1 files changed, 0 insertions, 1241 deletions

diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
deleted file mode 100644
index 5e6207e1a..000000000
--- a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java
+++ /dev/null
@@ -1,1241 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2007 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.cms.servlet.cert;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.InvalidKeyException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.Locale;
-import java.util.Vector;
-
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletOutputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extension;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
-import org.mozilla.jss.asn1.INTEGER;
-import org.mozilla.jss.asn1.InvalidBERException;
-import org.mozilla.jss.asn1.SEQUENCE;
-import org.mozilla.jss.pkix.crmf.CertReqMsg;
-import org.mozilla.jss.pkix.crmf.CertRequest;
-import org.mozilla.jss.pkix.crmf.CertTemplate;
-import org.mozilla.jss.pkix.primitive.Name;
-import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
-
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.authentication.AuthToken;
-import com.netscape.certsrv.authentication.IAuthManager;
-import com.netscape.certsrv.authentication.IAuthSubsystem;
-import com.netscape.certsrv.authentication.IAuthToken;
-import com.netscape.certsrv.authorization.AuthzToken;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IArgBlock;
-import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.ca.ICertificateAuthority;
-import com.netscape.certsrv.dbs.certdb.ICertRecord;
-import com.netscape.certsrv.dbs.certdb.ICertRecordList;
-import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
-import com.netscape.certsrv.logging.AuditFormat;
-import com.netscape.certsrv.logging.ILogger;
-import com.netscape.certsrv.request.IRequest;
-import com.netscape.certsrv.request.RequestStatus;
-import com.netscape.cms.authentication.HashAuthentication;
-import com.netscape.cms.servlet.base.CMSServlet;
-import com.netscape.cms.servlet.common.CMSRequest;
-import com.netscape.cms.servlet.common.CMSTemplate;
-import com.netscape.cms.servlet.common.CMSTemplateParams;
-import com.netscape.cms.servlet.common.ECMSGWException;
-import com.netscape.cms.servlet.common.ICMSTemplateFiller;
-
-/**
- * performs face-to-face enrollment.
- * 
- * @version $Revision$, $Date$
- */
-public class HashEnrollServlet extends CMSServlet {
-    /**
-     *
-     */
-    private static final long serialVersionUID = 5532936020515258333L;
-
-    public final static String ADMIN_ENROLL_SERVLET_ID = "adminEnroll";
-
-    // enrollment templates.
-    public static final String ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template";
-
-    // http params 
-    public static final String OLD_CERT_TYPE = "csrCertType";
-    public static final String CERT_TYPE = "certType";
-    // same as in ConfigConstant.java
-    public static final String REQUEST_FORMAT = "reqFormat";
-    public static final String REQUEST_CONTENT = "requestContent";
-    public static final String SUBJECT_KEYGEN_INFO = "subjectKeyGenInfo";
-    public static final String CRMF_REQUEST = "CRMFRequest";
-    public static final String SUBJECT_NAME = "subject";
-    public static final String CRMF_REQID = "crmfReqId";
-    public static final String CHALLENGE_PASSWORD = "challengePhrase";
-
-    private static final String CERT_AUTH_DUAL = "dual";
-    private static final String CERT_AUTH_ENCRYPTION = "encryption";
-    private static final String CERT_AUTH_SINGLE = "single";
-    private static final String CLIENT_ISSUER = "clientIssuer";
-    public static final String TPL_ERROR_FILE = "/ra/GenErrorHashDirEnroll.template";
-
-    private boolean mAuthTokenOverride = true;
-    private String mEnrollSuccessTemplate = null;
-    private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller();
-
-    ICertificateAuthority mCa = null;
-    ICertificateRepository mRepository = null;
-
-    public HashEnrollServlet() {
-        super();
-    }
-
-    /**
-     * initialize the servlet.
-     * 
-     * @param sc servlet configuration, read from the web.xml file
-     */
-    public void init(ServletConfig sc) throws ServletException {
-        super.init(sc);
-        // override success template to allow direct import of keygen certs.
-        mTemplates.remove(CMSRequest.SUCCESS);
-        try {
-            mEnrollSuccessTemplate = sc.getInitParameter(
-                        CMSServlet.PROP_SUCCESS_TEMPLATE);
-            if (mEnrollSuccessTemplate == null)
-                mEnrollSuccessTemplate = ENROLL_SUCCESS_TEMPLATE;
-            String fillername =
-                    sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER);
-
-            if (fillername != null) {
-                ICMSTemplateFiller filler = newFillerObject(fillername);
-
-                if (filler != null)
-                    mEnrollSuccessFiller = filler;
-            }
-
-            // cfu
-            mCa = (ICertificateAuthority) CMS.getSubsystem("ca");
-
-            init_testbed_hack(mConfig);
-        } catch (Exception e) {
-            // this should never happen. 
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId));
-        }
-    }
-
-    /**
-     * Process the HTTP request.
