diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java | 523 |
1 files changed, 0 insertions, 523 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java deleted file mode 100644 index 223121577..000000000 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java +++ /dev/null @@ -1,523 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.servlet.cert; - -import java.io.IOException; -import java.math.BigInteger; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.Calendar; -import java.util.Date; -import java.util.Enumeration; -import java.util.Vector; - -import javax.servlet.ServletConfig; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; - -import netscape.security.extensions.CertInfo; -import netscape.security.x509.CertificateSerialNumber; -import netscape.security.x509.CertificateValidity; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509CertInfo; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; -import com.netscape.certsrv.authentication.IAuthSubsystem; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IArgBlock; -import com.netscape.certsrv.base.MetaInfo; -import com.netscape.certsrv.ca.ICertificateAuthority; -import com.netscape.certsrv.dbs.certdb.ICertRecord; -import com.netscape.certsrv.logging.AuditFormat; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.RequestStatus; -import com.netscape.cms.servlet.base.CMSServlet; -import com.netscape.cms.servlet.common.CMSRequest; -import com.netscape.cms.servlet.common.ECMSGWException; -import com.netscape.cms.servlet.common.ICMSTemplateFiller; - -/** - * Certificate Renewal - * - * @version $Revision$, $Date$ - */ -public class RenewalServlet extends CMSServlet { - /** - * - */ - private static final long serialVersionUID = -3094124661102395244L; - - // renewal templates. - public static final String RENEWAL_SUCCESS_TEMPLATE = "RenewalSuccess.template"; - - // http params - public static final String CERT_TYPE = "certType"; - public static final String SERIAL_NO = "serialNo"; - // XXX can't do pkcs10 cause it's got no serial no. - // (unless put serial no in pki attributes) - // public static final String PKCS10 = "pkcs10"; - public static final String IMPORT_CERT = "importCert"; - - private String mRenewalSuccessTemplate = RENEWAL_SUCCESS_TEMPLATE; - private ICMSTemplateFiller mRenewalSuccessFiller = new ImportCertsTemplateFiller(); - - public RenewalServlet() { - super(); - } - - /** - * initialize the servlet. This servlet makes use of the - * template file "RenewalSuccess.template" to render the - * response - * - * @param sc servlet configuration, read from the web.xml file - */ - public void init(ServletConfig sc) throws ServletException { - super.init(sc); - // override success template. has same info as enrollment. - mTemplates.remove(CMSRequest.SUCCESS); - try { - mRenewalSuccessTemplate = sc.getInitParameter( - PROP_SUCCESS_TEMPLATE); - if (mRenewalSuccessTemplate == null) - mRenewalSuccessTemplate = RENEWAL_SUCCESS_TEMPLATE; - String fillername = - sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); - - if (fillername != null) { - ICMSTemplateFiller filler = newFillerObject(fillername); - - if (filler != null) - mRenewalSuccessFiller = filler; - } - } catch (Exception e) { - // this should never happen. - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), - mId)); - } - - } - - /** - * Process the HTTP request. - * - * @param cmsReq the object holding the request and response information - */ - protected void process(CMSRequest cmsReq) - throws EBaseException { - long startTime = CMS.getCurrentDate().getTime(); - IArgBlock httpParams = cmsReq.getHttpParams(); - HttpServletRequest httpReq = cmsReq.getHttpReq(); - - // renewal requires either: - // - coming from ee: - // - old cert from ssl client auth - // - old certs from auth manager - // - coming from agent or trusted RA: - // - serial no of cert to be renewed. - - BigInteger old_serial_no = null; - X509CertImpl old_cert = null; - X509CertImpl renewed_cert = null; - Date notBefore = null; - Date notAfter = null; - boolean doSaveAuthToken = false; - - IAuthToken authToken = authenticate(cmsReq); - - AuthzToken authzToken = null; - - try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "renew"); - } catch (EAuthzAccessDenied e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - } - - if (authzToken == null) { - cmsReq.setStatus(CMSRequest.UNAUTHORIZED); - return; - } - - String authMgr = AuditFormat.NOAUTH; - - if (authToken != null && !mAuthMgr.equals("sslClientCertAuthMgr")) { - authMgr = - authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - } - - // coming from agent - if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { - X509Certificate[] cert = new X509Certificate[1]; - - old_serial_no = getCertFromAgent(httpParams, cert); - old_cert = (X509CertImpl) cert[0]; - - // optional validity params from input. - int beginYear = httpParams.getValueAsInt("beginYear", -1); - int beginMonth = httpParams.getValueAsInt("beginMonth", -1); - int beginDate = httpParams.getValueAsInt("beginDate", -1); - int endYear = httpParams.getValueAsInt("endYear", -1); - int endMonth = httpParams.getValueAsInt("endMonth", -1); - int endDate = httpParams.getValueAsInt("endDate", -1); - - if (beginYear != -1 && beginMonth != -1 && beginDate != -1 && - endYear != -1 && endMonth != -1 && endDate != -1) { - Calendar calendar = Calendar.getInstance(); - calendar.set(beginYear, beginMonth, beginDate); - notBefore = calendar.getTime(); - calendar.set(endYear, endMonth, endDate); - notAfter = calendar.getTime(); - } - } // coming from client - else { - // from auth manager - X509CertImpl[] cert = new X509CertImpl[1]; - - old_serial_no = getCertFromAuthMgr(authToken, cert); - old_cert = cert[0]; - } - - IRequest req = null; - - try { - // get ready to send request to request queue. - X509CertInfo new_certInfo = null; - - req = mRequestQueue.newRequest(IRequest.RENEWAL_REQUEST); - req.setExtData(IRequest.OLD_SERIALS, new BigInteger[] { old_serial_no }); - if (old_cert != null) { - req.setExtData(IRequest.OLD_CERTS, - new X509CertImpl[] { old_cert } - ); - // create new certinfo from old_cert contents. - X509CertInfo old_certInfo = (X509CertInfo) - ((X509CertImpl) old_cert).get( - X509CertImpl.NAME + "." + X509CertImpl.INFO); - - new_certInfo = new X509CertInfo(old_certInfo.getEncodedInfo()); - } else { - // if no old cert (came from RA agent) create new cert info - // (serializable) to pass through policies. And set the old - // serial number to pick up. - new_certInfo = new CertInfo(); - new_certInfo.set(X509CertInfo.SERIAL_NUMBER, - new CertificateSerialNumber(old_serial_no)); - } - - if (notBefore == null || notAfter == null) { - notBefore = new Date(0); - notAfter = new Date(0); - } - new_certInfo.set(X509CertInfo.VALIDITY, - new CertificateValidity(notBefore, notAfter)); - req.setExtData(IRequest.CERT_INFO, new X509CertInfo[] { new_certInfo } - ); - } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); - } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); - } - - saveHttpHeaders(httpReq, req); - saveHttpParams(httpParams, req); - if (doSaveAuthToken) - saveAuthToken(authToken, req); - cmsReq.setIRequest(req); - - // send request to request queue. - mRequestQueue.processRequest(req); - - // for audit log - String initiative = null; - String agentID = null; - - if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { - agentID = authToken.getInString("userid"); - initiative = AuditFormat.FROMAGENT + " agentID: " + agentID; - } else { - // request is from eegateway, so fromUser. - initiative = AuditFormat.FROMUSER; - } - - // check resulting status - RequestStatus status = req.getRequestStatus(); - - if (status != RequestStatus.COMPLETE) { - cmsReq.setIRequestStatus(); - // audit log the status - if (status == RequestStatus.REJECTED) { - Vector<String> messages = req.getExtDataInStringVector(IRequest.ERRORS); - - if (messages != null) { - Enumeration<String> msgs = messages.elements(); - StringBuffer wholeMsg = new StringBuffer(); - - while (msgs.hasMoreElements()) { - wholeMsg.append("\n"); - wholeMsg.append(msgs.nextElement()); - } - - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - status.toString(), - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "violation: " + - wholeMsg.toString() } - // wholeMsg}, - // ILogger.L_MULTILINE - ); - } else { // no policy violation, from agent - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - status.toString(), - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "" } - ); - } - } else { // other imcomplete status - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - status.toString(), - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "" } - ); - } - return; - } - - // service