diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/cert')
35 files changed, 7249 insertions, 7356 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java index 63ac96e18..47b3c9f1e 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateException; @@ -67,9 +68,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Revoke a certificate with a CMC-formatted revocation request - * + * * @version $Revision$, $Date$ */ public class CMCRevReqServlet extends CMSServlet { @@ -82,7 +84,7 @@ public class CMCRevReqServlet extends CMSServlet { // revocation templates. private final static String TPL_FILE = "revocationResult.template"; public static final String CRED_CMC = "cmcRequest"; - + private ICertificateRepository mCertDB = null; private String mFormPath = null; private IRequestQueue mQueue = null; @@ -91,26 +93,29 @@ public class CMCRevReqServlet extends CMSServlet { private final static String REVOKE = "revoke"; private final static String ON_HOLD = "on-hold"; private final static int ON_HOLD_REASON = 6; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - - // http params + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + + // http params public static final String SERIAL_NO = TOKEN_CERT_SERIAL; public static final String REASON_CODE = "reasonCode"; public static final String CHALLENGE_PHRASE = "challengePhrase"; // request attributes public static final String SERIALNO_ARRAY = "serialNoArray"; - + public CMCRevReqServlet() { super(); } - /** + /** * initialize the servlet. - * - * @param sc servlet configuration, read from the web.xml file - */ + * @param sc servlet configuration, read from the web.xml file + */ public void init(ServletConfig sc) throws ServletException { super.init(sc); @@ -121,65 +126,61 @@ public class CMCRevReqServlet extends CMSServlet { mTemplates.remove(CMSRequest.SUCCESS); if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); if (mOutputTemplatePath != null) mFormPath = mOutputTemplatePath; } - /** - * Process the HTTP request. - * - * <ul> - * <li>http.param cmcRequest the base-64 encoded CMC request - * </ul> - * - * @param cmsReq the object holding the request and response information + + /** + * Process the HTTP request. + * + * <ul> + * <li>http.param cmcRequest the base-64 encoded CMC request + * </ul> + * @param cmsReq the object holding the request and response information */ protected void process(CMSRequest cmsReq) throws EBaseException { String cmcAgentSerialNumber = null; IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest req = cmsReq.getHttpReq(); - HttpServletResponse resp = cmsReq.getHttpResp(); - + HttpServletResponse resp = cmsReq.getHttpResp(); + CMSTemplate form = null; Locale[] locale = new Locale[1]; - CMS.debug("**** mFormPath = " + mFormPath); +CMS.debug("**** mFormPath = "+mFormPath); try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } EBaseException error = null; IArgBlock header = CMS.createArgBlock(); IArgBlock ctx = CMS.createArgBlock(); CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); + String cmc = (String) httpParams.get(CRED_CMC); if (cmc == null) { - throw new EMissingCredential(CMS.getUserMessage( - "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); + throw new EMissingCredential( + CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); } IAuthToken authToken = authenticate(cmsReq); AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "revoke"); + authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "revoke"); } catch (Exception e) { // do nothing for now } @@ -189,10 +190,10 @@ public class CMCRevReqServlet extends CMSServlet { return; } - // IAuthToken authToken = getAuthToken(cmsReq); - // Object subject = authToken.get(CMCAuth.TOKEN_CERT_SERIAL); - // Object uid = authToken.get("uid"); - // =========================== + //IAuthToken authToken = getAuthToken(cmsReq); + //Object subject = authToken.get(CMCAuth.TOKEN_CERT_SERIAL); + //Object uid = authToken.get("uid"); + //=========================== String authMgr = AuditFormat.NOAUTH; BigInteger[] serialNoArray = null; @@ -200,38 +201,36 @@ public class CMCRevReqServlet extends CMSServlet { serialNoArray = authToken.getInBigIntegerArray(TOKEN_CERT_SERIAL); } - Integer reasonCode = Integer.valueOf(0); - if (authToken != null) { + Integer reasonCode = Integer.valueOf(0); + if (authToken != null) { reasonCode = authToken.getInInteger(REASON_CODE); } - RevocationReason reason = RevocationReason.fromInt(reasonCode - .intValue()); + RevocationReason reason = RevocationReason.fromInt(reasonCode.intValue()); String comments = ""; Date invalidityDate = null; String revokeAll = null; int verifiedRecordCount = 0; int totalRecordCount = 0; - + if (serialNoArray != null) { totalRecordCount = serialNoArray.length; verifiedRecordCount = serialNoArray.length; } - + X509CertImpl[] certs = null; - // for audit log. + //for audit log. String initiative = null; if (mAuthMgr != null && mAuthMgr.equals("CMCAuth")) { // request is from agent if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); String agentID = authToken.getInString("userid"); - initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; } } else { initiative = AuditFormat.FROMUSER; @@ -242,29 +241,24 @@ public class CMCRevReqServlet extends CMSServlet { certs = new X509CertImpl[serialNoArray.length]; for (int i = 0; i < serialNoArray.length; i++) { - certs[i] = ((ICertificateAuthority) mAuthority) - .getCertificateRepository().getX509Certificate( - serialNoArray[i]); + certs[i] = ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificate(serialNoArray[i]); } } else if (mAuthority instanceof IRegistrationAuthority) { IRequest getCertsChallengeReq = null; - getCertsChallengeReq = mQueue - .newRequest(GETCERTS_FOR_CHALLENGE_REQUEST); + getCertsChallengeReq = mQueue.newRequest( + GETCERTS_FOR_CHALLENGE_REQUEST); getCertsChallengeReq.setExtData(SERIALNO_ARRAY, serialNoArray); mQueue.processRequest(getCertsChallengeReq); RequestStatus status = getCertsChallengeReq.getRequestStatus(); if (status == RequestStatus.COMPLETE) { - certs = getCertsChallengeReq - .getExtDataInCertArray(IRequest.OLD_CERTS); - header.addStringValue("request", getCertsChallengeReq - .getRequestId().toString()); + certs = getCertsChallengeReq.getExtDataInCertArray(IRequest.OLD_CERTS); + header.addStringValue("request", getCertsChallengeReq.getRequestId().toString()); mRequestID = getCertsChallengeReq.getRequestId().toString(); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); } } @@ -274,23 +268,23 @@ public class CMCRevReqServlet extends CMSServlet { for (int i = 0; i < serialNoArray.length; i++) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addBigIntegerValue("serialNumber", serialNoArray[i], 16); - rarg.addStringValue("subject", certs[i].getSubjectDN() - .toString()); - rarg.addLongValue("validNotBefore", certs[i].getNotBefore() - .getTime() / 1000); - rarg.addLongValue("validNotAfter", certs[i].getNotAfter() - .getTime() / 1000); - // argSet.addRepeatRecord(rarg); + rarg.addBigIntegerValue("serialNumber", + serialNoArray[i], 16); + rarg.addStringValue("subject", + certs[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certs[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certs[i].getNotAfter().getTime() / 1000); + //argSet.addRepeatRecord(rarg); } revokeAll = "(|(certRecordId=" + serialNoArray[0].toString() + "))"; - cmcAgentSerialNumber = authToken - .getInString(IAuthManager.CRED_SSL_CLIENT_CERT); - process(argSet, header, reasonCode.intValue(), invalidityDate, - initiative, req, resp, verifiedRecordCount, revokeAll, - totalRecordCount, comments, locale[0], cmcAgentSerialNumber); - + cmcAgentSerialNumber= authToken.getInString(IAuthManager.CRED_SSL_CLIENT_CERT); + process(argSet, header, reasonCode.intValue(), invalidityDate, initiative, req, resp, + verifiedRecordCount, revokeAll, totalRecordCount, + comments, locale[0],cmcAgentSerialNumber); + } else { header.addIntegerValue("totalRecordCount", 0); header.addIntegerValue("verifiedRecordCount", 0); @@ -299,56 +293,54 @@ public class CMCRevReqServlet extends CMSServlet { try { ServletOutputStream out = resp.getOutputStream(); - if ((serialNoArray == null) || (serialNoArray.length == 0)) { + if ((serialNoArray== null) || (serialNoArray.length == 0)) { cmsReq.setStatus(CMSRequest.ERROR); - EBaseException ee = new EBaseException( - "No matched certificate is found"); + EBaseException ee = new EBaseException("No matched certificate is found"); cmsReq.setError(ee); } else { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } /** * get cert to revoke from agent. */ - private BigInteger getCertFromAgent(IArgBlock httpParams, - X509Certificate[] certContainer) throws EBaseException { + private BigInteger getCertFromAgent( + IArgBlock httpParams, X509Certificate[] certContainer) + throws EBaseException { BigInteger serialno = null; X509Certificate cert = null; // get serial no serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); + CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); } // get cert from db if we're cert authority. if (mAuthority instanceof ICertificateAuthority) { cert = getX509Certificate(serialno); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } } certContainer[0] = cert; @@ -358,21 +350,23 @@ public class CMCRevReqServlet extends CMSServlet { /** * Revoke the specified certificate */ - private BigInteger getCertFromAuthMgr(AuthToken authToken, - X509Certificate[] certContainer) throws EBaseException { - X509CertImpl cert = authToken.getInCert(AuthToken.TOKEN_CERT); + private BigInteger getCertFromAuthMgr( + AuthToken authToken, X509Certificate[] certContainer) + throws EBaseException { + X509CertImpl cert = + authToken.getInCert(AuthToken.TOKEN_CERT); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); } - if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + if (mAuthority instanceof ICertificateAuthority && + !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } certContainer[0] = cert; BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); @@ -381,23 +375,25 @@ public class CMCRevReqServlet extends CMSServlet { } /** - * get cert to revoke from ssl + * get cert to revoke from ssl */ - private BigInteger getCertFromSSL(HttpServletRequest req, - X509CertImpl[] certContainer) throws EBaseException { + private BigInteger getCertFromSSL( + HttpServletRequest req, X509CertImpl[] certContainer) + throws EBaseException { X509Certificate cert = getSSLClientCertificate(req); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_SSL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_SSL")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_SSL")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_SSL")); } - if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION", "")); + if (mAuthority instanceof ICertificateAuthority && + !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION", "")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); @@ -410,52 +406,56 @@ public class CMCRevReqServlet extends CMSServlet { * Process cert status change request using the Certificate Management * protocol using CMS (CMC) * <P> - * + * * (Certificate Request - an "EE" cert status change request) * <P> - * + * * (Certificate Request Processed - an "EE" cert status change request) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used - * when a cert status change request (e. g. - "revocation") is made (before + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when + * a cert status change request (e. g. - "revocation") is made (before * approval process) - * <li>signed.audit - * LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a - * certificate status is changed (revoked, expired, on-hold, off-hold) + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED + * used when a certificate status is changed (revoked, expired, on-hold, + * off-hold) * </ul> - * * @param argSet CMS template parameters * @param header argument block - * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, 2 - * - CA key compromised; should not be used, 3 - Affiliation - * changed, 4 - Certificate superceded, 5 - Cessation of - * operation, or 6 - Certificate is on hold) + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) * @param invalidityDate certificate validity date * @param initiative string containing the audit format * @param req HTTP servlet request * @param resp HTTP servlet response * @param verifiedRecordCount number of verified records - * @param revokeAll string containing information on all of the certificates - * to be revoked + * @param revokeAll string containing information on all of the + * certificates to be revoked * @param totalRecordCount total number of records (verified and unverified) * @param comments string containing certificate comments * @param locale the system locale * @exception EBaseException an error has occurred */ private void process(CMSTemplateParams argSet, IArgBlock header, - int reason, Date invalidityDate, String initiative, - HttpServletRequest req, HttpServletResponse resp, - int verifiedRecordCount, String revokeAll, int totalRecordCount, - String comments, Locale locale, String cmcAgentSerialNumber) - throws EBaseException { + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String comments, + Locale locale,String cmcAgentSerialNumber) + throws EBaseException { String eeSerialNumber = null; - if (cmcAgentSerialNumber != null) { + if(cmcAgentSerialNumber!=null) { eeSerialNumber = cmcAgentSerialNumber; - } else { - X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); - if (sslCert != null) { + }else{ + X509CertImpl sslCert = ( X509CertImpl ) getSSLClientCertificate( req ); + if( sslCert != null ) { eeSerialNumber = sslCert.getSerialNumber().toString(); } } @@ -463,11 +463,11 @@ public class CMCRevReqServlet extends CMSServlet { boolean auditRequest = true; String auditMessage = null; String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(req); - String auditSerialNumber = auditSerialNumber(eeSerialNumber); - String auditRequestType = auditRequestType(reason); + String auditRequesterID = auditRequesterID( req ); + String auditSerialNumber = auditSerialNumber( eeSerialNumber ); + String auditRequestType = auditRequestType( reason ); String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - String auditReasonNum = String.valueOf(reason); + String auditReasonNum = String.valueOf( reason ); try { int count = 0; @@ -496,9 +496,8 @@ public class CMCRevReqServlet extends CMSServlet { } if (mAuthority instanceof ICertificateAuthority) { - ICertRecordList list = (ICertRecordList) mCertDB - .findCertRecordsInList(revokeAll, null, - totalRecordCount); + ICertRecordList list = (ICertRecordList) mCertDB.findCertRecordsInList( + revokeAll, null, totalRecordCount); Enumeration e = list.getCertRecords(0, totalRecordCount - 1); while (e != null && e.hasMoreElements()) { @@ -507,18 +506,18 @@ public class CMCRevReqServlet extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - cert.getSerialNumber(), 16); + cert.getSerialNumber(), 16); if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { - rarg.addStringValue("error", "Certificate " - + cert.getSerialNumber().toString() - + " is already revoked."); + rarg.addStringValue("error", "Certificate " + + cert.getSerialNumber().toString() + + " is already revoked."); } else { oldCertsV.addElement(cert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - cert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); count++; @@ -530,48 +529,42 @@ public class CMCRevReqServlet extends CMSServlet { } else if (mAuthority instanceof IRegistrationAuthority) { String reqIdStr = null; - if (mRequestID != null && mRequestID.length() > 0) + if (mRequestID != null && mRequestID.length() > 0) reqIdStr = mRequestID; Vector serialNumbers = new Vector(); if (revokeAll != null && revokeAll.length() > 0) { - for (int i = revokeAll.indexOf('='); i < revokeAll.length() - && i > -1; i = revokeAll.indexOf('=', i)) { + for (int i = revokeAll.indexOf('='); + i < revokeAll.length() && i > -1; + i = revokeAll.indexOf('=', i)) { if (i > -1) { i++; - while (i < revokeAll.length() - && revokeAll.charAt(i) == ' ') { + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { i++; } String legalDigits = "0123456789"; int j = i; - while (j < revokeAll.length() - && legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + while (j < revokeAll.length() && + legalDigits.indexOf(revokeAll.charAt(j)) != -1) { j++; } if (j > i) { - serialNumbers.addElement(revokeAll.substring(i, - j)); + serialNumbers.addElement(revokeAll.substring(i, j)); } } } } - if (reqIdStr != null && reqIdStr.length() > 0 - && serialNumbers.size() > 0) { - IRequest certReq = mRequestQueue.findRequest(new RequestId( - reqIdStr)); - X509CertImpl[] certs = certReq - .getExtDataInCertArray(IRequest.OLD_CERTS); + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); for (int i = 0; i < certs.length; i++) { boolean addToList = false; for (int j = 0; j < serialNumbers.size(); j++) { - if (certs[i] - .getSerialNumber() - .toString() - .equals((String) serialNumbers.elementAt(j))) { + if (certs[i].getSerialNumber().toString().equals( + (String) serialNumbers.elementAt(j))) { addToList = true; break; } @@ -580,11 +573,11 @@ public class CMCRevReqServlet extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - certs[i].getSerialNumber(), 16); + certs[i].getSerialNumber(), 16); oldCertsV.addElement(certs[i]); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - certs[i].getSerialNumber(), + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); @@ -597,18 +590,17 @@ public class CMCRevReqServlet extends CMSServlet { String b64eCert = req.getParameter("b64eCertificate"); if (b64eCert != null) { - byte[] certBytes = com.netscape.osutil.OSUtil - .AtoB(b64eCert); + byte[] certBytes = com.netscape.osutil.OSUtil.AtoB(b64eCert); X509CertImpl cert = new X509CertImpl(certBytes); IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - cert.getSerialNumber(), 16); + cert.getSerialNumber(), 16); oldCertsV.addElement(cert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - cert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); count++; @@ -628,13 +620,17 @@ public class CMCRevReqServlet extends CMSServlet { revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); } - IRequest revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST); + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); @@ -664,35 +660,30 @@ public class CMCRevReqServlet extends CMSServlet { Integer result = revReq.getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { - String[] svcErrors = revReq - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // cmsReq.setErrorDescription(err); + //cmsReq.setErrorDescription(err); for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed with error: " - + err, - oldCerts[j] - .getSubjectDN(), - oldCerts[j] - .getSerialNumber() - .toString(16), - RevocationReason - .fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -704,27 +695,24 @@ public class CMCRevReqServlet extends CMSServlet { // audit log the success. for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed", - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } header.addStringValue("revoked", "yes"); - Integer updateCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { header.addStringValue("updateCRL", "yes"); @@ -732,98 +720,92 @@ public class CMCRevReqServlet extends CMSServlet { header.addStringValue("updateCRLSuccess", "yes"); } else { header.addStringValue("updateCRLSuccess", "no"); - String crlError = revReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); if (crlError != null) - header.addStringValue("updateCRLError", crlError); + header.addStringValue("updateCRLError", + crlError); } // let known crl publishing status too. - Integer publishCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue("publishCRLSuccess", "yes"); } else { header.addStringValue("publishCRLSuccess", "no"); - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) header.addStringValue("publishCRLError", - publError); + publError); } } } if (mAuthority instanceof ICertificateAuthority) { // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = revReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (updateResult.equals(IRequest.RES_SUCCESS)) { - CMS.debug("CMCRevReqServlet: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER", - updateStatusStr)); + CMS.debug("CMCRevReqServlet: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", + updateStatusStr)); header.addStringValue(updateStatusStr, "yes"); } else { - String updateErrorStr = crl - .getCrlUpdateErrorStr(); + String updateErrorStr = crl.getCrlUpdateErrorStr(); - CMS.debug("CMCRevReqServlet: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER_NO", - updateStatusStr)); + CMS.debug("CMCRevReqServlet: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); header.addStringValue(updateStatusStr, "no"); - String error = revReq - .getExtDataInString(updateErrorStr); + String error = + revReq.getExtDataInString(updateErrorStr); if (error != null) - header.addStringValue(updateErrorStr, error); + header.addStringValue(updateErrorStr, + error); } - String publishStatusStr = crl - .getCrlPublishStatusStr(); - Integer publishResult = revReq - .getExtDataInInteger(publishStatusStr); + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); if (publishResult == null) continue; if (publishResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue(publishStatusStr, "yes"); } else { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); header.addStringValue(publishStatusStr, "no"); - String error = revReq - .getExtDataInString(publishErrorStr); + String error = + revReq.getExtDataInString(publishErrorStr); if (error != null) - header.addStringValue(publishErrorStr, - error); + header.addStringValue( + publishErrorStr, error); } } } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { header.addStringValue("dirEnabled", "yes"); - Integer[] ldapPublishStatus = revReq - .getExtDataInIntegerArray("ldapPublishStatus"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); int certsToUpdate = 0; int certsUpdated = 0; @@ -839,11 +821,12 @@ public class CMCRevReqServlet extends CMSServlet { header.addIntegerValue("certsToUpdate", certsToUpdate); // add crl publishing status. - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) { - header.addStringValue("crlPublishError", publError); + header.addStringValue("crlPublishError", + publError); } } else { header.addStringValue("dirEnabled", "no"); @@ -856,32 +839,27 @@ public class CMCRevReqServlet extends CMSServlet { // audit log the pending for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "pending", - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "pending", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } else { - Vector errors = revReq - .getExtDataInStringVector(IRequest.ERRORS); + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); StringBuffer errorStr = new StringBuffer(); if (errors != null && errors.size() > 0) { for (int ii = 0; ii < errors.size(); ii++) { - errorStr.append(errors.elementAt(ii)); - ; + errorStr.append(errors.elementAt(ii));; } } header.addStringValue("error", errorStr.toString()); @@ -889,20 +867,17 @@ public class CMCRevReqServlet extends CMSServlet { // audit log the error for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - stat.toString(), - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -911,17 +886,17 @@ public class CMCRevReqServlet extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -931,9 +906,12 @@ public class CMCRevReqServlet extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -942,17 +920,18 @@ public class CMCRevReqServlet extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) + { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -966,9 +945,12 @@ public class CMCRevReqServlet extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -977,17 +959,18 @@ public class CMCRevReqServlet extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) + { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -996,16 +979,18 @@ public class CMCRevReqServlet extends CMSServlet { throw e; } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", - e.toString())); + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", e.toString())); if (auditRequest) { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -1014,32 +999,35 @@ public class CMCRevReqServlet extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) + { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } } - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); } catch (Exception e) { if (auditRequest) { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -1048,17 +1036,18 @@ public class CMCRevReqServlet extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING))) + { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -1072,11 +1061,11 @@ public class CMCRevReqServlet extends CMSServlet { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for a signed audit log - * message. + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. * <P> - * + * * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ @@ -1102,11 +1091,11 @@ public class CMCRevReqServlet extends CMSServlet { /** * Signed Audit Log Serial Number - * + * * This method is called to obtain the serial number of the certificate * whose status is to be changed for a signed audit log message. * <P> - * + * * @param eeSerialNumber a string containing the un-normalized serialNumber * @return id string containing the signed audit log message RequesterID */ @@ -1124,8 +1113,8 @@ public class CMCRevReqServlet extends CMSServlet { // convert it to hexadecimal serialNumber = "0x" - + Integer.toHexString(Integer.valueOf(serialNumber) - .intValue()); + + Integer.toHexString( + Integer.valueOf(serialNumber).intValue()); } else { serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } @@ -1135,11 +1124,11 @@ public class CMCRevReqServlet extends CMSServlet { /** * Signed Audit Log Request Type - * - * This method is called to obtain the "Request Type" for a signed audit log - * message. + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. * <P> - * + * * @param reason an integer denoting the revocation reason * @return string containing REVOKE or ON_HOLD */ @@ -1161,3 +1150,4 @@ public class CMCRevReqServlet extends CMSServlet { return requestType; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java b/pki/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java index 807f0493a..8dff27685 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/ChallengeRevocationServlet1.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateException; @@ -65,11 +66,11 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** - * Takes the certificate info (serial number) and optional challenge phrase, - * creates a revocation request and submits it to the authority subsystem for - * processing - * + * Takes the certificate info (serial number) and optional challenge phrase, creates a + * revocation request and submits it to the authority subsystem for processing + * * @version $Revision$, $Date$ */ public class ChallengeRevocationServlet1 extends CMSServlet { @@ -88,7 +89,7 @@ public class ChallengeRevocationServlet1 extends CMSServlet { private IPublisherProcessor mPublisherProcessor = null; private String mRequestID = null; - // http params + // http params public static final String SERIAL_NO = TOKEN_CERT_SERIAL; public static final String REASON_CODE = "reasonCode"; public static final String CHALLENGE_PHRASE = "challengePhrase"; @@ -101,10 +102,10 @@ public class ChallengeRevocationServlet1 extends CMSServlet { } /** - * Initialize the servlet. This servlet uses the file - * revocationResult.template for the response - * - * @param sc servlet configuration, read from the web.xml file + * Initialize the servlet. This servlet uses the file + * revocationResult.template for the response + * + * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); @@ -115,27 +116,26 @@ public class ChallengeRevocationServlet1 extends CMSServlet { mTemplates.remove(CMSRequest.SUCCESS); if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); } - /** - * Process the HTTP request. + /** + * Process the HTTP request. * <ul> * <li>http.param REASON_CODE the revocation reason - * <li>http.param b64eCertificate the base-64 encoded certificate to revoke + * <li>http.param b64eCertificate the base-64 encoded certificate to revoke * </ul> - * + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest req = cmsReq.getHttpReq(); HttpServletResponse resp = cmsReq.getHttpResp(); @@ -146,10 +146,8 @@ public class ChallengeRevocationServlet1 extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } EBaseException error = null; @@ -161,40 +159,37 @@ public class ChallengeRevocationServlet1 extends CMSServlet { // for audit log IAuthToken authToken = authenticate(cmsReq); String authMgr = AuditFormat.NOAUTH; - + BigInteger[] serialNoArray = null; if (authToken != null) { serialNoArray = authToken.getInBigIntegerArray(SERIAL_NO); } // set revocation reason, default to unspecified if not set. - int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); - // header.addIntegerValue("reason", reasonCode); + int reasonCode = + httpParams.getValueAsInt(REASON_CODE, 0); + // header.addIntegerValue("reason", reasonCode); RevocationReason reason = RevocationReason.fromInt(reasonCode); String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); Date invalidityDate = null; String revokeAll = null; - int totalRecordCount = (serialNoArray != null) ? serialNoArray.length - : 0; - int verifiedRecordCount = (serialNoArray != null) ? serialNoArray.length - : 0; + int totalRecordCount = (serialNoArray != null)? serialNoArray.length:0; + int verifiedRecordCount = (serialNoArray != null)? serialNoArray.length:0; X509CertImpl[] certs = null; - // for audit log. + //for audit log. String initiative = null; - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { // request is from agent if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); String agentID = authToken.getInString("userid"); - initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; } } else { initiative = AuditFormat.FROMUSER; @@ -203,11 +198,11 @@ public class ChallengeRevocationServlet1 extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "revoke"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "revoke"); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -220,29 +215,24 @@ public class ChallengeRevocationServlet1 extends CMSServlet { certs = new X509CertImpl[serialNoArray.length]; for (int i = 0; i < serialNoArray.length; i++) { - certs[i] = ((ICertificateAuthority) mAuthority) - .getCertificateRepository().getX509Certificate( - serialNoArray[i]); + certs[i] = ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificate(serialNoArray[i]); } } else if (mAuthority instanceof IRegistrationAuthority) { IRequest getCertsChallengeReq = null; - getCertsChallengeReq = mQueue - .newRequest(GETCERTS_FOR_CHALLENGE_REQUEST); + getCertsChallengeReq = mQueue.newRequest( + GETCERTS_FOR_CHALLENGE_REQUEST); getCertsChallengeReq.setExtData(SERIALNO_ARRAY, serialNoArray); mQueue.processRequest(getCertsChallengeReq); RequestStatus status = getCertsChallengeReq.getRequestStatus(); if (status == RequestStatus.COMPLETE) { - certs = getCertsChallengeReq - .getExtDataInCertArray(IRequest.OLD_CERTS); - header.addStringValue("request", getCertsChallengeReq - .getRequestId().toString()); + certs = getCertsChallengeReq.getExtDataInCertArray(IRequest.OLD_CERTS); + header.addStringValue("request", getCertsChallengeReq.getRequestId().toString()); mRequestID = getCertsChallengeReq.getRequestId().toString(); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_GET_CERT_CHALL_PWRD")); } } @@ -252,20 +242,21 @@ public class ChallengeRevocationServlet1 extends CMSServlet { for (int i = 0; i < serialNoArray.length; i++) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addBigIntegerValue("serialNumber", serialNoArray[i], 16); - rarg.addStringValue("subject", certs[i].getSubjectDN() - .toString()); - rarg.addLongValue("validNotBefore", certs[i].getNotBefore() - .getTime() / 1000); - rarg.addLongValue("validNotAfter", certs[i].getNotAfter() - .getTime() / 1000); - // argSet.addRepeatRecord(rarg); + rarg.addBigIntegerValue("serialNumber", + serialNoArray[i], 16); + rarg.addStringValue("subject", + certs[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certs[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certs[i].getNotAfter().getTime() / 1000); + //argSet.addRepeatRecord(rarg); } revokeAll = "(|(certRecordId=" + serialNoArray[0].toString() + "))"; - process(argSet, header, reasonCode, invalidityDate, initiative, - req, resp, verifiedRecordCount, revokeAll, - totalRecordCount, comments, locale[0]); + process(argSet, header, reasonCode, invalidityDate, initiative, req, resp, + verifiedRecordCount, revokeAll, totalRecordCount, + comments, locale[0]); } else { header.addIntegerValue("totalRecordCount", 0); header.addIntegerValue("verifiedRecordCount", 0); @@ -274,11 +265,10 @@ public class ChallengeRevocationServlet1 extends CMSServlet { try { ServletOutputStream out = resp.getOutputStream(); - if (serialNoArray == null) { - CMS.debug("ChallengeRevcationServlet1::process() - " - + " serialNoArray is null!"); - EBaseException ee = new EBaseException( - "No matched certificate is found"); + if( serialNoArray == null ) { + CMS.debug( "ChallengeRevcationServlet1::process() - " + + " serialNoArray is null!" ); + EBaseException ee = new EBaseException( "No matched certificate is found" ); cmsReq.setError(ee); return; @@ -286,34 +276,37 @@ public class ChallengeRevocationServlet1 extends CMSServlet { if (serialNoArray.length == 0) { cmsReq.setStatus(CMSRequest.ERROR); - EBaseException ee = new EBaseException( - "No matched certificate is found"); + EBaseException ee = new EBaseException("No matched certificate is found"); cmsReq.setError(ee); } else { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } private void process(CMSTemplateParams argSet, IArgBlock header, - int reason, Date invalidityDate, String initiative, - HttpServletRequest req, HttpServletResponse resp, - int verifiedRecordCount, String revokeAll, int totalRecordCount, - String comments, Locale locale) throws EBaseException { + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String comments, + Locale locale) + throws EBaseException { try { int count = 0; Vector oldCertsV = new Vector(); @@ -341,9 +334,8 @@ public class ChallengeRevocationServlet1 extends CMSServlet { } if (mAuthority instanceof ICertificateAuthority) { - ICertRecordList list = (ICertRecordList) mCertDB - .findCertRecordsInList(revokeAll, null, - totalRecordCount); + ICertRecordList list = (ICertRecordList) mCertDB.findCertRecordsInList( + revokeAll, null, totalRecordCount); Enumeration e = list.getCertRecords(0, totalRecordCount - 1); while (e != null && e.hasMoreElements()) { @@ -352,18 +344,18 @@ public class ChallengeRevocationServlet1 extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - cert.getSerialNumber(), 16); + cert.getSerialNumber(), 16); if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { - rarg.addStringValue("error", "Certificate " - + cert.getSerialNumber().toString() - + " is already revoked."); + rarg.addStringValue("error", "Certificate " + + cert.getSerialNumber().toString() + + " is already revoked."); } else { oldCertsV.addElement(cert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - cert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); count++; @@ -375,48 +367,42 @@ public class ChallengeRevocationServlet1 extends CMSServlet { } else if (mAuthority instanceof IRegistrationAuthority) { String reqIdStr = null; - if (mRequestID != null && mRequestID.length() > 0) + if (mRequestID != null && mRequestID.length() > 0) reqIdStr = mRequestID; Vector serialNumbers = new Vector(); if (revokeAll != null && revokeAll.length() > 0) { - for (int i = revokeAll.indexOf('='); i < revokeAll.length() - && i > -1; i = revokeAll.indexOf('=', i)) { + for (int i = revokeAll.indexOf('='); + i < revokeAll.length() && i > -1; + i = revokeAll.indexOf('=', i)) { if (i > -1) { i++; - while (i < revokeAll.length() - && revokeAll.charAt(i) == ' ') { + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { i++; } String legalDigits = "0123456789"; int j = i; - while (j < revokeAll.length() - && legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + while (j < revokeAll.length() && + legalDigits.indexOf(revokeAll.charAt(j)) != -1) { j++; } if (j > i) { - serialNumbers.addElement(revokeAll.substring(i, - j)); + serialNumbers.addElement(revokeAll.substring(i, j)); } } } } - if (reqIdStr != null && reqIdStr.length() > 0 - && serialNumbers.size() > 0) { - IRequest certReq = mRequestQueue.findRequest(new RequestId( - reqIdStr)); - X509CertImpl[] certs = certReq - .getExtDataInCertArray(IRequest.OLD_CERTS); + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); for (int i = 0; i < certs.length; i++) { boolean addToList = false; for (int j = 0; j < serialNumbers.size(); j++) { - if (certs[i] - .getSerialNumber() - .toString() - .equals((String) serialNumbers.elementAt(j))) { + if (certs[i].getSerialNumber().toString().equals( + (String) serialNumbers.elementAt(j))) { addToList = true; break; } @@ -425,11 +411,11 @@ public class ChallengeRevocationServlet1 extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - certs[i].getSerialNumber(), 16); + certs[i].getSerialNumber(), 16); oldCertsV.addElement(certs[i]); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - certs[i].getSerialNumber(), + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); @@ -442,18 +428,17 @@ public class ChallengeRevocationServlet1 extends CMSServlet { String b64eCert = req.getParameter("b64eCertificate"); if (b64eCert != null) { - byte[] certBytes = com.netscape.osutil.OSUtil - .AtoB(b64eCert); + byte[] certBytes = com.netscape.osutil.OSUtil.AtoB(b64eCert); X509CertImpl cert = new X509CertImpl(certBytes); IArgBlock rarg = CMS.createArgBlock(); rarg.addBigIntegerValue("serialNumber", - cert.getSerialNumber(), 16); + cert.getSerialNumber(), 16); oldCertsV.addElement(cert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - cert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); count++; @@ -473,7 +458,8 @@ public class ChallengeRevocationServlet1 extends CMSServlet { revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); } - IRequest revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST); + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); revReq.setExtData(IRequest.CERT_INFO, revCertImpls); revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); @@ -492,35 +478,30 @@ public class ChallengeRevocationServlet1 extends CMSServlet { Integer result = revReq.getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { - String[] svcErrors = revReq - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // cmsReq.setErrorDescription(err); + //cmsReq.setErrorDescription(err); for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed with error: " - + err, - oldCerts[j] - .getSubjectDN(), - oldCerts[j] - .getSerialNumber() - .toString(16), - RevocationReason - .fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -532,27 +513,24 @@ public class ChallengeRevocationServlet1 extends CMSServlet { // audit log the success. for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed", - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } header.addStringValue("revoked", "yes"); - Integer updateCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { header.addStringValue("updateCRL", "yes"); @@ -560,98 +538,92 @@ public class ChallengeRevocationServlet1 extends CMSServlet { header.addStringValue("updateCRLSuccess", "yes"); } else { header.addStringValue("updateCRLSuccess", "no"); - String crlError = revReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); if (crlError != null) - header.addStringValue("updateCRLError", crlError); + header.addStringValue("updateCRLError", + crlError); } // let known crl publishing status too. - Integer publishCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue("publishCRLSuccess", "yes"); } else { header.addStringValue("publishCRLSuccess", "no"); - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) header.addStringValue("publishCRLError", - publError); + publError); } } } if (mAuthority instanceof ICertificateAuthority) { // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = revReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (updateResult.equals(IRequest.RES_SUCCESS)) { - CMS.debug("ChallengeRevcationServlet1: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER", - updateStatusStr)); + CMS.debug("ChallengeRevcationServlet1: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", + updateStatusStr)); header.addStringValue(updateStatusStr, "yes"); } else { - String updateErrorStr = crl - .getCrlUpdateErrorStr(); + String updateErrorStr = crl.getCrlUpdateErrorStr(); - CMS.debug("ChallengeRevcationServlet1: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER_NO", - updateStatusStr)); + CMS.debug("ChallengeRevcationServlet1: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); header.addStringValue(updateStatusStr, "no"); - String error = revReq - .getExtDataInString(updateErrorStr); + String error = + revReq.getExtDataInString(updateErrorStr); if (error != null) - header.addStringValue(updateErrorStr, error); + header.addStringValue(updateErrorStr, + error); } - String publishStatusStr = crl - .getCrlPublishStatusStr(); - Integer publishResult = revReq - .getExtDataInInteger(publishStatusStr); + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); if (publishResult == null) continue; if (publishResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue(publishStatusStr, "yes"); } else { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); header.addStringValue(publishStatusStr, "no"); - String error = revReq - .getExtDataInString(publishErrorStr); + String error = + revReq.getExtDataInString(publishErrorStr); if (error != null) - header.addStringValue(publishErrorStr, - error); + header.addStringValue( + publishErrorStr, error); } } } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { header.addStringValue("dirEnabled", "yes"); - Integer[] ldapPublishStatus = revReq - .getExtDataInIntegerArray("ldapPublishStatus"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); int certsToUpdate = 0; int certsUpdated = 0; @@ -667,11 +639,12 @@ public class ChallengeRevocationServlet1 extends CMSServlet { header.addIntegerValue("certsToUpdate", certsToUpdate); // add crl publishing status. - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) { - header.addStringValue("crlPublishError", publError); + header.addStringValue("crlPublishError", + publError); } } else { header.addStringValue("dirEnabled", "no"); @@ -684,26 +657,22 @@ public class ChallengeRevocationServlet1 extends CMSServlet { // audit log the pending for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "pending", - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "pending", + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } else { - Vector errors = revReq - .getExtDataInStringVector(IRequest.ERRORS); + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); StringBuffer errorStr = new StringBuffer(); if (errors != null && errors.size() > 0) { @@ -716,20 +685,17 @@ public class ChallengeRevocationServlet1 extends CMSServlet { // audit log the error for (int j = 0; j < count; j++) { if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - stat.toString(), - oldCerts[j].getSubjectDN(), - oldCerts[j].getSerialNumber().toString( - 16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + oldCerts[j].getSubjectDN(), + oldCerts[j].getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -740,10 +706,8 @@ public class ChallengeRevocationServlet1 extends CMSServlet { throw e; } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); } catch (Exception e) { e.printStackTrace(); } @@ -751,3 +715,4 @@ public class ChallengeRevocationServlet1 extends CMSServlet { return; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java b/pki/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java index b6fd03e97..88abe80e5 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/CloneRedirect.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Locale; @@ -38,11 +39,12 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** - * Redirect a request to the Master. This servlet is used in a clone when a - * requested service (such as CRL) is not available. It redirects the user to - * the master. - * + * Redirect a request to the Master. This servlet is used in + * a clone when a requested service (such as CRL) is not available. + * It redirects the user to the master. + * * @version $Revision$, $Date$ */ public class CloneRedirect extends CMSServlet { @@ -69,8 +71,7 @@ public class CloneRedirect extends CMSServlet { /** * Initialize the servlet. - * - * @param sc servlet configuration, read from the web.xml file + * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); @@ -82,9 +83,8 @@ public class CloneRedirect extends CMSServlet { if (authConfig != null) { try { - mNewUrl = authConfig - .getString(PROP_REDIRECT_URL, - "*** master URL unavailable, check your configuration ***"); + mNewUrl = authConfig.getString(PROP_REDIRECT_URL, + "*** master URL unavailable, check your configuration ***"); } catch (EBaseException e) { // do nothing } @@ -93,8 +93,8 @@ public class CloneRedirect extends CMSServlet { if (mAuthority instanceof ICertificateAuthority) mCA = (ICertificateAuthority) mAuthority; - - // override success to do output with our own template. + + // override success to do output with our own template. mTemplates.remove(CMSRequest.SUCCESS); } @@ -117,32 +117,29 @@ public class CloneRedirect extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); throw new ECMSGWException( CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } - CMS.debug("CloneRedirect: " - + CMS.getLogMessage("ADMIN_SRVLT_ADD_MASTER_URL", mNewUrl)); + CMS.debug("CloneRedirect: " + CMS.getLogMessage("ADMIN_SRVLT_ADD_MASTER_URL", mNewUrl)); header.addStringValue("masterURL", mNewUrl); try { ServletOutputStream out = resp.getOutputStream(); String xmlOutput = req.getParameter("xml"); - if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); - } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); - } + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } @@ -150,11 +147,13 @@ public class CloneRedirect extends CMSServlet { * Display information about redirecting to the master's URL info */ private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, - String signatureAlgorithm, Locale locale) throws EBaseException { + HttpServletRequest req, + HttpServletResponse resp, + String signatureAlgorithm, + Locale locale) + throws EBaseException { - CMS.debug("CloneRedirect: " - + CMS.getLogMessage("ADMIN_SRVLT_ADD_MASTER_URL", mNewUrl)); + CMS.debug("CloneRedirect: " + CMS.getLogMessage("ADMIN_SRVLT_ADD_MASTER_URL", mNewUrl)); header.addStringValue("masterURL", mNewUrl); return; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java index 405148466..0ccf7f18e 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DirAuthServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Date; import java.util.Locale; @@ -44,9 +45,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * 'Face-to-face' certificate enrollment. - * + * * @version $Revision$, $Date$ */ public class DirAuthServlet extends CMSServlet { @@ -62,15 +64,15 @@ public class DirAuthServlet extends CMSServlet { super(); } - /** + /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); try { - mFormPath = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); + mFormPath = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mFormPath == null) mFormPath = TPL_FILE; } catch (Exception e) { @@ -79,13 +81,15 @@ public class DirAuthServlet extends CMSServlet { mTemplates.remove(CMSRequest.SUCCESS); } - /** + + /** * Process the HTTP request. This servlet reads configuration information - * from the hashDirEnrollment configuration substore - * + * from the hashDirEnrollment configuration substore + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -95,10 +99,9 @@ public class DirAuthServlet extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof IRegistrationAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -109,10 +112,10 @@ public class DirAuthServlet extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -126,8 +129,8 @@ public class DirAuthServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "submit"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "submit"); } catch (Exception e) { // do nothing for now } @@ -139,8 +142,7 @@ public class DirAuthServlet extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; @@ -164,7 +166,7 @@ public class DirAuthServlet extends CMSServlet { printError(cmsReq, "2"); cmsReq.setStatus(CMSRequest.SUCCESS); return; - } + } mgr.setLastLogin(reqHost, currTime); @@ -174,12 +176,11 @@ public class DirAuthServlet extends CMSServlet { mgr.addAuthToken(pageID, authToken); - header.addStringValue("pageID", pageID); + header.addStringValue("pageID", pageID); header.addStringValue("uid", uid); - header.addStringValue("fingerprint", - mgr.hashFingerprint(reqHost, pageID, uid)); + header.addStringValue("fingerprint", mgr.hashFingerprint(reqHost, pageID, uid)); header.addStringValue("hostname", reqHost); - + try { ServletOutputStream out = httpResp.getOutputStream(); @@ -187,11 +188,10 @@ public class DirAuthServlet extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); cmsReq.setStatus(CMSRequest.ERROR); } cmsReq.setStatus(CMSRequest.SUCCESS); @@ -199,7 +199,7 @@ public class DirAuthServlet extends CMSServlet { } private void printError(CMSRequest cmsReq, String errorCode) - throws EBaseException { + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -218,10 +218,10 @@ public class DirAuthServlet extends CMSServlet { try { form = getTemplate(formPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -234,10 +234,9 @@ public class DirAuthServlet extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"))); cmsReq.setStatus(CMSRequest.ERROR); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java index 380bb9d7f..9f3533123 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DisableEnrollResult.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.security.cert.X509Certificate; import java.util.Locale; @@ -44,9 +45,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * For Face-to-face enrollment, disable EE enrollment feature - * + * * @version $Revision$, $Date$ * @see com.netscape.cms.servlet.cert.EnableEnrollResult */ @@ -80,7 +82,8 @@ public class DisableEnrollResult extends CMSServlet { /** * Services the request */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -89,8 +92,8 @@ public class DisableEnrollResult extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, token, mAuthzResourceName, - "disable"); + authzToken = authorize(mAclMethod, token, + mAuthzResourceName, "disable"); } catch (Exception e) { // do nothing for now } @@ -109,10 +112,9 @@ public class DisableEnrollResult extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof IRegistrationAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); - cmsReq.setError(new ECMSGWException(CMS - .getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getLogMessage("CMSGW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -123,10 +125,10 @@ public class DisableEnrollResult extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -137,8 +139,7 @@ public class DisableEnrollResult extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; @@ -161,11 +162,10 @@ public class DisableEnrollResult extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } cmsReq.setStatus(CMSRequest.SUCCESS); diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java index 62a1f5e90..61cadc4aa 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayBySerial.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; @@ -66,12 +67,13 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Display detailed information about a certificate - * - * The template 'displayBySerial.template' is used to render the response for - * this servlet. - * + * + * The template 'displayBySerial.template' is used to + * render the response for this servlet. + * * @version $Revision$, $Date$ */ public class DisplayBySerial extends CMSServlet { @@ -97,29 +99,26 @@ public class DisplayBySerial extends CMSServlet { /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } try { - mCACerts = ((ICertAuthority) mAuthority).getCACertChain() - .getChain(); + mCACerts = ((ICertAuthority) mAuthority).getCACertChain().getChain(); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); } // coming from ee mForm1Path = "/" + mAuthority.getId() + "/" + TPL_FILE1; - - if (mOutputTemplatePath != null) + + if (mOutputTemplatePath != null) mForm1Path = mOutputTemplatePath; - // override success and error templates to null - + // override success and error templates to null - // handle templates locally. mTemplates.remove(CMSRequest.SUCCESS); } @@ -127,8 +126,8 @@ public class DisplayBySerial extends CMSServlet { /** * Serves HTTP request. The format of this request is as follows: * <ul> - * <li>http.param serialNumber Decimal serial number of certificate to - * display (or hex if serialNumber preceded by 0x) + * <li>http.param serialNumber Decimal serial number of certificate to display + * (or hex if serialNumber preceded by 0x) * </ul> */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -149,11 +148,10 @@ public class DisplayBySerial extends CMSServlet { try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "read"); + mAuthzResourceName, "read"); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -168,22 +166,17 @@ public class DisplayBySerial extends CMSServlet { form = getTemplate(mForm1Path, req, locale); } } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT_1", - String.valueOf(serialNumber))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT_1", String.valueOf(serialNumber))); - error = new ECMSGWException( - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new ECMSGWException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mForm1Path, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mForm1Path, e.toString())); throw new ECMSGWException( CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } catch (EDBRecordNotFoundException e) { - throw new ECMSGWException(CMS.getLogMessage( - "CMSGW_CERT_SERIAL_NOT_FOUND_1", - "0x" + serialNumber.toString(16))); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_CERT_SERIAL_NOT_FOUND_1", "0x" + serialNumber.toString(16))); } IArgBlock header = CMS.createArgBlock(); @@ -192,14 +185,15 @@ public class DisplayBySerial extends CMSServlet { try { if (serialNumber.compareTo(MINUS_ONE) > 0) { - process(argSet, header, serialNumber, req, resp, locale[0]); + process(argSet, header, serialNumber, + req, resp, locale[0]); } else { error = new ECMSGWException( - CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUMBER")); + CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUMBER")); } } catch (EBaseException e) { error = e; - } + } try { ServletOutputStream out = resp.getOutputStream(); @@ -207,22 +201,20 @@ public class DisplayBySerial extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } @@ -231,53 +223,55 @@ public class DisplayBySerial extends CMSServlet { * Display information about a particular certificate */ private void process(CMSTemplateParams argSet, IArgBlock header, - BigInteger seq, HttpServletRequest req, HttpServletResponse resp, - Locale locale) throws EBaseException { + BigInteger seq, HttpServletRequest req, + HttpServletResponse resp, + Locale locale) + throws EBaseException { String certType[] = new String[1]; try { ICertRecord rec = getCertRecord(seq, certType); - + if (certType[0].equalsIgnoreCase("x509")) { processX509(argSet, header, seq, req, resp, locale); return; } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); throw e; } - + return; } - + private void processX509(CMSTemplateParams argSet, IArgBlock header, - BigInteger seq, HttpServletRequest req, HttpServletResponse resp, - Locale locale) throws EBaseException { + BigInteger seq, HttpServletRequest req, + HttpServletResponse resp, + Locale locale) + throws EBaseException { try { ICertRecord rec = (ICertRecord) mCertDB.readCertificateRecord(seq); - if (rec == null) { - CMS.debug("DisplayBySerial: failed to read record"); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + if (rec == null) { + CMS.debug("DisplayBySerial: failed to read record"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); } X509CertImpl cert = rec.getCertificate(); - if (cert == null) { - CMS.debug("DisplayBySerial: no certificate in record"); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + if (cert == null) { + CMS.debug("DisplayBySerial: no certificate in record"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); } try { - X509CertInfo info = (X509CertInfo) cert.get(X509CertImpl.NAME - + "." + X509CertImpl.INFO); - if (info == null) { - CMS.debug("DisplayBySerial: no info found"); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); + X509CertInfo info = (X509CertInfo) cert.get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + if (info == null) { + CMS.debug("DisplayBySerial: no info found"); + throw new ECMSGWException( + CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); } - CertificateExtensions extensions = (CertificateExtensions) info - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); boolean emailCert = false; @@ -288,20 +282,16 @@ public class DisplayBySerial extends CMSServlet { if (ext instanceof NSCertTypeExtension) { NSCertTypeExtension type = (NSCertTypeExtension) ext; - if (((Boolean) type.get(NSCertTypeExtension.EMAIL)) - .booleanValue()) + if (((Boolean) type.get(NSCertTypeExtension.EMAIL)).booleanValue()) emailCert = true; } if (ext instanceof KeyUsageExtension) { - KeyUsageExtension usage = (KeyUsageExtension) ext; + KeyUsageExtension usage = + (KeyUsageExtension) ext; try { - if (((Boolean) usage - .get(KeyUsageExtension.DIGITAL_SIGNATURE)) - .booleanValue() - || ((Boolean) usage - .get(KeyUsageExtension.DATA_ENCIPHERMENT)) - .booleanValue()) + if (((Boolean) usage.get(KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue() || + ((Boolean) usage.get(KeyUsageExtension.DATA_ENCIPHERMENT)).booleanValue()) emailCert = true; } catch (ArrayIndexOutOfBoundsException e) { // bug356108: @@ -314,23 +304,16 @@ public class DisplayBySerial extends CMSServlet { header.addBooleanValue("emailCert", emailCert); boolean noCertImport = true; - MetaInfo metaInfo = (MetaInfo) rec - .get(ICertRecord.ATTR_META_INFO); + MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); if (metaInfo != null) { - String rid = (String) metaInfo - .get(ICertRecord.META_REQUEST_ID); - - if (rid != null - && mAuthority instanceof ICertificateAuthority) { - IRequest r = ((ICertificateAuthority) mAuthority) - .getRequestQueue().findRequest( - new RequestId(rid)); - String certType = r.getExtDataInString( - IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - - if (certType != null - && certType.equals(IRequest.CLIENT_CERT)) { + String rid = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); + + if (rid != null && mAuthority instanceof ICertificateAuthority) { + IRequest r = ((ICertificateAuthority) mAuthority).getRequestQueue().findRequest(new RequestId(rid)); + String certType = r.