-     * 
-     * @param cmsReq the object holding the request and response information
-     */
-    protected void process(CMSRequest cmsReq)
-            throws EBaseException {
-        IArgBlock httpParams = cmsReq.getHttpParams();
-        HttpServletRequest httpReq = cmsReq.getHttpReq();
-        String certType = null;
-
-        String reqHost = httpReq.getRemoteHost();
-
-        String host = httpParams.getValueAsString("hostname", null);
-
-        if (host == null || !host.equals(reqHost)) {
-            printError(cmsReq, "0");
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-            return;
-        }
-
-        IConfigStore configStore = CMS.getConfigStore();
-        String val = configStore.getString("hashDirEnrollment.name");
-        IAuthSubsystem authSS = (IAuthSubsystem)
-                CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
-        IAuthManager authMgr = authSS.get(val);
-        HashAuthentication mgr = (HashAuthentication) authMgr;
-
-        Date date = new Date();
-        long currTime = date.getTime();
-        long timeout = mgr.getTimeout(reqHost);
-        long lastlogin = mgr.getLastLogin(reqHost);
-        long diff = currTime - lastlogin;
-
-        boolean enable = mgr.isEnable(reqHost);
-
-        if (!enable) {
-            printError(cmsReq, "0");
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-            return;
-        }
-        if (lastlogin == 0)
-            mgr.setLastLogin(reqHost, currTime);
-        else if (diff > timeout) {
-            mgr.disable(reqHost);
-            printError(cmsReq, "2");
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-            return;
-        }
-
-        mgr.setLastLogin(reqHost, currTime);
-
-        // support Enterprise 3.5.1 server where CERT_TYPE=csrCertType
-        // instead of certType
-        certType = httpParams.getValueAsString(OLD_CERT_TYPE, null);
-        if (certType == null) {
-            certType = httpParams.getValueAsString(CERT_TYPE, "client");
-        } else {
-            ;
-        }
-
-        processX509(cmsReq);
-    }
-
-    private void printError(CMSRequest cmsReq, String errorCode)
-            throws EBaseException {
-        HttpServletRequest httpReq = cmsReq.getHttpReq();
-        HttpServletResponse httpResp = cmsReq.getHttpResp();
-        IArgBlock header = CMS.createArgBlock();
-        IArgBlock fixed = CMS.createArgBlock();
-        CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);
-
-        mTemplates.remove(CMSRequest.SUCCESS);
-        header.addStringValue("authority", "Registration Manager");
-        header.addStringValue("errorCode", errorCode);
-        String formPath = TPL_ERROR_FILE;
-
-        CMSTemplate form = null;
-        Locale[] locale = new Locale[1];
-
-        try {
-            form = getTemplate(formPath, httpReq, locale);
-        } catch (IOException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formPath, e.toString()));
-            cmsReq.setError(new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
-            cmsReq.setStatus(CMSRequest.ERROR);
-            return;
-        }
-        try {
-            ServletOutputStream out = httpResp.getOutputStream();
-
-            httpResp.setContentType("text/html");
-            form.renderOutput(out, argSet);
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-        } catch (IOException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM",
-                            e.toString()));
-            cmsReq.setError(new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")));
-            cmsReq.setStatus(CMSRequest.ERROR);
-        }
-    }
-
-    protected void processX509(CMSRequest cmsReq)
-            throws EBaseException {
-        IArgBlock httpParams = cmsReq.getHttpParams();
-        HttpServletRequest httpReq = cmsReq.getHttpReq();
-
-        // create enrollment request in request queue.
-        IRequest req = mRequestQueue.newRequest(IRequest.ENROLLMENT_REQUEST);
-
-        /*
-         * === certAuth based enroll ===
-         * "certAuthEnroll" is on.
-         * "certauthEnrollType can be one of the three:
-         *		 single - it's for single cert enrollment 
-         *		 dual - it's for dual certs enrollment
-         *		 encryption - getting the encryption cert only via
-         *                    authentication of the signing cert
-         *                    (crmf or keyGenInfo)
-         */
-        boolean certAuthEnroll = false;
-
-        String certAuthEnrollOn =
-                httpParams.getValueAsString("certauthEnroll", null);
-
-        if ((certAuthEnrollOn != null) && (certAuthEnrollOn.equals("on"))) {
-            certAuthEnroll = true;
-            CMS.debug("HashEnrollServlet: certAuthEnroll is on");
-        }
-
-        String certauthEnrollType = null;
-
-        if (certAuthEnroll == true) {
-            certauthEnrollType =
-                    httpParams.getValueAsString("certauthEnrollType", null);
-            if (certauthEnrollType != null) {
-                if (certauthEnrollType.equals("dual")) {
-                    CMS.debug("HashEnrollServlet: certauthEnrollType is dual");
-                } else if (certauthEnrollType.equals("encryption")) {
-                    CMS.debug("HashEnrollServlet: certauthEnrollType is encryption");
-                } else if (certauthEnrollType.equals("single")) {
-                    CMS.debug("HashEnrollServlet: certauthEnrollType is single");
-                } else {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", certauthEnrollType));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE"));
-                }
-            } else {
-                log(ILogger.LL_FAILURE,
-                        CMS.getLogMessage("CMSGW_MISSING_CERTAUTH_ENROLL_TYPE"));
-                throw new ECMSGWException(
-                        CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE"));
-            }
-        }
-
-        String challengePassword = httpParams.getValueAsString("challengePassword", "");
-
-        cmsReq.setIRequest(req);
-        saveHttpHeaders(httpReq, req);
-        saveHttpParams(httpParams, req);
-        IAuthToken token = authenticate(cmsReq);
-
-        AuthzToken authzToken = null;
-
-        try {
-            authzToken = authorize(mAclMethod, token,
-                        mAuthzResourceName, "import");
-        } catch (Exception e) {
-            // do nothing for now
-        }
-
-        if (authzToken == null) {
-            cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
-            return;
-        }
-
-        X509Certificate sslClientCert = null;
-        // cert auth enroll
-        String certBasedOldSubjectDN = null;
-        BigInteger certBasedOldSerialNum = null;
-
-        // check if request was authenticated, if so set authtoken & certInfo. 
