diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication')
17 files changed, 1807 insertions, 1770 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java index e0a37eb4b..1b76f77a6 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java +++ b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.io.IOException; import java.io.PushbackReader; import java.io.StringReader; @@ -36,24 +35,27 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.authentication.ECompSyntaxErr; - /** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn.<p> + * class for parsing a DN pattern used to construct a certificate subject name + * from ldap attributes and dn. + * <p> + * + * dnpattern is a string representing a subject name pattern to formulate from + * the directory attributes and entry dn. If empty or not set, the ldap entry DN + * will be used as the certificate subject name. + * <p> * - * dnpattern is a string representing a subject name pattern to formulate from - * the directory attributes and entry dn. If empty or not set, the - * ldap entry DN will be used as the certificate subject name. <p> + * The syntax is * - * The syntax is * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] + * dnPattern := rdnPattern *[ "," rdnPattern ] + * rdnPattern := avaPattern *[ "+" avaPattern ] * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number + * name "=" "$attr" "." attrName [ "." attrNumber ] | + * name "=" "$dn" "." attrName [ "." attrNumber ] | + * "$dn" "." "$rdn" "." number * </pre> + * * <pre> * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org @@ -80,11 +82,12 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr; * E = the first 'mail' ldap attribute value in user's entry. <br> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> + * * <pre> * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org @@ -109,15 +112,16 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr; * <p> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> - * If an attribute or subject DN component does not exist the attribute - * is skipped. - * + * + * If an attribute or subject DN component does not exist the attribute is + * skipped. + * * @version $Revision$, $Date$ */ class AVAPattern { @@ -130,8 +134,7 @@ class AVAPattern { private static final char[] endChars = new char[] { '+', ',' }; - private static final LdapV3DNStrConverter mLdapDNStrConverter = - new LdapV3DNStrConverter(); + private static final LdapV3DNStrConverter mLdapDNStrConverter = new LdapV3DNStrConverter(); /* ldap attributes needed by this AVA (to retrieve from ldap) */ protected String[] mLdapAttrs = null; @@ -140,7 +143,7 @@ class AVAPattern { protected String mType = null; /* the attribute in the AVA pair */ - protected String mAttr = null; + protected String mAttr = null; /* value - could be name of an ldap attribute or entry dn attribute. */ protected String mValue = null; @@ -150,262 +153,288 @@ class AVAPattern { protected String mTestDN = null; - public AVAPattern(String component) - throws EAuthException { - if (component == null || component.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); + public AVAPattern(String component) throws EAuthException { + if (component == null || component.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); parse(new PushbackReader(new StringReader(component))); } - public AVAPattern(PushbackReader in) - throws EAuthException { + public AVAPattern(PushbackReader in) throws EAuthException { parse(in); } - private void parse(PushbackReader in) - throws EAuthException { + private void parse(PushbackReader in) throws EAuthException { int c; // mark ava beginning. // skip spaces - //System.out.println("============ AVAPattern Begin ==========="); - //System.out.println("skip spaces"); + // System.out.println("============ AVAPattern Begin ==========="); + // System.out.println("skip spaces"); try { - while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c); + while ((c = in.read()) == ' ' || c == '\t') {// System.out.println("spaces read "+(char)c); ; } } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); - // $rdn "." number syntax. + // $rdn "." number syntax. if (c == '$') { - //System.out.println("$rdn syntax"); + // System.out.println("$rdn syntax"); mType = TYPE_RDN; try { - if (in.read() != 'r' || - in.read() != 'd' || - in.read() != 'n' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn")); + if (in.read() != 'r' || in.read() != 'd' || in.read() != 'n' + || in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $ syntax, expecting $rdn")); } StringBuffer rdnNumberBuf = new StringBuffer(); try { while ((c = in.read()) != ',' && c != -1 && c != '+') { - //System.out.println("rdnNumber read "+(char)c); + // System.out.println("rdnNumber read "+(char)c); rdnNumberBuf.append((char) c); } if (c != -1) // either ',' or '+' in.unread(c); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } String rdnNumber = rdnNumberBuf.toString().trim(); - if (rdnNumber.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "$rdn number not set in ava pattern")); + if (rdnNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$rdn number not set in ava pattern")); try { mElement = Integer.parseInt(rdnNumber) - 1; } catch (NumberFormatException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $rdn number in ava pattern")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid $rdn number in ava pattern")); } return; } - // name "=" ... syntax. + // name "=" ... syntax. - // read name - //System.out.println("reading name"); + // read name + // System.out.println("reading name"); - StringBuffer attrBuf = new StringBuffer(); + StringBuffer attrBuf = new StringBuffer(); try { while (c != '=' && c != -1 && c != ',' && c != '+') { attrBuf.append((char) c); c = in.read(); - //System.out.println("name read "+(char)c); - } - if (c == ',' || c == '+') + // System.out.println("name read "+(char)c); + } + if (c == ',' || c == '+') in.unread(c); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } if (c != '=') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Missing \"=\" in ava pattern")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Missing \"=\" in ava pattern")); - // read value - //System.out.println("reading value"); + // read value + // System.out.println("reading value"); - // skip spaces - //System.out.println("skip spaces for value"); + // skip spaces + // System.out.println("skip spaces for value"); try { - while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c); + while ((c = in.read()) == ' ' || c == '\t') {// System.out.println("spaces2 read "+(char)c); ; } } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "no value after = in ava pattern")); + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "no value after = in ava pattern")); if (c == '$') { - // check for $dn or $attr + // check for $dn or $attr try { c = in.read(); - //System.out.println("check $dn or $attr read "+(char)c); + // System.out.println("check $dn or $attr read "+(char)c); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $dn or $attr in ava pattern")); + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $dn or $attr in ava pattern")); if (c == 'a') { try { - if (in.read() != 't' || - in.read() != 't' || - in.read() != 'r' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $attr in ava pattern")); + if (in.read() != 't' || in.read() != 't' + || in.read() != 'r' || in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $attr in ava pattern")); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } mType = TYPE_ATTR; - //System.out.println("---- mtype $attr"); + // System.out.println("---- mtype $attr"); } else if (c == 'd') { try { - if (in.read() != 'n' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "expecting $dn in ava pattern")); + if (in.read() != 'n' || in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "expecting $dn in ava pattern")); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } mType = TYPE_DN; - //System.out.println("----- mtype $dn"); + // System.out.println("----- mtype $dn"); } else { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "unknown keyword. expecting $dn or $attr.")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "unknown keyword. expecting $dn or $attr.")); } - // get attr name of dn pattern from above. + // get attr name of dn pattern from above. String attrName = attrBuf.toString().trim(); - //System.out.println("----- attrName "+attrName); - if (attrName.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "attribute name expected")); - try { - ObjectIdentifier attrOid = - mLdapDNStrConverter.parseAVAKeyword(attrName); + // System.out.println("----- attrName "+attrName); + if (attrName.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "attribute name expected")); + try { + ObjectIdentifier attrOid = mLdapDNStrConverter + .parseAVAKeyword(attrName); - mAttr = mLdapDNStrConverter.encodeOID(attrOid); - //System.out.println("----- mAttr "+mAttr); + mAttr = mLdapDNStrConverter.encodeOID(attrOid); + // System.out.println("----- mAttr "+mAttr); } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); } // get dn or attribute from ldap search. StringBuffer valueBuf = new StringBuffer(); try { - while ((c = in.read()) != ',' && - c != -1 && c != '.' && c != '+') { - //System.out.println("mValue read "+(char)c); + while ((c = in.read()) != ',' && c != -1 && c != '.' + && c != '+') { + // System.out.println("mValue read "+(char)c); valueBuf.append((char) c); } if (c == '+' || c == ',') // either ',' or '+' - in.unread(c); // pushback last , or + + in.unread(c); // pushback last , or + } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } mValue = valueBuf.toString().trim(); - if (mValue.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "$dn or $attr attribute name expected")); - //System.out.println("----- mValue "+mValue); + if (mValue.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "$dn or $attr attribute name expected")); + // System.out.println("----- mValue "+mValue); - // get nth dn or attribute from ldap search. + // get nth dn or attribute from ldap search. if (c == '.') { StringBuffer attrNumberBuf = new StringBuffer(); try { while ((c = in.read()) != ',' && c != -1 && c != '+') { - //System.out.println("mElement read "+(char)c); + // System.out.println("mElement read "+(char)c); attrNumberBuf.append((char) c); } if (c != -1) // either ',' or '+' - in.unread(c); // pushback last , or + + in.unread(c); // pushback last , or + } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } String attrNumber = attrNumberBuf.toString().trim(); - if (attrNumber.length() == 0) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "nth element $dn or $attr expected")); + if (attrNumber.length() == 0) + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "nth element $dn or $attr expected")); try { mElement = Integer.parseInt(attrNumber) - 1; } catch (NumberFormatException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "Invalid format in nth element $dn or $attr")); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "Invalid format in nth element $dn or $attr")); } } - //System.out.println("----- mElement "+mElement); + // System.out.println("----- mElement "+mElement); } else { // value is constant. treat as regular ava. mType = TYPE_CONSTANT; - //System.out.println("----- mType constant"); - // parse ava value. + // System.out.println("----- mType constant"); + // parse ava value. StringBuffer valueBuf = new StringBuffer(); valueBuf.append((char) c); try { - while ((c = in.read()) != ',' && - c != -1) { + while ((c = in.read()) != ',' && c != -1) { valueBuf.append((char) c); } if (c == '+' || c == ',') { // either ',' or '+' in.unread(c); // pushback last , or + } } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); } - try { - AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); + try { + AVA ava = mLdapDNStrConverter + .parseAVA(attrBuf + "=" + valueBuf); mValue = ava.toLdapDNString(); - //System.out.println("----- mValue "+mValue); + // System.out.println("----- mValue "+mValue); } catch (IOException e) { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); + throw new ECompSyntaxErr(CMS.getUserMessage( + "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); } } } - public String formAVA(LDAPEntry entry) - throws EAuthException { - if (mType == TYPE_CONSTANT) + public String formAVA(LDAPEntry entry) throws EAuthException { + if (mType == TYPE_CONSTANT) return mValue; if (mType == TYPE_RDN) { String dn = entry.getDN(); - if (mTestDN != null) + if (mTestDN != null) dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); + // System.out.println("AVAPattern Using dn "+mTestDN); String[] rdns = LDAPDN.explodeDN(dn, false); - if (mElement >= rdns.length) + if (mElement >= rdns.length) return null; return rdns[mElement]; } @@ -413,9 +442,9 @@ class AVAPattern { if (mType == TYPE_DN) { String dn = entry.getDN(); - if (mTestDN != null) + if (mTestDN != null) dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); + // System.out.println("AVAPattern Using dn "+mTestDN); String[] rdns = LDAPDN.explodeDN(dn, false); String value = null; int nFound = -1; @@ -426,14 +455,14 @@ class AVAPattern { for (int j = 0; j < avas.length; j++) { String[] exploded = explodeAVA(avas[j]); - if (exploded[0].equalsIgnoreCase(mValue) && - ++nFound == mElement) { + if (exploded[0].equalsIgnoreCase(mValue) + && ++nFound == mElement) { value = exploded[1]; break; } } } - if (value == null) + if (value == null) return null; return mAttr + "=" + value; } @@ -441,7 +470,7 @@ class AVAPattern { if (mType == TYPE_ATTR) { LDAPAttribute ldapAttr = entry.getAttribute(mValue); - if (ldapAttr == null) + if (ldapAttr == null) return null; String value = null; Enumeration ldapValues = ldapAttr.getStringValues(); @@ -454,7 +483,7 @@ class AVAPattern { break; } } - if (value == null) + if (value == null) return null; String v = escapeLdapString(value); @@ -474,8 +503,8 @@ class AVAPattern { for (int i = 0; i < c.length; i++) { // escape special characters that directory does not. - if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<' || - c[i] == '>' || c[i] == '#' || c[i] == ';')) { + if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<' + || c[i] == '>' || c[i] == '#' || c[i] == ';')) { if (i == 0 || c[i - 1] != '\\') { newc[j++] = '\\'; newc[j++] = c[i]; @@ -484,17 +513,17 @@ class AVAPattern { else if (c[i] == '\\') { int k = i + 1; - if (i == len - 1 || - (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' || - c[k] == '>' || c[k] == '#' || c[k] == ';')) { + if (i == len - 1 + || (c[k] == ',' || c[k] == '=' || c[k] == '+' + || c[k] == '<' || c[k] == '>' || c[k] == '#' || c[k] == ';')) { newc[j++] = '\\'; newc[j++] = c[i]; } } // escape QUOTATION else if (c[i] == '"') { - if ((i == 0 && c[len - 1] != '"') || - (i == len - 1 && c[0] != '"') || - (i > 0 && i < len - 1)) { + if ((i == 0 && c[len - 1] != '"') + || (i == len - 1 && c[0] != '"') + || (i > 0 && i < len - 1)) { newc[j++] = '\\'; newc[j++] = c[i]; } @@ -512,20 +541,19 @@ class AVAPattern { } /** - * Explode RDN into AVAs. - * Does not handle escaped '+' - * Java ldap library does not yet support multiple avas per rdn. - * If RDN is malformed returns empty array. + * Explode RDN into AVAs. Does not handle escaped '+' Java ldap library does + * not yet support multiple avas per rdn. If RDN is malformed returns empty + * array. */ public static String[] explodeRDN(String rdn) { int plus = rdn.indexOf('+'); - if (plus == -1) + if (plus == -1) return new String[] { rdn }; Vector avas = new Vector(); StringTokenizer token = new StringTokenizer(rdn, "+"); - while (token.hasMoreTokens()) + while (token.hasMoreTokens()) avas.addElement(token.nextToken()); String[] theAvas = new String[avas.size()]; @@ -534,17 +562,15 @@ class AVAPattern { } /** - * Explode AVA into name and value. - * Does not handle escaped '=' - * If AVA is malformed empty array is returned. + * Explode AVA into name and value. Does not handle escaped '=' If AVA is + * malformed empty array is returned. */ public static String[] explodeAVA(String ava) { int equals = ava.indexOf('='); - if (equals == -1) + if (equals == -1) return null; - return new String[] { - ava.substring(0, equals).trim(), ava.substring(equals + 1).trim()}; + return new String[] { ava.substring(0, equals).trim(), + ava.substring(equals + 1).trim() }; } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java index 0b8bad8f3..23bc2b23b 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Enumeration; @@ -48,16 +47,14 @@ import com.netscape.certsrv.usrgrp.ICertUserLocator; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; - /** - * Certificate server agent authentication. - * Maps a SSL client authenticate certificate to a user (agent) entry in the - * internal database. + * Certificate server agent authentication. Maps a SSL client authenticate + * certificate to a user (agent) entry in the internal database. * <P> - * + * * @version $Revision$, $Date$ */ -public class AgentCertAuthentication implements IAuthManager, +public class AgentCertAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ @@ -91,14 +88,15 @@ public class AgentCertAuthentication implements IAuthManager, /** * initializes the CertUserDBAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available + * authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -106,7 +104,7 @@ public class AgentCertAuthentication implements IAuthManager, mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); mCULocator = mUGSub.getCertUserLocator(); } - + /** * Gets the name of this authentication manager. */ @@ -120,7 +118,7 @@ public class AgentCertAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return true; } @@ -128,33 +126,35 @@ public class AgentCertAuthentication implements IAuthManager, /** * authenticates user(agent) by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users (agents) - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * called by other subsystems or their servlets to authenticate users + * (agents) + * + * @param authCred - authentication credential that contains an + * usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * + * * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("AgentCertAuthentication: start"); - CMS.debug("authenticator instance name is "+getName()); + CMS.debug("authenticator instance name is " + getName()); // force SSL handshake SessionContext context = SessionContext.getExistingContext(); - ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); + ISSLClientCertProvider provider = (ISSLClientCertProvider) context + .get("sslClientCertProvider"); if (provider == null) { CMS.debug("AgentCertAuthentication: No SSL Client Cert Provider Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } CMS.debug("AgentCertAuthenticator: got provider"); CMS.debug("AgentCertAuthenticator: retrieving client certificate"); @@ -162,7 +162,8 @@ public class AgentCertAuthentication implements IAuthManager, if (allCerts == null) { CMS.debug("AgentCertAuthentication: No SSL Client Certs Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } CMS.debug("AgentCertAuthenticator: got certificates"); @@ -185,15 +186,16 @@ public class AgentCertAuthentication implements IAuthManager, // check if certificate(s) is revoked boolean checkRevocation = true; try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); + checkRevocation = mConfig.getBoolean("checkRevocation", true); } catch (EBaseException e) { - // do nothing; default to true + // do nothing; default to true } if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("AgentCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } + if (CMS.isRevoked(ci)) { + CMS.debug("AgentCertAuthentication: certificate revoked"); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } } // map cert to user @@ -203,33 +205,39 @@ public class AgentCertAuthentication implements IAuthManager, try { user = (IUser) mCULocator.locateUser(certs); } catch (EUsrGrpException e) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } catch (netscape.ldap.LDAPException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } - // any unexpected error occurs like internal db down, + // any unexpected error occurs like internal db down, // UGSubsystem only returns null for user. if (user == null) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // get group name from configuration file IConfigStore sconfig = CMS.getConfigStore(); String groupname = ""; try { - groupname = sconfig.getString("auths.instance."