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + + if (certType != null && certType.equals(IRequest.CLIENT_CERT)) { noCertImport = false; } } @@ -338,9 +321,8 @@ public class DisplayBySerial extends CMSServlet { header.addBooleanValue("noCertImport", noCertImport); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", e.toString())); } IRevocationInfo revocationInfo = rec.getRevocationInfo(); @@ -356,8 +338,7 @@ public class DisplayBySerial extends CMSServlet { Extension ext = (Extension) enumx.nextElement(); if (ext instanceof CRLReasonExtension) { - reason = ((CRLReasonExtension) ext).getReason() - .toInt(); + reason = ((CRLReasonExtension) ext).getReason().toInt(); } } header.addIntegerValue("revocationReason", reason); @@ -366,16 +347,20 @@ public class DisplayBySerial extends CMSServlet { ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert); - header.addStringValue("certPrettyPrint", - certDetails.toString(locale)); + header.addStringValue("certPrettyPrint", + certDetails.toString(locale)); /* - * String scheme = req.getScheme(); if (scheme.equals("http") && - * connectionIsSSL(req)) scheme = "https"; String requestURI = - * req.getRequestURI(); int i = requestURI.indexOf('?'); String - * newRequestURI = (i > -1)? requestURI.substring(0, i): requestURI; - * header.addStringValue("serviceURL", scheme +"://"+ - * req.getServerName() + ":"+ req.getServerPort() + newRequestURI); + String scheme = req.getScheme(); + if (scheme.equals("http") && connectionIsSSL(req)) + scheme = "https"; + String requestURI = req.getRequestURI(); + int i = requestURI.indexOf('?'); + String newRequestURI = + (i > -1)? requestURI.substring(0, i): requestURI; + header.addStringValue("serviceURL", scheme +"://"+ + req.getServerName() + ":"+ + req.getServerPort() + newRequestURI); */ header.addStringValue("authorityid", mAuthority.getId()); @@ -384,9 +369,8 @@ public class DisplayBySerial extends CMSServlet { try { certFingerprints = CMS.getFingerPrints(cert); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DIGESTING_CERT", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DIGESTING_CERT", e.toString())); } if (certFingerprints.length() > 0) header.addStringValue("certFingerprint", certFingerprints); @@ -394,30 +378,30 @@ public class DisplayBySerial extends CMSServlet { byte[] ba = cert.getEncoded(); // Do base 64 encoding - header.addStringValue("certChainBase64", - com.netscape.osutil.OSUtil.BtoA(ba)); + header.addStringValue("certChainBase64", com.netscape.osutil.OSUtil.BtoA(ba)); header.addStringValue("serialNumber", seq.toString(16)); /* - * String userAgent = req.getHeader("user-agent"); String agent = - * (userAgent != null)? UserInfo.getUserAgent(userAgent): ""; + String userAgent = req.getHeader("user-agent"); + String agent = + (userAgent != null)? UserInfo.getUserAgent(userAgent): ""; */ // Now formulate a PKCS#7 blob - X509CertImpl[] certsInChain = new X509CertImpl[1]; - ; + X509CertImpl[] certsInChain = new X509CertImpl[1];; if (mCACerts != null) { for (int i = 0; i < mCACerts.length; i++) { if (cert.equals(mCACerts[i])) { - certsInChain = new X509CertImpl[mCACerts.length]; + certsInChain = new + X509CertImpl[mCACerts.length]; break; } certsInChain = new X509CertImpl[mCACerts.length + 1]; } } - + // Set the EE cert certsInChain[0] = cert; - + // Set the Ca certificate chain if (mCACerts != null) { for (int i = 0; i < mCACerts.length; i++) { @@ -430,42 +414,43 @@ public class DisplayBySerial extends CMSServlet { String p7Str; try { - PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo( - new byte[0]), certsInChain, new SignerInfo[0]); + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + certsInChain, + new SignerInfo[0]); ByteArrayOutputStream bos = new ByteArrayOutputStream(); - p7.encodeSignedData(bos, false); + p7.encodeSignedData(bos,false); byte[] p7Bytes = bos.toByteArray(); - p7Str = com.netscape.osutil.OSUtil.BtoA(p7Bytes); + p7Str = com.netscape.osutil.OSUtil.BtoA(p7Bytes); header.addStringValue("pkcs7ChainBase64", p7Str); } catch (Exception e) { - // p7Str = "PKCS#7 B64 Encoding error - " + e.toString() - // + "; Please contact your administrator"; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7_1", - e.toString())); + //p7Str = "PKCS#7 B64 Encoding error - " + e.toString() + //+ "; Please contact your administrator"; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7_1", e.toString())); throw new ECMSGWException( CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7")); } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("MSGW_ERR_DISP_BY_SERIAL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("MSGW_ERR_DISP_BY_SERIAL", e.toString())); throw e; } catch (CertificateEncodingException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_ENCODE_CERT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_ENCODE_CERT", e.toString())); throw new ECMSGWException( CMS.getLogMessage("CMSGW_ERROR_ENCODING_ISSUED_CERT")); } return; } - + private ICertRecord getCertRecord(BigInteger seq, String certtype[]) - throws EBaseException { + throws EBaseException { ICertRecord rec = null; - + try { rec = (ICertRecord) mCertDB.readCertificateRecord(seq); X509CertImpl x509cert = rec.getCertificate(); @@ -475,28 +460,28 @@ public class DisplayBySerial extends CMSServlet { return rec; } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_DISP_BY_SERIAL", e.toString())); throw e; } - + return rec; } private BigInteger getSerialNumber(HttpServletRequest req) - throws NumberFormatException { + throws NumberFormatException { String serialNumString = req.getParameter("serialNumber"); if (serialNumString != null) { serialNumString = serialNumString.trim(); - if (serialNumString.startsWith("0x") - || serialNumString.startsWith("0X")) { + if (serialNumString.startsWith("0x") || serialNumString.startsWith("0X")) { return new BigInteger(serialNumString.substring(2), 16); } else { - return new BigInteger(serialNumString); + return new BigInteger(serialNumString); } - } else { + } else { throw new NumberFormatException(); - } + } } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java index 7f47db5f8..3a5f3f062 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayCRL.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CRLException; @@ -49,9 +50,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Decode the CRL and display it to the requester. - * + * * @version $Revision$, $Date$ */ public class DisplayCRL extends CMSServlet { @@ -62,8 +64,8 @@ public class DisplayCRL extends CMSServlet { private static final long serialVersionUID = 1152016798229054027L; private final static String INFO = "DisplayCRL"; private final static String TPL_FILE = "displayCRL.template"; - // private final static String E_TPL_FILE = "error.template"; - // private final static String OUT_ERROR = "errorDetails"; + //private final static String E_TPL_FILE = "error.template"; + //private final static String OUT_ERROR = "errorDetails"; private String mFormPath = null; private ICertificateAuthority mCA = null; @@ -76,10 +78,9 @@ public class DisplayCRL extends CMSServlet { } /** - * Initialize the servlet. This servlet uses the 'displayCRL.template' file - * to to render the response to the client. - * - * @param sc servlet configuration, read from the web.xml file + * Initialize the servlet. This servlet uses the 'displayCRL.template' file to + * to render the response to the client. + * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); @@ -95,16 +96,15 @@ public class DisplayCRL extends CMSServlet { } /** - * Process the HTTP request + * Process the HTTP request * <ul> - * <li>http.param crlIssuingPoint number - * <li>http.param crlDisplayType entireCRL or crlHeader or base64Encoded or - * deltaCRL - * <li>http.param pageStart which page to start displaying from - * <li>http.param pageSize number of entries to show per page + * <li>http.param crlIssuingPoint number + * <li>http.param crlDisplayType entireCRL or crlHeader or base64Encoded or deltaCRL + * <li>http.param pageStart which page to start displaying from + * <li>http.param pageSize number of entries to show per page * </ul> - * * @param cmsReq the Request to service. + */ public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest req = cmsReq.getHttpReq(); @@ -115,8 +115,8 @@ public class DisplayCRL extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (Exception e) { // do nothing for now } @@ -132,9 +132,8 @@ public class DisplayCRL extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE_1", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE_1", mFormPath, e.toString())); throw new ECMSGWException( CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } @@ -148,25 +147,24 @@ public class DisplayCRL extends CMSServlet { String crlIssuingPointId = req.getParameter("crlIssuingPoint"); - process(argSet, header, req, resp, crlIssuingPointId, locale[0]); + process(argSet, header, req, resp, crlIssuingPointId, + locale[0]); try { ServletOutputStream out = resp.getOutputStream(); String xmlOutput = req.getParameter("xml"); - if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); - } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); - } + if (xmlOutput != null && xmlOutput.equals("true")) { + outputXML(resp, argSet); + } else { + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } @@ -174,8 +172,10 @@ public class DisplayCRL extends CMSServlet { * Display information about a particular CRL. */ private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, - String crlIssuingPointId, Locale locale) { + HttpServletRequest req, + HttpServletResponse resp, + String crlIssuingPointId, + Locale locale) { boolean updateStatus = true; EBaseException error = null; ICRLIssuingPoint crlIP = null; @@ -189,30 +189,27 @@ public class DisplayCRL extends CMSServlet { ICRLRepository crlRepository = mCA.getCRLRepository(); try { - masterHost = CMS.getConfigStore().getString("master.ca.agent.host", - ""); - masterPort = CMS.getConfigStore().getString("master.ca.agent.port", - ""); - if (masterHost != null && masterHost.length() > 0 - && masterPort != null && masterPort.length() > 0) { + masterHost = CMS.getConfigStore().getString("master.ca.agent.host", ""); + masterPort = CMS.getConfigStore().getString("master.ca.agent.port", ""); + if (masterHost != null && masterHost.length() > 0 && + masterPort != null && masterPort.length() > 0) { clonedCA = true; ipNames = crlRepository.getIssuingPointsNames(); } } catch (EBaseException e) { } - + if (clonedCA) { if (crlIssuingPointId != null) { if (ipNames != null && ipNames.size() > 0) { int i; for (i = 0; i < ipNames.size(); i++) { - String ipName = (String) ipNames.elementAt(i); + String ipName = (String)ipNames.elementAt(i); if (crlIssuingPointId.equals(ipName)) { break; } } - if (i >= ipNames.size()) - crlIssuingPointId = null; + if (i >= ipNames.size()) crlIssuingPointId = null; } else { crlIssuingPointId = null; } @@ -229,15 +226,13 @@ public class DisplayCRL extends CMSServlet { isCRLCacheEnabled = ip.isCRLCacheEnabled(); break; } - if (!ips.hasMoreElements()) - crlIssuingPointId = null; + if (!ips.hasMoreElements()) crlIssuingPointId = null; } } } if (crlIssuingPointId == null) { header.addStringValue("error", - "Request to unspecified or non-existing CRL issuing point: " - + ipId); + "Request to unspecified or non-existing CRL issuing point: "+ipId); return; } @@ -245,43 +240,36 @@ public class DisplayCRL extends CMSServlet { String crlDisplayType = req.getParameter("crlDisplayType"); - if (crlDisplayType == null) - crlDisplayType = "cachedCRL"; + if (crlDisplayType == null) crlDisplayType = "cachedCRL"; header.addStringValue("crlDisplayType", crlDisplayType); try { - crlRecord = (ICRLIssuingPointRecord) mCA.getCRLRepository() - .readCRLIssuingPointRecord(crlIssuingPointId); + crlRecord = + (ICRLIssuingPointRecord) mCA.getCRLRepository().readCRLIssuingPointRecord(crlIssuingPointId); } catch (EBaseException e) { header.addStringValue("error", e.toString(locale)); return; } if (crlRecord == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); - header.addStringValue( - "error", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); - return; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + return; } header.addStringValue("crlIssuingPoint", crlIssuingPointId); if (crlDisplayType.equals("deltaCRL")) { if (clonedCA) { - header.addStringValue("crlNumber", crlRecord - .getDeltaCRLNumber().toString()); + header.addStringValue("crlNumber", crlRecord.getDeltaCRLNumber().toString()); } else { - header.addStringValue("crlNumber", crlIP.getDeltaCRLNumber() - .toString()); + header.addStringValue("crlNumber", crlIP.getDeltaCRLNumber().toString()); } } else { if (clonedCA) { - header.addStringValue("crlNumber", crlRecord.getCRLNumber() - .toString()); + header.addStringValue("crlNumber", crlRecord.getCRLNumber().toString()); } else { - header.addStringValue("crlNumber", crlIP.getCRLNumber() - .toString()); + header.addStringValue("crlNumber", crlIP.getCRLNumber().toString()); } } long lCRLSize = crlRecord.getCRLSize().longValue(); @@ -295,12 +283,10 @@ public class DisplayCRL extends CMSServlet { byte[] crlbytes = crlRecord.getCRL(); if (crlbytes == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); - header.addStringValue( - "error", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); return; } @@ -312,19 +298,14 @@ public class DisplayCRL extends CMSServlet { } } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", e.toString())); - header.addStringValue( - "error", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_DECODE_CRL_FAILED")).toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", e.toString())); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); } } - if (crl != null - || (isCRLCacheEnabled && crlDisplayType.equals("cachedCRL"))) { - if (crlDisplayType.equals("entireCRL") - || crlDisplayType.equals("cachedCRL")) { + if (crl != null || (isCRLCacheEnabled && crlDisplayType.equals("cachedCRL"))) { + if (crlDisplayType.equals("entireCRL") || crlDisplayType.equals("cachedCRL")) { ICRLPrettyPrint crlDetails = null; if (crlDisplayType.equals("entireCRL")) { crlDetails = CMS.getCRLPrettyPrint(crl); @@ -339,29 +320,28 @@ public class DisplayCRL extends CMSServlet { long lPageStart = new Long(pageStart).longValue(); long lPageSize = new Long(pageSize).longValue(); - if (lPageStart < 1) - lPageStart = 1; + if (lPageStart < 1) lPageStart = 1; // if (lPageStart + lPageSize - lCRLSize > 1) - // lPageStart = lCRLSize - lPageSize + 1; + // lPageStart = lCRLSize - lPageSize + 1; - header.addStringValue("crlPrettyPrint", crlDetails - .toString(locale, lCRLSize, lPageStart, lPageSize)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, + lCRLSize, lPageStart, lPageSize)); header.addLongValue("pageStart", lPageStart); header.addLongValue("pageSize", lPageSize); } else { - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale)); } } else if (crlDisplayType.equals("crlHeader")) { ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(crl); - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale, lCRLSize, 0, 0)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, lCRLSize, 0, 0)); } else if (crlDisplayType.equals("base64Encoded")) { try { byte[] ba = crl.getEncoded(); - String crlBase64Encoded = com.netscape.osutil.OSUtil - .BtoA(ba); + String crlBase64Encoded = com.netscape.osutil.OSUtil.BtoA(ba); int length = crlBase64Encoded.length(); int i = 0; int j = 0; @@ -376,8 +356,7 @@ public class DisplayCRL extends CMSServlet { if (i >= length) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); argSet.addRepeatRecord(rarg); } } else { @@ -385,13 +364,11 @@ public class DisplayCRL extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); if (k > -1) { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); i = k + 1; j = i; } else { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, length)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, length)); i = length; } argSet.addRepeatRecord(rarg); @@ -400,93 +377,70 @@ public class DisplayCRL extends CMSServlet { } catch (CRLException e) { } } else if (crlDisplayType.equals("deltaCRL")) { - if ((clonedCA && crlRecord.getDeltaCRLSize() != null && crlRecord - .getDeltaCRLSize().longValue() > -1) - || (crlIP != null && crlIP.isDeltaCRLEnabled())) { + if ((clonedCA && crlRecord.getDeltaCRLSize() != null && + crlRecord.getDeltaCRLSize().longValue() > -1) || + (crlIP != null && crlIP.isDeltaCRLEnabled())) { byte[] deltaCRLBytes = crlRecord.getDeltaCRL(); if (deltaCRLBytes == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_NO_DELTA_CRL", crlIssuingPointId)); - header.addStringValue("error", - "Delta CRL is not available"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_NO_DELTA_CRL", crlIssuingPointId)); + header.addStringValue("error", "Delta CRL is not available"); } else { X509CRLImpl deltaCRL = null; try { deltaCRL = new X509CRLImpl(deltaCRLBytes); } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_DECODE_DELTA_CRL", e.toString())); - header.addStringValue( - "error", - new ECMSGWException(CMS.getUserMessage( - locale, "CMS_GW_DECODE_CRL_FAILED")) - .toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_DELTA_CRL", e.toString())); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); } if (deltaCRL != null) { BigInteger crlNumber = crlRecord.getCRLNumber(); - BigInteger deltaNumber = crlRecord - .getDeltaCRLNumber(); - if ((clonedCA && crlNumber != null - && deltaNumber != null && deltaNumber - .compareTo(crlNumber) >= 0) - || (crlIP != null && crlIP - .isThisCurrentDeltaCRL(deltaCRL))) { + BigInteger deltaNumber = crlRecord.getDeltaCRLNumber(); + if ((clonedCA && crlNumber != null && deltaNumber != null && + deltaNumber.compareTo(crlNumber) >= 0) || + (crlIP != null && crlIP.isThisCurrentDeltaCRL(deltaCRL))) { - header.addIntegerValue("deltaCRLSize", deltaCRL - .getNumberOfRevokedCertificates()); + header.addIntegerValue("deltaCRLSize", + deltaCRL.getNumberOfRevokedCertificates()); - ICRLPrettyPrint crlDetails = CMS - .getCRLPrettyPrint(deltaCRL); + ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(deltaCRL); - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale, 0, 0, 0)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale, 0, 0, 0)); try { byte[] ba = deltaCRL.getEncoded(); - String crlBase64Encoded = com.netscape.osutil.OSUtil - .BtoA(ba); + String crlBase64Encoded = com.netscape.osutil.OSUtil.BtoA(ba); int length = crlBase64Encoded.length(); int i = 0; int j = 0; int n = 1; while (i < length) { - int k = crlBase64Encoded.indexOf('\n', - i); + int k = crlBase64Encoded.indexOf('\n', i); if (n < 100 && k > -1) { n++; i = k + 1; if (i >= length) { - IArgBlock rarg = CMS - .createArgBlock(); + IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue( - "crlBase64Encoded", - crlBase64Encoded - .substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); argSet.addRepeatRecord(rarg); } } else { n = 1; - IArgBlock rarg = CMS - .createArgBlock(); + IArgBlock rarg = CMS.createArgBlock(); if (k > -1) { - rarg.addStringValue( - "crlBase64Encoded", - crlBase64Encoded - .substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); i = k + 1; j = i; } else { - rarg.addStringValue( - "crlBase64Encoded", - crlBase64Encoded - .substring(j, - length)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, length)); i = length; } argSet.addRepeatRecord(rarg); @@ -495,32 +449,25 @@ public class DisplayCRL extends CMSServlet { } catch (CRLException e) { } } else { - header.addStringValue("error", - "Current Delta CRL is not available."); + header.addStringValue("error", "Current Delta CRL is not available."); } } } } else { - header.addStringValue("error", - "Delta CRL is not enabled for " + crlIssuingPointId - + " issuing point"); + header.addStringValue("error", "Delta CRL is not enabled for " + + crlIssuingPointId + + " issuing point"); } } } else if (!isCRLCacheEnabled && crlDisplayType.equals("cachedCRL")) { - header.addStringValue("error", CMS.getUserMessage(locale, - "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); - header.addStringValue("crlPrettyPrint", CMS.getUserMessage(locale, - "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); + header.addStringValue("error", CMS.getUserMessage(locale, "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); + header.addStringValue("crlPrettyPrint", CMS.getUserMessage(locale, "CMS_GW_CRL_CACHE_IS_NOT_ENABLED", crlIssuingPointId)); } else { - header.addStringValue( - "error", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_DECODE_CRL_FAILED")).toString()); - header.addStringValue( - "crlPrettyPrint", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_DECODE_CRL_FAILED")).toString()); + header.addStringValue("error", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); + header.addStringValue("crlPrettyPrint", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_DECODE_CRL_FAILED")).toString()); } return; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java index 74c4ff284..6efda2bb4 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DisplayHashUserEnroll.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Date; import java.util.Locale; @@ -44,10 +45,11 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** - * Servlet to report the status, ie, the agent-initiated user enrollment is - * enabled or disabled. - * + * Servlet to report the status, ie, the agent-initiated user + * enrollment is enabled or disabled. + * * @version $Revision$, $Date$ */ public class DisplayHashUserEnroll extends CMSServlet { @@ -70,7 +72,8 @@ public class DisplayHashUserEnroll extends CMSServlet { super.init(sc); try { - mFormPath = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); + mFormPath = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mFormPath == null) mFormPath = TPL_FILE; } catch (Exception e) { @@ -86,7 +89,8 @@ public class DisplayHashUserEnroll extends CMSServlet { /** * Services the request */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -94,8 +98,8 @@ public class DisplayHashUserEnroll extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (Exception e) { // do nothing for now } @@ -111,10 +115,9 @@ public class DisplayHashUserEnroll extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof IRegistrationAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -125,8 +128,7 @@ public class DisplayHashUserEnroll extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; boolean isEnable = mgr.isEnable(reqHost); @@ -150,7 +152,7 @@ public class DisplayHashUserEnroll extends CMSServlet { printError(cmsReq, "2"); cmsReq.setStatus(CMSRequest.SUCCESS); return; - } + } mgr.setLastLogin(reqHost, currTime); @@ -160,10 +162,10 @@ public class DisplayHashUserEnroll extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -175,11 +177,10 @@ public class DisplayHashUserEnroll extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } cmsReq.setStatus(CMSRequest.SUCCESS); @@ -187,7 +188,7 @@ public class DisplayHashUserEnroll extends CMSServlet { } private void printError(CMSRequest cmsReq, String errorCode) - throws EBaseException { + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -206,10 +207,10 @@ public class DisplayHashUserEnroll extends CMSServlet { try { form = getTemplate(formPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_GET_TEMPLATE", formPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -222,11 +223,10 @@ public class DisplayHashUserEnroll extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", - e.toString())); + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java index dbca061ae..b333c7870 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -70,9 +71,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Revoke a Certificate - * + * * @version $Revision$, $Date$ */ public class DoRevoke extends CMSServlet { @@ -96,17 +98,20 @@ public class DoRevoke extends CMSServlet { private final static String REVOKE = "revoke"; private final static String ON_HOLD = "on-hold"; private final static int ON_HOLD_REASON = 6; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; public DoRevoke() { super(); } /** - * initialize the servlet. This servlet uses the template file - * "revocationResult.template" to render the result - * + * initialize the servlet. This servlet uses the template + * file "revocationResult.template" to render the result * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -117,15 +122,13 @@ public class DoRevoke extends CMSServlet { mUL = mUG.getCertUserLocator(); if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); if (((ICertificateAuthority) mAuthority).noncesEnabled()) { mNonces = ((ICertificateAuthority) mAuthority).getNonces(); } } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); @@ -142,20 +145,16 @@ public class DoRevoke extends CMSServlet { } /** - * Serves HTTP request. The http parameters used by this request are as - * follows: - * + * Serves HTTP request. The http parameters used by this request are as follows: * <pre> * serialNumber Serial number of certificate to revoke (in HEX) * revocationReason Revocation reason (Described below) * totalRecordCount [number] * verifiedRecordCount [number] * invalidityDate [number of seconds in Jan 1,1970] - * + * * </pre> - * * revocationReason can be one of these values: - * * <pre> * 0 = Unspecified (default) * 1 = Key compromised @@ -185,11 +184,8 @@ public class DoRevoke extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } IArgBlock header = CMS.createArgBlock(); @@ -198,18 +194,21 @@ public class DoRevoke extends CMSServlet { try { if (req.getParameter("revocationReason") != null) { - reason = Integer.parseInt(req.getParameter("revocationReason")); + reason = Integer.parseInt(req.getParameter( + "revocationReason")); } if (req.getParameter("totalRecordCount") != null) { - totalRecordCount = Integer.parseInt(req - .getParameter("totalRecordCount")); + totalRecordCount = Integer.parseInt(req.getParameter( + "totalRecordCount")); } if (req.getParameter("verifiedRecordCount") != null) { - verifiedRecordCount = Integer.parseInt(req - .getParameter("verifiedRecordCount")); + verifiedRecordCount = Integer.parseInt( + req.getParameter( + "verifiedRecordCount")); } if (req.getParameter("invalidityDate") != null) { - long l = Long.parseLong(req.getParameter("invalidityDate")); + long l = Long.parseLong(req.getParameter( + "invalidityDate")); if (l > 0) { invalidityDate = new Date(l); @@ -227,11 +226,10 @@ public class DoRevoke extends CMSServlet { certChain[0] = cert2; IUser user = null; try { - user = (IUser) mUL.locateUser(new Certificates( - certChain)); + user = (IUser) mUL.locateUser(new Certificates(certChain)); } catch (Exception e) { - CMS.debug("DoRevoke: Failed to map certificate '" - + cert2.getSubjectDN().getName() + "' to user."); + CMS.debug("DoRevoke: Failed to map certificate '"+ + cert2.getSubjectDN().getName()+"' to user."); } if (mUG.isMemberOf(user, "Subsystem Group")) { skipNonceVerification = true; @@ -244,17 +242,15 @@ public class DoRevoke extends CMSServlet { X509Certificate cert1 = mNonces.getCertificate(nonce); if (cert1 == null) { CMS.debug("DoRevoke: Unknown nonce"); - } else if (cert1 != null && cert2 != null - && cert1.equals(cert2)) { + } else if (cert1 != null && cert2 != null && cert1.equals(cert2)) { nonceVerified = true; mNonces.removeNonce(nonce); } } else { CMS.debug("DoRevoke: Missing nonce"); } - CMS.debug("DoRevoke: nonceVerified=" + nonceVerified); - CMS.debug("DoRevoke: skipNonceVerification=" - + skipNonceVerification); + CMS.debug("DoRevoke: nonceVerified="+nonceVerified); + CMS.debug("DoRevoke: skipNonceVerification="+skipNonceVerification); if ((!nonceVerified) && (!skipNonceVerification)) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; @@ -265,7 +261,7 @@ public class DoRevoke extends CMSServlet { String eeSubjectDN = null; String eeSerialNumber = null; - // for audit log. + //for audit log. String initiative = null; String authMgr = AuditFormat.NOAUTH; @@ -276,51 +272,46 @@ public class DoRevoke extends CMSServlet { try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "revoke"); + mAuthzResourceName, "revoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + + + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { if (authToken != null) { String serialNumber = req.getParameter("serialNumber"); X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); - if (serialNumber != null) { + if (serialNumber != null) { eeSerialNumber = serialNumber; } - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); String agentID = authToken.getInString("userid"); - initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; } } else { // request is fromUser. initiative = AuditFormat.FROMUSER; - + String serialNumber = req.getParameter("serialNumber"); X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); - if (serialNumber == null - || sslCert == null - || !(serialNumber.equals(sslCert.getSerialNumber() - .toString(16)))) { + if (serialNumber == null || sslCert == null || + !(serialNumber.equals(sslCert.getSerialNumber().toString(16)))) { authorized = false; } else { eeSubjectDN = sslCert.getSubjectDN().toString(); @@ -331,25 +322,29 @@ public class DoRevoke extends CMSServlet { if (authorized) { process(argSet, header, reason, invalidityDate, initiative, - req, resp, verifiedRecordCount, revokeAll, - totalRecordCount, eeSerialNumber, eeSubjectDN, - comments, locale[0]); + req, resp, verifiedRecordCount, revokeAll, + totalRecordCount, eeSerialNumber, eeSubjectDN, + comments, locale[0]); } } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); - error = new EBaseException( - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } /* - * catch (Exception e) { noError = false; - * header.addStringValue(OUT_ERROR, MessageFormatter.getLocalizedString( - * errorlocale[0], BaseResources.class.getName(), - * BaseResources.INTERNAL_ERROR_1, e.toString())); } + catch (Exception e) { + noError = false; + header.addStringValue(OUT_ERROR, + MessageFormatter.getLocalizedString( + errorlocale[0], + BaseResources.class.getName(), + BaseResources.INTERNAL_ERROR_1, + e.toString())); + } */ try { @@ -358,11 +353,11 @@ public class DoRevoke extends CMSServlet { if (error == null && authorized) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else if (!authorized) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); @@ -371,63 +366,67 @@ public class DoRevoke extends CMSServlet { cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } /** * Process cert status change request * <P> - * - * (Certificate Request - either an "agent" cert status change request, or - * an "EE" cert status change request) + * + * (Certificate Request - either an "agent" cert status change request, + * or an "EE" cert status change request) * <P> - * - * (Certificate Request Processed - either an "agent" cert status change - * request, or an "EE" cert status change request) + * + * (Certificate Request Processed - either an "agent" cert status change + * request, or an "EE" cert status change request) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used - * when a cert status change request (e. g. - "revocation") is made (before + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when + * a cert status change request (e. g. - "revocation") is made (before * approval process) - * <li>signed.audit - * LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a - * certificate status is changed (revoked, expired, on-hold, off-hold) + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED + * used when a certificate status is changed (revoked, expired, on-hold, + * off-hold) * </ul> - * * @param argSet CMS template parameters * @param header argument block - * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, 2 - * - CA key compromised; should not be used, 3 - Affiliation - * changed, 4 - Certificate superceded, 5 - Cessation of - * operation, or 6 - Certificate is on hold) + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) * @param invalidityDate certificate validity date * @param initiative string containing the audit format * @param req HTTP servlet request * @param resp HTTP servlet response * @param verifiedRecordCount number of verified records - * @param revokeAll string containing information on all of the certificates - * to be revoked + * @param revokeAll string containing information on all of the + * certificates to be revoked * @param totalRecordCount total number of records (verified and unverified) - * @param eeSerialNumber string containing the end-entity certificate serial - * number + * @param eeSerialNumber string containing the end-entity certificate + * serial number * @param eeSubjectDN string containing the end-entity certificate subject - * distinguished name (DN) + * distinguished name (DN) * @param comments string containing certificate comments * @param locale the system locale * @exception EBaseException an error has occurred */ private void process(CMSTemplateParams argSet, IArgBlock header, - int reason, Date invalidityDate, String initiative, - HttpServletRequest req, HttpServletResponse resp, - int verifiedRecordCount, String revokeAll, int totalRecordCount, - String eeSerialNumber, String eeSubjectDN, String comments, - Locale locale) throws EBaseException { + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + int verifiedRecordCount, + String revokeAll, + int totalRecordCount, + String eeSerialNumber, + String eeSubjectDN, + String comments, + Locale locale) + throws EBaseException { boolean auditRequest = true; String auditMessage = null; String auditSubjectID = auditSubjectID(); @@ -437,8 +436,7 @@ public class DoRevoke extends CMSServlet { String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; String auditReasonNum = String.valueOf(reason); - CMS.debug("DoRevoke: eeSerialNumber: " + eeSerialNumber - + " auditSerialNumber: " + auditSerialNumber); + CMS.debug("DoRevoke: eeSerialNumber: " + eeSerialNumber + " auditSerialNumber: " + auditSerialNumber); long startTime = CMS.getCurrentDate().getTime(); try { @@ -481,54 +479,47 @@ public class DoRevoke extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); // we do not want to revoke the CA certificate accidentially - if (xcert != null - && isSystemCertificate(xcert.getSerialNumber())) { - CMS.debug("DoRevoke: skipped revocation request for system certificate " - + xcert.getSerialNumber()); + if (xcert != null && isSystemCertificate(xcert.getSerialNumber())) { + CMS.debug("DoRevoke: skipped revocation request for system certificate " + xcert.getSerialNumber()); continue; } - + if (xcert != null) { - rarg.addStringValue("serialNumber", xcert - .getSerialNumber().toString(16)); - - if (eeSerialNumber != null - && (eeSerialNumber.equals(xcert - .getSerialNumber().toString())) - && rec.getStatus().equals( - ICertRecord.STATUS_REVOKED)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CA_CERTIFICATE_ALREADY_REVOKED_1", xcert - .getSerialNumber().toString(16))); + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + + if (eeSerialNumber != null && + (eeSerialNumber.equals(xcert.getSerialNumber().toString())) && + rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERTIFICATE_ALREADY_REVOKED_1", xcert.getSerialNumber().toString(16))); // store a message in the signed audit log file - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, auditRequestType); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_UNAUTHORIZED")); - } else if (rec.getStatus().equals( - ICertRecord.STATUS_REVOKED)) { - rarg.addStringValue("error", "Certificate 0x" - + xcert.getSerialNumber().toString(16) - + " is already revoked."); - } else if (eeSubjectDN != null - && (!eeSubjectDN.equals(xcert.getSubjectDN() - .toString()))) { - rarg.addStringValue("error", "Certificate 0x" - + xcert.getSerialNumber().toString(16) - + " belongs to different subject."); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_UNAUTHORIZED")); + } else if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + rarg.addStringValue("error", "Certificate 0x" + + xcert.getSerialNumber().toString(16) + + " is already revoked."); + } else if (eeSubjectDN != null && + (!eeSubjectDN.equals(xcert.getSubjectDN().toString()))) { + rarg.addStringValue("error", "Certificate 0x" + + xcert.getSerialNumber().toString(16) + + " belongs to different subject."); } else { oldCertsV.addElement(xcert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - xcert.getSerialNumber(), + RevokedCertImpl revCertImpl = + new RevokedCertImpl(xcert.getSerialNumber(), CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); @@ -544,67 +535,57 @@ public class DoRevoke extends CMSServlet { Vector serialNumbers = new Vector(); if (revokeAll != null && revokeAll.length() > 0) { - for (int i = revokeAll.indexOf('='); i < revokeAll.length() - && i > -1; i = revokeAll.indexOf('=', i)) { + for (int i = revokeAll.indexOf('='); + i < revokeAll.length() && i > -1; + i = revokeAll.indexOf('=', i)) { if (i > -1) { i++; - while (i < revokeAll.length() - && revokeAll.charAt(i) == ' ') { + while (i < revokeAll.length() && revokeAll.charAt(i) == ' ') { i++; } // xxxx decimal serial number? String legalDigits = "0123456789"; int j = i; - while (j < revokeAll.length() - && legalDigits.indexOf(revokeAll.charAt(j)) != -1) { + while (j < revokeAll.length() && legalDigits.indexOf(revokeAll.charAt(j)) != -1) { j++; } if (j > i) { - serialNumbers.addElement(revokeAll.substring(i, - j)); + serialNumbers.addElement(revokeAll.substring(i, j)); } } } } - if (reqIdStr != null && reqIdStr.length() > 0 - && serialNumbers.size() > 0) { - IRequest certReq = mRequestQueue.findRequest(new RequestId( - reqIdStr)); - X509CertImpl[] certs = certReq - .getExtDataInCertArray(IRequest.OLD_CERTS); + if (reqIdStr != null && reqIdStr.length() > 0 && serialNumbers.size() > 0) { + IRequest certReq = mRequestQueue.findRequest(new RequestId(reqIdStr)); + X509CertImpl[] certs = certReq.getExtDataInCertArray(IRequest.OLD_CERTS); boolean authorized = false; for (int i = 0; i < certs.length; i++) { boolean addToList = false; - for (int j = 0; j < serialNumbers.size(); j++) { - // xxxxx serial number in decimal? - if (certs[i] - .getSerialNumber() - .toString() - .equals((String) serialNumbers.elementAt(j)) - && eeSubjectDN != null - && eeSubjectDN.equals(certs[i] - .getSubjectDN().toString())) { + for (int j = 0; j < serialNumbers.size(); + j++) { + //xxxxx serial number in decimal? + if (certs[i].getSerialNumber().toString().equals((String) serialNumbers.elementAt(j)) && + eeSubjectDN != null && eeSubjectDN.equals(certs[i].getSubjectDN().toString())) { addToList = true; break; } } - if (eeSerialNumber != null - && eeSerialNumber.equals(certs[i] - .getSerialNumber().toString())) { + if (eeSerialNumber != null && + eeSerialNumber.equals(certs[i].getSerialNumber().toString())) { authorized = true; } if (addToList) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", certs[i] - .getSerialNumber().toString(16)); + rarg.addStringValue("serialNumber", + certs[i].getSerialNumber().toString(16)); oldCertsV.addElement(certs[i]); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - certs[i].getSerialNumber(), + RevokedCertImpl revCertImpl = + new RevokedCertImpl(certs[i].getSerialNumber(), CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); @@ -615,38 +596,38 @@ public class DoRevoke extends CMSServlet { } if (!authorized) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REQ_AUTH_REVOKED_CERT")); + CMS.getLogMessage("CMSGW_REQ_AUTH_REVOKED_CERT")); // store a message in the signed audit log file - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_UNAUTHORIZED")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_UNAUTHORIZED")); } } else { String b64eCert = req.getParameter("b64eCertificate"); if (b64eCert != null) { - // BASE64Decoder decoder = new BASE64Decoder(); - // byte[] certBytes = decoder.decodeBuffer(b64eCert); + // BASE64Decoder decoder = new BASE64Decoder(); + // byte[] certBytes = decoder.decodeBuffer(b64eCert); byte[] certBytes = CMS.AtoB(b64eCert); X509CertImpl cert = new X509CertImpl(certBytes); IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", cert - .getSerialNumber().toString(16)); + rarg.addStringValue("serialNumber", + cert.getSerialNumber().toString(16)); oldCertsV.addElement(cert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - cert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(cert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); count++; @@ -655,26 +636,27 @@ public class DoRevoke extends CMSServlet { } } } - if (count == 0) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); + if (count == 0) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_REVOCATION_ERROR_CERT_NOT_FOUND")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_REVOCATION_ERROR_CERT_NOT_FOUND")); } header.addIntegerValue("totalRecordCount", count); X509CertImpl[] oldCerts = new X509CertImpl[count]; - // Certificate[] oldCerts = new Certificate[count]; + //Certificate[] oldCerts = new Certificate[count]; RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; for (int i = 0; i < count; i++) { @@ -682,29 +664,32 @@ public class DoRevoke extends CMSServlet { revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); } - IRequest revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST); + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); revReq.setExtData(IRequest.CERT_INFO, revCertImpls); revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); - if (initiative.equals(AuditFormat.FROMUSER)) - revReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_EE); + if(initiative.equals(AuditFormat.FROMUSER)) + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_EE); else - revReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_AGENT); + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); revReq.setExtData(IRequest.OLD_CERTS, oldCerts); if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); } - revReq.setExtData(IRequest.REVOKED_REASON, Integer.valueOf(reason)); + revReq.setExtData(IRequest.REVOKED_REASON, + Integer.valueOf(reason)); // change audit processing from "REQUEST" to "REQUEST_PROCESSED" // to distinguish which type of signed audit log message to save @@ -722,44 +707,38 @@ public class DoRevoke extends CMSServlet { // The SVC_PENDING check has been added for the Cloned CA request // that is meant for the Master CA. From Clone's point of view // the request is complete - if ((stat == RequestStatus.COMPLETE) - || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { - // audit log the error + if ((stat == RequestStatus.COMPLETE) || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { + // audit log the error Integer result = revReq.getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { - String[] svcErrors = revReq - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // cmsReq.setErrorDescription(err); + //cmsReq.setErrorDescription(err); for (int j = 0; j < count; j++) { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed with error: " - + err, - cert.getSubjectDN(), - cert.getSerialNumber() - .toString( - 16), - RevocationReason - .fromInt( - reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -770,24 +749,26 @@ public class DoRevoke extends CMSServlet { // store a message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus - .equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } - return; + return; } long endTime = CMS.getCurrentDate().getTime(); @@ -798,29 +779,25 @@ public class DoRevoke extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed", - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason) - .toString() - + " time: " - + (endTime - startTime) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() + " time: " + (endTime - startTime)} + ); } } } header.addStringValue("revoked", "yes"); - Integer updateCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { header.addStringValue("updateCRL", "yes"); @@ -828,99 +805,92 @@ public class DoRevoke extends CMSServlet { header.addStringValue("updateCRLSuccess", "yes"); } else { header.addStringValue("updateCRLSuccess", "no"); - String crlError = revReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR); + String crlError = + revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); - if (crlError != null) - header.addStringValue("updateCRLError", crlError); + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); } // let known crl publishing status too. - Integer publishCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue("publishCRLSuccess", "yes"); } else { header.addStringValue("publishCRLSuccess", "no"); - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); - if (publError != null) - header.addStringValue("publishCRLError", - publError); + if (publError != null) + header.addStringValue("publishCRLError", + publError); } } } if (mAuthority instanceof ICertificateAuthority) { - // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = revReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (updateResult.equals(IRequest.RES_SUCCESS)) { - CMS.debug("DoRevoke: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER", - updateStatusStr)); + CMS.debug("DoRevoke: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER", updateStatusStr)); header.addStringValue(updateStatusStr, "yes"); } else { - String updateErrorStr = crl - .getCrlUpdateErrorStr(); + String updateErrorStr = crl.getCrlUpdateErrorStr(); - CMS.debug("DoRevoke: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER_NO", - updateStatusStr)); + CMS.debug("DoRevoke: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); header.addStringValue(updateStatusStr, "no"); - String error = revReq - .getExtDataInString(updateErrorStr); + String error = + revReq.getExtDataInString(updateErrorStr); - if (error != null) - header.addStringValue(updateErrorStr, error); + if (error != null) + header.addStringValue(updateErrorStr, + error); } - String publishStatusStr = crl - .getCrlPublishStatusStr(); - Integer publishResult = revReq - .getExtDataInInteger(publishStatusStr); + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); - if (publishResult == null) + if (publishResult == null) continue; if (publishResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue(publishStatusStr, "yes"); } else { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); header.addStringValue(publishStatusStr, "no"); - String error = revReq - .getExtDataInString(publishErrorStr); + String error = + revReq.getExtDataInString(publishErrorStr); - if (error != null) - header.addStringValue(publishErrorStr, - error); + if (error != null) + header.addStringValue( + publishErrorStr, error); } } } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { header.addStringValue("dirEnabled", "yes"); - Integer[] ldapPublishStatus = revReq - .getExtDataInIntegerArray("ldapPublishStatus"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); int certsToUpdate = 0; int certsUpdated = 0; @@ -935,12 +905,13 @@ public class DoRevoke extends CMSServlet { header.addIntegerValue("certsUpdated", certsUpdated); header.addIntegerValue("certsToUpdate", certsToUpdate); - // add crl publishing status. - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + // add crl publishing status. + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) { - header.addStringValue("crlPublishError", publError); + header.addStringValue("crlPublishError", + publError); } } else { header.addStringValue("dirEnabled", "no"); @@ -948,14 +919,12 @@ public class DoRevoke extends CMSServlet { header.addStringValue("error", null); } else { - if (stat == RequestStatus.PENDING - || stat == RequestStatus.REJECTED) { + if (stat == RequestStatus.PENDING || stat == RequestStatus.REJECTED) { header.addStringValue("revoked", stat.toString()); } else { header.addStringValue("revoked", "no"); } - Vector errors = revReq - .getExtDataInStringVector(IRequest.ERRORS); + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); if (errors != null) { StringBuffer errInfo = new StringBuffer(); for (int i = 0; i < errors.size(); i++) { @@ -976,19 +945,17 @@ public class DoRevoke extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - stat.toString(), - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -998,17 +965,18 @@ public class DoRevoke extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING)) + ) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -1018,9 +986,12 @@ public class DoRevoke extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -1028,18 +999,21 @@ public class DoRevoke extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -1053,9 +1027,12 @@ public class DoRevoke extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -1063,18 +1040,21 @@ public class DoRevoke extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -1082,17 +1062,19 @@ public class DoRevoke extends CMSServlet { throw e; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", e.toString())); if (auditRequest) { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -1100,25 +1082,27 @@ public class DoRevoke extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } } - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); } return; @@ -1126,11 +1110,11 @@ public class DoRevoke extends CMSServlet { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for a signed audit log - * message. + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. * <P> - * + * * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ @@ -1156,11 +1140,11 @@ public class DoRevoke extends CMSServlet { /** * Signed Audit Log Serial Number - * + * * This method is called to obtain the serial number of the certificate * whose status is to be changed for a signed audit log message. * <P> - * + * * @param eeSerialNumber a string containing the un-normalized serialNumber * @return id string containing the signed audit log message RequesterID */ @@ -1179,28 +1163,30 @@ public class DoRevoke extends CMSServlet { // find out if the value is hex or decimal int value = -1; - - // try int - try { - value = Integer.parseInt(serialNumber, 10); + + //try int + try { + value = Integer.parseInt(serialNumber,10); } catch (NumberFormatException e) { } - - // try hex - if (value == -1) { + + //try hex + if( value == -1) { try { - value = Integer.parseInt(serialNumber, 16); + value = Integer.parseInt(serialNumber,16); } catch (NumberFormatException e) { } } // give up if it isn't hex or dec - if (value == -1) { + if ( value == -1) { throw new NumberFormatException(); } // convert it to hexadecimal - serialNumber = "0x" + Integer.toHexString(value); + serialNumber = "0x" + + Integer.toHexString( + value); } else { serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } @@ -1210,11 +1196,11 @@ public class DoRevoke extends CMSServlet { /** * Signed Audit Log Request Type - * - * This method is called to obtain the "Request Type" for a signed audit log - * message. + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. * <P> - * + * * @param reason an integer denoting the revocation reason * @return string containing REVOKE or ON_HOLD */ @@ -1236,3 +1222,4 @@ public class DoRevoke extends CMSServlet { return requestType; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java index d29f795b8..ce074a051 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.io.OutputStream; import java.util.Date; @@ -62,9 +63,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Revoke a Certificate - * + * * @version $Revision$, $Date$ */ public class DoRevokeTPS extends CMSServlet { @@ -87,17 +89,20 @@ public class DoRevokeTPS extends CMSServlet { private final static String REVOKE = "revoke"; private final static String ON_HOLD = "on-hold"; private final static int ON_HOLD_REASON = 6; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; public DoRevokeTPS() { super(); } /** - * initialize the servlet. This servlet uses the template file - * "revocationResult.template" to render the result - * + * initialize the servlet. This servlet uses the template + * file "revocationResult.template" to render the result * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -105,12 +110,10 @@ public class DoRevokeTPS extends CMSServlet { mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); @@ -128,20 +131,16 @@ public class DoRevokeTPS extends CMSServlet { } /** - * Serves HTTP request. The http parameters used by this request are as - * follows: - * + * Serves HTTP request. The http parameters used by this request are as follows: * <pre> * serialNumber Serial number of certificate to revoke (in HEX) * revocationReason Revocation reason (Described below) * totalRecordCount [number] * verifiedRecordCount [number] * invalidityDate [number of seconds in Jan 1,1970] - * + * * </pre> - * * revocationReason can be one of these values: - * * <pre> * 0 = Unspecified (default) * 1 = Key compromised @@ -172,15 +171,11 @@ public class DoRevokeTPS extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } catch (Exception e) { - CMS.debug("DoRevokeTPS getTemplate failed"); - throw new EBaseException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + CMS.debug("DoRevokeTPS getTemplate failed"); + throw new EBaseException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } CMS.debug("DoRevokeTPS after getTemplate"); @@ -190,14 +185,16 @@ public class DoRevokeTPS extends CMSServlet { try { if (req.getParameter("revocationReason") != null) { - reason = Integer.parseInt(req.getParameter("revocationReason")); + reason = Integer.parseInt(req.getParameter( + "revocationReason")); } if (req.getParameter("totalRecordCount") != null) { - totalRecordCount = Integer.parseInt(req - .getParameter("totalRecordCount")); + totalRecordCount = Integer.parseInt(req.getParameter( + "totalRecordCount")); } if (req.getParameter("invalidityDate") != null) { - long l = Long.parseLong(req.getParameter("invalidityDate")); + long l = Long.parseLong(req.getParameter( + "invalidityDate")); if (l > 0) { invalidityDate = new Date(l); @@ -206,7 +203,7 @@ public class DoRevokeTPS extends CMSServlet { revokeAll = req.getParameter("revokeAll"); String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); - // for audit log. + //for audit log. String initiative = null; String authMgr = AuditFormat.NOAUTH; @@ -215,31 +212,27 @@ public class DoRevokeTPS extends CMSServlet { try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "revoke"); + mAuthzResourceName, "revoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); String agentID = authToken.getInString("userid"); - initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + + " authenticated by " + authMgr; } } else { CMS.debug("DoRevokeTPS: Missing authentication manager"); @@ -248,15 +241,13 @@ public class DoRevokeTPS extends CMSServlet { } if (authorized) { - process(argSet, header, reason, invalidityDate, initiative, - req, resp, revokeAll, totalRecordCount, comments, - locale[0]); + process(argSet, header, reason, invalidityDate, initiative, req, + resp, revokeAll, totalRecordCount, comments, locale[0]); } } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); - error = new EBaseException( - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } @@ -269,10 +260,10 @@ public class DoRevokeTPS extends CMSServlet { errorString = "error=unauthorized"; } else if (error != null) { o_status = "status=3"; - errorString = "error=" + error.toString(); + errorString = "error="+error.toString(); } - String pp = o_status + "\n" + errorString; + String pp = o_status+"\n"+errorString; byte[] b = pp.getBytes(); resp.setContentType("text/html"); resp.setContentLength(b.length); @@ -280,57 +271,59 @@ public class DoRevokeTPS extends CMSServlet { os.write(b); os.flush(); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } /** * Process cert status change request * <P> - * - * (Certificate Request - either an "agent" cert status change request, or - * an "EE" cert status change request) + * + * (Certificate Request - either an "agent" cert status change request, + * or an "EE" cert status change request) * <P> - * - * (Certificate Request Processed - either an "agent" cert status change - * request, or an "EE" cert status change request) + * + * (Certificate Request Processed - either an "agent" cert status change + * request, or an "EE" cert status change request) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used - * when a cert status change request (e. g. - "revocation") is made (before + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when + * a cert status change request (e. g. - "revocation") is made (before * approval process) - * <li>signed.audit - * LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a - * certificate status is changed (revoked, expired, on-hold, off-hold) + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED + * used when a certificate status is changed (revoked, expired, on-hold, + * off-hold) * </ul> - * * @param argSet CMS template parameters * @param header argument block - * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, 2 - * - CA key compromised; should not be used, 3 - Affiliation - * changed, 4 - Certificate superceded, 5 - Cessation of - * operation, or 6 - Certificate is on hold) + * @param reason revocation reason (0 - Unspecified, 1 - Key compromised, + * 2 - CA key compromised; should not be used, 3 - Affiliation changed, + * 4 - Certificate superceded, 5 - Cessation of operation, or + * 6 - Certificate is on hold) * @param invalidityDate certificate validity date * @param initiative string containing the audit format * @param req HTTP servlet request * @param resp HTTP servlet response - * @param revokeAll string containing information on all of the certificates - * to be revoked + * @param revokeAll string containing information on all of the + * certificates to be revoked * @param totalRecordCount total number of records (verified and unverified) * @param comments string containing certificate comments * @param locale the system locale * @exception EBaseException an error has occurred */ private void process(CMSTemplateParams argSet, IArgBlock header, - int reason, Date invalidityDate, String initiative, - HttpServletRequest req, HttpServletResponse resp, String revokeAll, - int totalRecordCount, String comments, Locale locale) - throws EBaseException { + int reason, Date invalidityDate, + String initiative, + HttpServletRequest req, + HttpServletResponse resp, + String revokeAll, + int totalRecordCount, + String comments, + Locale locale) + throws EBaseException { boolean auditRequest = true; String auditMessage = null; String auditSubjectID = auditSubjectID(); @@ -340,20 +333,21 @@ public class DoRevokeTPS extends CMSServlet { String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; String auditReasonNum = String.valueOf(reason); + if (revokeAll != null) { - CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); + CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); - String serial = ""; + String serial = ""; String[] tokens; tokens = revokeAll.split("="); if (tokens.length == 2) { serial = tokens[1]; - // remove the trailing paren + //remove the trailing paren if (serial.endsWith(")")) { - serial = serial.substring(0, serial.length() - 1); + serial = serial.substring(0,serial.length() -1); } - auditSerialNumber = serial; + auditSerialNumber = serial; } } @@ -399,36 +393,30 @@ public class DoRevokeTPS extends CMSServlet { } X509CertImpl xcert = rec.getCertificate(); IArgBlock rarg = CMS.createArgBlock(); - + // we do not want to revoke the CA certificate accidentially - if (xcert != null - && isSystemCertificate(xcert.getSerialNumber())) { - CMS.debug("DoRevokeTPS: skipped revocation request for system certificate " - + xcert.getSerialNumber()); + if (xcert != null && isSystemCertificate(xcert.getSerialNumber())) { + CMS.debug("DoRevokeTPS: skipped revocation request for system certificate " + xcert.getSerialNumber()); badCertsRequested = true; continue; } if (xcert != null) { - rarg.addStringValue("serialNumber", xcert.getSerialNumber() - .toString(16)); + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { alreadyRevokedCertFound = true; - CMS.debug("Certificate 0x" - + xcert.getSerialNumber().toString(16) - + " has been revoked."); + CMS.debug("Certificate 0x"+xcert.getSerialNumber().toString(16) + " has been revoked."); } else { oldCertsV.addElement(xcert); - RevokedCertImpl revCertImpl = new RevokedCertImpl( - xcert.getSerialNumber(), CMS.getCurrentDate(), - entryExtn); + RevokedCertImpl revCertImpl = + new RevokedCertImpl(xcert.getSerialNumber(), + CMS.getCurrentDate(), entryExtn); revCertImplsV.addElement(revCertImpl); - CMS.debug("Certificate 0x" - + xcert.getSerialNumber().toString(16) - + " is going to be revoked."); + CMS.debug("Certificate 0x"+xcert.getSerialNumber().toString(16)+" is going to be revoked."); count++; } } else { @@ -436,37 +424,40 @@ public class DoRevokeTPS extends CMSServlet { } } - if (count == 0) { + if (count == 0) { // Situation where no certs were reoked here, but some certs // requested happened to be already revoked. Don't return error. - if (alreadyRevokedCertFound == true - && badCertsRequested == false) { - CMS.debug("Only have previously revoked certs in the list."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); - - audit(auditMessage); - return; + if (alreadyRevokedCertFound == true && badCertsRequested == false) { + CMS.debug("Only have previously revoked certs in the list."); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); + + audit(auditMessage); + return; } - + errorString = "error=No certificates are revoked."; o_status = "status=2"; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REV_CERTS_ZERO")); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); } X509CertImpl[] oldCerts = new X509CertImpl[count]; @@ -477,30 +468,33 @@ public class DoRevokeTPS extends CMSServlet { revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); } - IRequest revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST); + IRequest revReq = + mQueue.newRequest(IRequest.REVOCATION_REQUEST); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); revReq.setExtData(IRequest.CERT_INFO, revCertImpls); revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); - if (initiative.equals(AuditFormat.FROMUSER)) { - revReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_EE); + if(initiative.equals(AuditFormat.FROMUSER)) { + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_EE); } else { - revReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_AGENT); + revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); } revReq.setExtData(IRequest.OLD_CERTS, oldCerts); if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); } - revReq.setExtData(IRequest.REVOKED_REASON, Integer.valueOf(reason)); + revReq.setExtData(IRequest.REVOKED_REASON, + Integer.valueOf(reason)); // change audit processing from "REQUEST" to "REQUEST_PROCESSED" // to distinguish which type of signed audit log message to save @@ -518,44 +512,38 @@ public class DoRevokeTPS extends CMSServlet { // The SVC_PENDING check has been added for the Cloned CA request // that is meant for the Master CA. From Clone's point of view // the request is complete - if ((stat == RequestStatus.COMPLETE) - || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { - // audit log the error + if ((stat == RequestStatus.COMPLETE) || ((type.equals(IRequest.CLA_CERT4CRL_REQUEST)) && (stat == RequestStatus.SVC_PENDING))) { + // audit log the error Integer result = revReq.getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { - String[] svcErrors = revReq - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + revReq.