-        // also if authenticated, take certInfo from authToken. 
-        X509CertInfo certInfo = null;
-
-        if (certAuthEnroll == true) {
-            sslClientCert = getSSLClientCertificate(httpReq);
-            if (sslClientCert == null) {
-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT"));
-                throw new ECMSGWException(
-                        CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT"));
-            }
-
-            certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN().toString();
-            certBasedOldSerialNum = (BigInteger) sslClientCert.getSerialNumber();
-            try {
-                certInfo = (X509CertInfo)
-                        ((X509CertImpl) sslClientCert).get(
-                                X509CertImpl.NAME + "." + X509CertImpl.INFO);
-            } catch (CertificateParsingException ex) {
-                log(ILogger.LL_FAILURE,
-                        CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
-                throw new ECMSGWException(
-                        CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
-            }
-        } else {
-            certInfo = CMS.getDefaultX509CertInfo();
-        }
-
-        X509CertInfo[] certInfoArray = new X509CertInfo[] { certInfo };
-
-        //AuthToken authToken = access.getAuthToken();
-        IConfigStore configStore = CMS.getConfigStore();
-        String val = configStore.getString("hashDirEnrollment.name");
-        IAuthSubsystem authSS = (IAuthSubsystem)
-                CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
-        IAuthManager authMgr1 = authSS.get(val);
-        HashAuthentication mgr = (HashAuthentication) authMgr1;
-        String pageID = httpParams.getValueAsString("pageID", null);
-
-        IAuthToken authToken = mgr.getAuthToken(pageID);
-
-        String authMgr = AuditFormat.NOAUTH;
-
-        if (authToken == null) {
-            printError(cmsReq, "3");
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-            return;
-        } else {
-            authMgr =
-                    authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
-            // don't store agent token in request. 
-            // agent currently used for bulk issuance. 
-            // if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
-            log(ILogger.LL_INFO,
-                    "Enrollment request was authenticated by " +
-                            authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME));
-            fillCertInfoFromAuthToken(certInfo, authToken);
-            // save authtoken attrs to request directly (for policy use) 
-            saveAuthToken(authToken, req);
-            // req.set(IRequest.AUTH_TOKEN, authToken);
-            // }
-        }
-
-        // support Enterprise 3.5.1 server where CERT_TYPE=csrCertType
-        // instead of certType
-        String certType = httpParams.getValueAsString(OLD_CERT_TYPE, null);
-        if (certType == null) {
-            certType = httpParams.getValueAsString(CERT_TYPE, "client");
-        } else {
-            // some policies may rely on the fact that
-            // CERT_TYPE is set. So for 3.5.1 or eariler
-            // we need to set CERT_TYPE here.
