Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java | 160 |
1 files changed, 77 insertions, 83 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
index 00bf88c3b..3092d00a1 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
@@ -17,6 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.authentication;
 
+
 import java.security.Principal;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -46,14 +47,15 @@ import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.usrgrp.Certificates;
 
+
 /**
- * Certificate server SSL client authentication.
- *
+ * Certificate server SSL client authentication.
+ *
  * @author Christina Fu
- * <P>
- *
+ * <P>
+ *
  */
-public class SSLclientCertAuthentication implements IAuthManager,
+public class SSLclientCertAuthentication implements IAuthManager,
 IProfileAuthenticator {
 
 /* result auth token attributes */
@@ -84,20 +86,19 @@ public class SSLclientCertAuthentication implements IAuthManager,
 /**
 * initializes the SSLClientCertAuthentication auth manager
 * <p>
- * called by AuthSubsystem init() method, when initializing all available
- * authentication managers.
- *
+ * called by AuthSubsystem init() method, when initializing
+ * all available authentication managers.
 * @param name The name of this authentication manager instance.
 * @param implName The name of the authentication manager plugin.
 * @param config The configuration store for this authentication manager.
 */
 public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
 mName = name;
 mImplName = implName;
 mConfig = config;
 }
-
+
 /**
 * Gets the name of this authentication manager.
 */
@@ -111,7 +112,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
 public String getImplName() {
 return mImplName;
 }
-
+
 public boolean isSSLClientRequired() {
 return true;
 }
@@ -119,34 +120,33 @@ public class SSLclientCertAuthentication implements IAuthManager,
 /**
 * authenticates user by certificate
 * <p>
- * called by other subsystems or their servlets to authenticate users
- *
- * @param authCred - authentication credential that contains an
- * usrgrp.Certificates of the user (agent)
+ * called by other subsystems or their servlets to authenticate
+ * users
+ * @param authCred - authentication credential that contains
+ * an usrgrp.Certificates of the user (agent)
 * @return the authentication token that contains the following
- *
+ *
 * @exception EMissingCredential If a required credential for this
- * authentication manager is missing.
+ * authentication manager is missing.
 * @exception EInvalidCredentials If credentials cannot be authenticated.
 * @exception EBaseException If an internal error occurred.
 * @see com.netscape.certsrv.authentication.AuthToken
 * @see com.netscape.certsrv.usrgrp.Certificates
 */
 public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
-
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
+
 CMS.debug("SSLclientCertAuthentication: start");
- CMS.debug("authenticator instance name is " + getName());
+ CMS.debug("authenticator instance name is "+getName());
 
 // force SSL handshake
 SessionContext context = SessionContext.getExistingContext();
- ISSLClientCertProvider provider = (ISSLClientCertProvider) context
- .get("sslClientCertProvider");
+ ISSLClientCertProvider provider = (ISSLClientCertProvider)
+ context.get("sslClientCertProvider");
 
 if (provider == null) {
 CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
 CMS.debug("SSLclientCertAuthentication: got provider");
 CMS.debug("SSLclientCertAuthentication: retrieving client certificate");
@@ -154,8 +154,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
 
 if (allCerts == null) {
 CMS.debug("SSLclientCertAuthentication: No SSL Client Certs Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
 CMS.debug("SSLclientCertAuthentication: got certificates");
 
@@ -174,7 +173,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
 
 // find out which one is the leaf cert
 clientCert = ci[i];
- byte[] extBytes = clientCert.getExtensionValue("2.5.29.19");
+ byte [] extBytes = clientCert.getExtensionValue("2.5.29.19");
 // try to see if this is a leaf cert
 // look for BasicConstraint extension
 if (extBytes == null) {
@@ -187,46 +186,42 @@ public class SSLclientCertAuthentication implements IAuthManager,
 // so it's not likely to be a leaf cert,
 // however, check the isCA field regardless
 try {
- BasicConstraintsExtension bce = new BasicConstraintsExtension(
- true, extBytes);
- if (bce != null) {
- if (!(Boolean) bce.get("is_ca")) {
- CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");
- break;
- } // else found a ca cert, continue
- }
- } catch (Exception e) {
- CMS.debug("SSLclientCertAuthentication: authenticate: exception:"
- + e.toString());
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
- }
+ BasicConstraintsExtension bce =
+ new BasicConstraintsExtension(true, extBytes);
+ if (bce != null) {
+ if (!(Boolean)bce.get("is_ca")) {
+ CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");
+ break;
+ } // else found a ca cert, continue
+ }
+ } catch (Exception e) {
+ CMS.debug("SSLclientCertAuthentication: authenticate: exception:"+
+ e.toString());
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ }
 }
 if (clientCert == null) {
- CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
 } catch (CertificateException e) {
 CMS.debug(e.toString());
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
 
 // check if certificate(s) is revoked
 boolean checkRevocation = true;
 try {
- checkRevocation = mConfig.getBoolean("checkRevocation", true);
+ checkRevocation = mConfig.getBoolean("checkRevocation", true);
 } catch (EBaseException e) {
- // do nothing; default to true
+ // do nothing; default to true
 }
 if (checkRevocation) {
- if (CMS.isRevoked(ci)) {
- CMS.debug("SSLclientCertAuthentication: certificate revoked");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
+ if (CMS.isRevoked(ci)) {
+ CMS.debug("SSLclientCertAuthentication: certificate revoked");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
 }
 Certificates certs = new Certificates(ci);
 Principal p_dn = clientCert.getSubjectDN();
@@ -237,13 +232,13 @@ public class SSLclientCertAuthentication implements IAuthManager,
 authToken.set(TOKEN_UID, uid);
 authToken.set(TOKEN_USERID, uid);
 }
- /*
- * authToken.set(TOKEN_USER_DN, user.getUserDN());
- * authToken.set(TOKEN_USERID, user.getUserID());
- * authToken.set(TOKEN_UID, user.getUserID());
- * authToken.set(TOKEN_GROUP, groupname);
- */
- authToken.set(CRED_CERT, certs);
+/*
+ authToken.set(TOKEN_USER_DN, user.getUserDN());
+ authToken.set(TOKEN_USERID, user.getUserID());
+ authToken.set(TOKEN_UID, user.getUserID());
+ authToken.set(TOKEN_GROUP, groupname);
+*/
+ authToken.set(CRED_CERT, certs);
 
 CMS.debug("SSLclientCertAuthentication: authenticated ");
 
@@ -262,8 +257,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
 String n = t.substring(0, i);
 if (n.equalsIgnoreCase("uid")) {
 String v = t.substring(i + 1);
- CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"
- + v);
+ CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"+v);
 return v;
 } else {
 continue;
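Review bot: In the BasicConstraints branch of the @@ -187 hunk, the line `CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");` runs when `bce.get("is_ca")` is false, i.e. when the loop has reached the non-CA (end-entity) certificate and breaks on it, so the message states the opposite of what happened; the trailing `// else found a ca cert, continue` shows the intended reading. Suggest `CMS.debug("SSLclientCertAuthentication: authenticate: found non-CA (leaf) cert in chain");` so that a log of this chain walk can be read correctly when an authentication failure is being diagnosed. The `if (bce != null)` guard directly after `new BasicConstraintsExtension(true, extBytes)` can never be false and could be dropped. The enclosing for-loop and outer try block begin outside this hunk.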
@@ -273,12 +267,11 @@ public class SSLclientCertAuthentication implements IAuthManager,
 }
 
 /**
- * get the list of authentication credential attribute names required by
- * this authentication manager. Generally used by the servlets that handle
- * agent operations to authenticate its users. It calls this method to know
- * which are the required credentials from the user (e.g. Javascript form
- * data)
- *
+ * get the list of authentication credential attribute names
+ * required by this authentication manager. Generally used by
+ * the servlets that handle agent operations to authenticate its
+ * users. It calls this method to know which are the
+ * required credentials from the user (e.g. Javascript form data)
 * @return attribute names in Vector
 */
 public String[] getRequiredCreds() {
@@ -286,15 +279,15 @@ public class SSLclientCertAuthentication implements IAuthManager,
 }
 
 /**
- * get the list of configuration parameter names required by this
- * authentication manager. Generally used by the Certificate Server Console
- * to display the table for configuration purposes. CertUserDBAuthentication
- * is currently not exposed in this case, so this method is not to be used.
- *
- * @return configuration parameter names in Hashtable of Vectors where each
- * hashtable entry's key is the substore name, value is a Vector of
- * parameter names. If no substore, the parameter name is the
- * Hashtable key itself, with value same as key.
+ * get the list of configuration parameter names
+ * required by this authentication manager. Generally used by
+ * the Certificate Server Console to display the table for
+ * configuration purposes. CertUserDBAuthentication is currently not
+ * exposed in this case, so this method is not to be used.
+ * @return configuration parameter names in Hashtable of Vectors
+ * where each hashtable entry's key is the substore name, value is a
+ * Vector of parameter names. If no substore, the parameter name
+ * is the Hashtable key itself, with value same as key.
 */
 public String[] getConfigParams() {
 return (mConfigParams);
@@ -307,8 +300,8 @@ public class SSLclientCertAuthentication implements IAuthManager,
 }
 
 /**
- * gets the configuretion substore used by this authentication manager
- *
+ * gets the configuretion substore used by this authentication
+ * manager
 * @return configuration store
 */
 public IConfigStore getConfigStore() {
@@ -318,7 +311,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
 
 // Profile-related methods
 public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
 }
 
 /**
@@ -347,14 +340,15 @@ public class SSLclientCertAuthentication implements IAuthManager,
 }
 
 /**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
 */
 public IDescriptor getValueDescriptor(Locale locale, String name) {
 return null;
 }
 
 public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
 request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
 token.getInString(TOKEN_USERDN));
 request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
|