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // cmsReq.setErrorDescription(err); + //cmsReq.setErrorDescription(err); for (int j = 0; j < count; j++) { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; if (oldCerts[j] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed with error: " - + err, - cert.getSubjectDN(), - cert.getSerialNumber() - .toString( - 16), - RevocationReason - .fromInt( - reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed with error: " + + err, + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -566,24 +554,26 @@ public class DoRevokeTPS extends CMSServlet { // store a message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus - .equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } - return; + return; } long endTime = CMS.getCurrentDate().getTime(); @@ -594,103 +584,93 @@ public class DoRevokeTPS extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - "completed", - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason) - .toString() - + " time: " - + (endTime - startTime) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + "completed", + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString() + " time: " + (endTime - startTime)} + ); } } } header.addStringValue("revoked", "yes"); - Integer updateCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { if (!updateCRLResult.equals(IRequest.RES_SUCCESS)) { o_status = "status=3"; - if (revReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR) != null) { + if (revReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR) != null) { errorString = "error=Update CRL Error."; // 3 means miscellaneous } } // let known crl publishing status too. - Integer publishCRLResult = revReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + revReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (!publishCRLResult.equals(IRequest.RES_SUCCESS)) { - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); o_status = "status=3"; if (publError != null) { - errorString = "error=" + publError; + errorString = "error="+publError; } } } } if (mAuthority instanceof ICertificateAuthority) { - // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = revReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = revReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (!updateResult.equals(IRequest.RES_SUCCESS)) { - String updateErrorStr = crl - .getCrlUpdateErrorStr(); + String updateErrorStr = crl.getCrlUpdateErrorStr(); - CMS.debug("DoRevoke: " - + CMS.getLogMessage( - "ADMIN_SRVLT_ADDING_HEADER_NO", - updateStatusStr)); - String error = revReq - .getExtDataInString(updateErrorStr); + CMS.debug("DoRevoke: " + CMS.getLogMessage("ADMIN_SRVLT_ADDING_HEADER_NO", + updateStatusStr)); + String error = + revReq.getExtDataInString(updateErrorStr); o_status = "status=3"; - if (error != null) { - errorString = "error=" + error; + if (error != null) { + errorString = "error="+error; } } - String publishStatusStr = crl - .getCrlPublishStatusStr(); - Integer publishResult = revReq - .getExtDataInInteger(publishStatusStr); + String publishStatusStr = crl.getCrlPublishStatusStr(); + Integer publishResult = + revReq.getExtDataInInteger(publishStatusStr); - if (publishResult == null) + if (publishResult == null) continue; if (!publishResult.equals(IRequest.RES_SUCCESS)) { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); - String error = revReq - .getExtDataInString(publishErrorStr); + String error = + revReq.getExtDataInString(publishErrorStr); o_status = "status=3"; if (error != null) { @@ -701,11 +681,10 @@ public class DoRevokeTPS extends CMSServlet { } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { header.addStringValue("dirEnabled", "yes"); - Integer[] ldapPublishStatus = revReq - .getExtDataInIntegerArray("ldapPublishStatus"); + Integer[] ldapPublishStatus = + revReq.getExtDataInIntegerArray("ldapPublishStatus"); int certsToUpdate = 0; int certsUpdated = 0; @@ -718,30 +697,27 @@ public class DoRevokeTPS extends CMSServlet { } } - // add crl publishing status. - String publError = revReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + // add crl publishing status. + String publError = + revReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) { - errorString = "error=" + publError; + errorString = "error="+publError; o_status = "status=3"; } - } else if (mPublisherProcessor == null - && mPublisherProcessor.ldapEnabled()) { + } else if (mPublisherProcessor == null && mPublisherProcessor.ldapEnabled()) { errorString = "error=LDAP publishing not enabled."; o_status = "status=3"; } } else { - if (stat == RequestStatus.PENDING - || stat == RequestStatus.REJECTED) { + if (stat == RequestStatus.PENDING || stat == RequestStatus.REJECTED) { o_status = "status=2"; - errorString = "error=" + stat.toString(); + errorString = "error="+stat.toString(); } else { o_status = "status=2"; errorString = "error=Undefined request status"; } - Vector errors = revReq - .getExtDataInStringVector(IRequest.ERRORS); + Vector errors = revReq.getExtDataInStringVector(IRequest.ERRORS); if (errors != null) { StringBuffer errInfo = new StringBuffer(); @@ -766,19 +742,17 @@ public class DoRevokeTPS extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - revReq.getRequestId(), - initiative, - stat.toString(), - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason) - .toString() }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + revReq.getRequestId(), + initiative, + stat.toString(), + cert.getSubjectDN(), + cert.getSerialNumber().toString(16), + RevocationReason.fromInt(reason).toString()} + ); } } } @@ -788,17 +762,18 @@ public class DoRevokeTPS extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING)) + ) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -809,9 +784,12 @@ public class DoRevokeTPS extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -819,18 +797,21 @@ public class DoRevokeTPS extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -838,17 +819,19 @@ public class DoRevokeTPS extends CMSServlet { throw e; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED_1", e.toString())); if (auditRequest) { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -856,25 +839,27 @@ public class DoRevokeTPS extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } } - throw new ECMSGWException( - CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); + throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_MARKING_CERT_REVOKED")); } return; @@ -882,11 +867,11 @@ public class DoRevokeTPS extends CMSServlet { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for a signed audit log - * message. + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. * <P> - * + * * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ @@ -912,11 +897,11 @@ public class DoRevokeTPS extends CMSServlet { /** * Signed Audit Log Serial Number - * + * * This method is called to obtain the serial number of the certificate * whose status is to be changed for a signed audit log message. * <P> - * + * * @param eeSerialNumber a string containing the un-normalized serialNumber * @return id string containing the signed audit log message RequesterID */ @@ -934,8 +919,8 @@ public class DoRevokeTPS extends CMSServlet { // convert it to hexadecimal serialNumber = "0x" - + Integer.toHexString(Integer.valueOf(serialNumber) - .intValue()); + + Integer.toHexString( + Integer.valueOf(serialNumber).intValue()); } else { serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } @@ -945,11 +930,11 @@ public class DoRevokeTPS extends CMSServlet { /** * Signed Audit Log Request Type - * - * This method is called to obtain the "Request Type" for a signed audit log - * message. + * + * This method is called to obtain the "Request Type" for + * a signed audit log message. * <P> - * + * * @param reason an integer denoting the revocation reason * @return string containing REVOKE or ON_HOLD */ @@ -971,3 +956,4 @@ public class DoRevokeTPS extends CMSServlet { return requestType; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java index 688134788..e17910451 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.util.Enumeration; @@ -55,10 +56,11 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** - * 'Unrevoke' a certificate. (For certificates that are on-hold only, take them - * off-hold) - * + * 'Unrevoke' a certificate. (For certificates that are on-hold only, + * take them off-hold) + * * @version $Revision$, $Date$ */ public class DoUnrevoke extends CMSServlet { @@ -78,28 +80,29 @@ public class DoUnrevoke extends CMSServlet { private final static String OFF_HOLD = "off-hold"; private final static int OFF_HOLD_REASON = 6; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + public DoUnrevoke() { super(); } /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); @@ -109,14 +112,14 @@ public class DoUnrevoke extends CMSServlet { } /** - * Process the HTTP request. + * Process the HTTP request. * <ul> - * <li>http.param serialNumber Decimal serial number of certificate to - * unrevoke. The certificate must be revoked with a revovcation reason 'on - * hold' for this operation to succeed. The serial number may be expressed - * as a hex number by prefixing '0x' to the serialNumber string + * <li>http.param serialNumber Decimal serial number of certificate to unrevoke. The + * certificate must be revoked with a revovcation reason 'on hold' for this + * operation to succeed. The serial number may be expressed as a hex number by + * prefixing '0x' to the serialNumber string * </ul> - * + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -133,10 +136,10 @@ public class DoUnrevoke extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } IArgBlock header = CMS.createArgBlock(); @@ -146,34 +149,32 @@ public class DoUnrevoke extends CMSServlet { try { serialNumber = getSerialNumbers(req); - // for audit log. + //for audit log. IAuthToken authToken = authenticate(cmsReq); String authMgr = AuditFormat.NOAUTH; - + if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - } else { - CMS.debug("DoUnrevoke::process() - authToken is null!"); + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + } else { + CMS.debug( "DoUnrevoke::process() - authToken is null!" ); return; } String agentID = authToken.getInString("userid"); String initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + + " authenticated by " + authMgr; AuthzToken authzToken = null; try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "unrevoke"); + mAuthzResourceName, "unrevoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -181,14 +182,11 @@ public class DoUnrevoke extends CMSServlet { return; } - process(argSet, header, serialNumber, req, resp, locale[0], - initiative); + process(argSet, header, serialNumber, req, resp, locale[0], initiative); } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); - error = new EBaseException(CMS.getUserMessage(getLocale(req), - "CMS_BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req),"CMS_BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } @@ -199,46 +197,44 @@ public class DoUnrevoke extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } + /** * Process X509 cert status change request * <P> - * - * (Certificate Request - an "agent" cert status change request to take a - * certificate off-hold) + * + * (Certificate Request - an "agent" cert status change request to take + * a certificate off-hold) * <P> - * - * (Certificate Request Processed - an "agent" cert status change request to - * take a certificate off-hold) + * + * (Certificate Request Processed - an "agent" cert status change request + * to take a certificate off-hold) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used - * when a cert status change request (e. g. - "revocation") is made (before + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when + * a cert status change request (e. g. - "revocation") is made (before * approval process) - * <li>signed.audit - * LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a - * certificate status is changed (taken off-hold) + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED + * used when a certificate status is changed (taken off-hold) * </ul> - * * @param argSet CMS template parameters * @param header argument block * @param serialNumbers the serial number of the certificate @@ -249,15 +245,16 @@ public class DoUnrevoke extends CMSServlet { * @exception EBaseException an error has occurred */ private void process(CMSTemplateParams argSet, IArgBlock header, - BigInteger[] serialNumbers, HttpServletRequest req, - HttpServletResponse resp, Locale locale, String initiative) - throws EBaseException { + BigInteger[] serialNumbers, + HttpServletRequest req, + HttpServletResponse resp, + Locale locale, String initiative) + throws EBaseException { boolean auditRequest = true; String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(req); - String auditSerialNumber = auditSerialNumber(serialNumbers[0] - .toString()); + String auditSerialNumber = auditSerialNumber(serialNumbers[0].toString()); String auditRequestType = OFF_HOLD; String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; String auditReasonNum = String.valueOf(OFF_HOLD_REASON); @@ -265,34 +262,32 @@ public class DoUnrevoke extends CMSServlet { try { StringBuffer snList = new StringBuffer(); - // certs are for old cloning and they should be removed as soon as - // possible + // certs are for old cloning and they should be removed as soon as possible X509CertImpl[] certs = new X509CertImpl[serialNumbers.length]; for (int i = 0; i < serialNumbers.length; i++) { - certs[i] = (X509CertImpl) getX509Certificate(serialNumbers[i]); - if (snList.length() > 0) - snList.append(", "); + certs[i] = (X509CertImpl)getX509Certificate(serialNumbers[i]); + if (snList.length() > 0) snList.append(", "); snList.append("0x"); snList.append(serialNumbers[i].toString(16)); } header.addStringValue("serialNumber", snList.toString()); - IRequest unrevReq = mQueue - .newRequest(IRequest.UNREVOCATION_REQUEST); + IRequest unrevReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - unrevReq.setExtData(IRequest.REQ_TYPE, - IRequest.UNREVOCATION_REQUEST); + unrevReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST); unrevReq.setExtData(IRequest.OLD_SERIALS, serialNumbers); - unrevReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_AGENT); + unrevReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); // change audit processing from "REQUEST" to "REQUEST_PROCESSED" // to distinguish which type of signed audit log message to save @@ -307,8 +302,7 @@ public class DoUnrevoke extends CMSServlet { RequestStatus status = unrevReq.getRequestStatus(); String type = unrevReq.getRequestType(); - if ((status == RequestStatus.COMPLETE) - || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { + if ((status == RequestStatus.COMPLETE) || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { Integer result = unrevReq.getExtDataInInteger(IRequest.RESULT); @@ -316,11 +310,15 @@ public class DoUnrevoke extends CMSServlet { header.addStringValue("unrevoked", "yes"); if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOUNREVOKEFORMAT, new Object[] { - unrevReq.getRequestId(), initiative, - "completed", certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } else { header.addStringValue("unrevoked", "no"); @@ -329,61 +327,60 @@ public class DoUnrevoke extends CMSServlet { if (error != null) { header.addStringValue("error", error); if (certs[0] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOUNREVOKEFORMAT, - new Object[] { - unrevReq.getRequestId(), - initiative, - "completed with error: " + error, - certs[0].getSubjectDN(), - "0x" - + serialNumbers[0] - .toString(16) }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed with error: " + + error, + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } /****************************************************/ - - /* IMPORTANT: In the event that the following */ - - /* "throw error;" statement is */ - - /* uncommented, uncomment the following */ - - /* signed audit log message, also!!! */ - + + /* IMPORTANT: In the event that the following */ + + /* "throw error;" statement is */ + + /* uncommented, uncomment the following */ + + /* signed audit log message, also!!! */ + /****************************************************/ - // // store a message in the signed audit log file - // // if and only if "auditApprovalStatus" is - // // "complete", "revoked", or "canceled" - // if( ( auditApprovalStatus.equals( - // RequestStatus.COMPLETE_STRING ) ) || - // ( auditApprovalStatus.equals( - // RequestStatus.REJECTED_STRING ) ) || - // ( auditApprovalStatus.equals( - // RequestStatus.CANCELED_STRING ) ) ) { - // auditMessage = CMS.getLogMessage( - // LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - // auditSubjectID, - // ILogger.FAILURE, - // auditRequesterID, - // auditSerialNumber, - // auditRequestType, - // auditReasonNum, - // auditApprovalStatus ); + // // store a message in the signed audit log file + // // if and only if "auditApprovalStatus" is + // // "complete", "revoked", or "canceled" + // if( ( auditApprovalStatus.equals( + // RequestStatus.COMPLETE_STRING ) ) || + // ( auditApprovalStatus.equals( + // RequestStatus.REJECTED_STRING ) ) || + // ( auditApprovalStatus.equals( + // RequestStatus.CANCELED_STRING ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + // auditSubjectID, + // ILogger.FAILURE, + // auditRequesterID, + // auditSerialNumber, + // auditRequestType, + // auditReasonNum, + // auditApprovalStatus ); // - // audit( auditMessage ); - // } + // audit( auditMessage ); + // } - // throw error; + // throw error; } } - Integer updateCRLResult = unrevReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { header.addStringValue("updateCRL", "yes"); @@ -391,90 +388,91 @@ public class DoUnrevoke extends CMSServlet { header.addStringValue("updateCRLSuccess", "yes"); } else { header.addStringValue("updateCRLSuccess", "no"); - String crlError = unrevReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR); + String crlError = + unrevReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); - if (crlError != null) - header.addStringValue("updateCRLError", crlError); + if (crlError != null) + header.addStringValue("updateCRLError", + crlError); } // let known crl publishing status too. - Integer publishCRLResult = unrevReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (publishCRLResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue("publishCRLSuccess", "yes"); } else { header.addStringValue("publishCRLSuccess", "no"); - String publError = unrevReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + unrevReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); - if (publError != null) - header.addStringValue("publishCRLError", - publError); + if (publError != null) + header.addStringValue("publishCRLError", + publError); } } } - // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = unrevReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = unrevReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (updateResult.equals(IRequest.RES_SUCCESS)) { - CMS.debug("DoUnrevoke: adding header " - + updateStatusStr + " yes "); + CMS.debug("DoUnrevoke: adding header " + + updateStatusStr + " yes "); header.addStringValue(updateStatusStr, "yes"); } else { String updateErrorStr = crl.getCrlUpdateErrorStr(); - CMS.debug("DoUnrevoke: adding header " - + updateStatusStr + " no "); + CMS.debug("DoUnrevoke: adding header " + + updateStatusStr + " no "); header.addStringValue(updateStatusStr, "no"); - String error = unrevReq - .getExtDataInString(updateErrorStr); + String error = + unrevReq.getExtDataInString(updateErrorStr); - if (error != null) - header.addStringValue(updateErrorStr, error); + if (error != null) + header.addStringValue( + updateErrorStr, error); } String publishStatusStr = crl.getCrlPublishStatusStr(); - Integer publishResult = unrevReq - .getExtDataInInteger(publishStatusStr); + Integer publishResult = + unrevReq.getExtDataInInteger(publishStatusStr); - if (publishResult == null) + if (publishResult == null) continue; if (publishResult.equals(IRequest.RES_SUCCESS)) { header.addStringValue(publishStatusStr, "yes"); } else { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); header.addStringValue(publishStatusStr, "no"); - String error = unrevReq - .getExtDataInString(publishErrorStr); + String error = + unrevReq.getExtDataInString(publishErrorStr); - if (error != null) - header.addStringValue(publishErrorStr, error); + if (error != null) + header.addStringValue( + publishErrorStr, error); } } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { header.addStringValue("dirEnabled", "yes"); - Integer[] ldapPublishStatus = unrevReq - .getExtDataInIntegerArray("ldapPublishStatus"); + Integer[] ldapPublishStatus = + unrevReq.getExtDataInIntegerArray("ldapPublishStatus"); if (ldapPublishStatus != null) { if (ldapPublishStatus[0] == IRequest.RES_SUCCESS) { @@ -492,20 +490,30 @@ public class DoUnrevoke extends CMSServlet { header.addStringValue("unrevoked", "pending"); if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, AuditFormat.DOUNREVOKEFORMAT, - new Object[] { unrevReq.getRequestId(), initiative, - "pending", certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "pending", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } else { header.addStringValue("error", "Request Status.Error"); header.addStringValue("unrevoked", "no"); if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, AuditFormat.DOUNREVOKEFORMAT, - new Object[] { unrevReq.getRequestId(), initiative, - status.toString(), certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + status.toString(), + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } @@ -513,17 +521,18 @@ public class DoUnrevoke extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING)) + ) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -533,9 +542,12 @@ public class DoUnrevoke extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -543,18 +555,21 @@ public class DoUnrevoke extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -565,7 +580,7 @@ public class DoUnrevoke extends CMSServlet { } private BigInteger[] getSerialNumbers(HttpServletRequest req) - throws NumberFormatException { + throws NumberFormatException { String serialNumString = req.getParameter("serialNumber"); StringTokenizer snList = new StringTokenizer(serialNumString, " "); @@ -586,7 +601,7 @@ public class DoUnrevoke extends CMSServlet { biList.addElement(bi); } else { throw new NumberFormatException(); - } + } } if (biList.size() < 1) { throw new NumberFormatException(); @@ -602,11 +617,11 @@ public class DoUnrevoke extends CMSServlet { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for a signed audit log - * message. + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. * <P> - * + * * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ @@ -632,11 +647,11 @@ public class DoUnrevoke extends CMSServlet { /** * Signed Audit Log Serial Number - * + * * This method is called to obtain the serial number of the certificate * whose status is to be changed for a signed audit log message. * <P> - * + * * @param eeSerialNumber a string containing the un-normalized serialNumber * @return id string containing the signed audit log message RequesterID */ @@ -654,8 +669,8 @@ public class DoUnrevoke extends CMSServlet { // convert it to hexadecimal serialNumber = "0x" - + Integer.toHexString(Integer.valueOf(serialNumber) - .intValue()); + + Integer.toHexString( + Integer.valueOf(serialNumber).intValue()); } else { serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } @@ -663,3 +678,4 @@ public class DoUnrevoke extends CMSServlet { return serialNumber; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java index 18eb0fc34..8f46ee9c3 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.io.OutputStream; import java.math.BigInteger; @@ -54,10 +55,11 @@ import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.ECMSGWException; + /** - * 'Unrevoke' a certificate. (For certificates that are on-hold only, take them - * off-hold) - * + * 'Unrevoke' a certificate. (For certificates that are on-hold only, + * take them off-hold) + * * @version $Revision$, $Date$ */ public class DoUnrevokeTPS extends CMSServlet { @@ -79,28 +81,29 @@ public class DoUnrevokeTPS extends CMSServlet { private final static String OFF_HOLD = "off-hold"; private final static int OFF_HOLD_REASON = 6; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; + public DoUnrevokeTPS() { super(); } /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) { - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mAuthority instanceof ICertAuthority) { - mPublisherProcessor = ((ICertAuthority) mAuthority) - .getPublisherProcessor(); + mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mQueue = mAuthority.getRequestQueue(); @@ -109,14 +112,14 @@ public class DoUnrevokeTPS extends CMSServlet { } /** - * Process the HTTP request. + * Process the HTTP request. * <ul> - * <li>http.param serialNumber Decimal serial number of certificate to - * unrevoke. The certificate must be revoked with a revovcation reason 'on - * hold' for this operation to succeed. The serial number may be expressed - * as a hex number by prefixing '0x' to the serialNumber string + * <li>http.param serialNumber Decimal serial number of certificate to unrevoke. The + * certificate must be revoked with a revovcation reason 'on hold' for this + * operation to succeed. The serial number may be expressed as a hex number by + * prefixing '0x' to the serialNumber string * </ul> - * + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -130,52 +133,53 @@ public class DoUnrevokeTPS extends CMSServlet { Locale[] locale = new Locale[1]; - /* - * try { form = getTemplate(mFormPath, req, locale); } catch - * (IOException e) { log(ILogger.LL_FAILURE, - * CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); throw new - * ECMSGWException( - * CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } - */ +/* + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } +*/ try { serialNumbers = getSerialNumbers(req); - // for audit log. + //for audit log. IAuthToken authToken = authenticate(cmsReq); String authMgr = AuditFormat.NOAUTH; - + if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - } else { - CMS.debug("DoUnrevokeTPS::process() - authToken is null!"); + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + } else { + CMS.debug( "DoUnrevokeTPS::process() - authToken is null!" ); return; - } + } String agentID = authToken.getInString("userid"); String initiative = AuditFormat.FROMAGENT + " agentID: " + agentID - + " authenticated by " + authMgr; + + " authenticated by " + authMgr; AuthzToken authzToken = null; try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "unrevoke"); + mAuthzResourceName, "unrevoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); o_status = "status=3"; errorString = "error=unauthorized"; - String pp = o_status + "\n" + errorString; + String pp = o_status+"\n"+errorString; byte[] b = pp.getBytes(); resp.setContentType("text/html"); resp.setContentLength(b.length); @@ -187,10 +191,8 @@ public class DoUnrevokeTPS extends CMSServlet { process(serialNumbers, req, resp, locale[0], initiative); } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); - error = new EBaseException(CMS.getUserMessage(getLocale(req), - "CMS_BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUM_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req),"CMS_BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } catch (IOException e) { @@ -204,10 +206,10 @@ public class DoUnrevokeTPS extends CMSServlet { errorString = "error="; } else { o_status = "status=3"; - errorString = "error=" + error.toString(); + errorString = "error="+error.toString(); } - String pp = o_status + "\n" + errorString; + String pp = o_status+"\n"+errorString; byte[] b = pp.getBytes(); resp.setContentType("text/html"); resp.setContentLength(b.length); @@ -215,35 +217,33 @@ public class DoUnrevokeTPS extends CMSServlet { os.write(b); os.flush(); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_ERR_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } + /** * Process X509 cert status change request * <P> - * - * (Certificate Request - an "agent" cert status change request to take a - * certificate off-hold) + * + * (Certificate Request - an "agent" cert status change request to take + * a certificate off-hold) * <P> - * - * (Certificate Request Processed - an "agent" cert status change request to - * take a certificate off-hold) + * + * (Certificate Request Processed - an "agent" cert status change request + * to take a certificate off-hold) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used - * when a cert status change request (e. g. - "revocation") is made (before + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST used when + * a cert status change request (e. g. - "revocation") is made (before * approval process) - * <li>signed.audit - * LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED used when a - * certificate status is changed (taken off-hold) + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED + * used when a certificate status is changed (taken off-hold) * </ul> - * * @param serialNumbers the serial number of the certificate * @param req HTTP servlet request * @param resp HTTP servlet response @@ -251,15 +251,16 @@ public class DoUnrevokeTPS extends CMSServlet { * @param initiative string containing the audit format * @exception EBaseException an error has occurred */ - private void process(BigInteger[] serialNumbers, HttpServletRequest req, - HttpServletResponse resp, Locale locale, String initiative) - throws EBaseException { + private void process(BigInteger[] serialNumbers, + HttpServletRequest req, + HttpServletResponse resp, + Locale locale, String initiative) + throws EBaseException { boolean auditRequest = true; String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(req); - String auditSerialNumber = auditSerialNumber(serialNumbers[0] - .toString()); + String auditSerialNumber = auditSerialNumber(serialNumbers[0].toString()); String auditRequestType = OFF_HOLD; String auditApprovalStatus = ILogger.SIGNED_AUDIT_EMPTY_VALUE; String auditReasonNum = String.valueOf(OFF_HOLD_REASON); @@ -267,32 +268,30 @@ public class DoUnrevokeTPS extends CMSServlet { try { String snList = ""; - // certs are for old cloning and they should be removed as soon as - // possible + // certs are for old cloning and they should be removed as soon as possible X509CertImpl[] certs = new X509CertImpl[serialNumbers.length]; for (int i = 0; i < serialNumbers.length; i++) { - certs[i] = (X509CertImpl) getX509Certificate(serialNumbers[i]); - if (snList.length() > 0) - snList += ", "; + certs[i] = (X509CertImpl)getX509Certificate(serialNumbers[i]); + if (snList.length() > 0) snList += ", "; snList += "0x" + serialNumbers[i].toString(16); } - IRequest unrevReq = mQueue - .newRequest(IRequest.UNREVOCATION_REQUEST); + IRequest unrevReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); - unrevReq.setExtData(IRequest.REQ_TYPE, - IRequest.UNREVOCATION_REQUEST); + unrevReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST); unrevReq.setExtData(IRequest.OLD_SERIALS, serialNumbers); - unrevReq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_AGENT); + unrevReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); // change audit processing from "REQUEST" to "REQUEST_PROCESSED" // to distinguish which type of signed audit log message to save @@ -307,125 +306,125 @@ public class DoUnrevokeTPS extends CMSServlet { RequestStatus status = unrevReq.getRequestStatus(); String type = unrevReq.getRequestType(); - if ((status == RequestStatus.COMPLETE) - || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { + if ((status == RequestStatus.COMPLETE) || ((type.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) && (status == RequestStatus.SVC_PENDING))) { Integer result = unrevReq.getExtDataInInteger(IRequest.RESULT); if (result != null && result.equals(IRequest.RES_SUCCESS)) { if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOUNREVOKEFORMAT, new Object[] { - unrevReq.getRequestId(), initiative, - "completed", certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } else { String error = unrevReq.getExtDataInString(IRequest.ERROR); if (error != null) { o_status = "status=3"; - errorString = "error=" + error; + errorString = "error="+error; if (certs[0] != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOUNREVOKEFORMAT, - new Object[] { - unrevReq.getRequestId(), - initiative, - "completed with error: " + error, - certs[0].getSubjectDN(), - "0x" - + serialNumbers[0] - .toString(16) }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "completed with error: " + + error, + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } } - Integer updateCRLResult = unrevReq - .getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); + Integer updateCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_UPDATE_STATUS); if (updateCRLResult != null) { if (!updateCRLResult.equals(IRequest.RES_SUCCESS)) { - String crlError = unrevReq - .getExtDataInString(IRequest.CRL_UPDATE_ERROR); + String crlError = + unrevReq.getExtDataInString(IRequest.CRL_UPDATE_ERROR); if (crlError != null) { o_status = "status=3"; - errorString = "error=" + crlError; + errorString = "error="+crlError; } } // let known crl publishing status too. - Integer publishCRLResult = unrevReq - .getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); + Integer publishCRLResult = + unrevReq.getExtDataInInteger(IRequest.CRL_PUBLISH_STATUS); if (publishCRLResult != null) { if (!publishCRLResult.equals(IRequest.RES_SUCCESS)) { - String publError = unrevReq - .getExtDataInString(IRequest.CRL_PUBLISH_ERROR); + String publError = + unrevReq.getExtDataInString(IRequest.CRL_PUBLISH_ERROR); if (publError != null) { o_status = "status=3"; - errorString = "error=" + publError; + errorString = "error="+publError; } } } } - // let known update and publish status of all crls. - Enumeration otherCRLs = ((ICertificateAuthority) mAuthority) - .getCRLIssuingPoints(); + // let known update and publish status of all crls. + Enumeration otherCRLs = + ((ICertificateAuthority) mAuthority).getCRLIssuingPoints(); while (otherCRLs.hasMoreElements()) { - ICRLIssuingPoint crl = (ICRLIssuingPoint) otherCRLs - .nextElement(); + ICRLIssuingPoint crl = (ICRLIssuingPoint) + otherCRLs.nextElement(); String crlId = crl.getId(); if (crlId.equals(ICertificateAuthority.PROP_MASTER_CRL)) continue; String updateStatusStr = crl.getCrlUpdateStatusStr(); - Integer updateResult = unrevReq - .getExtDataInInteger(updateStatusStr); + Integer updateResult = unrevReq.getExtDataInInteger(updateStatusStr); if (updateResult != null) { if (!updateResult.equals(IRequest.RES_SUCCESS)) { String updateErrorStr = crl.getCrlUpdateErrorStr(); - String error = unrevReq - .getExtDataInString(updateErrorStr); + String error = + unrevReq.getExtDataInString(updateErrorStr); if (error != null) { o_status = "status=3"; - errorString = "error=" + error; + errorString = "error="+error; } } String publishStatusStr = crl.getCrlPublishStatusStr(); - Integer publishResult = unrevReq - .getExtDataInInteger(publishStatusStr); + Integer publishResult = + unrevReq.getExtDataInInteger(publishStatusStr); - if (publishResult == null) + if (publishResult == null) continue; if (!publishResult.equals(IRequest.RES_SUCCESS)) { - String publishErrorStr = crl - .getCrlPublishErrorStr(); + String publishErrorStr = + crl.getCrlPublishErrorStr(); - String error = unrevReq - .getExtDataInString(publishErrorStr); + String error = + unrevReq.getExtDataInString(publishErrorStr); if (error != null) { o_status = "status=3"; - errorString = "error=" + error; + errorString = "error="+error; } } } } - if (mPublisherProcessor != null - && mPublisherProcessor.ldapEnabled()) { - Integer[] ldapPublishStatus = unrevReq - .getExtDataInIntegerArray("ldapPublishStatus"); + if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) { + Integer[] ldapPublishStatus = + unrevReq.getExtDataInIntegerArray("ldapPublishStatus"); if (ldapPublishStatus != null) { if (ldapPublishStatus[0] != IRequest.RES_SUCCESS) { @@ -433,21 +432,25 @@ public class DoUnrevokeTPS extends CMSServlet { errorString = "error=Problem in publishing to LDAP"; } } - } else if (mPublisherProcessor == null - || (!mPublisherProcessor.ldapEnabled())) { + } else if (mPublisherProcessor == null || (! mPublisherProcessor.ldapEnabled())) { o_status = "status=3"; errorString = "error=LDAP Publisher not enabled"; } } else if (status == RequestStatus.PENDING) { o_status = "status=2"; - errorString = "error=" + status.toString(); + errorString = "error="+status.toString(); if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, AuditFormat.DOUNREVOKEFORMAT, - new Object[] { unrevReq.getRequestId(), initiative, - "pending", certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + "pending", + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } else { o_status = "status=2"; @@ -455,10 +458,15 @@ public class DoUnrevokeTPS extends CMSServlet { if (certs[0] != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, AuditFormat.DOUNREVOKEFORMAT, - new Object[] { unrevReq.getRequestId(), initiative, - status.toString(), certs[0].getSubjectDN(), - "0x" + serialNumbers[0].toString(16) }); + AuditFormat.LEVEL, + AuditFormat.DOUNREVOKEFORMAT, + new Object[] { + unrevReq.getRequestId(), + initiative, + status.toString(), + certs[0].getSubjectDN(), + "0x" + serialNumbers[0].toString(16)} + ); } } @@ -466,17 +474,18 @@ public class DoUnrevokeTPS extends CMSServlet { // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + || (auditApprovalStatus.equals(RequestStatus.REJECTED_STRING)) + || (auditApprovalStatus.equals(RequestStatus.CANCELED_STRING)) + ) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -486,9 +495,12 @@ public class DoUnrevokeTPS extends CMSServlet { // store a "CERT_STATUS_CHANGE_REQUEST" failure // message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditSerialNumber, auditRequestType); + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType); audit(auditMessage); } else { @@ -496,18 +508,21 @@ public class DoUnrevokeTPS extends CMSServlet { // message in the signed audit log file // if and only if "auditApprovalStatus" is // "complete", "revoked", or "canceled" - if ((auditApprovalStatus.equals(RequestStatus.COMPLETE_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.REJECTED_STRING)) - || (auditApprovalStatus - .equals(RequestStatus.CANCELED_STRING))) { - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditSerialNumber, - auditRequestType, auditReasonNum, - auditApprovalStatus); + if ((auditApprovalStatus.equals( + RequestStatus.COMPLETE_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.REJECTED_STRING)) || + (auditApprovalStatus.equals( + RequestStatus.CANCELED_STRING))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditSerialNumber, + auditRequestType, + auditReasonNum, + auditApprovalStatus); audit(auditMessage); } @@ -518,7 +533,7 @@ public class DoUnrevokeTPS extends CMSServlet { } private BigInteger[] getSerialNumbers(HttpServletRequest req) - throws NumberFormatException { + throws NumberFormatException { String serialNumString = req.getParameter("serialNumber"); StringTokenizer snList = new StringTokenizer(serialNumString, " "); @@ -539,7 +554,7 @@ public class DoUnrevokeTPS extends CMSServlet { biList.addElement(bi); } else { throw new NumberFormatException(); - } + } } if (biList.size() < 1) { throw new NumberFormatException(); @@ -555,11 +570,11 @@ public class DoUnrevokeTPS extends CMSServlet { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for a signed audit log - * message. + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. * <P> - * + * * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ @@ -585,11 +600,11 @@ public class DoUnrevokeTPS extends CMSServlet { /** * Signed Audit Log Serial Number - * + * * This method is called to obtain the serial number of the certificate * whose status is to be changed for a signed audit log message. * <P> - * + * * @param eeSerialNumber a string containing the un-normalized serialNumber * @return id string containing the signed audit log message RequesterID */ @@ -607,8 +622,8 @@ public class DoUnrevokeTPS extends CMSServlet { // convert it to hexadecimal serialNumber = "0x" - + Integer.toHexString(Integer.valueOf(serialNumber) - .intValue()); + + Integer.toHexString( + Integer.valueOf(serialNumber).intValue()); } else { serialNumber = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } @@ -616,3 +631,4 @@ public class DoUnrevokeTPS extends CMSServlet { return serialNumber; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java b/pki/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java index 0335837d7..b1d894268 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/EnableEnrollResult.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.security.cert.X509Certificate; import java.util.Locale; @@ -45,9 +46,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * For Face-to-face enrollment, enable EE enrollment feature - * + * * @version $Revision$, $Date$ * @see com.netscape.cms.servlet.cert.DisableEnrollResult */ @@ -85,7 +87,8 @@ public class EnableEnrollResult extends CMSServlet { /** * Services the request */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -94,8 +97,8 @@ public class EnableEnrollResult extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "enable"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "enable"); } catch (Exception e) { // do nothing for now } @@ -114,10 +117,9 @@ public class EnableEnrollResult extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof IRegistrationAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -128,11 +130,10 @@ public class EnableEnrollResult extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -148,8 +149,7 @@ public class EnableEnrollResult extends CMSServlet { header.addStringValue("machineName", machine); header.addStringValue("port", port); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; @@ -162,7 +162,7 @@ public class EnableEnrollResult extends CMSServlet { String timeout = args.getValueAsString("timeout", "600"); mgr.createEntry(host, dn, Long.parseLong(timeout) * 1000, - random.nextLong() + "", 0); + random.nextLong() + "", 0); header.addStringValue("code", "0"); } @@ -173,10 +173,10 @@ public class EnableEnrollResult extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } cmsReq.setStatus(CMSRequest.SUCCESS); diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java index e58aeb8e3..ee64cb948 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/EnrollServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateEncodingException; @@ -76,9 +77,10 @@ import com.netscape.cms.servlet.processors.KeyGenProcessor; import com.netscape.cms.servlet.processors.PKCS10Processor; import com.netscape.cms.servlet.processors.PKIProcessor; + /** * Submit a Certificate Enrollment request - * + * * @version $Revision$, $Date$ */ public class EnrollServlet extends CMSServlet { @@ -90,9 +92,10 @@ public class EnrollServlet extends CMSServlet { public final static String ADMIN_ENROLL_SERVLET_ID = "caadminEnroll"; // enrollment templates. - public static final String ENROLL_SUCCESS_TEMPLATE = "EnrollSuccess.template"; + public static final String + ENROLL_SUCCESS_TEMPLATE = "EnrollSuccess.template"; - // http params + // http params public static final String OLD_CERT_TYPE = "csrCertType"; public static final String CERT_TYPE = "certType"; // same as in ConfigConstant.java @@ -115,7 +118,8 @@ public class EnrollServlet extends CMSServlet { private boolean mAuthTokenOverride = true; private String mEnrollSuccessTemplate = null; - private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller(); + private ICMSTemplateFiller + mEnrollSuccessFiller = new ImportCertsTemplateFiller(); ICertificateAuthority mCa = null; ICertificateRepository mRepository = null; @@ -123,46 +127,56 @@ public class EnrollServlet extends CMSServlet { private boolean enforcePop = false; private String auditServiceID = ILogger.UNIDENTIFIED; - private final static String ADMIN_CA_ENROLLMENT_SERVLET = "caadminEnroll"; - private final static String AGENT_CA_BULK_ENROLLMENT_SERVLET = "cabulkissuance"; - private final static String AGENT_RA_BULK_ENROLLMENT_SERVLET = "rabulkissuance"; - private final static String EE_CA_CERT_BASED_ENROLLMENT_SERVLET = "cacertbasedenrollment"; - private final static String EE_CA_ENROLLMENT_SERVLET = "caenrollment"; - private final static String EE_RA_CERT_BASED_ENROLLMENT_SERVLET = "racertbasedenrollment"; - private final static String EE_RA_ENROLLMENT_SERVLET = "raenrollment"; + private final static String ADMIN_CA_ENROLLMENT_SERVLET = + "caadminEnroll"; + private final static String AGENT_CA_BULK_ENROLLMENT_SERVLET = + "cabulkissuance"; + private final static String AGENT_RA_BULK_ENROLLMENT_SERVLET = + "rabulkissuance"; + private final static String EE_CA_CERT_BASED_ENROLLMENT_SERVLET = + "cacertbasedenrollment"; + private final static String EE_CA_ENROLLMENT_SERVLET = + "caenrollment"; + private final static String EE_RA_CERT_BASED_ENROLLMENT_SERVLET = + "racertbasedenrollment"; + private final static String EE_RA_ENROLLMENT_SERVLET = + "raenrollment"; private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { - - /* 0 */"automated non-profile cert request rejection: " - + "unable to render OLD_CERT_TYPE response", - - /* 1 */"automated non-profile cert request rejection: " - + "unable to complete handleEnrollAuditLog() method", - - /* 2 */"automated non-profile cert request rejection: " - + "unable to render success template", - - /* 3 */"automated non-profile cert request rejection: " - + "indeterminate reason for inability to process " - + "cert request due to an EBaseException" }; - private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; - + private final static String[] + SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { + + /* 0 */ "automated non-profile cert request rejection: " + + "unable to render OLD_CERT_TYPE response", + + /* 1 */ "automated non-profile cert request rejection: " + + "unable to complete handleEnrollAuditLog() method", + + /* 2 */ "automated non-profile cert request rejection: " + + "unable to render success template", + + /* 3 */ "automated non-profile cert request rejection: " + + "indeterminate reason for inability to process " + + "cert request due to an EBaseException" + }; + private final static String + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; + private final static String + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; - + public EnrollServlet() { super(); } /** - * initialize the servlet. - * <p> - * the following parameters are read from the servlet config: - * <ul> - * <li>CMSServlet.PROP_ID - ID for signed audit log messages - * <li>CMSServlet.PROP_SUCCESS_TEMPLATE - success template file - * + * initialize the servlet.<p> + * the following parameters are read from the servlet config: + * <ul><li>CMSServlet.PROP_ID - ID for signed audit log messages + * <li>CMSServlet.PROP_SUCCESS_TEMPLATE - success template file * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -173,8 +187,8 @@ public class EnrollServlet extends CMSServlet { try { IConfigStore configStore = CMS.getConfigStore(); - String PKI_Subsystem = configStore.getString("subsystem.0.id", - null); + String PKI_Subsystem = configStore.getString( "subsystem.0.id", + null ); // CMS 6.1 began utilizing the "Certificate Profiles" framework // instead of the legacy "Certificate Policies" framework. @@ -185,49 +199,51 @@ public class EnrollServlet extends CMSServlet { // framework would be deprecated and disabled by default // (see Bugzilla Bug #472597). // - // NOTE: The "Certificate Policies" framework ONLY applied to - // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. // - // Further, the "EnrollServlet.java" servlet is ONLY - // used by the CA for the following: + // Further, the "EnrollServlet.java" servlet is ONLY + // used by the CA for the following: // - // SERVLET-NAME URL-PATTERN - // ==================================================== - // caadminEnroll ca/admin/ca/adminEnroll.html - // cabulkissuance ca/agent/ca/bulkissuance.html - // cacertbasedenrollment ca/certbasedenrollment.html - // caenrollment ca/enrollment.html + // SERVLET-NAME URL-PATTERN + // ==================================================== + // caadminEnroll ca/admin/ca/adminEnroll.html + // cabulkissuance ca/agent/ca/bulkissuance.html + // cacertbasedenrollment ca/certbasedenrollment.html + // caenrollment ca/enrollment.html // - // The "EnrollServlet.java" servlet is NOT used by - // the KRA. + // The "EnrollServlet.java" servlet is NOT used by + // the KRA. // - if (PKI_Subsystem.trim().equalsIgnoreCase("ca")) { + if( PKI_Subsystem.trim().equalsIgnoreCase( "ca" ) ) { String policyStatus = PKI_Subsystem.trim().toLowerCase() - + "." + "Policy" + "." - + IPolicyProcessor.PROP_ENABLE; - - if (configStore.getBoolean(policyStatus, true) == true) { - // NOTE: If "<subsystem>.Policy.enable=<boolean>" - // is missing, then the referenced instance - // existed prior to this name=value pair - // existing in its 'CS.cfg' file, and thus - // we err on the side that the user may - // still need to use the policy framework. - CMS.debug("EnrollServlet::init Certificate " - + "Policy Framework (deprecated) " - + "is ENABLED"); + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + + if( configStore.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "<subsystem>.Policy.enable=<boolean>" + // is missing, then the referenced instance + // existed prior to this name=value pair + // existing in its 'CS.cfg' file, and thus + // we err on the side that the user may + // still need to use the policy framework. + CMS.debug( "EnrollServlet::init Certificate " + + "Policy Framework (deprecated) " + + "is ENABLED" ); } else { - // CS 8.1 Default: <subsystem>.Policy.enable=false - CMS.debug("EnrollServlet::init Certificate " - + "Policy Framework (deprecated) " - + "is DISABLED"); + // CS 8.1 Default: <subsystem>.Policy.enable=false + CMS.debug( "EnrollServlet::init Certificate " + + "Policy Framework (deprecated) " + + "is DISABLED" ); return; } } - } catch (EBaseException e) { - throw new ServletException("EnrollServlet::init - " - + "EBaseException: " + "Unable to initialize " - + "Certificate Policy Framework " + "(deprecated)"); + } catch( EBaseException e ) { + throw new ServletException( "EnrollServlet::init - " + + "EBaseException: " + + "Unable to initialize " + + "Certificate Policy Framework " + + "(deprecated)" ); } // override success template to allow direct import of keygen certs. @@ -238,36 +254,37 @@ public class EnrollServlet extends CMSServlet { String id = sc.getInitParameter(CMSServlet.PROP_ID); if (id != null) { - if (!(auditServiceID.equals(ADMIN_CA_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(AGENT_CA_BULK_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(AGENT_RA_BULK_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(EE_CA_CERT_BASED_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(EE_CA_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(EE_RA_CERT_BASED_ENROLLMENT_SERVLET)) - && !(auditServiceID - .equals(EE_RA_ENROLLMENT_SERVLET))) { + if (!(auditServiceID.equals( + ADMIN_CA_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + AGENT_CA_BULK_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + AGENT_RA_BULK_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + EE_CA_CERT_BASED_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + EE_CA_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + EE_RA_CERT_BASED_ENROLLMENT_SERVLET)) + && !(auditServiceID.equals( + EE_RA_ENROLLMENT_SERVLET))) { auditServiceID = ILogger.UNIDENTIFIED; } else { auditServiceID = id.trim(); } } - mEnrollSuccessTemplate = sc - .getInitParameter(CMSServlet.PROP_SUCCESS_TEMPLATE); + mEnrollSuccessTemplate = sc.getInitParameter( + CMSServlet.PROP_SUCCESS_TEMPLATE); if (mEnrollSuccessTemplate == null) mEnrollSuccessTemplate = ENROLL_SUCCESS_TEMPLATE; - String fillername = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); + String fillername = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE_FILLER); if (fillername != null) { ICMSTemplateFiller filler = newFillerObject(fillername); - if (filler != null) + if (filler != null) mEnrollSuccessFiller = filler; } @@ -276,10 +293,10 @@ public class EnrollServlet extends CMSServlet { init_testbed_hack(mConfig); } catch (Exception e) { - // this should never happen. - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", - e.toString(), mId)); + // this should never happen. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", + e.toString(), mId)); } } catch (ServletException eAudit1) { // rethrow caught exception @@ -287,61 +304,64 @@ public class EnrollServlet extends CMSServlet { } } - /** - * XXX (SHOULD CHANGE TO READ FROM Servletconfig) Getter method to see if - * Proof of Posession checking is enabled. this value is set in the CMS.cfg - * filem with the parameter "enrollment.enforcePop". It defaults to false - * - * @return true if user is required to Prove that they possess the private - * key corresponding to the public key in the certificate request - * they are submitting - */ + + /** + * XXX (SHOULD CHANGE TO READ FROM Servletconfig) + * Getter method to see if Proof of Posession checking is enabled. + * this value is set in the CMS.cfg filem with the parameter + * "enrollment.enforcePop". It defaults to false + * @return true if user is required to Prove that they possess the + * private key corresponding to the public key in the certificate + * request they are submitting + */ public boolean getEnforcePop() { return enforcePop; } /** - * Process the HTTP request. - * <UL> - * <LI>If the request is coming through the admin port, it is only allowed - * to continue if 'admin enrollment' is enabled in the CMS.cfg file - * <LI>If the CMS.cfg parameter useThreadNaming is true, the current thread - * is renamed with more information about the current request ID - * <LI>The request is preprocessed, then processed further in one of the - * cert request processor classes: KeyGenProcessor, PKCS10Processor, - * CMCProcessor, CRMFProcessor - * </UL> - * + * Process the HTTP request. + * <UL><LI>If the request is coming through the admin port, it is only + * allowed to continue if 'admin enrollment' is enabled in the CMS.cfg file + * <LI>If the CMS.cfg parameter useThreadNaming is true, the current thread is + * renamed with more information about the current request ID + * <LI>The request is preprocessed, then processed further in one + * of the cert request processor classes: KeyGenProcessor, PKCS10Processor, + * CMCProcessor, CRMFProcessor + * </UL> + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { // SPECIAL CASE: // if it is adminEnroll servlet,check if it's enabled - if (mId.equals(ADMIN_ENROLL_SERVLET_ID) - && !CMSGateway.getEnableAdminEnroll()) { - log(ILogger.LL_SECURITY, - CMS.getLogMessage("ADMIN_SRVLT_ENROLL_ACCESS_AFTER_SETUP")); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REDIRECTING_ADMINENROLL_ERROR", - "Attempt to access adminEnroll after already setup.")); + if (mId.equals(ADMIN_ENROLL_SERVLET_ID) && + !CMSGateway.getEnableAdminEnroll()) { + log(ILogger.LL_SECURITY, + CMS.getLogMessage("ADMIN_SRVLT_ENROLL_ACCESS_AFTER_SETUP")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REDIRECTING_ADMINENROLL_ERROR", "Attempt to access adminEnroll after already setup.")); } - processX509(cmsReq); + processX509(cmsReq); } private boolean getCertAuthEnrollStatus(IArgBlock httpParams) { /* - * === certAuth based enroll === "certAuthEnroll" is on. - * "certauthEnrollType can be one of the three: single - it's for single - * cert enrollment dual - it's for dual certs enrollment encryption - - * getting the encryption cert only via authentication of the signing - * cert (crmf or keyGenInfo) + * === certAuth based enroll === + * "certAuthEnroll" is on. + * "certauthEnrollType can be one of the three: + * single - it's for single cert enrollment + * dual - it's for dual certs enrollment + * encryption - getting the encryption cert only via + * authentication of the signing cert + * (crmf or keyGenInfo) */ boolean certAuthEnroll = false; - String certAuthEnrollOn = httpParams.getValueAsString("certauthEnroll", - null); + String certAuthEnrollOn = + httpParams.getValueAsString("certauthEnroll", null); if ((certAuthEnrollOn != null) && (certAuthEnrollOn.equals("on"))) { certAuthEnroll = true; @@ -352,14 +372,14 @@ public class EnrollServlet extends CMSServlet { } - private String getCertAuthEnrollType(IArgBlock httpParams, - boolean certAuthEnroll) throws EBaseException { + private String getCertAuthEnrollType(IArgBlock httpParams, boolean certAuthEnroll) + throws EBaseException { String certauthEnrollType = null; if (certAuthEnroll == true) { - certauthEnrollType = httpParams.getValueAsString( - "certauthEnrollType", null); + certauthEnrollType = + httpParams.getValueAsString("certauthEnrollType", null); if (certauthEnrollType != null) { if (certauthEnrollType.equals("dual")) { CMS.debug("EnrollServlet: certauthEnrollType is dual"); @@ -368,50 +388,54 @@ public class EnrollServlet extends CMSServlet { } else if (certauthEnrollType.equals("single")) { CMS.debug("EnrollServlet: certauthEnrollType is single"); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", - certauthEnrollType)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", certauthEnrollType)); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE")); + CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE")); } } else { log(ILogger.LL_FAILURE, - CMS.getLogMessage("MSGW_MISSING_CERTAUTH_ENROLL_TYPE")); + CMS.getLogMessage("MSGW_MISSING_CERTAUTH_ENROLL_TYPE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE")); + CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE")); } } - + return certauthEnrollType; - + } private boolean checkClientCertSigningOnly(X509Certificate sslClientCert) - throws EBaseException { - if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == false) - || ((CMS.isSigningCert((X509CertImpl) sslClientCert) == true) && (CMS - .isEncryptionCert((X509CertImpl) sslClientCert) == true))) { + throws EBaseException { + if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + false) || + ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + true) && + (CMS.isEncryptionCert((X509CertImpl) sslClientCert) == + true))) { // either it's not a signing cert, or it's a dual cert log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); + CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); } return true; } - - private X509CertInfo[] handleCertAuthDual(X509CertInfo certInfo, - IAuthToken authToken, X509Certificate sslClientCert, - ICertificateAuthority mCa, String certBasedOldSubjectDN, - BigInteger certBasedOldSerialNum) throws EBaseException { - + + private X509CertInfo[] handleCertAuthDual(X509CertInfo certInfo, IAuthToken authToken, X509Certificate sslClientCert, + ICertificateAuthority mCa, String certBasedOldSubjectDN, + BigInteger certBasedOldSerialNum) + throws EBaseException { + CMS.debug("EnrollServlet: In handleCertAuthDual!"); - + if (mCa == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NOT_A_CA")); - throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NOT_A_CA")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NOT_A_CA")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_A_CA")); } // first, make sure the client cert is indeed a @@ -433,28 +457,21 @@ public class EnrollServlet extends CMSServlet { try { certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_IO", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_IO", e.toString())); throw new ECMSGWException( - CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } - String filter = "(&(x509cert.subject=" + certBasedOldSubjectDN - + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum - + "))(certStatus=VALID))"; - ICertRecordList list = (ICertRecordList) mCa.getCertificateRepository() - .findCertRecordsInList(filter, null, 10); + String filter = + "(&(x509cert.subject=" + certBasedOldSubjectDN + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum + "))(certStatus=VALID))"; + ICertRecordList list = + (ICertRecordList) mCa.getCertificateRepository().findCertRecordsInList(filter, null, 10); int size = list.getSize(); Enumeration en = list.getCertRecords(0, size - 1); boolean gotEncCert = false; @@ -467,8 +484,8 @@ public class EnrollServlet extends CMSServlet { // pairing encryption cert not found } else { X509CertInfo encCertInfo = CMS.getDefaultX509CertInfo(); - X509CertInfo[] cInfoArray = new X509CertInfo[] { certInfo, - encCertInfo }; + X509CertInfo[] cInfoArray = new X509CertInfo[] {certInfo, + encCertInfo}; int i = 1; boolean encCertFound = false; @@ -478,9 +495,9 @@ public class EnrollServlet extends CMSServlet { X509CertImpl cert = record.getCertificate(); // if not encryption cert only, try next one - if ((CMS.isEncryptionCert(cert) == false) - || ((CMS.isEncryptionCert(cert) == true) && (CMS - .isSigningCert(cert) == true))) { + if ((CMS.isEncryptionCert(cert) == false) || + ((CMS.isEncryptionCert(cert) == true) && + (CMS.isSigningCert(cert) == true))) { CMS.debug("EnrollServlet: Not encryption only cert, will try next one."); continue; @@ -491,33 +508,29 @@ public class EnrollServlet extends CMSServlet { encCertFound = true; try { - encCertInfo = (X509CertInfo) cert.get(X509CertImpl.NAME - + "." + X509CertImpl.INFO); + encCertInfo = (X509CertInfo) + cert.get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); } catch (CertificateParsingException ex) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); + CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTINFO")); + CMS.getUserMessage("CMS_GW_MISSING_CERTINFO")); } try { - encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key( - key)); + encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key(key)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } CMS.debug("EnrollServlet: About to fillCertInfoFromAuthToken!"); @@ -532,17 +545,16 @@ public class EnrollServlet extends CMSServlet { return null; } - CMS.debug("EnrollServlet: returning cInfoArray of length " - + cInfoArray.length); + CMS.debug("EnrollServlet: returning cInfoArray of length " + cInfoArray.length); return cInfoArray; - } + } } - private boolean handleEnrollAuditLog(IRequest req, CMSRequest cmsReq, - String authMgr, IAuthToken authToken, X509CertInfo certInfo, - long startTime) throws EBaseException { - // for audit log + private boolean handleEnrollAuditLog(IRequest req, CMSRequest cmsReq, String authMgr, IAuthToken authToken, + X509CertInfo certInfo, long startTime) + throws EBaseException { + //for audit log String initiative = null; String agentID = null; @@ -553,7 +565,7 @@ public class EnrollServlet extends CMSServlet { } else { agentID = authToken.getInString("userid"); initiative = AuditFormat.FROMAGENT + " agentID: " + agentID; - } + } // if service not complete return standard templates. RequestStatus status = req.getRequestStatus(); @@ -563,8 +575,7 @@ public class EnrollServlet extends CMSServlet { // audit log the status try { if (status == RequestStatus.REJECTED) { - Vector messages = req - .getExtDataInStringVector(IRequest.ERRORS); + Vector messages = req.getExtDataInStringVector(IRequest.ERRORS); if (messages != null) { Enumeration msgs = messages.elements(); @@ -574,48 +585,55 @@ public class EnrollServlet extends CMSServlet { wholeMsg.append("\n"); wholeMsg.append(msgs.nextElement()); } - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - certInfo.get(X509CertInfo.SUBJECT), - " violation: " + wholeMsg.toString() }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT), + " violation: " + + wholeMsg.toString()} + ); } else { // no policy violation, from agent - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - certInfo.get(X509CertInfo.SUBJECT), "" }); - } - } else { // other imcomplete status - long endTime = CMS.getCurrentDate().getTime(); - - mLogger.log( - ILogger.EV_AUDIT, + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.ENROLLMENTFORMAT, new Object[] { - req.getRequestId(), - initiative, - authMgr, - status.toString(), - certInfo.get(X509CertInfo.SUBJECT) - + " time: " + (endTime - startTime), - "" }); + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT), ""} + ); + } + } else { // other imcomplete status + long endTime = CMS.getCurrentDate().getTime(); + + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT) + " time: " + (endTime - startTime), ""} + ); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + e.toString())); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + e.toString())); } return false; } @@ -626,35 +644,40 @@ public class EnrollServlet extends CMSServlet { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(req.getExtDataInString(IRequest.ERROR)); - String[] svcErrors = req - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + req.