-            req.setExtData(IRequest.HTTP_PARAMS, CERT_TYPE, certType);
-        }
-
-        String crmf =
-                httpParams.getValueAsString(CRMF_REQUEST, null);
-
-        if (certAuthEnroll == true) {
-
-            fillCertInfoFromAuthToken(certInfo, authToken);
-
-            // for dual certs
-            if (certauthEnrollType.equals(CERT_AUTH_DUAL)) {
-                if (mCa == null) {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_NOT_A_CA"));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_NOT_A_CA"));
-                }
-
-                // first, make sure the client cert is indeed a
-                //				signing only cert
-                if ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
-                        false) ||
-                        ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
-                            true) &&
-                        (CMS.isEncryptionCert((X509CertImpl) sslClientCert) ==
-                            true))) {
-                    // either it's not a signing cert, or it's a dual cert
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
-                }
-                X509Key key = null;
-
-                // for signing cert
-                key = (X509Key) sslClientCert.getPublicKey();
-                try {
-                    certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
-                } catch (CertificateException e) {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
-                } catch (IOException e) {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
-                }
-
-                String filter =
-                        "(&(x509cert.subject="
-                                + certBasedOldSubjectDN + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum
-                                + "))(certStatus=VALID))";
-                ICertRecordList list =
-                        (ICertRecordList) mCa.getCertificateRepository().findCertRecordsInList(filter,
-                                null, 10);
-                int size = list.getSize();
-                Enumeration<ICertRecord> en = list.getCertRecords(0, size - 1);
-                boolean gotEncCert = false;
-
-                if (!en.hasMoreElements()) {
-                    // pairing encryption cert not found
-                } else {
-                    X509CertInfo encCertInfo = CMS.getDefaultX509CertInfo();
-                    X509CertInfo[] cInfoArray = new X509CertInfo[] { certInfo,
-                            encCertInfo };
-                    int i = 1;
-
-                    while (en.hasMoreElements()) {
-                        ICertRecord record = en.nextElement();
-                        X509CertImpl cert = record.getCertificate();
-
-                        // if not encryption cert only, try next one
-                        if ((CMS.isEncryptionCert(cert) == false) ||
-                                ((CMS.isEncryptionCert(cert) == true) &&
-                                (CMS.isSigningCert(cert) == true))) {
-                            continue;
-                        }
-
-                        key = (X509Key) cert.getPublicKey();
-                        try {
-                            encCertInfo = (X509CertInfo)
-                                    cert.get(
-                                            X509CertImpl.NAME + "." + X509CertImpl.INFO);
-
-                        } catch (CertificateParsingException ex) {
-                            log(ILogger.LL_FAILURE,
-                                    CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT"));
-                            throw new ECMSGWException(
-                                    CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
-                        }
-
-                        try {
-                            encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
-                        } catch (CertificateException e) {
-                            log(ILogger.LL_FAILURE,
-                                    CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
-                            throw new ECMSGWException(
-                                    CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
-                        } catch (IOException e) {
-                            log(ILogger.LL_FAILURE,
-                                    CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()));
-                            throw new ECMSGWException(
-                                    CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()));
-                        }
-                        fillCertInfoFromAuthToken(encCertInfo, authToken);
-
-                        cInfoArray[i++] = encCertInfo;
-                        certInfoArray = cInfoArray;
-                        gotEncCert = true;
-                        break;
-                    }
-                }
-
-                if (gotEncCert == false) {
-                    // encryption cert not found, bail
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND"));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND"));
-                }
-            } else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) {
-                // first, make sure the client cert is indeed a
-                //				signing only cert
-                if ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
-                        false) ||
-                        ((CMS.isSigningCert((X509CertImpl) sslClientCert) ==
-                            true) &&
-                        (CMS.isEncryptionCert((X509CertImpl) sslClientCert) ==
-                            true))) {
-                    // either it's not a signing cert, or it's a dual cert
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE"));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE"));
-                }
-
-                /*
-                 * crmf
-                 */
-                if (crmf != null && crmf != "") {
-                    certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
-                    req.setExtData(CLIENT_ISSUER,
-                            sslClientCert.getIssuerDN().toString());
-                    CMS.debug(
-                            "HashEnrollServlet: sslClientCert issuerDN = " + sslClientCert.getIssuerDN().toString());
-                } else {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
-                    throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
-                            "CMS_GW_MISSING_KEYGEN_INFO"));
-                }
-            } else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) {
-                // have to be buried here to handle the issuer
-
-                if (crmf != null && crmf != "") {
-                    certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
-                } else {
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
-                    throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
-                            "CMS_GW_MISSING_KEYGEN_INFO"));
-                }
-                req.setExtData(CLIENT_ISSUER,
-                        sslClientCert.getIssuerDN().toString());
-            }
-        } else if (crmf != null && crmf != "") {
-            certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
-        } else {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
-            throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
-                    "CMS_GW_MISSING_KEYGEN_INFO"));
-        }
-
-        req.setExtData(IRequest.CERT_INFO, certInfoArray);
-
-        if (challengePassword != null && !challengePassword.equals("")) {
-            String pwd = hashPassword(challengePassword);
-
-            req.setExtData(CHALLENGE_PASSWORD, pwd);
-        }
-
-        // send request to request queue. 
-        mRequestQueue.processRequest(req);
-        // process result. 
-
-        // render OLD_CERT_TYPE's response differently, we
-        // dont want any javascript in HTML, and need to
-        // override the default render.
-        if (httpParams.getValueAsString(OLD_CERT_TYPE, null) != null) {
-            try {
-                renderServerEnrollResult(cmsReq);
-                cmsReq.setStatus(CMSRequest.SUCCESS); // no default render
-            } catch (IOException ex) {
-                cmsReq.setStatus(CMSRequest.ERROR);
-            }
-            return;
-        }
-
-        //for audit log
-        String initiative = null;
-        String agentID = null;
-
-        if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
-            // request is from eegateway, so fromUser. 
-            initiative = AuditFormat.FROMUSER;
-        } else {
-            agentID = authToken.getInString("userid");
-            initiative = AuditFormat.FROMAGENT + " agentID: " + agentID;
-        }
-
-        // if service not complete return standard templates.
-        RequestStatus status = req.getRequestStatus();
-
-        if (status != RequestStatus.COMPLETE) {
-            cmsReq.setIRequestStatus(); // set status acc. to IRequest status.
