Diffstat (limited to 'pki/base/common/src/com/netscape/cms/profile/common')
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/BasicProfile.java1186
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java147
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java252
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java1403
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java36
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/ProfileContext.java41
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java53
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java138
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java135
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java137
10 files changed, 3528 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/BasicProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/BasicProfile.java
new file mode 100644
index 000000000..aac1bb3c0
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/BasicProfile.java
@@ -0,0 +1,1186 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.registry.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+
+/**
+ * This class implements a basic profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class BasicProfile implements IProfile {
+
+ public static final String PROP_ENABLE = "enable";
+ public static final String PROP_ENABLE_BY = "enableBy";
+ public static final String PROP_IS_RENEWAL = "renewal";
+ public static final String PROP_XML_OUTPUT = "xmlOutput";
+ public static final String PROP_VISIBLE = "visible";
+ public static final String PROP_INPUT_LIST = "list";
+ public static final String PROP_OUTPUT_LIST = "list";
+ public static final String PROP_UPDATER_LIST = "list";
+ public static final String PROP_POLICY_LIST = "list";
+ public static final String PROP_DEFAULT = "default";
+ public static final String PROP_CONSTRAINT = "constraint";
+ public static final String PROP_INPUT = "input";
+ public static final String PROP_OUTPUT = "output";
+ public static final String PROP_CLASS_ID = "class_id";
+ public static final String PROP_INSTANCE_ID = "instance_id";
+ public static final String PROP_PARAMS = "params";
+ public static final String PROP_NAME = "name";
+ public static final String PROP_DESC = "desc";
+ public static final String PROP_NO_DEFAULT = "noDefaultImpl";
+ public static final String PROP_NO_CONSTRAINT= "noConstraintImpl";
+ public static final String PROP_GENERIC_EXT_DEFAULT= "genericExtDefaultImpl";
+
+ protected IProfileSubsystem mOwner = null;
+ protected IConfigStore mConfig = null;
+ protected IPluginRegistry mRegistry = null;
+
+ protected Vector mInputNames = new Vector();
+ protected Hashtable mInputs = new Hashtable();
+ protected Vector mInputIds = new Vector();
+ protected Hashtable mOutputs = new Hashtable();
+ protected Vector mOutputIds = new Vector();
+ protected Hashtable mUpdaters = new Hashtable();
+ protected Vector mUpdaterIds = new Vector();
+ protected IProfileAuthenticator mAuthenticator = null;
+ protected String mAuthInstanceId = null;
+ protected String mId = null;
+ protected String mAuthzAcl = "";
+
+ protected Hashtable mPolicySet = new Hashtable();
+
+ protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
+ public BasicProfile() {
+ }
+
+ public boolean isEnable() {
+ try {
+ return mConfig.getBoolean(PROP_ENABLE, false);
+ } catch (EBaseException e) {
+ return false;
+ }
+ }
+
+ public String isRenewal() {
+ try {
+ return mConfig.getString(PROP_IS_RENEWAL, "false");
+ } catch (EBaseException e) {
+ return "false";
+ }
+ }
+
+ public String isXmlOutput() {
+ try {
+ return mConfig.getString(PROP_XML_OUTPUT, "false");
+ } catch (EBaseException e) {
+ return "false";
+ }
+ }
+
+ public String getApprovedBy() {
+ try {
+ return mConfig.getString(PROP_ENABLE_BY, "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ public void setId(String id) {
+ mId = id;
+ }
+
+ public String getId() {
+ return mId;
+ }
+
+ public IProfileAuthenticator getAuthenticator() throws EProfileException {
+ try {
+ IAuthSubsystem authSub = (IAuthSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IProfileAuthenticator auth = (IProfileAuthenticator)
+ authSub.get(mAuthInstanceId);
+
+ if (mAuthInstanceId != null && mAuthInstanceId.length() > 0
+ && auth == null) {
+ throw new EProfileException("Cannot load " +
+ mAuthInstanceId);
+ }
+ return auth;
+ } catch (Exception e) {
+ if (mAuthInstanceId != null) {
+ throw new EProfileException("Cannot load " +
+ mAuthInstanceId);
+ }
+ return null;
+ }
+ }
+
+ public String getRequestorDN(IRequest request) {
+ return null;
+ }
+
+ public String getAuthenticatorId() {
+ return mAuthInstanceId;
+ }
+
+ public void setAuthenticatorId(String id) {
+ mAuthInstanceId = id;
+ mConfig.putString("auth." + PROP_INSTANCE_ID, id);
+ }
+
+ public String getAuthzAcl() {
+ return mAuthzAcl;
+ }
+
+ /**
+ * Initializes this profile.
+ */
+ public void init(IProfileSubsystem owner, IConfigStore config)
+ throws EBaseException {
+ CMS.debug("BasicProfile: start init");
+ mOwner = owner;
+ mConfig = config;
+
+ mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+
+ // Configure File Formats:
+ // visible
+ // auth.class_id=NoAuthImpl
+ // auth.params.x1=x1
+ // input.list=i1,i2,...
+ // input.i1.class=com.netscape.cms.profile.input.CertReqInput
+ // input.i1.params.x1=x1
+ // policy.list=p1,p2,...
+ // policy.p1.enable=true
+ // policy.p1.default.class=com.netscape.cms.profile.defaults.SubjectName
+ // policy.p1.default.params.x1=x1
+ // policy.p1.default.params.x2=x2
+ // policy.p1.constraint.class= ... .cms.profile.constraints.ValidityRange
+ // policy.p1.constraint.params.x1=x1
+ // policy.p1.constraint.params.x2=x2
+
+ // handle profile authentication plugins
+ try {
+ mAuthInstanceId = config.getString("auth." + PROP_INSTANCE_ID, null);
+ mAuthzAcl = config.getString("authz.acl", "");
+ } catch (EBaseException e) {
+ CMS.debug("BasicProfile: authentication class not found " +
+ e.toString());
+ }
+
+ // handle profile input plugins
+ IConfigStore inputStore = config.getSubStore("input");
+ String input_list = inputStore.getString(PROP_INPUT_LIST, "");
+ StringTokenizer input_st = new StringTokenizer(input_list, ",");
+
+ while (input_st.hasMoreTokens()) {
+ String input_id = (String) input_st.nextToken();
+ String inputClassId = inputStore.getString(input_id + "." +
+ PROP_CLASS_ID);
+ IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput",
+ inputClassId);
+ String inputClass = inputInfo.getClassName();
+
+ IProfileInput input = null;
+
+ try {
+ input = (IProfileInput)
+ Class.forName(inputClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug("BasicProfile: input plugin Class.forName " +
+ inputClass + " " + e.toString());
+ throw new EBaseException( e.toString() );
+ }
+ IConfigStore inputConfig = inputStore.getSubStore(input_id);
+ input.init(this, inputConfig);
+ mInputs.put(input_id, input);
+ mInputIds.addElement(input_id);
+ }
+
+ // handle profile output plugins
+ IConfigStore outputStore = config.getSubStore("output");
+ String output_list = outputStore.getString(PROP_OUTPUT_LIST, "");
+ StringTokenizer output_st = new StringTokenizer(output_list, ",");
+
+ while (output_st.hasMoreTokens()) {
+ String output_id = (String) output_st.nextToken();
+
+ String outputClassId = outputStore.getString(output_id + "." +
+ PROP_CLASS_ID);
+ IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput",
+ outputClassId);
+ String outputClass = outputInfo.getClassName();
+
+ IProfileOutput output = null;
+
+ try {
+ output = (IProfileOutput)
+ Class.forName(outputClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug("BasicProfile: output plugin Class.forName " +
+ outputClass + " " + e.toString());
+ throw new EBaseException( e.toString() );
+ }
+ IConfigStore outputConfig = outputStore.getSubStore(output_id);
+ output.init(this, outputConfig);
+ mOutputs.put(output_id, output);
+ mOutputIds.addElement(output_id);
+ }
+
+ // handle profile output plugins
+ IConfigStore updaterStore = config.getSubStore("updater");
+ String updater_list = updaterStore.getString(PROP_UPDATER_LIST, "");
+ StringTokenizer updater_st = new StringTokenizer(updater_list, ",");
+
+ while (updater_st.hasMoreTokens()) {
+ String updater_id = (String) updater_st.nextToken();
+
+ String updaterClassId = updaterStore.getString(updater_id + "." +
+ PROP_CLASS_ID);
+ IPluginInfo updaterInfo = mRegistry.getPluginInfo("profileUpdater",
+ updaterClassId);
+ String updaterClass = updaterInfo.getClassName();
+
+ IProfileUpdater updater = null;
+
+ try {
+ updater = (IProfileUpdater)
+ Class.forName(updaterClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug("BasicProfile: updater plugin Class.forName " +
+ updaterClass + " " + e.toString());
+ throw new EBaseException( e.toString() );
+ }
+ IConfigStore updaterConfig = updaterStore.getSubStore(updater_id);
+ updater.init(this, updaterConfig);
+ mUpdaters.put(updater_id, updater);
+ mUpdaterIds.addElement(updater_id);
+ }
+
+ // handle profile policy plugins
+ IConfigStore policySetStore = config.getSubStore("policyset");
+ String setlist = policySetStore.getString("list", "");
+ StringTokenizer st = new StringTokenizer(setlist, ",");
+
+ while (st.hasMoreTokens()) {
+ String setId = (String) st.nextToken();
+
+ IConfigStore policyStore = policySetStore.getSubStore(setId);
+ String list = policyStore.getString(PROP_POLICY_LIST, "");
+ StringTokenizer st1 = new StringTokenizer(list, ",");
+
+ while (st1.hasMoreTokens()) {
+ String id = (String) st1.nextToken();
+
+ String defaultRoot = id + "." + PROP_DEFAULT;
+ String defaultClassId = policyStore.getString(defaultRoot + "." +
+ PROP_CLASS_ID);
+
+ String constraintRoot = id + "." + PROP_CONSTRAINT;
+ String constraintClassId =
+ policyStore.getString(constraintRoot + "." + PROP_CLASS_ID);
+
+ createProfilePolicy(setId, id, defaultClassId,
+ constraintClassId, false);
+ }
+ }
+ CMS.debug("BasicProfile: done init");
+ }
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ public Enumeration getInputNames() {
+ return mInputNames.elements();
+ }
+
+ public Enumeration getProfileUpdaterIds() {
+ return mUpdaterIds.elements(); // ordered list
+ }
+
+ public IProfileUpdater getProfileUpdater(String name) {
+ return (IProfileUpdater) mUpdaters.get(name);
+ }
+
+ public Enumeration getProfileOutputIds() {
+ return mOutputIds.elements(); // ordered list
+ }
+
+ public IProfileOutput getProfileOutput(String name) {
+ return (IProfileOutput) mOutputs.get(name);
+ }
+
+ public Enumeration getProfileInputIds() {
+ return mInputIds.elements(); // ordered list
+ }
+
+ public IProfileInput getProfileInput(String name) {
+ return (IProfileInput) mInputs.get(name);
+ }
+
+ public void addInputName(String name) {
+ mInputNames.addElement(name);
+ }
+
+ public IDescriptor getInputDescriptor(String name) {
+ return null;
+ }
+
+ public String getInput(String name, Locale locale, IRequest request)
+ throws EProfileException {
+ return null;
+ }
+
+ public void setInput(String name, Locale locale, IRequest request,
+ String value) throws EProfileException {
+ }
+
+ public Enumeration getProfilePolicySetIds() {
+ return mPolicySet.keys();
+ }
+
+ public void deleteProfilePolicy(String setId, String policyId)
+ throws EProfileException {
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ if (policies == null) {
+ return;
+ }
+ try {
+ IConfigStore policySetSubStore = mConfig.getSubStore("policyset");
+ IConfigStore policySubStore = policySetSubStore.getSubStore(setId);
+
+ policySubStore.removeSubStore(policyId);
+ String list = policySubStore.getString(PROP_POLICY_LIST, null);
+ StringTokenizer st = new StringTokenizer(list, ",");
+ String newlist = "";
+ StringBuffer sb = new StringBuffer();
+
+ while (st.hasMoreTokens()) {
+ String e = st.nextToken();
+
+ if (!e.equals(policyId)) {
+ sb.append(e);
+ sb.append(",");
+ }
+ }
+ newlist = sb.toString();
+ if (!newlist.equals("")) {
+ newlist = newlist.substring(0, newlist.length() - 1);
+ policySubStore.putString(PROP_POLICY_LIST, newlist);
+ } else {
+ policySetSubStore.removeSubStore(setId);
+ }
+
+ int size = policies.size();
+ boolean found = false;
+
+ for (int i = 0; i < size; i++) {
+ ProfilePolicy policy = (ProfilePolicy) policies.elementAt(i);
+ String id = policy.getId();
+
+ if (id.equals(policyId)) {
+ policies.removeElementAt(i);
+ if (size == 1) {
+ mPolicySet.remove(setId);
+ String setlist = policySetSubStore.getString(PROP_POLICY_LIST, null);
+ StringTokenizer st1 = new StringTokenizer(setlist, ",");
+ String newlist1 = "";
+
+ while (st1.hasMoreTokens()) {
+ String e = st1.nextToken();
+
+ if (!e.equals(setId))
+ newlist1 = newlist1 + e + ",";
+ }
+ if (!newlist1.equals(""))
+ newlist1 = newlist1.substring(0, newlist1.length() - 1);
+ policySetSubStore.putString(PROP_POLICY_LIST, newlist1);
+ }
+ break;
+ }
+ }
+
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ mConfig.commit(false);
+ } catch (Exception e) {
+ }
+
+ }
+
+ public void deleteProfileInput(String inputId) throws EProfileException {
+ try {
+ mConfig.removeSubStore("input." + inputId);
+ String list = mConfig.getString("input." + PROP_INPUT_LIST, null);
+ StringTokenizer st = new StringTokenizer(list, ",");
+ String newlist = "";
+ StringBuffer sb = new StringBuffer();
+
+ while (st.hasMoreTokens()) {
+ String e = st.nextToken();
+
+ if (!e.equals(inputId)) {
+ sb.append(e);
+ sb.append(",");
+ }
+ }
+ newlist = sb.toString();
+ if (!newlist.equals(""))
+ newlist = newlist.substring(0, newlist.length() - 1);
+
+ int size = mInputIds.size();
+ boolean found = false;
+
+ for (int i = 0; i < size; i++) {
+ String id = (String) mInputIds.elementAt(i);
+
+ if (id.equals(inputId)) {
+ mInputIds.removeElementAt(i);
+ break;
+ }
+ }
+
+ mInputs.remove(inputId);
+ mConfig.putString("input." + PROP_INPUT_LIST, newlist);
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ mConfig.commit(false);
+ } catch (Exception e) {
+ }
+ }
+
+ public void deleteProfileOutput(String outputId) throws EProfileException {
+ try {
+ mConfig.removeSubStore("output." + outputId);
+ String list = mConfig.getString("output." + PROP_OUTPUT_LIST, null);
+ StringTokenizer st = new StringTokenizer(list, ",");
+ String newlist = "";
+ StringBuffer sb = new StringBuffer();
+
+ while (st.hasMoreTokens()) {
+ String e = st.nextToken();
+
+ if (!e.equals(outputId)) {
+ sb.append(e);
+ sb.append(",");
+ }
+ }
+ newlist = sb.toString();
+ if (!newlist.equals(""))
+ newlist = newlist.substring(0, newlist.length() - 1);
+
+ int size = mOutputIds.size();
+ boolean found = false;
+
+ for (int i = 0; i < size; i++) {
+ String id = (String) mOutputIds.elementAt(i);
+
+ if (id.equals(outputId)) {
+ mOutputIds.removeElementAt(i);
+ break;
+ }
+ }
+
+ mOutputs.remove(outputId);
+ mConfig.putString("output." + PROP_OUTPUT_LIST, newlist);
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ mConfig.commit(false);
+ } catch (Exception e) {
+ }
+ }
+
+ public IProfileOutput createProfileOutput(String id, String outputId,
+ NameValuePairs nvps)
+ throws EProfileException {
+ return createProfileOutput(id, outputId, nvps, true);
+ }
+
+ public IProfileOutput createProfileOutput(String id, String outputId,
+ NameValuePairs nvps, boolean createConfig)
+
+
+ throws EProfileException {
+ IConfigStore outputStore = mConfig.getSubStore("output");
+ String output_list = null;
+
+ try {
+ output_list = outputStore.getString(PROP_OUTPUT_LIST, "");
+ } catch (Exception ee) {
+ }
+
+ IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput",
+ outputId);
+
+ if (outputInfo == null) {
+ CMS.debug("Cannot find " + outputId);
+ throw new EProfileException("Cannot find " + outputId);
+ }
+ String outputClass = outputInfo.getClassName();
+
+ CMS.debug("BasicProfile: loading output class " + outputClass);
+ IProfileOutput output = null;
+
+ try {
+ output = (IProfileOutput)
+ Class.forName(outputClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug(e.toString());
+ }
+ if (output == null) {
+ CMS.debug("BasicProfile: failed to create " + outputClass);
+ } else {
+ CMS.debug("BasicProfile: initing " + id + " output");
+
+ CMS.debug("BasicProfile: outputStore " + outputStore);
+ output.init(this, outputStore);
+
+ mOutputs.put(id, output);
+ mOutputIds.addElement(id);
+ }
+
+ if (createConfig) {
+ String list = null;
+
+ try {
+ list = outputStore.getString(PROP_OUTPUT_LIST, null);
+ } catch (EBaseException e) {
+ }
+ if (list == null || list.equals("")) {
+ outputStore.putString(PROP_OUTPUT_LIST, id);
+ } else {
+ StringTokenizer st1 = new StringTokenizer(list, ",");
+
+ while (st1.hasMoreTokens()) {
+ String pid = st1.nextToken();
+
+ if (pid.equals(id)) {
+ throw new EProfileException("Duplicate output id: " + id);
+ }
+ }
+ outputStore.putString(PROP_OUTPUT_LIST, list + "," + id);
+ }
+ String prefix = id + ".";
+
+ outputStore.putString(prefix + "name",
+ outputInfo.getName(Locale.getDefault()));
+ outputStore.putString(prefix + "class_id", outputId);
+
+ Enumeration enum1 = nvps.getNames();
+
+ while (enum1.hasMoreElements()) {
+ String name = (String) enum1.nextElement();
+
+ outputStore.putString(prefix + "params." + name, nvps.getValue(name));
+ try {
+ if (output != null) {
+ output.setConfig(name, nvps.getValue(name));
+ }
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+ }
+ }
+
+ try {
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ mConfig.commit(false);
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+ }
+ }
+
+ return output;
+ }
+
+ public IProfileInput createProfileInput(String id, String inputId,
+ NameValuePairs nvps)
+ throws EProfileException {
+ return createProfileInput(id, inputId, nvps, true);
+ }
+
+ public IProfileInput createProfileInput(String id, String inputId,
+ NameValuePairs nvps, boolean createConfig)
+ throws EProfileException {
+ IConfigStore inputStore = mConfig.getSubStore("input");
+
+ String input_list = null;
+
+ try {
+ input_list = inputStore.getString(PROP_INPUT_LIST, "");
+ } catch (Exception ee) {
+ }
+
+ IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput",
+ inputId);
+
+ if (inputInfo == null) {
+ CMS.debug("Cannot find " + inputId);
+ throw new EProfileException("Cannot find " + inputId);
+ }
+ String inputClass = inputInfo.getClassName();
+
+ CMS.debug("BasicProfile: loading input class " + inputClass);
+ IProfileInput input = null;
+
+ try {
+ input = (IProfileInput)
+ Class.forName(inputClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug(e.toString());
+ }
+ if (input == null) {
+ CMS.debug("BasicProfile: failed to create " + inputClass);
+ } else {
+ CMS.debug("BasicProfile: initing " + id + " input");
+
+ CMS.debug("BasicProfile: inputStore " + inputStore);
+ input.init(this, inputStore);
+
+ mInputs.put(id, input);
+ mInputIds.addElement(id);
+ }
+
+ if (createConfig) {
+ String list = null;
+
+ try {
+ list = inputStore.getString(PROP_INPUT_LIST, null);
+ } catch (EBaseException e) {
+ }
+ if (list == null || list.equals("")) {
+ inputStore.putString(PROP_INPUT_LIST, id);
+ } else {
+ StringTokenizer st1 = new StringTokenizer(list, ",");
+
+ while (st1.hasMoreTokens()) {
+ String pid = st1.nextToken();
+
+ if (pid.equals(id)) {
+ throw new EProfileException("Duplicate input id: " + id);
+ }
+ }
+ inputStore.putString(PROP_INPUT_LIST, list + "," + id);
+ }
+ String prefix = id + ".";
+
+ inputStore.putString(prefix + "name",
+ inputInfo.getName(Locale.getDefault()));
+ inputStore.putString(prefix + "class_id", inputId);
+
+ Enumeration enum1 = nvps.getNames();
+
+ while (enum1.hasMoreElements()) {
+ String name = (String) enum1.nextElement();
+
+ inputStore.putString(prefix + "params." + name, nvps.getValue(name));
+ try {
+ if (input != null) {
+ input.setConfig(name, nvps.getValue(name));
+ }
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+ }
+ }
+
+ try {
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ mConfig.commit(false);
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+ }
+ }
+
+ return input;
+ }
+
+ /**
+ * Creates a profile policy
+ */
+ public IProfilePolicy createProfilePolicy(String setId, String id,
+ String defaultClassId, String constraintClassId)
+ throws EProfileException {
+ return createProfilePolicy(setId, id, defaultClassId,
+ constraintClassId, true);
+ }
+
+ public IProfilePolicy createProfilePolicy(String setId, String id,
+ String defaultClassId, String constraintClassId,
+ boolean createConfig)
+ throws EProfileException {
+
+ // String setId ex: policyset.set1
+ // String id Id of policy : examples: p1,p2,p3
+ // String defaultClassId : id of the default plugin ex: validityDefaultImpl
+ // String constraintClassId : if of the constraint plugin ex: basicConstraintsExtConstraintImpl
+ // boolean createConfig : true : being called from the console. false: being called from server startup code
+
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ IConfigStore policyStore = mConfig.getSubStore("policyset." + setId);
+ if (policies == null) {
+ policies = new Vector();
+ mPolicySet.put(setId, policies);
+ if (createConfig) {
+ // re-create policyset.list
+ StringBuffer setlist =new StringBuffer();
+ Enumeration keys = mPolicySet.keys();
+
+ while (keys.hasMoreElements()) {
+ String k = (String) keys.nextElement();
+
+ if (!(setlist.toString()).equals("")) {
+ setlist.append(",");
+ }
+ setlist.append(k);
+ }
+ mConfig.putString("policyset.list", setlist.toString());
+ }
+ } else {
+ String ids = null;
+
+ try {
+ ids = policyStore.getString(PROP_POLICY_LIST, "");
+ } catch (Exception ee) {
+ }
+
+ if( ids == null ) {
+ CMS.debug("BasicProfile::createProfilePolicy() - ids is null!" );
+ return null;
+ }
+
+ StringTokenizer st1 = new StringTokenizer(ids, ",");
+ int appearances = 0;
+ int appearancesTooMany = 0;
+ if (createConfig)
+ appearancesTooMany = 1;
+ else
+ appearancesTooMany = 2;
+
+ while (st1.hasMoreTokens()) {
+ String pid = st1.nextToken();
+ if (pid.equals(id)) {
+ appearances++;
+ if (appearances >= appearancesTooMany) {
+ CMS.debug("WARNING detected duplicate policy id: " + id + " Profile: " + mId);
+ if (createConfig) {
+ throw new EProfileException("Duplicate policy id: " + id);
+ }
+ }
+ }
+ }
+ }
+
+ // Now make sure we aren't trying to add a policy that already exists
+ IConfigStore policySetStore = mConfig.getSubStore("policyset");
+ String setlist = null;
+ try {
+ setlist = policySetStore.getString("list", "");
+ } catch (Exception e) {
+ }
+ StringTokenizer st = new StringTokenizer(setlist, ",");
+
+ int matches = 0;
+ while (st.hasMoreTokens()) {
+ String sId = (String) st.nextToken();
+
+ //Only search the setId set. Ex: encryptionCertSet
+ if (!sId.equals(setId)) {
+ continue;
+ }
+ IConfigStore pStore = policySetStore.getSubStore(sId);
+
+ String list = null;
+ try {
+ list = pStore.getString(PROP_POLICY_LIST, "");
+ } catch (Exception e) {
+ CMS.debug("WARNING, can't get policy id list!");
+ }
+
+ StringTokenizer st1 = new StringTokenizer(list, ",");
+
+ while (st1.hasMoreTokens()) {
+ String curId = (String) st1.nextToken();
+
+ String defaultRoot = curId + "." + PROP_DEFAULT;
+ String curDefaultClassId = null;
+ try {
+ curDefaultClassId = pStore.getString(defaultRoot + "." +
+ PROP_CLASS_ID);
+ } catch(Exception e) {
+ CMS.debug("WARNING, can't get default plugin id!");
+ }
+
+ String constraintRoot = curId + "." + PROP_CONSTRAINT;
+ String curConstraintClassId = null;
+ try {
+ curConstraintClassId = pStore.getString(constraintRoot + "." + PROP_CLASS_ID);
+ } catch (Exception e) {
+ CMS.debug("WARNING, can't get constraint plugin id!");
+ }
+
+ //Disallow duplicate defaults with the following exceptions:
+ // noDefaultImpl, genericExtDefaultImpl
+
+ if ((curDefaultClassId.equals(defaultClassId) &&
+ !curDefaultClassId.equals(PROP_NO_DEFAULT) &&
+ !curDefaultClassId.equals(PROP_GENERIC_EXT_DEFAULT)) ) {
+
+ matches++;
+ if (createConfig) {
+ if (matches == 1) {
+ CMS.debug("WARNING attempt to add duplicate Policy " + defaultClassId + ":" + constraintClassId +
+ " Contact System Administrator.");
+ throw new EProfileException("Attempt to add duplicate Policy : " + defaultClassId + ":" + constraintClassId);
+ }
+ } else {
+ if( matches > 1) {
+ CMS.debug("WARNING attempt to add duplicate Policy " + defaultClassId + ":" + constraintClassId +
+ " Contact System Administrator.");
+ }
+ }
+ }
+ }
+ }
+
+ String defaultRoot = id + "." + PROP_DEFAULT;
+ String constraintRoot = id + "." + PROP_CONSTRAINT;
+ IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy",
+ defaultClassId);
+
+ if (defInfo == null) {
+ CMS.debug("BasicProfile: Cannot find " + defaultClassId);
+ throw new EProfileException("Cannot find " + defaultClassId);
+ }
+ String defaultClass = defInfo.getClassName();
+
+ CMS.debug("BasicProfile: loading default class " + defaultClass);
+ IPolicyDefault def = null;
+
+ try {
+ def = (IPolicyDefault)
+ Class.forName(defaultClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug("BasicProfile: default policy " +
+ defaultClass + " " + e.toString());
+ }
+ if (def == null) {
+ CMS.debug("BasicProfile: failed to create " + defaultClass);
+ } else {
+ IConfigStore defStore = null;
+
+ defStore = policyStore.getSubStore(defaultRoot);
+ def.init(this, defStore);
+ }
+
+ IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy",
+ constraintClassId);
+ String constraintClass = conInfo.getClassName();
+ IPolicyConstraint constraint = null;
+
+ try {
+ constraint = (IPolicyConstraint)
+ Class.forName(constraintClass).newInstance();
+ } catch (Exception e) {
+ // throw Exception
+ CMS.debug("BasicProfile: constraint policy " +
+ constraintClass + " " + e.toString());
+ }
+ ProfilePolicy policy = null;
+ if (constraint == null) {
+ CMS.debug("BasicProfile: failed to create " + constraintClass);
+ } else {
+ IConfigStore conStore = null;
+
+ conStore = policyStore.getSubStore(constraintRoot);
+ constraint.init(this, conStore);
+ policy = new ProfilePolicy(id, def, constraint);
+ policies.addElement(policy);
+ }
+
+ if (createConfig) {
+ String list = null;
+
+ try {
+ list = policyStore.getString(PROP_POLICY_LIST, null);
+ } catch (EBaseException e) {
+ }
+ if (list == null || list.equals("")) {
+ policyStore.putString(PROP_POLICY_LIST, id);
+ } else {
+ policyStore.putString(PROP_POLICY_LIST, list + "," + id);
+ }
+ policyStore.putString(id + ".default.name",
+ defInfo.getName(Locale.getDefault()));
+ policyStore.putString(id + ".default.class_id",
+ defaultClassId);
+ policyStore.putString(id + ".constraint.name",
+ conInfo.getName(Locale.getDefault()));
+ policyStore.putString(id + ".constraint.class_id",
+ constraintClassId);
+ try {
+ mConfig.putString("lastModified",
+ Long.toString(CMS.getCurrentDate().getTime()));
+ policyStore.commit(false);
+ } catch (EBaseException e) {
+ CMS.debug("BasicProfile: commiting config store " +
+ e.toString());
+ }
+ }
+
+ return policy;
+ }
+
+ public IProfilePolicy getProfilePolicy(String setId, String id) {
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ if (policies == null)
+ return null;
+
+ for (int i = 0; i < policies.size(); i++) {
+ ProfilePolicy policy = (ProfilePolicy) policies.elementAt(i);
+
+ if (policy.getId().equals(id)) {
+ return policy;
+ }
+ }
+ return null;
+ }
+
+ public boolean isVisible() {
+ try {
+ return mConfig.getBoolean(PROP_VISIBLE, false);
+ } catch (EBaseException e) {
+ return false;
+ }
+ }
+
+ public void setVisible(boolean v) {
+ mConfig.putBoolean(PROP_VISIBLE, v);
+ }
+
+ /**
+ * Returns the profile name.
+ */
+ public String getName(Locale locale) {
+ try {
+ return mConfig.getString(PROP_NAME, "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ public void setName(Locale locale, String name) {
+ mConfig.putString(PROP_NAME, name);
+ }
+
+ public abstract IProfileContext createContext();
+
+ /**
+ * Creates request.
+ */
+ public abstract IRequest[] createRequests(IProfileContext ctx, Locale locale)
+ throws EProfileException;
+
+ /**
+ * Returns the profile description.
+ */
+ public String getDescription(Locale locale) {
+ try {
+ return mConfig.getString(PROP_DESC, "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ public void setDescription(Locale locale, String desc) {
+ mConfig.putString(PROP_DESC, desc);
+ }
+
+ public void populateInput(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ Enumeration ids = getProfileInputIds();
+
+ while (ids.hasMoreElements()) {
+ String id = (String) ids.nextElement();
+ IProfileInput input = getProfileInput(id);
+
+ input.populate(ctx, request);
+ }
+ }
+
+ public Vector getPolicies(String setId) {
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ return policies;
+ }
+
+ /**
+ * Passes the request to the set of default policies that
+ * populate the profile information against the profile.
+ */
+ public void populate(IRequest request)
+ throws EProfileException {
+ String setId = getPolicySetId(request);
+ Vector policies = getPolicies(setId);
+ CMS.debug("BasicProfile: populate() policy setid ="+ setId);
+
+ for (int i = 0; i < policies.size(); i++) {
+ ProfilePolicy policy = (ProfilePolicy)
+ policies.elementAt(i);
+
+ policy.getDefault().populate(request);
+ }
+ }
+
+ /**
+ * Passes the request to the set of constraint policies
+ * that validate the request against the profile.
+ */
+ public void validate(IRequest request)
+ throws ERejectException {
+ String setId = getPolicySetId(request);
+ CMS.debug("BasicProfile: validate start on setId="+ setId);
+ Vector policies = getPolicies(setId);
+
+ for (int i = 0; i < policies.size(); i++) {
+ ProfilePolicy policy = (ProfilePolicy)
+ policies.elementAt(i);
+
+ policy.getConstraint().validate(request);
+ }
+ CMS.debug("BasicProfile: change to pending state");
+ request.setRequestStatus(RequestStatus.PENDING);
+ CMS.debug("BasicProfile: validate end");
+ }
+
+ public Enumeration getProfilePolicies(String setId) {
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ if (policies == null)
+ return null;
+ return policies.elements();
+ }
+
+ public Enumeration getProfilePolicyIds(String setId) {
+ Vector policies = (Vector) mPolicySet.get(setId);
+
+ if (policies == null)
+ return null;
+
+ Vector v = new Vector();
+
+ for (int i = 0; i < policies.size(); i++) {
+ ProfilePolicy policy = (ProfilePolicy)
+ policies.elementAt(i);
+
+ v.addElement(policy.getId());
+ }
+ return v.elements();
+ }
+
+ public void execute(IRequest request)
+ throws EProfileException {
+ }
+
+ /**
+ * Signed Audit Log
+ *
+ * This method is inherited by all extended "BasicProfile"s,
+ * and is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ protected void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ /**
+ * Signed Audit Log Subject ID
+ *
+ * This method is inherited by all extended "BasicProfile"s,
+ * and is called to obtain the "SubjectID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ protected String auditSubjectID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+}
+
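Review bot: In createProfilePolicy a plugin that fails to instantiate is only debug-logged, so a profile whose constraint class cannot be loaded is still initialised with that constraint silently missing (`constraint == null` means the policy is never added to `policies`), while a failed default still reaches `new ProfilePolicy(id, def, constraint)` with `def == null` and later throws NullPointerException from `policy.getDefault().populate(request)` in populate(). On the startup path (createConfig=false) this is fail-open: init() already throws EBaseException when an input, output or updater class cannot be loaded, and the policy path should fail the same way rather than enable a profile with a missing check. I would replace the two debug-only branches with `if (def == null) throw new EProfileException("Cannot create default " + defaultClass);` and `if (constraint == null) throw new EProfileException("Cannot create constraint " + constraintClass);`, and guard `conInfo` the way `defInfo` is guarded (`if (conInfo == null) throw new EProfileException("Cannot find " + constraintClassId);`) so an unknown constraint id does not surface as an NPE on `conInfo.getClassName()`. Separately, the empty `catch (Exception e) {}` blocks in deleteProfilePolicy, deleteProfileInput and deleteProfileOutput hide a failed `mConfig.commit(false)` (and the NPE from `new StringTokenizer(null, ",")` when the list key is absent); they should at least `CMS.debug` the exception so a profile change that did not persist is visible.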
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
new file mode 100644
index 000000000..d525689bd
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
@@ -0,0 +1,147 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile for CA Certificates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CACertCAEnrollProfile extends CAEnrollProfile
+ implements IProfileEx {
+
+ /**
+ * Called after initialization. It populates default
+ * policies, inputs, and outputs.
+ */
+ public void populate() throws EBaseException
+ {
+ // create inputs
+ NameValuePairs inputParams1 = new NameValuePairs();
+ IProfileInput input1 =
+ createProfileInput("i1", "certReqInputImpl", inputParams1);
+ NameValuePairs inputParams2 = new NameValuePairs();
+ IProfileInput input2 =
+ createProfileInput("i2", "submitterInfoInputImpl", inputParams2);
+
+ // create outputs
+ NameValuePairs outputParams1 = new NameValuePairs();
+ IProfileOutput output1 =
+ createProfileOutput("o1", "certOutputImpl", outputParams1);
+
+ // create policies
+ IProfilePolicy policy1 =
+ createProfilePolicy("set1", "p1",
+ "userSubjectNameDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def1 = policy1.getDefault();
+ IConfigStore defConfig1 = def1.getConfigStore();
+ IPolicyConstraint con1 = policy1.getConstraint();
+ IConfigStore conConfig1 = con1.getConfigStore();
+
+ IProfilePolicy policy2 =
+ createProfilePolicy("set1", "p2",
+ "validityDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def2 = policy2.getDefault();
+ IConfigStore defConfig2 = def2.getConfigStore();
+ defConfig2.putString("params.range","180");
+ defConfig2.putString("params.startTime","0");
+ IPolicyConstraint con2 = policy2.getConstraint();
+ IConfigStore conConfig2 = con2.getConfigStore();
+
+ IProfilePolicy policy3 =
+ createProfilePolicy("set1", "p3",
+ "userKeyDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def3 = policy3.getDefault();
+ IConfigStore defConfig3 = def3.getConfigStore();
+ defConfig3.putString("params.keyType","RSA");
+ defConfig3.putString("params.keyMinLength","512");
+ defConfig3.putString("params.keyMaxLength","4096");
+ IPolicyConstraint con3 = policy3.getConstraint();
+ IConfigStore conConfig3 = con3.getConfigStore();
+
+ IProfilePolicy policy4 =
+ createProfilePolicy("set1", "p4",
+ "signingAlgDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def4 = policy4.getDefault();
+ IConfigStore defConfig4 = def4.getConfigStore();
+ defConfig4.putString("params.signingAlg","-");
+ defConfig4.putString("params.signingAlgsAllowed",
+ "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC");
+ IPolicyConstraint con4 = policy4.getConstraint();
+ IConfigStore conConfig4 = con4.getConfigStore();
+
+ // extensions
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+ "keyUsageExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def5 = policy5.getDefault();
+ IConfigStore defConfig5 = def5.getConfigStore();
+ defConfig5.putString("params.keyUsageCritical","true");
+ defConfig5.putString("params.keyUsageCrlSign","true");
+ defConfig5.putString("params.keyUsageDataEncipherment","false");
+ defConfig5.putString("params.keyUsageDecipherOnly","false");
+ defConfig5.putString("params.keyUsageDigitalSignature","true");
+ defConfig5.putString("params.keyUsageEncipherOnly","false");
+ defConfig5.putString("params.keyUsageKeyAgreement","false");
+ defConfig5.putString("params.keyUsageKeyCertSign","true");
+ defConfig5.putString("params.keyUsageKeyEncipherment","false");
+ defConfig5.putString("params.keyUsageNonRepudiation","true");
+ IPolicyConstraint con5 = policy5.getConstraint();
+ IConfigStore conConfig5 = con5.getConfigStore();
+
+ IProfilePolicy policy6 =
+ createProfilePolicy("set1", "p6",
+ "basicConstraintsExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def6 = policy6.getDefault();
+ IConfigStore defConfig6 = def6.getConfigStore();
+ defConfig6.putString("params.basicConstraintsPathLen","-1");
+ defConfig6.putString("params.basicConstraintsIsCA","true");
+ defConfig6.putString("params.basicConstraintsPathLen","-1");
+ IPolicyConstraint con6 = policy6.getConstraint();
+ IConfigStore conConfig6 = con6.getConfigStore();
+ }
+}
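Review bot: The defaults this CA-certificate profile writes accept weak algorithms: the `params.signingAlgsAllowed` value set under policy4 lists MD5withRSA and MD2withRSA, and `params.keyMinLength` under policy3 is "512", both well below what a CA signing certificate should accept; unless a constraint plugin not visible here tightens them, the MD2/MD5 entries should be dropped and the minimum raised, e.g. `defConfig3.putString("params.keyMinLength","2048");`. `params.basicConstraintsPathLen` is put twice in the policy6 block, so one of the two identical lines is redundant. The `defConfig1` and `conConfig1`..`conConfig6` locals are obtained but never used; if `getConfigStore()` is called for an effect, a short comment saying so would help, otherwise the unused locals can be removed.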
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
new file mode 100644
index 000000000..c3b2a5ddc
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -0,0 +1,252 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CAEnrollProfile extends EnrollProfile {
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+
+
+ public CAEnrollProfile() {
+ super();
+ }
+
+ public IAuthority getAuthority() {
+ IAuthority authority = (IAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+
+ if (authority == null)
+ return null;
+ return authority;
+ }
+
+ public X500Name getIssuerName() {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ X500Name issuerName = ca.getX500Name();
+
+ return issuerName;
+ }
+
+ public void execute(IRequest request)
+ throws EProfileException {
+
+ long startTime = CMS.getCurrentDate().getTime();
+
+ if (!isEnable()) {
+ CMS.debug("CAEnrollProfile: Profile Not Enabled");
+ throw new EProfileException("Profile Not Enabled");
+ }
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID(request);
+ String auditArchiveID = ILogger.UNIDENTIFIED;
+
+
+ String id = request.getRequestId().toString();
+ if (id != null) {
+ auditArchiveID = id.trim();
+ }
+
+ CMS.debug("CAEnrollProfile: execute reqId=" +
+ request.getRequestId().toString());
+ ICertificateAuthority ca = (ICertificateAuthority) getAuthority();
+ ICAService caService = (ICAService) ca.getCAService();
+
+ if (caService == null) {
+ throw new EProfileException("No CA Service");
+ }
+
+ // if PKI Archive Option present, send this request
+ // to DRM
+ byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS);
+
+ // do not archive keys for renewal requests
+ if ((optionsData != null) && (!request.getRequestType().equals(IRequest.RENEWAL_REQUEST))) {
+ PKIArchiveOptions options = (PKIArchiveOptions)
+ toPKIArchiveOptions(optionsData);
+
+ if (options != null) {
+ CMS.debug("CAEnrollProfile: execute found " +
+ "PKIArchiveOptions");
+ try {
+ IConnector kraConnector = caService.getKRAConnector();
+
+ if (kraConnector == null) {
+ CMS.debug("CAEnrollProfile: KRA connector " +
+ "not configured");
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ } else {
+ CMS.debug("CAEnrollProfile: execute send request");
+ kraConnector.send(request);
+
+
+
+ // check response
+ if (!request.isSuccess()) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new ERejectException(
+ request.getError(getLocale(request)));
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ }
+ } catch (Exception e) {
+
+
+ if (e instanceof ERejectException) {
+ throw (ERejectException) e;
+ }
+ CMS.debug("CAEnrollProfile: " + e.toString());
+ CMS.debug(e);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EProfileException(e.toString());
+ }
+ }
+ }
+
+ // process certificate issuance
+ X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
+ X509CertImpl theCert = null;
+
+ // #615460 - added audit log (transaction)
+ SessionContext sc = SessionContext.getExistingContext();
+ sc.put("profileId", getId());
+ String setId = request.getExtDataInString("profileSetId");
+ if (setId != null) {
+ sc.put("profileSetId", setId);
+ }
+
+ try {
+ theCert = caService.issueX509Cert(info, getId() /* profileId */,
+ id /* requestId */);
+ } catch (EBaseException e) {
+ CMS.debug(e.toString());
+
+ throw new EProfileException(e.toString());
+ }
+ request.setExtData(REQUEST_ISSUED_CERT, theCert);
+
+ long endTime = CMS.getCurrentDate().getTime();
+
+ String initiative = AuditFormat.FROMAGENT
+ + " userID: "
+ + (String)sc.get(SessionContext.USER_ID);
+ String authMgr = (String)sc.get(SessionContext.AUTH_MANAGER_ID);
+
+ ILogger logger = CMS.getLogger();
+ if( logger != null ) {
+ logger.log( ILogger.EV_AUDIT,
+ ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.FORMAT,
+ new Object[] {
+ request.getRequestType(),
+ request.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ theCert.getSubjectDN(),
+ "cert issued serial number: 0x" +
+ theCert.getSerialNumber().toString(16) +
+ " time: " + (endTime - startTime) }
+ );
+ }
+
+ request.setRequestStatus(RequestStatus.COMPLETE);
+
+ // notifies updater plugins
+ Enumeration updaterIds = getProfileUpdaterIds();
+ while (updaterIds.hasMoreElements()) {
+ String updaterId = (String)updaterIds.nextElement();
+ IProfileUpdater updater = getProfileUpdater(updaterId);
+ updater.update(request, RequestStatus.COMPLETE);
+ }
+
+ // set value for predicate value - checking in getRule
+ if (CMS.isEncryptionCert(theCert))
+ request.setExtData("isEncryptionCert", "true");
+ else
+ request.setExtData("isEncryptionCert", "false");
+ }
+}
+
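Review bot: `getAuthority()` explicitly returns null in its `if (authority == null) return null;` branch, yet execute() casts its result and immediately calls `ca.getCAService()` with no check, and `SessionContext.getExistingContext()` is dereferenced at `sc.put("profileId", getId());` even though the base class's auditSubjectID() treats a null context as a normal case; both paths would fail with a NullPointerException instead of the declared EProfileException. A guard such as `if (ca == null) { throw new EProfileException("No CA Authority"); }` before the `getCAService()` call, and a null check around the `sc.put`/`sc.get` uses, would keep failures on the documented exception path. When the KRA connector is null a FAILURE archive audit event is recorded but issuance continues, so a request that carried PKIArchiveOptions is fulfilled without its key being archived; if that is intended a comment at that branch should say so, otherwise it should throw like the `!request.isSuccess()` case does. The `catch (Exception e)` rethrows `new EProfileException(e.toString())`, discarding the cause; if EProfileException offers a cause-taking constructor, passing `e` would preserve the stack for incident analysis.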
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
new file mode 100644
index 000000000..b60b73c9a
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -0,0 +1,1403 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.CertificateException;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.cmsutil.util.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.Attribute;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.primitive.AVA;
+import org.mozilla.jss.pkix.crmf.*;
+import org.mozilla.jss.pkix.cmc.*;
+import org.mozilla.jss.pkcs10.*;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+
+
+/**
+ * This class implements a generic enrollment profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollProfile extends BasicProfile
+ implements IEnrollProfile {
+
+ private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+ private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+
+ private PKIData mCMCData;
+ public EnrollProfile() {
+ super();
+ }
+
+ public abstract IAuthority getAuthority();
+
+ public IRequestQueue getRequestQueue() {
+ IAuthority authority = getAuthority();
+
+ return authority.getRequestQueue();
+ }
+
+ public IProfileContext createContext() {
+ return new EnrollProfileContext();
+ }
+
+ /**
+ * Creates request.
+ */
+ public IRequest[] createRequests(IProfileContext context, Locale locale)
+ throws EProfileException {
+ EnrollProfileContext ctx = (EnrollProfileContext) context;
+
+ // determine how many requests should be created
+ String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE);
+ String cert_request = ctx.get(CTX_CERT_REQUEST);
+ String is_renewal = ctx.get(CTX_RENEWAL);
+ Integer renewal_seq_num = 0;
+
+ /* cert_request_type can be null for the case of CMC */
+ if (cert_request_type == null) {
+ CMS.debug("EnrollProfile: request type is null");
+ }
+
+ int num_requests = 1; // default to 1 request
+
+ if (cert_request_type != null && cert_request_type.startsWith("pkcs10")) {
+ // catch for invalid request
+ parsePKCS10(locale, cert_request);
+ }
+ if (cert_request_type != null && cert_request_type.startsWith("crmf")) {
+ CertReqMsg msgs[] = parseCRMF(locale, cert_request);
+
+ num_requests = msgs.length;
+ }
+ if (cert_request_type != null && cert_request_type.startsWith("cmc")) {
+ // catch for invalid request
+ TaggedRequest[] msgs = parseCMC(locale, cert_request);
+ if (msgs == null)
+ return null;
+ else
+ num_requests = msgs.length;
+ }
+
+ // only 1 request for renewal
+ if ((is_renewal != null) && (is_renewal.equals("true"))) {
+ num_requests = 1;
+ String renewal_seq_num_str = ctx.get(CTX_RENEWAL_SEQ_NUM);
+ if (renewal_seq_num_str != null) {
+ renewal_seq_num = Integer.parseInt(renewal_seq_num_str);
+ } else {
+ renewal_seq_num =0;
+ }
+ }
+
+
+ // populate requests with appropriate content
+ IRequest result[] = new IRequest[num_requests];
+
+ for (int i = 0; i < num_requests; i++) {
+ result[i] = createEnrollmentRequest();
+ if ((is_renewal != null) && (is_renewal.equals("true"))) {
+ result[i].setExtData(REQUEST_SEQ_NUM,renewal_seq_num);
+ } else {
+ result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i));
+ }
+ if (locale != null) {
+ result[i].setExtData(REQUEST_LOCALE, locale.getLanguage());
+ }
+ }
+ return result;
+ }
+
+ public abstract X500Name getIssuerName();
+
+ public void setDefaultCertInfo(IRequest req) throws EProfileException {
+ // create an empty certificate template so that
+ // default plugins that store stuff
+ X509CertInfo info = new X509CertInfo();
+
+ // retrieve issuer name
+ X500Name issuerName = getIssuerName();
+
+ byte[] dummykey = new byte[] {
+ 48, 92, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5,
+ 0, 3, 75, 0, 48, 72, 2, 65, 0, -65, 121, -119, -59, 105, 66,
+ -122, -78, -30, -64, 63, -47, 44, -48, -104, 103, -47, -108,
+ 42, -38, 46, -8, 32, 49, -29, -26, -112, -29, -86,71, 24,
+ -104, 78, -31, -75, -128, 90, -92, -34, -51, -125, -13, 80, 101,
+ -78, 39, -119, -38, 117, 28, 67, -19, -71, -124, -85, 105, -53,
+ -103, -59, -67, -38, -83, 118, 65, 2, 3, 1, 0, 1};
+ // default values into x509 certinfo. This thing is
+ // not serializable by default
+ try {
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
+ info.set(X509CertInfo.SERIAL_NUMBER,
+ new CertificateSerialNumber(new BigInteger("0")));
+ info.set(X509CertInfo.ISSUER,
+ new CertificateIssuerName(issuerName));
+ info.set(X509CertInfo.KEY,
+ new CertificateX509Key(X509Key.parse(new DerValue(dummykey))));
+ info.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(issuerName));
+ info.set(X509CertInfo.VALIDITY,
+ new CertificateValidity(new Date(), new Date()));
+ info.set(X509CertInfo.ALGORITHM_ID,
+ new CertificateAlgorithmId(
+ AlgorithmId.getAlgorithmId("MD5withRSA")));
+
+ // add default extension container
+ info.set(X509CertInfo.EXTENSIONS,
+ new CertificateExtensions());
+ } catch (Exception e) {
+ // throw exception - add key to template
+ CMS.debug("EnrollProfile: Building X509CertInfo - " + e.toString());
+ throw new EProfileException(e.toString());
+ }
+ req.setExtData(REQUEST_CERTINFO, info);
+ }
+
+ public IRequest createEnrollmentRequest()
+ throws EProfileException {
+ IRequest req = null;
+
+ try {
+ req = getRequestQueue().newRequest("enrollment");
+
+ setDefaultCertInfo(req);
+
+ // put the certificate info into request
+ req.setExtData(REQUEST_EXTENSIONS,
+ new CertificateExtensions());
+
+ CMS.debug("EnrollProfile: createRequest " +
+ req.getRequestId().toString());
+ } catch (EBaseException e) {
+ // raise exception
+ CMS.debug("EnrollProfile: create new enroll request " +
+ e.toString());
+ }
+
+ return req;
+ }
+
+ public abstract void execute(IRequest request)
+ throws EProfileException;
+
+ /**
+ * Perform simple policy set assignment.
+ */
+ public String getPolicySetId(IRequest req) {
+ Integer seq = req.getExtDataInInteger(REQUEST_SEQ_NUM);
+ int seq_no = seq.intValue(); // start from 0
+
+ int count = 0;
+ Enumeration setIds = getProfilePolicySetIds();
+
+ while (setIds.hasMoreElements()) {
+ String setId = (String) setIds.nextElement();
+
+ if (count == seq_no) {
+ return setId;
+ }
+ count++;
+ }
+ return null;
+ }
+
+ public String getRequestorDN(IRequest request) {
+ X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
+
+ try {
+ CertificateSubjectName sn = (CertificateSubjectName)
+ info.get(X509CertInfo.SUBJECT);
+
+ return sn.toString();
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: getRequestDN " + e.toString());
+ }
+ return null;
+ }
+
+ /**
+ * This method is called after the user submits the
+ * request from the end-entity page.
+ */
+ public void submit(IAuthToken token, IRequest request)
+ throws EDeferException, EProfileException {
+ // Request Submission Logic:
+ //
+ // if (Authentication Failed) {
+ // return Error
+ // } else {
+ // if (No Auth Token) {
+ // queue request
+ // } else {
+ // process request
+ // }
+ // }
+
+ IAuthority authority = (IAuthority)
+ getAuthority();
+ IRequestQueue queue = authority.getRequestQueue();
+
+ // this profile queues request that is authenticated
+ // by NoAuth
+ try {
+ queue.updateRequest(request);
+ } catch (EBaseException e) {
+ // save request to disk
+ CMS.debug("EnrollProfile: Update request " + e.toString());
+ }
+
+ if (token == null) {
+ CMS.debug("EnrollProfile: auth token is null");
+ CMS.debug("EnrollProfile: validating request");
+ validate(request);
+ try {
+ queue.updateRequest(request);
+ } catch (EBaseException e) {
+ CMS.debug("EnrollProfile: Update request (after validation) " + e.toString());
+ }
+
+ throw new EDeferException("defer request");
+ } else {
+ // this profile executes request that is authenticated
+ // by non NoAuth
+ CMS.debug("EnrollProfile: auth token is not null");
+ validate(request);
+ execute(request);
+ }
+ }
+
+ public TaggedRequest[] parseCMC(Locale locale, String certreq)
+ throws EProfileException {
+ /* cert request must not be null */
+ if (certreq == null) {
+ CMS.debug("EnrollProfile: parseCMC() certreq null");
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ CMS.debug("EnrollProfile: Start parseCMC(): " + certreq);
+
+ Hashtable t1 = new Hashtable();
+ TaggedRequest msgs[] = null;
+
+ String creq = normalizeCertReq(certreq);
+ try {
+ byte data[] = CMS.AtoB(creq);
+ ByteArrayInputStream cmcBlobIn =
+ new ByteArrayInputStream(data);
+
+ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo)
+ org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn);
+ org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData)cmcReq.getInterpretedContent();
+ org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+ OBJECT_IDENTIFIER id = ci.getContentType();
+ OCTET_STRING content = ci.getContent();
+
+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+ PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
+
+ mCMCData = pkiData;
+ //PKIData pkiData = (PKIData)
+ // (new PKIData.Template()).decode(cmcBlobIn);
+ SEQUENCE controlSeq = pkiData.getControlSequence();
+ int numcontrols = controlSeq.size();
+ SEQUENCE reqSeq = pkiData.getReqSequence();
+ byte randomSeed[] = null;
+ SessionContext context = SessionContext.getContext();
+ if (!context.containsKey("numOfControls")) {
+ if (numcontrols > 0) {
+ context.put("numOfControls", Integer.valueOf(numcontrols));
+ TaggedAttribute[] attributes = new TaggedAttribute[numcontrols];
+ for (int i=0; i<numcontrols; i++) {
+ attributes[i] = (TaggedAttribute)controlSeq.elementAt(i);
+ OBJECT_IDENTIFIER oid = attributes[i].getType();
+ if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) {
+ boolean valid = verifyIdentityProof(attributes[i],
+ reqSeq);
+ if (!valid) {
+ SEQUENCE bpids = getRequestBpids(reqSeq);
+ context.put("identityProof", bpids);
+ return null;
+ }
+ } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) {
+ SET vals = attributes[i].getValues();
+ OCTET_STRING ostr =
+ (OCTET_STRING)(ASN1Util.decode(OCTET_STRING.getTemplate(),
+ ASN1Util.encode(vals.elementAt(0))));
+ randomSeed = ostr.toByteArray();
+ } else {
+ context.put(attributes[i].getType(), attributes[i]);
+ }
+ }
+ }
+ }
+
+ SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence();
+ int numOtherMsgs = otherMsgSeq.size();
+ if (!context.containsKey("numOfOtherMsgs")) {
+ context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs));
+ for (int i=0; i<numOtherMsgs; i++) {
+ OtherMsg omsg =(OtherMsg)(ASN1Util.decode(OtherMsg.getTemplate(),
+ ASN1Util.encode(otherMsgSeq.elementAt(i))));
+ context.put("otherMsg"+i, omsg);
+ }
+ }
+
+ int nummsgs = reqSeq.size();
+ if (nummsgs > 0) {
+ msgs = new TaggedRequest[reqSeq.size()];
+ SEQUENCE bpids = new SEQUENCE();
+ boolean valid = true;
+ for (int i = 0; i < nummsgs; i++) {
+ msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
+ if (!context.containsKey("POPLinkWitness")) {
+ if (randomSeed != null) {
+ valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids);
+ if (!valid || bpids.size() > 0) {
+ context.put("POPLinkWitness", bpids);
+ return null;
+ }
+ }
+ }
+ }
+ } else
+ return null;
+
+ return msgs;
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: parseCMC " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+ private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req,
+ SEQUENCE bpids) {
+ ISharedToken tokenClass = null;
+ boolean sharedSecretFound = true;
+ String name = null;
+ try {
+ name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
+ } catch (EPropertyNotFound e) {
+ CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+ sharedSecretFound = false;
+ } catch (EBaseException e) {
+ CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+ sharedSecretFound = false;
+ }
+
+ try {
+ tokenClass = (ISharedToken)Class.forName(name).newInstance();
+ } catch (ClassNotFoundException e) {
+ CMS.debug("EnrollProfile: Failed to find class name: "+name);
+ sharedSecretFound = false;
+ } catch (InstantiationException e) {
+ CMS.debug("EnrollProfile: Failed to instantiate class: "+name);
+ sharedSecretFound = false;
+ } catch (IllegalAccessException e) {
+ CMS.debug("EnrollProfile: Illegal access: "+name);
+ sharedSecretFound = false;
+ }
+
+ INTEGER reqId = null;
+ byte[] bv = null;
+ String sharedSecret = null;
+ if (tokenClass != null)
+ sharedSecret = tokenClass.getSharedToken(mCMCData);
+ if (req.getType().equals(TaggedRequest.PKCS10)) {
+ TaggedCertificationRequest tcr = req.getTcr();
+ if (!sharedSecretFound) {
+ bpids.addElement(tcr.getBodyPartID());
+ return false;
+ } else {
+ CertificationRequest creq = tcr.getCertificationRequest();
+ CertificationRequestInfo cinfo = creq.getInfo();
+ SET attrs = cinfo.getAttributes();
+ for (int j=0; j<attrs.size(); j++) {
+ Attribute pkcs10Attr = (Attribute)attrs.elementAt(j);
+ if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+ SET witnessVal = pkcs10Attr.getValues();
+ if (witnessVal.size() > 0) {
+ try {
+ OCTET_STRING str =
+ (OCTET_STRING)(ASN1Util.decode(OCTET_STRING.getTemplate(),
+ ASN1Util.encode(witnessVal.elementAt(0))));
+ bv = str.toByteArray();
+ return verifyDigest(sharedSecret.getBytes(),
+ randomSeed, bv);
+ } catch (InvalidBERException ex) {
+ return false;
+ }
+ }
+ }
+ }
+
+ return false;
+ }
+ } else if (req.getType().equals(TaggedRequest.CRMF)) {
+ CertReqMsg crm = req.getCrm();
+ CertRequest certReq = crm.getCertReq();
+ reqId = certReq.getCertReqId();
+ if (!sharedSecretFound) {
+ bpids.addElement(reqId);
+ return false;
+ } else {
+ for (int i = 0; i < certReq.numControls(); i++) {
+ AVA ava = certReq.controlAt(i);
+
+ if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+ ASN1Value value = ava.getValue();
+ ByteArrayInputStream bis = new ByteArrayInputStream(
+ ASN1Util.encode(value));
+ OCTET_STRING ostr = null;
+ try {
+ ostr = (OCTET_STRING)
+ (new OCTET_STRING.Template()).decode(bis);
+ bv = ostr.toByteArray();
+ } catch (Exception e) {
+ bpids.addElement(reqId);
+ return false;
+ }
+
+ boolean valid = verifyDigest(sharedSecret.getBytes(),
+ randomSeed, bv);
+ if (!valid) {
+ bpids.addElement(reqId);
+ return valid;
+ }
+ }
+ }
+ }
+ }
+
+ return true;
+ }
+
+ private boolean verifyDigest(byte[] sharedSecret, byte[] text, byte[] bv) {
+ byte[] key = null;
+ try {
+ MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
+ key = SHA1Digest.digest(sharedSecret);
+ } catch (NoSuchAlgorithmException ex) {
+ CMS.debug("EnrollProfile: No such algorithm for this message digest.");
+ return false;
+ }
+
+ byte[] finalDigest = null;
+ try {
+ MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
+ HMACDigest hmacDigest = new HMACDigest(SHA1Digest, key);
+ hmacDigest.update(text);
+ finalDigest = hmacDigest.digest();
+ } catch (NoSuchAlgorithmException ex) {
+ CMS.debug("EnrollProfile: No such algorithm for this message digest.");
+ return false;
+ }
+
+ if (finalDigest.length != bv.length) {
+ CMS.debug("EnrollProfile: The length of two HMAC digest are not the same.");
+ return false;
+ }
+
+ for (int j=0; j<bv.length; j++) {
+ if (bv[j] != finalDigest[j]) {
+ CMS.debug("EnrollProfile: The content of two HMAC digest are not the same.");
+ return false;
+ }
+ }
+
+ CMS.debug("EnrollProfile: The content of two HMAC digest are the same.");
+ return true;
+ }
+
+ private SEQUENCE getRequestBpids(SEQUENCE reqSeq) {
+ SEQUENCE bpids = new SEQUENCE();
+ for (int i = 0; i < reqSeq.size(); i++) {
+ TaggedRequest req = (TaggedRequest) reqSeq.elementAt(i);
+ if (req.getType().equals(TaggedRequest.PKCS10)) {
+ TaggedCertificationRequest tcr = req.getTcr();
+ bpids.addElement(tcr.getBodyPartID());
+ } else if (req.getType().equals(TaggedRequest.CRMF)) {
+ CertReqMsg crm = req.getCrm();
+ CertRequest request = crm.getCertReq();
+ bpids.addElement(request.getCertReqId());
+ }
+ }
+
+ return bpids;
+ }
+
+ private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) {
+ SET vals = attr.getValues();
+ if (vals.size() < 1)
+ return false;
+ String name = null;
+ try {
+ name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
+ } catch (EPropertyNotFound e) {
+ } catch (EBaseException e) {
+ }
+
+ if (name == null)
+ return false;
+ else {
+ ISharedToken tokenClass = null;
+ try {
+ tokenClass = (ISharedToken)Class.forName(name).newInstance();
+ } catch (ClassNotFoundException e) {
+ CMS.debug("EnrollProfile: Failed to find class name: "+name);
+ return false;
+ } catch (InstantiationException e) {
+ CMS.debug("EnrollProfile: Failed to instantiate class: "+name);
+ return false;
+ } catch (IllegalAccessException e) {
+ CMS.debug("EnrollProfile: Illegal access: "+name);
+ return false;
+ }
+
+ String token = tokenClass.getSharedToken(mCMCData);
+ OCTET_STRING ostr = null;
+ try {
+ ostr = (OCTET_STRING)(ASN1Util.decode(OCTET_STRING.getTemplate(),
+ ASN1Util.encode(vals.elementAt(0))));
+ } catch (InvalidBERException e) {
+ CMS.debug("EnrollProfile: Failed to decode the byte value.");
+ return false;
+ }
+ byte[] b = ostr.toByteArray();
+ byte[] text = ASN1Util.encode(reqSeq);
+
+ return verifyDigest(token.getBytes(), text, b);
+ }
+ }
+
+ public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
+ IRequest req)
+ throws EProfileException {
+ TaggedRequest.Type type = tagreq.getType();
+
+ if (type.equals(TaggedRequest.PKCS10)) {
+ try {
+ TaggedCertificationRequest tcr = tagreq.getTcr();
+ CertificationRequest p10 = tcr.getCertificationRequest();
+ ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+
+ p10.encode(ostream);
+ PKCS10 pkcs10 = new PKCS10(ostream.toByteArray());
+
+ req.setExtData("bodyPartId", tcr.getBodyPartID());
+ fillPKCS10(locale, pkcs10, info, req);
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: fillTaggedRequest " +
+ e.toString());
+ }
+ } else if (type.equals(TaggedRequest.CRMF)) {
+ CertReqMsg crm = tagreq.getCrm();
+ SessionContext context = SessionContext.getContext();
+ Integer nums = (Integer)(context.get("numOfControls"));
+
+ // check if the LRA POP Witness Control attribute exists
+ if (nums != null && nums.intValue() > 0) {
+ TaggedAttribute attr =
+ (TaggedAttribute)(context.get(OBJECT_IDENTIFIER.id_cmc_lraPOPWitness));
+ if (attr != null) {
+ parseLRAPopWitness(locale, crm, attr);
+ } else {
+ CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
+ verifyPOP(locale, crm);
+ }
+ } else {
+ CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
+ verifyPOP(locale, crm);
+ }
+
+ fillCertReqMsg(locale, crm, info, req);
+ } else {
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+ private void parseLRAPopWitness(Locale locale, CertReqMsg crm,
+ TaggedAttribute attr) throws EProfileException {
+ SET vals = attr.getValues();
+ boolean donePOP = false;
+ INTEGER reqId = null;
+ if (vals.size() > 0) {
+ LraPopWitness lraPop = null;
+ try {
+ lraPop = (LraPopWitness)(ASN1Util.decode(LraPopWitness.getTemplate(),
+ ASN1Util.encode(vals.elementAt(0))));
+ } catch (InvalidBERException e) {
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_ENCODING_ERROR"));
+ }
+
+ SEQUENCE bodyIds = lraPop.getBodyIds();
+ reqId = crm.getCertReq().getCertReqId();
+
+ for (int i=0; i<bodyIds.size(); i++) {
+ INTEGER num = (INTEGER)(bodyIds.elementAt(i));
+ if (num.toString().equals(reqId.toString())) {
+ donePOP = true;
+ CMS.debug("EnrollProfile: skip POP for request: "+reqId.toString()+ " because LRA POP Witness control is found.");
+ break;
+ }
+ }
+ }
+
+ if (!donePOP) {
+ CMS.debug("EnrollProfile: not skip POP for request: "+reqId.toString()+" because this request id is not part of the body list in LRA Pop witness control.");
+ verifyPOP(locale, crm);
+ }
+ }
+
+ public CertReqMsg[] parseCRMF(Locale locale, String certreq)
+ throws EProfileException {
+
+ /* cert request must not be null */
+ if (certreq == null) {
+ CMS.debug("EnrollProfile: parseCRMF() certreq null");
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ CMS.debug("EnrollProfile: Start parseCRMF(): " + certreq);
+
+ CertReqMsg msgs[] = null;
+ String creq = normalizeCertReq(certreq);
+ try {
+ byte data[] = CMS.AtoB(creq);
+ ByteArrayInputStream crmfBlobIn =
+ new ByteArrayInputStream(data);
+ SEQUENCE crmfMsgs = (SEQUENCE)
+ new SEQUENCE.OF_Template(new
+ CertReqMsg.Template()).decode(crmfBlobIn);
+ int nummsgs = crmfMsgs.size();
+
+ if (nummsgs <= 0)
+ return null;
+ msgs = new CertReqMsg[crmfMsgs.size()];
+ for (int i = 0; i < nummsgs; i++) {
+ msgs[i] = (CertReqMsg) crmfMsgs.elementAt(i);
+ }
+ return msgs;
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: parseCRMF " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+ private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID =
+ new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4}
+ );
+
+ protected PKIArchiveOptions getPKIArchiveOptions(AVA ava) {
+ ASN1Value archVal = ava.getValue();
+ ByteArrayInputStream bis = new ByteArrayInputStream(
+ ASN1Util.encode(archVal));
+ PKIArchiveOptions archOpts = null;
+
+ try {
+ archOpts = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(bis);
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString());
+ }
+ return archOpts;
+ }
+
+ public PKIArchiveOptions toPKIArchiveOptions(byte options[]) {
+ ByteArrayInputStream bis = new ByteArrayInputStream(options);
+ PKIArchiveOptions archOpts = null;
+
+ try {
+ archOpts = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(bis);
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: toPKIArchiveOptions " + e.toString());
+ }
+ return archOpts;
+ }
+
+ public byte[] toByteArray(PKIArchiveOptions options) {
+ return ASN1Util.encode(options);
+ }
+
+ public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info,
+ IRequest req)
+ throws EProfileException {
+ try {
+ CMS.debug("Start parseCertReqMsg ");
+ CertRequest certReq = certReqMsg.getCertReq();
+ req.setExtData("bodyPartId", certReq.getCertReqId());
+ // handle PKIArchiveOption (key archival)
+ for (int i = 0; i < certReq.numControls(); i++) {
+ AVA ava = certReq.controlAt(i);
+
+ if (ava.getOID().equals(PKIARCHIVEOPTIONS_OID)) {
+ PKIArchiveOptions opt = getPKIArchiveOptions(ava);
+
+ //req.set(REQUEST_ARCHIVE_OPTIONS, opt);
+ req.setExtData(REQUEST_ARCHIVE_OPTIONS,
+ toByteArray(opt));
+ }
+ }
+
+ CertTemplate certTemplate = certReq.getCertTemplate();
+
+ // parse key
+ SubjectPublicKeyInfo spki = certTemplate.getPublicKey();
+ ByteArrayOutputStream keyout = new ByteArrayOutputStream();
+
+ spki.encode(keyout);
+ byte[] keybytes = keyout.toByteArray();
+ X509Key key = new X509Key();
+
+ key.decode(keybytes);
+
+ // XXX - kmccarth - this may simply undo the decoding above
+ // but for now it's unclear whether X509Key
+ // changest the format when decoding.
+ CertificateX509Key certKey = new CertificateX509Key(key);
+ ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream();
+ certKey.encode(certKeyOut);
+ req.setExtData(REQUEST_KEY, certKeyOut.toByteArray());
+
+ // parse validity
+ if (certTemplate.getNotBefore() != null ||
+ certTemplate.getNotAfter() != null) {
+ CMS.debug("EnrollProfile: requested notBefore: " + certTemplate.getNotBefore());
+ CMS.debug("EnrollProfile: requested notAfter: " + certTemplate.getNotAfter());
+ CMS.debug("EnrollProfile: current CA time: " + new Date());
+ CertificateValidity certValidity = new CertificateValidity(
+ certTemplate.getNotBefore(), certTemplate.getNotAfter());
+ ByteArrayOutputStream certValidityOut =
+ new ByteArrayOutputStream();
+ certValidity.encode(certValidityOut);
+ req.setExtData(REQUEST_VALIDITY, certValidityOut.toByteArray());
+ } else {
+ CMS.debug("EnrollProfile: validity not supplied");
+ }
+
+ // parse subject
+ if (certTemplate.hasSubject()) {
+ Name subjectdn = certTemplate.getSubject();
+ ByteArrayOutputStream subjectEncStream =
+ new ByteArrayOutputStream();
+
+ subjectdn.encode(subjectEncStream);
+ byte[] subjectEnc = subjectEncStream.toByteArray();
+ X500Name subject = new X500Name(subjectEnc);
+
+ //info.set(X509CertInfo.SUBJECT,
+ // new CertificateSubjectName(subject));
+
+ req.setExtData(REQUEST_SUBJECT_NAME,
+ new CertificateSubjectName(subject));
+ try {
+ String subjectCN = subject.getCommonName();
+ if (subjectCN == null) subjectCN = "";
+ req.setExtData(REQUEST_SUBJECT_NAME+".cn", subjectCN);
+ } catch (Exception ee) {
+ req.setExtData(REQUEST_SUBJECT_NAME+".cn", "");
+ }
+ try {
+ String subjectUID = subject.getUserID();
+ if (subjectUID == null) subjectUID = "";
+ req.setExtData(REQUEST_SUBJECT_NAME+".uid", subjectUID);
+ } catch (Exception ee) {
+ req.setExtData(REQUEST_SUBJECT_NAME+".uid", "");
+ }
+ }
+
+ // parse extensions
+ CertificateExtensions extensions = null;
+
+ // try {
+ extensions = req.getExtDataInCertExts(REQUEST_EXTENSIONS);
+ // } catch (CertificateException e) {
+ // extensions = null;
+ // } catch (IOException e) {
+ // extensions = null;
+ // }
+ if (certTemplate.hasExtensions()) {
+ // put each extension from CRMF into CertInfo.
+ // index by extension name, consistent with
+ // CertificateExtensions.parseExtension() method.
+ if (extensions == null)
+ extensions = new CertificateExtensions();
+ int numexts = certTemplate.numExtensions();
+
+ for (int j = 0; j < numexts; j++) {
+ org.mozilla.jss.pkix.cert.Extension jssext =
+ certTemplate.extensionAt(j);
+ boolean isCritical = jssext.getCritical();
+ org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
+ jssext.getExtnId();
+ long[] numbers = jssoid.getNumbers();
+ int[] oidNumbers = new int[numbers.length];
+
+ for (int k = numbers.length - 1; k >= 0; k--) {
+ oidNumbers[k] = (int) numbers[k];
+ }
+ ObjectIdentifier oid =
+ new ObjectIdentifier(oidNumbers);
+ org.mozilla.jss.asn1.OCTET_STRING jssvalue =
+ jssext.getExtnValue();
+ ByteArrayOutputStream jssvalueout =
+ new ByteArrayOutputStream();
+
+ jssvalue.encode(jssvalueout);
+ byte[] extValue = jssvalueout.toByteArray();
+
+ Extension ext =
+ new Extension(oid, isCritical, extValue);
+
+ extensions.parseExtension(ext);
+ }
+ // info.set(X509CertInfo.EXTENSIONS, extensions);
+ req.setExtData(REQUEST_EXTENSIONS, extensions);
+
+ }
+ } catch (IOException e) {
+ CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ } catch (InvalidKeyException e) {
+ CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ // } catch (CertificateException e) {
+ // CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString());
+ // throw new EProfileException(e.toString());
+ }
+ }
+
+ public PKCS10 parsePKCS10(Locale locale, String certreq)
+ throws EProfileException {
+ /* cert request must not be null */
+ if (certreq == null) {
+ CMS.debug("EnrollProfile:parsePKCS10() certreq null");
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ CMS.debug("Start parsePKCS10(): " + certreq);
+
+ // trim header and footer
+ String creq = normalizeCertReq(certreq);
+
+ // parse certificate into object
+ byte data[] = CMS.AtoB(creq);
+ PKCS10 pkcs10 = null;
+ CryptoManager cm = null;
+ CryptoToken savedToken = null;
+ boolean sigver = true;
+
+ try {
+ cm = CryptoManager.getInstance();
+ sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
+ if (sigver) {
+ CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled");
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
+ "Internal Key Storage Token");
+ savedToken = cm.getThreadToken();
+ CryptoToken signToken = cm.getTokenByName(tokenName);
+ CMS.debug("EnrollProfile: parsePKCS10 setting thread token");
+ cm.setThreadToken(signToken);
+ pkcs10 = new PKCS10(data);
+ } else {
+ CMS.debug("EnrollProfile: parsePKCS10: signature verification disabled");
+ pkcs10 = new PKCS10(data, sigver);
+ }
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: parsePKCS10 " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ } finally {
+ if (sigver) {
+ CMS.debug("EnrollProfile: parsePKCS10 restoring thread token");
+ cm.setThreadToken(savedToken);
+ }
+ }
+
+ return pkcs10;
+ }
+
+ public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req)
+ throws EProfileException {
+ X509Key key = pkcs10.getSubjectPublicKeyInfo();
+
+ try {
+ CertificateX509Key certKey = new CertificateX509Key(key);
+ ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream();
+ certKey.encode(certKeyOut);
+ req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray());
+
+ req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME,
+ new CertificateSubjectName(pkcs10.getSubjectName()));
+ try {
+ String subjectCN = pkcs10.getSubjectName().getCommonName();
+ if (subjectCN == null) subjectCN = "";
+ req.setExtData(REQUEST_SUBJECT_NAME+".cn", subjectCN);
+ } catch (Exception ee) {
+ req.setExtData(REQUEST_SUBJECT_NAME+".cn", "");
+ }
+ try {
+ String subjectUID = pkcs10.getSubjectName().getUserID();
+ if (subjectUID == null) subjectUID = "";
+ req.setExtData(REQUEST_SUBJECT_NAME+".uid", subjectUID);
+ } catch (Exception ee) {
+ req.setExtData(REQUEST_SUBJECT_NAME+".uid", "");
+ }
+
+ info.set(X509CertInfo.KEY, certKey);
+
+ PKCS10Attributes p10Attrs = pkcs10.getAttributes();
+ if (p10Attrs != null) {
+ PKCS10Attribute p10Attr = (PKCS10Attribute)
+ (p10Attrs.getAttribute(CertificateExtensions.NAME));
+ if (p10Attr != null && p10Attr.getAttributeId().equals(
+ PKCS9Attribute.EXTENSION_REQUEST_OID)) { CMS.debug("Found PKCS10 extension");
+ Extensions exts0 = (Extensions)
+ (p10Attr.getAttributeValue());
+ DerOutputStream extOut = new DerOutputStream();
+
+ exts0.encode(extOut);
+ byte[] extB = extOut.toByteArray();
+ DerInputStream extIn = new DerInputStream(extB);
+ CertificateExtensions exts = new CertificateExtensions(extIn);
+ if (exts != null) {
+ CMS.debug("Set extensions " + exts);
+ // info.set(X509CertInfo.EXTENSIONS, exts);
+ req.setExtData(REQUEST_EXTENSIONS, exts);
+ }
+ } else {
+ CMS.debug("PKCS10 extension Not Found");
+ }
+ }
+
+ CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName());
+ } catch (IOException e) {
+ CMS.debug("EnrollProfile: fillPKCS10 " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ } catch (CertificateException e) {
+ CMS.debug("EnrollProfile: fillPKCS10 " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+
+ // for netkey
+ public void fillNSNKEY(Locale locale, String sn, String skey, X509CertInfo info, IRequest req)
+ throws EProfileException {
+
+ try {
+ //cfu - is the algorithm going to be replaced by the policy?
+ X509Key key = new X509Key();
+ key.decode(CMS.AtoB(skey));
+
+ info.set(X509CertInfo.KEY, new CertificateX509Key(key));
+ // req.set(EnrollProfile.REQUEST_SUBJECT_NAME,
+ // new CertificateSubjectName(new
+ // X500Name("CN="+sn)));
+ req.setExtData("screenname", sn);
+ // keeping "aoluid" to be backward compatible
+ req.setExtData("aoluid", sn);
+ req.setExtData("uid", sn);
+ CMS.debug("EnrollPrifile: fillNSNKEY(): uid="+sn);
+
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: fillNSNKEY(): "+e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+ // for house key
+ public void fillNSHKEY(Locale locale, String tcuid, String skey, X509CertInfo info, IRequest req)
+ throws EProfileException {
+
+ try {
+ //cfu - is the algorithm going to be replaced by the policy?
+ X509Key key = new X509Key();
+ key.decode(CMS.AtoB(skey));
+
+ info.set(X509CertInfo.KEY, new CertificateX509Key(key));
+ // req.set(EnrollProfile.REQUEST_SUBJECT_NAME,
+ // new CertificateSubjectName(new
+ // X500Name("CN="+sn)));
+ req.setExtData("tokencuid", tcuid);
+
+ CMS.debug("EnrollPrifile: fillNSNKEY(): tokencuid="+tcuid);
+
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: fillNSHKEY(): "+e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+
+ public DerInputStream parseKeyGen(Locale locale, String certreq)
+ throws EProfileException {
+ byte data[] = CMS.AtoB(certreq);
+
+ DerInputStream derIn = new DerInputStream(data);
+
+ return derIn;
+ }
+
+ public void fillKeyGen(Locale locale, DerInputStream derIn, X509CertInfo info, IRequest req
+ )
+ throws EProfileException {
+ try {
+
+ /* get SPKAC Algorithm & Signature */
+ DerValue derSPKACContent[] = derIn.getSequence(3);
+ AlgorithmId mAlgId = AlgorithmId.parse(derSPKACContent[1]);
+ byte mSignature[] = derSPKACContent[2].getBitString();
+
+ /* get PKAC SPKI & Challenge */
+ byte mPKAC[] = derSPKACContent[0].toByteArray();
+
+ derIn = new DerInputStream(mPKAC);
+ DerValue derPKACContent[] = derIn.getSequence(2);
+
+ DerValue mDerSPKI = derPKACContent[0];
+ X509Key mSPKI = X509Key.parse(derPKACContent[0]);
+
+ String mChallenge;
+ DerValue mDerChallenge = derPKACContent[1];
+
+ if (mDerChallenge.length() != 0)
+ mChallenge = derPKACContent[1].getIA5String();
+
+ CertificateX509Key certKey = new CertificateX509Key(mSPKI);
+ ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream();
+ certKey.encode(certKeyOut);
+ req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray());
+ info.set(X509CertInfo.KEY, certKey);
+ } catch (IOException e) {
+ CMS.debug("EnrollProfile: fillKeyGen " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ } catch (CertificateException e) {
+ CMS.debug("EnrollProfile: fillKeyGen " + e.toString());
+ throw new EProfileException(
+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
+ }
+ }
+
+ public String normalizeCertReq(String s) {
+ if (s == null) {
+ return s;
+ }
+ s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "");
+ s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", "");
+ s = s.replaceAll("-----END CERTIFICATE REQUEST-----", "");
+ s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", "");
+
+ StringBuffer sb = new StringBuffer();
+ StringTokenizer st = new StringTokenizer(s, "\r\n ");
+
+ while (st.hasMoreTokens()) {
+ String nextLine = st.nextToken();
+
+ nextLine = nextLine.trim();
+ if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----"))
+ continue;
+ if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----"))
+ continue;
+ if (nextLine.equals("-----END CERTIFICATE REQUEST-----"))
+ continue;
+ if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----"))
+ continue;
+ sb.append(nextLine);
+ }
+ return sb.toString();
+ }
+
+ public Locale getLocale(IRequest request) {
+ Locale locale = null;
+ String language = request.getExtDataInString(
+ EnrollProfile.REQUEST_LOCALE);
+ if (language != null) {
+ locale = new Locale(language);
+ }
+ return locale;
+ }
+
+ /**
+ * Populate input
+ * <P>
+ *
+ * (either all "agent" profile cert requests NOT made through a connector,
+ * or all "EE" profile cert requests NOT made through a connector)
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST used when a
+ * profile cert request is made (before approval process)
+ * </ul>
+ * @param ctx profile context
+ * @param request the certificate request
+ * @exception EProfileException an error related to this profile has
+ * occurred
+ */
+ public void populateInput(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ super.populateInput(ctx, request);
+ }
+
+ public void populate(IRequest request)
+ throws EProfileException {
+ super.populate(request);
+
+ }
+
+ /**
+ * Passes the request to the set of constraint policies
+ * that validate the request against the profile.
+ */
+ public void validate(IRequest request)
+ throws ERejectException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID(request);
+ String auditProfileID = auditProfileID();
+ String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ String subject = null;
+
+ // try {
+ X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
+
+ try {
+ CertificateSubjectName sn = (CertificateSubjectName)
+ info.get(X509CertInfo.SUBJECT);
+
+ // if the cert subject name is NOT MISSING, retrieve the
+ // actual "auditCertificateSubjectName" and "normalize" it
+ if (sn != null) {
+ subject = sn.toString();
+ if (subject != null) {
+ // NOTE: This is ok even if the cert subject name
+ // is "" (empty)!
+ auditCertificateSubjectName = subject.trim();
+ }
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditProfileID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } catch (CertificateException e) {
+ CMS.debug("EnrollProfile: populate " + e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditProfileID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } catch (IOException e) {
+ CMS.debug("EnrollProfile: populate " + e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditProfileID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ }
+
+ super.validate(request);
+ Object key = null;
+
+ try {
+ key = info.get(X509CertInfo.KEY);
+ } catch (CertificateException e) {
+ } catch (IOException e) {
+ }
+
+ if (key == null) {
+ Locale locale = getLocale(request);
+
+ throw new ERejectException(CMS.getUserMessage(
+ locale, "CMS_PROFILE_EMPTY_KEY"));
+ }
+
+ try {
+ CMS.debug("EnrollProfile certInfo : " + info);
+ } catch (NullPointerException e) {
+ // do nothing
+ }
+ }
+
+ /**
+ * Signed Audit Log Requester ID
+ *
+ * This method is inherited by all extended "EnrollProfile"s,
+ * and is called to obtain the "RequesterID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @param request the actual request
+ * @return id string containing the signed audit log message RequesterID
+ */
+ protected String auditRequesterID(IRequest request) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String requesterID = ILogger.UNIDENTIFIED;
+
+ if (request != null) {
+ // overwrite "requesterID" if and only if "id" != null
+ String id = request.getRequestId().toString();
+
+ if (id != null) {
+ requesterID = id.trim();
+ }
+ }
+
+ return requesterID;
+ }
+
+ /**
+ * Signed Audit Log Profile ID
+ *
+ * This method is inherited by all extended "EnrollProfile"s,
+ * and is called to obtain the "ProfileID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message ProfileID
+ */
+ protected String auditProfileID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String profileID = getId();
+
+ if (profileID != null) {
+ profileID = profileID.trim();
+ } else {
+ profileID = ILogger.UNIDENTIFIED;
+ }
+
+ return profileID;
+ }
+
+ public void verifyPOP(Locale locale, CertReqMsg certReqMsg)
+ throws EProfileException {
+ CMS.debug("EnrollProfile ::in verifyPOP");
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ if (!certReqMsg.hasPop()) {
+ return;
+ }
+ ProofOfPossession pop = certReqMsg.getPop();
+ ProofOfPossession.Type popType = pop.getType();
+
+ if (popType != ProofOfPossession.SIGNATURE) {
+ return;
+ }
+
+ try {
+ CryptoManager cm = CryptoManager.getInstance();
+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
+ "Internal Key Storage Token");
+ CryptoToken verifyToken = cm.getTokenByName(tokenName);
+ if (tokenName.equals("Internal Key Storage Token")) {
+ //use internal token
+ CMS.debug("POP verification using internal token");
+ certReqMsg.verify();
+ } else {
+ CMS.debug("POP verification using token:"+ tokenName);
+ certReqMsg.verify(verifyToken);
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+ auditSubjectID,
+ ILogger.SUCCESS );
+ audit( auditMessage );
+ } catch (Exception e) {
+
+ CMS.debug("Failed POP verify! "+e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+ auditSubjectID,
+ ILogger.FAILURE );
+
+ audit( auditMessage );
+
+ throw new EProfileException(CMS.getUserMessage(locale,
+ "CMS_POP_VERIFICATION_ERROR"));
+ }
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java
new file mode 100644
index 000000000..dd994e83a
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.profile.*;
+
+
+/**
+ * This class implements an enrollment profile context
+ * that carries information for request creation.
+ *
+ * @version $Revision$, $Date$
+ */
+public class EnrollProfileContext extends ProfileContext
+ implements IProfileContext {
+
+}
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/ProfileContext.java b/pki/base/common/src/com/netscape/cms/profile/common/ProfileContext.java
new file mode 100644
index 000000000..12bbaa783
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/ProfileContext.java
@@ -0,0 +1,41 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.util.*;
+
+import com.netscape.certsrv.profile.*;
+
+
+/**
+ * This class implements the profile context.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfileContext implements IProfileContext {
+ private Hashtable m_Attrs = new Hashtable();
+
+ public void set(String name, String value) {
+ m_Attrs.put(name, value);
+ }
+
+ public String get(String name) {
+ return (String) m_Attrs.get(name);
+ }
+}
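Review bot: `m_Attrs` is a raw `Hashtable`, so `get` relies on an unchecked cast and any non-String value stored through another path would surface as a `ClassCastException` at the read site rather than at the write; since the file already targets a JDK with generics (the `java.util.*` import and the 2007 header suggest Java 5+), declare it `private final Hashtable<String, String> m_Attrs = new Hashtable<String, String>();` and drop the cast in `get`. `Hashtable` also rejects null keys and values, so `set(name, null)` throws `NullPointerException` from inside the collection; if callers can pass a null value, either document that with a `@throws` on `set` or guard it explicitly. A one-line Javadoc on `set`/`get` stating that `get` returns `null` for an unknown name would make the contract visible to the profile code that reads the context.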
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java b/pki/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java
new file mode 100644
index 000000000..bf9594fa7
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import com.netscape.certsrv.profile.*;
+
+
+/**
+ * This class implements a profile policy that
+ * contains a default policy and a constraint
+ * policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfilePolicy implements IProfilePolicy {
+ private String mId = null;
+ private IPolicyDefault mDefault = null;
+ private IPolicyConstraint mConstraint = null;
+
+ public ProfilePolicy(String id, IPolicyDefault def, IPolicyConstraint constraint) {
+ mId = id;
+ mDefault = def;
+ mConstraint = constraint;
+ }
+
+ public String getId() {
+ return mId;
+ }
+
+ public IPolicyDefault getDefault() {
+ return mDefault;
+ }
+
+ public IPolicyConstraint getConstraint() {
+ return mConstraint;
+ }
+}
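Review bot: The three fields are assigned only in the constructor and exposed read-only through the getters, so they should be `private final`, which also makes the `= null` initializers redundant: `private final String mId; private final IPolicyDefault mDefault; private final IPolicyConstraint mConstraint;`. Nothing checks that `def` or `constraint` is non-null, so a misconfigured profile would surface as a `NullPointerException` wherever the policy is later applied rather than at construction; if a null default or constraint is legitimate, a short Javadoc on the constructor saying so (and that the getters may return `null`) would save the next reader from guessing.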
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java
new file mode 100644
index 000000000..cd980c5c2
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java
@@ -0,0 +1,138 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.ra.*;
+import com.netscape.certsrv.apps.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Registration Manager
+ * enrollment profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public class RAEnrollProfile extends EnrollProfile {
+
+ public RAEnrollProfile() {
+ super();
+ }
+
+ public IAuthority getAuthority() {
+ IAuthority authority = (IAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ if (authority == null)
+ return null;
+ return authority;
+ }
+
+ public X500Name getIssuerName() {
+ IRegistrationAuthority ra = (IRegistrationAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+ X500Name issuerName = ra.getX500Name();
+
+ return issuerName;
+ }
+
+ public void execute(IRequest request)
+ throws EProfileException {
+
+
+ if (!isEnable()) {
+ CMS.debug("CAEnrollProfile: Profile Not Enabled");
+ throw new EProfileException("Profile Not Enabled");
+ }
+
+ IRegistrationAuthority ra =
+ (IRegistrationAuthority) getAuthority();
+ IRAService raService = (IRAService) ra.getRAService();
+
+ if (raService == null) {
+ throw new EProfileException("No RA Service");
+ }
+
+
+ IRequestQueue queue = ra.getRequestQueue();
+
+ // send request to CA
+ try {
+ IConnector caConnector = raService.getCAConnector();
+
+ if (caConnector == null) {
+ CMS.debug("RAEnrollProfile: CA connector not configured");
+ } else {
+ caConnector.send(request);
+ // check response
+ if (!request.isSuccess()) {
+ CMS.debug("RAEnrollProfile error talking to CA setting req status to SVC_PENDING");
+
+ request.setRequestStatus(RequestStatus.SVC_PENDING);
+
+ try {
+ queue.updateRequest(request);
+ } catch (EBaseException e) {
+ CMS.debug("RAEnrollProfile: Update request " + e.toString());
+ }
+ throw new ERejectException(
+ request.getError(getLocale(request)));
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug("RAEnrollProfile: " + e.toString());
+ throw new EProfileException(e.toString());
+ }
+
+ // request handling
+ Enumeration names = ra.getRequestListenerNames();
+
+ if (names != null) {
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ CMS.debug("CAEnrollProfile: listener " + name);
+ IRequestListener listener = ra.getRequestListener(name);
+
+ if (listener != null) {
+ listener.accept(request);
+ }
+ }
+ }
+ }
+}
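Review bot: The `ERejectException` thrown in the `if (!request.isSuccess())` branch of `execute` sits inside the `try` whose `catch (Exception e)` follows, so it is immediately caught and re-thrown as `new EProfileException(e.toString())` — callers never see the rejection type and the original exception is flattened to a string. Add `catch (ERejectException e) { throw e; }` ahead of the generic catch (or move the status check outside the `try`), and pass `e` as the cause where the `EProfileException` constructor allows it. When `caConnector` is null the method only logs "CA connector not configured" and then falls through to run the request listeners as though the CA had answered; if that is not intended, throw `new EProfileException("CA connector not configured")` there instead. The debug strings in this class still say `CAEnrollProfile`, and `getIssuerName` dereferences `ra` without the null check that `getAuthority` performs on the same lookup.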
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
new file mode 100644
index 000000000..c83f05746
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
@@ -0,0 +1,135 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile for Server Certificates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ServerCertCAEnrollProfile extends CAEnrollProfile
+ implements IProfileEx {
+
+ /**
+ * Called after initialization. It populates default
+ * policies, inputs, and outputs.
+ */
+ public void populate() throws EBaseException
+ {
+ // create inputs
+ NameValuePairs inputParams1 = new NameValuePairs();
+ IProfileInput input1 =
+ createProfileInput("i1", "certReqInputImpl", inputParams1);
+ NameValuePairs inputParams2 = new NameValuePairs();
+ IProfileInput input2 =
+ createProfileInput("i2", "submitterInfoInputImpl", inputParams2);
+
+ // create outputs
+ NameValuePairs outputParams1 = new NameValuePairs();
+ IProfileOutput output1 =
+ createProfileOutput("o1", "certOutputImpl", outputParams1);
+
+ IProfilePolicy policy1 =
+ createProfilePolicy("set1", "p1",
+ "userSubjectNameDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def1 = policy1.getDefault();
+ IConfigStore defConfig1 = def1.getConfigStore();
+ IPolicyConstraint con1 = policy1.getConstraint();
+ IConfigStore conConfig1 = con1.getConfigStore();
+
+ IProfilePolicy policy2 =
+ createProfilePolicy("set1", "p2",
+ "validityDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def2 = policy2.getDefault();
+ IConfigStore defConfig2 = def2.getConfigStore();
+ defConfig2.putString("params.range","180");
+ defConfig2.putString("params.startTime","0");
+ IPolicyConstraint con2 = policy2.getConstraint();
+ IConfigStore conConfig2 = con2.getConfigStore();
+
+ IProfilePolicy policy3 =
+ createProfilePolicy("set1", "p3",
+ "userKeyDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def3 = policy3.getDefault();
+ IConfigStore defConfig3 = def3.getConfigStore();
+ defConfig3.putString("params.keyType","RSA");
+ defConfig3.putString("params.keyMinLength","512");
+ defConfig3.putString("params.keyMaxLength","4096");
+ IPolicyConstraint con3 = policy3.getConstraint();
+ IConfigStore conConfig3 = con3.getConfigStore();
+
+ IProfilePolicy policy4 =
+ createProfilePolicy("set1", "p4",
+ "signingAlgDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def4 = policy4.getDefault();
+ IConfigStore defConfig4 = def4.getConfigStore();
+ defConfig4.putString("params.signingAlg","-");
+ defConfig4.putString("params.signingAlgsAllowed",
+ "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+ IPolicyConstraint con4 = policy4.getConstraint();
+ IConfigStore conConfig4 = con4.getConfigStore();
+
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+ "keyUsageExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def5 = policy5.getDefault();
+ IConfigStore defConfig5 = def5.getConfigStore();
+ defConfig5.putString("params.keyUsageCritical","true");
+ defConfig5.putString("params.keyUsageCrlSign","false");
+ defConfig5.putString("params.keyUsageDataEncipherment","true");
+ defConfig5.putString("params.keyUsageDecipherOnly","false");
+ defConfig5.putString("params.keyUsageDigitalSignature","true");
+ defConfig5.putString("params.keyUsageEncipherOnly","false");
+ defConfig5.putString("params.keyUsageKeyAgreement","false");
+ defConfig5.putString("params.keyUsageKeyCertSign","false");
+ defConfig5.putString("params.keyUsageKeyEncipherment","true");
+ defConfig5.putString("params.keyUsageNonRepudiation","true");
+ IPolicyConstraint con5 = policy5.getConstraint();
+ IConfigStore conConfig5 = con5.getConfigStore();
+
+ }
+
+}
diff --git a/pki/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/pki/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
new file mode 100644
index 000000000..a6acf111e
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
@@ -0,0 +1,137 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+
+import java.security.cert.*;
+import java.math.*;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.connector.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+
+import java.security.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.crmf.*;
+
+
+/**
+ * This class implements a Certificate Manager enrollment
+ * profile for User Certificates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class UserCertCAEnrollProfile extends CAEnrollProfile
+ implements IProfileEx {
+
+ /**
+ * Called after initialization. It populates default
+ * policies, inputs, and outputs.
+ */
+ public void populate() throws EBaseException
+ {
+ // create inputs
+ NameValuePairs inputParams1 = new NameValuePairs();
+ IProfileInput input1 =
+ createProfileInput("i1", "keyGenInputImpl", inputParams1);
+ NameValuePairs inputParams2 = new NameValuePairs();
+ IProfileInput input2 =
+ createProfileInput("i2", "subjectNameInputImpl", inputParams2);
+ NameValuePairs inputParams3 = new NameValuePairs();
+ IProfileInput input3 =
+ createProfileInput("i3", "submitterInfoInputImpl", inputParams2);
+
+ // create outputs
+ NameValuePairs outputParams1 = new NameValuePairs();
+ IProfileOutput output1 =
+ createProfileOutput("o1", "certOutputImpl", outputParams1);
+
+ // create policies
+ IProfilePolicy policy1 =
+ createProfilePolicy("set1", "p1",
+ "userSubjectNameDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def1 = policy1.getDefault();
+ IConfigStore defConfig1 = def1.getConfigStore();
+ IPolicyConstraint con1 = policy1.getConstraint();
+ IConfigStore conConfig1 = con1.getConfigStore();
+
+ IProfilePolicy policy2 =
+ createProfilePolicy("set1", "p2",
+ "validityDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def2 = policy2.getDefault();
+ IConfigStore defConfig2 = def2.getConfigStore();
+ defConfig2.putString("params.range","180");
+ defConfig2.putString("params.startTime","0");
+ IPolicyConstraint con2 = policy2.getConstraint();
+ IConfigStore conConfig2 = con2.getConfigStore();
+
+ IProfilePolicy policy3 =
+ createProfilePolicy("set1", "p3",
+ "userKeyDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def3 = policy3.getDefault();
+ IConfigStore defConfig3 = def3.getConfigStore();
+ defConfig3.putString("params.keyType","RSA");
+ defConfig3.putString("params.keyMinLength","512");
+ defConfig3.putString("params.keyMaxLength","4096");
+ IPolicyConstraint con3 = policy3.getConstraint();
+ IConfigStore conConfig3 = con3.getConfigStore();
+
+ IProfilePolicy policy4 =
+ createProfilePolicy("set1", "p4",
+ "signingAlgDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def4 = policy4.getDefault();
+ IConfigStore defConfig4 = def4.getConfigStore();
+ defConfig4.putString("params.signingAlg","-");
+ defConfig4.putString("params.signingAlgsAllowed",
+ "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+ IPolicyConstraint con4 = policy4.getConstraint();
+ IConfigStore conConfig4 = con4.getConfigStore();
+
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+ "keyUsageExtDefaultImpl", "noConstraintImpl");
+ IPolicyDefault def5 = policy5.getDefault();
+ IConfigStore defConfig5 = def5.getConfigStore();
+ defConfig5.putString("params.keyUsageCritical","true");
+ defConfig5.putString("params.keyUsageCrlSign","false");
+ defConfig5.putString("params.keyUsageDataEncipherment","false");
+ defConfig5.putString("params.keyUsageDecipherOnly","false");
+ defConfig5.putString("params.keyUsageDigitalSignature","true");
+ defConfig5.putString("params.keyUsageEncipherOnly","false");
+ defConfig5.putString("params.keyUsageKeyAgreement","false");
+ defConfig5.putString("params.keyUsageKeyCertSign","false");
+ defConfig5.putString("params.keyUsageKeyEncipherment","true");
+ defConfig5.putString("params.keyUsageNonRepudiation","true");
+ IPolicyConstraint con5 = policy5.getConstraint();
+ IConfigStore conConfig5 = con5.getConfigStore();
+ }
+}
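Review bot: The third input in populate() is created with the wrong parameter map: `createProfileInput("i3", "submitterInfoInputImpl", inputParams2);` passes `inputParams2` while `inputParams3` is allocated on the line above and never used, so the submitter-info input shares the subject-name input's NameValuePairs object. It should read `createProfileInput("i3", "submitterInfoInputImpl", inputParams3);`. Both maps are empty at this point so the effect today is only aliasing, but any later mutation of one input's params would leak into the other, and the unused `inputParams3` is a warning waiting to be silenced incorrectly. The weak-algorithm and key-length defaults on the p3/p4 policies are the same as in ServerCertCAEnrollProfile.java and are covered in that note.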