+ getName() +".agentGroup", - ""); + groupname = sconfig.getString("auths.instance." + getName() + + ".agentGroup", ""); } catch (EBaseException ee) { } if (!groupname.equals("")) { - CMS.debug("check if "+user.getUserID()+" is in group "+groupname); - IUGSubsystem uggroup = (IUGSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_UG); + CMS.debug("check if " + user.getUserID() + " is in group " + + groupname); + IUGSubsystem uggroup = (IUGSubsystem) CMS + .getSubsystem(CMS.SUBSYSTEM_UG); if (!uggroup.isMemberOf(user, groupname)) { - CMS.debug(user.getUserID()+" is not in this group "+groupname); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); + CMS.debug(user.getUserID() + " is not in this group " + + groupname); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); } } authToken.set(TOKEN_USERDN, user.getUserDN()); @@ -237,7 +245,7 @@ public class AgentCertAuthentication implements IAuthManager, authToken.set(TOKEN_USERID, user.getUserID()); authToken.set(TOKEN_UID, user.getUserID()); authToken.set(TOKEN_GROUP, groupname); - authToken.set(CRED_CERT, certs); + authToken.set(CRED_CERT, certs); CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN()); @@ -245,11 +253,12 @@ public class AgentCertAuthentication implements IAuthManager, } /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * get the list of authentication credential attribute names required by + * this authentication manager. Generally used by the servlets that handle + * agent operations to authenticate its users. It calls this method to know + * which are the required credentials from the user (e.g. Javascript form + * data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -257,15 +266,15 @@ public class AgentCertAuthentication implements IAuthManager, } /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * get the list of configuration parameter names required by this + * authentication manager. Generally used by the Certificate Server Console + * to display the table for configuration purposes. CertUserDBAuthentication + * is currently not exposed in this case, so this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors where each + * hashtable entry's key is the substore name, value is a Vector of + * parameter names. If no substore, the parameter name is the + * Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); @@ -278,8 +287,8 @@ public class AgentCertAuthentication implements IAuthManager, } /** - * gets the configuretion substore used by this authentication - * manager + * gets the configuretion substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -289,7 +298,7 @@ public class AgentCertAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -318,14 +327,13 @@ public class AgentCertAuthentication implements IAuthManager, } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { return null; } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { } } diff --git a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java index fef68c1cb..f61d0a89f 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java +++ b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java @@ -20,7 +20,6 @@ package com.netscape.cms.authentication; - /////////////////////// // import statements // /////////////////////// @@ -101,157 +100,150 @@ import com.netscape.cmsutil.util.Utils; /** * UID/CMC authentication plug-in * <P> - * + * * @version $Revision$, $Date$ */ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, IProfileAuthenticator { - //////////////////////// + // ////////////////////// // default parameters // - //////////////////////// - - - - ///////////////////////////// + // ////////////////////// + + // /////////////////////////// // IAuthManager parameters // - ///////////////////////////// - + // /////////////////////////// + /* authentication plug-in configuration store */ private IConfigStore mConfig; private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; - public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; public static final String REASON_CODE = "reasonCode"; /* authentication plug-in name */ private String mImplName = null; - + /* authentication plug-in instance name */ private String mName = null; - + /* authentication plug-in fields */ - - - - /* Holds authentication plug-in fields accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. + + /* + * Holds authentication plug-in fields accepted by this implementation. This + * list is passed to the configuration console so configuration for + * instances of this implementation can be configured through the console. */ - protected static String[] mConfigParams = - new String[] {}; - + protected static String[] mConfigParams = new String[] {}; + /* authentication plug-in values */ - + /* authentication plug-in properties */ - - + /* required credentials to authenticate. UID and CMC are strings. */ public static final String CRED_CMC = "cmcRequest"; - + protected static String[] mRequiredCreds = {}; - - //////////////////////////////////// + + // ////////////////////////////////// // IExtendedPluginInfo parameters // - //////////////////////////////////// - + // ////////////////////////////////// + /* Vector of extendedPluginInfo strings */ protected static Vector mExtendedPluginInfo = null; - //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; - //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; - - + // public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; + // public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; + /* actual help messages */ static { mExtendedPluginInfo = new Vector(); - - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); + + mExtendedPluginInfo + .add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authentication"); } - - /////////////////////// + + // ///////////////////// // Logger parameters // - /////////////////////// - + // ///////////////////// + /* the system's logger */ private ILogger mLogger = CMS.getLogger(); - + /* signed audit parameters */ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = - "enrollment"; - private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = - "revocation"; - private final static String - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = - "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; - - ///////////////////// + private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment"; + private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation"; + private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; + + // /////////////////// // default methods // - ///////////////////// - + // /////////////////// + /** * Default constructor, initialization must follow. */ public CMCAuth() { } - - ////////////////////////// + + // //////////////////////// // IAuthManager methods // - ////////////////////////// - + // //////////////////////// + /** * Initializes the CMCAuth authentication plug-in. * <p> + * * @param name The name for this authentication plug-in instance. * @param implName The name of the authentication plug-in. * @param config - The configuration store for this instance. * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; - + log(ILogger.LL_INFO, "Initialization complete!"); } - + /** - * Authenticates user by their CMC; - * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. + * Authenticates user by their CMC; resulting AuthToken sets a TOKEN_SUBJECT + * for the subject name. * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY - * used when CMC (agent-pre-signed) cert requests or revocation requests - * are submitted and signature is verified + * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY used + * when CMC (agent-pre-signed) cert requests or revocation requests are + * submitted and signature is verified * </ul> + * * @param authCred Authentication credentials, CRED_UID and CRED_CMC. * @return an AuthToken - * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. - * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. - * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. + * @exception com.netscape.certsrv.authentication.EMissingCredential If a + * required authentication credential is missing. + * @exception com.netscape.certsrv.authentication.EInvalidCredentials If + * credentials failed authentication. + * @exception com.netscape.certsrv.base.EBaseException If an internal error + * occurred. * @see com.netscape.certsrv.authentication.AuthToken */ - public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException { + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditReqType = ILogger.UNIDENTIFIED; String auditCertSubject = ILogger.UNIDENTIFIED; String auditSignerInfo = ILogger.UNIDENTIFIED; - + // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { // get the CMC. - Object argblock = (Object)(authCred.getArgBlock()); + Object argblock = (Object) (authCred.getArgBlock()); Object returnVal = null; if (argblock == null) { returnVal = authCred.get("cert_request"); @@ -266,140 +258,125 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, if (cmc == null) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); throw new EMissingCredential(CMS.getUserMessage( - "CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_CMC)); + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); } if (cmc.equals("")) { - log(ILogger.LL_FAILURE, - "cmc : attempted login with empty CMC."); + log(ILogger.LL_FAILURE, "cmc : attempted login with empty CMC."); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); - throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + // authenticate by checking CMC. - + // everything OK. // now formulate the certificate info. // set the subject name at a minimum. // set anything else like version, extensions, etc. // if nothing except subject name is set the rest of // cert info will be filled in by policies and CA defaults. - + AuthToken authToken = new AuthToken(this); - + try { String asciiBASE64Blob; - + int startIndex = cmc.indexOf(HEADER); int endIndex = cmc.indexOf(TRAILER); - if (startIndex!= -1 && endIndex!=-1) { + if (startIndex != -1 && endIndex != -1) { startIndex = startIndex + HEADER.length(); - asciiBASE64Blob=cmc.substring(startIndex, endIndex); - }else + asciiBASE64Blob = cmc.substring(startIndex, endIndex); + } else asciiBASE64Blob = cmc; - byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); - ByteArrayInputStream cmcBlobIn= new - ByteArrayInputStream(cmcBlob); - - org.mozilla.jss.pkix.cms.ContentInfo cmcReq = - (org.mozilla.jss.pkix.cms.ContentInfo) - org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( - cmcBlobIn); - - if(!cmcReq.getContentType().equals( - org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || - !cmcReq.hasContent()) { + ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream( + cmcBlob); + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo + .getTemplate().decode(cmcBlobIn); + + if (!cmcReq.getContentType().equals( + org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) + || !cmcReq.hasContent()) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); throw new EBaseException("NO_CMC_CONTENT"); } - - SignedData cmcFullReq = (SignedData) - cmcReq.getInterpretedContent(); - + + SignedData cmcFullReq = (SignedData) cmcReq + .getInterpretedContent(); + IConfigStore cmc_config = CMS.getConfigStore(); - boolean checkSignerInfo = - cmc_config.getBoolean("cmc.signerInfo.verify", true); + boolean checkSignerInfo = cmc_config.getBoolean( + "cmc.signerInfo.verify", true); String userid = "defUser"; String uid = "defUser"; if (checkSignerInfo) { - IAuthToken agentToken = verifySignerInfo(authToken,cmcFullReq); + IAuthToken agentToken = verifySignerInfo(authToken, + cmcFullReq); userid = agentToken.getInString("userid"); uid = agentToken.getInString("cn"); } else { CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); } // reset value of auditSignerInfo - if( uid != null ) { + if (uid != null) { auditSignerInfo = uid.trim(); } EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - + OBJECT_IDENTIFIER id = ci.getContentType(); - if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || - !ci.hasContent()) { + if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) + || !ci.hasContent()) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); - // throw new ECMSGWException( + // throw new ECMSGWException( // CMSGWResources.NO_PKIDATA); throw new EBaseException("NO_PKIDATA"); } - + OCTET_STRING content = ci.getContent(); - - ByteArrayInputStream s = new - ByteArrayInputStream(content.toByteArray()); + + ByteArrayInputStream s = new ByteArrayInputStream( + content.toByteArray()); PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - + SEQUENCE reqSequence = pkiData.getReqSequence(); - + int numReqs = reqSequence.size(); if (numReqs == 0) { @@ -413,15 +390,14 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, if (controlSize > 0) { for (int i = 0; i < controlSize; i++) { - TaggedAttribute taggedAttribute = - (TaggedAttribute) controlSequence.elementAt(i); + TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence + .elementAt(i); OBJECT_IDENTIFIER type = taggedAttribute.getType(); - if( type.equals( - OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { + if (type.equals(OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { // if( i ==1 ) { - // taggedAttribute.getType() == - // OBJECT_IDENTIFIER.id_cmc_revokeRequest + // taggedAttribute.getType() == + // OBJECT_IDENTIFIER.id_cmc_revokeRequest // } SET values = taggedAttribute.getValues(); @@ -430,50 +406,49 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, bigIntArray = new BigInteger[numVals]; for (int j = 0; j < numVals; j++) { - // serialNumber INTEGER - + // serialNumber INTEGER + // SEQUENCE RevRequest = (SEQUENCE) - // values.elementAt(j); - byte[] encoded = ASN1Util.encode( - values.elementAt(j)); - org.mozilla.jss.asn1.ASN1Template - template = new - org.mozilla.jss.pkix.cmmf.RevRequest.Template(); - org.mozilla.jss.pkix.cmmf.RevRequest - revRequest = - (org.mozilla.jss.pkix.cmmf.RevRequest) - ASN1Util.decode(template, encoded); - + // values.elementAt(j); + byte[] encoded = ASN1Util.encode(values + .elementAt(j)); + org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmmf.RevRequest.Template(); + org.mozilla.jss.pkix.cmmf.RevRequest revRequest = (org.mozilla.jss.pkix.cmmf.RevRequest) ASN1Util + .decode(template, encoded); + // SEQUENCE RevRequest = (SEQUENCE) - // ASN1Util.decode( - // SEQUENCE.getTemplate(), - // ASN1Util.encode( - // values.elementAt(j))); + // ASN1Util.decode( + // SEQUENCE.getTemplate(), + // ASN1Util.encode( + // values.elementAt(j))); // SEQUENCE RevRequest = - // values.elementAt(j); + // values.elementAt(j); // int revReqSize = RevRequest.size(); // if( revReqSize > 3 ) { - // INTEGER serialNumber = - // new INTEGER((long)0); + // INTEGER serialNumber = + // new INTEGER((long)0); // } INTEGER temp = revRequest.getSerialNumber(); int temp2 = temp.intValue(); - + bigIntArray[j] = temp; - authToken.set(TOKEN_CERT_SERIAL,bigIntArray); - - long reasonCode = revRequest.getReason().getValue(); - Integer IntObject = Integer.valueOf((int)reasonCode); - authToken.set(REASON_CODE,IntObject); - - authToken.set("uid",uid); - authToken.set("userid",userid); + authToken.set(TOKEN_CERT_SERIAL, + bigIntArray); + + long reasonCode = revRequest.getReason() + .getValue(); + Integer IntObject = Integer + .valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + + authToken.set("uid", uid); + authToken.set("userid", userid); } } } - + } } else { // enrollment request @@ -486,52 +461,50 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, for (int i = 0; i < numReqs; i++) { // decode message. - TaggedRequest taggedRequest = - (TaggedRequest) reqSequence.elementAt(i); + TaggedRequest taggedRequest = (TaggedRequest) reqSequence + .elementAt(i); TaggedRequest.Type type = taggedRequest.getType(); if (type.equals(TaggedRequest.PKCS10)) { CMS.debug("CMCAuth: in PKCS10"); - TaggedCertificationRequest tcr = - taggedRequest.getTcr(); + TaggedCertificationRequest tcr = taggedRequest + .getTcr(); int p10Id = tcr.getBodyPartID().intValue(); reqIdArray[i] = String.valueOf(p10Id); - CertificationRequest p10 = - tcr.getCertificationRequest(); + CertificationRequest p10 = tcr + .getCertificationRequest(); // transfer to sun class - ByteArrayOutputStream ostream = - new ByteArrayOutputStream(); + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); p10.encode(ostream); try { - PKCS10 pkcs10 = - new PKCS10(ostream.toByteArray()); + PKCS10 pkcs10 = new PKCS10( + ostream.toByteArray()); // xxx do we need to do anything else? - X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); + X509CertInfo certInfo = CMS + .getDefaultX509CertInfo(); // fillPKCS10(certInfo,pkcs10,authToken,null); // authToken.set( - // pkcs10.getSubjectPublicKeyInfo()); + // pkcs10.getSubjectPublicKeyInfo()); X500Name tempName = pkcs10.getSubjectName(); // reset value of auditCertSubject - if( tempName != null ) { - auditCertSubject = - tempName.toString().trim(); - if( auditCertSubject.equals( "" ) ) { - auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; + if (tempName != null) { + auditCertSubject = tempName.toString() + .trim(); + if (auditCertSubject.equals("")) { + auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } authToken.set(AuthToken.TOKEN_CERT_SUBJECT, - tempName.toString()); + tempName.toString()); } authToken.set("uid", uid); @@ -540,67 +513,67 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, certInfoArray[i] = certInfo; } catch (Exception e) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); - //throw new ECMSGWException( - //CMSGWResources.ERROR_PKCS101, e.toString()); + // throw new ECMSGWException( + // CMSGWResources.ERROR_PKCS101, e.toString()); - e.printStackTrace(); + e.printStackTrace(); throw new EBaseException(e.toString()); } } else if (type.equals(TaggedRequest.CRMF)) { CMS.debug("CMCAuth: in CRMF"); try { - CertReqMsg crm = - taggedRequest.getCrm(); + CertReqMsg crm = taggedRequest.getCrm(); CertRequest certReq = crm.getCertReq(); INTEGER reqID = certReq.getCertReqId(); reqIdArray[i] = reqID.toString(); - CertTemplate template = certReq.getCertTemplate(); + CertTemplate template = certReq + .getCertTemplate(); Name name = template.getSubject(); // xxx do we need to do anything else? - X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); + X509CertInfo certInfo = CMS + .getDefaultX509CertInfo(); // reset value of auditCertSubject - if( name != null ) { + if (name != null) { String ss = name.getRFC1485(); auditCertSubject = ss; - if( auditCertSubject.equals( "" ) ) { - auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; + if (auditCertSubject.equals("")) { + auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, + ss); authToken.set("uid", uid); authToken.set("userid", userid); } certInfoArray[i] = certInfo; } catch (Exception e) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); - //throw new ECMSGWException( - //CMSGWResources.ERROR_PKCS101, e.toString()); + // throw new ECMSGWException( + // CMSGWResources.ERROR_PKCS101, e.toString()); e.printStackTrace(); throw new EBaseException(e.toString()); @@ -608,141 +581,129 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } // authToken.set(AgentAuthentication.CRED_CERT, new - // com.netscape.certsrv.usrgrp.Certificates( - // x509Certs)); + // com.netscape.certsrv.usrgrp.Certificates( + // x509Certs)); } } } catch (Exception e) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); - //Debug.printStackTrace(e); - throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + // Debug.printStackTrace(e); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.SUCCESS, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.SUCCESS, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); return authToken; - } catch( EMissingCredential eAudit1 ) { + } catch (EMissingCredential eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit1; - } catch( EInvalidCredentials eAudit2 ) { + } catch (EInvalidCredentials eAudit2) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit2; - } catch( EBaseException eAudit3 ) { + } catch (EBaseException eAudit3) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, ILogger.FAILURE, auditReqType, + auditCertSubject, auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit3; } } - + /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. * <p> + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { return (mConfigParams); } - + /** - * gets the configuration substore used by this authentication - * plug-in + * gets the configuration substore used by this authentication plug-in * <p> + * * @return configuration store */ public IConfigStore getConfigStore() { return mConfig; } - + /** * gets the plug-in name of this authentication plug-in. */ public String getImplName() { return mImplName; } - + /** * gets the name of this authentication plug-in instance */ public String getName() { return mName; } - + /** * get the list of required credentials. * <p> + * * @return list of required credentials as strings. */ public String[] getRequiredCreds() { return (mRequiredCreds); } - + /** * prepares for shutdown. */ public void shutdown() { } - - ///////////////////////////////// + + // /////////////////////////////// // IExtendedPluginInfo methods // - ///////////////////////////////// - + // /////////////////////////////// + /** * Activate the help system. * <p> + * * @return help messages */ public String[] getExtendedPluginInfo() { @@ -755,14 +716,15 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } return s; } - - //////////////////// + + // ////////////////// // Logger methods // - //////////////////// - + // ////////////////// + /** * Logs a message for this class in the system log file. * <p> + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -770,46 +732,48 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, protected void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, "CMC Authentication: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level, + "CMC Authentication: " + msg); } - - protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq) throws EInvalidCredentials { - + + protected IAuthToken verifySignerInfo(AuthToken authToken, + SignedData cmcFullReq) throws EInvalidCredentials { + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); OBJECT_IDENTIFIER id = ci.getContentType(); OCTET_STRING content = ci.getContent(); - + try { - ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + ByteArrayInputStream s = new ByteArrayInputStream( + content.toByteArray()); PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - + SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); int numDig = dais.size(); Hashtable digs = new Hashtable(); - //if request key is used for signing, there MUST be only one signerInfo - //object in the signedData object. + // if request key is used for signing, there MUST be only one + // signerInfo + // object in the signedData object. for (int i = 0; i < numDig; i++) { - AlgorithmIdentifier dai = - (AlgorithmIdentifier) dais.elementAt(i); - String name = - DigestAlgorithm.fromOID(dai.getOID()).toString(); - - MessageDigest md = - MessageDigest.getInstance(name); - + AlgorithmIdentifier dai = (AlgorithmIdentifier) dais + .elementAt(i); + String name = DigestAlgorithm.fromOID(dai.getOID()).toString(); + + MessageDigest md = MessageDigest.getInstance(name); + byte[] digest = md.digest(content.toByteArray()); digs.put(name, digest); } - + SET sis = cmcFullReq.getSignerInfos(); int numSis = sis.size(); - + for (int i = 0; i < numSis; i++) { - org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); - + org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis + .elementAt(i); + String name = si.getDigestAlgorithm().toString(); byte[] digest = (byte[]) digs.get(name); @@ -819,13 +783,15 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, pkiData.encode((OutputStream) ostream); digest = md.digest(ostream.toByteArray()); - + } - // signed by previously certified signature key + // signed by previously certified signature key SignerIdentifier sid = si.getSignerIdentifier(); - if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { - IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); + if (sid.getType().equals( + SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { + IssuerAndSerialNumber issuerAndSerialNumber = sid + .getIssuerAndSerialNumber(); // find from the certs in the signedData java.security.cert.X509Certificate cert = null; @@ -833,30 +799,37 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, SET certs = cmcFullReq.getCertificates(); int numCerts = certs.size(); java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; - byte[] certByteArray = new byte[0]; - for (int j = 0; j < numCerts; j++) { - Certificate certJss = (Certificate) certs.elementAt(j); + byte[] certByteArray = new byte[0]; + for (int j = 0; j < numCerts; j++) { + Certificate certJss = (Certificate) certs + .elementAt(j); CertificateInfo certI = certJss.getInfo(); Name issuer = certI.getIssuer(); - + byte[] issuerB = ASN1Util.encode(issuer); - INTEGER sn = certI.getSerialNumber(); - // if this cert is the signer cert, not a cert in the chain - if (new String(issuerB).equals(new String(ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) - && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString()) ) - { - ByteArrayOutputStream os = new - ByteArrayOutputStream(); + INTEGER sn = certI.getSerialNumber(); + // if this cert is the signer cert, not a cert in + // the chain + if (new String(issuerB) + .equals(new String(ASN1Util + .encode(issuerAndSerialNumber + .getIssuer()))) + && sn.toString().equals( + issuerAndSerialNumber + .getSerialNumber() + .toString())) { + ByteArrayOutputStream os = new ByteArrayOutputStream(); certJss.encode(os); - certByteArray = os.toByteArray(); - - X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); + certByteArray = os.toByteArray(); + + X509CertImpl tempcert = new X509CertImpl( + os.toByteArray()); cert = tempcert; x509Certs[0] = cert; - // xxx validate the cert length - + // xxx validate the cert length + } } CMS.debug("CMCAuth: start checking signature"); @@ -874,52 +847,63 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } else if (alg.equals("DSA")) { keyType = PrivateKey.DSA; } - PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); + PK11PubKey pubK = PK11PubKey.fromRaw(keyType, + ((X509Key) signKey).getKey()); CMS.debug("CMCAuth: verifying signature with public key"); si.verify(digest, id, pubK); } CMS.debug("CMCAuth: finished checking signature"); - // verify signer's certificate using the revocator - CryptoManager cm = CryptoManager.getInstance(); - if( ! cm.isCertValid( certByteArray, true,CryptoManager.CertUsage.SSLClient) ) - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - - // authenticate signer's certificate using the userdb - IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); - - IAuthManager agentAuth = authSS.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);//AGENT_AUTHMGR_ID); - IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); - - agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, x509Certs); - - IAuthToken tempToken = agentAuth.authenticate(agentCred); - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); - String CN = (String) tempPrincipal.getCommonName();//tempToken.get("userid"); - - BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); - authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT,agentCertSerial.toString()); - tempToken.set("cn",CN); + // verify signer's certificate using the revocator + CryptoManager cm = CryptoManager.getInstance(); + if (!cm.isCertValid(certByteArray, true, + CryptoManager.CertUsage.SSLClient)) + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + // authenticate signer's certificate using the userdb + IAuthSubsystem authSS = (IAuthSubsystem) CMS + .getSubsystem(CMS.SUBSYSTEM_AUTH); + + IAuthManager agentAuth = authSS + .getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);// AGENT_AUTHMGR_ID); + IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); + + agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, + x509Certs); + + IAuthToken tempToken = agentAuth + .authenticate(agentCred); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0] + .getSubjectDN(); + String CN = (String) tempPrincipal.getCommonName();// tempToken.get("userid"); + + BigInteger agentCertSerial = x509Certs[0] + .getSerialNumber(); + authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, + agentCertSerial.toString()); + tempToken.set("cn", CN); return tempToken; - + } // find from internaldb if it's ca. (ra does not have that.) // find from internaldb usrgrp info - + // find from certDB - si.verify(digest, id); - - } // + si.verify(digest, id); + + } // } - }catch (InvalidBERException e) { + } catch (InvalidBERException e) { CMS.debug("CMCAuth: " + e.toString()); } catch (IOException e) { CMS.debug("CMCAuth: " + e.toString()); } catch (Exception e) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } return (IAuthToken) null; - + } public String[] getExtendedPluginInfo(Locale locale) { @@ -929,22 +913,20 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** * Retrieves the localizable name of this policy. */ - public String getName(Locale locale) - { + public String getName(Locale locale) { return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); } /** * Retrieves the localizable description of this policy. */ - public String getText(Locale locale) - { + public String getText(Locale locale) { return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); } @@ -962,19 +944,18 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { if (name.equals(CRED_CMC)) { return new Descriptor(IDescriptor.STRING_LIST, null, null, - "CMC request"); + "CMC request"); } return null; } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); } @@ -985,10 +966,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -999,20 +980,17 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } /** * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. + * + * This method is called to obtain the "SubjectID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ private String auditSubjectID() { @@ -1027,8 +1005,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); + subjectID = (String) auditContext.get(SessionContext.USER_ID); if (subjectID != null) { subjectID = subjectID.trim(); @@ -1042,4 +1019,3 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, return subjectID; } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java index 950120399..975a81dac 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java +++ b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java @@ -17,151 +17,92 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - public class Crypt { // Static data: - static byte[] - IP = // Initial permutation - { - 58, 50, 42, 34, 26, 18, 10, 2, - 60, 52, 44, 36, 28, 20, 12, 4, - 62, 54, 46, 38, 30, 22, 14, 6, - 64, 56, 48, 40, 32, 24, 16, 8, - 57, 49, 41, 33, 25, 17, 9, 1, - 59, 51, 43, 35, 27, 19, 11, 3, - 61, 53, 45, 37, 29, 21, 13, 5, - 63, 55, 47, 39, 31, 23, 15, 7 - }, - FP = // Final permutation, FP = IP^(-1) - { - 40, 8, 48, 16, 56, 24, 64, 32, - 39, 7, 47, 15, 55, 23, 63, 31, - 38, 6, 46, 14, 54, 22, 62, 30, - 37, 5, 45, 13, 53, 21, 61, 29, - 36, 4, 44, 12, 52, 20, 60, 28, - 35, 3, 43, 11, 51, 19, 59, 27, - 34, 2, 42, 10, 50, 18, 58, 26, - 33, 1, 41, 9, 49, 17, 57, 25 - }, - // Permuted-choice 1 from the key bits to yield C and D. - // Note that bits 8,16... are left out: - // They are intended for a parity check. - PC1_C = - { - 57, 49, 41, 33, 25, 17, 9, - 1, 58, 50, 42, 34, 26, 18, - 10, 2, 59, 51, 43, 35, 27, - 19, 11, 3, 60, 52, 44, 36 - }, - PC1_D = - { - 63, 55, 47, 39, 31, 23, 15, - 7, 62, 54, 46, 38, 30, 22, - 14, 6, 61, 53, 45, 37, 29, - 21, 13, 5, 28, 20, 12, 4 - }, - shifts = // Sequence of shifts used for the key schedule. - { - 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 - }, - // Permuted-choice 2, to pick out the bits from - // the CD array that generate the key schedule. - PC2_C = - { - 14, 17, 11, 24, 1, 5, - 3, 28, 15, 6, 21, 10, - 23, 19, 12, 4, 26, 8, - 16, 7, 27, 20, 13, 2 - }, - PC2_D = - { - 41, 52, 31, 37, 47, 55, - 30, 40, 51, 45, 33, 48, - 44, 49, 39, 56, 34, 53, - 46, 42, 50, 36, 29, 32 - }, - e2 = // The E-bit selection table. (see E below) - { - 32, 1, 2, 3, 4, 5, - 4, 5, 6, 7, 8, 9, - 8, 9, 10, 11, 12, 13, - 12, 13, 14, 15, 16, 17, - 16, 17, 18, 19, 20, 21, - 20, 21, 22, 23, 24, 25, - 24, 25, 26, 27, 28, 29, - 28, 29, 30, 31, 32, 1 - }, - // P is a permutation on the selected combination of - // the current L and key. - P = - { - 16, 7, 20, 21, - 29, 12, 28, 17, - 1, 15, 23, 26, - 5, 18, 31, 10, - 2, 8, 24, 14, - 32, 27, 3, 9, - 19, 13, 30, 6, - 22, 11, 4, 25 - }; - // The 8 selection functions. For some reason, they gave a 0-origin + static byte[] IP = // Initial permutation + { 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, + 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, + 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, + 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 }, + FP = // Final permutation, FP = IP^(-1) + { 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, + 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, + 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, + 57, 25 }, + // Permuted-choice 1 from the key bits to yield C and D. + // Note that bits 8,16... are left out: + // They are intended for a parity check. + PC1_C = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, + 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36 }, + PC1_D = { 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 }, + shifts = // Sequence of shifts used for the key schedule. + { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 }, + // Permuted-choice 2, to pick out the bits from + // the CD array that generate the key schedule. + PC2_C = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, + 4, 26, 8, 16, 7, 27, 20, 13, 2 }, PC2_D = { 41, 52, 31, 37, + 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, + 42, 50, 36, 29, 32 }, e2 = // The E-bit selection table. + // (see E below) + { 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, + 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, + 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1 }, + // P is a permutation on the selected combination of + // the current L and key. + P = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, + 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 }; + // The 8 selection functions. For some reason, they gave a 0-origin // index, unlike everything else. - static byte[][] S = - { - { - 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, - 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, - 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, - 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 - }, { - 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, - 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, - 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, - 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 - }, { - 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, - 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, - 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, - 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 - }, { - 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, - 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, - 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, - 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 - }, { - 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, - 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, - 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, - 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 - }, { - 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, - 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, - 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, - 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 - }, { - 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, - 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, - 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, - 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 - }, { - 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, - 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, - 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, - 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 - } - }; + static byte[][] S = { + { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, + 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, + 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, + 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 }, + { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, + 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, + 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, + 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 }, + { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, + 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, + 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, + 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 }, + { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, + 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, + 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, + 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 }, + { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, + 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, + 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, + 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 }, + { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, + 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, + 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, + 10, 11, 14, 1, 7, 6, 0, 8, 13 }, + { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, + 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, + 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, + 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 }, + { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, + 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, + 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, + 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } }; // Dynamic data: - byte[] C = new byte[28], // The C and D arrays used to - D = new byte[28], // calculate the key schedule. - E = new byte[48], // The E bit-selection table. - L = new byte[32], // The current block, - R = new byte[32], // divided into two halves. - tempL = new byte[32], - f = new byte[32], - preS = new byte[48]; // The combination of the key and + byte[] C = new byte[28], // The C and D arrays used to + D = new byte[28], // calculate the key schedule. + E = new byte[48], // The E bit-selection table. + L = new byte[32], // The current block, + R = new byte[32], // divided into two halves. + tempL = new byte[32], f = new byte[32], preS = new byte[48]; // The + // combination + // of + // the + // key + // and // the input, before selection. - // The key schedule. Generated from the key. + // The key schedule. Generated from the key. byte[][] KS = new byte[16][48]; // Object fields: @@ -169,17 +110,17 @@ public class Crypt { // Public methods: /** - * Create Crypt object with no passwd or salt set. Must use setPasswd() - * and setSalt() before getEncryptedPasswd(). + * Create Crypt object with no passwd or salt set. Must use setPasswd() and + * setSalt() before getEncryptedPasswd(). */ public Crypt() { Passwd = Salt = Encrypt = ""; } /** - * Create a Crypt object with specified salt. Use setPasswd() before + * Create a Crypt object with specified salt. Use setPasswd() before * getEncryptedPasswd(). - * + * * @param salt the salt string for encryption */ public Crypt(String salt) { @@ -189,10 +130,9 @@ public class Crypt { } /** - * Create a Crypt object with specified passwd and salt (often the - * already encypted passwd). Get the encrypted result with - * getEncryptedPasswd(). - * + * Create a Crypt object with specified passwd and salt (often the already + * encypted passwd). Get the encrypted result with getEncryptedPasswd(). + * * @param passwd the passwd to encrypt * @param salt the salt string for encryption */ @@ -204,7 +144,7 @@ public class Crypt { /** * Retrieve the passwd string currently being encrypted. - * + * * @return the current passwd string */ public String getPasswd() { @@ -213,7 +153,7 @@ public class Crypt { /** * Retrieve the salt string currently being used for encryption. - * + * * @return the current salt string */ public String getSalt() { @@ -221,9 +161,9 @@ public class Crypt { } /** - * Retrieve the resulting encrypted string from the current passwd and - * salt settings. - * + * Retrieve the resulting encrypted string from the current passwd and salt + * settings. + * * @return the encrypted passwd */ public String getEncryptedPasswd() { @@ -231,9 +171,9 @@ public class Crypt { } /** - * Set a new passwd string for encryption. Use getEncryptedPasswd() to + * Set a new passwd string for encryption. Use getEncryptedPasswd() to * retrieve the new result. - * + * * @param passwd the new passwd string */ public void setPasswd(String passwd) { @@ -242,9 +182,9 @@ public class Crypt { } /** - * Set a new salt string for encryption. Use getEncryptedPasswd() to + * Set a new salt string for encryption. Use getEncryptedPasswd() to * retrieve the new result. - * + * * @param salt the new salt string */ public void setSalt(String salt) { @@ -254,19 +194,18 @@ public class Crypt { // Internal crypt methods: String crypt() { - if (Salt.length() == 0) return ""; + if (Salt.length() == 0) + return ""; int i, j, pwi; byte c, temp; - byte[] block = new byte[66], - iobuf = new byte[16], - salt = new byte[2], - pw = Passwd.getBytes(), //jdk1.1 - saltbytes = Salt.getBytes(); //jdk1.1 + byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = Passwd + .getBytes(), // jdk1.1 + saltbytes = Salt.getBytes(); // jdk1.1 - // pw = new byte[Passwd.length()], //jdk1.0.2 - // saltbytes = new byte[Salt.length()]; //jdk1.0.2 - //Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2 - //Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2 + // pw = new byte[Passwd.length()], //jdk1.0.2 + // saltbytes = new byte[Salt.length()]; //jdk1.0.2 + // Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2 + // Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2 salt[0] = saltbytes[0]; salt[1] = (saltbytes.length > 1) ? saltbytes[1] : 0; @@ -288,8 +227,10 @@ public class Crypt { for (i = 0; i < 2; i++) { c = salt[i]; iobuf[i] = c; - if (c > 'Z') c -= 6; - if (c > '9') c -= 7; + if (c > 'Z') + c -= 6; + if (c > '9') + c -= 7; c -= '.'; for (j = 0; j < 6; j++) { if (((c >> j) & 1) != 0) { @@ -311,8 +252,10 @@ public class Crypt { c |= block[6 * i + j]; } c += '.'; - if (c > '9') c += 7; - if (c > 'Z') c += 6; + if (c > '9') + c += 7; + if (c > 'Z') + c += 6; iobuf[i + 2] = c; } @@ -320,16 +263,16 @@ public class Crypt { if (iobuf[1] == 0) iobuf[1] = iobuf[0]; - return new String(iobuf); //jdk1.1 - //return new String(iobuf,0); //jdk1.0.2 + return new String(iobuf); // jdk1.1 + // return new String(iobuf,0); //jdk1.0.2 } - void setkey(byte[] key) // Set up the key schedule from the key. + void setkey(byte[] key) // Set up the key schedule from the key. { int i, j, k; byte t; - // First, generate C and D by permuting the key. The low order bit + // First, generate C and D by permuting the key. The low order bit // of each 8-bit char is not used, so C and D are only 28 bits apiece. for (i = 0; i < 28; i++) { C[i] = key[PC1_C[i] - 1]; @@ -369,41 +312,38 @@ public class Crypt { byte k; // First, permute the bits in the input - //for (j = 0; j < 64; j++) - //{ - // L[j] = block[IP[j]-1]; - //} + // for (j = 0; j < 64; j++) + // { + // L[j] = block[IP[j]-1]; + // } for (j = 0; j < 32; j++) L[j] = block[IP[j] - 1]; for (j = 32; j < 64; j++) R[j - 32] = block[IP[j] - 1]; - // Perform an encryption operation 16 times. + // Perform an encryption operation 16 times. for (ii = 0; ii < 16; ii++) { i = ii; // Save the R array, which will be the new L. for (j = 0; j < 32; j++) tempL[j] = R[j]; - // Expand R to 48 bits using the E selector; - // exclusive-or with the current key bits. + // Expand R to 48 bits using the E selector; + // exclusive-or with the current key bits. for (j = 0; j < 48; j++) preS[j] = (byte) (R[E[j] - 1] ^ KS[i][j]); - // The pre-select bits are now considered in 8 groups of - // 6 bits each. The 8 selection functions map these 6-bit - // quantities into 4-bit quantities and the results permuted - // to make an f(R, K). The indexing into the selection functions - // is peculiar; it could be simplified by rewriting the tables. + // The pre-select bits are now considered in 8 groups of + // 6 bits each. The 8 selection functions map these 6-bit + // quantities into 4-bit quantities and the results permuted + // to make an f(R, K). The indexing into the selection functions + // is peculiar; it could be simplified by rewriting the tables. for (j = 0; j < 8; j++) { t = 6 * j; - k = S[j][ (preS[t ] << 5) + - (preS[t + 1] << 3) + - (preS[t + 2] << 2) + - (preS[t + 3] << 1) + - (preS[t + 4]) + - (preS[t + 5] << 4) ]; + k = S[j][(preS[t] << 5) + (preS[t + 1] << 3) + + (preS[t + 2] << 2) + (preS[t + 3] << 1) + + (preS[t + 4]) + (preS[t + 5] << 4)]; t = 4 * j; - f[t ] = (byte) ((k >> 3) & 1); + f[t] = (byte) ((k >> 3) & 1); f[t + 1] = (byte) ((k >> 2) & 1); f[t + 2] = (byte) ((k >> 1) & 1); f[t + 3] = (byte) ((k) & 1); @@ -430,7 +370,7 @@ public class Crypt { // The final output gets the inverse permutation of the very original. for (j = 0; j < 64; j++) { - //block[j] = L[FP[j]-1]; + // block[j] = L[FP[j]-1]; block[j] = (FP[j] > 32) ? R[FP[j] - 33] : L[FP[j] - 1]; } } diff --git a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java index 1f2eb69ad..a00cc3769 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java +++ b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.io.IOException; import java.io.PushbackReader; import java.io.StringReader; @@ -28,24 +27,27 @@ import netscape.ldap.LDAPEntry; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.base.EBaseException; - /** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn.<p> + * class for parsing a DN pattern used to construct a certificate subject name + * from ldap attributes and dn. + * <p> * - * dnpattern is a string representing a subject name pattern to formulate from - * the directory attributes and entry dn. If empty or not set, the - * ldap entry DN will be used as the certificate subject name. <p> + * dnpattern is a string representing a subject name pattern to formulate from + * the directory attributes and entry dn. If empty or not set, the ldap entry DN + * will be used as the certificate subject name. + * <p> + * + * The syntax is * - * The syntax is * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] + * dnPattern := rdnPattern *[ "," rdnPattern ] + * rdnPattern := avaPattern *[ "+" avaPattern ] * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number + * name "=" "$attr" "." attrName [ "." attrNumber ] | + * name "=" "$dn" "." attrName [ "." attrNumber ] | + * "$dn" "." "$rdn" "." number * </pre> + * * <pre> * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org @@ -72,11 +74,12 @@ import com.netscape.certsrv.base.EBaseException; * E = the first 'mail' ldap attribute value in user's entry. <br> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> + * * <pre> * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org @@ -101,15 +104,16 @@ import com.netscape.certsrv.base.EBaseException; * <p> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> - * If an attribute or subject DN component does not exist the attribute - * is skipped. - * + * + * If an attribute or subject DN component does not exist the attribute is + * skipped. + * * @version $Revision$, $Date$ */ public class DNPattern { @@ -125,15 +129,15 @@ public class DNPattern { protected String mTestDN = null; - /** + /** * Construct a DN pattern by parsing a pattern string. + * * @param pattern the DN pattern - * @exception EBaseException If parsing error occurs. + * @exception EBaseException If parsing error occurs. */ - public DNPattern(String pattern) - throws EAuthException { + public DNPattern(String pattern) throws EAuthException { if (pattern == null || pattern.equals("")) { - // create an attribute list that is the dn. + // create an attribute list that is the dn. mLdapAttrs = new String[] { "dn" }; } else { mPatternString = pattern; @@ -143,13 +147,11 @@ public class DNPattern { } } - public DNPattern(PushbackReader in) - throws EAuthException { + public DNPattern(PushbackReader in) throws EAuthException { parse(in); } - private void parse(PushbackReader in) - throws EAuthException { + private void parse(PushbackReader in) throws EAuthException { Vector rdnPatterns = new Vector(); RDNPattern rdnPattern = null; int lastChar = -1; @@ -160,10 +162,10 @@ public class DNPattern { try { lastChar = in.read(); } catch (IOException e) { - throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()); + throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", + e.toString()); } - } - while (lastChar == ','); + } while (lastChar == ','); mRDNPatterns = new RDNPattern[rdnPatterns.size()]; rdnPatterns.copyInto(mRDNPatterns); @@ -173,8 +175,8 @@ public class DNPattern { for (int i = 0; i < mRDNPatterns.length; i++) { String[] rdnAttrs = mRDNPatterns[i].getLdapAttrs(); - if (rdnAttrs != null && rdnAttrs.length > 0) - for (int j = 0; j < rdnAttrs.length; j++) + if (rdnAttrs != null && rdnAttrs.length > 0) + for (int j = 0; j < rdnAttrs.length; j++) ldapAttrs.addElement(rdnAttrs[j]); } mLdapAttrs = new String[ldapAttrs.size()]; @@ -183,11 +185,11 @@ public class DNPattern { /** * Form a Ldap v3 DN string from results of a ldap search. + * * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. + * @return Ldap v3 DN string to use for a subject name. */ - public String formDN(LDAPEntry entry) - throws EAuthException { + public String formDN(LDAPEntry entry) throws EAuthException { StringBuffer formedDN = new StringBuffer(); for (int i = 0; i < mRDNPatterns.length; i++) { @@ -197,13 +199,13 @@ public class DNPattern { if (rdn != null) { if (rdn != null && rdn.length() != 0) { - if (formedDN.length() != 0) + if (formedDN.length() != 0) formedDN.append(","); formedDN.append(rdn); } } } - //System.out.println("formed DN "+formedDN.toString()); + // System.out.println("formed DN "+formedDN.toString()); return formedDN.toString(); } diff --git a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java index 3260af6e7..02e458bc3 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.io.IOException; import java.security.cert.CertificateException; @@ -57,29 +56,28 @@ import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.util.Utils; - /** - * Abstract class for directory based authentication managers - * Uses a pattern for formulating subject names. - * The pattern is read from configuration file. + * Abstract class for directory based authentication managers Uses a pattern for + * formulating subject names. The pattern is read from configuration file. * Syntax of the pattern is described in the init() method. * * <P> + * * @version $Revision$, $Date$ */ -public abstract class DirBasedAuthentication - implements IAuthManager, IExtendedPluginInfo { +public abstract class DirBasedAuthentication implements IAuthManager, + IExtendedPluginInfo { - protected static final String USER_DN = "userDN"; + protected static final String USER_DN = "userDN"; /* configuration parameter keys */ - protected static final String PROP_LDAP = "ldap"; - protected static final String PROP_BASEDN = "basedn"; - protected static final String PROP_DNPATTERN = "dnpattern"; + protected static final String PROP_LDAP = "ldap"; + protected static final String PROP_BASEDN = "basedn"; + protected static final String PROP_DNPATTERN = "dnpattern"; protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes"; protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes"; - // members + // members /* name of this authentication manager instance */ protected String mName = null; @@ -105,52 +103,57 @@ public abstract class DirBasedAuthentication /* the subject DN pattern */ protected DNPattern mPattern = null; - /* the list of LDAP attributes with string values to retrieve to - * save in the auth token including ones from the dn pattern. */ + /* + * the list of LDAP attributes with string values to retrieve to save in the + * auth token including ones from the dn pattern. + */ protected String[] mLdapStringAttrs = null; - /* the list of LDAP attributes with byte[] values to retrive to save - * in authtoken. */ + /* + * the list of LDAP attributes with byte[] values to retrive to save in + * authtoken. + */ protected String[] mLdapByteAttrs = null; - /* the combined list of LDAP attriubutes to retrieve*/ + /* the combined list of LDAP attriubutes to retrieve */ protected String[] mLdapAttrs = null; /* default dn pattern if left blank or not set in the config */ - protected static String DEFAULT_DNPATTERN = - "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; + protected static String DEFAULT_DNPATTERN = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; /* Vector of extendedPluginInfo strings */ protected static Vector mExtendedPluginInfo = null; static { mExtendedPluginInfo = new Vector(); - mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" + - " Subject Name. ($dn.xxx - get value from user's LDAP " + - "DN. $attr.yyy - get value from LDAP attributes in " + - "user's entry.) Default: " + DEFAULT_DNPATTERN); - mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" + - "Comma-separated list of LDAP attributes to copy from " + - "the user's LDAP entry into the AuthToken. e.g use " + - "'mail' to copy user's email address for subjectAltName"); - mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" + - "Comma-separated list of binary LDAP attributes to copy" + - " from the user's LDAP entry into the AuthToken"); - mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + - "LDAP host to connect to"); - mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + - "LDAP port number (use 389, or 636 if SSL)"); - mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + - "Use SSL to connect to directory?"); - mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + - "LDAP protocol version"); - mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here"); - mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + - "to keep open to directory server. Default 5."); - mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " + - "pool can grow to this many (multiplexed) connections. Default 1000."); + mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" + + " Subject Name. ($dn.xxx - get value from user's LDAP " + + "DN. $attr.yyy - get value from LDAP attributes in " + + "user's entry.) Default: " + DEFAULT_DNPATTERN); + mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" + + "Comma-separated list of LDAP attributes to copy from " + + "the user's LDAP entry into the AuthToken. e.g use " + + "'mail' to copy user's email address for subjectAltName"); + mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" + + "Comma-separated list of binary LDAP attributes to copy" + + " from the user's LDAP entry into the AuthToken"); + mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + + "LDAP host to connect to"); + mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + + "LDAP port number (use 389, or 636 if SSL)"); + mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + + "Use SSL to connect to directory?"); + mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + + "LDAP protocol version"); + mExtendedPluginInfo + .add("ldap.basedn;string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here"); + mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + + "to keep open to directory server. Default 5."); + mExtendedPluginInfo + .add("ldap.maxConns;number;when needed, connection " + + "pool can grow to this many (multiplexed) connections. Default 1000."); } /** @@ -163,24 +166,26 @@ public abstract class DirBasedAuthentication * Initializes the UidPwdDirBasedAuthentication auth manager. * * Takes the following configuration parameters: <br> + * * <pre> - * ldap.basedn - the ldap base dn. - * ldap.ldapconn.host - the ldap host. - * ldap.ldapconn.port - the ldap port - * ldap.ldapconn.secureConn - whether port should be secure - * ldap.minConns - minimum connections - * ldap.maxConns - max connections - * dnpattern - dn pattern. + * ldap.basedn - the ldap base dn. + * ldap.ldapconn.host - the ldap host. + * ldap.ldapconn.port - the ldap port + * ldap.ldapconn.secureConn - whether port should be secure + * ldap.minConns - minimum connections + * ldap.maxConns - max connections + * dnpattern - dn pattern. * </pre> * <p> - * <i><b>dnpattern</b></i> is a string representing a subject name pattern - * to formulate from the directory attributes and entry dn. If empty or - * not set, the ldap entry DN will be used as the certificate subject name. + * <i><b>dnpattern</b></i> is a string representing a subject name pattern + * to formulate from the directory attributes and entry dn. If empty or not + * set, the ldap entry DN will be used as the certificate subject name. * <p> - * The syntax is + * The syntax is + * * <pre> * dnpattern = SubjectNameComp *[ "," SubjectNameComp ] - * + * * SubjectNameComponent = DnComp | EntryComp | ConstantComp * DnComp = CertAttr "=" "$dn" "." DnAttr "." Num * EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num @@ -190,11 +195,12 @@ public abstract class DirBasedAuthentication * CertAttr = a Component in the Certificate Subject Name * (multiple AVA in one RDN not supported) * Num = the nth value of tha attribute in the dn or entry. - * Constant = Constant String, with any accepted ldap string value. + * Constant = Constant String, with any accepted ldap string value. * * </pre> * <p> * <b>Example:</b> + * * <pre> * dnpattern: * E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US @@ -213,6 +219,7 @@ public abstract class DirBasedAuthentication * </pre> * <p> * The subject name formulated in the cert will be : <br> + * * <pre> * E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US * @@ -229,28 +236,32 @@ public abstract class DirBasedAuthentication * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { init(name, implName, config, true); } - public void init(String name, String implName, IConfigStore config, boolean needBaseDN) - throws EBaseException { + public void init(String name, String implName, IConfigStore config, + boolean needBaseDN) throws EBaseException { mName = name; mImplName = implName; mConfig = config; /* initialize ldap server configuration */ mLdapConfig = mConfig.getSubStore(PROP_LDAP); - if (needBaseDN) mBaseDN = mLdapConfig.getString(PROP_BASEDN); - if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals("")))) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); + if (needBaseDN) + mBaseDN = mLdapConfig.getString(PROP_BASEDN); + if (needBaseDN + && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN + .trim().equals("")))) + throw new EPropertyNotFound(CMS.getUserMessage( + "CMS_BASE_GET_PROPERTY_FAILED", "basedn")); mConnFactory = CMS.getLdapAnonConnFactory(); mConnFactory.init(mLdapConfig); /* initialize dn pattern */ String pattern = mConfig.getString(PROP_DNPATTERN, null); - if (pattern == null || pattern.length() == 0) + if (pattern == null || pattern.length() == 0) pattern = DEFAULT_DNPATTERN; mPattern = new DNPattern(pattern); String[] patternLdapAttrs = mPattern.getLdapAttrs(); @@ -261,15 +272,15 @@ public abstract class DirBasedAuthentication if (ldapStringAttrs == null) { mLdapStringAttrs = patternLdapAttrs; } else { - StringTokenizer pAttrs = - new StringTokenizer(ldapStringAttrs, ",", false); + StringTokenizer pAttrs = new StringTokenizer(ldapStringAttrs, ",", + false); int begin = 0; if (patternLdapAttrs != null && patternLdapAttrs.length > 0) { - mLdapStringAttrs = new String[ - patternLdapAttrs.length + pAttrs.countTokens()]; - System.arraycopy(patternLdapAttrs, 0, - mLdapStringAttrs, 0, patternLdapAttrs.length); + mLdapStringAttrs = new String[patternLdapAttrs.length + + pAttrs.countTokens()]; + System.arraycopy(patternLdapAttrs, 0, mLdapStringAttrs, 0, + patternLdapAttrs.length); begin = patternLdapAttrs.length; } else { mLdapStringAttrs = new String[pAttrs.countTokens()]; @@ -285,22 +296,21 @@ public abstract class DirBasedAuthentication if (ldapByteAttrs == null) { mLdapByteAttrs = new String[0]; } else { - StringTokenizer byteAttrs = - new StringTokenizer(ldapByteAttrs, ",", false); + StringTokenizer byteAttrs = new StringTokenizer(ldapByteAttrs, ",", + false); mLdapByteAttrs = new String[byteAttrs.countTokens()]; - for (int j = 0; j < mLdapByteAttrs.length; j++) { + for (int j = 0; j < mLdapByteAttrs.length; j++) { mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim(); } } /* make the combined list */ - mLdapAttrs = - new String[mLdapStringAttrs.length + mLdapByteAttrs.length]; - System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, - 0, mLdapStringAttrs.length); - System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, - mLdapStringAttrs.length, mLdapByteAttrs.length); + mLdapAttrs = new String[mLdapStringAttrs.length + mLdapByteAttrs.length]; + System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, 0, + mLdapStringAttrs.length); + System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, + mLdapStringAttrs.length, mLdapByteAttrs.length); log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE")); } @@ -320,21 +330,22 @@ public abstract class DirBasedAuthentication } /** - * Authenticates user through LDAP by a set of credentials. - * Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo + * Authenticates user through LDAP by a set of credentials. Resulting + * AuthToken a TOKEN_CERTINFO field of a X509CertInfo * <p> + * * @param authCred Authentication credentials, CRED_UID and CRED_PWD. * @return A AuthToken with a TOKEN_SUBJECT of X500name type. - * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. - * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. - * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. + * @exception com.netscape.certsrv.authentication.EMissingCredential If a + * required authentication credential is missing. + * @exception com.netscape.certsrv.authentication.EInvalidCredentials If + * credentials failed authentication. + * @exception com.netscape.certsrv.base.EBaseException If an internal error + * occurred. * @see com.netscape.certsrv.authentication.AuthToken */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { + throws EMissingCredential, EInvalidCredentials, EBaseException { String userdn = null; LDAPConnection conn = null; AuthToken authToken = new AuthToken(this); @@ -359,29 +370,31 @@ public abstract class DirBasedAuthentication // set subject name. try { - CertificateSubjectName subjectname = (CertificateSubjectName) - certInfo.get(X509CertInfo.SUBJECT); + CertificateSubjectName subjectname = (CertificateSubjectName) certInfo + .get(X509CertInfo.SUBJECT); if (subjectname != null) - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, - subjectname.toString()); + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, + subjectname.toString()); } // error means it's not set. catch (CertificateException e) { } catch (IOException e) { } - // set validity if any + // set validity if any try { - CertificateValidity validity = (CertificateValidity) - certInfo.get(X509CertInfo.VALIDITY); + CertificateValidity validity = (CertificateValidity) certInfo + .get(X509CertInfo.VALIDITY); if (validity != null) { - // the gets throws IOException but only if attribute - // not recognized. In these cases they are always. - authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE, - (Date)validity.get(CertificateValidity.NOT_BEFORE)); - authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, - (Date)validity.get(CertificateValidity.NOT_AFTER)); + // the gets throws IOException but only if attribute + // not recognized. In these cases they are always. + authToken + .set(AuthToken.TOKEN_CERT_NOTBEFORE, + (Date) validity + .get(CertificateValidity.NOT_BEFORE)); + authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, + (Date) validity.get(CertificateValidity.NOT_AFTER)); } } // error means it's not set. catch (CertificateException e) { @@ -390,8 +403,8 @@ public abstract class DirBasedAuthentication // set extensions if any. try { - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); if (extensions != null) authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions); @@ -401,7 +414,7 @@ public abstract class DirBasedAuthentication } } finally { - if (conn != null) + if (conn != null) mConnFactory.returnConn(conn); } @@ -410,15 +423,16 @@ public abstract class DirBasedAuthentication /** * get the list of required credentials. + * * @return list of required credentials as strings. */ public abstract String[] getRequiredCreds(); /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public abstract String[] getConfigParams(); @@ -434,12 +448,14 @@ public abstract class DirBasedAuthentication } } catch (ELdapException e) { // ignore - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString())); } } /** * Gets the configuration substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -452,11 +468,10 @@ public abstract class DirBasedAuthentication * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected abstract String authenticate( - LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) - throws EBaseException; + protected abstract String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, AuthToken token) throws EBaseException; /** * Formulate the cert info. @@ -465,36 +480,34 @@ public abstract class DirBasedAuthentication * @param userdn The user's dn. * @param certinfo A certinfo object to fill. * @param token A authentication token to fill. - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected void formCertInfo(LDAPConnection conn, - String userdn, - X509CertInfo certinfo, - AuthToken token) - throws EBaseException { + protected void formCertInfo(LDAPConnection conn, String userdn, + X509CertInfo certinfo, AuthToken token) throws EBaseException { String dn = null; // get ldap attributes to retrieve. String[] attrs = getLdapAttrs(); - // retrieve the attributes. + // retrieve the attributes. try { if (conn != null) { LDAPEntry entry = null; - LDAPSearchResults results = - conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", - attrs, false); + LDAPSearchResults results = conn.search(userdn, + LDAPv2.SCOPE_BASE, "objectclass=*", attrs, false); if (!results.hasMoreElements()) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR")); - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR")); + throw new EAuthException( + CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND")); } entry = results.next(); - // formulate the subject dn + // formulate the subject dn try { dn = formSubjectName(entry); } catch (EBaseException e) { - //e.printStackTrace(); + // e.printStackTrace(); throw e; } // Put selected values from the entry into the token @@ -504,64 +517,73 @@ public abstract class DirBasedAuthentication } // add anything else in cert info such as validity, extensions - // (nothing now) + // (nothing now) // pack the dn into X500name and set subject name. if (dn.length() == 0) { - EBaseException ex = - new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); + EBaseException ex = new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMS_AUTH_NO_DN_ERROR", ex.toString())); throw ex; } X500Name subjectdn = new X500Name(dn); - certinfo.set(X509CertInfo.SUBJECT, - new CertificateSubjectName(subjectdn)); + certinfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName( + subjectdn)); } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.SERVER_DOWN: - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); + case LDAPException.SERVER_DOWN: + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR")); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); case LDAPException.NO_SUCH_OBJECT: case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_USER_ENTRY_ERROR", userdn)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMS_AUTH_NO_USER_ENTRY_ERROR", userdn)); // fall to below. default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString())); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage())); - throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage())); + throw new EFormSubjectDN( + CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage())); - throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage())); + throw new EFormSubjectDN( + CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR")); } } /** - * Copy values from the LDAPEntry into the AuthToken. The - * list of values that should be store this way is given in - * a the ldapAttributes configuration parameter. + * Copy values from the LDAPEntry into the AuthToken. The list of values + * that should be store this way is given in a the ldapAttributes + * configuration parameter. */ protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) { for (int i = 0; i < mLdapStringAttrs.length; i++) setAuthTokenStringValue(mLdapStringAttrs[i], e, tok); - for (int j = 0; j < mLdapByteAttrs.length; j++) + for (int j = 0; j < mLdapByteAttrs.length; j++) setAuthTokenByteValue(mLdapByteAttrs[j], e, tok); } - protected void setAuthTokenStringValue( - String name, LDAPEntry entry, AuthToken tok) { + protected void setAuthTokenStringValue(String name, LDAPEntry entry, + AuthToken tok) { LDAPAttribute values = entry.getAttribute(name); - if (values == null) return; + if (values == null) + return; Vector v = new Vector(); Enumeration e = values.getStringValues(); @@ -577,11 +599,12 @@ public abstract class DirBasedAuthentication tok.set(name, a); } - protected void setAuthTokenByteValue( - String name, LDAPEntry entry, AuthToken tok) { + protected void setAuthTokenByteValue(String name, LDAPEntry entry, + AuthToken tok) { LDAPAttribute values = entry.getAttribute(name); - if (values == null) return; + if (values == null) + return; Vector v = new Vector(); Enumeration e = values.getByteValues(); @@ -600,6 +623,7 @@ public abstract class DirBasedAuthentication /** * Return a list of LDAP attributes with String values to retrieve. * Subclasses can override to return any set of attributes. + * * @return Array of LDAP attributes to retrieve from the directory. */ protected String[] getLdapAttrs() { @@ -609,6 +633,7 @@ public abstract class DirBasedAuthentication /** * Return a list of LDAP attributes with byte[] values to retrieve. * Subclasses can override to return any set of attributes. + * * @return Array of LDAP attributes to retrieve from the directory. */ protected String[] getLdapByteAttrs() { @@ -616,22 +641,20 @@ public abstract class DirBasedAuthentication } /** - * Formulate the subject name + * Formulate the subject name + * * @param entry The LDAP entry * @return The subject name string. * @exception EBaseException If an internal error occurs. */ - protected String formSubjectName(LDAPEntry entry) - throws EAuthException { - if (mPattern.mPatternString == null) + protected String formSubjectName(LDAPEntry entry) throws EAuthException { + if (mPattern.mPatternString == null) return entry.getDN(); - - /* - if (mTestDNString != null) { - mPattern.mTestDN = mTestDNString; - //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); - } - */ + + /* + * if (mTestDNString != null) { mPattern.mTestDN = mTestDNString; + * //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); } + */ String dn = mPattern.formDN(entry); @@ -641,6 +664,7 @@ public abstract class DirBasedAuthentication /** * Logs a message for this class in the system log file. + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -648,16 +672,15 @@ public abstract class DirBasedAuthentication protected void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level, + msg); } public String[] getExtendedPluginInfo(Locale locale) { String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); return s; - + } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java index ab59c499d..67092c298 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java +++ b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.io.BufferedReader; import java.io.BufferedWriter; @@ -49,15 +48,13 @@ import com.netscape.certsrv.profile.IProfileAuthenticator; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** - * This represents the authentication manager that authenticates - * user against a file where id, and password are stored. + * This represents the authentication manager that authenticates user against a + * file where id, and password are stored. * * @version $Revision$, $Date$ */ -public class FlatFileAuth - implements IProfileAuthenticator, IExtendedPluginInfo { +public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo { /* configuration parameter keys */ protected static final String PROP_FILENAME = "fileName"; @@ -66,39 +63,36 @@ public class FlatFileAuth protected static final String PROP_DEFERONFAILURE = "deferOnFailure"; protected String mFilename = "config/pwfile"; - protected long mFileLastRead = 0; + protected long mFileLastRead = 0; protected String mKeyAttributes = "UID"; protected String mAuthAttrs = "PWD"; protected boolean mDeferOnFailure = true; private static final String DATE_PATTERN = "yyyy-MM-dd-HH-mm-ss"; - private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN); + private static SimpleDateFormat mDateFormat = new SimpleDateFormat( + DATE_PATTERN); - protected static String[] mConfigParams = - new String[] { - PROP_FILENAME, - PROP_KEYATTRIBUTES, - PROP_AUTHATTRS, - PROP_DEFERONFAILURE - }; + protected static String[] mConfigParams = new String[] { PROP_FILENAME, + PROP_KEYATTRIBUTES, PROP_AUTHATTRS, PROP_DEFERONFAILURE }; public String[] getExtendedPluginInfo(Locale locale) { String s[] = { PROP_FILENAME + ";string;Pathname of password file", - PROP_KEYATTRIBUTES + ";string;Comma-separated list of attributes" + - " which together form a unique identifier for the user", - PROP_AUTHATTRS + ";string;Comma-separated list of attributes" + - " which are used for further authentication", - PROP_DEFERONFAILURE + ";boolean;if user is not found, defer the " + - "request to the queue for manual-authentication (true), or " + - "simply rejected the request (false)" - }; + PROP_KEYATTRIBUTES + + ";string;Comma-separated list of attributes" + + " which together form a unique identifier for the user", + PROP_AUTHATTRS + ";string;Comma-separated list of attributes" + + " which are used for further authentication", + PROP_DEFERONFAILURE + + ";boolean;if user is not found, defer the " + + "request to the queue for manual-authentication (true), or " + + "simply rejected the request (false)" }; return s; } - + /** name of this authentication manager instance */ protected String mName = null; - + protected String FFAUTH = "FlatFileAuth"; /** name of the authentication manager plugin */ @@ -109,30 +103,31 @@ public class FlatFileAuth /** system logger */ protected ILogger mLogger = CMS.getLogger(); - - /** This array is created as to include all the requested attributes - * + + /** + * This array is created as to include all the requested attributes + * */ String[] reqCreds = null; String[] authAttrs = null; String[] keyAttrs = null; - /** Hashtable of entries from Auth File. Hash index is the - * concatenation of the attributes from matchAttributes property + /** + * Hashtable of entries from Auth File. Hash index is the concatenation of + * the attributes from matchAttributes property */ protected Hashtable entries = null; /** - * Get the named property - * If the property is not set, use s as the default, and create - * a new value for the property in the config file. + * Get the named property If the property is not set, use s as the default, + * and create a new value for the property in the config file. * * @param propertyName Property name * @param s The default value of the property */ protected String getPropertyS(String propertyName, String s) - throws EBaseException { + throws EBaseException { String p; try { @@ -149,15 +144,14 @@ public class FlatFileAuth } /** - * Get the named property, - * If the property is not set, use b as the default, and create - * a new value for the property in the config file. + * Get the named property, If the property is not set, use b as the default, + * and create a new value for the property in the config file. * * @param propertyName Property name * @param b The default value of the property */ protected boolean getPropertyB(String propertyName, boolean b) - throws EBaseException { + throws EBaseException { boolean p; try { @@ -170,7 +164,7 @@ public class FlatFileAuth } public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -198,7 +192,8 @@ public class FlatFileAuth print("mAuthAttrs = " + mAuthAttrs); for (int i = 0; i < stringArrays.length; i++) { for (int j = 0; j < stringArrays[i].length; j++) { - print("stringArrays[" + i + "][" + j + "] = " + stringArrays[i][j]); + print("stringArrays[" + i + "][" + j + "] = " + + stringArrays[i][j]); } } @@ -207,35 +202,40 @@ public class FlatFileAuth mFileLastRead = file.lastModified(); entries = readFile(file, keyAttrs); - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename)); + CMS.debug("FlatFileAuth: " + + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename)); // printAllEntries(); } catch (IOException e) { - throw new EBaseException(mName + " authentication: Could not open file " + mFilename + " (" + e.getMessage() + ")"); + throw new EBaseException(mName + + " authentication: Could not open file " + mFilename + + " (" + e.getMessage() + ")"); } catch (java.lang.StringIndexOutOfBoundsException ee) { - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("OPERATION_ERROR", ee.toString())); + CMS.debug("FlatFileAuth: " + + CMS.getLogMessage("OPERATION_ERROR", ee.toString())); } } /** * Log a message. + * * @param level The logging level. * @param msg The message to log. */ private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level, + msg); } - + void print(String s) { CMS.debug("FlatFileAuth: " + s); } /** - * Return a string array which is the union of all the string arrays - * passed in. The strings are treated as case sensitive + * Return a string array which is the union of all the string arrays passed + * in. The strings are treated as case sensitive */ public String[] unionOfStrings(String[][] stringArrays) { @@ -257,12 +257,11 @@ public class FlatFileAuth s[i] = (String) e.nextElement(); } return s; - + } - + /** - * Split a comma-delimited String into an array of individual - * Strings. + * Split a comma-delimited String into an array of individual Strings. */ private String[] splitOnComma(String s) { print("Splitting String: " + s + " on commas"); @@ -282,8 +281,8 @@ public class FlatFileAuth } /** - * Join an array of Strings into one string, with - * the specified string between each string + * Join an array of Strings into one string, with the specified string + * between each string */ private String joinStringArray(String[] s, String sep) { @@ -298,9 +297,9 @@ public class FlatFileAuth return sb.toString(); } - private synchronized void updateFile (String key) { + private synchronized void updateFile(String key) { try { - String name = writeFile (key); + String name = writeFile(key); if (name != null) { File orgFile = new File(mFilename); long lastModified = orgFile.lastModified(); @@ -310,23 +309,28 @@ public class FlatFileAuth } else { mFileLastRead = newFile.lastModified(); } - if (orgFile.renameTo(new File(name.substring(0, name.length()-1)))) { + if (orgFile.renameTo(new File(name.substring(0, + name.length() - 1)))) { if (!newFile.renameTo(new File(mFilename))) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name, mFilename)); - File file = new File(name.substring(0, name.length()-1)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "RENAME_FILE_ERROR", name, mFilename)); + File file = new File(name.substring(0, + name.length() - 1)); file.renameTo(new File(mFilename)); } } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", mFilename, - name.substring(0, name.length()-1))); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "RENAME_FILE_ERROR", mFilename, + name.substring(0, name.length() - 1))); } } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("FILE_ERROR", e.getMessage())); } } - private String writeFile (String key) { + private String writeFile(String key) { BufferedReader reader = null; BufferedWriter writer = null; String name = null; @@ -334,9 +338,9 @@ public class FlatFileAuth boolean done = false; String line = null; try { - reader = new BufferedReader (new FileReader (mFilename)); - name = mFilename+"."+mDateFormat.format(new Date())+"~"; - writer = new BufferedWriter (new FileWriter(name)); + reader = new BufferedReader(new FileReader(mFilename)); + name = mFilename + "." + mDateFormat.format(new Date()) + "~"; + writer = new BufferedWriter(new FileWriter(name)); if (reader != null && writer != null) { while ((line = reader.readLine()) != null) { if (commentOutNextLine) { @@ -353,7 +357,8 @@ public class FlatFileAuth done = true; } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("FILE_ERROR", e.getMessage())); } try { @@ -365,7 +370,8 @@ public class FlatFileAuth writer.close(); } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("FILE_ERROR", e.getMessage())); } try { @@ -374,43 +380,45 @@ public class FlatFileAuth long s2 = 0; File f1 = new File(mFilename); File f2 = new File(name); - if (f1.exists()) s1 = f1.length(); - if (f2.exists()) s2 = f2.length(); + if (f1.exists()) + s1 = f1.length(); + if (f2.exists()) + s2 = f2.length(); if (s1 > 0 && s2 > 0 && s2 > s1) { done = true; } else { - if (f2.exists()) f2.delete(); + if (f2.exists()) + f2.delete(); name = null; } } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("FILE_ERROR", e.getMessage())); } return name; } - /** - * Read a file with the following format: <p><pre> + * Read a file with the following format: + * <p> + * + * <pre> * param1: valuea * param2: valueb * -blank-line- * param1: valuec * param2: valued * </pre> - * + * * @param f The file to read - * @param keys The parameters to concat together to form the hash - * key + * @param keys The parameters to concat together to form the hash key * @return a hashtable of hashtables. */ - protected Hashtable readFile(File f, String[] keys) - throws IOException { + protected Hashtable readFile(File f, String[] keys) throws IOException { log(ILogger.LL_INFO, "Reading file: " + f.getName()); - BufferedReader file = new BufferedReader( - new FileReader(f) - ); + BufferedReader file = new BufferedReader(new FileReader(f)); String line; Hashtable allusers = new Hashtable(); @@ -429,13 +437,14 @@ public class FlatFileAuth entry = new Hashtable(); } - if (colon == -1) { // no colon -> empty line signifies end of record + if (colon == -1) { // no colon -> empty line signifies end of record if (!line.trim().equals("")) { if (file != null) { file.close(); } - throw new IOException(FFAUTH + ": Parsing error, " + - "colon missing from line " + linenum + " of " + f.getName()); + throw new IOException(FFAUTH + ": Parsing error, " + + "colon missing from line " + linenum + " of " + + f.getName()); } if (entry.size() > 0) { putEntry(allusers, entry, keys); @@ -457,9 +466,7 @@ public class FlatFileAuth return allusers; } - private void putEntry(Hashtable allUsers, - Hashtable entry, - String[] keys) { + private void putEntry(Hashtable allUsers, Hashtable entry, String[] keys) { if (entry == null) { return; } @@ -497,22 +504,24 @@ public class FlatFileAuth } /** - * Compare attributes provided by the user with those in - * in flat file. - * + * Compare attributes provided by the user with those in in flat file. + * */ - private IAuthToken doAuthentication(Hashtable user, IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { + private IAuthToken doAuthentication(Hashtable user, + IAuthCredentials authCred) throws EMissingCredential, + EInvalidCredentials, EBaseException { AuthToken authToken = new AuthToken(this); for (int i = 0; i < authAttrs.length; i++) { String ffvalue = (String) user.get(authAttrs[i]); String uservalue = (String) authCred.get(authAttrs[i]); - // print("checking authentication token (" + authAttrs[i] + ": " + uservalue + " against ff value: " + ffvalue); + // print("checking authentication token (" + authAttrs[i] + ": " + + // uservalue + " against ff value: " + ffvalue); if (!ffvalue.equals(uservalue)) { - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } } return authToken; @@ -530,16 +539,18 @@ public class FlatFileAuth // printAllEntries(); } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("READ_FILE_ERROR", mFilename, e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("READ_FILE_ERROR", mFilename, + e.getMessage())); } } /** * Authenticate the request - * + * */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { + throws EMissingCredential, EInvalidCredentials, EBaseException { IAuthToken authToken = null; String keyForUser = ""; @@ -550,11 +561,13 @@ public class FlatFileAuth /* Find the user in our hashtable */ for (int i = 0; i < keyAttrs.length; i++) { - print("concatenating string i=" + i + " keyAttrs[" + i + "] = " + keyAttrs[i]); + print("concatenating string i=" + i + " keyAttrs[" + i + "] = " + + keyAttrs[i]); String credential = (String) authCred.get(keyAttrs[i]); if (credential == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i])); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i])); } keyForUser = keyForUser.concat((String) authCred.get(keyAttrs[i])); } @@ -566,8 +579,10 @@ public class FlatFileAuth if (user != null) { authToken = doAuthentication(user, authCred); } else { - CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND")); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + CMS.debug("FlatFileAuth: " + + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } } catch (EInvalidCredentials e) { // If defer on failure is false, then we re-throw the exception @@ -579,7 +594,7 @@ public class FlatFileAuth } } - // if a dn was specified in the password file for this user, + // if a dn was specified in the password file for this user, // replace the requested dn with the one in the pwfile if (user != null) { String dn = (String) user.get("dn"); @@ -601,21 +616,21 @@ public class FlatFileAuth } /** - * Return a list of HTTP parameters which will be taken from the - * request posting and placed into the AuthCredentials block - * - * Note that this method will not be called until after the - * init() method is called + * Return a list of HTTP parameters which will be taken from the request + * posting and placed into the AuthCredentials block + * + * Note that this method will not be called until after the init() method is + * called */ public String[] getRequiredCreds() { print("getRequiredCreds returning: " + joinStringArray(reqCreds, ",")); return reqCreds; - + } /** - * Returns a list of configuration parameters, so the console - * can prompt the user when configuring. + * Returns a list of configuration parameters, so the console can prompt the + * user when configuring. */ public String[] getConfigParams() { return mConfigParams; @@ -640,7 +655,7 @@ public class FlatFileAuth } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -666,7 +681,7 @@ public class FlatFileAuth } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { } /** diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java index 19bfab699..19e4f0e30 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java +++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java @@ -17,17 +17,16 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // java sdk imports. import java.util.Hashtable; import java.util.Vector; - /** - * The structure stores the information of which machine is enabled for - * the agent-initiated user enrollment, and whom agents enable this feature, - * and the value of the timeout. + * The structure stores the information of which machine is enabled for the + * agent-initiated user enrollment, and whom agents enable this feature, and the + * value of the timeout. * <P> + * * @version $Revision$, $Date$ */ public class HashAuthData extends Hashtable { @@ -54,7 +53,7 @@ public class HashAuthData extends Hashtable { Vector val = (Vector) get(hostname); if (val == null) { - val = new Vector(); + val = new Vector(); put(hostname, val); } val.setElementAt(agentName, 0); @@ -117,4 +116,3 @@ public class HashAuthData extends Hashtable { val.setElementAt(Long.valueOf(lastLogin), 3); } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java index 24a10e0a2..9875b2a38 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -40,11 +39,10 @@ import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.util.Utils; - /** * Hash uid/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { @@ -54,8 +52,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { public static final String CRED_FINGERPRINT = "fingerprint"; public static final String CRED_PAGEID = "pageID"; public static final String CRED_HOST = "hostname"; - protected static String[] mRequiredCreds = { CRED_UID, - CRED_PAGEID, CRED_FINGERPRINT, CRED_HOST }; + protected static String[] mRequiredCreds = { CRED_UID, CRED_PAGEID, + CRED_FINGERPRINT, CRED_HOST }; public static final long DEFAULT_TIMEOUT = 600000; private boolean mEnable = false; private long mTimeout = DEFAULT_TIMEOUT; // in milliseconds @@ -71,18 +69,17 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { private ILogger mLogger = CMS.getLogger(); private static Vector mExtendedPluginInfo = null; private HashAuthData mHosts = null; - - static String[] mConfigParams = - new String[] {}; + + static String[] mConfigParams = new String[] {}; static { mExtendedPluginInfo = new Vector(); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the username and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwddirauth"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the username and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwddirauth"); }; /** @@ -91,8 +88,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { public HashAuthentication() { } - public void init(String name, String implName, IConfigStore config) - throws EBaseException { + public void init(String name, String implName, IConfigStore config) + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -102,7 +99,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { try { mSHADigest = MessageDigest.getInstance("SHA1"); } catch (NoSuchAlgorithmException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); } } @@ -124,7 +122,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { } public void createEntry(String host, String dn, long timeout, - String secret, long lastLogin) { + String secret, long lastLogin) { Vector v = new Vector(); v.addElement(dn); @@ -141,7 +139,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { public String getAgentName(String hostname) { return mHosts.getAgentName(hostname); } - + public void setAgentName(String hostname, String agentName) { mHosts.setAgentName(hostname, agentName); } @@ -183,16 +181,17 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { public void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level, + msg); } - public boolean validFingerprint(String host, String pageID, String uid, String fingerprint) { + public boolean validFingerprint(String host, String pageID, String uid, + String fingerprint) { String val = hashFingerprint(host, pageID, uid); if (val.equals(fingerprint)) return true; - return false; + return false; } public Enumeration getHosts() { @@ -200,8 +199,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { } public String hashFingerprint(String host, String pageID, String uid) { - byte[] hash = - mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes()); + byte[] hash = mSHADigest.digest((SALT + pageID + getSecret(host) + uid) + .getBytes()); String b64E = com.netscape.osutil.OSUtil.BtoA(hash); return "{SHA}" + b64E; @@ -216,19 +215,20 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ public IAuthToken authenticate(IAuthCredentials authCreds) - throws EBaseException { + throws EBaseException { AuthToken token = new AuthToken(this); String fingerprint = (String) authCreds.get(CRED_FINGERPRINT); String pageID = (String) authCreds.get(CRED_PAGEID); String uid = (String) authCreds.get(CRED_UID); String host = (String) authCreds.get(CRED_HOST); - if (fingerprint.equals("") || - !validFingerprint(host, pageID, uid, fingerprint)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT")); + if (fingerprint.equals("") + || !validFingerprint(host, pageID, uid, fingerprint)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT")); throw new EAuthException("Invalid Fingerprint"); } @@ -240,6 +240,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -248,6 +249,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { /** * Gets the configuration substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -276,14 +278,13 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo { } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { return (mConfigParams); } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java index 56c8739a8..74a5392a1 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java +++ b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.util.Enumeration; import java.util.Locale; @@ -49,26 +48,25 @@ import com.netscape.certsrv.ldap.ELdapException; import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.logging.ILogger; - /** * uid/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class PortalEnroll extends DirBasedAuthentication { /* configuration parameter keys */ - protected static final String PROP_LDAPAUTH = "ldapauth"; - protected static final String PROP_AUTHTYPE = "authtype"; - protected static final String PROP_BINDDN = "bindDN"; - protected static final String PROP_BINDPW = "bindPW"; - protected static final String PROP_LDAPCONN = "ldapconn"; - protected static final String PROP_HOST = "host"; - protected static final String PROP_PORT = "port"; - protected static final String PROP_SECURECONN = "secureConn"; - protected static final String PROP_VERSION = "version"; - protected static final String PROP_OBJECTCLASS = "objectclass"; + protected static final String PROP_LDAPAUTH = "ldapauth"; + protected static final String PROP_AUTHTYPE = "authtype"; + protected static final String PROP_BINDDN = "bindDN"; + protected static final String PROP_BINDPW = "bindPW"; + protected static final String PROP_LDAPCONN = "ldapconn"; + protected static final String PROP_HOST = "host"; + protected static final String PROP_PORT = "port"; + protected static final String PROP_SECURECONN = "secureConn"; + protected static final String PROP_VERSION = "version"; + protected static final String PROP_OBJECTCLASS = "objectclass"; /* required credentials to authenticate. uid and pwd are strings. */ public static final String CRED_UID = "uid"; @@ -80,83 +78,77 @@ public class PortalEnroll extends DirBasedAuthentication { private String mObjectClass = null; private String mBindDN = null; private String mBaseDN = null; - private ILdapConnFactory mLdapFactory = null; - private LDAPConnection mLdapConn = null; + private ILdapConnFactory mLdapFactory = null; + private LDAPConnection mLdapConn = null; // contains all nested superiors' required attrs in the form of a - // vector of "required" attributes in Enumeration + // vector of "required" attributes in Enumeration Vector mRequiredAttrs = null; - + // contains all nested superiors' optional attrs in the form of a - // vector of "optional" attributes in Enumeration + // vector of "optional" attributes in Enumeration Vector mOptionalAttrs = null; // contains all the objclasses, including superiors and itself Vector mObjClasses = null; - - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. + + /* + * Holds configuration parameters accepted by this implementation. This list + * is passed to the configuration console so configuration for instances of + * this implementation can be configured through the console. */ - protected static String[] mConfigParams = - new String[] { - PROP_DNPATTERN, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.ldapauth.bindDN", - "ldap.ldapauth.bindPWPrompt", - "ldap.ldapauth.clientCertNickname", - "ldap.ldapauth.authtype", - "ldap.basedn", - "ldap.objectclass", - "ldap.minConns", - "ldap.maxConns", - }; - + protected static String[] mConfigParams = new String[] { PROP_DNPATTERN, + "ldap.ldapconn.host", "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", "ldap.ldapconn.version", + "ldap.ldapauth.bindDN", "ldap.ldapauth.bindPWPrompt", + "ldap.ldapauth.clientCertNickname", "ldap.ldapauth.authtype", + "ldap.basedn", "ldap.objectclass", "ldap.minConns", + "ldap.maxConns", }; + /** * Default constructor, initialization must follow. */ - public PortalEnroll() - throws EBaseException { + public PortalEnroll() throws EBaseException { super(); } /** * Initializes the PortalEnrollment auth manager. * <p> + * * @param name - The name for this authentication manager instance. * @param implName - The name of the authentication manager plugin. * @param config - The configuration store for this instance. * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { super.init(name, implName, config); - + /* Get Bind DN for directory server */ mConfig = mLdapConfig.getSubStore(PROP_LDAPAUTH); mBindDN = mConfig.getString(PROP_BINDDN); - if ( (mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == "")) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "binddn")); - - /* Get Bind DN for directory server */ + if ((mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == "")) + throw new EPropertyNotFound(CMS.getUserMessage( + "CMS_BASE_GET_PROPERTY_FAILED", "binddn")); + + /* Get Bind DN for directory server */ mBaseDN = mLdapConfig.getString(PROP_BASEDN); if ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN == "")) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); - - /* Get Object clase name for enrollment */ + throw new EPropertyNotFound(CMS.getUserMessage( + "CMS_BASE_GET_PROPERTY_FAILED", "basedn")); + + /* Get Object clase name for enrollment */ mObjectClass = mLdapConfig.getString(PROP_OBJECTCLASS); - if (mObjectClass == null || mObjectClass.length() == 0) - throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "objectclass")); + if (mObjectClass == null || mObjectClass.length() == 0) + throw new EPropertyNotFound(CMS.getUserMessage( + "CMS_BASE_GET_PROPERTY_FAILED", "objectclass")); - /* Get connect parameter */ + /* Get connect parameter */ mLdapFactory = CMS.getLdapBoundConnFactory(); mLdapFactory.init(mLdapConfig); mLdapConn = mLdapFactory.getConn(); - + log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_PORTAL_INIT")); } @@ -166,48 +158,53 @@ public class PortalEnroll extends DirBasedAuthentication { * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, AuthToken token) throws EBaseException { String uid = null; String pwd = null; String dn = null; argblk = authCreds.getArgBlock(); - + // authenticate by binding to ldap server with password. try { // get the uid. uid = (String) authCreds.get(CRED_UID); if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); } - + // get the password. pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); } if (pwd.equals("")) { // anonymous binding not allowed - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // get user dn. - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, + "(uid=" + uid + ")", null, false); if (res.hasMoreElements()) { LDAPEntry entry = (LDAPEntry) res.nextElement(); - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "UID already exists.")); + throw new EAuthUserError(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "UID already exists.")); } else { dn = regist(token, uid); - if (dn == null) - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE","Could not add user " + uid + ".")); + if (dn == null) + throw new EAuthUserError(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "Could not add user " + uid + ".")); } // bind as user dn and pwd - authenticates user with pwd. @@ -217,47 +214,57 @@ public class PortalEnroll extends DirBasedAuthentication { token.set(CRED_UID, uid); log(ILogger.LL_INFO, "portal authentication is done"); - + return dn; } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.toString())); throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", conn.getHost(), Integer.toString(conn.getPort()))); - throw new - EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", "Check Configuration detail.")); + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", + conn.getHost(), + Integer.toString(conn.getPort()))); + throw new EAuthInternalError(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", + "Check Configuration detail.")); case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.SERVER_DOWN: log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString())); } } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", e.toString())); + if (e.getMessage().equalsIgnoreCase( + CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", + e.toString())); throw e; - } + } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -266,44 +273,49 @@ public class PortalEnroll extends DirBasedAuthentication { public String[] getExtendedPluginInfo(Locale locale) { String[] s = { - PROP_DNPATTERN + ";string;Template for cert" + - " Subject Name. ($dn.xxx - get value from user's LDAP " + - "DN. $attr.yyy - get value from LDAP attributes in " + - "user's entry.) Default: " + DEFAULT_DNPATTERN, - "ldap.ldapconn.host;string,required;" + "LDAP host to connect to", - "ldap.ldapconn.port;number,required;" + "LDAP port number (default 389, or 636 if SSL)", + PROP_DNPATTERN + + ";string;Template for cert" + + " Subject Name. ($dn.xxx - get value from user's LDAP " + + "DN. $attr.yyy - get value from LDAP attributes in " + + "user's entry.) Default: " + DEFAULT_DNPATTERN, + "ldap.ldapconn.host;string,required;" + + "LDAP host to connect to", + "ldap.ldapconn.port;number,required;" + + "LDAP port number (default 389, or 636 if SSL)", "ldap.objectclass;string,required;SEE DOCUMENTATION for Object Class. " - + "Default is inetOrgPerson.", - "ldap.ldapconn.secureConn;boolean;" + "Use SSL to connect to directory?", + + "Default is inetOrgPerson.", + "ldap.ldapconn.secureConn;boolean;" + + "Use SSL to connect to directory?", "ldap.ldapconn.version;choice(3,2);" + "LDAP protocol version", "ldap.ldapauth.bindDN;string,required;DN to bind as for Directory Manager. " - + "For example 'CN=Directory Manager'", - "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + - "the above user", + + "For example 'CN=Directory Manager'", + "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + + "the above user", "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth);" - + "How to bind to the directory (for pin removal only)", + + "How to bind to the directory (for pin removal only)", "ldap.ldapauth.clientCertNickname;string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here", - "ldap.basedn;string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here", - "ldap.minConns;number;number of connections " + - "to keep open to directory server", - "ldap.maxConns;number;when needed, connection " + - "pool can grow to this many connections", - IExtendedPluginInfo.HELP_TEXT + - ";This authentication plugin checks to see if a user " + - "exists in the directory. If not, then the user is created " + - "with the requested password.", - IExtendedPluginInfo.HELP_TOKEN + ";configuration-authrules-portalauth" - }; - + + "SSL client auth to the directory, set the client " + + "cert nickname here", + "ldap.basedn;string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + "ldap.minConns;number;number of connections " + + "to keep open to directory server", + "ldap.maxConns;number;when needed, connection " + + "pool can grow to this many connections", + IExtendedPluginInfo.HELP_TEXT + + ";This authentication plugin checks to see if a user " + + "exists in the directory. If not, then the user is created " + + "with the requested password.