-            // audit log the status 
-            try {
-                if (status == RequestStatus.REJECTED) {
-                    Vector<String> messages = req.getExtDataInStringVector(IRequest.ERRORS);
-
-                    if (messages != null) {
-                        Enumeration<String> msgs = messages.elements();
-                        StringBuffer wholeMsg = new StringBuffer();
-
-                        while (msgs.hasMoreElements()) {
-                            wholeMsg.append("\n");
-                            wholeMsg.append(msgs.nextElement());
-                        }
-                        mLogger.log(ILogger.EV_AUDIT,
-                                ILogger.S_OTHER,
-                                AuditFormat.LEVEL,
-                                AuditFormat.ENROLLMENTFORMAT,
-                                new Object[] {
-                                        req.getRequestId(),
-                                        initiative,
-                                        authMgr,
-                                        status.toString(),
-                                        certInfo.get(X509CertInfo.SUBJECT),
-                                        " violation: " +
-                                                wholeMsg.toString() },
-                                ILogger.L_MULTILINE
-                                );
-                    } else { // no policy violation, from agent
-                        mLogger.log(ILogger.EV_AUDIT,
-                                ILogger.S_OTHER,
-                                AuditFormat.LEVEL,
-                                AuditFormat.ENROLLMENTFORMAT,
-                                new Object[] {
-                                        req.getRequestId(),
-                                        initiative,
-                                        authMgr,
-                                        status.toString(),
-                                        certInfo.get(X509CertInfo.SUBJECT), "" }
-                                );
-                    }
-                } else { // other imcomplete status 
-                    mLogger.log(ILogger.EV_AUDIT,
-                            ILogger.S_OTHER,
-                            AuditFormat.LEVEL,
-                            AuditFormat.ENROLLMENTFORMAT,
-                            new Object[] {
-                                    req.getRequestId(),
-                                    initiative,
-                                    authMgr,
-                                    status.toString(),
-                                    certInfo.get(X509CertInfo.SUBJECT), "" }
-                            );
-                }
-            } catch (IOException e) {
-                log(ILogger.LL_FAILURE,
-                        CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
-            } catch (CertificateException e) {
-                log(ILogger.LL_FAILURE,
-                        CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()));
-            }
-            return;
-        }
-        // if service error use standard error templates.
-        Integer result = req.getExtDataInInteger(IRequest.RESULT);
-
-        if (result.equals(IRequest.RES_ERROR)) {
-
-            cmsReq.setStatus(CMSRequest.ERROR);
-            cmsReq.setError(req.getExtDataInString(IRequest.ERROR));
-            String[] svcErrors =
-                    req.getExtDataInStringArray(IRequest.SVCERRORS);
-
-            if (svcErrors != null && svcErrors.length > 0) {
-                for (int i = 0; i < svcErrors.length; i++) {
-                    String err = svcErrors[i];
-
-                    if (err != null) {
-                        //System.out.println(
-                        //"revocation servlet: setting error description "+
-                        //err.toString());
-                        cmsReq.setErrorDescription(err);
-                        // audit log the error
-                        try {
-                            mLogger.log(ILogger.EV_AUDIT,
-                                    ILogger.S_OTHER,
-                                    AuditFormat.LEVEL,
-                                    AuditFormat.ENROLLMENTFORMAT,
-                                    new Object[] {
-                                            req.getRequestId(),
-                                            initiative,
-                                            authMgr,
-                                            "completed with error: " +
-                                                    err,
-                                            certInfo.get(X509CertInfo.SUBJECT), "" }
-                                    );
-                        } catch (IOException e) {
-                            log(ILogger.LL_FAILURE,
-                                    CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
-                                            e.toString()));
-                        } catch (CertificateException e) {
-                            log(ILogger.LL_FAILURE,
-                                    CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
-                                            e.toString()));
-                        }
-                    }
-                }
-            }
-            return;
-        }
-
-        // service success
-        cmsReq.setStatus(CMSRequest.SUCCESS);
-        X509CertImpl[] issuedCerts =
-                req.getExtDataInCertArray(IRequest.ISSUED_CERTS);
-
-        // audit log the success.
-        mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
-                AuditFormat.LEVEL,
-                AuditFormat.ENROLLMENTFORMAT,
-                new Object[] {
-                        req.getRequestId(),
-                        initiative,
-                        authMgr,
-                        "completed",
-                        issuedCerts[0].getSubjectDN(),
-                        "cert issued serial number: 0x" +
-                                issuedCerts[0].getSerialNumber().toString(16) }
-                );
-
-        // return cert as mime type binary if requested.
-        if (checkImportCertToNav(
-                cmsReq.getHttpResp(), httpParams, issuedCerts[0])) {
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-            return;
-        }
-
-        // use success template.
-        try {
-            cmsReq.setResult(issuedCerts);
-            renderTemplate(cmsReq, mEnrollSuccessTemplate,
-                    mEnrollSuccessFiller);
-            cmsReq.setStatus(CMSRequest.SUCCESS);
-        } catch (IOException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_TEMP_REND_ERR", mEnrollSuccessFiller.toString(), e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"));
-        }
-        return;
-    }
-
-    /**
-     * fill subject name, validity, extensions from authoken if any,
-     * overriding what was in pkcs10.
