path: root/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java836
1 files changed, 425 insertions, 411 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
index 0922f8821..645cb831b 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.cert;
+
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
@@ -84,9 +85,10 @@ import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
import com.netscape.cms.servlet.common.ICMSTemplateFiller;
+
/**
* performs face-to-face enrollment.
- *
+ *
* @version $Revision$, $Date$
*/
public class HashEnrollServlet extends CMSServlet {
@@ -98,9 +100,10 @@ public class HashEnrollServlet extends CMSServlet {
public final static String ADMIN_ENROLL_SERVLET_ID = "adminEnroll";
// enrollment templates.
- public static final String ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template";
+ public static final String
+ ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template";
- // http params
+ // http params
public static final String OLD_CERT_TYPE = "csrCertType";
public static final String CERT_TYPE = "certType";
// same as in ConfigConstant.java
@@ -120,7 +123,8 @@ public class HashEnrollServlet extends CMSServlet {
private boolean mAuthTokenOverride = true;
private String mEnrollSuccessTemplate = null;
- private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller();
+ private ICMSTemplateFiller
+ mEnrollSuccessFiller = new ImportCertsTemplateFiller();
ICertificateAuthority mCa = null;
ICertificateRepository mRepository = null;
@@ -131,7 +135,6 @@ public class HashEnrollServlet extends CMSServlet {
/**
* initialize the servlet.
- *
* @param sc servlet configuration, read from the web.xml file
*/
public void init(ServletConfig sc) throws ServletException {
@@ -139,17 +142,17 @@ public class HashEnrollServlet extends CMSServlet {
// override success template to allow direct import of keygen certs.
mTemplates.remove(CMSRequest.SUCCESS);
try {
- mEnrollSuccessTemplate = sc
- .getInitParameter(CMSServlet.PROP_SUCCESS_TEMPLATE);
+ mEnrollSuccessTemplate = sc.getInitParameter(
+ CMSServlet.PROP_SUCCESS_TEMPLATE);
if (mEnrollSuccessTemplate == null)
mEnrollSuccessTemplate = ENROLL_SUCCESS_TEMPLATE;
- String fillername = sc
- .getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER);
+ String fillername =
+ sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER);
if (fillername != null) {
ICMSTemplateFiller filler = newFillerObject(fillername);
- if (filler != null)
+ if (filler != null)
mEnrollSuccessFiller = filler;
}
@@ -158,18 +161,20 @@ public class HashEnrollServlet extends CMSServlet {
init_testbed_hack(mConfig);
} catch (Exception e) {
- // this should never happen.
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId));
+ // this should never happen.
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId));
}
}
+
/**
- * Process the HTTP request.
- *
+ * Process the HTTP request.
+ *
* @param cmsReq the object holding the request and response information
*/
- protected void process(CMSRequest cmsReq) throws EBaseException {
+ protected void process(CMSRequest cmsReq)
+ throws EBaseException {
IArgBlock httpParams = cmsReq.getHttpParams();
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
@@ -187,8 +192,8 @@ public class HashEnrollServlet extends CMSServlet {
IConfigStore configStore = CMS.getConfigStore();
String val = configStore.getString("hashDirEnrollment.name");
- IAuthSubsystem authSS = (IAuthSubsystem) CMS
- .getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthSubsystem authSS = (IAuthSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
IAuthManager authMgr = authSS.get(val);
HashAuthentication mgr = (HashAuthentication) authMgr;
@@ -221,15 +226,14 @@ public class HashEnrollServlet extends CMSServlet {
certType = httpParams.getValueAsString(OLD_CERT_TYPE, null);
if (certType == null) {
certType = httpParams.getValueAsString(CERT_TYPE, "client");
- } else {
- ;
- }
+ } else {;
+ }
- processX509(cmsReq);
+ processX509(cmsReq);
}
-
+
private void printError(CMSRequest cmsReq, String errorCode)
- throws EBaseException {
+ throws EBaseException {
IArgBlock httpParams = cmsReq.getHttpParams();
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
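Review bot: The reformatted `} else {;` in process() leaves an empty statement hanging behind the brace, which reads worse than the original three-line form and still does nothing. The branch can simply go: `if (certType == null) {` / `certType = httpParams.getValueAsString(CERT_TYPE, "client");` / `}`. process() begins before this hunk, so whether `certType` is used after the `processX509(cmsReq)` call is not visible here.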
@@ -249,10 +253,9 @@ public class HashEnrollServlet extends CMSServlet {
form = getTemplate(formPath, httpReq, locale);
} catch (IOException e) {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formPath,
- e.toString()));
- cmsReq.setError(new ECMSGWException(CMS
- .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formPath, e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
cmsReq.setStatus(CMSRequest.ERROR);
return;
}
@@ -264,15 +267,16 @@ public class HashEnrollServlet extends CMSServlet {
cmsReq.setStatus(CMSRequest.SUCCESS);
} catch (IOException e) {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM",
- e.toString()));
- cmsReq.setError(new ECMSGWException(CMS
- .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
+ CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM",
+ e.toString()));
+ cmsReq.setError(new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
cmsReq.setStatus(CMSRequest.ERROR);
}
}
- protected void processX509(CMSRequest cmsReq) throws EBaseException {
+ protected void processX509(CMSRequest cmsReq)
+ throws EBaseException {
IArgBlock httpParams = cmsReq.getHttpParams();
HttpServletRequest httpReq = cmsReq.getHttpReq();
@@ -280,16 +284,19 @@ public class HashEnrollServlet extends CMSServlet {
IRequest req = mRequestQueue.newRequest(IRequest.ENROLLMENT_REQUEST);
/*
- * === certAuth based enroll === "certAuthEnroll" is on.
- * "certauthEnrollType can be one of the three: single - it's for single
- * cert enrollment dual - it's for dual certs enrollment encryption -
- * getting the encryption cert only via authentication of the signing
- * cert (crmf or keyGenInfo)
+ * === certAuth based enroll ===
+ * "certAuthEnroll" is on.
+ * "certauthEnrollType can be one of the three:
+ * single - it's for single cert enrollment
+ * dual - it's for dual certs enrollment
+ * encryption - getting the encryption cert only via
+ * authentication of the signing cert
+ * (crmf or keyGenInfo)
*/
boolean certAuthEnroll = false;
- String certAuthEnrollOn = httpParams.getValueAsString("certauthEnroll",
- null);
+ String certAuthEnrollOn =
+ httpParams.getValueAsString("certauthEnroll", null);
X509CertInfo new_certInfo = null;
if ((certAuthEnrollOn != null) && (certAuthEnrollOn.equals("on"))) {
@@ -300,8 +307,8 @@ public class HashEnrollServlet extends CMSServlet {
String certauthEnrollType = null;
if (certAuthEnroll == true) {
- certauthEnrollType = httpParams.getValueAsString(
- "certauthEnrollType", null);
+ certauthEnrollType =
+ httpParams.getValueAsString("certauthEnrollType", null);
if (certauthEnrollType != null) {
if (certauthEnrollType.equals("dual")) {
CMS.debug("HashEnrollServlet: certauthEnrollType is dual");
@@ -310,22 +317,20 @@ public class HashEnrollServlet extends CMSServlet {
} else if (certauthEnrollType.equals("single")) {
CMS.debug("HashEnrollServlet: certauthEnrollType is single");
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1",
- certauthEnrollType));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", certauthEnrollType));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE"));
+ CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE"));
}
} else {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_CERTAUTH_ENROLL_TYPE"));
+ CMS.getLogMessage("CMSGW_MISSING_CERTAUTH_ENROLL_TYPE"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE"));
+ CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE"));
}
}
- String challengePassword = httpParams.getValueAsString(
- "challengePassword", "");
+ String challengePassword = httpParams.getValueAsString("challengePassword", "");
cmsReq.setIRequest(req);
saveHttpHeaders(httpReq, req);
@@ -335,8 +340,8 @@ public class HashEnrollServlet extends CMSServlet {
AuthzToken authzToken = null;
try {
- authzToken = authorize(mAclMethod, token, mAuthzResourceName,
- "import");
+ authzToken = authorize(mAclMethod, token,
+ mAuthzResourceName, "import");
} catch (Exception e) {
// do nothing for now
}
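Review bot: The catch around the re-wrapped authorize() call still discards every exception with `// do nothing for now`, so a failed or misconfigured authorization leaves `authzToken` null without any log record. Nothing in this hunk tests `authzToken` afterwards, so whether a null token is later treated as a denial cannot be confirmed from here; at minimum the failure should be recorded, e.g. `log(ILogger.LL_FAILURE, "HashEnrollServlet: authorize failed: " + e.toString());`, and the catch narrowed from `Exception` to the types authorize() actually declares. processX509() continues outside the hunk.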
@@ -351,43 +356,41 @@ public class HashEnrollServlet extends CMSServlet {
String certBasedOldSubjectDN = null;
BigInteger certBasedOldSerialNum = null;
- // check if request was authenticated, if so set authtoken & certInfo.
- // also if authenticated, take certInfo from authToken.
+ // check if request was authenticated, if so set authtoken & certInfo.
+ // also if authenticated, take certInfo from authToken.
X509CertInfo certInfo = null;
if (certAuthEnroll == true) {
sslClientCert = getSSLClientCertificate(httpReq);
if (sslClientCert == null) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT"));
+ CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT"));
}
- certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN()
- .toString();
- certBasedOldSerialNum = (BigInteger) sslClientCert
- .getSerialNumber();
+ certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN().toString();
+ certBasedOldSerialNum = (BigInteger) sslClientCert.getSerialNumber();
try {
- certInfo = (X509CertInfo) ((X509CertImpl) sslClientCert)
- .get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
+ certInfo = (X509CertInfo)
+ ((X509CertImpl) sslClientCert).get(
+ X509CertImpl.NAME + "." + X509CertImpl.INFO);
} catch (CertificateParsingException ex) {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
- throw new ECMSGWException(CMS.getUserMessage(
- getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
+ CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
+ throw new ECMSGWException(
+ CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
}
} else {
certInfo = CMS.getDefaultX509CertInfo();
}
- X509CertInfo[] certInfoArray = new X509CertInfo[] { certInfo };
+ X509CertInfo[] certInfoArray = new X509CertInfo[] {certInfo};
- // AuthToken authToken = access.getAuthToken();
+ //AuthToken authToken = access.getAuthToken();
IConfigStore configStore = CMS.getConfigStore();
String val = configStore.getString("hashDirEnrollment.name");
- IAuthSubsystem authSS = (IAuthSubsystem) CMS
- .getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthSubsystem authSS = (IAuthSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
IAuthManager authMgr1 = authSS.get(val);
HashAuthentication mgr = (HashAuthentication) authMgr1;
String pageID = httpParams.getValueAsString("pageID", null);
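Review bot: The casts on the two joined lines `certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN().toString();` and `certBasedOldSerialNum = (BigInteger) sslClientCert.getSerialNumber();` are redundant — toString() already yields a String and X509Certificate.getSerialNumber() already yields a BigInteger — so the reflow only made the lines longer. They read cleaner as `certBasedOldSubjectDN = sslClientCert.getSubjectDN().toString();` / `certBasedOldSerialNum = sslClientCert.getSerialNumber();`. The `(X509CertImpl) sslClientCert` cast just below is unchecked; if getSSLClientCertificate() can hand back another X509Certificate implementation, that surfaces as a ClassCastException rather than the CMS_GW_MISSING_CERTINFO error this block is written to produce.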
@@ -402,22 +405,24 @@ public class HashEnrollServlet extends CMSServlet {
cmsReq.setStatus(CMSRequest.SUCCESS);
return;
} else {
- authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
- // don't store agent token in request.
- // agent currently used for bulk issuance.
+ authMgr =
+ authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ // don't store agent token in request.
+ // agent currently used for bulk issuance.
// if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
- log(ILogger.LL_INFO, "Enrollment request was authenticated by "
- + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME));
+ log(ILogger.LL_INFO,
+ "Enrollment request was authenticated by " +
+ authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME));
fillCertInfoFromAuthToken(certInfo, authToken);
- // save authtoken attrs to request directly (for policy use)
+ // save authtoken attrs to request directly (for policy use)
saveAuthToken(authToken, req);
// req.set(IRequest.AUTH_TOKEN, authToken);
// }
}
// fill certInfo from input types: keygen, cmc, pkcs10 or crmf
- KeyGenInfo keyGenInfo = httpParams.getValueAsKeyGenInfo(
- SUBJECT_KEYGEN_INFO, null);
+ KeyGenInfo keyGenInfo =
+ httpParams.getValueAsKeyGenInfo(SUBJECT_KEYGEN_INFO, null);
String certType = null;
@@ -436,7 +441,8 @@ public class HashEnrollServlet extends CMSServlet {
req.setExtData(IRequest.HTTP_PARAMS, CERT_TYPE, certType);
}
- String crmf = httpParams.getValueAsString(CRMF_REQUEST, null);
+ String crmf =
+ httpParams.getValueAsString(CRMF_REQUEST, null);
if (certAuthEnroll == true) {
@@ -445,21 +451,25 @@ public class HashEnrollServlet extends CMSServlet {
// for dual certs
if (certauthEnrollType.equals(CERT_AUTH_DUAL)) {
if (mCa == null) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NOT_A_CA"));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_NOT_A_CA"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_NOT_A_CA"));
+ CMS.getUserMessage("CMS_GW_NOT_A_CA"));
}
// first, make sure the client cert is indeed a
- // signing only cert
- if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == false)
- || ((CMS.isSigningCert((X509CertImpl) sslClientCert) == true) && (CMS
- .isEncryptionCert((X509CertImpl) sslClientCert) == true))) {
+ // signing only cert
+ if ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
+ false) ||
+ ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
+ true) &&
+ (CMS.isEncryptionCert((X509CertImpl) sslClientCert) ==
+ true))) {
// either it's not a signing cert, or it's a dual cert
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
+ CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
+ CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
}
X509Key key = null;
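Review bot: The re-wrapped condition starting at `if ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==` compares booleans with `== false`/`== true`, evaluates isSigningCert() twice and repeats the cast three times; `(!S) || (S && E)` is logically just `!S || E`. It states the intent (signing-only cert required) directly as `X509CertImpl clientCert = (X509CertImpl) sslClientCert;` / `if (!CMS.isSigningCert(clientCert) || CMS.isEncryptionCert(clientCert)) {`. The same shape recurs in the next hunk at `if ((CMS.isEncryptionCert(cert) == false) ||` (with the roles swapped) and in the CERT_AUTH_ENCRYPTION branch two hunks further down.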
@@ -468,27 +478,22 @@ public class HashEnrollServlet extends CMSServlet {
try {
certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1",
- e.toString()));
- throw new ECMSGWException(CMS.getUserMessage(
- "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1",
- e.toString()));
- throw new ECMSGWException(CMS.getUserMessage(
- "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
}
- String filter = "(&(x509cert.subject=" + certBasedOldSubjectDN
- + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum
- + "))(certStatus=VALID))";
- ICertRecordList list = (ICertRecordList) mCa
- .getCertificateRepository().findCertRecordsInList(
- filter, null, 10);
+ String filter =
+ "(&(x509cert.subject=" + certBasedOldSubjectDN + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum + "))(certStatus=VALID))";
+ ICertRecordList list =
+ (ICertRecordList) mCa.getCertificateRepository().findCertRecordsInList(filter,
+ null, 10);
int size = list.getSize();
Enumeration en = list.getCertRecords(0, size - 1);
boolean gotEncCert = false;
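Review bot: The filter collapsed onto one line under `String filter =` splices `certBasedOldSubjectDN` — the client certificate's subject DN rendered with toString() — straight into an LDAP-style search filter without escaping. A DN that legitimately contains `(`, `)`, `*` or `\` (an organisation name in parentheses, say) yields a malformed or wider filter than intended, so the lookup for the paired encryption certificate can fail or match the wrong records; the value comes from a certificate this CA issued, which limits who can influence it, but it is not filter-safe. Assuming findCertRecordsInList() passes the string through as an RFC 4515 filter (its implementation is not in this hunk), the DN should be escaped before concatenation, as below. The joined line is also well past 100 columns, and `list.getCertRecords(0, size - 1)` on the next line is invoked with `-1` when the search is empty — whether the repository tolerates that cannot be told from here.
```java
String filter =
    "(&(x509cert.subject=" + escapeFilterValue(certBasedOldSubjectDN)
    + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum
    + "))(certStatus=VALID))";
// … unchanged: findCertRecordsInList call and result iteration …

// new class-level helper
/** Escapes the RFC 4515 metacharacters of an assertion value so it cannot alter filter structure. */
private static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*':  sb.append("\\2a"); break;
        case '(':  sb.append("\\28"); break;
        case ')':  sb.append("\\29"); break;
        case '\0': sb.append("\\00"); break;
        default:   sb.append(c);
        }
    }
    return sb.toString();
}
```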
@@ -497,8 +502,8 @@ public class HashEnrollServlet extends CMSServlet {
// pairing encryption cert not found
} else {
X509CertInfo encCertInfo = CMS.getDefaultX509CertInfo();
- X509CertInfo[] cInfoArray = new X509CertInfo[] { certInfo,
- encCertInfo };
+ X509CertInfo[] cInfoArray = new X509CertInfo[] {certInfo,
+ encCertInfo};
int i = 1;
while (en.hasMoreElements()) {
@@ -506,47 +511,37 @@ public class HashEnrollServlet extends CMSServlet {
X509CertImpl cert = record.getCertificate();
// if not encryption cert only, try next one
- if ((CMS.isEncryptionCert(cert) == false)
- || ((CMS.isEncryptionCert(cert) == true) && (CMS
- .isSigningCert(cert) == true))) {
+ if ((CMS.isEncryptionCert(cert) == false) ||
+ ((CMS.isEncryptionCert(cert) == true) &&
+ (CMS.isSigningCert(cert) == true))) {
continue;
}
key = (X509Key) cert.getPublicKey();
try {
- encCertInfo = (X509CertInfo) cert
- .get(X509CertImpl.NAME + "."
- + X509CertImpl.INFO);
+ encCertInfo = (X509CertInfo)
+ cert.get(
+ X509CertImpl.NAME + "." + X509CertImpl.INFO);
} catch (CertificateParsingException ex) {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
- throw new ECMSGWException(CMS.getUserMessage(
- getLocale(httpReq),
- "CMS_GW_MISSING_CERTINFO"));
+ CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
+ throw new ECMSGWException(
+ CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
}
try {
- encCertInfo.set(X509CertInfo.KEY,
- new CertificateX509Key(key));
+ encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage(
- "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage(
- "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED",
- e.toString()));
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
} catch (IOException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage(
- "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage(
- "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED",
- e.toString()));
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
}
fillCertInfoFromAuthToken(encCertInfo, authToken);
@@ -560,21 +555,24 @@ public class HashEnrollServlet extends CMSServlet {
if (gotEncCert == false) {
// encryption cert not found, bail
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND"));
+ CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND"));
+ CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND"));
}
} else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) {
// first, make sure the client cert is indeed a
- // signing only cert
- if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == false)
- || ((CMS.isSigningCert((X509CertImpl) sslClientCert) == true) && (CMS
- .isEncryptionCert((X509CertImpl) sslClientCert) == true))) {
+ // signing only cert
+ if ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
+ false) ||
+ ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
+ true) &&
+ (CMS.isEncryptionCert((X509CertImpl) sslClientCert) ==
+ true))) {
// either it's not a signing cert, or it's a dual cert
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
+ CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
+ CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
}
/*
@@ -582,15 +580,15 @@ public class HashEnrollServlet extends CMSServlet {
*/
if (crmf != null && crmf != "") {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
- req.setExtData(CLIENT_ISSUER, sslClientCert.getIssuerDN()
- .toString());
- CMS.debug("HashEnrollServlet: sslClientCert issuerDN = "
- + sslClientCert.getIssuerDN().toString());
+ req.setExtData(CLIENT_ISSUER,
+ sslClientCert.getIssuerDN().toString());
+ CMS.debug(
+ "HashEnrollServlet: sslClientCert issuerDN = " + sslClientCert.getIssuerDN().toString());
} else {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
- throw new ECMSGWException(CMS.getUserMessage(
- getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO"));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
+ throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
+ "CMS_GW_MISSING_KEYGEN_INFO"));
}
} else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) {
// have to be buried here to handle the issuer
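Review bot: The re-indented `fillCRMF(crmf, authToken, httpParams, req)` call is guarded by `if (crmf != null && crmf != "")` (a context line of this hunk), which compares the String by reference; a non-interned empty value returned by getValueAsString() passes that test and reaches fillCRMF() with an empty request instead of the CMSGW_MISSING_KEYGEN_INFO error just below. A value comparison is what is meant: `if (crmf != null && crmf.length() > 0) {`. The same test appears in the CERT_AUTH_SINGLE branch and the non-certauth branch in the next hunk. The enclosing if/else chain begins before this hunk.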
@@ -598,21 +596,21 @@ public class HashEnrollServlet extends CMSServlet {
if (crmf != null && crmf != "") {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
} else {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
- throw new ECMSGWException(CMS.getUserMessage(
- getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO"));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
+ throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
+ "CMS_GW_MISSING_KEYGEN_INFO"));
}
- req.setExtData(CLIENT_ISSUER, sslClientCert.getIssuerDN()
- .toString());
+ req.setExtData(CLIENT_ISSUER,
+ sslClientCert.getIssuerDN().toString());
}
} else if (crmf != null && crmf != "") {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
} else {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
- "CMS_GW_MISSING_KEYGEN_INFO"));
+ "CMS_GW_MISSING_KEYGEN_INFO"));
}
req.setExtData(IRequest.CERT_INFO, certInfoArray);
@@ -623,9 +621,9 @@ public class HashEnrollServlet extends CMSServlet {
req.setExtData(CHALLENGE_PASSWORD, pwd);
}
- // send request to request queue.
+ // send request to request queue.
mRequestQueue.processRequest(req);
- // process result.
+ // process result.
// render OLD_CERT_TYPE's response differently, we
// dont want any javascript in HTML, and need to
@@ -640,28 +638,27 @@ public class HashEnrollServlet extends CMSServlet {
return;
}
- // for audit log
+ //for audit log
String initiative = null;
String agentID = null;
if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
- // request is from eegateway, so fromUser.
+ // request is from eegateway, so fromUser.
initiative = AuditFormat.FROMUSER;
} else {
agentID = authToken.getInString("userid");
initiative = AuditFormat.FROMAGENT + " agentID: " + agentID;
- }
+ }
// if service not complete return standard templates.
RequestStatus status = req.getRequestStatus();
if (status != RequestStatus.COMPLETE) {
cmsReq.setIRequestStatus(); // set status acc. to IRequest status.
- // audit log the status
+ // audit log the status
try {
if (status == RequestStatus.REJECTED) {
- Vector messages = req
- .getExtDataInStringVector(IRequest.ERRORS);
+ Vector messages = req.getExtDataInStringVector(IRequest.ERRORS);
if (messages != null) {
Enumeration msgs = messages.elements();
@@ -671,42 +668,52 @@ public class HashEnrollServlet extends CMSServlet {
wholeMsg.append("\n");
wholeMsg.append(msgs.nextElement());
}
- mLogger.log(
- ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.ENROLLMENTFORMAT,
- new Object[] { req.getRequestId(), initiative,
- authMgr, status.toString(),
- certInfo.get(X509CertInfo.SUBJECT),
- " violation: " + wholeMsg.toString() },
- ILogger.L_MULTILINE);
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.ENROLLMENTFORMAT,
+ new Object[] {
+ req.getRequestId(),
+ initiative,
+ authMgr,
+ status.toString(),
+ certInfo.get(X509CertInfo.SUBJECT),
+ " violation: " +
+ wholeMsg.toString()},
+ ILogger.L_MULTILINE
+ );
} else { // no policy violation, from agent
- mLogger.log(
- ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.ENROLLMENTFORMAT,
- new Object[] { req.getRequestId(), initiative,
- authMgr, status.toString(),
- certInfo.get(X509CertInfo.SUBJECT), "" });
- }
- } else { // other imcomplete status
- mLogger.log(
- ILogger.EV_AUDIT,
+ mLogger.log(ILogger.EV_AUDIT,
ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
- new Object[] { req.getRequestId(), initiative,
- authMgr, status.toString(),
- certInfo.get(X509CertInfo.SUBJECT), "" });
+ new Object[] {
+ req.getRequestId(),
+ initiative,
+ authMgr,
+ status.toString(),
+ certInfo.get(X509CertInfo.SUBJECT), ""}
+ );
+ }
+ } else { // other imcomplete status
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.ENROLLMENTFORMAT,
+ new Object[] {
+ req.getRequestId(),
+ initiative,
+ authMgr,
+ status.toString(),
+ certInfo.get(X509CertInfo.SUBJECT), ""}
+ );
}
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
}
return;
}
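Review bot: The two `mLogger.log(ILogger.EV_AUDIT,` calls in the inner `else` (no policy violation) and the outer `else` (other incomplete status) are now identical twelve-line blocks, and the rejected-with-messages call differs only in the detail string and the trailing `ILogger.L_MULTILINE` argument. Collecting the detail first and logging once, as below, removes the duplication while keeping the audit record byte-identical. The rewrite starts at the `if (status == RequestStatus.REJECTED)` line of the previous hunk, and the loop that builds `wholeMsg` plus the enclosing `try` begin before this one.
```java
String detail = "";
boolean multiline = false;
if (status == RequestStatus.REJECTED) {
    Vector messages = req.getExtDataInStringVector(IRequest.ERRORS);
    if (messages != null) {
        // … unchanged: build wholeMsg from messages …
        detail = " violation: " + wholeMsg.toString();
        multiline = true;
    }
}
Object[] auditParams = new Object[] {
    req.getRequestId(), initiative, authMgr, status.toString(),
    certInfo.get(X509CertInfo.SUBJECT), detail };
if (multiline) {
    mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL,
            AuditFormat.ENROLLMENTFORMAT, auditParams, ILogger.L_MULTILINE);
} else {
    mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL,
            AuditFormat.ENROLLMENTFORMAT, auditParams);
}
// … unchanged: IOException / CertificateException handlers …
```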
@@ -717,35 +724,39 @@ public class HashEnrollServlet extends CMSServlet {
cmsReq.setStatus(CMSRequest.ERROR);
cmsReq.setError(req.getExtDataInString(IRequest.ERROR));
- String[] svcErrors = req
- .getExtDataInStringArray(IRequest.SVCERRORS);
+ String[] svcErrors =
+ req.getExtDataInStringArray(IRequest.SVCERRORS);
if (svcErrors != null && svcErrors.length > 0) {
for (int i = 0; i < svcErrors.length; i++) {
String err = svcErrors[i];
if (err != null) {
- // System.out.println(
- // "revocation servlet: setting error description "+
- // err.toString());
+ //System.out.println(
+ //"revocation servlet: setting error description "+
+ //err.toString());
cmsReq.setErrorDescription(err);
// audit log the error
try {
- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.ENROLLMENTFORMAT, new Object[] {
- req.getRequestId(), initiative,
- authMgr,
- "completed with error: " + err,
- certInfo.get(X509CertInfo.SUBJECT),
- "" });
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.ENROLLMENTFORMAT,
+ new Object[] {
+ req.getRequestId(),
+ initiative,
+ authMgr,
+ "completed with error: " +
+ err,
+ certInfo.get(X509CertInfo.SUBJECT), ""}
+ );
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
}
}
@@ -756,143 +767,144 @@ public class HashEnrollServlet extends CMSServlet {
// service success
cmsReq.setStatus(CMSRequest.SUCCESS);
- X509CertImpl[] issuedCerts = req
- .getExtDataInCertArray(IRequest.ISSUED_CERTS);
+ X509CertImpl[] issuedCerts =
+ req.getExtDataInCertArray(IRequest.ISSUED_CERTS);
// audit log the success.
- mLogger.log(
- ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.ENROLLMENTFORMAT,
- new Object[] {
- req.getRequestId(),
- initiative,
- authMgr,
- "completed",
- issuedCerts[0].getSubjectDN(),
- "cert issued serial number: 0x"
- + issuedCerts[0].getSerialNumber().toString(16) });
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.ENROLLMENTFORMAT,
+ new Object[] {
+ req.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ issuedCerts[0].getSubjectDN(),
+ "cert issued serial number: 0x" +
+ issuedCerts[0].getSerialNumber().toString(16)}
+ );
// return cert as mime type binary if requested.
- if (checkImportCertToNav(cmsReq.getHttpResp(), httpParams,
- issuedCerts[0])) {
+ if (checkImportCertToNav(
+ cmsReq.getHttpResp(), httpParams, issuedCerts[0])) {
cmsReq.setStatus(CMSRequest.SUCCESS);
return;
}
-
+
// use success template.
try {
- cmsReq.setResult(issuedCerts);
- renderTemplate(cmsReq, mEnrollSuccessTemplate, mEnrollSuccessFiller);
- cmsReq.setStatus(CMSRequest.SUCCESS);
+ cmsReq.setResult(issuedCerts);
+ renderTemplate(cmsReq, mEnrollSuccessTemplate,
+ mEnrollSuccessFiller);
+ cmsReq.setStatus(CMSRequest.SUCCESS);
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_TEMP_REND_ERR",
- mEnrollSuccessFiller.toString(), e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_TEMP_REND_ERR", mEnrollSuccessFiller.toString(), e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"));
+ CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"));
}
return;
}
/**
- * fill subject name, validity, extensions from authoken if any, overriding
- * what was in pkcs10. fill subject name, extensions from http input if not
- * authenticated. requests not authenticated will need to be approved by an
- * agent.
+ * fill subject name, validity, extensions from authoken if any,
+ * overriding what was in pkcs10.
+ * fill subject name, extensions from http input if not authenticated.
+ * requests not authenticated will need to be approved by an agent.
*/
- protected void fillCertInfoFromAuthToken(X509CertInfo certInfo,
- IAuthToken authToken) throws EBaseException {
+ protected void fillCertInfoFromAuthToken(
+ X509CertInfo certInfo, IAuthToken authToken)
+ throws EBaseException {
// override subject, validity and extensions from auth token
// CA determines algorithm, version and issuer.
- // take key from keygen, cmc, pkcs10 or crmf.
+ // take key from keygen, cmc, pkcs10 or crmf.
// subject name.
try {
- String subjectname = authToken
- .getInString(AuthToken.TOKEN_CERT_SUBJECT);
+ String subjectname =
+ authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT);
if (subjectname != null) {
- CertificateSubjectName certSubject = (CertificateSubjectName) new CertificateSubjectName(
- new X500Name(subjectname));
+ CertificateSubjectName certSubject = (CertificateSubjectName)
+ new CertificateSubjectName(new X500Name(subjectname));
certInfo.set(X509CertInfo.SUBJECT, certSubject);
- log(ILogger.LL_INFO, "cert subject set to " + certSubject
- + " from authtoken");
+ log(ILogger.LL_INFO,
+ "cert subject set to " + certSubject + " from authtoken");
}
} catch (CertificateException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
} catch (IOException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1",
+ e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
}
// validity
try {
CertificateValidity validity = null;
- Date notBefore = authToken
- .getInDate(AuthToken.TOKEN_CERT_NOTBEFORE);
- Date notAfter = authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER);
+ Date notBefore =
+ authToken.getInDate(AuthToken.TOKEN_CERT_NOTBEFORE);
+ Date notAfter =
+ authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER);
if (notBefore != null && notAfter != null) {
validity = new CertificateValidity(notBefore, notAfter);
certInfo.set(X509CertInfo.VALIDITY, validity);
- log(ILogger.LL_INFO, "cert validity set to " + validity
- + " from authtoken");
+ log(ILogger.LL_INFO,
+ "cert validity set to " + validity + " from authtoken");
}
} catch (CertificateException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1",
+ e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
} catch (IOException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
}
-
+
// extensions
try {
- CertificateExtensions extensions = authToken
- .getInCertExts(X509CertInfo.EXTENSIONS);
+ CertificateExtensions extensions =
+ authToken.getInCertExts(X509CertInfo.EXTENSIONS);
if (extensions != null) {
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
log(ILogger.LL_INFO, "cert extensions set from authtoken");
}
} catch (CertificateException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
} catch (IOException e) {
- log(ILogger.LL_WARN,
- CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1",
- e.toString()));
+ log(ILogger.LL_WARN,
+ CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1",
+ e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
+ CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
}
}
- protected X509CertInfo[] fillCRMF(String crmf, IAuthToken authToken,
- IArgBlock httpParams, IRequest req) throws EBaseException {
+ protected X509CertInfo[] fillCRMF(
+ String crmf, IAuthToken authToken, IArgBlock httpParams, IRequest req)
+ throws EBaseException {
try {
byte[] crmfBlob = CMS.AtoB(crmf);
- ByteArrayInputStream crmfBlobIn = new ByteArrayInputStream(crmfBlob);
-
- SEQUENCE crmfMsgs = (SEQUENCE) new SEQUENCE.OF_Template(
- new CertReqMsg.Template()).decode(crmfBlobIn);
+ ByteArrayInputStream crmfBlobIn =
+ new ByteArrayInputStream(crmfBlob);
+
+ SEQUENCE crmfMsgs = (SEQUENCE)
+ new SEQUENCE.OF_Template(new CertReqMsg.Template()).decode(crmfBlobIn);
int nummsgs = crmfMsgs.size();
X509CertInfo[] certInfoArray = new X509CertInfo[nummsgs];
@@ -902,11 +914,17 @@ public class HashEnrollServlet extends CMSServlet {
CertReqMsg certReqMsg = (CertReqMsg) crmfMsgs.elementAt(i);
/*
- * if (certReqMsg.hasPop()) { try { certReqMsg.verify(); } catch
- * (ChallengeResponseException ex) { // create and save the
- * challenge // construct the cmmf message together // in a
- * sequence to challenge the requestor } catch (Exception e) {
- * // failed, should only affect one request } }
+ if (certReqMsg.hasPop()) {
+ try {
+ certReqMsg.verify();
+ } catch (ChallengeResponseException ex) {
+ // create and save the challenge
+ // construct the cmmf message together
+ // in a sequence to challenge the requestor
+ } catch (Exception e) {
+ // failed, should only affect one request
+ }
+ }
*/
CertRequest certReq = certReqMsg.getCertReq();
INTEGER certReqId = certReq.getCertReqId();
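Review bot: Proof-of-possession is still never checked in this loop; the `certReqMsg.hasPop()` / `certReqMsg.verify()` block at the top of the iteration remains commented out, so a CRMF message's POP is not validated at this layer before the request is built, and whether a later stage of the enrollment pipeline verifies it is not visible on this page. Reflowing the dead code keeps it reading like a plan rather than a decision; if the check is intentionally deferred, replace the block with a one-line comment naming where POP is enforced, e.g. `// POP is not verified here; enforced in [enforcing stage] -- TODO(review) confirm`. If it is not enforced anywhere, the servlet binds a public key to a subject without evidence the requestor holds the private key, which agent approval of the request does not compensate for. The enclosing for loop continues past the end of this hunk.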
@@ -930,94 +948,95 @@ public class HashEnrollServlet extends CMSServlet {
// field suggested notBefore and notAfter in CRMF
// Tech Support #383184
- if (certTemplate.getNotBefore() != null
- || certTemplate.getNotAfter() != null) {
- CertificateValidity certValidity = new CertificateValidity(
- certTemplate.getNotBefore(),
- certTemplate.getNotAfter());
+ if (certTemplate.getNotBefore() != null || certTemplate.getNotAfter() != null) {
+ CertificateValidity certValidity = new CertificateValidity(certTemplate.getNotBefore(), certTemplate.getNotAfter());
- certInfo.set(X509CertInfo.VALIDITY, certValidity);
+ certInfo.set(X509CertInfo.VALIDITY, certValidity);
}
if (certTemplate.hasSubject()) {
Name subjectdn = certTemplate.getSubject();
- ByteArrayOutputStream subjectEncStream = new ByteArrayOutputStream();
+ ByteArrayOutputStream subjectEncStream =
+ new ByteArrayOutputStream();
subjectdn.encode(subjectEncStream);
byte[] subjectEnc = subjectEncStream.toByteArray();
X500Name subject = new X500Name(subjectEnc);
- certInfo.set(X509CertInfo.SUBJECT,
- new CertificateSubjectName(subject));
- } else if (authToken == null
- || authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) {
- // No subject name - error!
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
+ certInfo.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(subject));
+ } else if (authToken == null ||
+ authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) {
+ // No subject name - error!
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
+ CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
}
- // get extensions
+ // get extensions
CertificateExtensions extensions = null;
try {
- extensions = (CertificateExtensions) certInfo
- .get(X509CertInfo.EXTENSIONS);
+ extensions = (CertificateExtensions)
+ certInfo.get(X509CertInfo.EXTENSIONS);
} catch (CertificateException e) {
extensions = null;
} catch (IOException e) {
extensions = null;
}
if (certTemplate.hasExtensions()) {
- // put each extension from CRMF into CertInfo.
- // index by extension name, consistent with
+ // put each extension from CRMF into CertInfo.
+ // index by extension name, consistent with
// CertificateExtensions.parseExtension() method.
- if (extensions == null)
+ if (extensions == null)
extensions = new CertificateExtensions();
int numexts = certTemplate.numExtensions();
for (int j = 0; j < numexts; j++) {
- org.mozilla.jss.pkix.cert.Extension jssext = certTemplate
- .extensionAt(j);
+ org.mozilla.jss.pkix.cert.Extension jssext =
+ certTemplate.extensionAt(j);
boolean isCritical = jssext.getCritical();
- org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = jssext
- .getExtnId();
+ org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
+ jssext.getExtnId();
long[] numbers = jssoid.getNumbers();
int[] oidNumbers = new int[numbers.length];
for (int k = numbers.length - 1; k >= 0; k--) {
oidNumbers[k] = (int) numbers[k];
}
- ObjectIdentifier oid = new ObjectIdentifier(oidNumbers);
- org.mozilla.jss.asn1.OCTET_STRING jssvalue = jssext
- .getExtnValue();
- ByteArrayOutputStream jssvalueout = new ByteArrayOutputStream();
+ ObjectIdentifier oid =
+ new ObjectIdentifier(oidNumbers);
+ org.mozilla.jss.asn1.OCTET_STRING jssvalue =
+ jssext.getExtnValue();
+ ByteArrayOutputStream jssvalueout =
+ new ByteArrayOutputStream();
jssvalue.encode(jssvalueout);
byte[] extValue = jssvalueout.toByteArray();
- Extension ext = new Extension(oid, isCritical, extValue);
+ Extension ext =
+ new Extension(oid, isCritical, extValue);
extensions.parseExtension(ext);
}
- certInfo.set(X509CertInfo.VERSION, new CertificateVersion(
- CertificateVersion.V3));
+ certInfo.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
}
- // Added a new configuration parameter
+ // Added a new configuration parameter
// eeGateway.Enrollment.authTokenOverride=[true|false]
// By default, it is set to true. In most
// of the case, administrator would want
// to have the control of the subject name
// formulation.
// -- CRMFfillCert
- if (authToken != null
- && authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null) {
- // if authenticated override subect name, validity and
+ if (authToken != null &&
+ authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null) {
+ // if authenticated override subect name, validity and
// extensions if any from authtoken.
fillCertInfoFromAuthToken(certInfo, authToken);
}
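Review bot: The validity guard `if (certTemplate.getNotBefore() != null || certTemplate.getNotAfter() != null)` uses `||` but the line below passes both `certTemplate.getNotBefore()` and `certTemplate.getNotAfter()` to `new CertificateValidity(...)`, so a CRMF template carrying only one of the two dates hands the constructor a null; whether CertificateValidity tolerates that is not visible here, and the auth-token override in fillCertInfoFromAuthToken replaces the validity only when the token has both TOKEN_CERT_NOTBEFORE and TOKEN_CERT_NOTAFTER. Either require both (`&&`) or fill the missing bound explicitly before constructing the validity, and add a comment that requestor-proposed dates are accepted as-is at this point and are expected to be constrained by policy or agent review downstream: `// NOTE(review): CRMF-suggested validity is copied unchanged; confirm it is bounded later`. Stylistically, these two lines (and the reflowed `if (cmsReq.getIRequest().getRequestStatus().equals(...))` lines in the renderServerEnrollResult hunks) are left far wider than the wrap width the rest of this commit adopts.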
@@ -1029,34 +1048,32 @@ public class HashEnrollServlet extends CMSServlet {
return certInfoArray;
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
+ CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
} catch (IOException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
+ e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
+ CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
} catch (InvalidBERException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
+ CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
} catch (InvalidKeyException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
- e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
+ e.toString()));
throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
+ CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
}
}
- protected void renderServerEnrollResult(CMSRequest cmsReq)
- throws IOException {
+ protected void renderServerEnrollResult(CMSRequest cmsReq) throws
+ IOException {
HttpServletResponse httpResp = cmsReq.getHttpResp();
httpResp.setContentType("text/html");
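Review bot: Each of the four catch blocks that close fillCRMF logs `e.toString()` and then throws a fresh `ECMSGWException` without attaching `e`, so the original InvalidBERException/InvalidKeyException stack is lost to anything above the servlet; if ECMSGWException exposes a cause-taking constructor, pass it: `throw new ECMSGWException(CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"), e);`. Since the four handlers are identical, they could also be collapsed into one catch listing the four types if the project's Java level allows multi-catch. Separately, the reflowed `renderServerEnrollResult` signature puts `throws` at the end of the line with `IOException` on the continuation, the opposite of how `fillCRMF`, `fillCertInfoFromAuthToken` and `do_testbed_hack` were wrapped in this same commit; `protected void renderServerEnrollResult(CMSRequest cmsReq)` followed by `throws IOException {` would match. renderServerEnrollResult continues past the end of this hunk.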
@@ -1071,16 +1088,11 @@ public class HashEnrollServlet extends CMSServlet {
out.println("</TITLE>");
// out.println("<BODY BGCOLOR=white>");
- if (cmsReq.getIRequest().getRequestStatus()
- .equals(RequestStatus.COMPLETE)) {
+ if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.COMPLETE)) {
out.println("<H1>");
out.println("SUCCESS");
out.println("</H1>");
- out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX
- // -
- // localize
- // the
- // message
+ out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - localize the message
out.println("<P>");
out.println("Request Creation Time: ");
out.println(cmsReq.getIRequest().getCreationTime().toString());
@@ -1094,30 +1106,25 @@ public class HashEnrollServlet extends CMSServlet {
out.println("Certificate: ");
out.println("<P>");
out.println("<PRE>");
- X509CertImpl certs[] = cmsReq.getIRequest().getExtDataInCertArray(
- IRequest.ISSUED_CERTS);
+ X509CertImpl certs[] =
+ cmsReq.getIRequest().getExtDataInCertArray(IRequest.ISSUED_CERTS);
out.println(CMS.getEncodedCert(certs[0]));
out.println("</PRE>");
out.println("<P>");
- out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME="
- + cmsReq.getIRequest().getCreationTime().toString() + ">");
- out.println("<!HTTP_OUTPUT REQUEST_STATUS="
- + cmsReq.getStatus().toString() + ">");
- out.println("<!HTTP_OUTPUT REQUEST_ID="
- + cmsReq.getIRequest().getRequestId().toString() + ">");
- out.println("<!HTTP_OUTPUT X509_CERTIFICATE="
- + CMS.getEncodedCert(certs[0]) + ">");
- } else if (cmsReq.getIRequest().getRequestStatus()
- .equals(RequestStatus.PENDING)) {
+ out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" +
+ cmsReq.getIRequest().getCreationTime().toString() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
+ cmsReq.getStatus().toString() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_ID=" +
+ cmsReq.getIRequest().getRequestId().toString() + ">");
+ out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" +
+ CMS.getEncodedCert(certs[0]) + ">");
+ } else if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.PENDING)) {
out.println("<H1>");
out.println("PENDING");
out.println("</H1>");
- out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX
- // -
- // localize
- // the
- // message
+ out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - localize the message
out.println("<P>");
out.println("Request Creation Time: ");
out.println(cmsReq.getIRequest().getCreationTime().toString());
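Review bot: `certs[0]` is dereferenced twice in the COMPLETE branch without checking that `getExtDataInCertArray(IRequest.ISSUED_CERTS)` returned a non-empty array; a request marked COMPLETE whose issued-cert attribute is missing or empty would throw from inside the response writer after the HTML header has already been emitted, leaving a half-written page. Guard it before the `<PRE>` block, e.g. `if (certs == null || certs.length == 0) { /* fall through to the ERROR rendering */ }`, or at minimum `X509CertImpl cert = (certs != null && certs.length > 0) ? certs[0] : null;` and skip the certificate section when null. The if/else chain continues past the end of this hunk.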
@@ -1128,22 +1135,18 @@ public class HashEnrollServlet extends CMSServlet {
out.println("Request ID: ");
out.println(cmsReq.getIRequest().getRequestId().toString());
out.println("<P>");
- out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME="
- + cmsReq.getIRequest().getCreationTime().toString() + ">");
- out.println("<!HTTP_OUTPUT REQUEST_STATUS="
- + cmsReq.getStatus().toString() + ">");
- out.println("<!HTTP_OUTPUT REQUEST_ID="
- + cmsReq.getIRequest().getRequestId().toString() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" +
+ cmsReq.getIRequest().getCreationTime().toString() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
+ cmsReq.getStatus().toString() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_ID=" +
+ cmsReq.getIRequest().getRequestId().toString() + ">");
} else {
out.println("<H1>");
out.println("ERROR");
out.println("</H1>");
out.println("<!INFO>");
- out.println("Please consult your local administrator for assistance."); // XXX
- // -
- // localize
- // the
- // message
+ out.println("Please consult your local administrator for assistance."); // XXX - localize the message
out.println("<!/INFO>");
out.println("<P>");
out.println("Request Status: ");
@@ -1152,55 +1155,62 @@ public class HashEnrollServlet extends CMSServlet {
out.println("Error: ");
out.println(cmsReq.getError()); // XXX - need to parse in Locale
out.println("<P>");
- out.println("<!HTTP_OUTPUT REQUEST_STATUS="
- + cmsReq.getStatus().toString() + ">");
- out.println("<!HTTP_OUTPUT ERROR=" + cmsReq.getError() + ">");
+ out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
+ cmsReq.getStatus().toString() + ">");
+ out.println("<!HTTP_OUTPUT ERROR=" +
+ cmsReq.getError() + ">");
}
/**
- * // include all the input data IArgBlock args =
- * cmsReq.getHttpParams(); Enumeration ele = args.getElements(); while
- * (ele.hasMoreElements()) { String eleT = (String)ele.nextElement();
- * out.println("<!HTTP_INPUT " + eleT + "=" + args.get(eleT) + ">"); }
+ // include all the input data
+ IArgBlock args = cmsReq.getHttpParams();
+ Enumeration ele = args.getElements();
+ while (ele.hasMoreElements()) {
+ String eleT = (String)ele.nextElement();
+ out.println("<!HTTP_INPUT " + eleT + "=" +
+ args.get(eleT) + ">");
+ }
**/
out.println("</HTML>");
}
- // XXX ALERT !!
- // Remove the following and calls to them when we bundle a cartman
- // later than alpha1.
- // These are here to cover up problem in cartman where the
- // key usage extension always ends up being digital signature only
+ // XXX ALERT !!
+ // Remove the following and calls to them when we bundle a cartman
+ // later than alpha1.
+ // These are here to cover up problem in cartman where the
+ // key usage extension always ends up being digital signature only
// and for rsa-ex ends up having no bits set.
private boolean mIsTestBed = false;
- private void init_testbed_hack(IConfigStore config) throws EBaseException {
+ private void init_testbed_hack(IConfigStore config)
+ throws EBaseException {
mIsTestBed = config.getBoolean("isTestBed", true);
}
- private void do_testbed_hack(int nummsgs, X509CertInfo[] certinfo,
- IArgBlock httpParams) throws EBaseException {
- if (!mIsTestBed)
+ private void do_testbed_hack(
+ int nummsgs, X509CertInfo[] certinfo, IArgBlock httpParams)
+ throws EBaseException {
+ if (!mIsTestBed)
return;
- // get around bug in cartman - bits are off by one byte.
+ // get around bug in cartman - bits are off by one byte.
for (int i = 0; i < certinfo.length; i++) {
try {
X509CertInfo cert = certinfo[i];
- CertificateExtensions exts = (CertificateExtensions) cert
- .get(CertificateExtensions.NAME);
+ CertificateExtensions exts = (CertificateExtensions)
+ cert.get(CertificateExtensions.NAME);
if (exts == null) {
// should not happen.
continue;
}
- KeyUsageExtension ext = (KeyUsageExtension) exts
- .get(KeyUsageExtension.NAME);
+ KeyUsageExtension ext = (KeyUsageExtension)
+ exts.get(KeyUsageExtension.NAME);
- if (ext == null)
- // should not happen
+ if (ext == null)
+ // should not happen
continue;
byte[] value = ext.getExtensionValue();
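Review bot: `cmsReq.getError()` is written into the page twice in the ERROR branch, once as body text and once inside the `<!HTTP_OUTPUT ERROR=...>` marker, without HTML escaping; whether error text can carry requestor-derived fragments is not visible here, but if it can, this is markup injection into a text/html response. Escaping the value at the point of output, or documenting why it is always server-generated, would settle it: `out.println("<!HTTP_OUTPUT ERROR=" + cmsReq.getError() + ">"); // NOTE(review): getError() assumed server-generated, not HTML-escaped -- confirm`. Separately, `init_testbed_hack` reads `config.getBoolean("isTestBed", true)`, so the key-usage rewrite in do_testbed_hack runs unless a deployment explicitly sets `isTestBed=false`; a default of `false` would fail closed for a workaround the header comment itself says should be removed. do_testbed_hack continues past the end of this hunk.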
@@ -1211,32 +1221,36 @@ public class HashEnrollServlet extends CMSServlet {
newvalue[1] = 0x03;
newvalue[2] = 0x07;
newvalue[3] = value[3];
- // force encryption certs to have digitial signature
+ // force encryption certs to have digitial signature
// set too so smime can find the cert for encryption.
if (value[3] == 0x20) {
/*
- * newvalue[3] = 0x3f; newvalue[4] = (byte)0x80;
+ newvalue[3] = 0x3f;
+ newvalue[4] = (byte)0x80;
*/
- if (httpParams.getValueAsBoolean("dual-use-hack", true)) {
+ if (httpParams.getValueAsBoolean(
+ "dual-use-hack", true)) {
newvalue[3] = (byte) 0xE0; // same as rsa-dual-use.
}
}
newvalue[4] = 0;
- KeyUsageExtension newext = new KeyUsageExtension(
- Boolean.valueOf(true), (Object) newvalue);
+ KeyUsageExtension newext =
+ new KeyUsageExtension(Boolean.valueOf(true),
+ (Object) newvalue);
exts.delete(KeyUsageExtension.NAME);
exts.set(KeyUsageExtension.NAME, newext);
}
} catch (IOException e) {
- // should never happen
+ // should never happen
continue;
} catch (CertificateException e) {
- // should never happen
+ // should never happen
continue;
}
}
}
}
+
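Review bot: The key-usage bits written into an issued cert are partly chosen by the requestor: `httpParams.getValueAsBoolean("dual-use-hack", true)` reads an HTTP parameter and, when true (the default), sets `newvalue[3] = (byte) 0xE0` for a cert whose usage byte was 0x20, so the client decides whether it also receives the additional usage bits, and with `mIsTestBed` defaulting to true in init_testbed_hack this path is live unless `isTestBed` is explicitly disabled. A workaround for a bundled-library bug should not be toggled from the request; either drop the parameter lookup and hard-code the behaviour, or move the switch to server configuration next to `isTestBed`, e.g. `boolean dualUse = config.getBoolean("dualUseHack", true);` read once at init. The comment above `mIsTestBed` already asks for this code to be removed; a note naming the cartman version that fixes the underlying bug would help whoever finally does.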