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // System.out.println( - // "revocation servlet: setting error description "+ - // err.toString()); + //System.out.println( + //"revocation servlet: setting error description "+ + //err.toString()); cmsReq.setErrorDescription(err); // audit log the error try { - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, new Object[] { - req.getRequestId(), initiative, - authMgr, - "completed with error: " + err, - certInfo.get(X509CertInfo.SUBJECT), - "" }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + "completed with error: " + + err, + certInfo.get(X509CertInfo.SUBJECT), "" + } + ); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } @@ -672,29 +695,29 @@ public class EnrollServlet extends CMSServlet { /** * Process X509 certificate enrollment request * <P> - * + * * (Certificate Request - either an "admin" cert request for an admin - * certificate, an "agent" cert request for "bulk enrollment", or an "EE" - * standard cert request) + * certificate, an "agent" cert request for "bulk enrollment", or + * an "EE" standard cert request) * <P> - * + * * (Certificate Request Processed - either an automated "admin" non-profile - * based CA admin cert acceptance, an automated "admin" non-profile based CA - * admin cert rejection, an automated "EE" non-profile based cert - * acceptance, or an automated "EE" non-profile based cert rejection) + * based CA admin cert acceptance, an automated "admin" non-profile based + * CA admin cert rejection, an automated "EE" non-profile based cert + * acceptance, or an automated "EE" non-profile based cert rejection) * <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST used when - * a non-profile cert request is made (before approval process) + * <li>signed.audit LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST used when a + * non-profile cert request is made (before approval process) * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED used when a * certificate request has just been through the approval process * </ul> - * * @param cmsReq a certificate enrollment request * @exception EBaseException an error has occurred */ - protected void processX509(CMSRequest cmsReq) throws EBaseException { + protected void processX509(CMSRequest cmsReq) + throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = ILogger.UNIDENTIFIED; @@ -712,7 +735,7 @@ public class EnrollServlet extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); - /* XXX shouldn't we read this from ServletConfig at init time? */ + /* XXX shouldn't we read this from ServletConfig at init time? */ enforcePop = configStore.getBoolean("enrollment.enforcePop", false); CMS.debug("EnrollServlet: enforcePop " + enforcePop); @@ -722,21 +745,19 @@ public class EnrollServlet extends CMSServlet { startTime = CMS.getCurrentDate().getTime(); httpParams = cmsReq.getHttpParams(); httpReq = cmsReq.getHttpReq(); - if (mAuthMgr != null) { + if (mAuthMgr != null) { authToken = authenticate(cmsReq); } try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "submit"); + mAuthzResourceName, "submit"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -744,12 +765,15 @@ public class EnrollServlet extends CMSServlet { // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -769,23 +793,27 @@ public class EnrollServlet extends CMSServlet { } try { - if (CMS.getConfigStore().getBoolean("useThreadNaming", false)) { - String currentName = Thread.currentThread().getName(); - - Thread.currentThread().setName( - currentName + "-request-" - + req.getRequestId().toString() + "-" - + (new Date()).getTime()); + if (CMS.getConfigStore().getBoolean("useThreadNaming", false)) { + String currentName = Thread.currentThread().getName(); + + Thread.currentThread().setName(currentName + + "-request-" + + req.getRequestId().toString() + + "-" + + (new Date()).getTime()); } } catch (Exception e) { } /* - * === certAuth based enroll === "certAuthEnroll" is on. - * "certauthEnrollType can be one of the three: single - it's for - * single cert enrollment dual - it's for dual certs enrollment - * encryption - getting the encryption cert only via authentication - * of the signing cert (crmf or keyGenInfo) + * === certAuth based enroll === + * "certAuthEnroll" is on. + * "certauthEnrollType can be one of the three: + * single - it's for single cert enrollment + * dual - it's for dual certs enrollment + * encryption - getting the encryption cert only via + * authentication of the signing cert + * (crmf or keyGenInfo) */ boolean certAuthEnroll = false; String certauthEnrollType = null; @@ -795,17 +823,20 @@ public class EnrollServlet extends CMSServlet { try { if (certAuthEnroll == true) { certauthEnrollType = getCertAuthEnrollType(httpParams, - certAuthEnroll); + certAuthEnroll); } } catch (ECMSGWException e) { // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -815,7 +846,7 @@ public class EnrollServlet extends CMSServlet { CMS.debug("EnrollServlet: In EnrollServlet.processX509!"); CMS.debug("EnrollServlet: certAuthEnroll " + certAuthEnroll); CMS.debug("EnrollServlet: certauthEnrollType " + certauthEnrollType); - + String challengePassword = httpParams.getValueAsString( "challengePassword", ""); @@ -830,91 +861,96 @@ public class EnrollServlet extends CMSServlet { BigInteger certBasedOldSerialNum = null; // check if request was authenticated, if so set authtoken & - // certInfo. also if authenticated, take certInfo from authToken. + // certInfo. also if authenticated, take certInfo from authToken. certInfo = null; if (certAuthEnroll == true) { sslClientCert = getSSLClientCertificate(httpReq); if (sslClientCert == null) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT")); + CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT")); // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT")); + CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT")); } - certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN() - .toString(); - certBasedOldSerialNum = (BigInteger) sslClientCert - .getSerialNumber(); + certBasedOldSubjectDN = (String) + sslClientCert.getSubjectDN().toString(); + certBasedOldSerialNum = (BigInteger) + sslClientCert.getSerialNumber(); - CMS.debug("EnrollServlet: certBasedOldSubjectDN " - + certBasedOldSubjectDN); - CMS.debug("EnrollServlet: certBasedOldSerialNum " - + certBasedOldSerialNum); + CMS.debug("EnrollServlet: certBasedOldSubjectDN " + certBasedOldSubjectDN); + CMS.debug("EnrollServlet: certBasedOldSerialNum " + certBasedOldSerialNum); // if the cert subject name is NOT MISSING, retrieve the // actual "auditCertificateSubjectName" and "normalize" it if (certBasedOldSubjectDN != null) { - // NOTE: This is ok even if the cert subject name - // is "" (empty)! + // NOTE: This is ok even if the cert subject name + // is "" (empty)! auditCertificateSubjectName = certBasedOldSubjectDN.trim(); } try { - certInfo = (X509CertInfo) ((X509CertImpl) sslClientCert) - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + certInfo = (X509CertInfo) + ((X509CertImpl) sslClientCert).get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); } catch (CertificateParsingException ex) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTINFO")); + CMS.getLogMessage("CMSGW_MISSING_CERTINFO")); // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), "CMS_GW_MISSING_CERTINFO")); + throw new ECMSGWException( + CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO")); } } else { CMS.debug("EnrollServlet: No CertAuthEnroll."); certInfo = CMS.getDefaultX509CertInfo(); } - X509CertInfo[] certInfoArray = new X509CertInfo[] { certInfo }; + X509CertInfo[] certInfoArray = new X509CertInfo[] {certInfo}; X509CertInfo authCertInfo = null; String authMgr = AuditFormat.NOAUTH; // if authentication if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - // don't store agent token in request. - // agent currently used for bulk issuance. + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + // don't store agent token in request. + // agent currently used for bulk issuance. // if (!authMgr.equals(AuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { - log(ILogger.LL_INFO, - "Enrollment request was authenticated by " - + authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME)); + log(ILogger.LL_INFO, + "Enrollment request was authenticated by " + + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME)); - PKIProcessor.fillCertInfoFromAuthToken(certInfo, authToken); + PKIProcessor.fillCertInfoFromAuthToken(certInfo, + authToken); // save authtoken attrs to request directly // (for policy use) saveAuthToken(authToken, req); @@ -926,21 +962,24 @@ public class EnrollServlet extends CMSServlet { if (certAuthEnroll == true) { // log(ILogger.LL_DEBUG, - // "just gotten subjectDN and serialNumber " + - // "from ssl client cert"); + // "just gotten subjectDN and serialNumber " + + // "from ssl client cert"); if (authToken == null) { // authToken is null, can't match to anyone; bail! - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_PROCESS_ENROLL_NO_AUTH")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_PROCESS_ENROLL_NO_AUTH")); // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -986,40 +1025,40 @@ public class EnrollServlet extends CMSServlet { // ok, if the above fails, it could // be a PKCS10 with header pkcs10 = httpParams.getValueAsPKCS10(PKCS10_REQUEST, - false, null); + false, null); // e.printStackTrace(); } } - // pkcs10 = httpParams.getValuePKCS10(PKCS10_REQUEST, null); + //pkcs10 = httpParams.getValuePKCS10(PKCS10_REQUEST, null); } else { try { // coming from server cut & paste blob. - pkcs10 = httpParams.getValueAsPKCS10(PKCS10_REQUEST, false, - null); + pkcs10 = httpParams.getValueAsPKCS10(PKCS10_REQUEST, + false, null); } catch (Exception ex) { ex.printStackTrace(); } } - + String cmc = null; - String asciiBASE64Blob = httpParams.getValueAsString(CMC_REQUEST, - null); - - if (asciiBASE64Blob != null) { - int startIndex = asciiBASE64Blob.indexOf(HEADER); - int endIndex = asciiBASE64Blob.indexOf(TRAILER); - if (startIndex != -1 && endIndex != -1) { - startIndex = startIndex + HEADER.length(); - cmc = asciiBASE64Blob.substring(startIndex, endIndex); - } else - cmc = asciiBASE64Blob; - CMS.debug("EnrollServlet: cmc " + cmc); + String asciiBASE64Blob = httpParams.getValueAsString(CMC_REQUEST, null); + + if(asciiBASE64Blob!=null) + { + int startIndex = asciiBASE64Blob.indexOf(HEADER); + int endIndex = asciiBASE64Blob.indexOf(TRAILER); + if (startIndex!= -1 && endIndex!=-1) { + startIndex = startIndex + HEADER.length(); + cmc=asciiBASE64Blob.substring(startIndex, endIndex); + }else + cmc = asciiBASE64Blob; + CMS.debug("EnrollServlet: cmc " + cmc); } - + String crmf = httpParams.getValueAsString(CRMF_REQUEST, null); - + CMS.debug("EnrollServlet: crmf " + crmf); if (certAuthEnroll == true) { @@ -1029,24 +1068,27 @@ public class EnrollServlet extends CMSServlet { // for dual certs if (certauthEnrollType.equals(CERT_AUTH_DUAL)) { - CMS.debug("EnrollServlet: Attempting CERT_AUTH_DUAL"); + CMS.debug("EnrollServlet: Attempting CERT_AUTH_DUAL"); boolean gotEncCert = false; X509CertInfo[] cInfoArray = null; try { cInfoArray = handleCertAuthDual(certInfo, authToken, - sslClientCert, mCa, certBasedOldSubjectDN, - certBasedOldSerialNum); + sslClientCert, mCa, + certBasedOldSubjectDN, + certBasedOldSerialNum); } catch (ECMSGWException e) { // store a message in the signed audit log file // (either an "admin" cert request for an admin - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditServiceID, - auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -1054,8 +1096,7 @@ public class EnrollServlet extends CMSServlet { } if (cInfoArray != null && cInfoArray.length != 0) { - CMS.debug("EnrollServlet: cInfoArray Length " - + cInfoArray.length); + CMS.debug("EnrollServlet: cInfoArray Length " + cInfoArray.length); certInfoArray = cInfoArray; gotEncCert = true; @@ -1064,22 +1105,25 @@ public class EnrollServlet extends CMSServlet { if (gotEncCert == false) { // encryption cert not found, bail log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND")); + CMS.getLogMessage( + "CMSGW_ENCRYPTION_CERT_NOT_FOUND")); // store a message in the signed audit log file // (either an "admin" cert request for an admin - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditServiceID, - auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND")); + CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND")); } } else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) { @@ -1093,13 +1137,15 @@ public class EnrollServlet extends CMSServlet { } catch (ECMSGWException e) { // store a message in the signed audit log file // (either an "admin" cert request for an admin - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditServiceID, - auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -1110,47 +1156,49 @@ public class EnrollServlet extends CMSServlet { * either crmf or keyGenInfo */ if (keyGenInfo != null) { - KeyGenProcessor keyGenProc = new KeyGenProcessor( - cmsReq, this); + KeyGenProcessor keyGenProc = new KeyGenProcessor(cmsReq, + this); - keyGenProc.fillCertInfo(null, certInfo, authToken, - httpParams); + keyGenProc.fillCertInfo(null, certInfo, + authToken, httpParams); - req.setExtData(CLIENT_ISSUER, sslClientCert - .getIssuerDN().toString()); - CMS.debug("EnrollServlet: sslClientCert issuerDN = " - + sslClientCert.getIssuerDN().toString()); + req.setExtData(CLIENT_ISSUER, + sslClientCert.getIssuerDN().toString()); + CMS.debug("EnrollServlet: sslClientCert issuerDN = " + + sslClientCert.getIssuerDN().toString()); } else if (crmf != null && crmf != "") { - CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, - this, enforcePop); + CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop); certInfoArray = crmfProc.fillCertInfoArray(crmf, - authToken, httpParams, req); - - req.setExtData(CLIENT_ISSUER, sslClientCert - .getIssuerDN().toString()); - CMS.debug("EnrollServlet: sslClientCert issuerDN = " - + sslClientCert.getIssuerDN().toString()); + authToken, + httpParams, + req); + + req.setExtData(CLIENT_ISSUER, + sslClientCert.getIssuerDN().toString()); + CMS.debug("EnrollServlet: sslClientCert issuerDN = " + + sslClientCert.getIssuerDN().toString()); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") - + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") + + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); // store a message in the signed audit log file // (either an "admin" cert request for an admin - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditServiceID, - auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), - "CMS_GW_MISSING_KEYGEN_INFO")); + throw new ECMSGWException( + CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); } } else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) { @@ -1158,52 +1206,55 @@ public class EnrollServlet extends CMSServlet { // have to be buried here to handle the issuer if (keyGenInfo != null) { - KeyGenProcessor keyGenProc = new KeyGenProcessor( - cmsReq, this); + KeyGenProcessor keyGenProc = new KeyGenProcessor(cmsReq, + this); - keyGenProc.fillCertInfo(null, certInfo, authToken, - httpParams); + keyGenProc.fillCertInfo(null, certInfo, + authToken, httpParams); } else if (pkcs10 != null) { - PKCS10Processor pkcs10Proc = new PKCS10Processor( - cmsReq, this); + PKCS10Processor pkcs10Proc = new PKCS10Processor(cmsReq, + this); - pkcs10Proc.fillCertInfo(pkcs10, certInfo, authToken, - httpParams); + pkcs10Proc.fillCertInfo(pkcs10, certInfo, + authToken, httpParams); } else if (cmc != null && cmc != "") { - CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, - enforcePop); + CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, enforcePop); certInfoArray = cmcProc.fillCertInfoArray(cmc, - authToken, httpParams, req); + authToken, + httpParams, + req); } else if (crmf != null && crmf != "") { - CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, - this, enforcePop); + CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop); certInfoArray = crmfProc.fillCertInfoArray(crmf, - authToken, httpParams, req); + authToken, + httpParams, + req); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") - + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") + + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); // store a message in the signed audit log file // (either an "admin" cert request for an admin - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) + // certificate, an "agent" cert request for + // "bulk enrollment", or an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, - auditRequesterID, auditServiceID, - auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), - "CMS_GW_MISSING_KEYGEN_INFO")); + throw new ECMSGWException( + CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); } - req.setExtData(CLIENT_ISSUER, sslClientCert.getIssuerDN() - .toString()); + req.setExtData(CLIENT_ISSUER, + sslClientCert.getIssuerDN().toString()); } } else if (keyGenInfo != null) { @@ -1216,63 +1267,63 @@ public class EnrollServlet extends CMSServlet { CMS.debug("EnrollServlet: Trying PKCS10 with no cert auth."); PKCS10Processor pkcs10Proc = new PKCS10Processor(cmsReq, this); - pkcs10Proc - .fillCertInfo(pkcs10, certInfo, authToken, httpParams); + pkcs10Proc.fillCertInfo(pkcs10, certInfo, authToken, httpParams); } else if (cmc != null) { CMS.debug("EnrollServlet: Trying CMC with no cert auth."); - CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, - enforcePop); + CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, enforcePop); certInfoArray = cmcProc.fillCertInfoArray(cmc, authToken, - httpParams, req); + httpParams, req); } else if (crmf != null && crmf != "") { CMS.debug("EnrollServlet: Trying CRMF with no cert auth."); - CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, - enforcePop); + CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop); certInfoArray = crmfProc.fillCertInfoArray(crmf, authToken, - httpParams, req); + httpParams, req); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") - + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") + + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); + throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); } - // if ca, fill in default signing alg here + // if ca, fill in default signing alg here + try { - ICertificateAuthority caSub = (ICertificateAuthority) CMS - .getSubsystem("ca"); - if (certInfoArray != null && caSub != null) { - for (int ix = 0; ix < certInfoArray.length; ix++) { - X509CertInfo ci = (X509CertInfo) certInfoArray[ix]; - String defaultSig = caSub.getDefaultAlgorithm(); - AlgorithmId algid = AlgorithmId.get(defaultSig); - ci.set(X509CertInfo.ALGORITHM_ID, - new CertificateAlgorithmId(algid)); - } + ICertificateAuthority caSub = + (ICertificateAuthority) CMS.getSubsystem("ca"); + if (certInfoArray != null && caSub != null) { + for (int ix = 0; ix < certInfoArray.length; ix++) { + X509CertInfo ci = (X509CertInfo)certInfoArray[ix]; + String defaultSig = caSub.getDefaultAlgorithm(); + AlgorithmId algid = AlgorithmId.get(defaultSig); + ci.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId(algid)); } + } } catch (Exception e) { - CMS.debug("Failed to set signing alg to certinfo " - + e.toString()); + CMS.debug("Failed to set signing alg to certinfo " + e.toString()); } req.setExtData(IRequest.CERT_INFO, certInfoArray); + if (challengePassword != null && !challengePassword.equals("")) { String pwd = hashPassword(challengePassword); @@ -1281,24 +1332,30 @@ public class EnrollServlet extends CMSServlet { // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file // (either an "admin" cert request for an admin certificate, - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) + // an "agent" cert request for "bulk enrollment", or + // an "EE" standard cert request) auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - auditServiceID, auditCertificateSubjectName); + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditServiceID, + auditCertificateSubjectName); audit(auditMessage); @@ -1310,9 +1367,9 @@ public class EnrollServlet extends CMSServlet { // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { - // send request to request queue. + // send request to request queue. mRequestQueue.processRequest(req); - // process result. + // process result. // render OLD_CERT_TYPE's response differently, we // do not want any javascript in HTML, and need to @@ -1322,18 +1379,20 @@ public class EnrollServlet extends CMSServlet { renderServerEnrollResult(cmsReq); cmsReq.setStatus(CMSRequest.SUCCESS); // no default render - issuedCerts = cmsReq.getIRequest().getExtDataInCertArray( - IRequest.ISSUED_CERTS); + issuedCerts = + cmsReq.getIRequest().getExtDataInCertArray( + IRequest.ISSUED_CERTS); for (int i = 0; i < issuedCerts.length; i++) { // (automated "agent" cert request processed - // - "accepted") + // - "accepted") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue(issuedCerts[i])); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue(issuedCerts[i])); audit(auditMessage); } @@ -1342,10 +1401,12 @@ public class EnrollServlet extends CMSServlet { // (automated "agent" cert request processed - "rejected") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); audit(auditMessage); } @@ -1353,16 +1414,19 @@ public class EnrollServlet extends CMSServlet { return; } - boolean completed = handleEnrollAuditLog(req, cmsReq, mAuthMgr, - authToken, certInfo, startTime); + boolean completed = handleEnrollAuditLog(req, cmsReq, + mAuthMgr, authToken, + certInfo, startTime); if (completed == false) { // (automated "agent" cert request processed - "rejected") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]); audit(auditMessage); @@ -1387,34 +1451,38 @@ public class EnrollServlet extends CMSServlet { // audit log the success. long endTime = CMS.getCurrentDate().getTime(); - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { - req.getRequestId(), - initiative, - mAuthMgr, - "completed", - issuedCerts[0].getSubjectDN(), - "cert issued serial number: 0x" - + issuedCerts[0].getSerialNumber() - .toString(16) + " time: " - + (endTime - startTime) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] + { req.getRequestId(), + initiative, + mAuthMgr, + "completed", + issuedCerts[0].getSubjectDN(), + "cert issued serial number: 0x" + + issuedCerts[0].getSerialNumber().toString(16) + + " time: " + + (endTime - startTime) } + ); // handle initial admin enrollment if in adminEnroll mode. checkAdminEnroll(cmsReq, issuedCerts); // return cert as mime type binary if requested. - if (checkImportCertToNav(cmsReq.getHttpResp(), httpParams, - issuedCerts[0])) { + if (checkImportCertToNav(cmsReq.getHttpResp(), + httpParams, issuedCerts[0])) { cmsReq.setStatus(CMSRequest.SUCCESS); for (int i = 0; i < issuedCerts.length; i++) { // (automated "agent" cert request processed - "accepted") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue(issuedCerts[i])); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue(issuedCerts[i])); audit(auditMessage); } @@ -1424,46 +1492,53 @@ public class EnrollServlet extends CMSServlet { // use success template. try { - cmsReq.setResult(issuedCerts); - renderTemplate(cmsReq, mEnrollSuccessTemplate, - mEnrollSuccessFiller); - cmsReq.setStatus(CMSRequest.SUCCESS); + cmsReq.setResult(issuedCerts); + renderTemplate(cmsReq, mEnrollSuccessTemplate, + mEnrollSuccessFiller); + cmsReq.setStatus(CMSRequest.SUCCESS); for (int i = 0; i < issuedCerts.length; i++) { // (automated "agent" cert request processed - "accepted") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue(issuedCerts[i])); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue(issuedCerts[i])); audit(auditMessage); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_TEMP_REND_ERR", mEnrollSuccessFiller.toString(), + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_TEMP_REND_ERR", + mEnrollSuccessFiller.toString(), e.toString())); // (automated "agent" cert request processed - "rejected") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]); audit(auditMessage); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); + CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); } } catch (EBaseException eAudit1) { // store a message in the signed audit log file // (automated "agent" cert request processed - "rejected") auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]); + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]); audit(auditMessage); @@ -1474,21 +1549,20 @@ public class EnrollServlet extends CMSServlet { } /** - * check if this is first enroll from admin enroll. If so disable admin - * enroll from here on. + * check if this is first enroll from admin enroll. + * If so disable admin enroll from here on. */ - protected void checkAdminEnroll(CMSRequest cmsReq, - X509CertImpl[] issuedCerts) throws EBaseException { + protected void checkAdminEnroll(CMSRequest cmsReq, X509CertImpl[] issuedCerts) + throws EBaseException { // this is special case, get the admin certificate - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID)) { + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID)) { addAdminAgent(cmsReq, issuedCerts); CMSGateway.disableAdminEnroll(); } } - protected void addAdminAgent(CMSRequest cmsReq, X509CertImpl[] issuedCerts) - throws EBaseException { + protected void addAdminAgent(CMSRequest cmsReq, X509CertImpl[] issuedCerts) + throws EBaseException { String userid = cmsReq.getHttpParams().getValueAsString("uid"); IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); @@ -1498,12 +1572,14 @@ public class EnrollServlet extends CMSServlet { try { ug.addUserCert(adminuser); } catch (netscape.ldap.LDAPException e) { - CMS.debug("EnrollServlet: Cannot add admin's certificate to its entry in the " - + "user group database. Error " + e); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_ADDING_ADMIN_CERT_ERROR", e.toString())); + CMS.debug( + "EnrollServlet: Cannot add admin's certificate to its entry in the " + + "user group database. Error " + e); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_ADDING_ADMIN_CERT_ERROR", e.toString())); } - IGroup agentGroup = ug.getGroupFromName(CA_AGENT_GROUP); + IGroup agentGroup = + ug.getGroupFromName(CA_AGENT_GROUP); if (agentGroup != null) { // add user to the group if necessary @@ -1511,22 +1587,23 @@ public class EnrollServlet extends CMSServlet { agentGroup.addMemberName(userid); ug.modifyGroup(agentGroup); mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, - AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT, - new Object[] { userid, userid, CA_AGENT_GROUP }); + AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT, + new Object[] {userid, userid, CA_AGENT_GROUP} + ); } } else { - String msg = "Cannot add admin to the " + CA_AGENT_GROUP - + " group: Group does not exist."; + String msg = "Cannot add admin to the " + + CA_AGENT_GROUP + + " group: Group does not exist."; CMS.debug("EnrollServlet: " + msg); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_ADDING_ADMIN_ERROR")); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_ADMIN_ERROR")); } } - protected void renderServerEnrollResult(CMSRequest cmsReq) - throws IOException { + protected void renderServerEnrollResult(CMSRequest cmsReq) throws + IOException { HttpServletResponse httpResp = cmsReq.getHttpResp(); httpResp.setContentType("text/html"); @@ -1541,16 +1618,11 @@ public class EnrollServlet extends CMSServlet { out.println("</TITLE>"); // out.println("<BODY BGCOLOR=white>"); - if (cmsReq.getIRequest().getRequestStatus() - .equals(RequestStatus.COMPLETE)) { + if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.COMPLETE)) { out.println("<H1>"); out.println("SUCCESS"); out.println("</H1>"); - out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - // - - // localize - // the - // message + out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - localize the message out.println("<P>"); out.println("Request Creation Time: "); out.println(cmsReq.getIRequest().getCreationTime().toString()); @@ -1564,30 +1636,25 @@ public class EnrollServlet extends CMSServlet { out.println("Certificate: "); out.println("<P>"); out.println("<PRE>"); - X509CertImpl certs[] = cmsReq.getIRequest().getExtDataInCertArray( - IRequest.ISSUED_CERTS); + X509CertImpl certs[] = + cmsReq.getIRequest().getExtDataInCertArray(IRequest.ISSUED_CERTS); out.println(CMS.getEncodedCert(certs[0])); out.println("</PRE>"); out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" - + cmsReq.getIRequest().getCreationTime().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_ID=" - + cmsReq.getIRequest().getRequestId().toString() + ">"); - out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" - + CMS.getEncodedCert(certs[0]) + ">"); - } else if (cmsReq.getIRequest().getRequestStatus() - .equals(RequestStatus.PENDING)) { + out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" + + cmsReq.getIRequest().getCreationTime().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_ID=" + + cmsReq.getIRequest().getRequestId().toString() + ">"); + out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" + + CMS.getEncodedCert(certs[0]) + ">"); + } else if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.PENDING)) { out.println("<H1>"); out.println("PENDING"); out.println("</H1>"); - out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - // - - // localize - // the - // message + out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - localize the message out.println("<P>"); out.println("Request Creation Time: "); out.println(cmsReq.getIRequest().getCreationTime().toString()); @@ -1598,22 +1665,18 @@ public class EnrollServlet extends CMSServlet { out.println("Request ID: "); out.println(cmsReq.getIRequest().getRequestId().toString()); out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" - + cmsReq.getIRequest().getCreationTime().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_ID=" - + cmsReq.getIRequest().getRequestId().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" + + cmsReq.getIRequest().getCreationTime().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_ID=" + + cmsReq.getIRequest().getRequestId().toString() + ">"); } else { out.println("<H1>"); out.println("ERROR"); out.println("</H1>"); out.println("<!INFO>"); - out.println("Please consult your local administrator for assistance."); // XXX - // - - // localize - // the - // message + out.println("Please consult your local administrator for assistance."); // XXX - localize the message out.println("<!/INFO>"); out.println("<P>"); out.println("Request Status: "); @@ -1622,55 +1685,62 @@ public class EnrollServlet extends CMSServlet { out.println("Error: "); out.println(cmsReq.getError()); // XXX - need to parse in Locale out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT ERROR=" + cmsReq.getError() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT ERROR=" + + cmsReq.getError() + ">"); } /** - * // include all the input data ArgBlock args = cmsReq.getHttpParams(); - * Enumeration ele = args.getElements(); while (ele.hasMoreElements()) { - * String eleT = (String)ele.nextElement(); out.println("<!HTTP_INPUT " - * + eleT + "=" + args.get(eleT) + ">"); } + // include all the input data + ArgBlock args = cmsReq.getHttpParams(); + Enumeration ele = args.getElements(); + while (ele.hasMoreElements()) { + String eleT = (String)ele.nextElement(); + out.println("<!HTTP_INPUT " + eleT + "=" + + args.get(eleT) + ">"); + } **/ out.println("</HTML>"); } - // XXX ALERT !! - // Remove the following and calls to them when we bundle a cartman - // later than alpha1. - // These are here to cover up problem in cartman where the - // key usage extension always ends up being digital signature only + // XXX ALERT !! + // Remove the following and calls to them when we bundle a cartman + // later than alpha1. + // These are here to cover up problem in cartman where the + // key usage extension always ends up being digital signature only // and for rsa-ex ends up having no bits set. private boolean mIsTestBed = false; - private void init_testbed_hack(IConfigStore config) throws EBaseException { + private void init_testbed_hack(IConfigStore config) + throws EBaseException { mIsTestBed = config.getBoolean("isTestBed", true); } - private void do_testbed_hack(int nummsgs, X509CertInfo[] certinfo, - IArgBlock httpParams) throws EBaseException { - if (!mIsTestBed) + private void do_testbed_hack( + int nummsgs, X509CertInfo[] certinfo, IArgBlock httpParams) + throws EBaseException { + if (!mIsTestBed) return; - // get around bug in cartman - bits are off by one byte. + // get around bug in cartman - bits are off by one byte. for (int i = 0; i < certinfo.length; i++) { try { X509CertInfo cert = certinfo[i]; - CertificateExtensions exts = (CertificateExtensions) cert - .get(CertificateExtensions.NAME); + CertificateExtensions exts = (CertificateExtensions) + cert.get(CertificateExtensions.NAME); if (exts == null) { // should not happen. continue; } - KeyUsageExtension ext = (KeyUsageExtension) exts - .get(KeyUsageExtension.NAME); + KeyUsageExtension ext = (KeyUsageExtension) + exts.get(KeyUsageExtension.NAME); - if (ext == null) - // should not happen + if (ext == null) + // should not happen continue; byte[] value = ext.getExtensionValue(); @@ -1681,30 +1751,33 @@ public class EnrollServlet extends CMSServlet { newvalue[1] = 0x03; newvalue[2] = 0x07; newvalue[3] = value[3]; - // force encryption certs to have digitial signature + // force encryption certs to have digitial signature // set too so smime can find the cert for encryption. if (value[3] == 0x20) { /* - * newvalue[3] = 0x3f; newvalue[4] = (byte)0x80; + newvalue[3] = 0x3f; + newvalue[4] = (byte)0x80; */ - if (httpParams.getValueAsBoolean("dual-use-hack", true)) { + if (httpParams.getValueAsBoolean( + "dual-use-hack", true)) { newvalue[3] = (byte) 0xE0; // same as rsa-dual-use. } } newvalue[4] = 0; - KeyUsageExtension newext = new KeyUsageExtension( - Boolean.valueOf(true), (Object) newvalue); + KeyUsageExtension newext = + new KeyUsageExtension(Boolean.valueOf(true), + (Object) newvalue); exts.delete(KeyUsageExtension.NAME); exts.set(KeyUsageExtension.NAME, newext); } } catch (IOException e) { - // should never happen + // should never happen continue; } catch (CertificateException e) { - // should never happen + // should never happen continue; } } @@ -1713,11 +1786,11 @@ public class EnrollServlet extends CMSServlet { /** * Signed Audit Log Info Certificate Value - * + * * This method is called to obtain the certificate from the passed in * "X509CertImpl" for a signed audit log message. * <P> - * + * * @param x509cert an X509CertImpl * @return cert string containing the certificate */ @@ -1770,3 +1843,4 @@ public class EnrollServlet extends CMSServlet { } } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetBySerial.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetBySerial.java index e80b5a7ef..a723cb52d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetBySerial.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetBySerial.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; @@ -57,6 +58,7 @@ import com.netscape.cms.servlet.common.ECMSGWException; import com.netscape.cms.servlet.common.ICMSTemplateFiller; import com.netscape.cmsutil.crypto.CryptoUtil; + /** * Retrieve certificate by serial number. * @@ -81,17 +83,17 @@ public class GetBySerial extends CMSServlet { super(); } - /** + /** * Initialize the servlet. This servlet uses the template file - * "ImportCert.template" to import the cert to the users browser, if that is - * what the user requested - * + * "ImportCert.template" to import the cert to the users browser, + * if that is what the user requested * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); try { - mImportTemplate = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); + mImportTemplate = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); mIETemplate = sc.getInitParameter("importCertTemplate"); if (mImportTemplate == null) mImportTemplate = IMPORT_CERT_TEMPLATE; @@ -100,12 +102,11 @@ public class GetBySerial extends CMSServlet { } mImportTemplateFiller = new ImportCertsTemplateFiller(); - // override success and error templates to null - + // override success and error templates to null - // handle templates locally. mTemplates.remove(CMSRequest.SUCCESS); - ICertificateAuthority mCa = (ICertificateAuthority) CMS - .getSubsystem("ca"); + ICertificateAuthority mCa = (ICertificateAuthority) CMS.getSubsystem("ca"); if (mCa == null) { return; } @@ -114,11 +115,11 @@ public class GetBySerial extends CMSServlet { } /** - * Process the HTTP request. + * Process the HTTP request. * <ul> - * <li>http.param serialNumber serial number of certificate in HEX + * <li>http.param serialNumber serial number of certificate in HEX * </ul> - * + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -134,14 +135,14 @@ public class GetBySerial extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "import"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "import"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -159,22 +160,20 @@ public class GetBySerial extends CMSServlet { serialNo = null; } if (serial == null || serialNo == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUMBER")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_INVALID_SERIAL_NUMBER"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_SERIAL_NUMBER")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_INVALID_SERIAL_NUMBER"))); cmsReq.setStatus(CMSRequest.ERROR); return; } ICertRecord certRecord = (ICertRecord) getCertRecord(serialNo); if (certRecord == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CERT_SERIAL_NOT_FOUND_1", - serialNo.toString(16))); - cmsReq.setError(new ECMSGWException(CMS.getUserMessage( - "CMS_GW_CERT_SERIAL_NOT_FOUND", - "0x" + serialNo.toString(16)))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CERT_SERIAL_NOT_FOUND_1", serialNo.toString(16))); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CERT_SERIAL_NOT_FOUND", "0x" + serialNo.toString(16)))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -182,41 +181,37 @@ public class GetBySerial extends CMSServlet { // if RA, needs requestOwner to match // first, find the user's group if (authToken != null) { - String group = authToken.getInString("group"); - - if ((group != null) && (group != "")) { - CMS.debug("GetBySerial process: auth group=" + group); - if (group.equals("Registration Manager Agents")) { - boolean groupMatched = false; - // find the cert record's orig. requestor's group - MetaInfo metai = certRecord.getMetaInfo(); - if (metai != null) { - String reqId = (String) metai - .get(ICertRecord.META_REQUEST_ID); - RequestId rid = new RequestId(reqId); - IRequest creq = mReqQ.findRequest(rid); - if (creq != null) { - String reqOwner = creq.getRequestOwner(); - if (reqOwner != null) { - CMS.debug("GetBySerial process: req owner=" - + reqOwner); - if (reqOwner.equals(group)) - groupMatched = true; - } - } - } - if (groupMatched == false) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CERT_SERIAL_NOT_FOUND_1", - serialNo.toString(16))); - cmsReq.setError(new ECMSGWException(CMS.getUserMessage( - "CMS_GW_CERT_SERIAL_NOT_FOUND", - "0x" + serialNo.toString(16)))); - cmsReq.setStatus(CMSRequest.ERROR); - return; - } + String group = authToken.getInString("group"); + + if ((group != null) && (group != "")) { + CMS.debug("GetBySerial process: auth group="+group); + if (group.equals("Registration Manager Agents")) { + boolean groupMatched = false; + // find the cert record's orig. requestor's group + MetaInfo metai = certRecord.getMetaInfo(); + if (metai != null) { + String reqId = (String) metai.get(ICertRecord.META_REQUEST_ID); + RequestId rid = new RequestId(reqId); + IRequest creq = mReqQ.findRequest(rid); + if (creq != null) { + String reqOwner = creq.getRequestOwner(); + if (reqOwner != null) { + CMS.debug("GetBySerial process: req owner="+reqOwner); + if (reqOwner.equals(group)) + groupMatched = true; + } } + } + if (groupMatched == false) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CERT_SERIAL_NOT_FOUND_1", serialNo.toString(16))); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CERT_SERIAL_NOT_FOUND", "0x" + serialNo.toString(16)))); + cmsReq.setStatus(CMSRequest.ERROR); + return; + } } + } } X509CertImpl cert = certRecord.getCertificate(); @@ -229,8 +224,7 @@ public class GetBySerial extends CMSServlet { IArgBlock ctx = CMS.createArgBlock(); Locale[] locale = new Locale[1]; CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); - ICertificateAuthority ca = (ICertificateAuthority) CMS - .getSubsystem("ca"); + ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca"); CertificateChain cachain = ca.getCACertChain(); X509Certificate[] cacerts = cachain.getChain(); X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; @@ -241,8 +235,8 @@ public class GetBySerial extends CMSServlet { } userChain[0] = cert; - PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo( - new byte[0]), userChain, new SignerInfo[0]); + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), userChain, new SignerInfo[0]); ByteArrayOutputStream bos = new ByteArrayOutputStream(); try { @@ -252,9 +246,8 @@ public class GetBySerial extends CMSServlet { byte[] p7Bytes = bos.toByteArray(); String p7Str = CMS.BtoA(p7Bytes); - - header.addStringValue("pkcs7", - CryptoUtil.normalizeCertStr(p7Str)); + + header.addStringValue("pkcs7", CryptoUtil.normalizeCertStr(p7Str)); try { CMSTemplate form = getTemplate(mIETemplate, req, locale); ServletOutputStream out = response.getOutputStream(); @@ -263,22 +256,21 @@ public class GetBySerial extends CMSServlet { form.renderOutput(out, argSet); return; } catch (Exception ee) { - CMS.debug("GetBySerial process: Exception=" + ee.toString()); + CMS.debug("GetBySerial process: Exception="+ee.toString()); } - } // browser is IE - + } //browser is IE + MetaInfo metai = certRecord.getMetaInfo(); String crmfReqId = null; if (metai != null) { crmfReqId = (String) metai.get(ICertRecord.META_CRMF_REQID); - if (crmfReqId != null) + if (crmfReqId != null) cmsReq.setResult(IRequest.CRMF_REQID, crmfReqId); } - if (crmfReqId == null - && checkImportCertToNav(cmsReq.getHttpResp(), - cmsReq.getHttpParams(), cert)) { + if (crmfReqId == null && checkImportCertToNav( + cmsReq.getHttpResp(), cmsReq.getHttpParams(), cert)) { cmsReq.setStatus(CMSRequest.SUCCESS); return; } @@ -291,20 +283,19 @@ public class GetBySerial extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); // XXX follow request in cert record to set certtype, which will - // import cert only if it's client. For now assume "client" if + // import cert only if it's client. For now assume "client" if // someone clicked to import this cert. cmsReq.getHttpParams().set("certType", "client"); try { renderTemplate(cmsReq, mImportTemplate, mImportTemplateFiller); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } - + return; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCAChain.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCAChain.java index fc393b490..facf501cd 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCAChain.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCAChain.java @@ -15,9 +15,10 @@ // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- -package com.netscape.cms.servlet.cert; + package com.netscape.cms.servlet.cert; -import java.io.ByteArrayOutputStream; + + import java.io.ByteArrayOutputStream; import java.io.IOException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; @@ -48,242 +49,236 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; -/** - * Retrieve the Certificates comprising the CA Chain for this CA. - * - * @version $Revision$, $Date$ - */ -public class GetCAChain extends CMSServlet { - /** - * - */ - private static final long serialVersionUID = -8189048155415074581L; - private final static String TPL_FILE = "displayCaCert.template"; - private String mFormPath = null; - - public GetCAChain() { - super(); - } - - /** - * initialize the servlet. - * - * @param sc servlet configuration, read from the web.xml file - */ - public void init(ServletConfig sc) throws ServletException { - super.init(sc); - - // override success to display own output. - mTemplates.remove(CMSRequest.SUCCESS); - // coming from ee - mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; - } - - /** - * Process the HTTP request. - * <ul> - * <li>http.param op 'downloadBIN' - return the binary certificate chain - * <li>http.param op 'displayIND' - display pretty-print of certificate - * chain components - * </ul> - * - * @param cmsReq the object holding the request and response information - */ - protected void process(CMSRequest cmsReq) throws EBaseException { - HttpServletRequest httpReq = cmsReq.getHttpReq(); - HttpServletResponse httpResp = cmsReq.getHttpResp(); - - IAuthToken authToken = authenticate(cmsReq); - - // Construct an ArgBlock - IArgBlock args = cmsReq.getHttpParams(); - - // Get the operation code - String op = null; - - op = args.getValueAsString("op", null); - if (op == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_NO_OPTIONS_SELECTED")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_NO_OPTIONS_SELECTED")); - } - - cmsReq.setStatus(CMSRequest.SUCCESS); - - AuthzToken authzToken = null; - if (op.startsWith("download")) { - try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "download"); - } catch (EAuthzAccessDenied e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); - } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); - } - - if (authzToken == null) { - cmsReq.setStatus(CMSRequest.UNAUTHORIZED); - return; - } - - downloadChain(op, args, httpReq, httpResp, cmsReq); - } else if (op.startsWith("display")) { - try { - authzToken = mAuthz.authorize(mAclMethod, authToken, - mAuthzResourceName, "read"); - } catch (EAuthzAccessDenied e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); - } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", - e.toString())); - } - - if (authzToken == null) { - cmsReq.setStatus(CMSRequest.UNAUTHORIZED); - return; - } - - displayChain(op, args, httpReq, httpResp, cmsReq); - } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_OPTIONS_CA_CHAIN")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_OPTIONS_SELECTED")); - } - // cmsReq.setResult(null); - return; - } - - private void downloadChain(String op, IArgBlock args, - HttpServletRequest httpReq, HttpServletResponse httpResp, - CMSRequest cmsReq) throws EBaseException { - - /* check browser info ? */ - - /* check if pkcs7 will work for both nav and ie */ - - byte[] bytes = null; - - /* - * Some IE actions - IE doesn't want PKCS7 for "download" CA Cert. This - * means that we can only hand out the root CA, and not the whole chain. + /** + * Retrieve the Certificates comprising the CA Chain for this CA. + * + * @version $Revision$, $Date$ + */ + public class GetCAChain extends CMSServlet { + /** + * */ - - if (clientIsMSIE(httpReq) - && (op.equals("download") || op.equals("downloadBIN"))) { - X509Certificate[] caCerts = ((ICertAuthority) mAuthority) - .getCACertChain().getChain(); - - try { - bytes = caCerts[0].getEncoded(); - } catch (CertificateEncodingException e) { - cmsReq.setStatus(CMSRequest.ERROR); - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERROR_GETTING_CACERT_ENCODED", e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_GETTING_CA_CERT_ERROR")); - } - } else { - CertificateChain certChain = ((ICertAuthority) mAuthority) - .getCACertChain(); - - if (certChain == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_CHAIN_EMPTY")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CA_CHAIN_EMPTY")); - } - - try { - ByteArrayOutputStream encoded = new ByteArrayOutputStream(); - - certChain.encode(encoded, false); - bytes = encoded.toByteArray(); - } catch (IOException e) { - cmsReq.setStatus(CMSRequest.ERROR); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", - e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); - } - } - - String mimeType = null; - - if (op.equals("downloadBIN")) { - mimeType = "application/octet-stream"; - } else { - try { - mimeType = args.getValueAsString("mimeType"); - } catch (EBaseException e) { - mimeType = "application/octet-stream"; - } - } - - try { - if (op.equals("downloadBIN")) { - // file suffixes changed to comply with RFC 5280 - // requirements for AIA extensions - if (clientIsMSIE(httpReq)) { - httpResp.setHeader("Content-disposition", - "attachment; filename=ca.cer"); - } else { - httpResp.setHeader("Content-disposition", - "attachment; filename=ca.p7c"); - } - } - httpResp.setContentType(mimeType); - httpResp.getOutputStream().write(bytes); - httpResp.setContentLength(bytes.length); - httpResp.getOutputStream().flush(); - } catch (IOException e) { - cmsReq.setStatus(CMSRequest.ERROR); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", - e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); - } - } - - private void displayChain(String op, IArgBlock args, - HttpServletRequest httpReq, HttpServletResponse httpResp, - CMSRequest cmsReq) throws EBaseException { - String outputString = null; - - CertificateChain certChain = ((ICertAuthority) mAuthority) - .getCACertChain(); - - if (certChain == null) { - cmsReq.setStatus(CMSRequest.ERROR); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CA_CHAIN_NOT_AVAILABLE")); - } - - CMSTemplate form = null; - Locale[] locale = new Locale[1]; - - if (mOutputTemplatePath != null) - mFormPath = mOutputTemplatePath; + private static final long serialVersionUID = -8189048155415074581L; + private final static String TPL_FILE = "displayCaCert.template"; + private String mFormPath = null; + + public GetCAChain() { + super(); + } + + /** + * initialize the servlet. + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + + // override success to display own output. + mTemplates.remove(CMSRequest.SUCCESS); + // coming from ee + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + } + + /** + * Process the HTTP request. + * <ul> + * <li>http.param op 'downloadBIN' - return the binary certificate chain + * <li>http.param op 'displayIND' - display pretty-print of certificate chain components + * </ul> + * @param cmsReq the object holding the request and response information + */ + protected void process(CMSRequest cmsReq) + throws EBaseException { + HttpServletRequest httpReq = cmsReq.getHttpReq(); + HttpServletResponse httpResp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + // Construct an ArgBlock + IArgBlock args = cmsReq.getHttpParams(); + + // Get the operation code + String op = null; + + op = args.getValueAsString("op", null); + if (op == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_OPTIONS_SELECTED")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_NO_OPTIONS_SELECTED")); + } + + cmsReq.setStatus(CMSRequest.SUCCESS); + + AuthzToken authzToken = null; + + if (op.startsWith("download")) { + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "download"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + downloadChain(op, args, httpReq, httpResp, cmsReq); + } else if (op.startsWith("display")) { + try { + authzToken = mAuthz.authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + displayChain(op, args, httpReq, httpResp, cmsReq); + } else { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_OPTIONS_CA_CHAIN")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_INVALID_OPTIONS_SELECTED")); + } + // cmsReq.setResult(null); + return; + } + + private void downloadChain(String op, + IArgBlock args, + HttpServletRequest httpReq, + HttpServletResponse httpResp, + CMSRequest cmsReq) + throws EBaseException { + + /* check browser info ? */ + + /* check if pkcs7 will work for both nav and ie */ + + byte[] bytes = null; + + /* + * Some IE actions - IE doesn't want PKCS7 for "download" CA Cert. + * This means that we can only hand out the root CA, and not + * the whole chain. + */ + + if (clientIsMSIE(httpReq) && (op.equals("download") || op.equals("downloadBIN"))) { + X509Certificate[] caCerts = + ((ICertAuthority) mAuthority).getCACertChain().getChain(); + + try { + bytes = caCerts[0].getEncoded(); + } catch (CertificateEncodingException e) { + cmsReq.setStatus(CMSRequest.ERROR); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_GETTING_CACERT_ENCODED", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_GETTING_CA_CERT_ERROR")); + } + } else { + CertificateChain certChain = + ((ICertAuthority) mAuthority).getCACertChain(); + + if (certChain == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_CHAIN_EMPTY")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_CA_CHAIN_EMPTY")); + } + + try { + ByteArrayOutputStream encoded = new ByteArrayOutputStream(); + + certChain.encode(encoded, false); + bytes = encoded.toByteArray(); + } catch (IOException e) { + cmsReq.setStatus(CMSRequest.ERROR); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); + } + } + + String mimeType = null; + + if (op.equals("downloadBIN")) { + mimeType = "application/octet-stream"; + } else { + try { + mimeType = args.getValueAsString("mimeType"); + } catch (EBaseException e) { + mimeType = "application/octet-stream"; + } + } + + try { + if (op.equals("downloadBIN")) { + // file suffixes changed to comply with RFC 5280 + // requirements for AIA extensions + if (clientIsMSIE(httpReq)) { + httpResp.setHeader("Content-disposition", + "attachment; filename=ca.cer"); + } else { + httpResp.setHeader("Content-disposition", + "attachment; filename=ca.p7c"); + } + } + httpResp.setContentType(mimeType); + httpResp.getOutputStream().write(bytes); + httpResp.setContentLength(bytes.length); + httpResp.getOutputStream().flush(); + } catch (IOException e) { + cmsReq.setStatus(CMSRequest.ERROR); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); + } + } + + private void displayChain(String op, + IArgBlock args, + HttpServletRequest httpReq, + HttpServletResponse httpResp, + CMSRequest cmsReq) + throws EBaseException { + String outputString = null; + + CertificateChain certChain = + ((ICertAuthority) mAuthority).getCACertChain(); + + if (certChain == null) { + cmsReq.setStatus(CMSRequest.ERROR); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_CA_CHAIN_NOT_AVAILABLE")); + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -311,25 +306,23 @@ public class GetCAChain extends CMSServlet { byte[] bytes = null; try { - subjectdn = certChain.getFirstCertificate().getSubjectDN() - .toString(); + subjectdn = + certChain.getFirstCertificate().getSubjectDN().toString(); ByteArrayOutputStream encoded = new ByteArrayOutputStream(); certChain.encode(encoded); bytes = encoded.toByteArray(); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", - e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); + CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); } String chainBase64 = getBase64(bytes); header.addStringValue("subjectdn", subjectdn); header.addStringValue("chainBase64", chainBase64); - } else { + } else { try { X509Certificate[] certs = certChain.getChain(); @@ -346,13 +339,13 @@ public class GetCAChain extends CMSServlet { String subjectdn = certs[i].getSubjectDN().toString(); String finger = null; try { - finger = CMS.getFingerPrints(certs[i]); + finger = CMS.getFingerPrints(certs[i]); } catch (Exception e) { throw new IOException("Internal Error"); } - ICertPrettyPrint certDetails = CMS - .getCertPrettyPrint((X509CertImpl) certs[i]); + ICertPrettyPrint certDetails = + CMS.getCertPrettyPrint((X509CertImpl) certs[i]); IArgBlock rarg = CMS.createArgBlock(); @@ -360,15 +353,14 @@ public class GetCAChain extends CMSServlet { rarg.addStringValue("subjectdn", subjectdn); rarg.addStringValue("base64", getBase64(bytes)); rarg.addStringValue("certDetails", - certDetails.toString(locale[0])); + certDetails.toString(locale[0])); argSet.addRepeatRecord(rarg); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); } } @@ -379,11 +371,10 @@ public class GetCAChain extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } @@ -419,7 +410,7 @@ public class GetCAChain extends CMSServlet { locale = Locale.getDefault(); } else { locale = new Locale(UserInfo.getUserLanguage(lang), - UserInfo.getUserCountry(lang)); + UserInfo.getUserCountry(lang)); } return locale; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCRL.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCRL.java index 3b87ed5a5..2bbec4828 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCRL.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCRL.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CRLException; @@ -47,9 +48,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Retrieve CRL for a Certificate Authority - * + * * @version $Revision$, $Date$ */ public class GetCRL extends CMSServlet { @@ -66,7 +68,6 @@ public class GetCRL extends CMSServlet { /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -78,13 +79,15 @@ public class GetCRL extends CMSServlet { mFormPath = mOutputTemplatePath; } + /** - * Process the HTTP request. - * + * Process the HTTP request. + * * @param cmsReq the object holding the request and response information - * @see DisplayCRL#process + * @see DisplayCRL#process */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -93,14 +96,14 @@ public class GetCRL extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -112,10 +115,9 @@ public class GetCRL extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof ICertificateAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -123,15 +125,14 @@ public class GetCRL extends CMSServlet { CMSTemplate form = null; Locale[] locale = new Locale[1]; - CMS.debug("**** mFormPath before getTemplate = " + mFormPath); +CMS.debug("**** mFormPath before getTemplate = "+mFormPath); try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -147,18 +148,16 @@ public class GetCRL extends CMSServlet { op = args.getValueAsString("op", null); crlId = args.getValueAsString("crlIssuingPoint", null); if (op == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_NO_OPTIONS_SELECTED")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NO_OPTIONS_SELECTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_OPTIONS_SELECTED")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NO_OPTIONS_SELECTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } if (crlId == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_NO_CRL_ISSUING_POINT")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NO_CRL_SELECTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_CRL_ISSUING_POINT")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NO_CRL_SELECTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -166,25 +165,23 @@ public class GetCRL extends CMSServlet { ICRLIssuingPointRecord crlRecord = null; ICertificateAuthority ca = (ICertificateAuthority) mAuthority; ICRLIssuingPoint crlIP = null; - if (ca != null) - crlIP = ca.getCRLIssuingPoint(crlId); + if (ca != null) crlIP = ca.getCRLIssuingPoint(crlId); try { - crlRecord = (ICRLIssuingPointRecord) ca.getCRLRepository() - .readCRLIssuingPointRecord(crlId); + crlRecord = (ICRLIssuingPointRecord) ca.getCRLRepository().readCRLIssuingPointRecord(crlId); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_NO_CRL_ISSUING_POINT_FOUND", crlId)); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_CRL_NOT_FOUND"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NO_CRL_ISSUING_POINT_FOUND", crlId)); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CRL_NOT_FOUND"))); cmsReq.setStatus(CMSRequest.ERROR); return; } if (crlRecord == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlId)); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlId)); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -203,43 +200,40 @@ public class GetCRL extends CMSServlet { header.addStringValue("crlDisplayType", crlDisplayType); } - if ((op.equals("checkCRLcache") || (op.equals("displayCRL") - && crlDisplayType != null && crlDisplayType.equals("cachedCRL"))) - && (crlIP == null || (!crlIP.isCRLCacheEnabled()) || crlIP - .isCRLCacheEmpty())) { - cmsReq.setError(CMS.getUserMessage( - ((crlIP != null && crlIP.isCRLCacheEnabled() && crlIP - .isCRLCacheEmpty()) ? "CMS_GW_CRL_CACHE_IS_EMPTY" - : "CMS_GW_CRL_CACHE_IS_NOT_ENABLED"), crlId)); + if ((op.equals("checkCRLcache") || + (op.equals("displayCRL") && crlDisplayType != null && crlDisplayType.equals("cachedCRL"))) && + (crlIP == null || (!crlIP.isCRLCacheEnabled()) || crlIP.isCRLCacheEmpty())) { + cmsReq.setError( + CMS.getUserMessage( + ((crlIP != null && crlIP.isCRLCacheEnabled() && crlIP.isCRLCacheEmpty())? + "CMS_GW_CRL_CACHE_IS_EMPTY":"CMS_GW_CRL_CACHE_IS_NOT_ENABLED"), crlId)); cmsReq.setStatus(CMSRequest.ERROR); return; } byte[] crlbytes = null; - if (op.equals("importDeltaCRL") - || op.equals("getDeltaCRL") - || (op.equals("displayCRL") && crlDisplayType != null && crlDisplayType - .equals("deltaCRL"))) { + if (op.equals("importDeltaCRL") || op.equals("getDeltaCRL") || + (op.equals("displayCRL") && crlDisplayType != null && + crlDisplayType.equals("deltaCRL"))) { crlbytes = crlRecord.getDeltaCRL(); - } else if (op.equals("importCRL") - || op.equals("getCRL") - || op.equals("checkCRL") - || (op.equals("displayCRL") && crlDisplayType != null && (crlDisplayType - .equals("entireCRL") - || crlDisplayType.equals("crlHeader") || crlDisplayType - .equals("base64Encoded")))) { + } else if (op.equals("importCRL") || op.equals("getCRL") || + op.equals("checkCRL") || + (op.equals("displayCRL") && + crlDisplayType != null && + (crlDisplayType.equals("entireCRL") || + crlDisplayType.equals("crlHeader") || + crlDisplayType.equals("base64Encoded")))) { crlbytes = crlRecord.getCRL(); - } - - if (crlbytes == null - && (!op.equals("checkCRLcache")) - && (!(op.equals("displayCRL") && crlDisplayType != null && crlDisplayType - .equals("cachedCRL")))) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlId)); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); + } + + if (crlbytes == null && (!op.equals("checkCRLcache")) && + (!(op.equals("displayCRL") && crlDisplayType != null && + crlDisplayType.equals("cachedCRL")))) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlId)); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -247,56 +241,48 @@ public class GetCRL extends CMSServlet { X509CRLImpl crl = null; - if (op.equals("checkCRL") - || op.equals("importCRL") - || op.equals("importDeltaCRL") - || (op.equals("displayCRL") && crlDisplayType != null && (crlDisplayType - .equals("entireCRL") - || crlDisplayType.equals("crlHeader") - || crlDisplayType.equals("base64Encoded") || crlDisplayType - .equals("deltaCRL")))) { + if (op.equals("checkCRL") || op.equals("importCRL") || + op.equals("importDeltaCRL") || + (op.equals("displayCRL") && crlDisplayType != null && + (crlDisplayType.equals("entireCRL") || + crlDisplayType.equals("crlHeader") || + crlDisplayType.equals("base64Encoded") || + crlDisplayType.equals("deltaCRL")))) { try { - if (op.equals("displayCRL") && crlDisplayType != null - && crlDisplayType.equals("crlHeader")) { + if (op.equals("displayCRL") && crlDisplayType != null && + crlDisplayType.equals("crlHeader")) { crl = new X509CRLImpl(crlbytes, false); } else { crl = new X509CRLImpl(crlbytes); } } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_FAILED_DECODE_CRL_1", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DECODE_CRL_FAILED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_FAILED_DECODE_CRL_1", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DECODE_CRL_FAILED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } - if ((op.equals("importDeltaCRL") || (op.equals("displayCRL") - && crlDisplayType != null && crlDisplayType - .equals("deltaCRL"))) - && ((!(crlIP != null && crlIP.isThisCurrentDeltaCRL(crl))) && (crlRecord - .getCRLNumber() == null - || crlRecord.getDeltaCRLNumber() == null - || crlRecord.getDeltaCRLNumber().compareTo( - crlRecord.getCRLNumber()) < 0 - || crlRecord.getDeltaCRLSize() == null || crlRecord - .getDeltaCRLSize().longValue() == -1))) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_NO_DELTA_CRL_1")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); + if ((op.equals("importDeltaCRL") || (op.equals("displayCRL") && + crlDisplayType != null && crlDisplayType.equals("deltaCRL"))) && + ((!(crlIP != null && crlIP.isThisCurrentDeltaCRL(crl))) && + (crlRecord.getCRLNumber() == null || + crlRecord.getDeltaCRLNumber() == null || + crlRecord.getDeltaCRLNumber().compareTo(crlRecord.getCRLNumber()) < 0 || + crlRecord.getDeltaCRLSize() == null || + crlRecord.getDeltaCRLSize().longValue() == -1))) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_NO_DELTA_CRL_1")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_CRL_NOT_UPDATED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } - } + } String mimeType = "application/x-pkcs7-crl"; - if (op.equals("checkCRLcache") || op.equals("checkCRL") - || op.equals("displayCRL")) { + if (op.equals("checkCRLcache") || op.equals("checkCRL") || op.equals("displayCRL")) { header.addStringValue("toDo", op); - String certSerialNumber = args.getValueAsString("certSerialNumber", - ""); + String certSerialNumber = args.getValueAsString("certSerialNumber", ""); header.addStringValue("certSerialNumber", certSerialNumber); if (certSerialNumber.startsWith("0x")) { @@ -304,8 +290,8 @@ public class GetCRL extends CMSServlet { } if (op.equals("checkCRLcache")) { - if (crlIP.getRevocationDateFromCache(new BigInteger( - certSerialNumber), false, false) != null) { + if (crlIP.getRevocationDateFromCache( + new BigInteger(certSerialNumber), false, false) != null) { header.addBooleanValue("isOnCRL", true); } else { header.addBooleanValue("isOnCRL", false); @@ -314,15 +300,14 @@ public class GetCRL extends CMSServlet { if (op.equals("checkCRL")) { header.addBooleanValue("isOnCRL", - crl.isRevoked(new BigInteger(certSerialNumber))); + crl.isRevoked(new BigInteger(certSerialNumber))); } if (op.equals("displayCRL")) { - if (crlDisplayType.equals("entireCRL") - || crlDisplayType.equals("cachedCRL")) { - ICRLPrettyPrint crlDetails = (crlDisplayType - .equals("entireCRL")) ? CMS.getCRLPrettyPrint(crl) - : CMS.getCRLCachePrettyPrint(crlIP); + if (crlDisplayType.equals("entireCRL") || crlDisplayType.equals("cachedCRL")) { + ICRLPrettyPrint crlDetails = (crlDisplayType.equals("entireCRL"))? + CMS.getCRLPrettyPrint(crl): + CMS.getCRLCachePrettyPrint(crlIP); String pageStart = args.getValueAsString("pageStart", null); String pageSize = args.getValueAsString("pageSize", null); @@ -330,28 +315,26 @@ public class GetCRL extends CMSServlet { long lPageStart = new Long(pageStart).longValue(); long lPageSize = new Long(pageSize).longValue(); - if (lPageStart < 1) - lPageStart = 1; + if (lPageStart < 1) lPageStart = 1; - header.addStringValue("crlPrettyPrint", crlDetails - .toString(locale[0], lCRLSize, lPageStart, - lPageSize)); + header.addStringValue("crlPrettyPrint", + crlDetails.toString(locale[0], + lCRLSize, lPageStart, lPageSize)); header.addLongValue("pageStart", lPageStart); header.addLongValue("pageSize", lPageSize); } else { - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale[0])); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale[0])); } } else if (crlDisplayType.equals("crlHeader")) { ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(crl); - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale[0], lCRLSize, 0, 0)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale[0], lCRLSize, 0, 0)); } else if (crlDisplayType.equals("base64Encoded")) { try { byte[] ba = crl.getEncoded(); - String crlBase64Encoded = com.netscape.osutil.OSUtil - .BtoA(ba); + String crlBase64Encoded = com.netscape.osutil.OSUtil.BtoA(ba); int length = crlBase64Encoded.length(); int i = 0; int j = 0; @@ -368,14 +351,11 @@ public class GetCRL extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); if (k > -1) { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); i = k + 1; j = i; } else { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, - length)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, length)); i = length; } argSet.addRepeatRecord(rarg); @@ -385,17 +365,16 @@ public class GetCRL extends CMSServlet { } } else if (crlDisplayType.equals("deltaCRL")) { header.addIntegerValue("deltaCRLSize", - crl.getNumberOfRevokedCertificates()); + crl.getNumberOfRevokedCertificates()); ICRLPrettyPrint crlDetails = CMS.getCRLPrettyPrint(crl); - header.addStringValue("crlPrettyPrint", - crlDetails.toString(locale[0], 0, 0, 0)); + header.addStringValue( + "crlPrettyPrint", crlDetails.toString(locale[0], 0, 0, 0)); try { byte[] ba = crl.getEncoded(); - String crlBase64Encoded = com.netscape.osutil.OSUtil - .BtoA(ba); + String crlBase64Encoded = com.netscape.osutil.OSUtil.BtoA(ba); int length = crlBase64Encoded.length(); int i = 0; int j = 0; @@ -412,14 +391,11 @@ public class GetCRL extends CMSServlet { IArgBlock rarg = CMS.createArgBlock(); if (k > -1) { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, k)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, k)); i = k + 1; j = i; } else { - rarg.addStringValue("crlBase64Encoded", - crlBase64Encoded.substring(j, - length)); + rarg.addStringValue("crlBase64Encoded", crlBase64Encoded.substring(j, length)); i = length; } argSet.addRepeatRecord(rarg); @@ -437,11 +413,10 @@ public class GetCRL extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } return; @@ -452,34 +427,32 @@ public class GetCRL extends CMSServlet { mimeType = "application/x-pkcs7-crl"; } else if (op.equals("getCRL")) { mimeType = "application/octet-stream"; - httpResp.setHeader("Content-disposition", "attachment; filename=" - + crlId + ".crl"); + httpResp.setHeader("Content-disposition", + "attachment; filename=" + crlId + ".crl"); } else if (op.equals("getDeltaCRL")) { mimeType = "application/octet-stream"; httpResp.setHeader("Content-disposition", - "attachment; filename=delta-" + crlId + ".crl"); + "attachment; filename=delta-" + crlId + ".crl"); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_OPTIONS_SELECTED")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_OPTIONS_SELECTED")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_OPTIONS_SELECTED")); + CMS.getUserMessage("CMS_GW_INVALID_OPTIONS_SELECTED")); } try { - // if (clientIsMSIE(httpReq) && op.equals("getCRL")) - // httpResp.setHeader("Content-disposition", - // "attachment; filename=getCRL.crl"); + // if (clientIsMSIE(httpReq) && op.equals("getCRL")) + // httpResp.setHeader("Content-disposition", + // "attachment; filename=getCRL.crl"); httpResp.setContentType(mimeType); httpResp.setContentLength(bytes.length); httpResp.getOutputStream().write(bytes); httpResp.getOutputStream().flush(); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CRLINFO")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CRLINFO")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAYING_CRLINFO_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAYING_CRLINFO_ERROR")); } - // cmsReq.setResult(null); + // cmsReq.setResult(null); cmsReq.setStatus(CMSRequest.SUCCESS); return; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java index 7dcec5cd7..5909bc4b1 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Locale; @@ -51,9 +52,10 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; import com.netscape.cms.servlet.common.ICMSTemplateFiller; + /** - * Gets a issued certificate from a request id. - * + * Gets a issued certificate from a request id. + * * @version $Revision$, $Date$ */ public class GetCertFromRequest extends CMSServlet { @@ -62,26 +64,27 @@ public class GetCertFromRequest extends CMSServlet { */ private static final long serialVersionUID = 5310646832256611066L; private final static String PROP_IMPORT = "importCert"; - protected static final String GET_CERT_FROM_REQUEST_TEMPLATE = "ImportCert.template"; - protected static final String DISPLAY_CERT_FROM_REQUEST_TEMPLATE = "displayCertFromRequest.template"; + protected static final String + GET_CERT_FROM_REQUEST_TEMPLATE = "ImportCert.template"; + protected static final String + DISPLAY_CERT_FROM_REQUEST_TEMPLATE = "displayCertFromRequest.template"; protected static final String REQUEST_ID = "requestId"; protected static final String CERT_TYPE = "certtype"; - protected String mCertFrReqSuccessTemplate = null; + protected String mCertFrReqSuccessTemplate = null; protected ICMSTemplateFiller mCertFrReqFiller = null; protected IRequestQueue mQueue = null; protected boolean mImportCert = true; - public GetCertFromRequest() { + public GetCertFromRequest() { super(); } /** * initialize the servlet. This servlet uses the template files - * "displayCertFromRequest.template" and "ImportCert.template" - * + * "displayCertFromRequest.template" and "ImportCert.template" * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -89,7 +92,8 @@ public class GetCertFromRequest extends CMSServlet { mTemplates.remove(CMSRequest.SUCCESS); mQueue = mAuthority.getRequestQueue(); try { - String tmp = sc.getInitParameter(PROP_IMPORT); + String tmp = sc.getInitParameter( + PROP_IMPORT); if (tmp != null && tmp.trim().equalsIgnoreCase("false")) mImportCert = false; @@ -98,43 +102,46 @@ public class GetCertFromRequest extends CMSServlet { if (mImportCert) defTemplate = GET_CERT_FROM_REQUEST_TEMPLATE; - else + else defTemplate = DISPLAY_CERT_FROM_REQUEST_TEMPLATE; if (mAuthority instanceof IRegistrationAuthority) defTemplate = "/ra/" + defTemplate; - else + else defTemplate = "/ca/" + defTemplate; - mCertFrReqSuccessTemplate = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE); + mCertFrReqSuccessTemplate = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mCertFrReqSuccessTemplate == null) mCertFrReqSuccessTemplate = defTemplate; - String fillername = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); + String fillername = + sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); if (fillername != null) { ICMSTemplateFiller filler = newFillerObject(fillername); - if (filler != null) + if (filler != null) mCertFrReqFiller = filler; } else { mCertFrReqFiller = new CertFrRequestFiller(); } } catch (Exception e) { // should never happen. - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), + mId)); } } + /** - * Process the HTTP request. + * Process the HTTP request. * <ul> - * <li>http.param requestId The request ID to search on + * <li>http.param requestId The request ID to search on * </ul> - * + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); @@ -143,14 +150,14 @@ public class GetCertFromRequest extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -158,104 +165,96 @@ public class GetCertFromRequest extends CMSServlet { return; } - String requestId = httpParams.getValueAsString(REQUEST_ID, null); + String requestId = httpParams.getValueAsString(REQUEST_ID, null); if (requestId == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_NO_REQUEST_ID_PROVIDED")); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_NO_REQUEST_ID_PROVIDED")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_REQUEST_ID_PROVIDED")); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_REQUEST_ID_PROVIDED")); } // check if request Id is valid. try { Integer.parseInt(requestId); } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_REQ_ID_FORMAT", requestId)); - throw new EBaseException(CMS.getUserMessage(getLocale(httpReq), - "CMS_BASE_INVALID_NUMBER_FORMAT_1", requestId)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_REQ_ID_FORMAT", requestId)); + throw new EBaseException( + CMS.getUserMessage(getLocale(httpReq), "CMS_BASE_INVALID_NUMBER_FORMAT_1", requestId)); } IRequest r = mQueue.findRequest(new RequestId(requestId)); if (r == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REQUEST_ID_NOT_FOUND", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_ID_NOT_FOUND", requestId)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REQUEST_ID_NOT_FOUND", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_ID_NOT_FOUND", requestId)); } if (authToken != null) { - // if RA, group and requestOwner must match - String group = authToken.getInString("group"); - if ((group != null) && (group != "") - && group.equals("Registration Manager Agents")) { - boolean groupMatched = false; - String reqOwner = r.getRequestOwner(); - if (reqOwner != null) { - CMS.debug("GetCertFromRequest process: req owner=" - + reqOwner); - if (reqOwner.equals(group)) - groupMatched = true; - } - if (groupMatched == false) { - CMS.debug("RA group unmatched"); - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_REQUEST_ID_NOT_FOUND", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_ID_NOT_FOUND", requestId)); - } + //if RA, group and requestOwner must match + String group = authToken.getInString("group"); + if ((group != null) && (group != "") && + group.equals("Registration Manager Agents")) { + boolean groupMatched = false; + String reqOwner = r.getRequestOwner(); + if (reqOwner != null) { + CMS.debug("GetCertFromRequest process: req owner="+reqOwner); + if (reqOwner.equals(group)) + groupMatched = true; + } + if (groupMatched == false) { + CMS.debug("RA group unmatched"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_REQUEST_ID_NOT_FOUND", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_ID_NOT_FOUND", requestId)); } + } } - if (!((r.getRequestType().equals(IRequest.ENROLLMENT_REQUEST)) || (r - .getRequestType().equals(IRequest.RENEWAL_REQUEST)))) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_REQUEST_NOT_ENROLLMENT_1", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_NOT_ENROLLMENT", requestId)); + if (!((r.getRequestType().equals(IRequest.ENROLLMENT_REQUEST)) || (r.getRequestType().equals(IRequest.RENEWAL_REQUEST)))) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQUEST_NOT_ENROLLMENT_1", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_NOT_ENROLLMENT", requestId)); } RequestStatus status = r.getRequestStatus(); if (!status.equals(RequestStatus.COMPLETE)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_REQUEST_NOT_COMPLETED_1", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_NOT_COMPLETED", requestId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQUEST_NOT_COMPLETED_1", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_NOT_COMPLETED", requestId)); } Integer result = r.getExtDataInInteger(IRequest.RESULT); if (result != null && !result.equals(IRequest.RES_SUCCESS)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REQUEST_HAD_ERROR_1", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_HAD_ERROR", requestId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQUEST_HAD_ERROR_1", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_HAD_ERROR", requestId)); } Object o = r.getExtDataInCertArray(IRequest.ISSUED_CERTS); if (r.getExtDataInString("profile") != null) { // handle profile-based request - X509CertImpl cert = r - .getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); + X509CertImpl cert = r.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); X509CertImpl certs[] = new X509CertImpl[1]; certs[0] = cert; o = certs; } if (o == null || !(o instanceof X509CertImpl[])) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_REQUEST_HAD_NO_CERTS_1", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_HAD_NO_CERTS", requestId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQUEST_HAD_NO_CERTS_1", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_HAD_NO_CERTS", requestId)); } if (o instanceof X509CertImpl[]) { X509CertImpl[] certs = (X509CertImpl[]) o; if (certs == null || certs.length == 0 || certs[0] == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_REQUEST_HAD_NO_CERTS_1", requestId)); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_REQUEST_HAD_NO_CERTS", requestId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQUEST_HAD_NO_CERTS_1", requestId)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_REQUEST_HAD_NO_CERTS", requestId)); } // for importsCert to get the crmf_reqid. @@ -263,66 +262,58 @@ public class GetCertFromRequest extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); - if (mImportCert - && checkImportCertToNav(cmsReq.getHttpResp(), httpParams, - certs[0])) { + if (mImportCert && + checkImportCertToNav(cmsReq.getHttpResp(), httpParams, certs[0])) { return; } try { cmsReq.setResult(certs); - renderTemplate(cmsReq, mCertFrReqSuccessTemplate, - mCertFrReqFiller); + renderTemplate(cmsReq, mCertFrReqSuccessTemplate, mCertFrReqFiller); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGE_ERROR_DISPLAY_TEMPLATE_1", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGE_ERROR_DISPLAY_TEMPLATE_1", mCertFrReqSuccessTemplate, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } return; } } + class CertFrRequestFiller extends ImportCertsTemplateFiller { public CertFrRequestFiller() { } - public CMSTemplateParams getTemplateParams(CMSRequest cmsReq, - IAuthority authority, Locale locale, Exception e) throws Exception { - CMSTemplateParams tparams = super.getTemplateParams(cmsReq, authority, - locale, e); + public CMSTemplateParams getTemplateParams( + CMSRequest cmsReq, IAuthority authority, Locale locale, Exception e) + throws Exception { + CMSTemplateParams tparams = + super.getTemplateParams(cmsReq, authority, locale, e); String reqId = cmsReq.getHttpParams().getValueAsString( GetCertFromRequest.REQUEST_ID); - tparams.getHeader() - .addStringValue(GetCertFromRequest.REQUEST_ID, reqId); + tparams.getHeader().addStringValue(GetCertFromRequest.REQUEST_ID, reqId); if (reqId != null) { - IRequest r = authority.getRequestQueue().findRequest( - new RequestId(reqId)); + IRequest r = authority.getRequestQueue().findRequest(new RequestId(reqId)); if (r != null) { boolean noCertImport = true; - String certType = r.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); + String certType = r.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); if (certType != null && certType.equals(IRequest.CLIENT_CERT)) { noCertImport = false; } - tparams.getHeader().addBooleanValue("noCertImport", - noCertImport); + tparams.getHeader().addBooleanValue("noCertImport", noCertImport); - X509CertImpl[] certs = r - .getExtDataInCertArray(IRequest.ISSUED_CERTS); + X509CertImpl[] certs = r.getExtDataInCertArray(IRequest.ISSUED_CERTS); if (certs != null) { - X509CertInfo info = (X509CertInfo) certs[0] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateExtensions extensions = (CertificateExtensions) info - .get(X509CertInfo.EXTENSIONS); + X509CertInfo info = (X509CertInfo) certs[0].get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateExtensions extensions = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); - tparams.getHeader().addStringValue( - GetCertFromRequest.CERT_TYPE, "x509"); + tparams.getHeader().addStringValue(GetCertFromRequest.CERT_TYPE, "x509"); boolean emailCert = false; @@ -333,21 +324,16 @@ class CertFrRequestFiller extends ImportCertsTemplateFiller { if (ext instanceof NSCertTypeExtension) { NSCertTypeExtension type = (NSCertTypeExtension) ext; - if (((Boolean) type - .get(NSCertTypeExtension.EMAIL)) - .booleanValue()) + if (((Boolean) type.get(NSCertTypeExtension.EMAIL)).booleanValue()) emailCert = true; } if (ext instanceof KeyUsageExtension) { - KeyUsageExtension usage = (KeyUsageExtension) ext; + KeyUsageExtension usage = + (KeyUsageExtension) ext; try { - if (((Boolean) usage - .get(KeyUsageExtension.DIGITAL_SIGNATURE)) - .booleanValue() - || ((Boolean) usage - .get(KeyUsageExtension.DATA_ENCIPHERMENT)) - .booleanValue()) + if (((Boolean) usage.get(KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue() || + ((Boolean) usage.get(KeyUsageExtension.DATA_ENCIPHERMENT)).booleanValue()) emailCert = true; } catch (ArrayIndexOutOfBoundsException e0) { // bug356108: diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetEnableStatus.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetEnableStatus.java index 1e9f9a02e..8b5536ea8 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetEnableStatus.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetEnableStatus.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Enumeration; import java.util.Locale; @@ -44,9 +45,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Servlet to get the enrollment status, enable or disable. - * + * * @version $Revision$, $Date$ */ public class GetEnableStatus extends CMSServlet { @@ -62,8 +64,7 @@ public class GetEnableStatus extends CMSServlet { } /** - * initialize the servlet. - * + * initialize the servlet. * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -79,14 +80,15 @@ public class GetEnableStatus extends CMSServlet { } /** - * Process the HTTP request. + * Process the HTTP request. * <ul> * <li>http.param * </ul> - * + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -94,8 +96,8 @@ public class GetEnableStatus extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (Exception e) { // do nothing for now } @@ -111,10 +113,9 @@ public class GetEnableStatus extends CMSServlet { IArgBlock args = cmsReq.getHttpParams(); if (!(mAuthority instanceof IRegistrationAuthority)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_FROM_RA_NOT_IMP")); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_NOT_YET_IMPLEMENTED"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -125,11 +126,11 @@ public class GetEnableStatus extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", + mFormPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -141,8 +142,7 @@ public class GetEnableStatus extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; long timeout = HashAuthentication.DEFAULT_TIMEOUT / 1000; @@ -164,10 +164,10 @@ public class GetEnableStatus extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } cmsReq.setStatus(CMSRequest.SUCCESS); diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/GetInfo.java b/pki/base/common/src/com/netscape/cms/servlet/cert/GetInfo.java index 300ba3e08..9d83d430c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/GetInfo.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/GetInfo.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.util.Enumeration; @@ -48,9 +49,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Get detailed information about CA CRL processing - * + * * @version $Revision$, $Date$ */ public class GetInfo extends CMSServlet { @@ -74,7 +76,6 @@ public class GetInfo extends CMSServlet { /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -89,11 +90,11 @@ public class GetInfo extends CMSServlet { } /** - * XXX Process the HTTP request. + * XXX Process the HTTP request. * <ul> * <li>http.param template filename of template to use to render the result * </ul> - * + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -104,14 +105,14 @@ public class GetInfo extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -128,33 +129,35 @@ public class GetInfo extends CMSServlet { String template = req.getParameter("template"); String formFile = ""; - /* - * for (int i = 0; ((template != null) && (i < template.length())); i++) - * { char c = template.charAt(i); if (!Character.isLetterOrDigit(c) && c - * != '_' && c != '-') { template = null; break; } } - */ +/* + for (int i = 0; ((template != null) && (i < template.length())); i++) { + char c = template.charAt(i); + if (!Character.isLetterOrDigit(c) && c != '_' && c != '-') { + template = null; + break; + } + } +*/ + if (template != null) { formFile = template + ".template"; } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE_1")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE_1")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } CMSTemplate form = null; Locale[] locale = new Locale[1]; - CMS.debug("*** formFile = " + formFile); +CMS.debug("*** formFile = "+formFile); try { form = getTemplate(formFile, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formFile, - e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formFile, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { @@ -169,27 +172,29 @@ public class GetInfo extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, Locale locale) - throws EBaseException { + HttpServletRequest req, + HttpServletResponse resp, + Locale locale) + throws EBaseException { if (mCA != null) { String crlIssuingPoints = ""; String crlNumbers = ""; @@ -202,23 +207,20 @@ public class GetInfo extends CMSServlet { String crlTesting = ""; boolean isDeltaCRLEnabled = false; - String masterHost = CMS.getConfigStore().getString( - "master.ca.agent.host", ""); - String masterPort = CMS.getConfigStore().getString( - "master.ca.agent.port", ""); - - if (masterHost != null && masterHost.length() > 0 - && masterPort != null && masterPort.length() > 0) { + String masterHost = CMS.getConfigStore().getString("master.ca.agent.host", ""); + String masterPort = CMS.getConfigStore().getString("master.ca.agent.port", ""); + + if (masterHost != null && masterHost.length() > 0 && + masterPort != null && masterPort.length() > 0) { ICRLRepository crlRepository = mCA.getCRLRepository(); Vector ipNames = crlRepository.getIssuingPointsNames(); for (int i = 0; i < ipNames.size(); i++) { - String ipName = (String) ipNames.elementAt(i); + String ipName = (String)ipNames.elementAt(i); ICRLIssuingPointRecord crlRecord = null; try { - crlRecord = crlRepository - .readCRLIssuingPointRecord(ipName); + crlRecord = crlRepository.readCRLIssuingPointRecord(ipName); } catch (Exception e) { } if (crlRecord != null) { @@ -234,8 +236,8 @@ public class GetInfo extends CMSServlet { if (crlSizes.length() > 0) crlSizes += "+"; - crlSizes += ((crlRecord.getCRLSize() != null) ? crlRecord - .getCRLSize().toString() : "-1"); + crlSizes += ((crlRecord.getCRLSize() != null)? + crlRecord.getCRLSize().toString(): "-1"); if (deltaSizes.length() > 0) deltaSizes += "+"; @@ -302,18 +304,13 @@ public class GetInfo extends CMSServlet { if (recentChanges.length() > 0) recentChanges += "+"; if (ip.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_PUBLISHING_STARTED) { - recentChanges += "Publishing CRL #" - + ip.getCRLNumber(); + recentChanges += "Publishing CRL #" + ip.getCRLNumber(); } else if (ip.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_STARTED) { - recentChanges += "Creating CRL #" - + ip.getNextCRLNumber(); - } else { // ip.CRL_UPDATE_DONE - recentChanges += ip - .getNumberOfRecentlyRevokedCerts() - + ", " - + ip.getNumberOfRecentlyUnrevokedCerts() - + ", " - + ip.getNumberOfRecentlyExpiredCerts(); + recentChanges += "Creating CRL #" + ip.getNextCRLNumber(); + } else { // ip.CRL_UPDATE_DONE + recentChanges += ip.getNumberOfRecentlyRevokedCerts() + ", " + + ip.getNumberOfRecentlyUnrevokedCerts() + ", " + + ip.getNumberOfRecentlyExpiredCerts(); } isDeltaCRLEnabled |= ip.isDeltaCRLEnabled(); @@ -329,8 +326,7 @@ public class GetInfo extends CMSServlet { if (crlTesting.length() > 0) crlTesting += "+"; - crlTesting += ((ip.isCRLCacheTestingEnabled()) ? "1" - : "0"); + crlTesting += ((ip.isCRLCacheTestingEnabled())?"1":"0"); } } @@ -349,14 +345,11 @@ public class GetInfo extends CMSServlet { header.addStringValue("master_host", masterHost); header.addStringValue("master_port", masterPort); - header.addStringValue("masterCRLIssuingPoint", - ICertificateAuthority.PROP_MASTER_CRL); - ICRLIssuingPoint ip0 = mCA - .getCRLIssuingPoint(ICertificateAuthority.PROP_MASTER_CRL); + header.addStringValue("masterCRLIssuingPoint", ICertificateAuthority.PROP_MASTER_CRL); + ICRLIssuingPoint ip0 = mCA.getCRLIssuingPoint(ICertificateAuthority.PROP_MASTER_CRL); if (ip0 != null) { - header.addStringValue("defaultAlgorithm", - ip0.getSigningAlgorithm()); + header.addStringValue("defaultAlgorithm", ip0.getSigningAlgorithm()); } if (recentChanges.length() > 0) diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java index 0922f8821..645cb831b 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/HashEnrollServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -84,9 +85,10 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; import com.netscape.cms.servlet.common.ICMSTemplateFiller; + /** * performs face-to-face enrollment. - * + * * @version $Revision$, $Date$ */ public class HashEnrollServlet extends CMSServlet { @@ -98,9 +100,10 @@ public class HashEnrollServlet extends CMSServlet { public final static String ADMIN_ENROLL_SERVLET_ID = "adminEnroll"; // enrollment templates. - public static final String ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template"; + public static final String + ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template"; - // http params + // http params public static final String OLD_CERT_TYPE = "csrCertType"; public static final String CERT_TYPE = "certType"; // same as in ConfigConstant.java @@ -120,7 +123,8 @@ public class HashEnrollServlet extends CMSServlet { private boolean mAuthTokenOverride = true; private String mEnrollSuccessTemplate = null; - private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller(); + private ICMSTemplateFiller + mEnrollSuccessFiller = new ImportCertsTemplateFiller(); ICertificateAuthority mCa = null; ICertificateRepository mRepository = null; @@ -131,7 +135,6 @@ public class HashEnrollServlet extends CMSServlet { /** * initialize the servlet. - * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -139,17 +142,17 @@ public class HashEnrollServlet extends CMSServlet { // override success template to allow direct import of keygen certs. mTemplates.remove(CMSRequest.SUCCESS); try { - mEnrollSuccessTemplate = sc - .getInitParameter(CMSServlet.PROP_SUCCESS_TEMPLATE); + mEnrollSuccessTemplate = sc.getInitParameter( + CMSServlet.PROP_SUCCESS_TEMPLATE); if (mEnrollSuccessTemplate == null) mEnrollSuccessTemplate = ENROLL_SUCCESS_TEMPLATE; - String fillername = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); + String fillername = + sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); if (fillername != null) { ICMSTemplateFiller filler = newFillerObject(fillername); - if (filler != null) + if (filler != null) mEnrollSuccessFiller = filler; } @@ -158,18 +161,20 @@ public class HashEnrollServlet extends CMSServlet { init_testbed_hack(mConfig); } catch (Exception e) { - // this should never happen. - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId)); + // this should never happen. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId)); } } + /** - * Process the HTTP request. - * + * Process the HTTP request. + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -187,8 +192,8 @@ public class HashEnrollServlet extends CMSServlet { IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr; @@ -221,15 +226,14 @@ public class HashEnrollServlet extends CMSServlet { certType = httpParams.getValueAsString(OLD_CERT_TYPE, null); if (certType == null) { certType = httpParams.getValueAsString(CERT_TYPE, "client"); - } else { - ; - } + } else {; + } - processX509(cmsReq); + processX509(cmsReq); } - + private void printError(CMSRequest cmsReq, String errorCode) - throws EBaseException { + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); @@ -249,10 +253,9 @@ public class HashEnrollServlet extends CMSServlet { form = getTemplate(formPath, httpReq, locale); } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formPath, - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", formPath, e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } @@ -264,15 +267,16 @@ public class HashEnrollServlet extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", - e.toString())); - cmsReq.setError(new ECMSGWException(CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); + CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", + e.toString())); + cmsReq.setError(new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } } - protected void processX509(CMSRequest cmsReq) throws EBaseException { + protected void processX509(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); @@ -280,16 +284,19 @@ public class HashEnrollServlet extends CMSServlet { IRequest req = mRequestQueue.newRequest(IRequest.ENROLLMENT_REQUEST); /* - * === certAuth based enroll === "certAuthEnroll" is on. - * "certauthEnrollType can be one of the three: single - it's for single - * cert enrollment dual - it's for dual certs enrollment encryption - - * getting the encryption cert only via authentication of the signing - * cert (crmf or keyGenInfo) + * === certAuth based enroll === + * "certAuthEnroll" is on. + * "certauthEnrollType can be one of the three: + * single - it's for single cert enrollment + * dual - it's for dual certs enrollment + * encryption - getting the encryption cert only via + * authentication of the signing cert + * (crmf or keyGenInfo) */ boolean certAuthEnroll = false; - String certAuthEnrollOn = httpParams.getValueAsString("certauthEnroll", - null); + String certAuthEnrollOn = + httpParams.getValueAsString("certauthEnroll", null); X509CertInfo new_certInfo = null; if ((certAuthEnrollOn != null) && (certAuthEnrollOn.equals("on"))) { @@ -300,8 +307,8 @@ public class HashEnrollServlet extends CMSServlet { String certauthEnrollType = null; if (certAuthEnroll == true) { - certauthEnrollType = httpParams.getValueAsString( - "certauthEnrollType", null); + certauthEnrollType = + httpParams.getValueAsString("certauthEnrollType", null); if (certauthEnrollType != null) { if (certauthEnrollType.equals("dual")) { CMS.debug("HashEnrollServlet: certauthEnrollType is dual"); @@ -310,22 +317,20 @@ public class HashEnrollServlet extends CMSServlet { } else if (certauthEnrollType.equals("single")) { CMS.debug("HashEnrollServlet: certauthEnrollType is single"); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", - certauthEnrollType)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", certauthEnrollType)); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE")); + CMS.getUserMessage("CMS_GW_INVALID_CERTAUTH_ENROLL_TYPE")); } } else { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTAUTH_ENROLL_TYPE")); + CMS.getLogMessage("CMSGW_MISSING_CERTAUTH_ENROLL_TYPE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE")); + CMS.getUserMessage("CMS_GW_MISSING_CERTAUTH_ENROLL_TYPE")); } } - String challengePassword = httpParams.getValueAsString( - "challengePassword", ""); + String challengePassword = httpParams.getValueAsString("challengePassword", ""); cmsReq.setIRequest(req); saveHttpHeaders(httpReq, req); @@ -335,8 +340,8 @@ public class HashEnrollServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, token, mAuthzResourceName, - "import"); + authzToken = authorize(mAclMethod, token, + mAuthzResourceName, "import"); } catch (Exception e) { // do nothing for now } @@ -351,43 +356,41 @@ public class HashEnrollServlet extends CMSServlet { String certBasedOldSubjectDN = null; BigInteger certBasedOldSerialNum = null; - // check if request was authenticated, if so set authtoken & certInfo. - // also if authenticated, take certInfo from authToken. + // check if request was authenticated, if so set authtoken & certInfo. + // also if authenticated, take certInfo from authToken. X509CertInfo certInfo = null; if (certAuthEnroll == true) { sslClientCert = getSSLClientCertificate(httpReq); if (sslClientCert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT")); + CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT")); } - certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN() - .toString(); - certBasedOldSerialNum = (BigInteger) sslClientCert - .getSerialNumber(); + certBasedOldSubjectDN = (String) sslClientCert.getSubjectDN().toString(); + certBasedOldSerialNum = (BigInteger) sslClientCert.getSerialNumber(); try { - certInfo = (X509CertInfo) ((X509CertImpl) sslClientCert) - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + certInfo = (X509CertInfo) + ((X509CertImpl) sslClientCert).get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); } catch (CertificateParsingException ex) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), "CMS_GW_MISSING_CERTINFO")); + CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); + throw new ECMSGWException( + CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO")); } } else { certInfo = CMS.getDefaultX509CertInfo(); } - X509CertInfo[] certInfoArray = new X509CertInfo[] { certInfo }; + X509CertInfo[] certInfoArray = new X509CertInfo[] {certInfo}; - // AuthToken authToken = access.getAuthToken(); + //AuthToken authToken = access.getAuthToken(); IConfigStore configStore = CMS.getConfigStore(); String val = configStore.getString("hashDirEnrollment.name"); - IAuthSubsystem authSS = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); + IAuthSubsystem authSS = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr1 = authSS.get(val); HashAuthentication mgr = (HashAuthentication) authMgr1; String pageID = httpParams.getValueAsString("pageID", null); @@ -402,22 +405,24 @@ public class HashEnrollServlet extends CMSServlet { cmsReq.setStatus(CMSRequest.SUCCESS); return; } else { - authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - // don't store agent token in request. - // agent currently used for bulk issuance. + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + // don't store agent token in request. + // agent currently used for bulk issuance. // if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { - log(ILogger.LL_INFO, "Enrollment request was authenticated by " - + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME)); + log(ILogger.LL_INFO, + "Enrollment request was authenticated by " + + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME)); fillCertInfoFromAuthToken(certInfo, authToken); - // save authtoken attrs to request directly (for policy use) + // save authtoken attrs to request directly (for policy use) saveAuthToken(authToken, req); // req.set(IRequest.AUTH_TOKEN, authToken); // } } // fill certInfo from input types: keygen, cmc, pkcs10 or crmf - KeyGenInfo keyGenInfo = httpParams.getValueAsKeyGenInfo( - SUBJECT_KEYGEN_INFO, null); + KeyGenInfo keyGenInfo = + httpParams.getValueAsKeyGenInfo(SUBJECT_KEYGEN_INFO, null); String certType = null; @@ -436,7 +441,8 @@ public class HashEnrollServlet extends CMSServlet { req.setExtData(IRequest.HTTP_PARAMS, CERT_TYPE, certType); } - String crmf = httpParams.getValueAsString(CRMF_REQUEST, null); + String crmf = + httpParams.getValueAsString(CRMF_REQUEST, null); if (certAuthEnroll == true) { @@ -445,21 +451,25 @@ public class HashEnrollServlet extends CMSServlet { // for dual certs if (certauthEnrollType.equals(CERT_AUTH_DUAL)) { if (mCa == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NOT_A_CA")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_NOT_A_CA")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_NOT_A_CA")); + CMS.getUserMessage("CMS_GW_NOT_A_CA")); } // first, make sure the client cert is indeed a - // signing only cert - if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == false) - || ((CMS.isSigningCert((X509CertImpl) sslClientCert) == true) && (CMS - .isEncryptionCert((X509CertImpl) sslClientCert) == true))) { + // signing only cert + if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + false) || + ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + true) && + (CMS.isEncryptionCert((X509CertImpl) sslClientCert) == + true))) { // either it's not a signing cert, or it's a dual cert log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); + CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); } X509Key key = null; @@ -468,27 +478,22 @@ public class HashEnrollServlet extends CMSServlet { try { certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); - throw new ECMSGWException(CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } - String filter = "(&(x509cert.subject=" + certBasedOldSubjectDN - + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum - + "))(certStatus=VALID))"; - ICertRecordList list = (ICertRecordList) mCa - .getCertificateRepository().findCertRecordsInList( - filter, null, 10); + String filter = + "(&(x509cert.subject=" + certBasedOldSubjectDN + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum + "))(certStatus=VALID))"; + ICertRecordList list = + (ICertRecordList) mCa.getCertificateRepository().findCertRecordsInList(filter, + null, 10); int size = list.getSize(); Enumeration en = list.getCertRecords(0, size - 1); boolean gotEncCert = false; @@ -497,8 +502,8 @@ public class HashEnrollServlet extends CMSServlet { // pairing encryption cert not found } else { X509CertInfo encCertInfo = CMS.getDefaultX509CertInfo(); - X509CertInfo[] cInfoArray = new X509CertInfo[] { certInfo, - encCertInfo }; + X509CertInfo[] cInfoArray = new X509CertInfo[] {certInfo, + encCertInfo}; int i = 1; while (en.hasMoreElements()) { @@ -506,47 +511,37 @@ public class HashEnrollServlet extends CMSServlet { X509CertImpl cert = record.getCertificate(); // if not encryption cert only, try next one - if ((CMS.isEncryptionCert(cert) == false) - || ((CMS.isEncryptionCert(cert) == true) && (CMS - .isSigningCert(cert) == true))) { + if ((CMS.isEncryptionCert(cert) == false) || + ((CMS.isEncryptionCert(cert) == true) && + (CMS.isSigningCert(cert) == true))) { continue; } key = (X509Key) cert.getPublicKey(); try { - encCertInfo = (X509CertInfo) cert - .get(X509CertImpl.NAME + "." - + X509CertImpl.INFO); + encCertInfo = (X509CertInfo) + cert.get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); } catch (CertificateParsingException ex) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), - "CMS_GW_MISSING_CERTINFO")); + CMS.getLogMessage("CMSGW_MISSING_CERTINFO_ENCRYPT_CERT")); + throw new ECMSGWException( + CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO")); } try { - encCertInfo.set(X509CertInfo.KEY, - new CertificateX509Key(key)); + encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key(key)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage( - "CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage( - "CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", - e.toString())); + CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString())); } fillCertInfoFromAuthToken(encCertInfo, authToken); @@ -560,21 +555,24 @@ public class HashEnrollServlet extends CMSServlet { if (gotEncCert == false) { // encryption cert not found, bail log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND")); + CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND")); + CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND")); } } else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) { // first, make sure the client cert is indeed a - // signing only cert - if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == false) - || ((CMS.isSigningCert((X509CertImpl) sslClientCert) == true) && (CMS - .isEncryptionCert((X509CertImpl) sslClientCert) == true))) { + // signing only cert + if ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + false) || + ((CMS.isSigningCert((X509CertImpl) sslClientCert) == + true) && + (CMS.isEncryptionCert((X509CertImpl) sslClientCert) == + true))) { // either it's not a signing cert, or it's a dual cert log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); + CMS.getLogMessage("CMSGW_INVALID_CERT_TYPE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_TYPE")); } /* @@ -582,15 +580,15 @@ public class HashEnrollServlet extends CMSServlet { */ if (crmf != null && crmf != "") { certInfoArray = fillCRMF(crmf, authToken, httpParams, req); - req.setExtData(CLIENT_ISSUER, sslClientCert.getIssuerDN() - .toString()); - CMS.debug("HashEnrollServlet: sslClientCert issuerDN = " - + sslClientCert.getIssuerDN().toString()); + req.setExtData(CLIENT_ISSUER, + sslClientCert.getIssuerDN().toString()); + CMS.debug( + "HashEnrollServlet: sslClientCert issuerDN = " + sslClientCert.getIssuerDN().toString()); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq), + "CMS_GW_MISSING_KEYGEN_INFO")); } } else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) { // have to be buried here to handle the issuer @@ -598,21 +596,21 @@ public class HashEnrollServlet extends CMSServlet { if (crmf != null && crmf != "") { certInfoArray = fillCRMF(crmf, authToken, httpParams, req); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); - throw new ECMSGWException(CMS.getUserMessage( - getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq), + "CMS_GW_MISSING_KEYGEN_INFO")); } - req.setExtData(CLIENT_ISSUER, sslClientCert.getIssuerDN() - .toString()); + req.setExtData(CLIENT_ISSUER, + sslClientCert.getIssuerDN().toString()); } } else if (crmf != null && crmf != "") { certInfoArray = fillCRMF(crmf, authToken, httpParams, req); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO")); throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq), - "CMS_GW_MISSING_KEYGEN_INFO")); + "CMS_GW_MISSING_KEYGEN_INFO")); } req.setExtData(IRequest.CERT_INFO, certInfoArray); @@ -623,9 +621,9 @@ public class HashEnrollServlet extends CMSServlet { req.setExtData(CHALLENGE_PASSWORD, pwd); } - // send request to request queue. + // send request to request queue. mRequestQueue.processRequest(req); - // process result. + // process result. // render OLD_CERT_TYPE's response differently, we // dont want any javascript in HTML, and need to @@ -640,28 +638,27 @@ public class HashEnrollServlet extends CMSServlet { return; } - // for audit log + //for audit log String initiative = null; String agentID = null; if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { - // request is from eegateway, so fromUser. + // request is from eegateway, so fromUser. initiative = AuditFormat.FROMUSER; } else { agentID = authToken.getInString("userid"); initiative = AuditFormat.FROMAGENT + " agentID: " + agentID; - } + } // if service not complete return standard templates. RequestStatus status = req.getRequestStatus(); if (status != RequestStatus.COMPLETE) { cmsReq.setIRequestStatus(); // set status acc. to IRequest status. - // audit log the status + // audit log the status try { if (status == RequestStatus.REJECTED) { - Vector messages = req - .getExtDataInStringVector(IRequest.ERRORS); + Vector messages = req.getExtDataInStringVector(IRequest.ERRORS); if (messages != null) { Enumeration msgs = messages.elements(); @@ -671,42 +668,52 @@ public class HashEnrollServlet extends CMSServlet { wholeMsg.append("\n"); wholeMsg.append(msgs.nextElement()); } - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - certInfo.get(X509CertInfo.SUBJECT), - " violation: " + wholeMsg.toString() }, - ILogger.L_MULTILINE); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT), + " violation: " + + wholeMsg.toString()}, + ILogger.L_MULTILINE + ); } else { // no policy violation, from agent - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - certInfo.get(X509CertInfo.SUBJECT), "" }); - } - } else { // other imcomplete status - mLogger.log( - ILogger.EV_AUDIT, + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.ENROLLMENTFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - certInfo.get(X509CertInfo.SUBJECT), "" }); + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT), ""} + ); + } + } else { // other imcomplete status + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + certInfo.get(X509CertInfo.SUBJECT), ""} + ); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } return; } @@ -717,35 +724,39 @@ public class HashEnrollServlet extends CMSServlet { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(req.getExtDataInString(IRequest.ERROR)); - String[] svcErrors = req - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + req.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // System.out.println( - // "revocation servlet: setting error description "+ - // err.toString()); + //System.out.println( + //"revocation servlet: setting error description "+ + //err.toString()); cmsReq.setErrorDescription(err); // audit log the error try { - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, new Object[] { - req.getRequestId(), initiative, - authMgr, - "completed with error: " + err, - certInfo.get(X509CertInfo.SUBJECT), - "" }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + "completed with error: " + + err, + certInfo.get(X509CertInfo.SUBJECT), ""} + ); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CANT_GET_CERT_SUBJ_AUDITING", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString())); } } @@ -756,143 +767,144 @@ public class HashEnrollServlet extends CMSServlet { // service success cmsReq.setStatus(CMSRequest.SUCCESS); - X509CertImpl[] issuedCerts = req - .getExtDataInCertArray(IRequest.ISSUED_CERTS); + X509CertImpl[] issuedCerts = + req.getExtDataInCertArray(IRequest.ISSUED_CERTS); // audit log the success. - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - "completed", - issuedCerts[0].getSubjectDN(), - "cert issued serial number: 0x" - + issuedCerts[0].getSerialNumber().toString(16) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + "completed", + issuedCerts[0].getSubjectDN(), + "cert issued serial number: 0x" + + issuedCerts[0].getSerialNumber().toString(16)} + ); // return cert as mime type binary if requested. - if (checkImportCertToNav(cmsReq.getHttpResp(), httpParams, - issuedCerts[0])) { + if (checkImportCertToNav( + cmsReq.getHttpResp(), httpParams, issuedCerts[0])) { cmsReq.setStatus(CMSRequest.SUCCESS); return; } - + // use success template. try { - cmsReq.setResult(issuedCerts); - renderTemplate(cmsReq, mEnrollSuccessTemplate, mEnrollSuccessFiller); - cmsReq.setStatus(CMSRequest.SUCCESS); + cmsReq.setResult(issuedCerts); + renderTemplate(cmsReq, mEnrollSuccessTemplate, + mEnrollSuccessFiller); + cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_TEMP_REND_ERR", - mEnrollSuccessFiller.toString(), e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_TEMP_REND_ERR", mEnrollSuccessFiller.toString(), e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); + CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); } return; } /** - * fill subject name, validity, extensions from authoken if any, overriding - * what was in pkcs10. fill subject name, extensions from http input if not - * authenticated. requests not authenticated will need to be approved by an - * agent. + * fill subject name, validity, extensions from authoken if any, + * overriding what was in pkcs10. + * fill subject name, extensions from http input if not authenticated. + * requests not authenticated will need to be approved by an agent. */ - protected void fillCertInfoFromAuthToken(X509CertInfo certInfo, - IAuthToken authToken) throws EBaseException { + protected void fillCertInfoFromAuthToken( + X509CertInfo certInfo, IAuthToken authToken) + throws EBaseException { // override subject, validity and extensions from auth token // CA determines algorithm, version and issuer. - // take key from keygen, cmc, pkcs10 or crmf. + // take key from keygen, cmc, pkcs10 or crmf. // subject name. try { - String subjectname = authToken - .getInString(AuthToken.TOKEN_CERT_SUBJECT); + String subjectname = + authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT); if (subjectname != null) { - CertificateSubjectName certSubject = (CertificateSubjectName) new CertificateSubjectName( - new X500Name(subjectname)); + CertificateSubjectName certSubject = (CertificateSubjectName) + new CertificateSubjectName(new X500Name(subjectname)); certInfo.set(X509CertInfo.SUBJECT, certSubject); - log(ILogger.LL_INFO, "cert subject set to " + certSubject - + " from authtoken"); + log(ILogger.LL_INFO, + "cert subject set to " + certSubject + " from authtoken"); } } catch (CertificateException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); } catch (IOException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); } // validity try { CertificateValidity validity = null; - Date notBefore = authToken - .getInDate(AuthToken.TOKEN_CERT_NOTBEFORE); - Date notAfter = authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER); + Date notBefore = + authToken.getInDate(AuthToken.TOKEN_CERT_NOTBEFORE); + Date notAfter = + authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER); if (notBefore != null && notAfter != null) { validity = new CertificateValidity(notBefore, notAfter); certInfo.set(X509CertInfo.VALIDITY, validity); - log(ILogger.LL_INFO, "cert validity set to " + validity - + " from authtoken"); + log(ILogger.LL_INFO, + "cert validity set to " + validity + " from authtoken"); } } catch (CertificateException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); + CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); } catch (IOException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); + CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); } - + // extensions try { - CertificateExtensions extensions = authToken - .getInCertExts(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = + authToken.getInCertExts(X509CertInfo.EXTENSIONS); if (extensions != null) { certInfo.set(X509CertInfo.EXTENSIONS, extensions); log(ILogger.LL_INFO, "cert extensions set from authtoken"); } } catch (CertificateException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); + CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); } catch (IOException e) { - log(ILogger.LL_WARN, - CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", - e.toString())); + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); + CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); } } - protected X509CertInfo[] fillCRMF(String crmf, IAuthToken authToken, - IArgBlock httpParams, IRequest req) throws EBaseException { + protected X509CertInfo[] fillCRMF( + String crmf, IAuthToken authToken, IArgBlock httpParams, IRequest req) + throws EBaseException { try { byte[] crmfBlob = CMS.AtoB(crmf); - ByteArrayInputStream crmfBlobIn = new ByteArrayInputStream(crmfBlob); - - SEQUENCE crmfMsgs = (SEQUENCE) new SEQUENCE.OF_Template( - new CertReqMsg.Template()).decode(crmfBlobIn); + ByteArrayInputStream crmfBlobIn = + new ByteArrayInputStream(crmfBlob); + + SEQUENCE crmfMsgs = (SEQUENCE) + new SEQUENCE.OF_Template(new CertReqMsg.Template()).decode(crmfBlobIn); int nummsgs = crmfMsgs.size(); X509CertInfo[] certInfoArray = new X509CertInfo[nummsgs]; @@ -902,11 +914,17 @@ public class HashEnrollServlet extends CMSServlet { CertReqMsg certReqMsg = (CertReqMsg) crmfMsgs.elementAt(i); /* - * if (certReqMsg.hasPop()) { try { certReqMsg.verify(); } catch - * (ChallengeResponseException ex) { // create and save the - * challenge // construct the cmmf message together // in a - * sequence to challenge the requestor } catch (Exception e) { - * // failed, should only affect one request } } + if (certReqMsg.hasPop()) { + try { + certReqMsg.verify(); + } catch (ChallengeResponseException ex) { + // create and save the challenge + // construct the cmmf message together + // in a sequence to challenge the requestor + } catch (Exception e) { + // failed, should only affect one request + } + } */ CertRequest certReq = certReqMsg.getCertReq(); INTEGER certReqId = certReq.getCertReqId(); @@ -930,94 +948,95 @@ public class HashEnrollServlet extends CMSServlet { // field suggested notBefore and notAfter in CRMF // Tech Support #383184 - if (certTemplate.getNotBefore() != null - || certTemplate.getNotAfter() != null) { - CertificateValidity certValidity = new CertificateValidity( - certTemplate.getNotBefore(), - certTemplate.getNotAfter()); + if (certTemplate.getNotBefore() != null || certTemplate.getNotAfter() != null) { + CertificateValidity certValidity = new CertificateValidity(certTemplate.getNotBefore(), certTemplate.getNotAfter()); - certInfo.set(X509CertInfo.VALIDITY, certValidity); + certInfo.set(X509CertInfo.VALIDITY, certValidity); } if (certTemplate.hasSubject()) { Name subjectdn = certTemplate.getSubject(); - ByteArrayOutputStream subjectEncStream = new ByteArrayOutputStream(); + ByteArrayOutputStream subjectEncStream = + new ByteArrayOutputStream(); subjectdn.encode(subjectEncStream); byte[] subjectEnc = subjectEncStream.toByteArray(); X500Name subject = new X500Name(subjectEnc); - certInfo.set(X509CertInfo.SUBJECT, - new CertificateSubjectName(subject)); - } else if (authToken == null - || authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) { - // No subject name - error! - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN")); + certInfo.