-     * fill subject name, extensions from http input if not authenticated.
-     * requests not authenticated will need to be approved by an agent.
-     */
-    protected void fillCertInfoFromAuthToken(
-            X509CertInfo certInfo, IAuthToken authToken)
-            throws EBaseException {
-        // override subject, validity and extensions from auth token
-        // CA determines algorithm, version and issuer.
-        // take key from keygen, cmc, pkcs10 or crmf. 
-
-        // subject name.
-        try {
-            String subjectname =
-                    authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT);
-
-            if (subjectname != null) {
-                CertificateSubjectName certSubject = (CertificateSubjectName)
-                        new CertificateSubjectName(new X500Name(subjectname));
-
-                certInfo.set(X509CertInfo.SUBJECT, certSubject);
-                log(ILogger.LL_INFO,
-                        "cert subject set to " + certSubject + " from authtoken");
-            }
-        } catch (CertificateException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
-        } catch (IOException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1",
-                            e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"));
-        }
-
-        // validity
-        try {
-            CertificateValidity validity = null;
-            Date notBefore =
-                    authToken.getInDate(AuthToken.TOKEN_CERT_NOTBEFORE);
-            Date notAfter =
-                    authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER);
-
-            if (notBefore != null && notAfter != null) {
-                validity = new CertificateValidity(notBefore, notAfter);
-                certInfo.set(X509CertInfo.VALIDITY, validity);
-                log(ILogger.LL_INFO,
-                        "cert validity set to " + validity + " from authtoken");
-            }
-        } catch (CertificateException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1",
-                            e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
-        } catch (IOException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"));
-        }
-
-        // extensions
-        try {
-            CertificateExtensions extensions =
-                    authToken.getInCertExts(X509CertInfo.EXTENSIONS);
-
-            if (extensions != null) {
-                certInfo.set(X509CertInfo.EXTENSIONS, extensions);
-                log(ILogger.LL_INFO, "cert extensions set from authtoken");
-            }
-        } catch (CertificateException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
-        } catch (IOException e) {
-            log(ILogger.LL_WARN,
-                    CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1",
-                            e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"));
-        }
-    }
-
-    protected X509CertInfo[] fillCRMF(
-            String crmf, IAuthToken authToken, IArgBlock httpParams, IRequest req)
-            throws EBaseException {
-        try {
-            byte[] crmfBlob = CMS.AtoB(crmf);
-            ByteArrayInputStream crmfBlobIn =
-                    new ByteArrayInputStream(crmfBlob);
-
-            SEQUENCE crmfMsgs = (SEQUENCE)
-                    new SEQUENCE.OF_Template(new CertReqMsg.Template()).decode(crmfBlobIn);
-
-            int nummsgs = crmfMsgs.size();
-            X509CertInfo[] certInfoArray = new X509CertInfo[nummsgs];
-
-            for (int i = 0; i < nummsgs; i++) {
-                // decode message.
-                CertReqMsg certReqMsg = (CertReqMsg) crmfMsgs.elementAt(i);
-
-                /*
-                 if (certReqMsg.hasPop()) {
-                 try {
-                 certReqMsg.verify();
-                 } catch (ChallengeResponseException ex) {
-                 // create and save the challenge
-                 // construct the cmmf message together
-                 // in a sequence to challenge the requestor
-                 } catch (Exception e) {
-                 // failed, should only affect one request
-                 }
-                 }
-                 */
-                CertRequest certReq = certReqMsg.getCertReq();
-                INTEGER certReqId = certReq.getCertReqId();
-                int srcId = certReqId.intValue();
-
-                req.setExtData(IRequest.CRMF_REQID, String.valueOf(srcId));
-
-                CertTemplate certTemplate = certReq.getCertTemplate();
-                X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
-
-                // get key
-                SubjectPublicKeyInfo spki = certTemplate.getPublicKey();
-                ByteArrayOutputStream keyout = new ByteArrayOutputStream();
-
-                spki.encode(keyout);
-                byte[] keybytes = keyout.toByteArray();
-                X509Key key = new X509Key();
-
-                key.decode(keybytes);
-                certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
-
-                // field suggested notBefore and notAfter in CRMF
-                // Tech Support #383184
-                if (certTemplate.getNotBefore() != null || certTemplate.getNotAfter() != null) {
-                    CertificateValidity certValidity =
-                            new CertificateValidity(certTemplate.getNotBefore(), certTemplate.getNotAfter());
-
-                    certInfo.set(X509CertInfo.VALIDITY, certValidity);
-                }
-
-                if (certTemplate.hasSubject()) {
-                    Name subjectdn = certTemplate.getSubject();
-                    ByteArrayOutputStream subjectEncStream =
-                            new ByteArrayOutputStream();
-
-                    subjectdn.encode(subjectEncStream);
-                    byte[] subjectEnc = subjectEncStream.toByteArray();
-                    X500Name subject = new X500Name(subjectEnc);
-
-                    certInfo.set(X509CertInfo.SUBJECT,
-                            new CertificateSubjectName(subject));
-                } else if (authToken == null ||
-                        authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) {
-                    // No subject name - error! 