error - Integer result = req.getExtDataInInteger(IRequest.RESULT); - - CMS.debug( - "RenewalServlet: Result for request " + req.getRequestId() + " is " + result); - if (result.equals(IRequest.RES_ERROR)) { - CMS.debug( - "RenewalServlet: Result for request " + req.getRequestId() + " is error."); - - cmsReq.setStatus(CMSRequest.ERROR); - cmsReq.setError(req.getExtDataInString(IRequest.ERROR)); - String[] svcErrors = - req.getExtDataInStringArray(IRequest.SVCERRORS); - - if (svcErrors != null && svcErrors.length > 0) { - for (int i = 0; i < svcErrors.length; i++) { - String err = svcErrors[i]; - - if (err != null) { - //System.out.println( - //"revocation servlet: setting error description "+ - //err.toString()); - cmsReq.setErrorDescription(err); - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - "completed with error: " + - err, - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "" } - ); - - } - } - } - return; - } - - // success. - X509CertImpl[] certs = req.getExtDataInCertArray(IRequest.ISSUED_CERTS); - - renewed_cert = certs[0]; - respondSuccess(cmsReq, renewed_cert); - long endTime = CMS.getCurrentDate().getTime(); - - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - "completed", - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "new serial number: 0x" + - renewed_cert.getSerialNumber().toString(16) + " time: " + (endTime - startTime) } - ); - - return; - } - - private void respondSuccess( - CMSRequest cmsReq, X509CertImpl renewed_cert) - throws EBaseException { - cmsReq.setResult(new X509CertImpl[] { renewed_cert } - ); - cmsReq.setStatus(CMSRequest.SUCCESS); - - // check if cert should be imported. - // browser must have input type set to nav or cartman since - // there's no other way to tell - - IArgBlock httpParams = cmsReq.getHttpParams(); - - if (checkImportCertToNav(cmsReq.getHttpResp(), - httpParams, renewed_cert)) { - return; - } else { - try { - renderTemplate(cmsReq, - mRenewalSuccessTemplate, mRenewalSuccessFiller); - } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGE_ERROR_DISPLAY_TEMPLATE_1", - mRenewalSuccessTemplate, e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); - } - } - return; - } - - protected BigInteger getRenewedCert(ICertRecord certRec) - throws EBaseException { - BigInteger renewedCert = null; - String serial = null; - MetaInfo meta = certRec.getMetaInfo(); - - if (meta == null) { - log(ILogger.LL_INFO, - "no meta info in cert serial 0x" + certRec.getSerialNumber().toString(16)); - return null; - } - serial = (String) meta.get(ICertRecord.META_RENEWED_CERT); - if (serial == null) { - log(ILogger.LL_INFO, - "no renewed cert in cert 0x" + certRec.getSerialNumber().toString(16)); - return null; - } - renewedCert = new BigInteger(serial); - log(ILogger.LL_INFO, - "renewed cert serial 0x" + renewedCert.toString(16) + "found for 0x" + - certRec.getSerialNumber().toString(16)); - return renewedCert; - } - - /** - * get certs to renew from agent. - */ - private BigInteger getCertFromAgent( - IArgBlock httpParams, X509Certificate[] certContainer) - throws EBaseException { - BigInteger serialno = null; - X509Certificate cert = null; - - // get serial no - serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); - if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_RENEW")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_RENEW")); - } - // get cert from db if we're cert authority. - if (mAuthority instanceof ICertificateAuthority) { - cert = getX509Certificate(serialno); - if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_RENEW_1", serialno.toString(16))); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); - } - } - certContainer[0] = cert; - return serialno; - } - - /** - * get cert to renew from auth manager - */ - private BigInteger getCertFromAuthMgr( - IAuthToken authToken, X509Certificate[] certContainer) - throws EBaseException { - X509CertImpl cert = - authToken.getInCert(AuthToken.TOKEN_CERT); - - if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); - } - if (mAuthority instanceof ICertificateAuthority && - !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, "certficate from auth manager for " + - " renewal is not from this ca."); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); - } - certContainer[0] = cert; - BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); - - return serialno; - } - -} |