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-portalauth" }; + return s; } /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -312,6 +324,7 @@ public class PortalEnroll extends DirBasedAuthentication { /** * adds a user to the directory. + * * @return dn upon success and null upon failure. * @param token authentication token * @param uid the user's id. @@ -321,7 +334,7 @@ public class PortalEnroll extends DirBasedAuthentication { /* Specify the attributes of the entry */ Vector objectclass_values = null; - + LDAPAttributeSet attrs = new LDAPAttributeSet(); LDAPAttribute attr = new LDAPAttribute("objectclass"); @@ -334,14 +347,17 @@ public class PortalEnroll extends DirBasedAuthentication { try { - /* Construct a new LDAPSchema object to hold - the schema that you want to retrieve. */ + /* + * Construct a new LDAPSchema object to hold the schema that you + * want to retrieve. + */ dirSchema = new LDAPSchema(); /* Get the schema from the Directory. Anonymous access okay. */ dirSchema.fetchSchema(mLdapConn); } catch (LDAPException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.getMessage())); } // complete mRequiredAttrs, mOptionalAttrs, and mObjClasses initLdapAttrs(dirSchema, mObjectClass); @@ -367,9 +383,10 @@ public class PortalEnroll extends DirBasedAuthentication { try { attrval = (String) argblk.getValueAsString(attrname); } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + if (e.getMessage().equalsIgnoreCase( + CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) continue; - } + } CMS.debug("PortalEnroll: " + attrname + " = " + attrval); attrs.add(new LDAPAttribute(attrname, attrval)); @@ -386,17 +403,18 @@ public class PortalEnroll extends DirBasedAuthentication { while (attrnames.hasMoreElements()) { String attrname = (String) attrnames.nextElement(); String attrval = null; - + CMS.debug("PortalEnroll: attrname is: " + attrname); try { attrval = (String) argblk.getValueAsString(attrname); } catch (EBaseException e) { - if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) + if (e.getMessage().equalsIgnoreCase( + CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) continue; - } + } CMS.debug("PortalEnroll: " + attrname + " = " + attrval); if (attrval != null) { - attrs.add(new LDAPAttribute(attrname, attrval)); + attrs.add(new LDAPAttribute(attrname, attrval)); } } } @@ -410,22 +428,24 @@ public class PortalEnroll extends DirBasedAuthentication { mLdapConn.add(entry); } catch (LDAPException e) { if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.getMessage())); } else - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.getMessage())); return null; } log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_REGISTRATION_DONE")); - + return dn; } /* - * get the superiors of "inetOrgPerson" so the "required - * attributes", "optional qttributes", and "object classes" are complete; - * should build up - * mRequiredAttrs, mOptionalAttrs, and mObjClasses when returned + * get the superiors of "inetOrgPerson" so the "required + * attributes", "optional qttributes", and "object classes" are complete; + * should build up mRequiredAttrs, mOptionalAttrs, and mObjClasses when + * returned */ public void initLdapAttrs(LDAPSchema dirSchema, String oclass) { CMS.debug("PortalEnroll: in initLdapAttrsAttrs"); @@ -448,7 +468,8 @@ public class PortalEnroll extends DirBasedAuthentication { CMS.debug("PortalEnroll: getting superiors for: " + oclass); String superiors[] = objClass.getSuperiors(); - CMS.debug("PortalEnroll: got superiors, superiors.length=" + superiors.length); + CMS.debug("PortalEnroll: got superiors, superiors.length=" + + superiors.length); if (superiors.length == 0) return; for (int i = 0; i < superiors.length; i++) { @@ -457,8 +478,8 @@ public class PortalEnroll extends DirBasedAuthentication { initLdapAttrs(dirSchema, superiors[i]); } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR", e.getMessage())); } } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java index 1f21bc1d7..c5aeee7c8 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java +++ b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.io.IOException; import java.io.PushbackReader; import java.io.StringReader; @@ -29,24 +28,27 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.base.EBaseException; - /** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn.<p> + * class for parsing a DN pattern used to construct a certificate subject name + * from ldap attributes and dn. + * <p> * - * dnpattern is a string representing a subject name pattern to formulate from - * the directory attributes and entry dn. If empty or not set, the - * ldap entry DN will be used as the certificate subject name. <p> + * dnpattern is a string representing a subject name pattern to formulate from + * the directory attributes and entry dn. If empty or not set, the ldap entry DN + * will be used as the certificate subject name. + * <p> + * + * The syntax is * - * The syntax is * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] + * dnPattern := rdnPattern *[ "," rdnPattern ] + * rdnPattern := avaPattern *[ "+" avaPattern ] * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number + * name "=" "$attr" "." attrName [ "." attrNumber ] | + * name "=" "$dn" "." attrName [ "." attrNumber ] | + * "$dn" "." "$rdn" "." number * </pre> + * * <pre> * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org @@ -73,11 +75,12 @@ import com.netscape.certsrv.base.EBaseException; * E = the first 'mail' ldap attribute value in user's entry. <br> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> + * * <pre> * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org @@ -102,15 +105,16 @@ import com.netscape.certsrv.base.EBaseException; * <p> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> - * If an attribute or subject DN component does not exist the attribute - * is skipped. - * + * + * If an attribute or subject DN component does not exist the attribute is + * skipped. + * * @version $Revision$, $Date$ */ class RDNPattern { @@ -126,15 +130,15 @@ class RDNPattern { protected String mTestDN = null; - /** + /** * Construct a DN pattern by parsing a pattern string. + * * @param pattenr the DN pattern - * @exception EBaseException If parsing error occurs. + * @exception EBaseException If parsing error occurs. */ - public RDNPattern(String pattern) - throws EAuthException { + public RDNPattern(String pattern) throws EAuthException { if (pattern == null || pattern.equals("")) { - // create an attribute list that is the dn. + // create an attribute list that is the dn. mLdapAttrs = new String[] { "dn" }; } else { mPatternString = pattern; @@ -145,16 +149,14 @@ class RDNPattern { } /** - * Construct a DN pattern from a input stream of pattern + * Construct a DN pattern from a input stream of pattern */ - public RDNPattern(PushbackReader in) - throws EAuthException { + public RDNPattern(PushbackReader in) throws EAuthException { parse(in); } - private void parse(PushbackReader in) - throws EAuthException { - //System.out.println("_________ begin rdn _________"); + private void parse(PushbackReader in) throws EAuthException { + // System.out.println("_________ begin rdn _________"); Vector avaPatterns = new Vector(); AVAPattern avaPattern = null; int lastChar; @@ -162,24 +164,25 @@ class RDNPattern { do { avaPattern = new AVAPattern(in); avaPatterns.addElement(avaPattern); - //System.out.println("added AVAPattern"+ - //" mType "+avaPattern.mType+ - //" mAttr "+avaPattern.mAttr+ - //" mValue "+avaPattern.mValue+ - //" mElement "+avaPattern.mElement); - try { - lastChar = in.read(); + // System.out.println("added AVAPattern"+ + // " mType "+avaPattern.mType+ + // " mAttr "+avaPattern.mAttr+ + // " mValue "+avaPattern.mValue+ + // " mElement "+avaPattern.mElement); + try { + lastChar = in.read(); } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - } - while (lastChar == '+'); + } while (lastChar == '+'); if (lastChar != -1) { try { - in.unread(lastChar); // pushback last , + in.unread(lastChar); // pushback last , } catch (IOException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } } @@ -191,7 +194,7 @@ class RDNPattern { for (int i = 0; i < mAVAPatterns.length; i++) { String avaAttr = mAVAPatterns[i].getLdapAttr(); - if (avaAttr == null || avaAttr.length() == 0) + if (avaAttr == null || avaAttr.length() == 0) continue; ldapAttrs.addElement(avaAttr); } @@ -201,15 +204,15 @@ class RDNPattern { /** * Form a Ldap v3 DN string from results of a ldap search. + * * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. + * @return Ldap v3 DN string to use for a subject name. */ - public String formRDN(LDAPEntry entry) - throws EAuthException { + public String formRDN(LDAPEntry entry) throws EAuthException { StringBuffer formedRDN = new StringBuffer(); for (int i = 0; i < mAVAPatterns.length; i++) { - if (mTestDN != null) + if (mTestDN != null) mAVAPatterns[i].mTestDN = mTestDN; String ava = mAVAPatterns[i].formAVA(entry); @@ -219,7 +222,7 @@ class RDNPattern { formedRDN.append(ava); } } - //System.out.println("formed RDN "+formedRDN.toString()); + // System.out.println("formed RDN "+formedRDN.toString()); return formedRDN.toString(); } diff --git a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java index 3092d00a1..00bf88c3b 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.security.Principal; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -47,15 +46,14 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.usrgrp.Certificates; - /** - * Certificate server SSL client authentication. - * + * Certificate server SSL client authentication. + * * @author Christina Fu - * <P> - * + * <P> + * */ -public class SSLclientCertAuthentication implements IAuthManager, +public class SSLclientCertAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ @@ -86,19 +84,20 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * initializes the SSLClientCertAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available + * authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; } - + /** * Gets the name of this authentication manager. */ @@ -112,7 +111,7 @@ public class SSLclientCertAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return true; } @@ -120,33 +119,34 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * authenticates user by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * called by other subsystems or their servlets to authenticate users + * + * @param authCred - authentication credential that contains an + * usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * + * * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("SSLclientCertAuthentication: start"); - CMS.debug("authenticator instance name is "+getName()); + CMS.debug("authenticator instance name is " + getName()); // force SSL handshake SessionContext context = SessionContext.getExistingContext(); - ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); + ISSLClientCertProvider provider = (ISSLClientCertProvider) context + .get("sslClientCertProvider"); if (provider == null) { CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } CMS.debug("SSLclientCertAuthentication: got provider"); CMS.debug("SSLclientCertAuthentication: retrieving client certificate"); @@ -154,7 +154,8 @@ public class SSLclientCertAuthentication implements IAuthManager, if (allCerts == null) { CMS.debug("SSLclientCertAuthentication: No SSL Client Certs Found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } CMS.debug("SSLclientCertAuthentication: got certificates"); @@ -173,7 +174,7 @@ public class SSLclientCertAuthentication implements IAuthManager, // find out which one is the leaf cert clientCert = ci[i]; - byte [] extBytes = clientCert.getExtensionValue("2.5.29.19"); + byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); // try to see if this is a leaf cert // look for BasicConstraint extension if (extBytes == null) { @@ -186,42 +187,46 @@ public class SSLclientCertAuthentication implements IAuthManager, // so it's not likely to be a leaf cert, // however, check the isCA field regardless try { - BasicConstraintsExtension bce = - new BasicConstraintsExtension(true, extBytes); - if (bce != null) { - if (!(Boolean)bce.get("is_ca")) { - CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); - break; - } // else found a ca cert, continue - } - } catch (Exception e) { - CMS.debug("SSLclientCertAuthentication: authenticate: exception:"+ - e.toString()); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } + BasicConstraintsExtension bce = new BasicConstraintsExtension( + true, extBytes); + if (bce != null) { + if (!(Boolean) bce.get("is_ca")) { + CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); + break; + } // else found a ca cert, continue + } + } catch (Exception e) { + CMS.debug("SSLclientCertAuthentication: authenticate: exception:" + + e.toString()); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } } if (clientCert == null) { - CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } } catch (CertificateException e) { CMS.debug(e.toString()); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // check if certificate(s) is revoked boolean checkRevocation = true; try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); + checkRevocation = mConfig.getBoolean("checkRevocation", true); } catch (EBaseException e) { - // do nothing; default to true + // do nothing; default to true } if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("SSLclientCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } + if (CMS.isRevoked(ci)) { + CMS.debug("SSLclientCertAuthentication: certificate revoked"); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } } Certificates certs = new Certificates(ci); Principal p_dn = clientCert.getSubjectDN(); @@ -232,13 +237,13 @@ public class SSLclientCertAuthentication implements IAuthManager, authToken.set(TOKEN_UID, uid); authToken.set(TOKEN_USERID, uid); } -/* - authToken.set(TOKEN_USER_DN, user.getUserDN()); - authToken.set(TOKEN_USERID, user.getUserID()); - authToken.set(TOKEN_UID, user.getUserID()); - authToken.set(TOKEN_GROUP, groupname); -*/ - authToken.set(CRED_CERT, certs); + /* + * authToken.set(TOKEN_USER_DN, user.getUserDN()); + * authToken.set(TOKEN_USERID, user.getUserID()); + * authToken.set(TOKEN_UID, user.getUserID()); + * authToken.set(TOKEN_GROUP, groupname); + */ + authToken.set(CRED_CERT, certs); CMS.debug("SSLclientCertAuthentication: authenticated "); @@ -257,7 +262,8 @@ public class SSLclientCertAuthentication implements IAuthManager, String n = t.substring(0, i); if (n.equalsIgnoreCase("uid")) { String v = t.substring(i + 1); - CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"+v); + CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:" + + v); return v; } else { continue; @@ -267,11 +273,12 @@ public class SSLclientCertAuthentication implements IAuthManager, } /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * get the list of authentication credential attribute names required by + * this authentication manager. Generally used by the servlets that handle + * agent operations to authenticate its users. It calls this method to know + * which are the required credentials from the user (e.g. Javascript form + * data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -279,15 +286,15 @@ public class SSLclientCertAuthentication implements IAuthManager, } /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * get the list of configuration parameter names required by this + * authentication manager. Generally used by the Certificate Server Console + * to display the table for configuration purposes. CertUserDBAuthentication + * is currently not exposed in this case, so this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors where each + * hashtable entry's key is the substore name, value is a Vector of + * parameter names. If no substore, the parameter name is the + * Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); @@ -300,8 +307,8 @@ public class SSLclientCertAuthentication implements IAuthManager, } /** - * gets the configuretion substore used by this authentication - * manager + * gets the configuretion substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -311,7 +318,7 @@ public class SSLclientCertAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -340,15 +347,14 @@ public class SSLclientCertAuthentication implements IAuthManager, } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { return null; } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(TOKEN_USERDN)); request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, diff --git a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java index 8b0a7b9b3..7a0784c53 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java +++ b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java @@ -26,7 +26,7 @@ import com.netscape.certsrv.authentication.ISharedToken; public class SharedSecret implements ISharedToken { public SharedSecret() { - } + } public String getSharedToken(PKIData cmcdata) { return "testing"; diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java index bb3937670..39084395d 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java @@ -46,14 +46,12 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.xml.XMLObject; /** - * Token authentication. - * Checked if the given token is valid. + * Token authentication. Checked if the given token is valid. * <P> - * + * * @version $Revision$, $Date$ */ -public class TokenAuthentication implements IAuthManager, - IProfileAuthenticator { +public class TokenAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ public static final String TOKEN_UID = "uid"; @@ -79,21 +77,22 @@ public class TokenAuthentication implements IAuthManager, /** * initializes the TokenAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available + * authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); } - + /** * Gets the name of this authentication manager. */ @@ -107,7 +106,7 @@ public class TokenAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return false; } @@ -115,21 +114,22 @@ public class TokenAuthentication implements IAuthManager, /** * authenticates user(agent) by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users (agents) - * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * called by other subsystems or their servlets to authenticate users + * (agents) + * + * @param authCred - authentication credential that contains an + * usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * @exception EMissingCredential If a required credential for this + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("TokenAuthentication: start"); // force SSL handshake @@ -141,8 +141,8 @@ public class TokenAuthentication implements IAuthManager, // get group name from configuration file IConfigStore sconfig = CMS.getConfigStore(); - String sessionId = (String)authCred.get(CRED_SESSION_ID); - String givenHost = (String)authCred.get("clientHost"); + String sessionId = (String) authCred.get(CRED_SESSION_ID); + String givenHost = (String) authCred.get("clientHost"); String auth_host = sconfig.getString("securitydomain.host"); int auth_port = sconfig.getInteger("securitydomain.httpseeport"); @@ -151,7 +151,8 @@ public class TokenAuthentication implements IAuthManager, try { JssSSLSocketFactory factory = new JssSSLSocketFactory(); httpclient = new HttpClient(factory); - String content = CRED_SESSION_ID+"="+sessionId+"&hostname="+givenHost; + String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + + givenHost; CMS.debug("TokenAuthentication: content=" + content); httpclient.connect(auth_host, auth_port); HttpRequest httprequest = new HttpRequest(); @@ -165,21 +166,23 @@ public class TokenAuthentication implements IAuthManager, HttpResponse httpresponse = httpclient.send(httprequest); c = httpresponse.getContent(); - } catch (Exception e) { - CMS.debug("TokenAuthentication authenticate Exception="+e.toString()); + } catch (Exception e) { + CMS.debug("TokenAuthentication authenticate Exception=" + + e.toString()); } if (c != null) { try { - ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + ByteArrayInputStream bis = new ByteArrayInputStream( + c.getBytes()); XMLObject parser = null; try { parser = new XMLObject(bis); } catch (Exception e) { - CMS.debug( "TokenAuthentication::authenticate() - " - + "Exception="+e.toString() ); - throw new EBaseException( e.toString() ); + CMS.debug("TokenAuthentication::authenticate() - " + + "Exception=" + e.toString()); + throw new EBaseException(e.toString()); } String status = parser.getValue("Status"); @@ -195,13 +198,15 @@ public class TokenAuthentication implements IAuthManager, authToken.set(TOKEN_UID, uid); authToken.set(TOKEN_GID, gid); - if(context != null) { - CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid); - context.put(SessionContext.USER_ID, uid ); - context.put(SessionContext.GROUP_ID, gid ); + if (context != null) { + CMS.debug("SessionContext.USER_ID " + uid + + " SessionContext.GROUP_ID " + gid); + context.put(SessionContext.USER_ID, uid); + context.put(SessionContext.GROUP_ID, gid); } - CMS.debug("TokenAuthentication: authenticated uid="+uid+", gid="+gid); + CMS.debug("TokenAuthentication: authenticated uid=" + uid + + ", gid=" + gid); } catch (EBaseException e) { throw e; } catch (Exception e) { @@ -212,11 +217,12 @@ public class TokenAuthentication implements IAuthManager, } /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * get the list of authentication credential attribute names required by + * this authentication manager. Generally used by the servlets that handle + * agent operations to authenticate its users. It calls this method to know + * which are the required credentials from the user (e.g. Javascript form + * data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -224,15 +230,15 @@ public class TokenAuthentication implements IAuthManager, } /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * get the list of configuration parameter names required by this + * authentication manager. Generally used by the Certificate Server Console + * to display the table for configuration purposes. CertUserDBAuthentication + * is currently not exposed in this case, so this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors where each + * hashtable entry's key is the substore name, value is a Vector of + * parameter