-                    log(ILogger.LL_FAILURE,
-                            CMS.getLogMessage("CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
-                    throw new ECMSGWException(
-                            CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN"));
-                }
-
-                // get extensions 
-                CertificateExtensions extensions = null;
-
-                try {
-                    extensions = (CertificateExtensions)
-                            certInfo.get(X509CertInfo.EXTENSIONS);
-                } catch (CertificateException e) {
-                    extensions = null;
-                } catch (IOException e) {
-                    extensions = null;
-                }
-                if (certTemplate.hasExtensions()) {
-                    // put each extension from CRMF into CertInfo. 
-                    // index by extension name, consistent with 
-                    // CertificateExtensions.parseExtension() method.
-                    if (extensions == null)
-                        extensions = new CertificateExtensions();
-                    int numexts = certTemplate.numExtensions();
-
-                    for (int j = 0; j < numexts; j++) {
-                        org.mozilla.jss.pkix.cert.Extension jssext =
-                                certTemplate.extensionAt(j);
-                        boolean isCritical = jssext.getCritical();
-                        org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
-                                jssext.getExtnId();
-                        long[] numbers = jssoid.getNumbers();
-                        int[] oidNumbers = new int[numbers.length];
-
-                        for (int k = numbers.length - 1; k >= 0; k--) {
-                            oidNumbers[k] = (int) numbers[k];
-                        }
-                        ObjectIdentifier oid =
-                                new ObjectIdentifier(oidNumbers);
-                        org.mozilla.jss.asn1.OCTET_STRING jssvalue =
-                                jssext.getExtnValue();
-                        ByteArrayOutputStream jssvalueout =
-                                new ByteArrayOutputStream();
-
-                        jssvalue.encode(jssvalueout);
-                        byte[] extValue = jssvalueout.toByteArray();
-
-                        Extension ext =
-                                new Extension(oid, isCritical, extValue);
-
-                        extensions.parseExtension(ext);
-                    }
-
-                    certInfo.set(X509CertInfo.VERSION,
-                            new CertificateVersion(CertificateVersion.V3));
-                    certInfo.set(X509CertInfo.EXTENSIONS, extensions);
-
-                }
-
-                // Added a new configuration parameter 
-                // eeGateway.Enrollment.authTokenOverride=[true|false]
-                // By default, it is set to true. In most
-                // of the case, administrator would want
-                // to have the control of the subject name
-                // formulation.
-                // -- CRMFfillCert
-                if (authToken != null &&
-                        authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null) {
-                    // if authenticated override subect name, validity and 
-                    // extensions if any from authtoken.
-                    fillCertInfoFromAuthToken(certInfo, authToken);
-                }
-
-                certInfoArray[i] = certInfo;
-            }
-
-            do_testbed_hack(nummsgs, certInfoArray, httpParams);
-
-            return certInfoArray;
-        } catch (CertificateException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
-        } catch (IOException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
-                            e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
-        } catch (InvalidBERException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
-        } catch (InvalidKeyException e) {
-            log(ILogger.LL_FAILURE,
-                    CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1",
-                            e.toString()));
-            throw new ECMSGWException(
-                    CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"));
-        }
-    }
-
-    protected void renderServerEnrollResult(CMSRequest cmsReq) throws
-            IOException {
-        HttpServletResponse httpResp = cmsReq.getHttpResp();
-
-        httpResp.setContentType("text/html");
-        ServletOutputStream out = null;
-
-        out = httpResp.getOutputStream();
-
-        // get template based on request status
-        out.println("<HTML>");
-        out.println("<TITLE>");
-        out.println("Server Enrollment");
-        out.println("</TITLE>");
-        // out.println("<BODY BGCOLOR=white>");
-
-        if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.COMPLETE)) {
-            out.println("<H1>");
-            out.println("SUCCESS");
-            out.println("</H1>");
-            out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - localize the message
-            out.println("<P>");
-            out.println("Request Creation Time: ");
-            out.println(cmsReq.getIRequest().getCreationTime().toString());
-            out.println("<P>");
-            out.println("Request Status: ");
-            out.println(cmsReq.getStatus().toString());
-            out.println("<P>");
-            out.println("Request ID: ");
-            out.println(cmsReq.getIRequest().getRequestId().toString());
-            out.println("<P>");
-            out.println("Certificate: ");
-            out.println("<P>");
-            out.println("<PRE>");
-            X509CertImpl certs[] =
-                    cmsReq.getIRequest().getExtDataInCertArray(IRequest.ISSUED_CERTS);
-
-            out.println(CMS.getEncodedCert(certs[0]));
-            out.println("</PRE>");
