diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java | 202 |
1 files changed, 102 insertions, 100 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java index 9b39acc74..6142d6857 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; - import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateEncodingException; @@ -57,10 +56,9 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; - /** * Perform the first step in revoking a certificate - * + * * @version $Revision$, $Date$ */ public class RevocationServlet extends CMSServlet { @@ -72,11 +70,11 @@ public class RevocationServlet extends CMSServlet { // revocation templates. private final static String TPL_FILE = "reasonToRevoke.template"; - // http params + // http params public static final String SERIAL_NO = "serialNo"; - // XXX can't do pkcs10 cause it's got no serial no. + // XXX can't do pkcs10 cause it's got no serial no. // (unless put serial no in pki attributes) - // public static final String PKCS10 = "pkcs10"; + // public static final String PKCS10 = "pkcs10"; public static final String REASON_CODE = "reasonCode"; private String mFormPath = null; @@ -85,15 +83,14 @@ public class RevocationServlet extends CMSServlet { private Random mRandom = null; private Nonces mNonces = null; - public RevocationServlet() { super(); } /** - * initialize the servlet. This servlet uses - * the template file "reasonToRevoke.template" to render the - * result. + * initialize the servlet. This servlet uses the template file + * "reasonToRevoke.template" to render the result. + * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -103,8 +100,7 @@ public class RevocationServlet extends CMSServlet { mFormPath = "/" + TPL_FILE; try { - mFormPath = sc.getInitParameter( - PROP_SUCCESS_TEMPLATE); + mFormPath = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); if (mFormPath == null) mFormPath = "/" + TPL_FILE; @@ -115,7 +111,7 @@ public class RevocationServlet extends CMSServlet { } } - // set to false by revokeByDN=false in web.xml + // set to false by revokeByDN=false in web.xml mRevokeByDN = false; String tmp = sc.getInitParameter(PROP_REVOKEBYDN); @@ -127,28 +123,26 @@ public class RevocationServlet extends CMSServlet { } } - /** - * Process the HTTP request. Note that this servlet does not - * actually perform the certificate revocation. This is the first - * step in the multi-step revocation process. (the next step is - * in the ReasonToRevoke servlet. - * + * Process the HTTP request. Note that this servlet does not actually + * perform the certificate revocation. This is the first step in the + * multi-step revocation process. (the next step is in the ReasonToRevoke + * servlet. + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) - throws EBaseException { + protected void process(CMSRequest cmsReq) throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); - // revocation requires either: - // - coming from ee: - // - old cert from ssl client auth - // - old certs from auth manager - // - coming from agent or trusted RA: - // - serial no of cert to be revoked. - + // revocation requires either: + // - coming from ee: + // - old cert from ssl client auth + // - old certs from auth manager + // - coming from agent or trusted RA: + // - serial no of cert to be revoked. + BigInteger old_serial_no = null; X509CertImpl old_cert = null; String revokeAll = null; @@ -159,10 +153,11 @@ public class RevocationServlet extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } IArgBlock header = CMS.createArgBlock(); @@ -174,45 +169,50 @@ public class RevocationServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "submit"); + authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, + "submit"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - // coming from agent - if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + + // coming from agent + if (mAuthMgr != null + && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { X509Certificate[] cert = new X509Certificate[1]; old_serial_no = getCertFromAgent(httpParams, cert); old_cert = (X509CertImpl) cert[0]; } // coming from client else { - // from auth manager + // from auth manager X509CertImpl[] cert = new X509CertImpl[1]; - + old_serial_no = getCertFromAuthMgr(authToken, cert); old_cert = cert[0]; } - header.addStringValue("serialNumber", old_cert.getSerialNumber().toString(16)); - header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber().toString()); - // header.addStringValue("subject", old_cert.getSubjectDN().toString()); - // header.addLongValue("validNotBefore", old_cert.getNotBefore().getTime()/1000); - // header.addLongValue("validNotAfter", old_cert.getNotAfter().getTime()/1000); + header.addStringValue("serialNumber", old_cert.getSerialNumber() + .toString(16)); + header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber() + .toString()); + // header.addStringValue("subject", old_cert.getSubjectDN().toString()); + // header.addLongValue("validNotBefore", + // old_cert.getNotBefore().getTime()/1000); + // header.addLongValue("validNotAfter", + // old_cert.getNotAfter().getTime()/1000); if (mNonces != null) { long n = mRandom.nextLong(); - long m = mNonces.addNonce(n, (X509Certificate)old_cert); + long m = mNonces.addNonce(n, (X509Certificate) old_cert); if ((n + m) != 0) { header.addStringValue("nonce", Long.toString(m)); } @@ -222,19 +222,20 @@ public class RevocationServlet extends CMSServlet { X509CertImpl[] certsToRevoke = null; if (mAuthority instanceof ICertificateAuthority) { - certsToRevoke = ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificates( - old_cert.getSubjectDN().toString(), - ICertificateRepository.ALL_UNREVOKED_CERTS); + certsToRevoke = ((ICertificateAuthority) mAuthority) + .getCertificateRepository().getX509Certificates( + old_cert.getSubjectDN().toString(), + ICertificateRepository.ALL_UNREVOKED_CERTS); } else if (mAuthority instanceof IRegistrationAuthority) { IRequest req = mRequestQueue.newRequest(IRequest.GETCERTS_REQUEST); - String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." + - X509CertInfo.SUBJECT + "=" + - old_cert.getSubjectDN().toString() + ")(|(" + - ICertRecord.ATTR_CERT_STATUS + "=" + - ICertRecord.STATUS_VALID + ")(" + - ICertRecord.ATTR_CERT_STATUS + "=" + - ICertRecord.STATUS_EXPIRED + ")))"; + String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." + + X509CertInfo.SUBJECT + "=" + + old_cert.getSubjectDN().toString() + ")(|(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_VALID + ")(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_EXPIRED + ")))"; req.setExtData(IRequest.CERT_FILTER, filter); mRequestQueue.processRequest(req); @@ -248,7 +249,8 @@ public class RevocationServlet extends CMSServlet { String name = (String) enum1.nextElement(); if (name.equals(IRequest.OLD_CERTS)) { - X509CertImpl[] certs = req.getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] certs = req + .getExtDataInCertArray(IRequest.OLD_CERTS); certsToRevoke = certs; } @@ -262,18 +264,20 @@ public class RevocationServlet extends CMSServlet { if (certsToRevoke != null && certsToRevoke.length > 0) { for (int i = 0; i < certsToRevoke.length; i++) { - if (old_cert.getSerialNumber().equals(certsToRevoke[i].getSerialNumber())) { + if (old_cert.getSerialNumber().equals( + certsToRevoke[i].getSerialNumber())) { authorized = true; break; } } } - if (!noInfo && (certsToRevoke == null || certsToRevoke.length == 0 || - (!authorized))) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); - throw new ECMSGWException(CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); + if (!noInfo + && (certsToRevoke == null || certsToRevoke.length == 0 || (!authorized))) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); } if (!mRevokeByDN || noInfo) { @@ -283,7 +287,8 @@ public class RevocationServlet extends CMSServlet { byte[] ba = old_cert.getEncoded(); // Do base 64 encoding - header.addStringValue("b64eCertificate", com.netscape.osutil.OSUtil.BtoA(ba)); + header.addStringValue("b64eCertificate", + com.netscape.osutil.OSUtil.BtoA(ba)); } catch (CertificateEncodingException e) { } } @@ -295,16 +300,16 @@ public class RevocationServlet extends CMSServlet { for (int i = 0; i < certsToRevoke.length; i++) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", - certsToRevoke[i].getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", - certsToRevoke[i].getSerialNumber().toString()); - rarg.addStringValue("subject", - certsToRevoke[i].getSubjectDN().toString()); - rarg.addLongValue("validNotBefore", - certsToRevoke[i].getNotBefore().getTime() / 1000); - rarg.addLongValue("validNotAfter", - certsToRevoke[i].getNotAfter().getTime() / 1000); + rarg.addStringValue("serialNumber", certsToRevoke[i] + .getSerialNumber().toString(16)); + rarg.addStringValue("serialNumberDecimal", certsToRevoke[i] + .getSerialNumber().toString()); + rarg.addStringValue("subject", certsToRevoke[i].getSubjectDN() + .toString()); + rarg.addLongValue("validNotBefore", certsToRevoke[i] + .getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", certsToRevoke[i] + .getNotAfter().getTime() / 1000); argSet.addRepeatRecord(rarg); } } else { @@ -313,7 +318,7 @@ public class RevocationServlet extends CMSServlet { } // set revocation reason, default to unspecified if not set. - int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); + int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); header.addIntegerValue("reason", reasonCode); @@ -324,10 +329,11 @@ public class RevocationServlet extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } return; @@ -336,29 +342,28 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from agent. */ - private BigInteger getCertFromAgent( - IArgBlock httpParams, X509Certificate[] certContainer) - throws EBaseException { + private BigInteger getCertFromAgent(IArgBlock httpParams, + X509Certificate[] certContainer) throws EBaseException { BigInteger serialno = null; X509Certificate cert = null; // get serial no serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); + CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); } // get cert from db if we're cert authority. if (mAuthority instanceof ICertificateAuthority) { cert = getX509Certificate(serialno); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } } certContainer[0] = cert; @@ -368,23 +373,21 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from auth manager */ - private BigInteger getCertFromAuthMgr( - IAuthToken authToken, X509Certificate[] certContainer) - throws EBaseException { - X509CertImpl cert = - authToken.getInCert(AuthToken.TOKEN_CERT); + private BigInteger getCertFromAuthMgr(IAuthToken authToken, + X509Certificate[] certContainer) throws EBaseException { + X509CertImpl cert = authToken.getInCert(AuthToken.TOKEN_CERT); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); } - if (mAuthority instanceof ICertificateAuthority && - !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } certContainer[0] = cert; BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); @@ -393,4 +396,3 @@ public class RevocationServlet extends CMSServlet { } } - |