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(subject)); + } else if (authToken == null || + authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) { + // No subject name - error! + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN")); + CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_NAME_FROM_AUTHTOKEN")); } - // get extensions + // get extensions CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (CertificateException e) { extensions = null; } catch (IOException e) { extensions = null; } if (certTemplate.hasExtensions()) { - // put each extension from CRMF into CertInfo. - // index by extension name, consistent with + // put each extension from CRMF into CertInfo. + // index by extension name, consistent with // CertificateExtensions.parseExtension() method. - if (extensions == null) + if (extensions == null) extensions = new CertificateExtensions(); int numexts = certTemplate.numExtensions(); for (int j = 0; j < numexts; j++) { - org.mozilla.jss.pkix.cert.Extension jssext = certTemplate - .extensionAt(j); + org.mozilla.jss.pkix.cert.Extension jssext = + certTemplate.extensionAt(j); boolean isCritical = jssext.getCritical(); - org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = jssext - .getExtnId(); + org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = + jssext.getExtnId(); long[] numbers = jssoid.getNumbers(); int[] oidNumbers = new int[numbers.length]; for (int k = numbers.length - 1; k >= 0; k--) { oidNumbers[k] = (int) numbers[k]; } - ObjectIdentifier oid = new ObjectIdentifier(oidNumbers); - org.mozilla.jss.asn1.OCTET_STRING jssvalue = jssext - .getExtnValue(); - ByteArrayOutputStream jssvalueout = new ByteArrayOutputStream(); + ObjectIdentifier oid = + new ObjectIdentifier(oidNumbers); + org.mozilla.jss.asn1.OCTET_STRING jssvalue = + jssext.getExtnValue(); + ByteArrayOutputStream jssvalueout = + new ByteArrayOutputStream(); jssvalue.encode(jssvalueout); byte[] extValue = jssvalueout.toByteArray(); - Extension ext = new Extension(oid, isCritical, extValue); + Extension ext = + new Extension(oid, isCritical, extValue); extensions.parseExtension(ext); } - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - // Added a new configuration parameter + // Added a new configuration parameter // eeGateway.Enrollment.authTokenOverride=[true|false] // By default, it is set to true. In most // of the case, administrator would want // to have the control of the subject name // formulation. // -- CRMFfillCert - if (authToken != null - && authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null) { - // if authenticated override subect name, validity and + if (authToken != null && + authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null) { + // if authenticated override subect name, validity and // extensions if any from authtoken. fillCertInfoFromAuthToken(certInfo, authToken); } @@ -1029,34 +1048,32 @@ public class HashEnrollServlet extends CMSServlet { return certInfoArray; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); + CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); + CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); } catch (InvalidBERException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); + CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); } catch (InvalidKeyException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", + e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); + CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR")); } } - protected void renderServerEnrollResult(CMSRequest cmsReq) - throws IOException { + protected void renderServerEnrollResult(CMSRequest cmsReq) throws + IOException { HttpServletResponse httpResp = cmsReq.getHttpResp(); httpResp.setContentType("text/html"); @@ -1071,16 +1088,11 @@ public class HashEnrollServlet extends CMSServlet { out.println("</TITLE>"); // out.println("<BODY BGCOLOR=white>"); - if (cmsReq.getIRequest().getRequestStatus() - .equals(RequestStatus.COMPLETE)) { + if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.COMPLETE)) { out.println("<H1>"); out.println("SUCCESS"); out.println("</H1>"); - out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - // - - // localize - // the - // message + out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - localize the message out.println("<P>"); out.println("Request Creation Time: "); out.println(cmsReq.getIRequest().getCreationTime().toString()); @@ -1094,30 +1106,25 @@ public class HashEnrollServlet extends CMSServlet { out.println("Certificate: "); out.println("<P>"); out.println("<PRE>"); - X509CertImpl certs[] = cmsReq.getIRequest().getExtDataInCertArray( - IRequest.ISSUED_CERTS); + X509CertImpl certs[] = + cmsReq.getIRequest().getExtDataInCertArray(IRequest.ISSUED_CERTS); out.println(CMS.getEncodedCert(certs[0])); out.println("</PRE>"); out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" - + cmsReq.getIRequest().getCreationTime().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_ID=" - + cmsReq.getIRequest().getRequestId().toString() + ">"); - out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" - + CMS.getEncodedCert(certs[0]) + ">"); - } else if (cmsReq.getIRequest().getRequestStatus() - .equals(RequestStatus.PENDING)) { + out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" + + cmsReq.getIRequest().getCreationTime().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_ID=" + + cmsReq.getIRequest().getRequestId().toString() + ">"); + out.println("<!HTTP_OUTPUT X509_CERTIFICATE=" + + CMS.getEncodedCert(certs[0]) + ">"); + } else if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.PENDING)) { out.println("<H1>"); out.println("PENDING"); out.println("</H1>"); - out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - // - - // localize - // the - // message + out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - localize the message out.println("<P>"); out.println("Request Creation Time: "); out.println(cmsReq.getIRequest().getCreationTime().toString()); @@ -1128,22 +1135,18 @@ public class HashEnrollServlet extends CMSServlet { out.println("Request ID: "); out.println(cmsReq.getIRequest().getRequestId().toString()); out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" - + cmsReq.getIRequest().getCreationTime().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT REQUEST_ID=" - + cmsReq.getIRequest().getRequestId().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_CREATION_TIME=" + + cmsReq.getIRequest().getCreationTime().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_ID=" + + cmsReq.getIRequest().getRequestId().toString() + ">"); } else { out.println("<H1>"); out.println("ERROR"); out.println("</H1>"); out.println("<!INFO>"); - out.println("Please consult your local administrator for assistance."); // XXX - // - - // localize - // the - // message + out.println("Please consult your local administrator for assistance."); // XXX - localize the message out.println("<!/INFO>"); out.println("<P>"); out.println("Request Status: "); @@ -1152,55 +1155,62 @@ public class HashEnrollServlet extends CMSServlet { out.println("Error: "); out.println(cmsReq.getError()); // XXX - need to parse in Locale out.println("<P>"); - out.println("<!HTTP_OUTPUT REQUEST_STATUS=" - + cmsReq.getStatus().toString() + ">"); - out.println("<!HTTP_OUTPUT ERROR=" + cmsReq.getError() + ">"); + out.println("<!HTTP_OUTPUT REQUEST_STATUS=" + + cmsReq.getStatus().toString() + ">"); + out.println("<!HTTP_OUTPUT ERROR=" + + cmsReq.getError() + ">"); } /** - * // include all the input data IArgBlock args = - * cmsReq.getHttpParams(); Enumeration ele = args.getElements(); while - * (ele.hasMoreElements()) { String eleT = (String)ele.nextElement(); - * out.println("<!HTTP_INPUT " + eleT + "=" + args.get(eleT) + ">"); } + // include all the input data + IArgBlock args = cmsReq.getHttpParams(); + Enumeration ele = args.getElements(); + while (ele.hasMoreElements()) { + String eleT = (String)ele.nextElement(); + out.println("<!HTTP_INPUT " + eleT + "=" + + args.get(eleT) + ">"); + } **/ out.println("</HTML>"); } - // XXX ALERT !! - // Remove the following and calls to them when we bundle a cartman - // later than alpha1. - // These are here to cover up problem in cartman where the - // key usage extension always ends up being digital signature only + // XXX ALERT !! + // Remove the following and calls to them when we bundle a cartman + // later than alpha1. + // These are here to cover up problem in cartman where the + // key usage extension always ends up being digital signature only // and for rsa-ex ends up having no bits set. private boolean mIsTestBed = false; - private void init_testbed_hack(IConfigStore config) throws EBaseException { + private void init_testbed_hack(IConfigStore config) + throws EBaseException { mIsTestBed = config.getBoolean("isTestBed", true); } - private void do_testbed_hack(int nummsgs, X509CertInfo[] certinfo, - IArgBlock httpParams) throws EBaseException { - if (!mIsTestBed) + private void do_testbed_hack( + int nummsgs, X509CertInfo[] certinfo, IArgBlock httpParams) + throws EBaseException { + if (!mIsTestBed) return; - // get around bug in cartman - bits are off by one byte. + // get around bug in cartman - bits are off by one byte. for (int i = 0; i < certinfo.length; i++) { try { X509CertInfo cert = certinfo[i]; - CertificateExtensions exts = (CertificateExtensions) cert - .get(CertificateExtensions.NAME); + CertificateExtensions exts = (CertificateExtensions) + cert.get(CertificateExtensions.NAME); if (exts == null) { // should not happen. continue; } - KeyUsageExtension ext = (KeyUsageExtension) exts - .get(KeyUsageExtension.NAME); + KeyUsageExtension ext = (KeyUsageExtension) + exts.get(KeyUsageExtension.NAME); - if (ext == null) - // should not happen + if (ext == null) + // should not happen continue; byte[] value = ext.getExtensionValue(); @@ -1211,32 +1221,36 @@ public class HashEnrollServlet extends CMSServlet { newvalue[1] = 0x03; newvalue[2] = 0x07; newvalue[3] = value[3]; - // force encryption certs to have digitial signature + // force encryption certs to have digitial signature // set too so smime can find the cert for encryption. if (value[3] == 0x20) { /* - * newvalue[3] = 0x3f; newvalue[4] = (byte)0x80; + newvalue[3] = 0x3f; + newvalue[4] = (byte)0x80; */ - if (httpParams.getValueAsBoolean("dual-use-hack", true)) { + if (httpParams.getValueAsBoolean( + "dual-use-hack", true)) { newvalue[3] = (byte) 0xE0; // same as rsa-dual-use. } } newvalue[4] = 0; - KeyUsageExtension newext = new KeyUsageExtension( - Boolean.valueOf(true), (Object) newvalue); + KeyUsageExtension newext = + new KeyUsageExtension(Boolean.valueOf(true), + (Object) newvalue); exts.delete(KeyUsageExtension.NAME); exts.set(KeyUsageExtension.NAME, newext); } } catch (IOException e) { - // should never happen + // should never happen continue; } catch (CertificateException e) { - // should never happen + // should never happen continue; } } } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java b/pki/base/common/src/com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java index 8f1e57c45..75726730a 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/ImportCertsTemplateFiller.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.BufferedReader; import java.io.ByteArrayOutputStream; import java.io.StringReader; @@ -57,25 +58,25 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; import com.netscape.cms.servlet.common.ICMSTemplateFiller; + /** * Set up HTTP response to import certificate into browsers * - * The result must have been populate with the set of certificates to return. - * + * The result must have been populate with the set of certificates + * to return. * <pre> * inputs: certtype. * outputs: - * - cert type from http input (if any) + * - cert type from http input (if any) * - CA chain - * - authority name (RM, CM, DRM) + * - authority name (RM, CM, DRM) * - scheme:host:port of server. - * array of one or more + * array of one or more * - cert serial number * - cert pretty print - * - cert in base 64 encoding. - * - cmmf blob to import + * - cert in base 64 encoding. + * - cmmf blob to import * </pre> - * * @version $Revision$, $Date$ */ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { @@ -87,7 +88,7 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { public static final String CERT_FINGERPRINT = "certFingerprint"; // cisco public static final String CERT_NICKNAME = "certNickname"; public static final String CMMF_RESP = "cmmfResponse"; - public static final String PKCS7_RESP = "pkcs7ChainBase64"; // for MSIE + public static final String PKCS7_RESP = "pkcs7ChainBase64"; // for MSIE public ImportCertsTemplateFiller() { } @@ -98,31 +99,33 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { * @param locale locale of template. * @param e unexpected exception e. ignored. */ - public CMSTemplateParams getTemplateParams(CMSRequest cmsReq, - IAuthority authority, Locale locale, Exception e) throws Exception { + public CMSTemplateParams getTemplateParams( + CMSRequest cmsReq, IAuthority authority, Locale locale, Exception e) + throws Exception { Certificate[] certs = (Certificate[]) cmsReq.getResult(); if (certs instanceof X509CertImpl[]) - return getX509TemplateParams(cmsReq, authority, locale, e); + return getX509TemplateParams(cmsReq, authority, locale, e); else return null; } - - public CMSTemplateParams getX509TemplateParams(CMSRequest cmsReq, - IAuthority authority, Locale locale, Exception e) throws Exception { + + public CMSTemplateParams getX509TemplateParams( + CMSRequest cmsReq, IAuthority authority, Locale locale, Exception e) + throws Exception { IArgBlock header = CMS.createArgBlock(); IArgBlock fixed = CMS.createArgBlock(); CMSTemplateParams params = new CMSTemplateParams(header, fixed); - // set host name and port. + // set host name and port. HttpServletRequest httpReq = cmsReq.getHttpReq(); String host = httpReq.getServerName(); int port = httpReq.getServerPort(); String scheme = httpReq.getScheme(); String format = httpReq.getParameter("format"); - if (format != null && format.equals("cmc")) + if(format!=null && format.equals("cmc")) fixed.set("importCMC", "false"); - String agentPort = "" + port; + String agentPort = ""+port; fixed.set("agentHost", host); fixed.set("agentPort", agentPort); fixed.set(ICMSTemplateFiller.HOST, host); @@ -131,8 +134,7 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { IRequest r = cmsReq.getIRequest(); if (r != null) { - fixed.set(ICMSTemplateFiller.REQUEST_ID, r.getRequestId() - .toString()); + fixed.set(ICMSTemplateFiller.REQUEST_ID, r.getRequestId().toString()); } // set key record (if KRA enabled) @@ -140,53 +142,53 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { BigInteger keyRecSerialNo = r.getExtDataInBigInteger("keyRecord"); if (keyRecSerialNo != null) { - fixed.set(ICMSTemplateFiller.KEYREC_ID, - keyRecSerialNo.toString()); + fixed.set(ICMSTemplateFiller.KEYREC_ID, keyRecSerialNo.toString()); } } // set cert type. IArgBlock httpParams = cmsReq.getHttpParams(); - String certType = httpParams.getValueAsString(CERT_TYPE, null); + String certType = + httpParams.getValueAsString(CERT_TYPE, null); - if (certType != null) + if (certType != null) fixed.set(CERT_TYPE, certType); - // this authority - fixed.set(ICMSTemplateFiller.AUTHORITY, - (String) authority.getOfficialName()); + // this authority + fixed.set(ICMSTemplateFiller.AUTHORITY, + (String) authority.getOfficialName()); // CA chain. - CertificateChain cachain = ((ICertAuthority) authority) - .getCACertChain(); + CertificateChain cachain = + ((ICertAuthority) authority).getCACertChain(); X509Certificate[] cacerts = cachain.getChain(); String replyTo = httpParams.getValueAsString("replyTo", null); - if (replyTo != null) - fixed.set("replyTo", replyTo); + if (replyTo != null) fixed.set("replyTo", replyTo); - // set user + CA cert chain and pkcs7 for MSIE. + // set user + CA cert chain and pkcs7 for MSIE. X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; int m = 1, n = 0; - for (; n < cacerts.length; m++, n++) + for (; n < cacerts.length; m++, n++) userChain[m] = (X509CertImpl) cacerts[n]; - // certs. + // certs. X509CertImpl[] certs = (X509CertImpl[]) cmsReq.getResult(); // expose CRMF request id String crmfReqId = cmsReq.getExtData(IRequest.CRMF_REQID); if (crmfReqId == null) { - crmfReqId = (String) cmsReq.getResult(IRequest.CRMF_REQID); + crmfReqId = (String) cmsReq.getResult( + IRequest.CRMF_REQID); } if (crmfReqId != null) { fixed.set(CRMF_REQID, crmfReqId); } - // set CA certs in cmmf, initialize CertRepContent + // set CA certs in cmmf, initialize CertRepContent // note cartman can't trust ca certs yet but it'll import them. // also set cert nickname for cartman. CertRepContent certRepContent = null; @@ -194,31 +196,33 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { if (CMSServlet.doCMMFResponse(httpParams)) { byte[][] caPubs = new byte[cacerts.length][]; - for (int j = 0; j < cacerts.length; j++) + for (int j = 0; j < cacerts.length; j++) caPubs[j] = ((X509CertImpl) cacerts[j]).getEncoded(); certRepContent = new CertRepContent(caPubs); - String certnickname = cmsReq.getHttpParams().getValueAsString( - CERT_NICKNAME, null); + String certnickname = + cmsReq.getHttpParams().getValueAsString(CERT_NICKNAME, null); // if nickname is not requested set to subject name by default. - if (certnickname == null) + if (certnickname == null) fixed.set(CERT_NICKNAME, certs[0].getSubjectDN().toString()); else fixed.set(CERT_NICKNAME, certnickname); } - // make pkcs7 for MSIE - if (CMSServlet.clientIsMSIE(cmsReq.getHttpReq()) - && (certType == null || certType.equals("client"))) { + // make pkcs7 for MSIE + if (CMSServlet.clientIsMSIE(cmsReq.getHttpReq()) && + (certType == null || certType.equals("client"))) { userChain[0] = certs[0]; - PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo( - new byte[0]), userChain, new SignerInfo[0]); + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + userChain, + new SignerInfo[0]); ByteArrayOutputStream bos = new ByteArrayOutputStream(); p7.encodeSignedData(bos); byte[] p7Bytes = bos.toByteArray(); - // String p7Str = encoder.encodeBuffer(p7Bytes); + // String p7Str = encoder.encodeBuffer(p7Bytes); String p7Str = CMS.BtoA(p7Bytes); header.set(PKCS7_RESP, p7Str); @@ -230,23 +234,24 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { X509CertImpl cert = certs[i]; // set serial number. - BigInteger serialNo = ((X509Certificate) cert).getSerialNumber(); + BigInteger serialNo = + ((X509Certificate) cert).getSerialNumber(); repeat.addBigIntegerValue(ISSUED_CERT_SERIAL, serialNo, 16); // set base64 encoded blob. byte[] certEncoded = cert.getEncoded(); - // String b64 = encoder.encodeBuffer(certEncoded); + // String b64 = encoder.encodeBuffer(certEncoded); String b64 = CMS.BtoA(certEncoded); - String b64cert = "-----BEGIN CERTIFICATE-----\n" + b64 - + "\n-----END CERTIFICATE-----"; + String b64cert = "-----BEGIN CERTIFICATE-----\n" + + b64 + "\n-----END CERTIFICATE-----"; repeat.set(BASE64_CERT, b64cert); - + // set cert pretty print. - - String prettyPrintRequested = cmsReq.getHttpParams() - .getValueAsString(CERT_PRETTYPRINT, null); + + String prettyPrintRequested = + cmsReq.getHttpParams().getValueAsString(CERT_PRETTYPRINT, null); if (prettyPrintRequested == null) { prettyPrintRequested = "true"; @@ -261,21 +266,21 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { repeat.set(CERT_PRETTYPRINT, ppStr); // Now formulate a PKCS#7 blob - X509CertImpl[] certsInChain = new X509CertImpl[1]; - ; + X509CertImpl[] certsInChain = new X509CertImpl[1];; if (cacerts != null) { for (int j = 0; j < cacerts.length; j++) { if (cert.equals(cacerts[j])) { - certsInChain = new X509CertImpl[cacerts.length]; + certsInChain = new + X509CertImpl[cacerts.length]; break; } certsInChain = new X509CertImpl[cacerts.length + 1]; } } - + // Set the EE cert certsInChain[0] = cert; - + // Set the Ca certificate chain if (cacerts != null) { for (int j = 0; j < cacerts.length; j++) { @@ -287,21 +292,23 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { String p7Str; try { - PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo( - new byte[0]), certsInChain, new SignerInfo[0]); + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + certsInChain, + new SignerInfo[0]); ByteArrayOutputStream bos = new ByteArrayOutputStream(); p7.encodeSignedData(bos); byte[] p7Bytes = bos.toByteArray(); - // p7Str = encoder.encodeBuffer(p7Bytes); + //p7Str = encoder.encodeBuffer(p7Bytes); p7Str = CMS.BtoA(p7Bytes); repeat.addStringValue("pkcs7ChainBase64", p7Str); } catch (Exception ex) { - // p7Str = "PKCS#7 B64 Encoding error - " + ex.toString() - // + "; Please contact your administrator"; + //p7Str = "PKCS#7 B64 Encoding error - " + ex.toString() + //+ "; Please contact your administrator"; throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_FORMING_PKCS7_ERROR")); + CMS.getUserMessage("CMS_GW_FORMING_PKCS7_ERROR")); } // set cert fingerprint (for Cisco routers) @@ -311,24 +318,25 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { fingerprint = CMS.getFingerPrints(cert); } catch (CertificateEncodingException ex) { // should never happen - throw new EBaseException(CMS.getUserMessage(locale, - "CMS_BASE_INTERNAL_ERROR", ex.toString())); + throw new EBaseException( + CMS.getUserMessage(locale, "CMS_BASE_INTERNAL_ERROR", ex.toString())); } catch (NoSuchAlgorithmException ex) { // should never happen - throw new EBaseException(CMS.getUserMessage(locale, - "CMS_BASE_INTERNAL_ERROR", ex.toString())); + throw new EBaseException( + CMS.getUserMessage(locale, "CMS_BASE_INTERNAL_ERROR", ex.toString())); } - if (fingerprint != null && fingerprint.length() > 0) + if (fingerprint != null && fingerprint.length() > 0) repeat.set(CERT_FINGERPRINT, fingerprint); - // cmmf response for this cert. - if (CMSServlet.doCMMFResponse(httpParams) && crmfReqId != null - && (certType == null || certType.equals("client"))) { + // cmmf response for this cert. + if (CMSServlet.doCMMFResponse(httpParams) && crmfReqId != null && + (certType == null || certType.equals("client"))) { PKIStatusInfo status = new PKIStatusInfo(PKIStatusInfo.granted); - CertifiedKeyPair certifiedKP = new CertifiedKeyPair( - new CertOrEncCert(certEncoded)); - CertResponse resp = new CertResponse(new INTEGER(crmfReqId), - status, certifiedKP); + CertifiedKeyPair certifiedKP = + new CertifiedKeyPair(new CertOrEncCert(certEncoded)); + CertResponse resp = + new CertResponse(new INTEGER(crmfReqId), status, + certifiedKP); certRepContent.addCertResponse(resp); } @@ -344,19 +352,19 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { byte[] certRepBytes = certRepOut.toByteArray(); String certRepB64 = com.netscape.osutil.OSUtil.BtoA(certRepBytes); // add CR to each return as required by cartman - BufferedReader certRepB64lines = new BufferedReader( - new StringReader(certRepB64)); + BufferedReader certRepB64lines = + new BufferedReader(new StringReader(certRepB64)); StringWriter certRepStringOut = new StringWriter(); String oneLine = null; boolean first = true; while ((oneLine = certRepB64lines.readLine()) != null) { if (first) { - // certRepStringOut.write("\""+oneLine+"\""); + //certRepStringOut.write("\""+oneLine+"\""); certRepStringOut.write(oneLine); first = false; } else { - // certRepStringOut.write("+\"\\n"+oneLine+"\""); + //certRepStringOut.write("+\"\\n"+oneLine+"\""); certRepStringOut.write("\n" + oneLine); } } @@ -368,3 +376,4 @@ public class ImportCertsTemplateFiller implements ICMSTemplateFiller { return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/ListCerts.java b/pki/base/common/src/com/netscape/cms/servlet/cert/ListCerts.java index 7ec6ee669..e79efc327 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/ListCerts.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/ListCerts.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.PublicKey; @@ -57,9 +58,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Retrieve a paged list of certs matching the specified query - * + * * @version $Revision$, $Date$ */ public class ListCerts extends CMSServlet { @@ -79,8 +81,8 @@ public class ListCerts extends CMSServlet { private ICertificateRepository mCertDB = null; private X500Name mAuthName = null; private String mFormPath = null; - private boolean mReverse = false; - private boolean mHardJumpTo = false; // jump to the end + private boolean mReverse = false; + private boolean mHardJumpTo = false; //jump to the end private String mDirection = null; private boolean mUseClientFilter = false; private Vector mAllowedClientFilters = new Vector(); @@ -96,7 +98,7 @@ public class ListCerts extends CMSServlet { /** * initialize the servlet. This servlet uses the template file * "queryCert.template" to render the response - * + * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -121,54 +123,44 @@ public class ListCerts extends CMSServlet { /* do nothing, just use the default if integer parsing failed */ } - /* - * useClientFilter should be off by default. We keep this parameter - * around so that we do not break the client applications that submits - * raw LDAP filter into this servlet. - */ - if (sc.getInitParameter(USE_CLIENT_FILTER) != null - && sc.getInitParameter(USE_CLIENT_FILTER).equalsIgnoreCase( - "true")) { - mUseClientFilter = true; + /* useClientFilter should be off by default. We keep + this parameter around so that we do not break + the client applications that submits raw LDAP + filter into this servlet. */ + if (sc.getInitParameter(USE_CLIENT_FILTER) != null && + sc.getInitParameter(USE_CLIENT_FILTER).equalsIgnoreCase("true")) { mUseClientFilter = true; } - if (sc.getInitParameter(ALLOWED_CLIENT_FILTERS) == null - || sc.getInitParameter(ALLOWED_CLIENT_FILTERS).equals("")) { - mAllowedClientFilters.addElement("(certStatus=*)"); - mAllowedClientFilters.addElement("(certStatus=VALID)"); - mAllowedClientFilters - .addElement("(|(certStatus=VALID)(certStatus=INVALID)(certStatus=EXPIRED))"); - mAllowedClientFilters - .addElement("(|(certStatus=VALID)(certStatus=REVOKED))"); + if (sc.getInitParameter(ALLOWED_CLIENT_FILTERS) == null || sc.getInitParameter(ALLOWED_CLIENT_FILTERS).equals("")) { + mAllowedClientFilters.addElement("(certStatus=*)"); + mAllowedClientFilters.addElement("(certStatus=VALID)"); + mAllowedClientFilters.addElement("(|(certStatus=VALID)(certStatus=INVALID)(certStatus=EXPIRED))"); + mAllowedClientFilters.addElement("(|(certStatus=VALID)(certStatus=REVOKED))"); } else { - StringTokenizer st = new StringTokenizer( - sc.getInitParameter(ALLOWED_CLIENT_FILTERS), ","); + StringTokenizer st = new StringTokenizer(sc.getInitParameter(ALLOWED_CLIENT_FILTERS), ","); while (st.hasMoreTokens()) { - mAllowedClientFilters.addElement(st.nextToken()); + mAllowedClientFilters.addElement(st.nextToken()); } } } - public String buildFilter(HttpServletRequest req) { + public String buildFilter(HttpServletRequest req) + { String queryCertFilter = req.getParameter("queryCertFilter"); - com.netscape.certsrv.apps.CMS.debug("client queryCertFilter=" - + queryCertFilter); + com.netscape.certsrv.apps.CMS.debug("client queryCertFilter=" + queryCertFilter); if (mUseClientFilter) { com.netscape.certsrv.apps.CMS.debug("useClientFilter=true"); Enumeration filters = mAllowedClientFilters.elements(); // check to see if the filter is allowed while (filters.hasMoreElements()) { - String filter = (String) filters.nextElement(); - com.netscape.certsrv.apps.CMS.debug("Comparing filter=" - + filter + " queryCertFilter=" + queryCertFilter); + String filter = (String)filters.nextElement(); + com.netscape.certsrv.apps.CMS.debug("Comparing filter=" + filter + " queryCertFilter=" + queryCertFilter); if (filter.equals(queryCertFilter)) { return queryCertFilter; } } - com.netscape.certsrv.apps.CMS.debug("Requested filter '" - + queryCertFilter + "' is not allowed. Please check the " - + ALLOWED_CLIENT_FILTERS + "parameter"); + com.netscape.certsrv.apps.CMS.debug("Requested filter '" + queryCertFilter + "' is not allowed. Please check the " + ALLOWED_CLIENT_FILTERS + "parameter"); return null; } else { com.netscape.certsrv.apps.CMS.debug("useClientFilter=false"); @@ -176,38 +168,35 @@ public class ListCerts extends CMSServlet { boolean skipRevoked = false; boolean skipNonValid = false; - if (req.getParameter("skipRevoked") != null - && req.getParameter("skipRevoked").equals("on")) { + if (req.getParameter("skipRevoked") != null && + req.getParameter("skipRevoked").equals("on")) { skipRevoked = true; } - if (req.getParameter("skipNonValid") != null - && req.getParameter("skipNonValid").equals("on")) { + if (req.getParameter("skipNonValid") != null && + req.getParameter("skipNonValid").equals("on")) { skipNonValid = true; } if (!skipRevoked && !skipNonValid) { - queryCertFilter = "(certStatus=*)"; - } else if (skipRevoked && skipNonValid) { - queryCertFilter = "(certStatus=VALID)"; - } else if (skipRevoked) { - queryCertFilter = "(|(certStatus=VALID)(certStatus=INVALID)(certStatus=EXPIRED))"; - } else if (skipNonValid) { - queryCertFilter = "(|(certStatus=VALID)(certStatus=REVOKED))"; + queryCertFilter = "(certStatus=*)"; + } else if (skipRevoked && skipNonValid) { + queryCertFilter = "(certStatus=VALID)"; + } else if (skipRevoked) { + queryCertFilter = "(|(certStatus=VALID)(certStatus=INVALID)(certStatus=EXPIRED))"; + } else if (skipNonValid) { + queryCertFilter = "(|(certStatus=VALID)(certStatus=REVOKED))"; } return queryCertFilter; } /** - * Process the HTTP request. - * <ul> - * <li>http.param maxCount Number of certificates to show + * Process the HTTP request. + * <ul> + * <li>http.param maxCount Number of certificates to show * <li>http.param queryFilter and ldap style filter specifying the - * certificates to show - * <li>http.param querySentinelDown the serial number of the first - * certificate to show (default decimal, or hex if prefixed with 0x) when - * paging down - * <li>http.param querySentinelUp the serial number of the first certificate - * to show (default decimal, or hex if prefixed with 0x) when paging up + * certificates to show + * <li>http.param querySentinelDown the serial number of the first certificate to show (default decimal, or hex if prefixed with 0x) when paging down + * <li>http.param querySentinelUp the serial number of the first certificate to show (default decimal, or hex if prefixed with 0x) when paging up * <li>http.param direction "up", "down", "begin", or "end" * </ul> */ @@ -220,8 +209,8 @@ public class ListCerts extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "list"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "list"); } catch (Exception e) { } @@ -246,54 +235,50 @@ public class ListCerts extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - com.netscape.certsrv.apps.CMS.getLogMessage( - "CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + log(ILogger.LL_FAILURE, + com.netscape.certsrv.apps.CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException( - com.netscape.certsrv.apps.CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + com.netscape.certsrv.apps.CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } - mHardJumpTo = false; + mHardJumpTo = false; try { - if (req.getParameter("direction") != null) { - mDirection = req.getParameter("direction").trim(); - mReverse = mDirection.equals("up"); - if (mReverse) - com.netscape.certsrv.apps.CMS.debug("reverse is true"); - else - com.netscape.certsrv.apps.CMS.debug("reverse is false"); + if (req.getParameter("direction") != null) { + mDirection = req.getParameter("direction").trim(); + mReverse = mDirection.equals("up"); + if (mReverse) + com.netscape.certsrv.apps.CMS.debug("reverse is true"); + else + com.netscape.certsrv.apps.CMS.debug("reverse is false"); - } + } if (req.getParameter("maxCount") != null) { maxCount = Integer.parseInt(req.getParameter("maxCount")); } if (maxCount == -1 || maxCount > mMaxReturns) { - com.netscape.certsrv.apps.CMS.debug("Resetting page size from " - + maxCount + " to " + mMaxReturns); + com.netscape.certsrv.apps.CMS.debug("Resetting page size from " + maxCount + " to " + mMaxReturns); maxCount = mMaxReturns; } - String sentinelStr = ""; - if (mReverse) { - sentinelStr = req.getParameter("querySentinelUp"); - } else if (mDirection.equals("end")) { - // this servlet will figure out the end - sentinelStr = "0"; - mReverse = true; - mHardJumpTo = true; - } else if (mDirection.equals("down")) { - sentinelStr = req.getParameter("querySentinelDown"); - } else - sentinelStr = "0"; - // begin and non-specified have sentinel default "0" + String sentinelStr = ""; + if (mReverse) { + sentinelStr = req.getParameter("querySentinelUp"); + } else if (mDirection.equals("end")) { + // this servlet will figure out the end + sentinelStr = "0"; + mReverse = true; + mHardJumpTo = true; + } else if (mDirection.equals("down")) { + sentinelStr = req.getParameter("querySentinelDown"); + } else + sentinelStr = "0"; + //begin and non-specified have sentinel default "0" if (sentinelStr != null) { if (sentinelStr.trim().startsWith("0x")) { - sentinel = new BigInteger(sentinelStr.trim().substring(2), - 16); + sentinel = new BigInteger(sentinelStr.trim().substring(2), 16); } else { sentinel = new BigInteger(sentinelStr, 10); } @@ -302,12 +287,11 @@ public class ListCerts extends CMSServlet { revokeAll = req.getParameter("revokeAll"); if (mAuthority instanceof ICertificateAuthority) { - X509CertImpl caCert = ((ICertificateAuthority) mAuthority) - .getSigningUnit().getCertImpl(); + X509CertImpl caCert = ((ICertificateAuthority) mAuthority).getSigningUnit().getCertImpl(); - // if (isCertFromCA(caCert)) - header.addStringValue("caSerialNumber", caCert - .getSerialNumber().toString(16)); + //if (isCertFromCA(caCert)) + header.addStringValue("caSerialNumber", + caCert.getSerialNumber().toString(16)); } // constructs the ldap filter on the server side @@ -317,28 +301,25 @@ public class ListCerts extends CMSServlet { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - com.netscape.certsrv.apps.CMS.debug("queryCertFilter=" - + queryCertFilter); + + com.netscape.certsrv.apps.CMS.debug("queryCertFilter=" + queryCertFilter); int totalRecordCount = -1; try { - totalRecordCount = Integer.parseInt(req - .getParameter("totalRecordCount")); + totalRecordCount = Integer.parseInt(req.getParameter("totalRecordCount")); } catch (Exception e) { } - processCertFilter(argSet, header, maxCount, sentinel, - totalRecordCount, req.getParameter("serialTo"), - queryCertFilter, req, resp, revokeAll, locale[0]); + processCertFilter(argSet, header, maxCount, + sentinel, + totalRecordCount, + req.getParameter("serialTo"), + queryCertFilter, + req, resp, revokeAll, locale[0]); } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - com.netscape.certsrv.apps.CMS - .getLogMessage("BASE_INVALID_NUMBER_FORMAT")); - - error = new EBaseException( - com.netscape.certsrv.apps.CMS.getUserMessage( - getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, com.netscape.certsrv.apps.CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + + error = new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage(getLocale(req),"CMS_BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } @@ -351,38 +332,44 @@ public class ListCerts extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - cmsReq.setStatus(CMSRequest.SUCCESS); - resp.setContentType("text/html"); - form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - com.netscape.certsrv.apps.CMS.getLogMessage( - "CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + com.netscape.certsrv.apps.CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - com.netscape.certsrv.apps.CMS - .getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + com.netscape.certsrv.apps.CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } - private void processCertFilter(CMSTemplateParams argSet, IArgBlock header, - int maxCount, BigInteger sentinel, int totalRecordCount, - String serialTo, String filter, HttpServletRequest req, - HttpServletResponse resp, String revokeAll, Locale locale) - throws EBaseException { + private void processCertFilter(CMSTemplateParams argSet, + IArgBlock header, + int maxCount, + BigInteger sentinel, + int totalRecordCount, + String serialTo, + String filter, + HttpServletRequest req, + HttpServletResponse resp, + String revokeAll, + Locale locale + ) throws EBaseException { BigInteger serialToVal = MINUS_ONE; try { if (serialTo != null) { serialTo = serialTo.trim(); if (serialTo.startsWith("0x")) { - serialToVal = new BigInteger(serialTo.substring(2), 16); + serialToVal = new BigInteger + (serialTo.substring(2), 16); serialTo = serialToVal.toString(); } else { serialToVal = new BigInteger(serialTo); @@ -392,30 +379,32 @@ public class ListCerts extends CMSServlet { } String jumpTo = sentinel.toString(); - int pSize = 0; - if (mReverse) { - if (!mHardJumpTo) // reverse gets one more - pSize = -1 * maxCount - 1; - else - pSize = -1 * maxCount; - } else - pSize = maxCount; - - ICertRecordList list = (ICertRecordList) mCertDB - .findCertRecordsInList(filter, (String[]) null, jumpTo, - mHardJumpTo, "serialno", pSize); + int pSize = 0; + if (mReverse) { + if (!mHardJumpTo) //reverse gets one more + pSize = -1*maxCount-1; + else + pSize = -1*maxCount; + } else + pSize = maxCount; + + ICertRecordList list = (ICertRecordList) mCertDB.findCertRecordsInList( + filter, (String[]) null, jumpTo, mHardJumpTo, "serialno", + pSize); // retrive maxCount + 1 entries - Enumeration e = list.getCertRecords(0, maxCount); + Enumeration e = list.getCertRecords(0, maxCount); ICertRecordList tolist = null; int toCurIndex = 0; if (!serialToVal.equals(MINUS_ONE)) { - // if user specify a range, we need to + // if user specify a range, we need to // calculate the totalRecordCount - tolist = (ICertRecordList) mCertDB.findCertRecordsInList(filter, - (String[]) null, serialTo, "serialno", maxCount); + tolist = (ICertRecordList) mCertDB.findCertRecordsInList( + filter, + (String[]) null, serialTo, + "serialno", maxCount); Enumeration en = tolist.getCertRecords(0, 0); if (en == null || (!en.hasMoreElements())) { @@ -428,98 +417,88 @@ public class ListCerts extends CMSServlet { if (curToSerial.compareTo(serialToVal) == -1) { toCurIndex = list.getSize() - 1; } else { - if (!rx.getSerialNumber().toString() - .equals(serialTo.trim())) { + if (!rx.getSerialNumber().toString().equals(serialTo.trim())) { toCurIndex = toCurIndex - 1; } } } } - + int curIndex = list.getCurrentIndex(); int count = 0; - BigInteger firstSerial = new BigInteger("0"); - BigInteger curSerial = new BigInteger("0"); - ICertRecord[] recs = new ICertRecord[maxCount]; - int rcount = 0; + BigInteger firstSerial = new BigInteger("0"); + BigInteger curSerial = new BigInteger("0"); + ICertRecord[] recs = new ICertRecord[maxCount]; + int rcount = 0; if (e != null) { - /* - * in reverse (page up), because the sentinel is the one after the - * last item to be displayed, we need to skip it - */ - while ((count < ((mReverse && !mHardJumpTo) ? (maxCount + 1) - : maxCount)) && e.hasMoreElements()) { + /* in reverse (page up), because the sentinel is the one after the + * last item to be displayed, we need to skip it + */ + while ((count < ((mReverse &&!mHardJumpTo)? (maxCount+1):maxCount)) && e.hasMoreElements()) { ICertRecord rec = (ICertRecord) e.nextElement(); if (rec == null) { - com.netscape.certsrv.apps.CMS.debug("record " + count - + " is null"); + com.netscape.certsrv.apps.CMS.debug("record "+count+" is null"); break; - } + } curSerial = rec.getSerialNumber(); - com.netscape.certsrv.apps.CMS.debug("record " + count - + " is serial#" + curSerial); - - if (count == 0) { - firstSerial = curSerial; - if (mReverse && !mHardJumpTo) {// reverse got one more, skip - count++; - continue; - } - } - - // DS has a problem where last record will be returned - // even though the filter is not matched. - /* - * cfu - is this necessary? it breaks when paging up if - * (curSerial.compareTo(sentinel) == -1) { - * com.netscape.certsrv.apps - * .CMS.debug("curSerial compare sentinel -1 break..."); - * - * break; } - */ + com.netscape.certsrv.apps.CMS.debug("record "+count+" is serial#"+curSerial); + + if (count == 0) { + firstSerial = curSerial; + if (mReverse && !mHardJumpTo) {//reverse got one more, skip + count++; + continue; + } + } + + // DS has a problem where last record will be returned + // even though the filter is not matched. + /*cfu - is this necessary? it breaks when paging up + if (curSerial.compareTo(sentinel) == -1) { + com.netscape.certsrv.apps.CMS.debug("curSerial compare sentinel -1 break..."); + + break; + } + */ if (!serialToVal.equals(MINUS_ONE)) { // check if we go over the limit if (curSerial.compareTo(serialToVal) == 1) { - com.netscape.certsrv.apps.CMS - .debug("curSerial compare serialToVal 1 breaking..."); + com.netscape.certsrv.apps.CMS.debug("curSerial compare serialToVal 1 breaking..."); break; - } + } } - if (mReverse) { - recs[rcount++] = rec; - } else { + if (mReverse) { + recs[rcount++] = rec; + } else { - IArgBlock rarg = com.netscape.certsrv.apps.CMS - .createArgBlock(); + IArgBlock rarg = com.netscape.certsrv.apps.CMS.createArgBlock(); - fillRecordIntoArg(rec, rarg); - argSet.addRepeatRecord(rarg); - } + fillRecordIntoArg(rec, rarg); + argSet.addRepeatRecord(rarg); + } count++; } } else { - com.netscape.certsrv.apps.CMS - .debug("ListCerts::processCertFilter() - no Cert Records found!"); + com.netscape.certsrv.apps.CMS.debug( + "ListCerts::processCertFilter() - no Cert Records found!" ); return; } - if (mReverse) { - // fill records into arg block and argSet - for (int ii = rcount - 1; ii >= 0; ii--) { - if (recs[ii] != null) { - IArgBlock rarg = com.netscape.certsrv.apps.CMS - .createArgBlock(); - // com.netscape.certsrv.apps.CMS.debug("item "+ii+" is serial # "+ - // recs[ii].getSerialNumber()); - fillRecordIntoArg(recs[ii], rarg); - argSet.addRepeatRecord(rarg); - } - } - } + if (mReverse) { + // fill records into arg block and argSet + for (int ii = rcount-1; ii>= 0; ii--) { + if (recs[ii] != null) { + IArgBlock rarg = com.netscape.certsrv.apps.CMS.createArgBlock(); + //com.netscape.certsrv.apps.CMS.debug("item "+ii+" is serial # "+ recs[ii].getSerialNumber()); + fillRecordIntoArg(recs[ii], rarg); + argSet.addRepeatRecord(rarg); + } + } + } // peek ahead ICertRecord nextRec = null; @@ -543,72 +522,70 @@ public class ListCerts extends CMSServlet { if (totalRecordCount == -1) { if (!serialToVal.equals(MINUS_ONE)) { totalRecordCount = toCurIndex - curIndex + 1; - com.netscape.certsrv.apps.CMS.debug("totalRecordCount=" - + totalRecordCount); + com.netscape.certsrv.apps.CMS.debug("totalRecordCount="+totalRecordCount); } else { - totalRecordCount = list.getSize() - list.getCurrentIndex(); - com.netscape.certsrv.apps.CMS.debug("totalRecordCount=" - + totalRecordCount); + totalRecordCount = list.getSize() - + list.getCurrentIndex(); + com.netscape.certsrv.apps.CMS.debug("totalRecordCount="+totalRecordCount); } } header.addIntegerValue("totalRecordCount", totalRecordCount); - header.addIntegerValue("currentRecordCount", - list.getSize() - list.getCurrentIndex()); - - String qs = ""; - if (mReverse) - qs = "querySentinelUp"; - else - qs = "querySentinelDown"; - - if (mHardJumpTo) { - com.netscape.certsrv.apps.CMS - .debug("curSerial added to querySentinelUp:" - + curSerial.toString()); - - header.addStringValue("querySentinelUp", curSerial.toString()); + header.addIntegerValue("currentRecordCount", list.getSize() - + list.getCurrentIndex()); + + String qs = ""; + if (mReverse) + qs = "querySentinelUp"; + else + qs = "querySentinelDown"; + + if (mHardJumpTo) { + com.netscape.certsrv.apps.CMS.debug("curSerial added to querySentinelUp:"+ curSerial.toString()); + + header.addStringValue("querySentinelUp", curSerial.toString()); + } else { + if (nextRec == null) { + header.addStringValue(qs, null); + com.netscape.certsrv.apps.CMS.debug("nextRec is null"); + if (mReverse) { + com.netscape.certsrv.apps.CMS.debug("curSerial added to querySentinelUp:"+ curSerial.toString()); + + header.addStringValue("querySentinelUp", curSerial.toString()); + } } else { - if (nextRec == null) { - header.addStringValue(qs, null); - com.netscape.certsrv.apps.CMS.debug("nextRec is null"); - if (mReverse) { - com.netscape.certsrv.apps.CMS - .debug("curSerial added to querySentinelUp:" - + curSerial.toString()); - - header.addStringValue("querySentinelUp", - curSerial.toString()); - } - } else { - BigInteger nextRecNo = nextRec.getSerialNumber(); + BigInteger nextRecNo = nextRec.getSerialNumber(); - if (serialToVal.equals(MINUS_ONE)) { - header.addStringValue(qs, nextRecNo.toString()); + if (serialToVal.equals(MINUS_ONE)) { + header.addStringValue( + qs, nextRecNo.toString()); + } else { + if (nextRecNo.compareTo(serialToVal) <= 0) { + header.addStringValue( + qs, nextRecNo.toString()); } else { - if (nextRecNo.compareTo(serialToVal) <= 0) { - header.addStringValue(qs, nextRecNo.toString()); - } else { - header.addStringValue(qs, null); - } + header.addStringValue(qs, + null); } - com.netscape.certsrv.apps.CMS.debug("querySentinel " + qs - + " = " + nextRecNo.toString()); } - } // !mHardJumpto + com.netscape.certsrv.apps.CMS.debug("querySentinel "+qs+" = "+nextRecNo.toString()); + } + } // !mHardJumpto - header.addStringValue(!mReverse ? "querySentinelUp" - : "querySentinelDown", firstSerial.toString()); + header.addStringValue(!mReverse? "querySentinelUp":"querySentinelDown", + firstSerial.toString()); } /** * Process the key search. */ - private void process(CMSTemplateParams argSet, IArgBlock header, - int maxCount, int sentinel, String filter, HttpServletRequest req, - HttpServletResponse resp, String revokeAll, Locale locale) - throws EBaseException { + private void process(CMSTemplateParams argSet, IArgBlock header, + int maxCount, int sentinel, + String filter, HttpServletRequest req, + HttpServletResponse resp, + String revokeAll, Locale locale) + throws EBaseException { try { if (filter.indexOf(CURRENT_TIME, 0) > -1) { filter = insertCurrentTime(filter); @@ -618,11 +595,11 @@ public class ListCerts extends CMSServlet { } // xxx the filter includes serial number range??? - ICertRecordList list = (ICertRecordList) mCertDB - .findCertRecordsInList(filter, null, maxCount); + ICertRecordList list = + (ICertRecordList) mCertDB.findCertRecordsInList(filter, null, maxCount); // sentinel is the index on the list now, not serial number - Enumeration e = list.getCertRecords(sentinel, sentinel + maxCount - - 1); + Enumeration e = + list.getCertRecords(sentinel, sentinel + maxCount - 1); int count = 0; @@ -651,9 +628,7 @@ public class ListCerts extends CMSServlet { else header.addStringValue("querySentinelDown", null); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - com.netscape.certsrv.apps.CMS.getLogMessage( - "CMSGW_ERROR_LISTCERTS", e.toString())); + log(ILogger.LL_FAILURE, com.netscape.certsrv.apps.CMS.getLogMessage("CMSGW_ERROR_LISTCERTS", e.toString())); throw e; } return; @@ -666,8 +641,7 @@ public class ListCerts extends CMSServlet { int i = filter.indexOf(CURRENT_TIME, k); while (i > -1) { - if (now == null) - now = new Date(); + if (now == null) now = new Date(); if (newFilter.length() == 0) { newFilter.append(filter.substring(k, i)); newFilter.append(now.getTime()); @@ -688,7 +662,7 @@ public class ListCerts extends CMSServlet { * Fills cert record into argument block. */ private void fillRecordIntoArg(ICertRecord rec, IArgBlock rarg) - throws EBaseException { + throws EBaseException { X509CertImpl xcert = rec.getCertificate(); @@ -696,16 +670,15 @@ public class ListCerts extends CMSServlet { fillX509RecordIntoArg(rec, rarg); } } - + private void fillX509RecordIntoArg(ICertRecord rec, IArgBlock rarg) - throws EBaseException { + throws EBaseException { X509CertImpl cert = rec.getCertificate(); rarg.addIntegerValue("version", cert.getVersion()); rarg.addStringValue("serialNumber", cert.getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", cert.getSerialNumber() - .toString()); + rarg.addStringValue("serialNumberDecimal", cert.getSerialNumber().toString()); if (cert.getSubjectDN().toString().equals("")) { rarg.addStringValue("subject", " "); @@ -726,32 +699,28 @@ public class ListCerts extends CMSServlet { if (pKey instanceof X509Key) { key = (X509Key) pKey; } - rarg.addStringValue("subjectPublicKeyAlgorithm", key - .getAlgorithmId().getOID().toString()); + rarg.addStringValue("subjectPublicKeyAlgorithm", key.getAlgorithmId().getOID().toString()); if (key.getAlgorithmId().toString().equalsIgnoreCase("RSA")) { RSAPublicKey rsaKey = new RSAPublicKey(key.getEncoded()); - rarg.addIntegerValue("subjectPublicKeyLength", - rsaKey.getKeySize()); + rarg.addIntegerValue("subjectPublicKeyLength", rsaKey.getKeySize()); } } catch (Exception e) { rarg.addStringValue("subjectPublicKeyAlgorithm", null); rarg.addIntegerValue("subjectPublicKeyLength", 0); } - rarg.addLongValue("validNotBefore", - cert.getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotBefore", cert.getNotBefore().getTime() / 1000); rarg.addLongValue("validNotAfter", cert.getNotAfter().getTime() / 1000); rarg.addStringValue("signatureAlgorithm", cert.getSigAlgOID()); String issuedBy = rec.getIssuedBy(); - if (issuedBy == null) - issuedBy = ""; + if (issuedBy == null) issuedBy = ""; rarg.addStringValue("issuedBy", issuedBy); // cert.getIssuerDN().toString() rarg.addLongValue("issuedOn", rec.getCreateTime().getTime() / 1000); - rarg.addStringValue("revokedBy", ((rec.getRevokedBy() == null) ? "" - : rec.getRevokedBy())); + rarg.addStringValue("revokedBy", + ((rec.getRevokedBy() == null) ? "" : rec.getRevokedBy())); if (rec.getRevokedOn() == null) { rarg.addStringValue("revokedOn", null); } else { @@ -770,8 +739,7 @@ public class ListCerts extends CMSServlet { Extension ext = (Extension) enum1.nextElement(); if (ext instanceof CRLReasonExtension) { - reason = ((CRLReasonExtension) ext).getReason() - .toInt(); + reason = ((CRLReasonExtension) ext).getReason().toInt(); break; } } @@ -781,3 +749,4 @@ public class ListCerts extends CMSServlet { } } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/Monitor.java b/pki/base/common/src/com/netscape/cms/servlet/cert/Monitor.java index 577caa18e..db77d039c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/Monitor.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/Monitor.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Calendar; import java.util.Date; @@ -50,9 +51,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Provide statistical queries of request and certificate records. - * + * * @version $Revision$, $Date$ */ public class Monitor extends CMSServlet { @@ -81,8 +83,8 @@ public class Monitor extends CMSServlet { /** * initialize the servlet. This servlet uses the template file - * 'monitor.template' to render the response. - * + * 'monitor.template' to render the response. + * * @param sc servlet configuration, read from the web.xml file */ @@ -109,8 +111,8 @@ public class Monitor extends CMSServlet { * Process the HTTP request. * <ul> * <li>http.param startTime start of time period to query - * <li>http.param endTime end of time period to query - * <li>http.param interval time between queries + * <li>http.param endTime end of time period to query + * <li>http.param interval time between queries * <li>http.param numberOfIntervals number of queries to run * <li>http.param maxResults =number * <li>http.param timeLimit =time @@ -124,14 +126,14 @@ public class Monitor extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "read"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "read"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -156,11 +158,9 @@ public class Monitor extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { @@ -169,11 +169,10 @@ public class Monitor extends CMSServlet { interval = req.getParameter("interval"); numberOfIntervals = req.getParameter("numberOfIntervals"); - process(argSet, header, startTime, endTime, interval, - numberOfIntervals, locale[0]); + process(argSet, header, startTime, endTime, interval, numberOfIntervals, locale[0]); } catch (EBaseException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_PROCESSING_REQ", e.toString())); + CMS.getLogMessage("CMSGW_ERR_PROCESSING_REQ", e.toString())); error = e; } @@ -183,34 +182,35 @@ public class Monitor extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", + e.toString())); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } - private void process(CMSTemplateParams argSet, IArgBlock header, - String startTime, String endTime, String interval, - String numberOfIntervals, Locale locale) throws EBaseException { + private void process(CMSTemplateParams argSet, IArgBlock header, + String startTime, String endTime, + String interval, String numberOfIntervals, + Locale locale) + throws EBaseException { if (interval == null || interval.length() == 0) { header.addStringValue("error", "Invalid interval: " + interval); return; } if (numberOfIntervals == null || numberOfIntervals.length() == 0) { - header.addStringValue("error", "Invalid number of intervals: " - + numberOfIntervals); + header.addStringValue("error", "Invalid number of intervals: " + numberOfIntervals); return; } @@ -235,8 +235,7 @@ public class Monitor extends CMSServlet { try { iNumberOfIntervals = Integer.parseInt(numberOfIntervals); } catch (NumberFormatException nfe) { - header.addStringValue("error", "Invalid number of intervals: " - + numberOfIntervals); + header.addStringValue("error", "Invalid number of intervals: " + numberOfIntervals); return; } @@ -271,7 +270,7 @@ public class Monitor extends CMSServlet { return; } - + Date nextDate(Date d, int seconds) { Date date = new Date((d.getTime()) + ((long) (seconds * 1000))); @@ -289,8 +288,7 @@ public class Monitor extends CMSServlet { try { if (mCertDB != null) { - filter = Filter(ICertRecord.ATTR_CREATE_TIME, startTime, - endTime); + filter = Filter(ICertRecord.ATTR_CREATE_TIME, startTime, endTime); Enumeration e = mCertDB.findCertRecs(filter); @@ -308,21 +306,18 @@ public class Monitor extends CMSServlet { } if (mQueue != null) { - filter = Filter(IRequestRecord.ATTR_CREATE_TIME, startTime, - endTime); + filter = Filter(IRequestRecord.ATTR_CREATE_TIME, startTime, endTime); IRequestList reqList = mQueue.listRequestsByFilter(filter); int count = 0; while (reqList != null && reqList.hasMoreElements()) { - IRequestRecord rec = (IRequestRecord) reqList - .nextRequest(); + IRequestRecord rec = (IRequestRecord) reqList.nextRequest(); if (rec != null) { if (count == 0) { - arg.addStringValue("firstRequest", rec - .getRequestId().toString()); + arg.addStringValue("firstRequest", rec.getRequestId().toString()); } count++; } @@ -331,21 +326,20 @@ public class Monitor extends CMSServlet { mTotalReqs += count; } } catch (Exception ex) { - return "Exception: " + ex; + return "Exception: " + ex; } return null; } else { - return "Missing start or end date"; + return "Missing start or end date"; } } Date StringToDate(String z) { Date d = null; - if (z != null - && (z.length() == 14 || z.length() == 15 - && (z.charAt(14) == 'Z' || z.charAt(14) == 'z'))) { + if (z != null && (z.length() == 14 || + z.length() == 15 && (z.charAt(14) == 'Z' || z.charAt(14) == 'z'))) { // 20020516132030Z or 20020516132030 try { int year = Integer.parseInt(z.substring(0, 4)); @@ -354,12 +348,12 @@ public class Monitor extends CMSServlet { int hour = Integer.parseInt(z.substring(8, 10)); int minute = Integer.parseInt(z.substring(10, 12)); int second = Integer.parseInt(z.substring(12, 14)); - Calendar calendar = Calendar.getInstance(); + Calendar calendar= Calendar.getInstance(); calendar.set(year, month, date, hour, minute, second); d = calendar.getTime(); } catch (NumberFormatException nfe) { } - } else if (z != null && z.length() > 1 && z.charAt(0) == '-') { // -5 + } else if (z != null && z.length() > 1 && z.charAt(0) == '-') { // -5 try { int i = Integer.parseInt(z); @@ -376,42 +370,37 @@ public class Monitor extends CMSServlet { Calendar calendar = Calendar.getInstance(); calendar.setTime(d); + String time = "" + (calendar.get(Calendar.YEAR)); int i = calendar.get(Calendar.MONTH) + 1; - if (i < 10) - time += "0"; + if (i < 10) time += "0"; time += i; - i = calendar.get(Calendar.DAY_OF_MONTH); - if (i < 10) - time += "0"; + i = calendar.get(Calendar.DAY_OF_MONTH); + if (i < 10) time += "0"; time += i; i = calendar.get(Calendar.HOUR_OF_DAY); - if (i < 10) - time += "0"; + if (i < 10) time += "0"; time += i; i = calendar.get(Calendar.MINUTE); - if (i < 10) - time += "0"; + if (i < 10) time += "0"; time += i; i = calendar.get(Calendar.SECOND); - if (i < 10) - time += "0"; + if (i < 10) time += "0"; time += i + "Z"; return time; } String Filter(String name, String start, String end) { - String filter = "(&(" + name + ">=" + start + ")(" + name + "<=" + end - + "))"; + String filter = "(&(" + name + ">=" + start + ")(" + name + "<=" + end + "))"; return filter; } String uriFilter(String name, String start, String end) { - String filter = "(%26(" + name + "%3e%3d" + start + ")(" + name - + "%3c%3d" + end + "))"; + String filter = "(%26(" + name + "%3e%3d" + start + ")(" + name + "%3c%3d" + end + "))"; return filter; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/ReasonToRevoke.java b/pki/base/common/src/com/netscape/cms/servlet/cert/ReasonToRevoke.java index 2d11bff6b..50296cf1c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/ReasonToRevoke.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/ReasonToRevoke.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Enumeration; import java.util.Locale; @@ -47,9 +48,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Specify the RevocationReason when revoking a certificate - * + * * @version $Revision$, $Date$ */ public class ReasonToRevoke extends CMSServlet { @@ -73,9 +75,9 @@ public class ReasonToRevoke extends CMSServlet { } /** - * initialize the servlet. This servlet uses the template file - * 'reasonToRevoke.template' to render the response - * + * initialize the servlet. This servlet uses the template file + * 'reasonToRevoke.template' to render the response + * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -83,8 +85,7 @@ public class ReasonToRevoke extends CMSServlet { mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) { mCA = (ICertificateAuthority) mAuthority; - mCertDB = ((ICertificateAuthority) mAuthority) - .getCertificateRepository(); + mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); } if (mCA != null && mCA.noncesEnabled()) { @@ -107,13 +108,13 @@ public class ReasonToRevoke extends CMSServlet { /** * Returns serlvet information. */ - public String getServletInfo() { - return INFO; + public String getServletInfo() { + return INFO; } /** - * Process the HTTP request. - * + * Process the HTTP request. + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -125,14 +126,14 @@ public class ReasonToRevoke extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "revoke"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "revoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -150,11 +151,10 @@ public class ReasonToRevoke extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } IArgBlock header = CMS.createArgBlock(); @@ -163,28 +163,31 @@ public class ReasonToRevoke extends CMSServlet { try { if (req.getParameter("totalRecordCount") != null) { - totalRecordCount = Integer.parseInt(req - .getParameter("totalRecordCount")); + totalRecordCount = + Integer.parseInt(req.getParameter("totalRecordCount")); } revokeAll = req.getParameter("revokeAll"); - process(argSet, header, req, resp, revokeAll, totalRecordCount, - locale[0]); + process(argSet, header, req, resp, + revokeAll, totalRecordCount, locale[0]); } catch (EBaseException e) { error = e; } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_RECORD_COUNT_FORMAT")); - error = new EBaseException(CMS.getUserMessage(getLocale(req), - "CMS_BASE_INVALID_NUMBER_FORMAT")); - } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_RECORD_COUNT_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT")); + } /* - * catch (Exception e) { noError = false; - * header.addStringValue(OUT_ERROR, MessageFormatter.getLocalizedString( - * errorlocale[0], BaseResources.class.getName(), - * BaseResources.INTERNAL_ERROR_1, e.toString())); } + catch (Exception e) { + noError = false; + header.addStringValue(OUT_ERROR, + MessageFormatter.getLocalizedString( + errorlocale[0], + BaseResources.class.getName(), + BaseResources.INTERNAL_ERROR_1, + e.toString())); + } */ try { @@ -193,28 +196,30 @@ public class ReasonToRevoke extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, String revokeAll, - int totalRecordCount, Locale locale) throws EBaseException { + HttpServletRequest req, + HttpServletResponse resp, + String revokeAll, int totalRecordCount, + Locale locale) + throws EBaseException { header.addStringValue("revokeAll", revokeAll); header.addIntegerValue("totalRecordCount", totalRecordCount); @@ -232,15 +237,15 @@ public class ReasonToRevoke extends CMSServlet { X509CertImpl caCert = mCA.getSigningUnit().getCertImpl(); if (isCertFromCA(caCert)) { - header.addStringValue("caSerialNumber", caCert - .getSerialNumber().toString(16)); + header.addStringValue("caSerialNumber", + caCert.getSerialNumber().toString(16)); } } /** - * ICertRecordList list = mCertDB.findCertRecordsInList( revokeAll, - * null, totalRecordCount); Enumeration e = list.getCertRecords(0, - * totalRecordCount - 1); + ICertRecordList list = mCertDB.findCertRecordsInList( + revokeAll, null, totalRecordCount); + Enumeration e = list.getCertRecords(0, totalRecordCount - 1); **/ Enumeration e = mCertDB.searchCertificates(revokeAll, totalRecordCount, mTimeLimits); @@ -260,16 +265,16 @@ public class ReasonToRevoke extends CMSServlet { count++; IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", xcert - .getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", xcert - .getSerialNumber().toString()); - rarg.addStringValue("subject", xcert.getSubjectDN() - .toString()); - rarg.addLongValue("validNotBefore", xcert - .getNotBefore().getTime() / 1000); - rarg.addLongValue("validNotAfter", xcert.getNotAfter() - .getTime() / 1000); + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + rarg.addStringValue("serialNumberDecimal", + xcert.getSerialNumber().toString()); + rarg.addStringValue("subject", + xcert.getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + xcert.getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + xcert.getNotAfter().getTime() / 1000); argSet.addRepeatRecord(rarg); } } @@ -283,3 +288,4 @@ public class ReasonToRevoke extends CMSServlet { return; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RemoteAuthConfig.