-            out.println("<P>");
-            out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" +
-                    cmsReq.getIRequest().getCreationTime().toString() + ">");
-            out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
-                    cmsReq.getStatus().toString() + ">");
-            out.println("<!HTTP_OUTPUT REQUEST_ID=" +
-                    cmsReq.getIRequest().getRequestId().toString() + ">");
-            out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" +
-                    CMS.getEncodedCert(certs[0]) + ">");
-        } else if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.PENDING)) {
-            out.println("<H1>");
-            out.println("PENDING");
-            out.println("</H1>");
-            out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - localize the message
-            out.println("<P>");
-            out.println("Request Creation Time: ");
-            out.println(cmsReq.getIRequest().getCreationTime().toString());
-            out.println("<P>");
-            out.println("Request Status: ");
-            out.println(cmsReq.getStatus().toString());
-            out.println("<P>");
-            out.println("Request ID: ");
-            out.println(cmsReq.getIRequest().getRequestId().toString());
-            out.println("<P>");
-            out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" +
-                    cmsReq.getIRequest().getCreationTime().toString() + ">");
-            out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
-                    cmsReq.getStatus().toString() + ">");
-            out.println("<!HTTP_OUTPUT REQUEST_ID=" +
-                    cmsReq.getIRequest().getRequestId().toString() + ">");
-        } else {
-            out.println("<H1>");
-            out.println("ERROR");
-            out.println("</H1>");
-            out.println("<!INFO>");
-            out.println("Please consult your local administrator for assistance."); // XXX - localize the message
-            out.println("<!/INFO>");
-            out.println("<P>");
-            out.println("Request Status: ");
-            out.println(cmsReq.getStatus().toString());
-            out.println("<P>");
-            out.println("Error: ");
-            out.println(cmsReq.getError()); // XXX - need to parse in Locale
-            out.println("<P>");
-            out.println("<!HTTP_OUTPUT REQUEST_STATUS=" +
-                    cmsReq.getStatus().toString() + ">");
-            out.println("<!HTTP_OUTPUT ERROR=" +
-                    cmsReq.getError() + ">");
-        }
-
-        /**
-         * // include all the input data
-         * IArgBlock args = cmsReq.getHttpParams();
-         * Enumeration ele = args.getElements();
-         * while (ele.hasMoreElements()) {
-         * String eleT = (String)ele.nextElement();
-         * out.println("<!HTTP_INPUT " + eleT + "=" +
-         * args.get(eleT) + ">");
-         * }
-         **/
-
-        out.println("</HTML>");
-    }
-
-    // XXX ALERT !! 
-    // Remove the following and calls to them when we bundle a cartman 
-    // later than alpha1. 
-    // These are here to cover up problem in cartman where the 
-    // key usage extension always ends up being digital signature only 
-    // and for rsa-ex ends up having no bits set.
-
-    private boolean mIsTestBed = false;
-
-    private void init_testbed_hack(IConfigStore config)
-            throws EBaseException {
-        mIsTestBed = config.getBoolean("isTestBed", true);
-    }
-
-    private void do_testbed_hack(
-            int nummsgs, X509CertInfo[] certinfo, IArgBlock httpParams)
-            throws EBaseException {
-        if (!mIsTestBed)
-            return;
-
-        // get around bug in cartman - bits are off by one byte.
-        for (int i = 0; i < certinfo.length; i++) {
-            try {
-                X509CertInfo cert = certinfo[i];
-                CertificateExtensions exts = (CertificateExtensions)
-                        cert.get(CertificateExtensions.NAME);
-
-                if (exts == null) {
-                    // should not happen.
-                    continue;
-                }
-                KeyUsageExtension ext = (KeyUsageExtension)
-                        exts.get(KeyUsageExtension.NAME);
-
-                if (ext == null)
-                    // should not happen 
-                    continue;
-                byte[] value = ext.getExtensionValue();
-
-                if (value[0] == 0x03 && value[1] == 0x02 && value[2] == 0x07) {
-                    byte[] newvalue = new byte[value.length + 1];
-
-                    newvalue[0] = 0x03;
-                    newvalue[1] = 0x03;
-                    newvalue[2] = 0x07;
-                    newvalue[3] = value[3];
-                    // force encryption certs to have digitial signature 
-                    // set too so smime can find the cert for encryption.
-                    if (value[3] == 0x20) {
-
-                        /*
-                         newvalue[3] = 0x3f;
-                         newvalue[4] = (byte)0x80;
-                         */
-                        if (httpParams.getValueAsBoolean(
-                                "dual-use-hack", true)) {
-                            newvalue[3] = (byte) 0xE0; // same as rsa-dual-use.
-                        }
-                    }
-                    newvalue[4] = 0;
-                    KeyUsageExtension newext =
-                            new KeyUsageExtension(Boolean.valueOf(true),
-                                    (Object) newvalue);
-
-                    exts.delete(KeyUsageExtension.NAME);
-                    exts.set(KeyUsageExtension.NAME, newext);
-                }
-            } catch (IOException e) {
-                // should never happen 
-                continue;
-            } catch (CertificateException e) {
-                // should never happen 
-                continue;
-            }
-        }
-
-    }
-}