names. If no substore, the parameter name is the + * Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); @@ -245,8 +251,8 @@ public class TokenAuthentication implements IAuthManager, } /** - * gets the configuretion substore used by this authentication - * manager + * gets the configuretion substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -256,7 +262,7 @@ public class TokenAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -288,14 +294,13 @@ public class TokenAuthentication implements IAuthManager, } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { return null; } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { } } diff --git a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java index 565bca1a4..255645c11 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import netscape.ldap.LDAPConnection; import netscape.ldap.LDAPException; @@ -33,11 +32,10 @@ import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.ldap.ELdapException; import com.netscape.certsrv.logging.ILogger; - /** * udn/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class UdnPwdDirAuthentication extends DirBasedAuthentication { @@ -47,30 +45,24 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { public static final String CRED_PWD = "pwd"; protected static String[] mRequiredCreds = { CRED_UDN, CRED_PWD }; - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. + /* + * Holds configuration parameters accepted by this implementation. This list + * is passed to the configuration console so configuration for instances of + * this implementation can be configured through the console. */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.minConns", - "ldap.maxConns", - }; + protected static String[] mConfigParams = new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, PROP_LDAPBYTEATTRS, "ldap.ldapconn.host", + "ldap.ldapconn.port", "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", "ldap.minConns", "ldap.maxConns", }; static { - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the user distinguished name and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); + mExtendedPluginInfo + .add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the user distinguished name and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authentication"); }; /** @@ -83,13 +75,14 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { /** * Initializes the UdnPwdDirAuthentication auth manager. * <p> + * * @param name - The name for this authentication manager instance. * @param implName - The name of the authentication manager plugin. * @param config - The configuration store for this instance. * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { super.init(name, implName, config, false); } @@ -99,12 +92,10 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the udn and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, AuthToken token) throws EBaseException { String userdn = null; // authenticate by binding to ldap server with password. @@ -112,20 +103,23 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { // get the udn. userdn = (String) authCreds.get(CRED_UDN); if (userdn == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN)); } - + // get the password. String pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); } if (pwd.equals("")) { // anonymous binding not allowed - log(ILogger.LL_FAILURE, - "user " + userdn + " attempted login with empty password."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, "user " + userdn + + " attempted login with empty password."); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // bind as user dn and pwd - authenticates user with pwd. @@ -135,43 +129,47 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { return userdn; } catch (ELdapException e) { - log(ILogger.LL_FAILURE, - "Couldn't get ldap connection. Error: " + e.toString()); + log(ILogger.LL_FAILURE, + "Couldn't get ldap connection. Error: " + e.toString()); throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, - "user " + userdn + " does not exist in ldap server host " + - conn.getHost() + ", port " + conn.getPort() + "."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + "user " + userdn + + " does not exist in ldap server host " + + conn.getHost() + ", port " + conn.getPort() + + "."); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, - "authenticate user " + userdn + " with bad password."); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, "authenticate user " + userdn + + " with bad password."); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.SERVER_DOWN: log(ILogger.LL_FAILURE, "Ldap server is down."); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, - "Ldap error encountered. " + e.getMessage()); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, + "Ldap error encountered. " + e.getMessage()); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString())); } - } + } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -180,6 +178,7 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -187,4 +186,3 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java index e97fee8b6..9619e20f6 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.util.Enumeration; import java.util.Locale; @@ -47,46 +46,38 @@ import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * uid/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ -public class UidPwdDirAuthentication extends DirBasedAuthentication - implements IProfileAuthenticator { +public class UidPwdDirAuthentication extends DirBasedAuthentication implements + IProfileAuthenticator { /* required credentials to authenticate. uid and pwd are strings. */ public static final String CRED_UID = "uid"; public static final String CRED_PWD = "pwd"; protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD }; - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. + /* + * Holds configuration parameters accepted by this implementation. This list + * is passed to the configuration console so configuration for instances of + * this implementation can be configured through the console. */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", - }; + protected static String[] mConfigParams = new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, PROP_LDAPBYTEATTRS, "ldap.ldapconn.host", + "ldap.ldapconn.port", "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", "ldap.basedn", "ldap.minConns", + "ldap.maxConns", }; static { - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the username and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwddirauth"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + + ";Authenticate the username and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwddirauth"); }; /** @@ -102,12 +93,10 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, AuthToken token) throws EBaseException { String userdn = null; String uid = null; @@ -117,36 +106,42 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication uid = (String) authCreds.get(CRED_UID); CMS.debug("Authenticating UID=" + uid); if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); } - + // get the password. String pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_PWD)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); } if (pwd.equals("")) { // anonymous binding not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // get user dn. - CMS.debug("Authenticating: Searching for UID=" + uid + - " base DN=" + mBaseDN); - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + CMS.debug("Authenticating: Searching for UID=" + uid + " base DN=" + + mBaseDN); + LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, + "(uid=" + uid + ")", null, false); if (res.hasMoreElements()) { - //LDAPEntry entry = (LDAPEntry)res.nextElement(); + // LDAPEntry entry = (LDAPEntry)res.nextElement(); LDAPEntry entry = res.next(); userdn = entry.getDN(); CMS.debug("Authenticating: Found User DN=" + userdn); } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // bind as user dn and pwd - authenticates user with pwd. @@ -156,38 +151,44 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication return userdn; } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + CMS.getLogMessage("USER_NOT_EXIST", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.SERVER_DOWN: log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString())); } - } + } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -196,6 +197,7 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -203,9 +205,9 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication } // Profile-related methods - + public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -243,23 +245,22 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { - if (name.equals(CRED_UID)) { + if (name.equals(CRED_UID)) { return new Descriptor(IDescriptor.STRING, null, null, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); } else if (name.equals(CRED_PWD)) { return new Descriptor(IDescriptor.PASSWORD, null, null, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); - + } return null; } - public void populate(IAuthToken token, IRequest request) - throws EProfileException { + public void populate(IAuthToken token, IRequest request) + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(USER_DN)); } diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java index 116054181..6bc32edbd 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -53,15 +52,14 @@ import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * uid/pwd/pin directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class UidPwdPinDirAuthentication extends DirBasedAuthentication - implements IExtendedPluginInfo, IProfileAuthenticator { + implements IExtendedPluginInfo, IProfileAuthenticator { /* required credentials to authenticate. uid and pwd are strings. */ public static final String CRED_UID = "uid"; @@ -79,54 +77,43 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication protected static final byte SENTINEL_MD5 = 1; protected static final byte SENTINEL_NONE = 0x2d; - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the - * console. + /* + * Holds configuration parameters accepted by this implementation. This list + * is passed to the configuration console so configuration for instances of + * this implementation can be configured through the console. */ - protected static String[] mConfigParams = - new String[] { PROP_REMOVE_PIN, - PROP_PIN_ATTR, - PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.ldapauth.bindDN", - "ldap.ldapauth.bindPWPrompt", - "ldap.ldapauth.clientCertNickname", - "ldap.ldapauth.authtype", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", - }; + protected static String[] mConfigParams = new String[] { PROP_REMOVE_PIN, + PROP_PIN_ATTR, PROP_DNPATTERN, PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, "ldap.ldapconn.host", "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", "ldap.ldapconn.version", + "ldap.ldapauth.bindDN", "ldap.ldapauth.bindPWPrompt", + "ldap.ldapauth.clientCertNickname", "ldap.ldapauth.authtype", + "ldap.basedn", "ldap.minConns", "ldap.maxConns", }; static { - mExtendedPluginInfo.add( - PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal"); - mExtendedPluginInfo.add( - PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')"); - mExtendedPluginInfo.add( - "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. " - + "For example 'CN=PinRemoval User'"); - mExtendedPluginInfo.add( - "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + - "the above user"); - mExtendedPluginInfo.add( - "ldap.ldapauth.clientCertNickname;string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here"); - mExtendedPluginInfo.add( - "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" - + "How to bind to the directory (for pin removal only)"); + mExtendedPluginInfo.add(PROP_REMOVE_PIN + + ";boolean;SEE DOCUMENTATION for pin removal"); + mExtendedPluginInfo.add(PROP_PIN_ATTR + + ";string;directory attribute to use for pin (default 'pin')"); + mExtendedPluginInfo + .add("ldap.ldapauth.bindDN;string;DN to bind as for pin removal. " + + "For example 'CN=PinRemoval User'"); + mExtendedPluginInfo + .add("ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + + "the above user"); + mExtendedPluginInfo + .add("ldap.ldapauth.clientCertNickname;string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here"); + mExtendedPluginInfo + .add("ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" + + "How to bind to the directory (for pin removal only)"); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT - + ";Authenticate the username, password and pin provided " - + "by the user against an LDAP directory. Works with the " - + "Dir/Pin Based Enrollment HTML form"); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwdpindirauth"); + + ";Authenticate the username, password and pin provided " + + "by the user against an LDAP directory. Works with the " + + "Dir/Pin Based Enrollment HTML form"); + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-authrules-uidpwdpindirauth"); } @@ -135,12 +122,12 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication protected MessageDigest mSHADigest = null; protected MessageDigest mMD5Digest = null; - private String mBindDN = null; - private String mBindPassword = null; + private String mBindDN = null; + private String mBindPassword = null; - private ILdapConnFactory removePinLdapFactory = null; - private LDAPConnection removePinLdapConnection = null; - private IConfigStore removePinLdapConfigStore = null; + private ILdapConnFactory removePinLdapFactory = null; + private LDAPConnection removePinLdapConnection = null; + private IConfigStore removePinLdapConfigStore = null; /** * Default constructor, initialization must follow. @@ -149,13 +136,11 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication super(); } - public void init(String name, String implName, IConfigStore config) - throws EBaseException { + public void init(String name, String implName, IConfigStore config) + throws EBaseException { super.init(name, implName, config); - mRemovePin = - config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN); - mPinAttr = - config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR); + mRemovePin = config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN); + mPinAttr = config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR); if (mPinAttr.equals("")) { mPinAttr = DEF_PIN_ATTR; } @@ -166,18 +151,19 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication removePinLdapFactory.init(removePinLdapConfigStore); removePinLdapConnection = removePinLdapFactory.getConn(); } - + try { mSHADigest = MessageDigest.getInstance("SHA1"); mMD5Digest = MessageDigest.getInstance("MD5"); } catch (NoSuchAlgorithmException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); } } protected void verifyPassword(String Password) { - } + } /** * Authenticates a user based on its uid, pwd, pin in the directory. @@ -185,66 +171,74 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication * @param authCreds The authentication credentials with uid, pwd, pin. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, AuthToken token) throws EBaseException { String userdn = null; - String uid = null; - String pwd = null; - String pin = null; + String uid = null; + String pwd = null; + String pin = null; try { // get the uid. uid = (String) authCreds.get(CRED_UID); if (uid == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); } - + // get the password. pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); } if (pwd.equals("")) { // anonymous binding not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // get the pin. pin = (String) authCreds.get(CRED_PIN); if (pin == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN)); } if (pin.equals("")) { // empty pin not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // get user dn. - LDAPSearchResults res = conn.search(mBaseDN, - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); + LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, + "(uid=" + uid + ")", null, false); if (res.hasMoreElements()) { LDAPEntry entry = (LDAPEntry) res.nextElement(); userdn = entry.getDN(); } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // bind as user dn and pwd - authenticates user with pwd. conn.authenticate(userdn, pwd); - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid)); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid)); // log(ILogger.LL_SECURITY, "found user : " + userdn); - // check pin. + // check pin. checkpin(conn, userdn, uid, pin); // set uid in the token. @@ -252,132 +246,151 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication return userdn; } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.SERVER_DOWN: log(ILogger.LL_SECURITY, CMS.getLogMessage("LDAP_SERVER_DOWN")); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - - default: - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); - throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + + conn.getPort())); + + default: + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); + throw new ELdapException(CMS.getUserMessage( + "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString())); } - } + } } - protected void checkpin(LDAPConnection conn, String userdn, - String uid, String pin) - throws EBaseException, LDAPException { + protected void checkpin(LDAPConnection conn, String userdn, String uid, + String pin) throws EBaseException, LDAPException { LDAPSearchResults res = null; LDAPEntry entry = null; // get pin. - res = conn.search(userdn, LDAPv2.SCOPE_BASE, - "(objectclass=*)", new String[] { mPinAttr }, false); + res = conn.search(userdn, LDAPv2.SCOPE_BASE, "(objectclass=*)", + new String[] { mPinAttr }, false); if (res.hasMoreElements()) { entry = (LDAPEntry) res.nextElement(); } else { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, CMS.getLogMessage( + "CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } LDAPAttribute pinAttr = entry.getAttribute(mPinAttr); if (pinAttr == null) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } Enumeration pinValues = pinAttr.getByteValues(); if (!pinValues.hasMoreElements()) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - byte[] entrypin = (byte[]) pinValues.nextElement(); + byte[] entrypin = (byte[]) pinValues.nextElement(); // compare value digest. if (entrypin == null || entrypin.length < 2) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + byte hashtype = entrypin[0]; byte[] pinDigest = null; String toBeDigested = userdn + pin; if (hashtype == SENTINEL_SHA) { - + pinDigest = mSHADigest.digest(toBeDigested.getBytes()); } else if (hashtype == SENTINEL_MD5) { pinDigest = mMD5Digest.digest(toBeDigested.getBytes()); } else if (hashtype == SENTINEL_NONE) { pinDigest = toBeDigested.getBytes(); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } if (pinDigest.length != (entrypin.length - 1)) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } int i; for (i = 0; i < (entrypin.length - 1); i++) { - if (pinDigest[i] != entrypin[i + 1]) + if (pinDigest[i] != entrypin[i + 1]) break; } if (i != (entrypin.length - 1)) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid)); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } // pin ok. remove pin if so configured // Note that this means that a policy may reject this request later, // but the user will not be able to enroll again as his pin is gone. - + // We remove the pin using a different connection which is bound as // a more privileged user. if (mRemovePin) { try { - removePinLdapConnection.modify(userdn, - new LDAPModification( - LDAPModification.DELETE, - new LDAPAttribute(mPinAttr, entrypin))); + removePinLdapConnection.modify(userdn, new LDAPModification( + LDAPModification.DELETE, new LDAPAttribute(mPinAttr, + entrypin))); } catch (LDAPException e) { - log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn)); + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn)); } } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -386,6 +399,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -395,21 +409,23 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** * Retrieves the localizable name of this policy. */ public String getName(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME"); + return CMS.getUserMessage(locale, + "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME"); } /** * Retrieves the localizable description of this policy. */ public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT"); + return CMS.getUserMessage(locale, + "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT"); } /** @@ -434,8 +450,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication } /** - * Retrieves the descriptor of the given value - * parameter by name. + * Retrieves the descriptor of the given value parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { if (name.equals(CRED_UID)) { @@ -453,7 +468,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(USER_DN)); } @@ -462,4 +477,3 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication return false; } } - |