { - tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, - "success"); - } + tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditMsg, + "success"); CMS.debug("TPSEnrollProcessor.enroll: leaving ..."); statusUpdate(100, "PROGRESS_DONE_ENROLLMENT"); } +/* + protected void checkIsDelegation() throws TPSException { + String method = "TPSEnrollProcessor.checkIsDelegation:"; + String auditMsg; + + IConfigStore configStore = CMS.getConfigStore(); + CMS.debug(method + "begins"); + String RH_Delegation_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + + TPSEngine.CFG_ER_DELEGATION + ".enable"; + + try { + //These defaults are well known, it is safe to use them. + + this.isDelegation = configStore.getBoolean(RH_Delegation_Cfg, false); + CMS.debug(method + " isDelegation: " + isDelegation); + } catch (EBaseException e1) { + auditMsg = "Internal Error obtaining config values. Error: " + e1; + CMS.debug(method + auditMsg); + throw new TPSException(method + auditMsg); + } + + } +*/ + private void writeFinalPKCS11ObjectToToken(PKCS11Obj pkcs11objx, AppletInfo ainfo, SecureChannel channel) throws TPSException, IOException { if (pkcs11objx == null || ainfo == null || channel == null) { 
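Review bot: The `@@ -325` hunk replaces the `renewed ? OP_RENEWAL : OP_ENROLLMENT` choice with an unconditional OP_ENROLLMENT success record, so a renewal is now logged as an enrollment, and with the OP_RENEWAL/OP_RECOVERY calls elsewhere in this commit left as commented-out TODOs the activity database no longer distinguishes the three outcomes. Keep the distinction, e.g. `String op = recovered ? ActivityDatabase.OP_RECOVERY : (renewed ? ActivityDatabase.OP_RENEWAL : ActivityDatabase.OP_ENROLLMENT);` and pass `op` to tdbActivity, using the `renewed`/`recovered` flags set earlier in process(). The commented-out checkIsDelegation method duplicates the `externalReg.delegation.enable` read that the new ExternalRegAttrs constructor already performs and should be deleted rather than committed as a comment. The enclosing process method starts outside the hunk.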
@@ -482,6 +683,8 @@ public class TPSEnrollProcessor extends TPSProcessor { String auditMsg; final String method = "TPSEnrollProcessor.generateCertsAfterRenewalRecoveryPolicy"; CMS.debug(method + ": begins"); + IConfigStore configStore = CMS.getConfigStore(); + String configName; TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps); @@ -625,8 +828,8 @@ public class TPSEnrollProcessor extends TPSProcessor { // ToDo: This section has not been tested to work.. Make sure this works. - IConfigStore configStore = CMS.getConfigStore(); - String configName = TPSEngine.OP_ENROLL_PREFIX + "." + getSelectedTokenType() + configStore = CMS.getConfigStore(); + configName = TPSEngine.OP_ENROLL_PREFIX + "." + getSelectedTokenType() + ".temporaryToken.tokenType"; try { String tmpTokenType = configStore.getString(configName); 
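Review bot: In the second hunk (`@@ -625`), `configStore = CMS.getConfigStore();` re-fetches a value that the first hunk already assigns at the top of `generateCertsAfterRenewalRecoveryPolicy`, so that line can be dropped and only `configName = ...` kept. The method body continues outside both hunks.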
@@ -657,6 +860,113 @@ public class TPSEnrollProcessor extends TPSProcessor { } /* + * (for isExternalReg) + * externalRegRecover + * reaches out to CA for retrieving cert to recover + * reaches out to KRA for key recovery. + * All the certs to have keys recovered are in + * session.getExternalRegAttrs().getCertsToRecover() + * + * when returned successfully, externalRegCertToRecover should have + * completed externalReg recovery + */ + private TPSStatus externalRegRecover( + String cuid, + String userid, + SecureChannel channel, + EnrolledCertsInfo certsInfo, + AppletInfo appletInfo, + TokenRecord tokenRecord) + throws EBaseException, IOException { + + String method = "TPSEnrollProcessor.externalRegRecover:"; + String auditMsg; + CMS.debug(method + "begins"); + TPSStatus status = TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED; + if (session == null || session.getExternalRegAttrs() == null || + session.getExternalRegAttrs().getCertsToRecover() == null) { + CMS.debug(method + "nothing to recover..."); + } + CMS.debug(method + "number of certs to recover=" + + session.getExternalRegAttrs().getCertsToRecoverCount()); + ArrayList<ExternalRegCertToRecover> erCertsToRecover = + session.getExternalRegAttrs().getCertsToRecover(); + + for (ExternalRegCertToRecover erCert : erCertsToRecover) { + BigInteger keyid = erCert.getKeyid(); + BigInteger serial = erCert.getSerial(); + String caConn = erCert.getCaConn(); + String kraConn = erCert.getKraConn(); + + auditMsg = "ExternalReg cert record: serial=" + + serial.toString(); + + // recover cert + CARemoteRequestHandler caRH = new CARemoteRequestHandler(caConn); + CARetrieveCertResponse certResp = caRH.retrieveCertificate(serial); + if (certResp == null) { + auditMsg = "In recovery mode, CARetieveCertResponse object not found!"; + CMS.debug(method + auditMsg); + return TPSStatus.STATUS_ERROR_RECOVERY_FAILED; + } + + String retCertB64 = certResp.getCertB64(); + CMS.debug(method + "recovering: retCertB64: " + retCertB64); + byte[] 
cert_bytes = Utils.base64decode(retCertB64); + + TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes); + CMS.debug(method + "recovering: retCertB64: " + + cert_bytes_buf.toHexString()); + if (retCertB64 != null) + CMS.debug(method + "recovering: cert b64 =" + retCertB64); + else { + auditMsg = "recovering cert b64 not found"; + CMS.debug(method + auditMsg); + return TPSStatus.STATUS_ERROR_RECOVERY_FAILED; + } + + // recover keys + KRARecoverKeyResponse keyResp = null; + if (kraConn != null) { + auditMsg = "kraConn not null"; + CMS.debug(method + auditMsg); + KRARemoteRequestHandler kraRH = new KRARemoteRequestHandler(kraConn); + if (channel.getDRMWrappedDesKey() == null) { + auditMsg = "channel.getDRMWrappedDesKey() null"; + CMS.debug(method + auditMsg); + return TPSStatus.STATUS_ERROR_RECOVERY_FAILED; + } else { + auditMsg = "channel.getDRMWrappedDesKey() not null"; + CMS.debug(method + auditMsg); + } + keyResp = kraRH.recoverKey(cuid, userid, Util.specialURLEncode(channel.getDRMWrappedDesKey()), + Util.uriEncode(retCertB64)); + if (keyResp == null) { + auditMsg = "recovering key not found"; + CMS.debug(method + auditMsg); + return TPSStatus.STATUS_ERROR_RECOVERY_FAILED; + } + } + + CertEnrollInfo cEnrollInfo = new CertEnrollInfo(); + + cEnrollInfo.setTokenToBeRecovered(tokenRecord); + cEnrollInfo.setRecoveredCertData(certResp); + cEnrollInfo.setRecoveredKeyData(keyResp); + + generateCertificate(certsInfo, channel, appletInfo, + "encryption", + TPSEngine.ENROLL_MODES.MODE_RECOVERY, + certsInfo.getCurrentCertIndex() + 1, cEnrollInfo); + + CMS.debug(method + "after generateCertificate() with MODE_RECOVERY"); + } + + CMS.debug(method + "ends"); + return status; + } + + /* * Renewal logic * 1. Create Optional local TPS grace period per token profile, * per token type, such as signing or encryption. 
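Review bot: The guard at the top of `externalRegRecover` only logs "nothing to recover..." and then falls through to `session.getExternalRegAttrs().getCertsToRecoverCount()`, dereferencing exactly what it just found to be null; the branch needs `return status;` (or a dedicated status value) after the debug line. Likewise `Utils.base64decode(retCertB64)` runs before the `if (retCertB64 != null)` check, so a CA response without a cert body fails with an unchecked exception instead of reaching the `STATUS_ERROR_RECOVERY_FAILED` path — move the null check ahead of the decode. `keyid` is read from the record but never used, and `status` is never changed after initialization, so the per-cert loop cannot report partial success to its caller. Logging the full certificate twice at debug level (base64 and hex) is noise; one form is enough.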
@@ -1077,7 +1387,8 @@ public class TPSEnrollProcessor extends TPSProcessor { if (serialToRecover != null) { // get recovery conn id String caConnId; - String config = "op.enroll." + certToRecover.getType() + ".keyGen." + certToRecover.getKeyType() + ".ca.conn"; + String config = "op.enroll." + certToRecover.getType() + ".keyGen." + certToRecover.getKeyType() + + ".ca.conn"; try { caConnId = configStore.getString(config); } catch (Exception e) { @@ -1170,6 +1481,12 @@ public class TPSEnrollProcessor extends TPSProcessor { int keyTypeNum = getNumberCertsToEnroll(); + if (isExternalReg && keyTypeNum == 0) { + CMS.debug("TPSEnrollProcess.generateCertificates: isExternalReg with tokenType:" + selectedTokenType + + "; no certs to enroll per configuration"); + return noFailedCerts; + } + certsInfo.setNumCertsToEnroll(keyTypeNum); CMS.debug("TPSEnrollProcessor.generateCertificate: Number of certs to enroll: " + keyTypeNum); @@ -1254,7 +1571,7 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.generateCertificate: entering ... certIdNumOverride: " + certIdNumOverride + " mode: " + mode); - if (certsInfo == null || aInfo == null || channel == null || aInfo == null) { + if (certsInfo == null || aInfo == null || channel == null) { throw new TPSException("TPSEnrollProcessor.generateCertificate: Bad Input data!", TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU); } 
@@ -1283,8 +1600,13 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.generateCertificate: keyTypePrefix: " + keyTypePrefix); String configName = keyTypePrefix + ".ca.profileId"; - String profileId = configStore.getString(configName); - CMS.debug("TPSEnrollProcessor.generateCertificate: profileId: " + profileId); + String profileId = null; + if (isExternalReg) { + profileId = configStore.getString(configName, "NA"); // if not supplied then does not apply due to recovery + } else { + profileId = configStore.getString(configName); + CMS.debug("TPSEnrollProcessor.generateCertificate: profileId: " + profileId); + } configName = keyTypePrefix + ".certId"; String certId = configStore.getString(configName, "C0"); 
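Review bot: With `isExternalReg`, a missing `<keyTypePrefix>.ca.profileId` now silently becomes the literal string `"NA"`, and nothing in the hunk stops that sentinel from being sent to the CA as a profile id when the external-registration path enrolls (which `getNumberCertsToEnroll` now permits) rather than recovers. Prefer a null default with an explicit check at the point of use, e.g. `profileId = configStore.getString(configName, null); // null: not needed for recovery`, and keep the debug line in both branches. The enclosing `generateCertificate` body starts and ends outside the hunk.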
@@ -1587,9 +1909,116 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: userid =" + userid + ", cuid=" + aInfo.getCUIDhexString()); - CAEnrollCertResponse caEnrollResp = caRH.enrollCertificate(encodedParsedPubKey, userid, - aInfo.getCUIDhexString(), getSelectedTokenType(), - cEnrollInfo.getKeyType()); + + CAEnrollCertResponse caEnrollResp; + if (session.getExternalRegAttrs()!= null && + session.getExternalRegAttrs().getIsDelegation()) { + int sanNum = 0; + String urlSanExt = null; + CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: isDelegation true"); + /* + * build up name/value pairs for pattern mapping + */ + LinkedHashMap<String, String> nv = new LinkedHashMap<String, String>(); + + nv.put("cuid", aInfo.getCUIDhexStringPlain()); + nv.put("msn", aInfo.getMSNString()); + nv.put("userid", userid); + nv.put("auth.cn", userid); + nv.put("profileId", getSelectedTokenType()); + + CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: fill in nv with authToken name/value pairs"); + Enumeration<String> n = authToken.getElements(); + while (n.hasMoreElements()) { + String name = n.nextElement(); + CMS.debug("TPSEnrollProcessor.enrollOneCertificate::name =" + name); + if (ldapStringAttrs != null && ldapStringAttrs.contains(name)) { + String[] vals = authToken.getInStringArray(name); + if (vals != null) { + CMS.debug("TPSEnrollProcessor.enrollOneCertificate::val =" + vals[0]); + nv.put("auth." + name, vals[0]); + } else { + CMS.debug("TPSEnrollProcessor.enrollOneCertificate::name not found in authToken:" + + name); + } + } + } + + String subjectdn = ""; + /* + * isDelegate: process subjectdn + * e.g. 
+ * op.enroll.delegateISEtoken.keyGen.encryption.dnpattern= + * cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org + * becomes: + * CN=Jane.Doe.0123456789,E=jdoe@redhat.com,O=TMS Org + */ + IConfigStore configStore = CMS.getConfigStore(); + String configName; + configName = TPSEngine.OP_ENROLL_PREFIX + "." + + getSelectedTokenType() + ".keyGen." + + cEnrollInfo.getKeyType() + ".dnpattern"; + try { + String dnpattern = configStore.getString(configName); + subjectdn = mapPattern(nv, dnpattern); + } catch (EBaseException e) { + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: isDelegation dnpattern not set"); + } + + /* + * isDelegate: process SAN_ext + * e.g. + * op.enroll.delegateISEtoken.keyGen.encryption.SANpattern= + * $auth.edipi$.abc@redhat.com + * becomes: + * 0123456789.abc@redhat.com + */ + configName = TPSEngine.OP_ENROLL_PREFIX + "." + + getSelectedTokenType() + ".keyGen." + + cEnrollInfo.getKeyType() + ".SANpattern"; + try { + String sanPattern = configStore.getString(configName); + String[] sanToks = sanPattern.split(","); + for (String sanToken : sanToks) { + /* + * for every "tok" in pattern, + * 1. mapPattern + * 2. uriEncode + * 3. 
append + * url_san_ext will look like san1&san2&san3...& + */ + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: isDeletation: sanToken:" + sanToken); + String sanExt = mapPattern(nv, sanToken); + String urlSanExt1 = Util.uriEncode(sanExt); + if (urlSanExt == null) { // first one + urlSanExt = "req_san_pattern_" + + sanNum + "=" + urlSanExt1; + } else { + urlSanExt = urlSanExt + + "&req_san_pattern_" + sanNum + + "=" + urlSanExt1; + } + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: isDelegation: urlSanExt1:" + urlSanExt1); + + sanNum++; + } + } catch (EBaseException e) { + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: isDeletation sanPattern not set"); + } + + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: isDelegation: Before calling enrolCertificate"); + caEnrollResp = + caRH.enrollCertificate(encodedParsedPubKey, userid, + subjectdn, sanNum, urlSanExt, + aInfo.getCUIDhexString(), getSelectedTokenType(), + cEnrollInfo.getKeyType()); + } else { + CMS.debug("TPSEnrollProcessor.enrollOneCertificate: not isDelegation: Before calling enrolCertificate"); + caEnrollResp = caRH.enrollCertificate(encodedParsedPubKey, userid, + aInfo.getCUIDhexString(), getSelectedTokenType(), + cEnrollInfo.getKeyType()); + } + String retCertB64 = caEnrollResp.getCertB64(); CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + retCertB64); @@ -1689,7 +2118,6 @@ public class TPSEnrollProcessor extends TPSProcessor { TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU); } - TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes); CMS.debug("TPSEnrollProcessor.enrollOneCertificate: renewing: retCertB64: " + cert_bytes_buf.toHexString()); 
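Review bot: The delegation branch in `enrollOneCertificate` builds the subject DN from directory attribute values (`vals[0]` into `nv`, then `mapPattern`) without escaping them for the DN, so a value containing `,`, `+`, `=` or `"` changes the structure of the requested subject instead of appearing as a literal; escape each mapped value per RFC 4514 (or reject such characters) before substituting it into `dnpattern`. `vals[0]` is also read whenever `vals != null`, so an attribute that is present but empty throws `ArrayIndexOutOfBoundsException` rather than logging "name not found"; test `vals.length > 0`. When `dnpattern` is unset the CA is sent `subjectdn = ""`, which should either be rejected for delegation or documented as "CA decides the subject". The log strings `isDeletation` are typos of `isDelegation`. The method body starts outside the hunk.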
@@ -2367,27 +2795,32 @@ public class TPSEnrollProcessor extends TPSProcessor { } protected int getNumberCertsToEnroll() throws TPSException { + String method = "TPSEnrollProcessor.getNumberCertsToEnroll:"; + String auditMsg; IConfigStore configStore = CMS.getConfigStore(); int keyTypeNum = 0; try { String configValue = TPSEngine.OP_ENROLL_PREFIX + "." + selectedTokenType + "." + TPSEngine.CFG_KEYGEN_KEYTYPE_NUM; + CMS.debug(method + "getting config value for:" + configValue); keyTypeNum = configStore.getInteger( configValue, 0); } catch (EBaseException e) { - throw new TPSException("TPSEnrollProcessor.getNumberCertsToEnroll: Internal error finding config value: " - + e, + auditMsg = "Internal error finding config value: " + e; + throw new TPSException(method + auditMsg, TPSStatus.STATUS_ERROR_UPGRADE_APPLET); } - if (keyTypeNum == 0) { - throw new TPSException( - "TPSEnrollProcessor.getNumberCertsToEnroll: invalid number of certificates configured!", - TPSStatus.STATUS_ERROR_MISCONFIGURATION); + if (!isExternalReg) { + if (keyTypeNum == 0) { + throw new TPSException( + method + " invalid number of certificates configured!", + TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } } - CMS.debug("TPSProcess.getNumberCertsToEnroll: returning: " + keyTypeNum); + CMS.debug(method + " returning: " + keyTypeNum); return keyTypeNum; } diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index c37a17c11..1a87f3e3c 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java 
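Review bot: `auditMsg` in `getNumberCertsToEnroll` is only ever folded into the exception text and never written with `tdbActivity`, so the name implies an audit record that does not exist; call it `msg` or actually record it. The nested `if (!isExternalReg) { if (keyTypeNum == 0)` reads more simply as `if (!isExternalReg && keyTypeNum == 0) {`. A config lookup failure is still reported as `STATUS_ERROR_UPGRADE_APPLET`, which misleads an operator; `STATUS_ERROR_MISCONFIGURATION`, used two lines below for the related case, fits better.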
@@ -24,9 +24,12 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.util.ArrayList; +import java.util.Arrays; +import java.util.Enumeration; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedHashMap; +import java.util.List; import java.util.Map; import java.util.Set; @@ -47,6 +50,9 @@ import org.dogtagpki.server.tps.dbs.ActivityDatabase; import org.dogtagpki.server.tps.dbs.TPSCertRecord; import org.dogtagpki.server.tps.dbs.TokenRecord; import org.dogtagpki.server.tps.engine.TPSEngine; +import org.dogtagpki.server.tps.main.ExternalRegAttrs; +//import org.dogtagpki.server.tps.main.ExternalRegCertToDelete; +import org.dogtagpki.server.tps.main.ExternalRegCertToRecover; import org.dogtagpki.server.tps.profile.BaseTokenProfileResolver; import org.dogtagpki.server.tps.profile.TokenProfileParams; import org.dogtagpki.tps.apdu.APDU; @@ -106,6 +112,8 @@ public class TPSProcessor { protected TPSSession session; //protected TokenRecord tokenRecord; protected String selectedTokenType; + IAuthToken authToken; + List<String> ldapStringAttrs; protected String userid = null; protected String currentTokenOperation; @@ -155,7 +163,7 @@ public class TPSProcessor { TokenRecord tokenRecord = getTokenRecord(); - if(tokenRecord == null) { + if (tokenRecord == null) { throw new NullPointerException("TPSProcessor.setSelectedTokenType: Can't find token record for token!"); } tokenRecord.setType(selectedTokenType); 
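Review bot: `authToken` and `ldapStringAttrs` are added to `TPSProcessor` with package-private visibility while every neighbouring field is `protected`; declare them `protected` (or `private` with accessors) and add a comment stating that `authToken` holds the result of the last `authenticateUser` call for the lifetime of the processor, since `enrollOneCertificate` reads it much later. The commented-out `ExternalRegCertToDelete` import should be dropped until the type is actually used.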
@@ -750,6 +758,20 @@ public class TPSProcessor { CMS.debug(auditMsg); throw new EBaseException(auditMsg); } + return getAuthentication(authId); + } + + public TPSAuthenticator getAuthentication(String authId) + throws EBaseException { + CMS.debug("TPSProcessor.getAuthentication"); + String auditMsg = null; + + if (authId.isEmpty()) { + auditMsg = "TPSProcessor.getAuthentication: missing parameters: authId"; + CMS.debug(auditMsg); + throw new EBaseException(auditMsg); + } + IConfigStore configStore = CMS.getConfigStore(); TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); 
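Review bot: `getAuthentication(String authId)` calls `authId.isEmpty()` without a null check, so a missing `externalReg.authId` surfaces as a `NullPointerException` instead of the intended `EBaseException`; use `if (authId == null || authId.isEmpty()) {`. The method body continues outside the hunk.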
@@ -765,9 +787,48 @@ public class TPSProcessor { throw new EBaseException(auditMsg); } authInst.setAuthCredName(authCredName); + + // set ldapStringAttrs for later processing + String authLdapStringAttrs = "auths.instance." + authId + ".ldapStringAttributes"; + CMS.debug("TPSProcessor.getAuthentication: getting config: " + + authLdapStringAttrs); + String authLdapStringAttributes = configStore.getString(authLdapStringAttrs, ""); + if (authLdapStringAttributes != null && !authLdapStringAttributes.equals("")) { + auditMsg = "TPSProcessor.getAuthentication: got ldapStringAttributes... setting up"; + CMS.debug(auditMsg); + ldapStringAttrs = Arrays.asList(authLdapStringAttributes.split(",")); + } else { + // not set is okay + auditMsg = "TPSProcessor.getAuthentication: config param not set:" + authLdapStringAttributes; + CMS.debug(auditMsg); + } + return authInst; } + + public void processAuthentication(String op, TPSAuthenticator userAuth, String cuid, TokenRecord tokenRecord) + throws EBaseException, TPSException, IOException { + IAuthCredentials userCred; + String method = "TPSProcessor:processAuthentication:"; + String opPrefix; + if (op.equals(TPSEngine.FORMAT_OP)) + opPrefix = TPSEngine.OP_FORMAT_PREFIX; + else if (op.equals(TPSEngine.ENROLL_OP)) + opPrefix = TPSEngine.OP_ENROLL_PREFIX; + else + opPrefix = TPSEngine.OP_PIN_RESET_PREFIX; + + userCred = requestUserId(op, cuid, userAuth, beginMsg.getExtensions()); + userid = (String) userCred.get(userAuth.getAuthCredName()); + CMS.debug(method + op + " userCred (attempted) userid=" + userid); + tokenRecord.setUserID(userid); + authToken = authenticateUser(op, userAuth, userCred); + userid = authToken.getInString("userid"); + tokenRecord.setUserID(userid); + CMS.debug(method + " auth token userid=" + userid); + } + /** * authenticateUser authenticates a user using specified authentication * 
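Review bot: `processAuthentication` computes `opPrefix` but never uses it, and its `else` branch treats any op other than format or enroll as a PIN reset, so an unexpected `op` value is silently accepted; drop the prefix computation or reject unknown ops with a `TPSException`. The refactor also removes the old `// TODO: should check if userid match?` marker without adding the check: the userid the client attempted (from `userCred`) is overwritten by the one the authenticator returns and a mismatch is never detected or logged — at least log both values. In `getAuthentication`, `authLdapStringAttributes.split(",")` does not trim, so `a, b` yields `" b"` and the later `ldapStringAttrs.contains(name)` test in `enrollOneCertificate` misses it; trim each element. `getString(name, "")` cannot return null, so the `!= null` test is redundant.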
@@ -782,9 +843,7 @@ public class TPSProcessor { TPSAuthenticator userAuth, IAuthCredentials userCred) throws EBaseException, TPSException { - /** - * TODO: isExternalReg is not handled until decision made - */ + String auditMsg = null; CMS.debug("TPSProcessor.authenticateUser"); if (op.isEmpty() || userAuth == null || userCred == null) { @@ -796,12 +855,17 @@ public class TPSProcessor { try { // Authenticate user - IAuthToken aToken = auth.authenticate(userCred); - if (aToken != null) { + authToken = auth.authenticate(userCred); + if (authToken != null) { CMS.debug("TPSProcessor.authenticateUser: authentication success"); - return aToken; + Enumeration<String> n = authToken.getElements(); + while (n.hasMoreElements()) { + String name = n.nextElement(); + CMS.debug("TPSProcessor.authenticateUser: got authToken val name:" + name); + } + return authToken; } else { - CMS.debug("TPSProcessor.authenticateUser: authentication failure with aToken null"); + CMS.debug("TPSProcessor.authenticateUser: authentication failure with authToken null"); throw new TPSException("TPS error user authentication failed.", TPSStatus.STATUS_ERROR_LOGIN); } 
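Review bot: `authenticateUser` now stores the result in the `authToken` field as well as returning it, a side effect not visible from the signature; the Javadoc above the method (outside the hunk) should state that the field is set on success and left null when `auth.authenticate` returns null. The element-name loop logs only attribute names, which is fine, but it runs on every login; consider guarding it so it does not add per-login log noise. The method body continues outside the hunk.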
@@ -1249,14 +1313,126 @@ public class TPSProcessor { CMS.debug(method + ": done for cuid:" + cuid); } + /* + * processExternalRegAttrs : + * - retrieve from authToken relevant attributes for externalReg + * - parse the multi-valued attributes + * @returns ExternalRegAttrs + */ + ExternalRegAttrs processExternalRegAttrs(/*IAuthToken authToken,*/String authId) throws EBaseException { + String method = "processExternalRegAttrs"; + String configName; + String tVal; + String[] vals; + ExternalRegAttrs erAttrs = new ExternalRegAttrs(authId); + IConfigStore configStore = CMS.getConfigStore(); + + CMS.debug(method + ": getting from authToken:" + + erAttrs.ldapAttrNameTokenType); + vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenType); + if (vals == null) { + // get the default externalReg tokenType + configName = "externalReg.default.tokenType"; + tVal = configStore.getString(configName, + "externalRegAddToToken"); + CMS.debug(method + ": set default tokenType:" + tVal); + } else { + CMS.debug(method + ": retrieved tokenType:" + vals[0]); + } + erAttrs.setTokenType(vals[0]); + + CMS.debug(method + ": getting from authToken:" + + erAttrs.ldapAttrNameTokenCUID); + vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenCUID); + if (vals != null) { + CMS.debug(method + ": retrieved cuid:" + vals[0]); + erAttrs.setTokenCUID(vals[0]); + } + + /* + * certs to be recovered for this user + * - multi-valued + */ + CMS.debug(method + ": getting from authToken:" + + erAttrs.ldapAttrNameCertsToRecover); + vals = authToken.getInStringArray(erAttrs.ldapAttrNameCertsToRecover); + if (vals != null) { + for (String val : vals) { + CMS.debug(method + ": retrieved certsToRecover:" + val); + /* + * Each cert is represented as + * (serial#, caID, keyID, drmID) + * e.g. 
+ * (1234, ca1, 81, drm1) + * note: numbers above are in decimal + */ + String[] items = val.split(","); + ExternalRegCertToRecover erCert = + new ExternalRegCertToRecover(); + for (int i = 0; i < items.length; i++) { + if (i == 0) + erCert.setSerial(new BigInteger(items[i])); + else if (i == 1) + erCert.setCaConn(items[i]); + else if (i == 2) + erCert.setKeyid(new BigInteger(items[i])); + else if (i == 3) + erCert.setKraConn(items[i]); + } + erAttrs.addCertToRecover(erCert); + } + } + + /* + * certs to be deleted for this user + * - multi-valued + * TODO: decide if we need CertsToDelete or not + * + CMS.debug(method + ": getting from authToken:" + + erAttrs.ldapAttrNameCertsToDelete); + vals = authToken.getInStringArray(erAttrs.ldapAttrNameCertsToDelete); + if (vals != null) { + for (String val : vals) { + CMS.debug(method + ": retrieved certsToDelete:" + val); + + // Each cert is represented as + // (serial#, caID, revokeOnDelete) + // e.g. + // (234, ca1, true) + // note: number above is in decimal + + String[] items = val.split(","); + ExternalRegCertToDelete erCert = + new ExternalRegCertToDelete(); + for (int i = 0; i < items.length; i++) { + if (i == 0) + erCert.setSerial(new BigInteger(items[i])); + else if (i == 1) + erCert.setCaConn(items[i]); + else if (i == 2) { + if (items[i].equals("true")) + erCert.setRevoke(true); + else + erCert.setRevoke(false); + } + } + erAttrs.addCertsToDelete(erCert); + } + } + */ + + return erAttrs; + } + protected void format(boolean skipAuth) throws TPSException, IOException { + IConfigStore configStore = CMS.getConfigStore(); + String configName = null; String auditMsg = null; String appletVersion = null; TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); - boolean isExternalReg = false; AppletInfo appletInfo = null; TokenRecord tokenRecord = null; try { 
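Review bot: In `processExternalRegAttrs`, the `vals == null` branch computes the default `tVal` but the following `erAttrs.setTokenType(vals[0]);` still dereferences the null array, so a user entry without a tokenType attribute throws `NullPointerException` instead of falling back to `externalReg.default.tokenType`; write `erAttrs.setTokenType(vals == null ? tVal : vals[0]);`. The certsToRecover parser splits on `,` and passes `items[0]` straight to `new BigInteger(...)`, while the comment documents the format as `(1234, ca1, 81, drm1)` — the parentheses and spaces in that example would make the constructor throw; either trim and strip the brackets or fix the comment, and catch `NumberFormatException` so one malformed directory value produces a clear `EBaseException` rather than an unchecked failure. `vals[0]` is also read for the cuid without a length check. The token type and CA/KRA connection ids come from the directory entry; the method comment should say whether callers are expected to validate them against configured profiles and connectors, since nothing here does.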
@@ -1306,8 +1482,97 @@ public class TPSProcessor { IAuthCredentials userCred = new com.netscape.certsrv.authentication.AuthCredentials(); if (isExternalReg) { - //ToDo, do some external Reg stuff along with authentication - tokenType = "externalRegAddToToken"; + CMS.debug("In TPSProcessor.format isExternalReg: ON"); + /* + need to reach out to the Registration DB (authid) + Entire user entry should be retrieved and parsed, if needed + The following are retrieved: + externalReg.tokenTypeAttributeName=tokenType + externalReg.certs.recoverAttributeName=certsToRecover + */ + /* + * - tokenType id NULL at this point for isExternalReg + * - loginRequest cannot be per profile(tokenType) for isExternalReg + * because of the above; now it is per instance: + * "externalReg.format.loginRequest.enable" + * "externalReg.default.tokenType" + * it is not enabled by default. + */ + configName = "externalReg.format.loginRequest.enable"; + boolean requireLoginRequest; + try { + requireLoginRequest = configStore.getBoolean(configName, false); + } catch (EBaseException e) { + CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e); + auditMsg = "TPS error getting config values from config store." + e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + if (!requireLoginRequest) { + CMS.debug("In TPSProcessor.format: no Login required"); + // get the default externalReg tokenType + configName = "externalReg.default.tokenType"; + try { + tokenType = configStore.getString(configName, + "externalRegAddToToken"); + setSelectedTokenType(tokenType); + } catch (EBaseException e) { + CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e); + auditMsg = "TPS error getting config values from config store." 
+ e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + CMS.debug("In TPSProcessor.format: isExternalReg: setting tokenType to default first:" + + tokenType); + } else { + /* get user login and password - set in "login" */ + CMS.debug("In TPSProcessor.format: isExternalReg: calling requestUserId"); + configName = "externalReg.authId"; + String authId; + try { + authId = configStore.getString(configName); + } catch (EBaseException e) { + CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e); + auditMsg = "TPS error getting config values from config store." + e.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + try { + TPSAuthenticator userAuth = + getAuthentication(authId); + + processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord); + } catch (Exception e) { + // all exceptions are considered login failure + CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e); + auditMsg = "authentication failed, status = STATUS_ERROR_LOGIN"; + + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, + TPSStatus.STATUS_ERROR_LOGIN); + } + + ExternalRegAttrs erAttrs; + try { + erAttrs = processExternalRegAttrs(/*authToken,*/authId); + } catch (EBaseException ee) { + auditMsg = "processExternalRegAttrs: " + ee.toString(); + tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg, + "failure"); + + throw new TPSException(auditMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + session.setExternalRegAttrs(erAttrs); + setSelectedTokenType(erAttrs.getTokenType()); + } } else 
{ CMS.debug("In TPSProcessor.format isExternalReg: OFF"); /* @@ -1330,8 +1595,7 @@ public class TPSProcessor { // isExternalReg : user already authenticated earlier if (!isExternalReg) { // authenticate per profile/tokenType configuration - String configName = TPSEngine.OP_FORMAT_PREFIX + "." + tokenType + ".auth.enable"; - IConfigStore configStore = CMS.getConfigStore(); + configName = TPSEngine.OP_FORMAT_PREFIX + "." + tokenType + ".auth.enable"; boolean isAuthRequired; try { CMS.debug("TPSProcessor.format: getting config: " + configName); @@ -1349,16 +1613,7 @@ public class TPSProcessor { try { TPSAuthenticator userAuth = getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType); - userCred = requestUserId("format", cuid, userAuth, beginMsg.getExtensions()); - userid = (String) userCred.get(userAuth.getAuthCredName()); - CMS.debug("TPSProcessor.format: userCred (attempted) userid=" + userid); - // initialize userid first for logging purposes in case authentication fails - tokenRecord.setUserID(userid); - IAuthToken authToken = authenticateUser("format", userAuth, userCred); - userid = authToken.getInString("userid"); - tokenRecord.setUserID(userid); - CMS.debug("TPSProcessor.format:: auth token userid=" + userid); - // TODO: should check if userid match? + processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord); } catch (Exception e) { // all exceptions are considered login failure CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e); @@ -1373,13 +1628,7 @@ public class TPSProcessor { } // TODO: if no auth required, should wipe out existing tokenRecord entry data later? } - /** - * TODO: - * isExternalReg is not handled beyond this point until decided - */ - //Now check provided profile - checkProfileStateOK(); if (isTokenPresent) { 
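Review bot: When `externalReg.format.loginRequest.enable` is false, `format()` proceeds with no user authentication at all and takes the token type from `externalReg.default.tokenType`; the in-code comment should say that plainly, e.g. `// no login: token is formatted unauthenticated with the default externalReg profile`, so an operator enabling `externalReg` understands the consequence. The `catch (Exception e)` around `getAuthentication`/`processAuthentication` maps configuration errors to `STATUS_ERROR_LOGIN`, hiding misconfiguration behind a generic login failure; the `EBaseException` from `getAuthentication` is better reported as `STATUS_ERROR_MISCONFIGURATION`, as the surrounding lookups do. `setSelectedTokenType(erAttrs.getTokenType())` accepts whatever the directory entry says, so a profile-existence check belongs right after it if none happens later. The `format` body starts outside the hunk.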
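Review bot: The last hunk (`@@ -1373`) deletes the `checkProfileStateOK();` call from `format()` together with the TODO comment, so unless the check was moved elsewhere in this commit the profile-state gate (a disabled token profile) no longer applies to format operations; if it was moved, name the new location in the commit message, otherwise restore `checkProfileStateOK();` after the authentication block. The `format` body continues outside the hunk.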
@@ -1538,8 +1787,10 @@ public class TPSProcessor { opDefault = TPSEngine.CFG_DEF_PIN_RESET_PROFILE_RESOLVER; opPrefix = TPSEngine.OP_PIN_RESET_PREFIX; - } else{ - throw new TPSException("TPSProcessor.getResolverInstanceName: Invalid operation type, can not calculate resolver instance!",TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } else { + throw new TPSException( + "TPSProcessor.getResolverInstanceName: Invalid operation type, can not calculate resolver instance!", + TPSStatus.STATUS_ERROR_MISCONFIGURATION); } String config = opPrefix + 
@@ -2390,61 +2641,88 @@ public class TPSProcessor { return newPin; } - protected String mapPattern(LinkedHashMap<String, String> map, String pattern) throws TPSException { - - //Right now only support one pattern to match within pattern: for instance: - // "encryption key for $userid$ , not only the one "$userid$" pattern. + /* + * mapPattern maps pattern with $...$ tokens + * e.g. + * dnpattern=cn=$auth.firstname$.$auth.lastname$,e=$auth.mail$,o=Example Org + * where from ldap, + * value of firstname is John + * value of lastname is Doe + * value of mail is JohnDoe@EXAMPLE.org + * then the returned value will be: + * John.Doe,e=JohnDoe@EXAMPLE.org,o=Example Org + * + * TODO: It could be made more efficient + */ + protected String mapPattern(LinkedHashMap<String, String> map, String inPattern) throws TPSException { - String result = null; + String result = ""; - if (pattern == null || map == null) { + if (inPattern == null || map == null) { throw new TPSException("TPSProcessor.mapPattern: Illegal input paramters!", TPSStatus.STATUS_ERROR_CONTACT_ADMIN); } final char delim = '$'; - int firstPos = 0; - int nextPos = 0; - String patternToMap = null; - String patternMapped = null; + String pattern = inPattern; + + while (true) { + String patternToMap = null; + int firstPos = 0; + int nextPos = 0; + CMS.debug("TPSProcessor.mapPattern: pattern =" + pattern); + String patternMapped = ""; + firstPos = pattern.indexOf(delim); + if (firstPos == -1) { + //no more token + break; + } + nextPos = pattern.indexOf(delim, firstPos + 1); - firstPos = pattern.indexOf(delim); - nextPos = pattern.indexOf(delim, firstPos + 1); + if ((nextPos - firstPos) <= 1) { + // return pattern; + break; // no more pattern to match + } - if ((nextPos - firstPos) <= 1) { - return pattern; - } + patternToMap = pattern.substring(firstPos + 1, nextPos); - patternToMap = pattern.substring(firstPos + 1, nextPos); + CMS.debug("TPSProcessor.mapPattern: patternTo map: " + patternToMap); - 
CMS.debug("TPSProcessor.mapPattern: patternTo map: " + patternToMap); + String piece1 = ""; + if (firstPos >= 1) + piece1 = pattern.substring(0, firstPos); - String piece1 = ""; - if (firstPos >= 1) - piece1 = pattern.substring(0, firstPos); + String piece2 = ""; + if (nextPos < (pattern.length() - 1)) + piece2 = pattern.substring(nextPos + 1); - String piece2 = ""; - if (nextPos < (pattern.length() - 1)) - piece2 = pattern.substring(nextPos + 1); + for (Map.Entry<String, String> entry : map.entrySet()) { + String key = entry.getKey(); - for (Map.Entry<String, String> entry : map.entrySet()) { - String key = entry.getKey(); + String value = entry.getValue(); + CMS.debug("TPSProcessor.mapPattern: Exposed: key: " + key + " Param: " + value); - String value = entry.getValue(); - CMS.debug("TPSProcessor.mapPattern: Exposed: key: " + key + " Param: " + value); + if (key.equalsIgnoreCase(patternToMap)) { + CMS.debug("TPSProcessor.mapPattern: found match: key: " + key + " mapped to: " + value); + patternMapped = value; + CMS.debug("TPSProcessor.mapPattern: pattern mapped: " + patternMapped); + break; + } - if (key.equals(patternToMap)) { - CMS.debug("TPSProcessor.mapPattern: found match: key: " + key + " mapped to: " + value); - patternMapped = value; - break; } + // if patternMapped wasn't mapped, it will be "" + result = (piece1 + patternMapped + piece2); + pattern = result; } - result = piece1 + patternMapped + piece2; - - CMS.debug("TPSProcessor.mapPattern: returning: " + result); - return result; + if (result.equals("")) { + CMS.debug("TPSProcessor.mapPattern: returning: " + inPattern); + return (inPattern); + } else { + CMS.debug("TPSProcessor.mapPattern: returning: " + result); + return result; + } } 
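Review bot: The rewritten `mapPattern` loop re-scans the whole string after every substitution (`pattern = result`), so a substituted value is itself treated as a pattern: a directory attribute value containing `$...$` is expanded again, and a value that names its own key (for example `$auth.mail$` stored as the mail value) never terminates, since `enrollOneCertificate` fills the map from `authToken` attributes. Consume the pattern left to right instead, appending substituted text to an output buffer that is never scanned again, as below. The `equals` to `equalsIgnoreCase` change is a behavioural change that should be mentioned in the commit message, and the final `result.equals("")` fallback hands the unexpanded `$...$` pattern back to the caller, where it would be sent to the CA as a DN component; returning the (possibly empty) expansion and letting the caller decide is safer.
```java
    protected String mapPattern(LinkedHashMap<String, String> map, String inPattern) throws TPSException {
        // … unchanged: null-argument check …
        final char delim = '$';
        StringBuilder out = new StringBuilder();
        String rest = inPattern;
        while (true) {
            int firstPos = rest.indexOf(delim);
            int nextPos = (firstPos == -1) ? -1 : rest.indexOf(delim, firstPos + 1);
            if (firstPos == -1 || (nextPos - firstPos) <= 1) {
                out.append(rest); // no further $token$: keep the tail verbatim
                break;
            }
            String patternToMap = rest.substring(firstPos + 1, nextPos);
            String patternMapped = ""; // an unmapped token expands to ""
            for (Map.Entry<String, String> entry : map.entrySet()) {
                if (entry.getKey().equalsIgnoreCase(patternToMap)) {
                    patternMapped = entry.getValue();
                    break;
                }
            }
            // substituted text goes to the output and is never scanned again,
            // so a value containing '$' cannot be re-interpreted as a token
            out.append(rest, 0, firstPos).append(patternMapped);
            rest = rest.substring(nextPos + 1);
        }
        String result = out.toString();
        CMS.debug("TPSProcessor.mapPattern: returning: " + result);
        return result;
    }
```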
@@ -2540,13 +2818,12 @@ public class TPSProcessor { protected void checkAndAuthenticateUser(AppletInfo appletInfo, String tokenType) throws TPSException { IAuthCredentials userCred; - IAuthToken authToken; TokenRecord tokenRecord = getTokenRecord(); String method = "checkAndAuthenticateUser"; String opPrefix = null; - if(TPSEngine.ENROLL_OP.equals( currentTokenOperation)) { + if (TPSEngine.ENROLL_OP.equals(currentTokenOperation)) { opPrefix = TPSEngine.OP_ENROLL_PREFIX; } else if (TPSEngine.FORMAT_OP.equals(currentTokenOperation)) { opPrefix = TPSEngine.OP_FORMAT_PREFIX; @@ -2554,7 +2831,6 @@ public class TPSProcessor { opPrefix = TPSEngine.OP_PIN_RESET_PREFIX; } - if (!isExternalReg) { // authenticate per profile/tokenType configuration String configName = opPrefix + "." + tokenType + ".auth.enable"; @@ -2574,25 +2850,13 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_MISCONFIGURATION); } - - CMS.debug(method + ": opPrefox: " + opPrefix); if (isAuthRequired) { try { TPSAuthenticator userAuth = getAuthentication(opPrefix, tokenType); - userCred = requestUserId(TPSEngine.ENROLL_OP, appletInfo.getCUIDhexString(), userAuth, - beginMsg.getExtensions()); - userid = (String) userCred.get(userAuth.getAuthCredName()); - CMS.debug("TPSEnrollProcessor.checkAndAuthenticateUser: userCred (attempted) userid=" + userid); - // initialize userid first for logging purposes in case authentication fails - tokenRecord.setUserID(userid); - authToken = authenticateUser(TPSEngine.ENROLL_OP, userAuth, userCred); - userid = authToken.getInString("userid"); - tokenRecord.setUserID(userid); - CMS.debug("TPSProcessor.checkAndAuthenticateUser: auth passed: userid: " - + authToken.get("userid")); + processAuthentication(TPSEngine.ENROLL_OP, userAuth, appletInfo.getCUIDhexString(), tokenRecord); } catch (Exception e) { // all exceptions are considered login failure |
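Review bot: Removing `if (!isExternalReg) {` in `checkAndAuthenticateUser` (second hunk) makes the per-profile `auth.enable` lookup and `processAuthentication` run for external-registration sessions too, which were previously skipped as already authenticated in `format()`; if a second authentication is intended, say so in a comment, and confirm the matching closing brace was removed in the part of the method outside this chunk. The method body ends outside the hunk.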