summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java252
1 files changed, 252 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
new file mode 100644
index 000000000..c3b2a5ddc
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -0,0 +1,252 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CAEnrollProfile extends EnrollProfile {
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+
+
+ public CAEnrollProfile() {
+ super();
+ }
+
+ public IAuthority getAuthority() {
+ IAuthority authority = (IAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+
+ if (authority == null)
+ return null;
+ return authority;
+ }
+
+ public X500Name getIssuerName() {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ X500Name issuerName = ca.getX500Name();
+
+ return issuerName;
+ }
+
+ public void execute(IRequest request)
+ throws EProfileException {
+
+ long startTime = CMS.getCurrentDate().getTime();
+
+ if (!isEnable()) {
+ CMS.debug("CAEnrollProfile: Profile Not Enabled");
+ throw new EProfileException("Profile Not Enabled");
+ }
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID(request);
+ String auditArchiveID = ILogger.UNIDENTIFIED;
+
+
+ String id = request.getRequestId().toString();
+ if (id != null) {
+ auditArchiveID = id.trim();
+ }
+
+ CMS.debug("CAEnrollProfile: execute reqId=" +
+ request.getRequestId().toString());
+ ICertificateAuthority ca = (ICertificateAuthority) getAuthority();
+ ICAService caService = (ICAService) ca.getCAService();
+
+ if (caService == null) {
+ throw new EProfileException("No CA Service");
+ }
+
+ // if PKI Archive Option present, send this request
+ // to DRM
+ byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS);
+
+ // do not archive keys for renewal requests
+ if ((optionsData != null) && (!request.getRequestType().equals(IRequest.RENEWAL_REQUEST))) {
+ PKIArchiveOptions options = (PKIArchiveOptions)
+ toPKIArchiveOptions(optionsData);
+
+ if (options != null) {
+ CMS.debug("CAEnrollProfile: execute found " +
+ "PKIArchiveOptions");
+ try {
+ IConnector kraConnector = caService.getKRAConnector();
+
+ if (kraConnector == null) {
+ CMS.debug("CAEnrollProfile: KRA connector " +
+ "not configured");
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ } else {
+ CMS.debug("CAEnrollProfile: execute send request");
+ kraConnector.send(request);
+
+
+
+ // check response
+ if (!request.isSuccess()) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new ERejectException(
+ request.getError(getLocale(request)));
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ }
+ } catch (Exception e) {
+
+
+ if (e instanceof ERejectException) {
+ throw (ERejectException) e;
+ }
+ CMS.debug("CAEnrollProfile: " + e.toString());
+ CMS.debug(e);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EProfileException(e.toString());
+ }
+ }
+ }
+
+ // process certificate issuance
+ X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
+ X509CertImpl theCert = null;
+
+ // #615460 - added audit log (transaction)
+ SessionContext sc = SessionContext.getExistingContext();
+ sc.put("profileId", getId());
+ String setId = request.getExtDataInString("profileSetId");
+ if (setId != null) {
+ sc.put("profileSetId", setId);
+ }
+
+ try {
+ theCert = caService.issueX509Cert(info, getId() /* profileId */,
+ id /* requestId */);
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+
+ throw new EProfileException(e.toString());
+ }
+ request.setExtData(REQUEST_ISSUED_CERT, theCert);
+
+ long endTime = CMS.getCurrentDate().getTime();
+
+ String initiative = AuditFormat.FROMAGENT
+ + " userID: "
+ + (String)sc.get(SessionContext.USER_ID);
+ String authMgr = (String)sc.get(SessionContext.AUTH_MANAGER_ID);
+
+ ILogger logger = CMS.getLogger();
+ if( logger != null ) {
+ logger.log( ILogger.EV_AUDIT,
+ ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.FORMAT,
+ new Object[] {
+ request.getRequestType(),
+ request.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ theCert.getSubjectDN(),
+ "cert issued serial number: 0x" +
+ theCert.getSerialNumber().toString(16) +
+ " time: " + (endTime - startTime) }
+ );
+ }
+
+ request.setRequestStatus(RequestStatus.COMPLETE);
+
+ // notifies updater plugins
+ Enumeration updaterIds = getProfileUpdaterIds();
+ while (updaterIds.hasMoreElements()) {
+ String updaterId = (String)updaterIds.nextElement();
+ IProfileUpdater updater = getProfileUpdater(updaterId);
+ updater.update(request, RequestStatus.COMPLETE);
+ }
+
+ // set value for predicate value - checking in getRule
+ if (CMS.isEncryptionCert(theCert))
+ request.setExtData("isEncryptionCert", "true");
+ else
+ request.setExtData("isEncryptionCert", "false");
+ }
+}
+
generated by cgit (git 2.34.1) at 2024-04-25 13:09:22 +0000