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RemoteAuthConfig.java index fc81c70c7..9c414b9cb 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RemoteAuthConfig.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RemoteAuthConfig.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.util.Calendar; import java.util.Date; @@ -53,6 +54,7 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Allow agent to turn on/off authentication managers * @@ -87,11 +89,11 @@ public class RemoteAuthConfig extends CMSServlet { /** * Initializes the servlet. - * - * Presence of "auths.enableRemoteConfiguration=true" in CMS.cfg enables - * remote configuration for authentication plugins. List of remotely set - * instances can be found in CMS.cfg at - * "auths.remotelySetInstances=<name1>,<name2>,...,<nameN>" + * + * Presence of "auths.enableRemoteConfiguration=true" in CMS.cfg + * enables remote configuration for authentication plugins. + * List of remotely set instances can be found in CMS.cfg + * at "auths.remotelySetInstances=<name1>,<name2>,...,<nameN>" */ public void init(ServletConfig sc) throws ServletException { super.init(sc); @@ -100,11 +102,9 @@ public class RemoteAuthConfig extends CMSServlet { mFileConfig = CMS.getConfigStore(); mAuthConfig = mFileConfig.getSubStore("auths"); try { - mEnableRemoteConfiguration = mAuthConfig.getBoolean( - ENABLE_REMOTE_CONFIG, false); + mEnableRemoteConfiguration = mAuthConfig.getBoolean(ENABLE_REMOTE_CONFIG, false); } catch (EBaseException eb) { - // Thanks to design of getBoolean we have to catch but we will never - // get anything. + // Thanks to design of getBoolean we have to catch but we will never get anything. } String remoteList = null; @@ -112,8 +112,7 @@ public class RemoteAuthConfig extends CMSServlet { try { remoteList = mAuthConfig.getString(REMOTELY_SET_INSTANCES, null); } catch (EBaseException eb) { - // Thanks to design of getString we have to catch but we will never - // get anything. + // Thanks to design of getString we have to catch but we will never get anything. } if (remoteList != null) { StringTokenizer s = new StringTokenizer(remoteList, ","); @@ -134,10 +133,16 @@ public class RemoteAuthConfig extends CMSServlet { /** * Serves HTTPS request. The format of this request is as follows: - * https://host:ee-port/remoteAuthConfig? op="add"|"delete"& - * instance=<instanceName>& of=<authPluginName>& host=<hostName>& - * port=<portNumber>& password=<password>& [adminDN=<adminDN>]& [uid=<uid>]& - * [baseDN=<baseDN>] + * https://host:ee-port/remoteAuthConfig? + * op="add"|"delete"& + * instance=<instanceName>& + * of=<authPluginName>& + * host=<hostName>& + * port=<portNumber>& + * password=<password>& + * [adminDN=<adminDN>]& + * [uid=<uid>]& + * [baseDN=<baseDN>] */ public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest req = cmsReq.getHttpReq(); @@ -169,8 +174,7 @@ public class RemoteAuthConfig extends CMSServlet { if (adminDN != null && adminDN.length() > 0) { errMsg = authenticateRemoteAdmin(host, port, adminDN, password); } else { - errMsg = authenticateRemoteAdmin(host, port, uid, baseDN, - password); + errMsg = authenticateRemoteAdmin(host, port, uid, baseDN, password); } if (errMsg == null || errMsg.length() == 0) { if (mAuthSubsystem != null && mAuthConfig != null) { @@ -193,17 +197,14 @@ public class RemoteAuthConfig extends CMSServlet { header.addStringValue("error", errMsg); } else { header.addStringValue("plugin", plugin); - header.addStringValue("instance", - instance); + header.addStringValue("instance", instance); } } else { - header.addStringValue("error", - "Unknown instance " + instance - + "."); + header.addStringValue("error", "Unknown instance " + + instance + "."); } } else { - header.addStringValue("error", - "Unknown plugin name: " + plugin); + header.addStringValue("error", "Unknown plugin name: " + plugin); } } else if (op.equals("add")) { String plugin = req.getParameter("of"); @@ -215,33 +216,28 @@ public class RemoteAuthConfig extends CMSServlet { instance = makeInstanceName(); } if (isInstanceListed(instance)) { - header.addStringValue("error", - "Instance name " + instance - + " is already in use."); + header.addStringValue("error", "Instance name " + + instance + " is already in use."); } else { errMsg = addInstance(instance, plugin, - host, port, baseDN, - req.getParameter("dnPattern")); + host, port, baseDN, + req.getParameter("dnPattern")); if (errMsg != null && errMsg.length() > 0) { header.addStringValue("error", errMsg); } else { header.addStringValue("plugin", plugin); - header.addStringValue("instance", - instance); + header.addStringValue("instance", instance); } } } else { - header.addStringValue("error", - "Unknown plugin name: " + plugin); + header.addStringValue("error", "Unknown plugin name: " + plugin); } } else { - header.addStringValue("error", - "Unsupported operation: " + op); + header.addStringValue("error", "Unsupported operation: " + op); } } } else { - header.addStringValue("error", - "Invalid configuration data."); + header.addStringValue("error", "Invalid configuration data."); } } else { header.addStringValue("error", errMsg); @@ -255,10 +251,9 @@ public class RemoteAuthConfig extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { @@ -268,15 +263,15 @@ public class RemoteAuthConfig extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } private String authenticateRemoteAdmin(String host, String port, - String adminDN, String password) { + String adminDN, String password) { if (host == null || host.length() == 0) { return "Missing host name."; } @@ -318,16 +313,13 @@ public class RemoteAuthConfig extends CMSServlet { LDAPEntry groupEntry = c.read(nextValue); if (groupEntry != null) { - LDAPAttribute gAttr = groupEntry - .getAttribute(UNIQUE_MEMBER); + LDAPAttribute gAttr = groupEntry.getAttribute(UNIQUE_MEMBER); if (gAttr != null) { - Enumeration eValues = gAttr - .getStringValues(); + Enumeration eValues = gAttr.getStringValues(); while (eValues.hasMoreElements()) { - String value = (String) eValues - .nextElement(); + String value = (String) eValues.nextElement(); if (value.equals(entry.getDN())) { c.disconnect(); @@ -347,11 +339,13 @@ public class RemoteAuthConfig extends CMSServlet { } catch (LDAPException e) { /* - * switch (e.getLDAPResultCode()) { case - * LDAPException.NO_SUCH_OBJECT: case - * LDAPException.INVALID_CREDENTIALS: case - * LDAPException.INSUFFICIENT_ACCESS_RIGHTS: case - * LDAPException.LDAP_PARTIAL_RESULTS: default: } + switch (e.getLDAPResultCode()) { + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.INVALID_CREDENTIALS: + case LDAPException.INSUFFICIENT_ACCESS_RIGHTS: + case LDAPException.LDAP_PARTIAL_RESULTS: + default: + } */ c.disconnect(); return "LDAP error: " + e.toString(); @@ -368,7 +362,8 @@ public class RemoteAuthConfig extends CMSServlet { } private String authenticateRemoteAdmin(String host, String port, - String uid, String baseDN, String password) { + String uid, String baseDN, + String password) { if (host == null || host.length() == 0) { return "Missing host name."; } @@ -403,7 +398,8 @@ public class RemoteAuthConfig extends CMSServlet { connected = true; boolean memberOf = false; LDAPSearchResults results = c.search(baseDN, LDAPv2.SCOPE_SUB, - "(uid=" + uid + ")", null, false); + "(uid=" + uid + ")", + null, false); while (results.hasMoreElements()) { LDAPEntry entry = null; @@ -424,16 +420,13 @@ public class RemoteAuthConfig extends CMSServlet { LDAPEntry groupEntry = c.read(nextValue); if (groupEntry != null) { - LDAPAttribute gAttr = groupEntry - .getAttribute(UNIQUE_MEMBER); + LDAPAttribute gAttr = groupEntry.getAttribute(UNIQUE_MEMBER); if (gAttr != null) { - Enumeration eValues = gAttr - .getStringValues(); + Enumeration eValues = gAttr.getStringValues(); while (eValues.hasMoreElements()) { - String value = (String) eValues - .nextElement(); + String value = (String) eValues.nextElement(); if (value.equals(entry.getDN())) { c.disconnect(); @@ -479,8 +472,9 @@ public class RemoteAuthConfig extends CMSServlet { return "Access unauthorized"; } - private String addInstance(String instance, String plugin, String host, - String port, String baseDN, String dnPattern) { + private String addInstance(String instance, String plugin, + String host, String port, + String baseDN, String dnPattern) { if (host == null || host.length() == 0) { return "Missing host name."; } @@ -522,8 +516,7 @@ public class RemoteAuthConfig extends CMSServlet { StringBuffer list = new StringBuffer(); for (int i = 0; i < mRemotelySetInstances.size(); i++) { - if (i > 0) - list.append(","); + if (i > 0) list.append(","); list.append((String) mRemotelySetInstances.elementAt(i)); } @@ -549,8 +542,7 @@ public class RemoteAuthConfig extends CMSServlet { StringBuffer list = new StringBuffer(); for (int i = 0; i < mRemotelySetInstances.size(); i++) { - if (i > 0) - list.append(","); + if (i > 0) list.append(","); list.append((String) mRemotelySetInstances.elementAt(i)); } @@ -610,21 +602,17 @@ public class RemoteAuthConfig extends CMSServlet { int y = now.get(Calendar.YEAR); String name = "R" + y; - if (now.get(Calendar.MONTH) < 10) - name += "0"; + if (now.get(Calendar.MONTH) < 10) name += "0"; name += now.get(Calendar.MONTH); - if (now.get(Calendar.DAY_OF_MONTH) < 10) - name += "0"; + if (now.get(Calendar.DAY_OF_MONTH) < 10) name += "0"; name += now.get(Calendar.DAY_OF_MONTH); - if (now.get(Calendar.HOUR_OF_DAY) < 10) - name += "0"; + if (now.get(Calendar.HOUR_OF_DAY) < 10) name += "0"; name += now.get(Calendar.HOUR_OF_DAY); - if (now.get(Calendar.MINUTE) < 10) - name += "0"; + if (now.get(Calendar.MINUTE) < 10) name += "0"; name += now.get(Calendar.MINUTE); - if (now.get(Calendar.SECOND) < 10) - name += "0"; + if (now.get(Calendar.SECOND) < 10) name += "0"; name += now.get(Calendar.SECOND); return name; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java index 1eccf40e2..050dd36dc 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RenewalServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateException; @@ -58,7 +59,7 @@ import com.netscape.cms.servlet.common.ICMSTemplateFiller; /** * Certificate Renewal - * + * * @version $Revision$, $Date$ */ public class RenewalServlet extends CMSServlet { @@ -68,27 +69,29 @@ public class RenewalServlet extends CMSServlet { private static final long serialVersionUID = -3094124661102395244L; // renewal templates. - public static final String RENEWAL_SUCCESS_TEMPLATE = "RenewalSuccess.template"; + public static final String + RENEWAL_SUCCESS_TEMPLATE = "RenewalSuccess.template"; - // http params + // http params public static final String CERT_TYPE = "certType"; public static final String SERIAL_NO = "serialNo"; - // XXX can't do pkcs10 cause it's got no serial no. + // XXX can't do pkcs10 cause it's got no serial no. // (unless put serial no in pki attributes) - // public static final String PKCS10 = "pkcs10"; + // public static final String PKCS10 = "pkcs10"; public static final String IMPORT_CERT = "importCert"; private String mRenewalSuccessTemplate = RENEWAL_SUCCESS_TEMPLATE; - private ICMSTemplateFiller mRenewalSuccessFiller = new ImportCertsTemplateFiller(); + private ICMSTemplateFiller + mRenewalSuccessFiller = new ImportCertsTemplateFiller(); public RenewalServlet() { super(); } /** - * initialize the servlet. This servlet makes use of the template file - * "RenewalSuccess.template" to render the response - * + * initialize the servlet. This servlet makes use of the + * template file "RenewalSuccess.template" to render the + * response * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -96,44 +99,47 @@ public class RenewalServlet extends CMSServlet { // override success template. has same info as enrollment. mTemplates.remove(CMSRequest.SUCCESS); try { - mRenewalSuccessTemplate = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE); + mRenewalSuccessTemplate = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mRenewalSuccessTemplate == null) mRenewalSuccessTemplate = RENEWAL_SUCCESS_TEMPLATE; - String fillername = sc - .getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); + String fillername = + sc.getInitParameter(PROP_SUCCESS_TEMPLATE_FILLER); if (fillername != null) { ICMSTemplateFiller filler = newFillerObject(fillername); - if (filler != null) + if (filler != null) mRenewalSuccessFiller = filler; } } catch (Exception e) { - // this should never happen. - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId)); + // this should never happen. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), + mId)); } } + /** - * Process the HTTP request. - * + * Process the HTTP request. + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { long startTime = CMS.getCurrentDate().getTime(); IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); - // renewal requires either: - // - coming from ee: - // - old cert from ssl client auth - // - old certs from auth manager - // - coming from agent or trusted RA: - // - serial no of cert to be renewed. - + // renewal requires either: + // - coming from ee: + // - old cert from ssl client auth + // - old certs from auth manager + // - coming from agent or trusted RA: + // - serial no of cert to be renewed. + BigInteger old_serial_no = null; X509CertImpl old_cert = null; X509CertImpl renewed_cert = null; @@ -146,14 +152,14 @@ public class RenewalServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "renew"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "renew"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -164,12 +170,12 @@ public class RenewalServlet extends CMSServlet { String authMgr = AuditFormat.NOAUTH; if (authToken != null && !mAuthMgr.equals("sslClientCertAuthMgr")) { - authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } - // coming from agent - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + // coming from agent + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { X509Certificate[] cert = new X509Certificate[1]; old_serial_no = getCertFromAgent(httpParams, cert); @@ -183,8 +189,8 @@ public class RenewalServlet extends CMSServlet { int endMonth = httpParams.getValueAsInt("endMonth", -1); int endDate = httpParams.getValueAsInt("endDate", -1); - if (beginYear != -1 && beginMonth != -1 && beginDate != -1 - && endYear != -1 && endMonth != -1 && endDate != -1) { + if (beginYear != -1 && beginMonth != -1 && beginDate != -1 && + endYear != -1 && endMonth != -1 && endDate != -1) { Calendar calendar = Calendar.getInstance(); calendar.set(beginYear, beginMonth, beginDate); notBefore = calendar.getTime(); @@ -193,7 +199,7 @@ public class RenewalServlet extends CMSServlet { } } // coming from client else { - // from auth manager + // from auth manager X509CertImpl[] cert = new X509CertImpl[1]; old_serial_no = getCertFromAuthMgr(authToken, cert); @@ -207,43 +213,44 @@ public class RenewalServlet extends CMSServlet { X509CertInfo new_certInfo = null; req = mRequestQueue.newRequest(IRequest.RENEWAL_REQUEST); - req.setExtData(IRequest.OLD_SERIALS, - new BigInteger[] { old_serial_no }); + req.setExtData(IRequest.OLD_SERIALS, new BigInteger[] {old_serial_no}); if (old_cert != null) { req.setExtData(IRequest.OLD_CERTS, - new X509CertImpl[] { old_cert }); - // create new certinfo from old_cert contents. - X509CertInfo old_certInfo = (X509CertInfo) ((X509CertImpl) old_cert) - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + new X509CertImpl[] { old_cert } + ); + // create new certinfo from old_cert contents. + X509CertInfo old_certInfo = (X509CertInfo) + ((X509CertImpl) old_cert).get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); new_certInfo = new X509CertInfo(old_certInfo.getEncodedInfo()); } else { - // if no old cert (came from RA agent) create new cert info - // (serializable) to pass through policies. And set the old + // if no old cert (came from RA agent) create new cert info + // (serializable) to pass through policies. And set the old // serial number to pick up. new_certInfo = new CertInfo(); - new_certInfo.set(X509CertInfo.SERIAL_NUMBER, - new CertificateSerialNumber(old_serial_no)); + new_certInfo.set(X509CertInfo.SERIAL_NUMBER, + new CertificateSerialNumber(old_serial_no)); } - + if (notBefore == null || notAfter == null) { notBefore = new Date(0); notAfter = new Date(0); } - new_certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity( - notBefore, notAfter)); - req.setExtData(IRequest.CERT_INFO, - new X509CertInfo[] { new_certInfo }); + new_certInfo.set(X509CertInfo.VALIDITY, + new CertificateValidity(notBefore, notAfter)); + req.setExtData(IRequest.CERT_INFO, new X509CertInfo[] { new_certInfo } + ); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); + CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SETTING_RENEWAL_VALIDITY_1", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); + CMS.getUserMessage("CMS_GW_SETTING_RENEWAL_VALIDITY_ERROR")); } saveHttpHeaders(httpReq, req); @@ -252,23 +259,22 @@ public class RenewalServlet extends CMSServlet { saveAuthToken(authToken, req); cmsReq.setIRequest(req); - // send request to request queue. + // send request to request queue. mRequestQueue.processRequest(req); // for audit log String initiative = null; String agentID = null; - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { agentID = authToken.getInString("userid"); initiative = AuditFormat.FROMAGENT + " agentID: " + agentID; - } else { + }else { // request is from eegateway, so fromUser. initiative = AuditFormat.FROMUSER; } - // check resulting status + // check resulting status RequestStatus status = req.getRequestStatus(); if (status != RequestStatus.COMPLETE) { @@ -286,76 +292,92 @@ public class RenewalServlet extends CMSServlet { wholeMsg.append(msgs.nextElement()); } - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "violation: " + wholeMsg.toString() } - // wholeMsg}, - // ILogger.L_MULTILINE + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + old_cert.getSubjectDN(), + old_cert.getSerialNumber().toString(16), + "violation: " + + wholeMsg.toString()} + // wholeMsg}, + // ILogger.L_MULTILINE ); } else { // no policy violation, from agent - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { req.getRequestId(), initiative, - authMgr, status.toString(), - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), "" }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + old_cert.getSubjectDN(), + old_cert.getSerialNumber().toString(16), + "" } + ); } - } else { // other imcomplete status - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, AuditFormat.RENEWALFORMAT, - new Object[] { req.getRequestId(), initiative, authMgr, - status.toString(), old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), "" }); + } else { // other imcomplete status + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + status.toString(), + old_cert.getSubjectDN(), + old_cert.getSerialNumber().toString(16), + "" } + ); } return; } - // service error + // service error Integer result = req.getExtDataInInteger(IRequest.RESULT); - CMS.debug("RenewalServlet: Result for request " + req.getRequestId() - + " is " + result); + CMS.debug( + "RenewalServlet: Result for request " + req.getRequestId() + " is " + result); if (result.equals(IRequest.RES_ERROR)) { - CMS.debug("RenewalServlet: Result for request " - + req.getRequestId() + " is error."); + CMS.debug( + "RenewalServlet: Result for request " + req.getRequestId() + " is error."); cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(req.getExtDataInString(IRequest.ERROR)); - String[] svcErrors = req - .getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = + req.getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { String err = svcErrors[i]; if (err != null) { - // System.out.println( - // "revocation servlet: setting error description "+ - // err.toString()); + //System.out.println( + //"revocation servlet: setting error description "+ + //err.toString()); cmsReq.setErrorDescription(err); - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - "completed with error: " + err, - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "" }); + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + "completed with error: " + + err, + old_cert.getSubjectDN(), + old_cert.getSerialNumber().toString(16), + "" } + ); } } @@ -370,29 +392,32 @@ public class RenewalServlet extends CMSServlet { respondSuccess(cmsReq, renewed_cert); long endTime = CMS.getCurrentDate().getTime(); - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - req.getRequestId(), - initiative, - authMgr, - "completed", - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "new serial number: 0x" - + renewed_cert.getSerialNumber().toString(16) - + " time: " + (endTime - startTime) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + req.getRequestId(), + initiative, + authMgr, + "completed", + old_cert.getSubjectDN(), + old_cert.getSerialNumber().toString(16), + "new serial number: 0x" + + renewed_cert.getSerialNumber().toString(16) + " time: " + (endTime - startTime)} + ); return; } - private void respondSuccess(CMSRequest cmsReq, X509CertImpl renewed_cert) - throws EBaseException { - cmsReq.setResult(new X509CertImpl[] { renewed_cert }); + private void respondSuccess( + CMSRequest cmsReq, X509CertImpl renewed_cert) + throws EBaseException { + cmsReq.setResult(new X509CertImpl[] {renewed_cert} + ); cmsReq.setStatus(CMSRequest.SUCCESS); - // check if cert should be imported. - // browser must have input type set to nav or cartman since + // check if cert should be imported. + // browser must have input type set to nav or cartman since // there's no other way to tell IArgBlock httpParams = cmsReq.getHttpParams(); @@ -400,73 +425,73 @@ public class RenewalServlet extends CMSServlet { String certType = httpParams.getValueAsString(CERT_TYPE, "client"); String agent = httpReq.getHeader("user-agent"); - if (checkImportCertToNav(cmsReq.getHttpResp(), httpParams, renewed_cert)) { + if (checkImportCertToNav(cmsReq.getHttpResp(), + httpParams, renewed_cert)) { return; } else { try { - renderTemplate(cmsReq, mRenewalSuccessTemplate, - mRenewalSuccessFiller); + renderTemplate(cmsReq, + mRenewalSuccessTemplate, mRenewalSuccessFiller); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGE_ERROR_DISPLAY_TEMPLATE_1", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGE_ERROR_DISPLAY_TEMPLATE_1", mRenewalSuccessTemplate, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } return; } - protected BigInteger getRenewedCert(ICertRecord certRec) - throws EBaseException { + protected BigInteger getRenewedCert(ICertRecord certRec) + throws EBaseException { BigInteger renewedCert = null; String serial = null; - MetaInfo meta = certRec.getMetaInfo(); + MetaInfo meta = certRec.getMetaInfo(); if (meta == null) { - log(ILogger.LL_INFO, "no meta info in cert serial 0x" - + certRec.getSerialNumber().toString(16)); + log(ILogger.LL_INFO, + "no meta info in cert serial 0x" + certRec.getSerialNumber().toString(16)); return null; } serial = (String) meta.get(ICertRecord.META_RENEWED_CERT); if (serial == null) { - log(ILogger.LL_INFO, "no renewed cert in cert 0x" - + certRec.getSerialNumber().toString(16)); + log(ILogger.LL_INFO, + "no renewed cert in cert 0x" + certRec.getSerialNumber().toString(16)); return null; } renewedCert = new BigInteger(serial); - log(ILogger.LL_INFO, - "renewed cert serial 0x" + renewedCert.toString(16) - + "found for 0x" - + certRec.getSerialNumber().toString(16)); + log(ILogger.LL_INFO, + "renewed cert serial 0x" + renewedCert.toString(16) + "found for 0x" + + certRec.getSerialNumber().toString(16)); return renewedCert; } /** * get certs to renew from agent. */ - private BigInteger getCertFromAgent(IArgBlock httpParams, - X509Certificate[] certContainer) throws EBaseException { + private BigInteger getCertFromAgent( + IArgBlock httpParams, X509Certificate[] certContainer) + throws EBaseException { BigInteger serialno = null; X509Certificate cert = null; // get serial no serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_RENEW")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_RENEW")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_RENEW")); + CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_RENEW")); } // get cert from db if we're cert authority. if (mAuthority instanceof ICertificateAuthority) { cert = getX509Certificate(serialno); if (cert == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_MISSING_SERIALNO_FOR_RENEW_1", - serialno.toString(16))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_RENEW_1", serialno.toString(16))); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); } } certContainer[0] = cert; @@ -476,21 +501,24 @@ public class RenewalServlet extends CMSServlet { /** * get cert to renew from auth manager */ - private BigInteger getCertFromAuthMgr(IAuthToken authToken, - X509Certificate[] certContainer) throws EBaseException { - X509CertImpl cert = authToken.getInCert(AuthToken.TOKEN_CERT); + private BigInteger getCertFromAuthMgr( + IAuthToken authToken, X509Certificate[] certContainer) + throws EBaseException { + X509CertImpl cert = + authToken.getInCert(AuthToken.TOKEN_CERT); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR")); } - if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, "certficate from auth manager for " - + " renewal is not from this ca."); + if (mAuthority instanceof ICertificateAuthority && + !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, "certficate from auth manager for " + + " renewal is not from this ca."); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_RENEWAL")); } certContainer[0] = cert; BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java index 6142d6857..9b39acc74 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateEncodingException; @@ -56,9 +57,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Perform the first step in revoking a certificate - * + * * @version $Revision$, $Date$ */ public class RevocationServlet extends CMSServlet { @@ -70,11 +72,11 @@ public class RevocationServlet extends CMSServlet { // revocation templates. private final static String TPL_FILE = "reasonToRevoke.template"; - // http params + // http params public static final String SERIAL_NO = "serialNo"; - // XXX can't do pkcs10 cause it's got no serial no. + // XXX can't do pkcs10 cause it's got no serial no. // (unless put serial no in pki attributes) - // public static final String PKCS10 = "pkcs10"; + // public static final String PKCS10 = "pkcs10"; public static final String REASON_CODE = "reasonCode"; private String mFormPath = null; @@ -83,14 +85,15 @@ public class RevocationServlet extends CMSServlet { private Random mRandom = null; private Nonces mNonces = null; + public RevocationServlet() { super(); } /** - * initialize the servlet. This servlet uses the template file - * "reasonToRevoke.template" to render the result. - * + * initialize the servlet. This servlet uses + * the template file "reasonToRevoke.template" to render the + * result. * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -100,7 +103,8 @@ public class RevocationServlet extends CMSServlet { mFormPath = "/" + TPL_FILE; try { - mFormPath = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); + mFormPath = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mFormPath == null) mFormPath = "/" + TPL_FILE; @@ -111,7 +115,7 @@ public class RevocationServlet extends CMSServlet { } } - // set to false by revokeByDN=false in web.xml + // set to false by revokeByDN=false in web.xml mRevokeByDN = false; String tmp = sc.getInitParameter(PROP_REVOKEBYDN); @@ -123,26 +127,28 @@ public class RevocationServlet extends CMSServlet { } } + /** - * Process the HTTP request. Note that this servlet does not actually - * perform the certificate revocation. This is the first step in the - * multi-step revocation process. (the next step is in the ReasonToRevoke - * servlet. - * + * Process the HTTP request. Note that this servlet does not + * actually perform the certificate revocation. This is the first + * step in the multi-step revocation process. (the next step is + * in the ReasonToRevoke servlet. + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); - // revocation requires either: - // - coming from ee: - // - old cert from ssl client auth - // - old certs from auth manager - // - coming from agent or trusted RA: - // - serial no of cert to be revoked. - + // revocation requires either: + // - coming from ee: + // - old cert from ssl client auth + // - old certs from auth manager + // - coming from agent or trusted RA: + // - serial no of cert to be revoked. + BigInteger old_serial_no = null; X509CertImpl old_cert = null; String revokeAll = null; @@ -153,11 +159,10 @@ public class RevocationServlet extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } IArgBlock header = CMS.createArgBlock(); @@ -169,50 +174,45 @@ public class RevocationServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "submit"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "submit"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - // coming from agent - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + + // coming from agent + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { X509Certificate[] cert = new X509Certificate[1]; old_serial_no = getCertFromAgent(httpParams, cert); old_cert = (X509CertImpl) cert[0]; } // coming from client else { - // from auth manager + // from auth manager X509CertImpl[] cert = new X509CertImpl[1]; - + old_serial_no = getCertFromAuthMgr(authToken, cert); old_cert = cert[0]; } - header.addStringValue("serialNumber", old_cert.getSerialNumber() - .toString(16)); - header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber() - .toString()); - // header.addStringValue("subject", old_cert.getSubjectDN().toString()); - // header.addLongValue("validNotBefore", - // old_cert.getNotBefore().getTime()/1000); - // header.addLongValue("validNotAfter", - // old_cert.getNotAfter().getTime()/1000); + header.addStringValue("serialNumber", old_cert.getSerialNumber().toString(16)); + header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber().toString()); + // header.addStringValue("subject", old_cert.getSubjectDN().toString()); + // header.addLongValue("validNotBefore", old_cert.getNotBefore().getTime()/1000); + // header.addLongValue("validNotAfter", old_cert.getNotAfter().getTime()/1000); if (mNonces != null) { long n = mRandom.nextLong(); - long m = mNonces.addNonce(n, (X509Certificate) old_cert); + long m = mNonces.addNonce(n, (X509Certificate)old_cert); if ((n + m) != 0) { header.addStringValue("nonce", Long.toString(m)); } @@ -222,20 +222,19 @@ public class RevocationServlet extends CMSServlet { X509CertImpl[] certsToRevoke = null; if (mAuthority instanceof ICertificateAuthority) { - certsToRevoke = ((ICertificateAuthority) mAuthority) - .getCertificateRepository().getX509Certificates( - old_cert.getSubjectDN().toString(), - ICertificateRepository.ALL_UNREVOKED_CERTS); + certsToRevoke = ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificates( + old_cert.getSubjectDN().toString(), + ICertificateRepository.ALL_UNREVOKED_CERTS); } else if (mAuthority instanceof IRegistrationAuthority) { IRequest req = mRequestQueue.newRequest(IRequest.GETCERTS_REQUEST); - String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." - + X509CertInfo.SUBJECT + "=" - + old_cert.getSubjectDN().toString() + ")(|(" - + ICertRecord.ATTR_CERT_STATUS + "=" - + ICertRecord.STATUS_VALID + ")(" - + ICertRecord.ATTR_CERT_STATUS + "=" - + ICertRecord.STATUS_EXPIRED + ")))"; + String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." + + X509CertInfo.SUBJECT + "=" + + old_cert.getSubjectDN().toString() + ")(|(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_VALID + ")(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_EXPIRED + ")))"; req.setExtData(IRequest.CERT_FILTER, filter); mRequestQueue.processRequest(req); @@ -249,8 +248,7 @@ public class RevocationServlet extends CMSServlet { String name = (String) enum1.nextElement(); if (name.equals(IRequest.OLD_CERTS)) { - X509CertImpl[] certs = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] certs = req.getExtDataInCertArray(IRequest.OLD_CERTS); certsToRevoke = certs; } @@ -264,20 +262,18 @@ public class RevocationServlet extends CMSServlet { if (certsToRevoke != null && certsToRevoke.length > 0) { for (int i = 0; i < certsToRevoke.length; i++) { - if (old_cert.getSerialNumber().equals( - certsToRevoke[i].getSerialNumber())) { + if (old_cert.getSerialNumber().equals(certsToRevoke[i].getSerialNumber())) { authorized = true; break; } } } - if (!noInfo - && (certsToRevoke == null || certsToRevoke.length == 0 || (!authorized))) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); + if (!noInfo && (certsToRevoke == null || certsToRevoke.length == 0 || + (!authorized))) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); } if (!mRevokeByDN || noInfo) { @@ -287,8 +283,7 @@ public class RevocationServlet extends CMSServlet { byte[] ba = old_cert.getEncoded(); // Do base 64 encoding - header.addStringValue("b64eCertificate", - com.netscape.osutil.OSUtil.BtoA(ba)); + header.addStringValue("b64eCertificate", com.netscape.osutil.OSUtil.BtoA(ba)); } catch (CertificateEncodingException e) { } } @@ -300,16 +295,16 @@ public class RevocationServlet extends CMSServlet { for (int i = 0; i < certsToRevoke.length; i++) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", certsToRevoke[i] - .getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", certsToRevoke[i] - .getSerialNumber().toString()); - rarg.addStringValue("subject", certsToRevoke[i].getSubjectDN() - .toString()); - rarg.addLongValue("validNotBefore", certsToRevoke[i] - .getNotBefore().getTime() / 1000); - rarg.addLongValue("validNotAfter", certsToRevoke[i] - .getNotAfter().getTime() / 1000); + rarg.addStringValue("serialNumber", + certsToRevoke[i].getSerialNumber().toString(16)); + rarg.addStringValue("serialNumberDecimal", + certsToRevoke[i].getSerialNumber().toString()); + rarg.addStringValue("subject", + certsToRevoke[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certsToRevoke[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certsToRevoke[i].getNotAfter().getTime() / 1000); argSet.addRepeatRecord(rarg); } } else { @@ -318,7 +313,7 @@ public class RevocationServlet extends CMSServlet { } // set revocation reason, default to unspecified if not set. - int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); + int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); header.addIntegerValue("reason", reasonCode); @@ -329,11 +324,10 @@ public class RevocationServlet extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } return; @@ -342,28 +336,29 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from agent. */ - private BigInteger getCertFromAgent(IArgBlock httpParams, - X509Certificate[] certContainer) throws EBaseException { + private BigInteger getCertFromAgent( + IArgBlock httpParams, X509Certificate[] certContainer) + throws EBaseException { BigInteger serialno = null; X509Certificate cert = null; // get serial no serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); + CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); } // get cert from db if we're cert authority. if (mAuthority instanceof ICertificateAuthority) { cert = getX509Certificate(serialno); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } } certContainer[0] = cert; @@ -373,21 +368,23 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from auth manager */ - private BigInteger getCertFromAuthMgr(IAuthToken authToken, - X509Certificate[] certContainer) throws EBaseException { - X509CertImpl cert = authToken.getInCert(AuthToken.TOKEN_CERT); + private BigInteger getCertFromAuthMgr( + IAuthToken authToken, X509Certificate[] certContainer) + throws EBaseException { + X509CertImpl cert = + authToken.getInCert(AuthToken.TOKEN_CERT); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); } - if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + if (mAuthority instanceof ICertificateAuthority && + !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } certContainer[0] = cert; BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); @@ -396,3 +393,4 @@ public class RevocationServlet extends CMSServlet { } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java index d35133206..3a571d440 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationSuccessTemplateFiller.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.util.Locale; import javax.servlet.http.HttpServletRequest; @@ -30,13 +31,21 @@ import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ICMSTemplateFiller; + /** - * Certificates Template filler. must have list of certificates in result. looks - * at inputs: certtype. outputs: - cert type from http input (if any) - CA chain - * - authority name (RM, CM, DRM) - scheme:host:port of server. array of one or - * more - cert serial number - cert pretty print - cert in base 64 encoding. - - * cmmf blob to import - * + * Certificates Template filler. + * must have list of certificates in result. + * looks at inputs: certtype. + * outputs: + * - cert type from http input (if any) + * - CA chain + * - authority name (RM, CM, DRM) + * - scheme:host:port of server. + * array of one or more + * - cert serial number + * - cert pretty print + * - cert in base 64 encoding. + * - cmmf blob to import * @version $Revision$, $Date$ */ class RevocationSuccessTemplateFiller implements ICMSTemplateFiller { @@ -51,12 +60,13 @@ class RevocationSuccessTemplateFiller implements ICMSTemplateFiller { * @param locale locale of template. * @param e unexpected exception e. ignored. */ - public CMSTemplateParams getTemplateParams(CMSRequest cmsReq, - IAuthority authority, Locale locale, Exception e) throws Exception { + public CMSTemplateParams getTemplateParams( + CMSRequest cmsReq, IAuthority authority, Locale locale, Exception e) + throws Exception { IArgBlock fixed = CMS.createArgBlock(); CMSTemplateParams params = new CMSTemplateParams(null, fixed); - // set host name and port. + // set host name and port. HttpServletRequest httpReq = cmsReq.getHttpReq(); String host = httpReq.getServerName(); int port = httpReq.getServerPort(); @@ -67,14 +77,15 @@ class RevocationSuccessTemplateFiller implements ICMSTemplateFiller { fixed.set(ICMSTemplateFiller.SCHEME, scheme); // this authority - fixed.set(ICMSTemplateFiller.AUTHORITY, - (String) authority.getOfficialName()); + fixed.set(ICMSTemplateFiller.AUTHORITY, + (String) authority.getOfficialName()); // XXX CA chain. - RevokedCertImpl[] revoked = (RevokedCertImpl[]) cmsReq.getResult(); + RevokedCertImpl[] revoked = + (RevokedCertImpl[]) cmsReq.getResult(); - // revoked certs. + // revoked certs. for (int i = 0; i < revoked.length; i++) { IArgBlock repeat = CMS.createArgBlock(); @@ -85,3 +96,4 @@ class RevocationSuccessTemplateFiller implements ICMSTemplateFiller { return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java index 40464e9e1..84e7e784a 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.PublicKey; @@ -60,9 +61,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Search for certificates matching complex query filter - * + * * @version $Revision$, $Date$ */ public class SrchCerts extends CMSServlet { @@ -94,9 +96,8 @@ public class SrchCerts extends CMSServlet { } /** - * initialize the servlet. This servlet uses srchCert.template to render the - * response - * + * initialize the servlet. This servlet uses srchCert.template + * to render the response * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -110,8 +111,7 @@ public class SrchCerts extends CMSServlet { if (authConfig != null) { try { - mMaxReturns = authConfig.getInteger( - PROP_MAX_SEARCH_RETURNS, MAX_RESULTS); + mMaxReturns = authConfig.getInteger(PROP_MAX_SEARCH_RETURNS, MAX_RESULTS); } catch (EBaseException e) { // do nothing } @@ -128,8 +128,7 @@ public class SrchCerts extends CMSServlet { /* Server-Side time limit */ try { - int maxResults = Integer - .parseInt(sc.getInitParameter("maxResults")); + int maxResults = Integer.parseInt(sc.getInitParameter("maxResults")); if (maxResults < mMaxReturns) mMaxReturns = maxResults; } catch (Exception e) { @@ -141,21 +140,20 @@ public class SrchCerts extends CMSServlet { /* do nothing, just use the default if integer parsing failed */ } - /* - * useClientFilter should be off by default. We keep this parameter - * around so that we do not break the client applications that submits - * raw LDAP filter into this servlet. - */ - if (sc.getInitParameter("useClientFilter") != null - && sc.getInitParameter("useClientFilter").equalsIgnoreCase( - "true")) { + /* useClientFilter should be off by default. We keep + this parameter around so that we do not break + the client applications that submits raw LDAP + filter into this servlet. */ + if (sc.getInitParameter("useClientFilter") != null && + sc.getInitParameter("useClientFilter").equalsIgnoreCase("true")) { mUseClientFilter = true; } } - private boolean isOn(HttpServletRequest req, String name) { + private boolean isOn(HttpServletRequest req, String name) + { String inUse = req.getParameter(name); - if (inUse == null) { + if (inUse == null) { return false; } if (inUse.equals("on")) { @@ -164,9 +162,10 @@ public class SrchCerts extends CMSServlet { return false; } - private boolean isOff(HttpServletRequest req, String name) { + private boolean isOff(HttpServletRequest req, String name) + { String inUse = req.getParameter(name); - if (inUse == null) { + if (inUse == null) { return false; } if (inUse.equals("off")) { @@ -175,8 +174,8 @@ public class SrchCerts extends CMSServlet { return false; } - private void buildCertStatusFilter(HttpServletRequest req, - StringBuffer filter) { + private void buildCertStatusFilter(HttpServletRequest req, StringBuffer filter) + { if (!isOn(req, "statusInUse")) { return; } @@ -186,7 +185,8 @@ public class SrchCerts extends CMSServlet { filter.append(")"); } - private void buildProfileFilter(HttpServletRequest req, StringBuffer filter) { + private void buildProfileFilter(HttpServletRequest req, StringBuffer filter) + { if (!isOn(req, "profileInUse")) { return; } @@ -196,16 +196,16 @@ public class SrchCerts extends CMSServlet { filter.append(")"); } - private void buildBasicConstraintsFilter(HttpServletRequest req, - StringBuffer filter) { + private void buildBasicConstraintsFilter(HttpServletRequest req, StringBuffer filter) + { if (!isOn(req, "basicConstraintsInUse")) { return; } filter.append("(x509cert.BasicConstraints.isCA=on)"); } - private void buildSerialNumberRangeFilter(HttpServletRequest req, - StringBuffer filter) { + private void buildSerialNumberRangeFilter(HttpServletRequest req, StringBuffer filter) + { if (!isOn(req, "serialNumberRangeInUse")) { return; } @@ -225,8 +225,9 @@ public class SrchCerts extends CMSServlet { } } - private void buildAVAFilter(HttpServletRequest req, String paramName, - String avaName, StringBuffer lf, String match) { + private void buildAVAFilter(HttpServletRequest req, String paramName, + String avaName, StringBuffer lf, String match) + { String val = req.getParameter(paramName); if (val != null && !val.equals("")) { if (match != null && match.equals("exact")) { @@ -253,7 +254,8 @@ public class SrchCerts extends CMSServlet { } } - private void buildSubjectFilter(HttpServletRequest req, StringBuffer filter) { + private void buildSubjectFilter(HttpServletRequest req, StringBuffer filter) + { if (!isOn(req, "subjectInUse")) { return; } @@ -284,8 +286,9 @@ public class SrchCerts extends CMSServlet { } } - private void buildRevokedByFilter(HttpServletRequest req, - StringBuffer filter) { + private void buildRevokedByFilter(HttpServletRequest req, + StringBuffer filter) + { if (!isOn(req, "revokedByInUse")) { return; } @@ -299,8 +302,10 @@ public class SrchCerts extends CMSServlet { } } - private void buildDateFilter(HttpServletRequest req, String prefix, - String outStr, long adjustment, StringBuffer filter) { + private void buildDateFilter(HttpServletRequest req, String prefix, + String outStr, long adjustment, + StringBuffer filter) + { String queryCertFilter = null; long epoch = 0; try { @@ -319,16 +324,19 @@ public class SrchCerts extends CMSServlet { } private void buildRevokedOnFilter(HttpServletRequest req, - StringBuffer filter) { + StringBuffer filter) + { if (!isOn(req, "revokedOnInUse")) { return; } buildDateFilter(req, "revokedOnFrom", "certRevokedOn>=", 0, filter); - buildDateFilter(req, "revokedOnTo", "certRevokedOn<=", 86399999, filter); + buildDateFilter(req, "revokedOnTo", "certRevokedOn<=", 86399999, + filter); } private void buildRevocationReasonFilter(HttpServletRequest req, - StringBuffer filter) { + StringBuffer filter) + { if (!isOn(req, "revocationReasonInUse")) { return; } @@ -339,21 +347,23 @@ public class SrchCerts extends CMSServlet { String queryCertFilter = null; StringTokenizer st = new StringTokenizer(reasons, ","); if (st.hasMoreTokens()) { - filter.append("(|"); - while (st.hasMoreTokens()) { - String token = st.nextToken(); - if (queryCertFilter == null) { - queryCertFilter = ""; - } - filter.append("(x509cert.certRevoInfo="); - filter.append(token); - filter.append(")"); - } - filter.append(")"); + filter.append("(|"); + while (st.hasMoreTokens()) { + String token = st.nextToken(); + if (queryCertFilter == null) { + queryCertFilter = ""; + } + filter.append("(x509cert.certRevoInfo="); + filter.append(token); + filter.append(")"); + } + filter.append(")"); } } - private void buildIssuedByFilter(HttpServletRequest req, StringBuffer filter) { + private void buildIssuedByFilter(HttpServletRequest req, + StringBuffer filter) + { if (!isOn(req, "issuedByInUse")) { return; } @@ -367,38 +377,44 @@ public class SrchCerts extends CMSServlet { } } - private void buildIssuedOnFilter(HttpServletRequest req, StringBuffer filter) { + private void buildIssuedOnFilter(HttpServletRequest req, + StringBuffer filter) + { if (!isOn(req, "issuedOnInUse")) { return; } buildDateFilter(req, "issuedOnFrom", "certCreateTime>=", 0, filter); - buildDateFilter(req, "issuedOnTo", "certCreateTime<=", 86399999, filter); + buildDateFilter(req, "issuedOnTo", "certCreateTime<=", 86399999, + filter); } private void buildValidNotBeforeFilter(HttpServletRequest req, - StringBuffer filter) { + StringBuffer filter) + { if (!isOn(req, "validNotBeforeInUse")) { return; } - buildDateFilter(req, "validNotBeforeFrom", "x509cert.notBefore>=", 0, - filter); - buildDateFilter(req, "validNotBeforeTo", "x509cert.notBefore<=", - 86399999, filter); + buildDateFilter(req, "validNotBeforeFrom", "x509cert.notBefore>=", + 0, filter); + buildDateFilter(req, "validNotBeforeTo", "x509cert.notBefore<=", + 86399999, filter); } private void buildValidNotAfterFilter(HttpServletRequest req, - StringBuffer filter) { + StringBuffer filter) + { if (!isOn(req, "validNotAfterInUse")) { return; } - buildDateFilter(req, "validNotAfterFrom", "x509cert.notAfter>=", 0, - filter); - buildDateFilter(req, "validNotAfterTo", "x509cert.notAfter<=", - 86399999, filter); + buildDateFilter(req, "validNotAfterFrom", "x509cert.notAfter>=", + 0, filter); + buildDateFilter(req, "validNotAfterTo", "x509cert.notAfter<=", + 86399999, filter); } private void buildValidityLengthFilter(HttpServletRequest req, - StringBuffer filter) { + StringBuffer filter) + { if (!isOn(req, "validityLengthInUse")) { return; } @@ -422,7 +438,9 @@ public class SrchCerts extends CMSServlet { filter.append(")"); } - private void buildCertTypeFilter(HttpServletRequest req, StringBuffer filter) { + private void buildCertTypeFilter(HttpServletRequest req, + StringBuffer filter) + { if (!isOn(req, "certTypeInUse")) { return; } @@ -453,7 +471,8 @@ public class SrchCerts extends CMSServlet { } } - public String buildFilter(HttpServletRequest req) { + public String buildFilter(HttpServletRequest req) + { String queryCertFilter = req.getParameter("queryCertFilter"); StringBuffer filter = new StringBuffer(); @@ -485,8 +504,10 @@ public class SrchCerts extends CMSServlet { /** * Serves HTTP request. This format of this request is as follows: - * queryCert? [maxCount=<number>] [queryFilter=<filter>] - * [revokeAll=<filter>] + * queryCert? + * [maxCount=<number>] + * [queryFilter=<filter>] + * [revokeAll=<filter>] */ public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest req = cmsReq.getHttpReq(); @@ -497,14 +518,14 @@ public class SrchCerts extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "list"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "list"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -530,10 +551,10 @@ public class SrchCerts extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { @@ -549,13 +570,11 @@ public class SrchCerts extends CMSServlet { timeLimit = Integer.parseInt(timeLimitStr); String queryCertFilter = buildFilter(req); - process(argSet, header, queryCertFilter, revokeAll, maxResults, - timeLimit, req, resp, locale[0]); + process(argSet, header, queryCertFilter, + revokeAll, maxResults, timeLimit, req, resp, locale[0]); } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); - error = new EBaseException(CMS.getUserMessage(getLocale(req), - "CMS_BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req),"CMS_BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } @@ -566,32 +585,33 @@ public class SrchCerts extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - cmsReq.setStatus(CMSRequest.SUCCESS); - resp.setContentType("text/html"); - form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } /** * Process the key search. */ - private void process(CMSTemplateParams argSet, IArgBlock header, - String filter, String revokeAll, int maxResults, int timeLimit, - HttpServletRequest req, HttpServletResponse resp, Locale locale) - throws EBaseException { + private void process(CMSTemplateParams argSet, IArgBlock header, + String filter, String revokeAll, + int maxResults, int timeLimit, + HttpServletRequest req, HttpServletResponse resp, + Locale locale) + throws EBaseException { try { long startTime = CMS.getCurrentDate().getTime(); @@ -601,19 +621,15 @@ public class SrchCerts extends CMSServlet { // xxx the filter includes serial number range??? if (maxResults == -1 || maxResults > mMaxReturns) { - CMS.debug("Resetting maximum of returned results from " - + maxResults + " to " + mMaxReturns); + CMS.debug("Resetting maximum of returned results from " + maxResults + " to " + mMaxReturns); maxResults = mMaxReturns; } if (timeLimit == -1 || timeLimit > mTimeLimits) { - CMS.debug("Resetting timelimit from " + timeLimit + " to " - + mTimeLimits); + CMS.debug("Resetting timelimit from " + timeLimit + " to " + mTimeLimits); timeLimit = mTimeLimits; } - CMS.debug("Start searching ... " + "filter=" + filter - + " maxreturns=" + maxResults + " timelimit=" + timeLimit); - Enumeration e = mCertDB.searchCertificates(filter, maxResults, - timeLimit); + CMS.debug("Start searching ... " + "filter=" + filter + " maxreturns=" + maxResults + " timelimit=" + timeLimit); + Enumeration e = mCertDB.searchCertificates(filter, maxResults, timeLimit); int count = 0; @@ -655,8 +671,7 @@ public class SrchCerts extends CMSServlet { int i = filter.indexOf(CURRENT_TIME, k); while (i > -1) { - if (now == null) - now = new Date(); + if (now == null) now = new Date(); newFilter.append(filter.substring(k, i)); newFilter.append(now.getTime()); k = i + CURRENT_TIME.length(); @@ -672,7 +687,7 @@ public class SrchCerts extends CMSServlet { * Fills cert record into argument block. */ private void fillRecordIntoArg(ICertRecord rec, IArgBlock rarg) - throws EBaseException { + throws EBaseException { X509CertImpl xcert = rec.getCertificate(); @@ -680,21 +695,20 @@ public class SrchCerts extends CMSServlet { fillX509RecordIntoArg(rec, rarg); } } - + private void fillX509RecordIntoArg(ICertRecord rec, IArgBlock rarg) - throws EBaseException { + throws EBaseException { X509CertImpl cert = rec.getCertificate(); rarg.addIntegerValue("version", cert.getVersion()); rarg.addStringValue("serialNumber", cert.getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", cert.getSerialNumber() - .toString()); + rarg.addStringValue("serialNumberDecimal", cert.getSerialNumber().toString()); String subject = (String) cert.getSubjectDN().toString(); if (subject.equals("")) { - rarg.addStringValue("subject", " "); + rarg.addStringValue("subject", " "); } else { rarg.addStringValue("subject", subject); @@ -714,32 +728,28 @@ public class SrchCerts extends CMSServlet { if (pKey instanceof X509Key) { key = (X509Key) pKey; } - rarg.addStringValue("subjectPublicKeyAlgorithm", key - .getAlgorithmId().getOID().toString()); + rarg.addStringValue("subjectPublicKeyAlgorithm", key.getAlgorithmId().getOID().toString()); if (key.getAlgorithmId().toString().equalsIgnoreCase("RSA")) { RSAPublicKey rsaKey = new RSAPublicKey(key.getEncoded()); - rarg.addIntegerValue("subjectPublicKeyLength", - rsaKey.getKeySize()); + rarg.addIntegerValue("subjectPublicKeyLength", rsaKey.getKeySize()); } } catch (Exception e) { rarg.addStringValue("subjectPublicKeyAlgorithm", null); rarg.addIntegerValue("subjectPublicKeyLength", 0); } - rarg.addLongValue("validNotBefore", - cert.getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotBefore", cert.getNotBefore().getTime() / 1000); rarg.addLongValue("validNotAfter", cert.getNotAfter().getTime() / 1000); rarg.addStringValue("signatureAlgorithm", cert.getSigAlgOID()); String issuedBy = rec.getIssuedBy(); - if (issuedBy == null) - issuedBy = ""; + if (issuedBy == null) issuedBy = ""; rarg.addStringValue("issuedBy", issuedBy); // cert.getIssuerDN().toString() rarg.addLongValue("issuedOn", rec.getCreateTime().getTime() / 1000); - rarg.addStringValue("revokedBy", ((rec.getRevokedBy() == null) ? "" - : rec.getRevokedBy())); + rarg.addStringValue("revokedBy", + ((rec.getRevokedBy() == null) ? "" : rec.getRevokedBy())); if (rec.getRevokedOn() == null) { rarg.addStringValue("revokedOn", null); } else { @@ -758,8 +768,7 @@ public class SrchCerts extends CMSServlet { Extension ext = (Extension) enum1.nextElement(); if (ext instanceof CRLReasonExtension) { - reason = ((CRLReasonExtension) ext).getReason() - .toInt(); + reason = ((CRLReasonExtension) ext).getReason().toInt(); break; } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateCRL.java index 83e2d3954..396f333bc 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateCRL.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateCRL.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.util.Date; @@ -58,9 +59,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Force the CRL to be updated now. - * + * * @version $Revision$, $Date$ */ public class UpdateCRL extends CMSServlet { @@ -85,41 +87,40 @@ public class UpdateCRL extends CMSServlet { } /** - * Initializes the servlet. This servlet uses updateCRL.template to render - * the result + * Initializes the servlet. This servlet uses updateCRL.template + * to render the result */ public void init(ServletConfig sc) throws ServletException { super.init(sc); mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) mCA = (ICertificateAuthority) mAuthority; - - // override success to do output orw own template. + + // override success to do output orw own template. mTemplates.remove(CMSRequest.SUCCESS); if (mOutputTemplatePath != null) mFormPath = mOutputTemplatePath; } /** - * Process the HTTP request. + * Process the HTTP request. * <ul> * <li>http.param signatureAlgorithm the algorithm to use to sign the CRL - * <li>http.param waitForUpdate true/false - should the servlet wait until - * the CRL update is complete? + * <li>http.param waitForUpdate true/false - should the servlet wait until + * the CRL update is complete? * <li>http.param clearCRLCache true/false - should the CRL cache cleared - * before the CRL is generated? + * before the CRL is generated? * <li>http.param crlIssuingPoint the CRL Issuing Point to Update * </ul> - * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest req = cmsReq.getHttpReq(); HttpServletResponse resp = cmsReq.getHttpResp(); - IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("crl", true /* main action */); + statsSub.startTiming("crl", true /* main action */); } long startTime = CMS.getCurrentDate().getTime(); @@ -127,20 +128,20 @@ public class UpdateCRL extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "update"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "update"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); if (statsSub != null) { - statsSub.endTiming("crl"); + statsSub.endTiming("crl"); } return; } @@ -157,20 +158,21 @@ public class UpdateCRL extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); if (statsSub != null) { - statsSub.endTiming("crl"); + statsSub.endTiming("crl"); } throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { - String signatureAlgorithm = req.getParameter("signatureAlgorithm"); + String signatureAlgorithm = + req.getParameter("signatureAlgorithm"); - process(argSet, header, req, resp, signatureAlgorithm, locale[0]); + process(argSet, header, req, resp, + signatureAlgorithm, locale[0]); } catch (EBaseException e) { error = e; } @@ -181,43 +183,42 @@ public class UpdateCRL extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", + e.toString())); if (statsSub != null) { - statsSub.endTiming("crl"); + statsSub.endTiming("crl"); } throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } if (statsSub != null) { - statsSub.endTiming("crl"); + statsSub.endTiming("crl"); } } - private CRLExtensions crlEntryExtensions(String reason, String invalidity) { + private CRLExtensions crlEntryExtensions (String reason, String invalidity) { CRLExtensions entryExts = new CRLExtensions(); CRLReasonExtension crlReasonExtn = null; if (reason != null && reason.length() > 0) { try { - RevocationReason revReason = RevocationReason.fromInt(Integer - .parseInt(reason)); - if (revReason == null) - revReason = RevocationReason.UNSPECIFIED; + RevocationReason revReason = RevocationReason.fromInt(Integer.parseInt(reason)); + if (revReason == null) revReason = RevocationReason.UNSPECIFIED; crlReasonExtn = new CRLReasonExtension(revReason); } catch (Exception e) { - CMS.debug("Invalid revocation reason: " + reason); + CMS.debug("Invalid revocation reason: "+reason); } } @@ -227,16 +228,15 @@ public class UpdateCRL extends CMSServlet { Date invalidityDate = null; try { long backInTime = Long.parseLong(invalidity); - invalidityDate = new Date(now - (backInTime * 60000)); + invalidityDate = new Date(now-(backInTime*60000)); } catch (Exception e) { - CMS.debug("Invalid invalidity time offset: " + invalidity); + CMS.debug("Invalid invalidity time offset: "+invalidity); } if (invalidityDate != null) { try { - invalidityDateExtn = new InvalidityDateExtension( - invalidityDate); + invalidityDateExtn = new InvalidityDateExtension(invalidityDate); } catch (Exception e) { - CMS.debug("Error creating invalidity extension: " + e); + CMS.debug("Error creating invalidity extension: "+e); } } } @@ -245,8 +245,7 @@ public class UpdateCRL extends CMSServlet { try { entryExts.set(crlReasonExtn.getName(), crlReasonExtn); } catch (Exception e) { - CMS.debug("Error adding revocation reason extension to entry extensions: " - + e); + CMS.debug("Error adding revocation reason extension to entry extensions: "+e); } } @@ -254,16 +253,14 @@ public class UpdateCRL extends CMSServlet { try { entryExts.set(invalidityDateExtn.getName(), invalidityDateExtn); } catch (Exception e) { - CMS.debug("Error adding invalidity date extension to entry extensions: " - + e); + CMS.debug("Error adding invalidity date extension to entry extensions: "+e); } } return entryExts; } - private void addInfo(CMSTemplateParams argSet, - ICRLIssuingPoint crlIssuingPoint, long cacheUpdate) { + private void addInfo(CMSTemplateParams argSet, ICRLIssuingPoint crlIssuingPoint, long cacheUpdate) { IArgBlock rarg = CMS.createArgBlock(); rarg.addLongValue("cacheUpdate", cacheUpdate); @@ -295,12 +292,18 @@ public class UpdateCRL extends CMSServlet { } private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, - String signatureAlgorithm, Locale locale) throws EBaseException { + HttpServletRequest req, + HttpServletResponse resp, + String signatureAlgorithm, + Locale locale) + throws EBaseException { long startTime = CMS.getCurrentDate().getTime(); - String waitForUpdate = req.getParameter("waitForUpdate"); - String clearCache = req.getParameter("clearCRLCache"); - String crlIssuingPointId = req.getParameter("crlIssuingPoint"); + String waitForUpdate = + req.getParameter("waitForUpdate"); + String clearCache = + req.getParameter("clearCRLCache"); + String crlIssuingPointId = + req.getParameter("crlIssuingPoint"); String test = req.getParameter("test"); String add = req.getParameter("add"); String from = req.getParameter("from"); @@ -318,41 +321,40 @@ public class UpdateCRL extends CMSServlet { if (crlIssuingPointId.equals(ip.getId())) { break; } - if (!ips.hasMoreElements()) - crlIssuingPointId = null; + if (!ips.hasMoreElements()) crlIssuingPointId = null; } } if (crlIssuingPointId == null) { crlIssuingPointId = ICertificateAuthority.PROP_MASTER_CRL; } - ICRLIssuingPoint crlIssuingPoint = mCA - .getCRLIssuingPoint(crlIssuingPointId); + ICRLIssuingPoint crlIssuingPoint = + mCA.getCRLIssuingPoint(crlIssuingPointId); header.addStringValue("crlIssuingPoint", crlIssuingPointId); IPublisherProcessor lpm = mCA.getPublisherProcessor(); if (crlIssuingPoint != null) { - if (clearCache != null - && clearCache.equals("true") - && crlIssuingPoint.isCRLGenerationEnabled() - && crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE - && crlIssuingPoint.isCRLIssuingPointInitialized() == ICRLIssuingPoint.CRL_IP_INITIALIZED) { + if (clearCache != null && clearCache.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && + crlIssuingPoint.isCRLIssuingPointInitialized() + == ICRLIssuingPoint.CRL_IP_INITIALIZED) { crlIssuingPoint.clearCRLCache(); } - if (waitForUpdate != null - && waitForUpdate.equals("true") - && crlIssuingPoint.isCRLGenerationEnabled() - && crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE - && crlIssuingPoint.isCRLIssuingPointInitialized() == ICRLIssuingPoint.CRL_IP_INITIALIZED) { - if (test != null && test.equals("true") - && crlIssuingPoint.isCRLCacheTestingEnabled() - && (!mTesting.contains(crlIssuingPointId))) { + if (waitForUpdate != null && waitForUpdate.equals("true") && + crlIssuingPoint.isCRLGenerationEnabled() && + crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && + crlIssuingPoint.isCRLIssuingPointInitialized() + == ICRLIssuingPoint.CRL_IP_INITIALIZED) { + if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + (!mTesting.contains(crlIssuingPointId))) { CMS.debug("CRL test started."); mTesting.add(crlIssuingPointId); BigInteger addLen = null; BigInteger startFrom = null; - if (add != null && add.length() > 0 && from != null - && from.length() > 0) { + if (add != null && add.length() > 0 && + from != null && from.length() > 0) { try { addLen = new BigInteger(add); startFrom = new BigInteger(from); @@ -363,8 +365,7 @@ public class UpdateCRL extends CMSServlet { Date revocationDate = CMS.getCurrentDate(); String err = null; - CRLExtensions entryExts = crlEntryExtensions(reason, - invalidity); + CRLExtensions entryExts = crlEntryExtensions (reason, invalidity); BigInteger serialNumber = startFrom; BigInteger counter = addLen; @@ -378,25 +379,22 @@ public class UpdateCRL extends CMSServlet { long t1 = System.currentTimeMillis(); long t2 = 0; - + while (counter.compareTo(BigInteger.ZERO) > 0) { - RevokedCertImpl revokedCert = new RevokedCertImpl( - serialNumber, revocationDate, entryExts); - crlIssuingPoint.addRevokedCert(serialNumber, - revokedCert); + RevokedCertImpl revokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExts); + crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); serialNumber = serialNumber.add(BigInteger.ONE); counter = counter.subtract(BigInteger.ONE); - if ((counter.compareTo(BigInteger.ZERO) == 0) - || (stepBy != null && ((counter.mod(stepBy)) - .compareTo(BigInteger.ZERO) == 0))) { + if ((counter.compareTo(BigInteger.ZERO) == 0) || + (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { t2 = System.currentTimeMillis(); long t0 = t2 - t1; t1 = t2; try { if (signatureAlgorithm != null) { - crlIssuingPoint - .updateCRLNow(signatureAlgorithm); + crlIssuingPoint.updateCRLNow(signatureAlgorithm); } else { crlIssuingPoint.updateCRLNow(); } @@ -422,12 +420,12 @@ public class UpdateCRL extends CMSServlet { mTesting.remove(crlIssuingPointId); CMS.debug("CRL test finished."); - } else if (test != null && test.equals("true") - && crlIssuingPoint.isCRLCacheTestingEnabled() - && mTesting.contains(crlIssuingPointId)) { + } else if (test != null && test.equals("true") && + crlIssuingPoint.isCRLCacheTestingEnabled() && + mTesting.contains(crlIssuingPointId)) { header.addStringValue("crlUpdate", "testingInProgress"); - } else if (test != null && test.equals("true") - && (!crlIssuingPoint.isCRLCacheTestingEnabled())) { + } else if (test != null && test.equals("true") && + (!crlIssuingPoint.isCRLCacheTestingEnabled())) { header.addStringValue("crlUpdate", "testingNotEnabled"); } else { try { @@ -437,8 +435,7 @@ public class UpdateCRL extends CMSServlet { long now1 = System.currentTimeMillis(); if (signatureAlgorithm != null) { - crlIssuingPoint - .updateCRLNow(signatureAlgorithm); + crlIssuingPoint.updateCRLNow(signatureAlgorithm); } else { crlIssuingPoint.updateCRLNow(); } @@ -451,80 +448,60 @@ public class UpdateCRL extends CMSServlet { } if (lpm != null && lpm.enabled()) { - Enumeration rules = lpm - .getRules(IPublisherProcessor.PROP_LOCAL_CRL); + Enumeration rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL); if (rules != null && rules.hasMoreElements()) { if (publishError != null) { - header.addStringValue("crlPublished", - "Failure"); - header.addStringValue("error", - publishError.toString(locale)); + header.addStringValue("crlPublished", "Failure"); + header.addStringValue("error", publishError.toString(locale)); } else { - header.addStringValue("crlPublished", - "Success"); + header.addStringValue("crlPublished", "Success"); } } } // for audit log SessionContext sContext = SessionContext.getContext(); - String agentId = (String) sContext - .get(SessionContext.USER_ID); - IAuthToken authToken = (IAuthToken) sContext - .get(SessionContext.AUTH_TOKEN); + String agentId = (String) sContext.get(SessionContext.USER_ID); + IAuthToken authToken = (IAuthToken) sContext.get(SessionContext.AUTH_TOKEN); String authMgr = AuditFormat.NOAUTH; - + if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } long endTime = CMS.getCurrentDate().getTime(); if (crlIssuingPoint.getNextUpdate() != null) { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.CRLUPDATEFORMAT, - new Object[] { - AuditFormat.FROMAGENT - + " agentID: " + agentId, - authMgr, - "completed", - crlIssuingPoint.getId(), - crlIssuingPoint.getCRLNumber(), - crlIssuingPoint.getLastUpdate(), - crlIssuingPoint.getNextUpdate(), - Long.toString(crlIssuingPoint - .getCRLSize()) - + " time: " - + (endTime - startTime) }); - } else { - mLogger.log( - ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.CRLUPDATEFORMAT, - new Object[] { - AuditFormat.FROMAGENT - + " agentID: " + agentId, - authMgr, - "completed", - crlIssuingPoint.getId(), - crlIssuingPoint.getCRLNumber(), - crlIssuingPoint.getLastUpdate(), - "not set", - Long.toString(crlIssuingPoint - .getCRLSize()) - + " time: " - + (endTime - startTime) }); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.CRLUPDATEFORMAT, + new Object[] { + AuditFormat.FROMAGENT + " agentID: " + agentId, + authMgr, + "completed", + crlIssuingPoint.getId(), + crlIssuingPoint.getCRLNumber(), + crlIssuingPoint.getLastUpdate(), + crlIssuingPoint.getNextUpdate(), + Long.toString(crlIssuingPoint.getCRLSize()) + " time: " + (endTime - startTime)} + ); + }else { + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.CRLUPDATEFORMAT, + new Object[] { + AuditFormat.FROMAGENT + " agentID: " + agentId, + authMgr, + "completed", + crlIssuingPoint.getId(), + crlIssuingPoint.getCRLNumber(), + crlIssuingPoint.getLastUpdate(), + "not set", + Long.toString(crlIssuingPoint.getCRLSize()) + " time: " + (endTime - startTime)} + ); } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", - e.toString())); - if ((lpm != null) && lpm.enabled() - && (e instanceof ELdapException)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); + if ((lpm != null) && lpm.enabled() && (e instanceof ELdapException)) { header.addStringValue("crlPublished", "Failure"); header.addStringValue("error", e.toString(locale)); } else { @@ -533,10 +510,12 @@ public class UpdateCRL extends CMSServlet { } } } else { - if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { + if (crlIssuingPoint.isCRLIssuingPointInitialized() + != ICRLIssuingPoint.CRL_IP_INITIALIZED) { header.addStringValue("crlUpdate", "notInitialized"); - } else if (crlIssuingPoint.isCRLUpdateInProgress() != ICRLIssuingPoint.CRL_UPDATE_DONE - || crlIssuingPoint.isManualUpdateSet()) { + } else if (crlIssuingPoint.isCRLUpdateInProgress() + != ICRLIssuingPoint.CRL_UPDATE_DONE || + crlIssuingPoint.isManualUpdateSet()) { header.addStringValue("crlUpdate", "inProgress"); } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { header.addStringValue("crlUpdate", "Disabled"); diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateDir.java b/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateDir.java index 8ea34b1ba..ccba33622 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateDir.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/UpdateDir.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.util.Enumeration; @@ -57,9 +58,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Update the configured LDAP server with specified objects - * + * * @version $Revision$, $Date$ */ public class UpdateDir extends CMSServlet { @@ -83,10 +85,12 @@ public class UpdateDir extends CMSServlet { private final static int REVOKED_FROM = 10; private final static int REVOKED_TO = 11; private final static int CHECK_FLAG = 12; - private final static String[] updateName = { "updateAll", "updateCRL", - "updateCA", "updateValid", "validFrom", "validTo", "updateExpired", - "expiredFrom", "expiredTo", "updateRevoked", "revokedFrom", - "revokedTo", "checkFlag" }; + private final static String[] updateName = + {"updateAll", "updateCRL", "updateCA", + "updateValid", "validFrom", "validTo", + "updateExpired", "expiredFrom", "expiredTo", + "updateRevoked", "revokedFrom", "revokedTo", + "checkFlag"}; private String mFormPath = null; private ICertificateAuthority mCA = null; @@ -108,7 +112,7 @@ public class UpdateDir extends CMSServlet { public void init(ServletConfig sc) throws ServletException { super.init(sc); - if (mAuthority != null) { + if( mAuthority != null ) { mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; if (mAuthority instanceof ICertificateAuthority) { mCA = (ICertificateAuthority) mAuthority; @@ -125,8 +129,8 @@ public class UpdateDir extends CMSServlet { } /** - * Process the HTTP request. - * + * Process the HTTP request. + * * @param cmsReq the object holding the request and response information */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -138,14 +142,14 @@ public class UpdateDir extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "update"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "update"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { @@ -165,19 +169,18 @@ public class UpdateDir extends CMSServlet { try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } try { String crlIssuingPointId = req.getParameter("crlIssuingPoint"); - if (mPublisherProcessor == null || !mPublisherProcessor.enabled()) - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_NO_PUB_MODULE")); + if (mPublisherProcessor == null || + !mPublisherProcessor.enabled()) + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_PUB_MODULE")); String[] updateValue = new String[updateName.length]; @@ -185,17 +188,14 @@ public class UpdateDir extends CMSServlet { updateValue[i] = req.getParameter(updateName[i]); } - String masterHost = CMS.getConfigStore().getString( - "master.ca.agent.host", ""); - String masterPort = CMS.getConfigStore().getString( - "master.ca.agent.port", ""); - if (masterHost != null && masterHost.length() > 0 - && masterPort != null && masterPort.length() > 0) { + String masterHost = CMS.getConfigStore().getString("master.ca.agent.host", ""); + String masterPort = CMS.getConfigStore().getString("master.ca.agent.port", ""); + if (masterHost != null && masterHost.length() > 0 && + masterPort != null && masterPort.length() > 0) { mClonedCA = true; } - process(argSet, header, req, resp, crlIssuingPointId, updateValue, - locale[0]); + process(argSet, header, req, resp, crlIssuingPointId, updateValue, locale[0]); } catch (EBaseException e) { error = e; } @@ -206,28 +206,29 @@ public class UpdateDir extends CMSServlet { if (error == null) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { - outputXML(resp, argSet); + outputXML(resp, argSet); } else { - resp.setContentType("text/html"); - form.renderOutput(out, argSet); - cmsReq.setStatus(CMSRequest.SUCCESS); + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + cmsReq.setStatus(CMSRequest.SUCCESS); } } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } } - private void updateCRLIssuingPoint(IArgBlock header, - String crlIssuingPointId, ICRLIssuingPoint crlIssuingPoint, - Locale locale) { + private void updateCRLIssuingPoint( + IArgBlock header, + String crlIssuingPointId, + ICRLIssuingPoint crlIssuingPoint, + Locale locale) { SessionContext sc = SessionContext.getContext(); sc.put(ICRLIssuingPoint.SC_ISSUING_POINT_ID, crlIssuingPointId); @@ -236,67 +237,53 @@ public class UpdateDir extends CMSServlet { try { if (mCRLRepository != null) { - crlRecord = (ICRLIssuingPointRecord) mCRLRepository - .readCRLIssuingPointRecord(crlIssuingPointId); + crlRecord = (ICRLIssuingPointRecord)mCRLRepository.readCRLIssuingPointRecord(crlIssuingPointId); } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_CRL_RECORD", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_CRL_RECORD", e.toString())); } if (crlRecord == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", crlIssuingPointId)); header.addStringValue("crlPublished", "Failure"); - header.addStringValue( - "crlError", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + header.addStringValue("crlError", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); } else { - String publishDN = (crlIssuingPoint != null) ? crlIssuingPoint - .getPublishDN() : null; + String publishDN = (crlIssuingPoint != null)? crlIssuingPoint.getPublishDN(): null; byte[] crlbytes = crlRecord.getCRL(); if (crlbytes == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", "")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_CRL_NOT_YET_UPDATED_1", "")); header.addStringValue("crlPublished", "Failure"); - header.addStringValue( - "crlError", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); + header.addStringValue("crlError", + new ECMSGWException(CMS.getUserMessage(locale, "CMS_GW_CRL_NOT_YET_UPDATED")).toString()); } else { X509CRLImpl crl = null; try { crl = new X509CRLImpl(crlbytes); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", - e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_CRL", e.toString())); } if (crl == null) { header.addStringValue("crlPublished", "Failure"); - header.addStringValue( - "crlError", - new ECMSGWException(CMS.getUserMessage(locale, - "CMS_GW_DECODE_CRL_FAILED")).toString()); + header.addStringValue("crlError", + new ECMSGWException(CMS.getUserMessage(locale,"CMS_GW_DECODE_CRL_FAILED")).toString()); } else { try { if (publishDN != null) { mPublisherProcessor.publishCRL(publishDN, crl); } else { - mPublisherProcessor.publishCRL(crl, - crlIssuingPointId); + mPublisherProcessor.publishCRL(crl,crlIssuingPointId); } header.addStringValue("crlPublished", "Success"); } catch (ELdapException e) { header.addStringValue("crlPublished", "Failure"); header.addStringValue("crlError", e.toString(locale)); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("LDAP_ERROR_PUBLISH_CRL", - e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR_PUBLISH_CRL", e.toString())); } } } @@ -311,9 +298,7 @@ public class UpdateDir extends CMSServlet { try { deltaCrl = new X509CRLImpl(deltaCrlBytes); } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_DECODE_DELTA_CRL", - e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_DECODE_DELTA_CRL", e.toString())); } boolean goodDelta = false; @@ -321,26 +306,24 @@ public class UpdateDir extends CMSServlet { BigInteger crlNumber = crlRecord.getCRLNumber(); BigInteger deltaNumber = crlRecord.getDeltaCRLNumber(); Long deltaCRLSize = crlRecord.getDeltaCRLSize(); - if (deltaCRLSize != null && deltaCRLSize.longValue() > -1 - && crlNumber != null && deltaNumber != null - && deltaNumber.compareTo(crlNumber) >= 0) { + if (deltaCRLSize != null && deltaCRLSize.longValue() > -1 && + crlNumber != null && deltaNumber != null && + deltaNumber.compareTo(crlNumber) >= 0) { goodDelta = true; } } - if (deltaCrl != null - && ((mClonedCA && goodDelta) || (crlIssuingPoint != null && crlIssuingPoint - .isThisCurrentDeltaCRL(deltaCrl)))) { + if (deltaCrl != null && ((mClonedCA && goodDelta) || + (crlIssuingPoint != null && + crlIssuingPoint.isThisCurrentDeltaCRL(deltaCrl)))) { try { if (publishDN != null) { mPublisherProcessor.publishCRL(publishDN, deltaCrl); } else { - mPublisherProcessor.publishCRL(deltaCrl, - crlIssuingPointId); + mPublisherProcessor.publishCRL(deltaCrl,crlIssuingPointId); } } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERR_PUBLISH_DELTA_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_PUBLISH_DELTA_CRL", e.toString())); } } } @@ -348,14 +331,17 @@ public class UpdateDir extends CMSServlet { } private void process(CMSTemplateParams argSet, IArgBlock header, - HttpServletRequest req, HttpServletResponse resp, - String crlIssuingPointId, String[] updateValue, Locale locale) - throws EBaseException { + HttpServletRequest req, + HttpServletResponse resp, + String crlIssuingPointId, + String[] updateValue, + Locale locale) + throws EBaseException { // all or crl - if ((updateValue[UPDATE_ALL] != null && updateValue[UPDATE_ALL] - .equalsIgnoreCase("yes")) - || (updateValue[UPDATE_CRL] != null && updateValue[UPDATE_CRL] - .equalsIgnoreCase("yes"))) { + if ((updateValue[UPDATE_ALL] != null && + updateValue[UPDATE_ALL].equalsIgnoreCase("yes")) || + (updateValue[UPDATE_CRL] != null && + updateValue[UPDATE_CRL].equalsIgnoreCase("yes"))) { // check if received issuing point ID is known to the server if (crlIssuingPointId != null) { Enumeration ips = mCA.getCRLIssuingPoints(); @@ -366,8 +352,7 @@ public class UpdateDir extends CMSServlet { if (crlIssuingPointId.equals(ip.getId())) { break; } - if (!ips.hasMoreElements()) - crlIssuingPointId = null; + if (!ips.hasMoreElements()) crlIssuingPointId = null; } } if (crlIssuingPointId == null) { @@ -376,7 +361,7 @@ public class UpdateDir extends CMSServlet { Vector ipNames = mCRLRepository.getIssuingPointsNames(); if (ipNames != null && ipNames.size() > 0) { for (int i = 0; i < ipNames.size(); i++) { - String ipName = (String) ipNames.elementAt(i); + String ipName = (String)ipNames.elementAt(i); updateCRLIssuingPoint(header, ipName, null, locale); } @@ -385,49 +370,46 @@ public class UpdateDir extends CMSServlet { Enumeration oips = mCA.getCRLIssuingPoints(); while (oips.hasMoreElements()) { - ICRLIssuingPoint oip = (ICRLIssuingPoint) oips - .nextElement(); + ICRLIssuingPoint oip = (ICRLIssuingPoint) oips.nextElement(); updateCRLIssuingPoint(header, oip.getId(), oip, locale); } } } else { - ICRLIssuingPoint crlIssuingPoint = mCA - .getCRLIssuingPoint(crlIssuingPointId); + ICRLIssuingPoint crlIssuingPoint = + mCA.getCRLIssuingPoint(crlIssuingPointId); ICRLIssuingPointRecord crlRecord = null; - updateCRLIssuingPoint(header, crlIssuingPointId, - crlIssuingPoint, locale); + updateCRLIssuingPoint(header, crlIssuingPointId, + crlIssuingPoint, locale); } } - ICertificateRepository certificateRepository = (ICertificateRepository) mCA - .getCertificateRepository(); + ICertificateRepository certificateRepository = (ICertificateRepository) mCA.getCertificateRepository(); // all or ca - if ((updateValue[UPDATE_ALL] != null && updateValue[UPDATE_ALL] - .equalsIgnoreCase("yes")) - || (updateValue[UPDATE_CA] != null && updateValue[UPDATE_CA] - .equalsIgnoreCase("yes"))) { + if ((updateValue[UPDATE_ALL] != null && + updateValue[UPDATE_ALL].equalsIgnoreCase("yes")) || + (updateValue[UPDATE_CA] != null && + updateValue[UPDATE_CA].equalsIgnoreCase("yes"))) { X509CertImpl caCert = mCA.getSigningUnit().getCertImpl(); try { mPublisherProcessor.publishCACert(caCert); header.addStringValue("caCertPublished", "Success"); } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "LDAP_ERROR_PUBLISH_CACERT_1", caCert.getSerialNumber() - .toString(16), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR_PUBLISH_CACERT_1", + caCert.getSerialNumber().toString(16), e.toString())); header.addStringValue("caCertPublished", "Failure"); header.addStringValue("caCertError", e.toString(locale)); } } // all or valid - if ((updateValue[UPDATE_ALL] != null && updateValue[UPDATE_ALL] - .equalsIgnoreCase("yes")) - || (updateValue[UPDATE_VALID] != null && updateValue[UPDATE_VALID] - .equalsIgnoreCase("yes"))) { + if ((updateValue[UPDATE_ALL] != null && + updateValue[UPDATE_ALL].equalsIgnoreCase("yes")) || + (updateValue[UPDATE_VALID] != null && + updateValue[UPDATE_VALID].equalsIgnoreCase("yes"))) { if (certificateRepository != null) { if (updateValue[VALID_FROM].startsWith("0x")) { updateValue[VALID_FROM] = hexToDecimal(updateValue[VALID_FROM]); @@ -437,15 +419,17 @@ public class UpdateDir extends CMSServlet { } Enumeration validCerts = null; - if (updateValue[CHECK_FLAG] != null - && updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { - validCerts = certificateRepository - .getValidNotPublishedCertificates( - updateValue[VALID_FROM], - updateValue[VALID_TO]); + if (updateValue[CHECK_FLAG] != null && + updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { + validCerts = + certificateRepository.getValidNotPublishedCertificates( + updateValue[VALID_FROM], + updateValue[VALID_TO]); } else { - validCerts = certificateRepository.getValidCertificates( - updateValue[VALID_FROM], updateValue[VALID_TO]); + validCerts = + certificateRepository.getValidCertificates( + updateValue[VALID_FROM], + updateValue[VALID_TO]); } int i = 0; int l = 0; @@ -453,9 +437,9 @@ public class UpdateDir extends CMSServlet { if (validCerts != null) { while (validCerts.hasMoreElements()) { - ICertRecord certRecord = (ICertRecord) validCerts - .nextElement(); - // X509CertImpl cert = certRecord.getCertificate(); + ICertRecord certRecord = + (ICertRecord) validCerts.nextElement(); + //X509CertImpl cert = certRecord.getCertificate(); X509CertImpl cert = null; Object o = certRecord.getCertificate(); @@ -465,92 +449,84 @@ public class UpdateDir extends CMSServlet { MetaInfo metaInfo = null; String ridString = null; - metaInfo = (MetaInfo) certRecord - .get(ICertRecord.ATTR_META_INFO); + metaInfo = (MetaInfo) certRecord.get(ICertRecord.ATTR_META_INFO); if (metaInfo == null) { // ca's self signed signing cert and // server cert has no related request and // have no metaInfo - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAIL_GET_ICERT_RECORD", cert - .getSerialNumber().toString(16))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAIL_GET_ICERT_RECORD", + cert.getSerialNumber().toString(16))); } else { - ridString = (String) metaInfo - .get(ICertRecord.META_REQUEST_ID); + ridString = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); } IRequest r = null; if (ridString != null) { RequestId rid = new RequestId(ridString); - + r = mCA.getRequestQueue().findRequest(rid); - } + } try { l++; - SessionContext sc = SessionContext.getContext(); + SessionContext sc = SessionContext.getContext(); if (r == null) { if (CMS.isEncryptionCert(cert)) - sc.put((Object) "isEncryptionCert", - (Object) "true"); - else - sc.put((Object) "isEncryptionCert", - (Object) "false"); + sc.put((Object) "isEncryptionCert", (Object) "true"); + else + sc.put((Object) "isEncryptionCert", (Object) "false"); mPublisherProcessor.publishCert(cert, null); } else { if (CMS.isEncryptionCert(cert)) r.setExtData("isEncryptionCert", "true"); - else + else r.setExtData("isEncryptionCert", "false"); mPublisherProcessor.publishCert(cert, r); } i++; } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAIL_PUBLISH_CERT", certRecord - .getSerialNumber().toString(16), e - .toString())); - validCertsError += "Failed to publish certificate: 0x" - + certRecord.getSerialNumber().toString(16) - + ".\n <BR> "; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAIL_PUBLISH_CERT", certRecord.getSerialNumber().toString(16), + e.toString())); + validCertsError += + "Failed to publish certificate: 0x" + + certRecord.getSerialNumber().toString(16) + + ".\n <BR> "; } } } if (i > 0 && i == l) { - header.addStringValue("validCertsPublished", "Success"); + header.addStringValue("validCertsPublished", + "Success"); if (i == 1) - header.addStringValue( - "validCertsError", - i - + " valid certificate is published in the directory."); + header.addStringValue("validCertsError", i + + " valid certificate is published in the directory."); else - header.addStringValue( - "validCertsError", - i - + " valid certificates are published in the directory."); + header.addStringValue("validCertsError", i + + " valid certificates are published in the directory."); } else { if (l == 0) { header.addStringValue("validCertsPublished", "No"); } else { header.addStringValue("validCertsPublished", "Failure"); - header.addStringValue("validCertsError", - validCertsError); + header.addStringValue("validCertsError", + validCertsError); } } } else { header.addStringValue("validCertsPublished", "Failure"); - header.addStringValue("validCertsError", - "Certificate repository is unavailable."); + header.addStringValue("validCertsError", "Certificate repository is unavailable."); } } // all or expired - if ((updateValue[UPDATE_ALL] != null && updateValue[UPDATE_ALL] - .equalsIgnoreCase("yes")) - || (updateValue[UPDATE_EXPIRED] != null && updateValue[UPDATE_EXPIRED] - .equalsIgnoreCase("yes"))) { + if ((updateValue[UPDATE_ALL] != null && + updateValue[UPDATE_ALL].equalsIgnoreCase("yes")) || + (updateValue[UPDATE_EXPIRED] != null && + updateValue[UPDATE_EXPIRED].equalsIgnoreCase("yes"))) { if (certificateRepository != null) { if (updateValue[EXPIRED_FROM].startsWith("0x")) { updateValue[EXPIRED_FROM] = hexToDecimal(updateValue[EXPIRED_FROM]); @@ -560,26 +536,27 @@ public class UpdateDir extends CMSServlet { } Enumeration expiredCerts = null; - if (updateValue[CHECK_FLAG] != null - && updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { - expiredCerts = certificateRepository - .getExpiredPublishedCertificates( - updateValue[EXPIRED_FROM], - updateValue[EXPIRED_TO]); + if (updateValue[CHECK_FLAG] != null && + updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { + expiredCerts = + certificateRepository.getExpiredPublishedCertificates( + updateValue[EXPIRED_FROM], + updateValue[EXPIRED_TO]); } else { - expiredCerts = certificateRepository - .getExpiredCertificates(updateValue[EXPIRED_FROM], - updateValue[EXPIRED_TO]); + expiredCerts = + certificateRepository.getExpiredCertificates( + updateValue[EXPIRED_FROM], + updateValue[EXPIRED_TO]); } int i = 0; int l = 0; StringBuffer expiredCertsError = new StringBuffer(); - if (expiredCerts != null) { + if (expiredCerts != null) { while (expiredCerts.hasMoreElements()) { - ICertRecord certRecord = (ICertRecord) expiredCerts - .nextElement(); - // X509CertImpl cert = certRecord.getCertificate(); + ICertRecord certRecord = + (ICertRecord) expiredCerts.nextElement(); + //X509CertImpl cert = certRecord.getCertificate(); X509CertImpl cert = null; Object o = certRecord.getCertificate(); @@ -589,27 +566,25 @@ public class UpdateDir extends CMSServlet { MetaInfo metaInfo = null; String ridString = null; - metaInfo = (MetaInfo) certRecord - .get(ICertRecord.ATTR_META_INFO); + metaInfo = (MetaInfo) certRecord.get(ICertRecord.ATTR_META_INFO); if (metaInfo == null) { // ca's self signed signing cert and // server cert has no related request and // have no metaInfo - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAIL_GET_ICERT_RECORD", cert - .getSerialNumber().toString(16))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAIL_GET_ICERT_RECORD", + cert.getSerialNumber().toString(16))); } else { - ridString = (String) metaInfo - .get(ICertRecord.META_REQUEST_ID); + ridString = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); } IRequest r = null; if (ridString != null) { RequestId rid = new RequestId(ridString); - + r = mCA.getRequestQueue().findRequest(rid); - } + } try { l++; @@ -620,53 +595,47 @@ public class UpdateDir extends CMSServlet { } i++; } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "LDAP_ERROR_UNPUBLISH_CERT", certRecord - .getSerialNumber().toString(16), e - .toString())); - expiredCertsError - .append("Failed to unpublish certificate: 0x"); - expiredCertsError.append(certRecord - .getSerialNumber().toString(16)); - expiredCertsError - .append(".\n <BR> "); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR_UNPUBLISH_CERT", + certRecord.getSerialNumber().toString(16), + e.toString())); + expiredCertsError.append( + "Failed to unpublish certificate: 0x"); + expiredCertsError.append( + certRecord.getSerialNumber().toString(16)); + expiredCertsError.append( + ".\n <BR> "); } } } if (i > 0 && i == l) { header.addStringValue("expiredCertsUnpublished", "Success"); if (i == 1) - header.addStringValue( - "expiredCertsError", - i - + " expired certificate is unpublished in the directory."); + header.addStringValue("expiredCertsError", i + + " expired certificate is unpublished in the directory."); else - header.addStringValue( - "expiredCertsError", - i - + " expired certificates are unpublished in the directory."); + header.addStringValue("expiredCertsError", i + + " expired certificates are unpublished in the directory."); } else { if (l == 0) { header.addStringValue("expiredCertsUnpublished", "No"); } else { - header.addStringValue("expiredCertsUnpublished", - "Failure"); - header.addStringValue("expiredCertsError", - expiredCertsError.toString()); + header.addStringValue("expiredCertsUnpublished", "Failure"); + header.addStringValue("expiredCertsError", + expiredCertsError.toString()); } } } else { header.addStringValue("expiredCertsUnpublished", "Failure"); - header.addStringValue("expiredCertsError", - "Certificate repository is unavailable."); + header.addStringValue("expiredCertsError", "Certificate repository is unavailable."); } } // all or revoked - if ((updateValue[UPDATE_ALL] != null && updateValue[UPDATE_ALL] - .equalsIgnoreCase("yes")) - || (updateValue[UPDATE_REVOKED] != null && updateValue[UPDATE_REVOKED] - .equalsIgnoreCase("yes"))) { + if ((updateValue[UPDATE_ALL] != null && + updateValue[UPDATE_ALL].equalsIgnoreCase("yes")) || + (updateValue[UPDATE_REVOKED] != null && + updateValue[UPDATE_REVOKED].equalsIgnoreCase("yes"))) { if (certificateRepository != null) { if (updateValue[REVOKED_FROM].startsWith("0x")) { updateValue[REVOKED_FROM] = hexToDecimal(updateValue[REVOKED_FROM]); @@ -676,26 +645,27 @@ public class UpdateDir extends CMSServlet { } Enumeration revokedCerts = null; - if (updateValue[CHECK_FLAG] != null - && updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { - revokedCerts = certificateRepository - .getRevokedPublishedCertificates( - updateValue[REVOKED_FROM], - updateValue[REVOKED_TO]); + if (updateValue[CHECK_FLAG] != null && + updateValue[CHECK_FLAG].equalsIgnoreCase("yes")) { + revokedCerts = + certificateRepository.getRevokedPublishedCertificates( + updateValue[REVOKED_FROM], + updateValue[REVOKED_TO]); } else { - revokedCerts = certificateRepository - .getRevokedCertificates(updateValue[REVOKED_FROM], - updateValue[REVOKED_TO]); + revokedCerts = + certificateRepository.getRevokedCertificates( + updateValue[REVOKED_FROM], + updateValue[REVOKED_TO]); } int i = 0; int l = 0; String revokedCertsError = ""; - if (revokedCerts != null) { + if (revokedCerts != null) { while (revokedCerts.hasMoreElements()) { - ICertRecord certRecord = (ICertRecord) revokedCerts - .nextElement(); - // X509CertImpl cert = certRecord.getCertificate(); + ICertRecord certRecord = + (ICertRecord) revokedCerts.nextElement(); + //X509CertImpl cert = certRecord.getCertificate(); X509CertImpl cert = null; Object o = certRecord.getCertificate(); @@ -705,27 +675,25 @@ public class UpdateDir extends CMSServlet { MetaInfo metaInfo = null; String ridString = null; - metaInfo = (MetaInfo) certRecord - .get(ICertRecord.ATTR_META_INFO); + metaInfo = (MetaInfo) certRecord.get(ICertRecord.ATTR_META_INFO); if (metaInfo == null) { // ca's self signed signing cert and // server cert has no related request and // have no metaInfo - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_FAIL_GET_ICERT_RECORD", cert - .getSerialNumber().toString(16))); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_FAIL_GET_ICERT_RECORD", + cert.getSerialNumber().toString(16))); } else { - ridString = (String) metaInfo - .get(ICertRecord.META_REQUEST_ID); + ridString = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); } IRequest r = null; if (ridString != null) { RequestId rid = new RequestId(ridString); - + r = mCA.getRequestQueue().findRequest(rid); - } + } try { l++; @@ -736,42 +704,37 @@ public class UpdateDir extends CMSServlet { } i++; } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "LDAP_ERROR_UNPUBLISH_CERT", certRecord - .getSerialNumber().toString(16), e - .toString())); - revokedCertsError += "Failed to unpublish certificate: 0x" - + certRecord.getSerialNumber().toString(16) - + ".\n <BR> "; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("LDAP_ERROR_UNPUBLISH_CERT", + certRecord.getSerialNumber().toString(16), + e.toString())); + revokedCertsError += + "Failed to unpublish certificate: 0x" + + certRecord.getSerialNumber().toString(16) + + ".\n <BR> "; } } } if (i > 0 && i == l) { header.addStringValue("revokedCertsUnpublished", "Success"); if (i == 1) - header.addStringValue( - "revokedCertsError", - i - + " revoked certificate is unpublished in the directory."); + header.addStringValue("revokedCertsError", i + + " revoked certificate is unpublished in the directory."); else - header.addStringValue( - "revokedCertsError", - i - + " revoked certificates are unpublished in the directory."); + header.addStringValue("revokedCertsError", i + + " revoked certificates are unpublished in the directory."); } else { if (l == 0) { header.addStringValue("revokedCertsUnpublished", "No"); } else { - header.addStringValue("revokedCertsUnpublished", - "Failure"); - header.addStringValue("revokedCertsError", - revokedCertsError); + header.addStringValue("revokedCertsUnpublished", "Failure"); + header.addStringValue("revokedCertsError", + revokedCertsError); } } } else { header.addStringValue("revokedCertsUnpublished", "Failure"); - header.addStringValue("revokedCertsError", - "Certificate repository is unavailable."); + header.addStringValue("revokedCertsError", "Certificate repository is unavailable."); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java index fe2485a60..79151072d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java @@ -123,303 +123,298 @@ import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.profile.SSLClientCertProvider; import com.netscape.cmsutil.scep.CRSPKIMessage; + /** - * This servlet deals with PKCS#10-based certificate requests from CRS, now - * called SCEP, and defined at: - * http://search.ietf.org/internet-drafts/draft-nourse-scep-02.txt + * This servlet deals with PKCS#10-based certificate requests from + * CRS, now called SCEP, and defined at: + * http://search.ietf.org/internet-drafts/draft-nourse-scep-02.txt * * The router is hardcoded to look for the http://host:80/cgi-bin/pkiclient.exe - * - * The HTTP parameters are 'operation' and 'message' operation can be either - * 'GetCACert' or 'PKIOperation' - * + * + * The HTTP parameters are 'operation' and 'message' + * operation can be either 'GetCACert' or 'PKIOperation' + * * @version $Revision$, $Date$ */ -public class CRSEnrollment extends HttpServlet { - /** +public class CRSEnrollment extends HttpServlet +{ + /** * */ private static final long serialVersionUID = 8483002540957382369L; - protected IProfileSubsystem mProfileSubsystem = null; - protected String mProfileId = null; - protected ICertAuthority mAuthority; - protected IConfigStore mConfig = null; - protected IAuthSubsystem mAuthSubsystem; - protected String mAppendDN = null; - protected String mEntryObjectclass = null; - protected boolean mCreateEntry = false; - protected boolean mFlattenDN = false; - - private String mAuthManagerName; - private String mSubstoreName; - private boolean mEnabled = false; - private boolean mUseCA = true; - private String mNickname = null; - private String mTokenName = ""; - private String mHashAlgorithm = "SHA1"; - private String mHashAlgorithmList = null; - private String[] mAllowedHashAlgorithm; - private String mConfiguredEncryptionAlgorithm = "DES3"; - private String mEncryptionAlgorithm = "DES3"; - private String mEncryptionAlgorithmList = null; - private String[] mAllowedEncryptionAlgorithm; - private Random mRandom = null; - private int mNonceSizeLimit = 0; - protected ILogger mLogger = CMS.getLogger(); - private ICertificateAuthority ca; - /* for hashing challenge password */ - protected MessageDigest mSHADigest = null; - - private static final String PROP_SUBSTORENAME = "substorename"; - private static final String PROP_AUTHORITY = "authority"; - private static final String PROP_CRS = "crs"; - private static final String PROP_CRSCA = "casubsystem"; - private static final String PROP_CRSAUTHMGR = "authName"; - private static final String PROP_APPENDDN = "appendDN"; - private static final String PROP_CREATEENTRY = "createEntry"; - private static final String PROP_FLATTENDN = "flattenDN"; - private static final String PROP_ENTRYOC = "entryObjectclass"; - - // URL parameters - private static final String URL_OPERATION = "operation"; - private static final String URL_MESSAGE = "message"; - - // possible values for 'operation' - private static final String OP_GETCACERT = "GetCACert"; - private static final String OP_PKIOPERATION = "PKIOperation"; - - public static final String AUTH_PASSWORD = "pwd"; - - public static final String AUTH_CREDS = "AuthCreds"; - public static final String AUTH_TOKEN = "AuthToken"; - public static final String AUTH_FAILED = "AuthFailed"; - - public static final String SANE_DNSNAME = "DNSName"; - public static final String SANE_IPADDRESS = "IPAddress"; - - public static final String CERTINFO = "CertInfo"; - public static final String SUBJECTNAME = "SubjectName"; - - public static ObjectIdentifier OID_UNSTRUCTUREDNAME = null; - public static ObjectIdentifier OID_UNSTRUCTUREDADDRESS = null; - public static ObjectIdentifier OID_SERIALNUMBER = null; - - public CRSEnrollment() { +protected IProfileSubsystem mProfileSubsystem = null; + protected String mProfileId = null; + protected ICertAuthority mAuthority; + protected IConfigStore mConfig = null; + protected IAuthSubsystem mAuthSubsystem; + protected String mAppendDN=null; + protected String mEntryObjectclass=null; + protected boolean mCreateEntry=false; + protected boolean mFlattenDN=false; + + private String mAuthManagerName; + private String mSubstoreName; + private boolean mEnabled = false; + private boolean mUseCA = true; + private String mNickname = null; + private String mTokenName = ""; + private String mHashAlgorithm = "SHA1"; + private String mHashAlgorithmList = null; + private String[] mAllowedHashAlgorithm; + private String mConfiguredEncryptionAlgorithm = "DES3"; + private String mEncryptionAlgorithm = "DES3"; + private String mEncryptionAlgorithmList = null; + private String[] mAllowedEncryptionAlgorithm; + private Random mRandom = null; + private int mNonceSizeLimit = 0; + protected ILogger mLogger = CMS.getLogger(); + private ICertificateAuthority ca; + /* for hashing challenge password */ + protected MessageDigest mSHADigest = null; + + private static final String PROP_SUBSTORENAME = "substorename"; + private static final String PROP_AUTHORITY = "authority"; + private static final String PROP_CRS = "crs"; + private static final String PROP_CRSCA = "casubsystem"; + private static final String PROP_CRSAUTHMGR = "authName"; + private static final String PROP_APPENDDN = "appendDN"; + private static final String PROP_CREATEENTRY= "createEntry"; + private static final String PROP_FLATTENDN = "flattenDN"; + private static final String PROP_ENTRYOC = "entryObjectclass"; + + // URL parameters + private static final String URL_OPERATION = "operation"; + private static final String URL_MESSAGE = "message"; + + // possible values for 'operation' + private static final String OP_GETCACERT = "GetCACert"; + private static final String OP_PKIOPERATION = "PKIOperation"; + + public static final String AUTH_PASSWORD = "pwd"; + + public static final String AUTH_CREDS = "AuthCreds"; + public static final String AUTH_TOKEN = "AuthToken"; + public static final String AUTH_FAILED = "AuthFailed"; + + public static final String SANE_DNSNAME = "DNSName"; + public static final String SANE_IPADDRESS = "IPAddress"; + + public static final String CERTINFO = "CertInfo"; + public static final String SUBJECTNAME = "SubjectName"; + + + public static ObjectIdentifier OID_UNSTRUCTUREDNAME = null; + public static ObjectIdentifier OID_UNSTRUCTUREDADDRESS = null; + public static ObjectIdentifier OID_SERIALNUMBER = null; + + public CRSEnrollment(){} + + public static Hashtable toHashtable(HttpServletRequest req) { + Hashtable httpReqHash = new Hashtable(); + Enumeration names = req.getParameterNames(); + while (names.hasMoreElements()) { + String name = (String)names.nextElement(); + httpReqHash.put(name, req.getParameter(name)); + } + return httpReqHash; + } + + public void init(ServletConfig sc) { + // Find the CertificateAuthority we should use for CRS. + String crsCA = sc.getInitParameter(PROP_AUTHORITY); + if (crsCA == null) + crsCA = "ca"; + mAuthority = (ICertAuthority) CMS.getSubsystem(crsCA); + ca = (ICertificateAuthority)mAuthority; + + if (mAuthority == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CANT_FIND_AUTHORITY",crsCA)); + } + + try { + if (mAuthority instanceof ISubsystem) { + IConfigStore authorityConfig = ((ISubsystem)mAuthority).getConfigStore(); + IConfigStore scepConfig = authorityConfig.getSubStore("scep"); + mEnabled = scepConfig.getBoolean("enable", false); + mHashAlgorithm = scepConfig.getString("hashAlgorithm", "SHA1"); + mConfiguredEncryptionAlgorithm = scepConfig.getString("encryptionAlgorithm", "DES3"); + mNonceSizeLimit = scepConfig.getInteger("nonceSizeLimit", 0); + mHashAlgorithmList = scepConfig.getString("allowedHashAlgorithms", "SHA1,SHA256,SHA512"); + mAllowedHashAlgorithm = mHashAlgorithmList.split(","); + mEncryptionAlgorithmList = scepConfig.getString("allowedEncryptionAlgorithms", "DES3"); + mAllowedEncryptionAlgorithm = mEncryptionAlgorithmList.split(","); + mNickname = scepConfig.getString("nickname", ca.getNickname()); + if (mNickname.equals(ca.getNickname())) { + mTokenName = ca.getSigningUnit().getTokenName(); + } else { + mTokenName = scepConfig.getString("tokenname", ""); + mUseCA = false; + } + if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) || + mTokenName.equalsIgnoreCase("Internal Key Storage Token") || + mTokenName.length() == 0)) { + int i = mNickname.indexOf(':'); + if (!((i > -1) && (mTokenName.length() == i) && (mNickname.startsWith(mTokenName)))) { + mNickname = mTokenName + ":" + mNickname; + } + } + } + } catch (EBaseException e) { + CMS.debug("CRSEnrollment: init: EBaseException: "+e); + } + mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm; + CMS.debug("CRSEnrollment: init: SCEP support is "+((mEnabled)?"enabled":"disabled")+"."); + CMS.debug("CRSEnrollment: init: SCEP nickname: "+mNickname); + CMS.debug("CRSEnrollment: init: CA nickname: "+ca.getNickname()); + CMS.debug("CRSEnrollment: init: Token name: "+mTokenName); + CMS.debug("CRSEnrollment: init: Is SCEP using CA keys: "+mUseCA); + CMS.debug("CRSEnrollment: init: mNonceSizeLimit: "+mNonceSizeLimit); + CMS.debug("CRSEnrollment: init: mHashAlgorithm: "+mHashAlgorithm); + CMS.debug("CRSEnrollment: init: mHashAlgorithmList: "+mHashAlgorithmList); + for (int i = 0; i < mAllowedHashAlgorithm.length; i++) { + mAllowedHashAlgorithm[i] = mAllowedHashAlgorithm[i].trim(); + CMS.debug("CRSEnrollment: init: mAllowedHashAlgorithm["+i+"]="+mAllowedHashAlgorithm[i]); + } + CMS.debug("CRSEnrollment: init: mEncryptionAlgorithm: "+mEncryptionAlgorithm); + CMS.debug("CRSEnrollment: init: mEncryptionAlgorithmList: "+mEncryptionAlgorithmList); + for (int i = 0; i < mAllowedEncryptionAlgorithm.length; i++) { + mAllowedEncryptionAlgorithm[i] = mAllowedEncryptionAlgorithm[i].trim(); + CMS.debug("CRSEnrollment: init: mAllowedEncryptionAlgorithm["+i+"]="+mAllowedEncryptionAlgorithm[i]); + } + + try { + mProfileSubsystem = (IProfileSubsystem)CMS.getSubsystem("profile"); + mProfileId = sc.getInitParameter("profileId"); + CMS.debug("CRSEnrollment: init: mProfileId="+mProfileId); + + mAuthSubsystem = (IAuthSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + mAuthManagerName = sc.getInitParameter(PROP_CRSAUTHMGR); + mAppendDN = sc.getInitParameter(PROP_APPENDDN); + String tmp = sc.getInitParameter(PROP_CREATEENTRY); + if (tmp != null && tmp.trim().equalsIgnoreCase("true")) + mCreateEntry = true; + else + mCreateEntry = false; + tmp = sc.getInitParameter(PROP_FLATTENDN); + if (tmp != null && tmp.trim().equalsIgnoreCase("true")) + mFlattenDN = true; + else + mFlattenDN = false; + mEntryObjectclass = sc.getInitParameter(PROP_ENTRYOC); + if (mEntryObjectclass == null) + mEntryObjectclass = "cep"; + mSubstoreName = sc.getInitParameter(PROP_SUBSTORENAME); + if (mSubstoreName == null) + mSubstoreName = "default"; + } catch (Exception e) { + } + + OID_UNSTRUCTUREDNAME = X500NameAttrMap.getDefault().getOid("UNSTRUCTUREDNAME"); + OID_UNSTRUCTUREDADDRESS = X500NameAttrMap.getDefault().getOid("UNSTRUCTUREDADDRESS"); + OID_SERIALNUMBER = X500NameAttrMap.getDefault().getOid("SERIALNUMBER"); + + + try { + mSHADigest = MessageDigest.getInstance("SHA1"); } - - public static Hashtable toHashtable(HttpServletRequest req) { - Hashtable httpReqHash = new Hashtable(); - Enumeration names = req.getParameterNames(); - while (names.hasMoreElements()) { - String name = (String) names.nextElement(); - httpReqHash.put(name, req.getParameter(name)); - } - return httpReqHash; - } - - public void init(ServletConfig sc) { - // Find the CertificateAuthority we should use for CRS. - String crsCA = sc.getInitParameter(PROP_AUTHORITY); - if (crsCA == null) - crsCA = "ca"; - mAuthority = (ICertAuthority) CMS.getSubsystem(crsCA); - ca = (ICertificateAuthority) mAuthority; - - if (mAuthority == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_CANT_FIND_AUTHORITY", crsCA)); - } - - try { - if (mAuthority instanceof ISubsystem) { - IConfigStore authorityConfig = ((ISubsystem) mAuthority) - .getConfigStore(); - IConfigStore scepConfig = authorityConfig.getSubStore("scep"); - mEnabled = scepConfig.getBoolean("enable", false); - mHashAlgorithm = scepConfig.getString("hashAlgorithm", "SHA1"); - mConfiguredEncryptionAlgorithm = scepConfig.getString( - "encryptionAlgorithm", "DES3"); - mNonceSizeLimit = scepConfig.getInteger("nonceSizeLimit", 0); - mHashAlgorithmList = scepConfig.getString( - "allowedHashAlgorithms", "SHA1,SHA256,SHA512"); - mAllowedHashAlgorithm = mHashAlgorithmList.split(","); - mEncryptionAlgorithmList = scepConfig.getString( - "allowedEncryptionAlgorithms", "DES3"); - mAllowedEncryptionAlgorithm = mEncryptionAlgorithmList - .split(","); - mNickname = scepConfig.getString("nickname", ca.getNickname()); - if (mNickname.equals(ca.getNickname())) { - mTokenName = ca.getSigningUnit().getTokenName(); - } else { - mTokenName = scepConfig.getString("tokenname", ""); - mUseCA = false; - } - if (!(mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) - || mTokenName - .equalsIgnoreCase("Internal Key Storage Token") || mTokenName - .length() == 0)) { - int i = mNickname.indexOf(':'); - if (!((i > -1) && (mTokenName.length() == i) && (mNickname - .startsWith(mTokenName)))) { - mNickname = mTokenName + ":" + mNickname; - } - } - } - } catch (EBaseException e) { - CMS.debug("CRSEnrollment: init: EBaseException: " + e); - } - mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm; - CMS.debug("CRSEnrollment: init: SCEP support is " - + ((mEnabled) ? "enabled" : "disabled") + "."); - CMS.debug("CRSEnrollment: init: SCEP nickname: " + mNickname); - CMS.debug("CRSEnrollment: init: CA nickname: " + ca.getNickname()); - CMS.debug("CRSEnrollment: init: Token name: " + mTokenName); - CMS.debug("CRSEnrollment: init: Is SCEP using CA keys: " + mUseCA); - CMS.debug("CRSEnrollment: init: mNonceSizeLimit: " + mNonceSizeLimit); - CMS.debug("CRSEnrollment: init: mHashAlgorithm: " + mHashAlgorithm); - CMS.debug("CRSEnrollment: init: mHashAlgorithmList: " - + mHashAlgorithmList); - for (int i = 0; i < mAllowedHashAlgorithm.length; i++) { - mAllowedHashAlgorithm[i] = mAllowedHashAlgorithm[i].trim(); - CMS.debug("CRSEnrollment: init: mAllowedHashAlgorithm[" + i + "]=" - + mAllowedHashAlgorithm[i]); - } - CMS.debug("CRSEnrollment: init: mEncryptionAlgorithm: " - + mEncryptionAlgorithm); - CMS.debug("CRSEnrollment: init: mEncryptionAlgorithmList: " - + mEncryptionAlgorithmList); - for (int i = 0; i < mAllowedEncryptionAlgorithm.length; i++) { - mAllowedEncryptionAlgorithm[i] = mAllowedEncryptionAlgorithm[i] - .trim(); - CMS.debug("CRSEnrollment: init: mAllowedEncryptionAlgorithm[" + i - + "]=" + mAllowedEncryptionAlgorithm[i]); - } - - try { - mProfileSubsystem = (IProfileSubsystem) CMS.getSubsystem("profile"); - mProfileId = sc.getInitParameter("profileId"); - CMS.debug("CRSEnrollment: init: mProfileId=" + mProfileId); - - mAuthSubsystem = (IAuthSubsystem) CMS - .getSubsystem(CMS.SUBSYSTEM_AUTH); - mAuthManagerName = sc.getInitParameter(PROP_CRSAUTHMGR); - mAppendDN = sc.getInitParameter(PROP_APPENDDN); - String tmp = sc.getInitParameter(PROP_CREATEENTRY); - if (tmp != null && tmp.trim().equalsIgnoreCase("true")) - mCreateEntry = true; - else - mCreateEntry = false; - tmp = sc.getInitParameter(PROP_FLATTENDN); - if (tmp != null && tmp.trim().equalsIgnoreCase("true")) - mFlattenDN = true; - else - mFlattenDN = false; - mEntryObjectclass = sc.getInitParameter(PROP_ENTRYOC); - if (mEntryObjectclass == null) - mEntryObjectclass = "cep"; - mSubstoreName = sc.getInitParameter(PROP_SUBSTORENAME); - if (mSubstoreName == null) - mSubstoreName = "default"; - } catch (Exception e) { - } - - OID_UNSTRUCTUREDNAME = X500NameAttrMap.getDefault().getOid( - "UNSTRUCTUREDNAME"); - OID_UNSTRUCTUREDADDRESS = X500NameAttrMap.getDefault().getOid( - "UNSTRUCTUREDADDRESS"); - OID_SERIALNUMBER = X500NameAttrMap.getDefault().getOid("SERIALNUMBER"); - - try { - mSHADigest = MessageDigest.getInstance("SHA1"); - } catch (NoSuchAlgorithmException e) { - } - - mRandom = new Random(); - } - - /** - * - * Service a CRS Request. It all starts here. This is where the message from - * the router is processed - * - * @param httpReq The HttpServletRequest. - * @param httpResp The HttpServletResponse. - * - */ - public void service(HttpServletRequest httpReq, HttpServletResponse httpResp) - throws ServletException { - boolean running_state = CMS.isInRunningState(); - if (!running_state) - throw new ServletException("CMS server is not ready to serve."); + catch (NoSuchAlgorithmException e) { + } + + mRandom = new Random(); + } + + + /** + * + * Service a CRS Request. It all starts here. This is where the message from the + * router is processed + * + * @param httpReq The HttpServletRequest. + * @param httpResp The HttpServletResponse. + * + */ + public void service(HttpServletRequest httpReq, + HttpServletResponse httpResp) + throws ServletException + { + boolean running_state = CMS.isInRunningState(); + if (!running_state) + throw new ServletException( + "CMS server is not ready to serve."); String operation = null; - String message = null; + String message = null; mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm; - + + // Parse the URL from the HTTP Request. Split it up into // a structure which enables us to read the form elements IArgBlock input = CMS.createArgBlock(toHashtable(httpReq)); - - try { + + try { // Read in two form parameters - the router sets these - operation = (String) input.get(URL_OPERATION); + operation = (String)input.get(URL_OPERATION); CMS.debug("operation=" + operation); - message = (String) input.get(URL_MESSAGE); + message = (String)input.get(URL_MESSAGE); CMS.debug("message=" + message); - + if (!mEnabled) { CMS.debug("CRSEnrollment: SCEP support is disabled."); throw new ServletException("SCEP support is disabled."); } if (operation == null) { // 'operation' is mandatory. - throw new ServletException( - "Bad request: operation missing from URL"); + throw new ServletException("Bad request: operation missing from URL"); } - - /** - * the router can make two kinds of requests 1) simple request for - * CA cert 2) encoded, signed, enveloped request for anything else - * (PKIOperation) + + /** + * the router can make two kinds of requests + * 1) simple request for CA cert + * 2) encoded, signed, enveloped request for anything else (PKIOperation) */ - + if (operation.equals(OP_GETCACERT)) { - handleGetCACert(httpReq, httpResp); - } else if (operation.equals(OP_PKIOPERATION)) { - String decodeMode = (String) input.get("decode"); + handleGetCACert(httpReq, httpResp); + } + else if (operation.equals(OP_PKIOPERATION)) { + String decodeMode = (String)input.get("decode"); if (decodeMode == null || decodeMode.equals("false")) { - handlePKIOperation(httpReq, httpResp, message); + handlePKIOperation(httpReq, httpResp, message); } else { - decodePKIMessage(httpReq, httpResp, message); + decodePKIMessage(httpReq, httpResp, message); } - } else { + } + else { CMS.debug("Invalid operation " + operation); - throw new ServletException("unknown operation requested: " - + operation); + throw new ServletException("unknown operation requested: "+operation); } - - } catch (ServletException e) { + + } + catch (ServletException e) + { CMS.debug("ServletException " + e); throw new ServletException(e.getMessage().toString()); - } catch (Exception e) { - CMS.debug("Service exception " + e); - log(ILogger.LL_FAILURE, e.getMessage()); } - + catch (Exception e) + { + CMS.debug("Service exception " + e); + log(ILogger.LL_FAILURE,e.getMessage()); + } + } /** - * Log a message to the system log + * Log a message to the system log */ - private void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, - "CEP Enrollment: " + msg); + private void log(int level, String msg) { + + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + level, "CEP Enrollment: "+msg); } - private boolean isAlgorithmAllowed(String[] allowedAlgorithm, - String algorithm) { + private boolean isAlgorithmAllowed (String[] allowedAlgorithm, String algorithm) { boolean allowed = false; if (algorithm != null && algorithm.length() > 0) { @@ -433,9 +428,8 @@ public class CRSEnrollment extends HttpServlet { return allowed; } - public IAuthToken authenticate(AuthCredentials credentials, - IProfileAuthenticator authenticator, HttpServletRequest request) - throws EBaseException { + public IAuthToken authenticate(AuthCredentials credentials, IProfileAuthenticator authenticator, + HttpServletRequest request) throws EBaseException { // build credential Enumeration authNames = authenticator.getValueNames(); @@ -451,319 +445,313 @@ public class CRSEnrollment extends HttpServlet { credentials.set("clientHost", request.getRemoteHost()); IAuthToken authToken = authenticator.authenticate(credentials); if (authToken == null) { - return null; + return null; } SessionContext sc = SessionContext.getContext(); if (sc != null) { - sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName()); - String userid = authToken.getInString(IAuthToken.USER_ID); - if (userid != null) { - sc.put(SessionContext.USER_ID, userid); - } + sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName()); + String userid = authToken.getInString(IAuthToken.USER_ID); + if (userid != null) { + sc.put(SessionContext.USER_ID, userid); + } } return authToken; } - /** - * Return the CA certificate back to the requestor. This needs to be changed - * so that if the CA has a certificate chain, the whole thing should get - * packaged as a PKIMessage (degnerate PKCS7 - no signerInfo) - */ - - public void handleGetCACert(HttpServletRequest httpReq, - HttpServletResponse httpResp) throws ServletException { - java.security.cert.X509Certificate[] chain = null; - - CertificateChain certChain = mAuthority.getCACertChain(); - - try { - if (certChain == null) { - throw new ServletException("Internal Error: cannot get CA Cert"); - } - - chain = certChain.getChain(); - - byte[] bytes = null; - - int i = 0; - String message = (String) httpReq.getParameter(URL_MESSAGE); - CMS.debug("handleGetCACert message=" + message); - if (message != null) { - try { - int j = Integer.parseInt(message); - if (j < chain.length) { - i = j; - } - } catch (NumberFormatException e1) { - } - } - CMS.debug("handleGetCACert selected chain=" + i); - - if (mUseCA) { - bytes = chain[i].getEncoded(); - } else { - CryptoContext cx = new CryptoContext(); - bytes = cx.getSigningCert().getEncoded(); - } - - httpResp.setContentType("application/x-x509-ca-cert"); - - // The following code may be used one day to encode - // the RA/CA cert chain for RA mode, but it will need some - // work. - - /****** - * SET certs = new SET(); for (int i=0; i<chain.length; i++) { ANY - * cert = new ANY(chain[i].getEncoded()); certs.addElement(cert); } - * - * SignedData crsd = new SignedData( new SET(), // empty set of - * digestAlgorithmID's new ContentInfo( new OBJECT_IDENTIFIER(new - * long[] {1,2,840,113549,1,7,1}), null), //empty content certs, - * null, // no CRL's new SET() // empty SignerInfos ); - * - * ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA, - * crsd); - * - * ByteArrayOutputStream baos = new ByteArrayOutputStream(); - * wrap.encode(baos); - * - * bytes = baos.toByteArray(); - * - * httpResp.setContentType("application/x-x509-ca-ra-cert"); - *****/ - - httpResp.setContentLength(bytes.length); - httpResp.getOutputStream().write(bytes); - httpResp.getOutputStream().flush(); - - CMS.debug("Output certificate chain:"); - CMS.debug(bytes); - } catch (Exception e) { - CMS.debug("handleGetCACert exception " + e); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_SENDING_DER_ENCODE_CERT", - e.getMessage())); - throw new ServletException( - "Failed sending DER encoded version of CA cert to client"); - } - - } - - public String getPasswordFromP10(PKCS10 p10) { - PKCS10Attributes p10atts = p10.getAttributes(); - Enumeration e = p10atts.getElements(); - - try { - while (e.hasMoreElements()) { - PKCS10Attribute p10a = (PKCS10Attribute) e.nextElement(); - CertAttrSet attr = p10a.getAttributeValue(); - - if (attr.getName().equals(ChallengePassword.NAME)) { - if (attr.get(ChallengePassword.PASSWORD) != null) { - return (String) attr.get(ChallengePassword.PASSWORD); - } - } - } - } catch (Exception e1) { - // do nothing - } - return null; - } - - /** - * If the 'operation' is 'PKIOperation', the 'message' part of the URL is a - * PKIMessage structure. We decode it to see what type message it is. - */ - - /** - * Decodes the PKI message and return information to RA. - */ - public void decodePKIMessage(HttpServletRequest httpReq, - HttpServletResponse httpResp, String msg) throws ServletException { - - CryptoContext cx = null; - - CRSPKIMessage req = null; - - byte[] decodedPKIMessage; - byte[] response = null; - String responseData = ""; - - decodedPKIMessage = com.netscape.osutil.OSUtil.AtoB(msg); - - try { - ByteArrayInputStream is = new ByteArrayInputStream( - decodedPKIMessage); - - // We make two CRSPKIMessages. One of them, is the request, so we - // initialize - // it from the DER given to us from the router. - // The second is the response, and we'll fill this in as we go. - - if (decodedPKIMessage.length < 50) { - throw new ServletException( - "CRS request is too small to be a real request (" - + decodedPKIMessage.length + " bytes)"); - } - try { - req = new CRSPKIMessage(is); - String ea = req.getEncryptionAlgorithm(); - if (!isAlgorithmAllowed(mAllowedEncryptionAlgorithm, ea)) { - CMS.debug("CRSEnrollment: decodePKIMessage: Encryption algorithm '" - + ea - + "' is not allowed (" - + mEncryptionAlgorithmList + ")."); - throw new ServletException("Encryption algorithm '" + ea - + "' is not allowed (" + mEncryptionAlgorithmList - + ")."); - } - String da = req.getDigestAlgorithmName(); - if (!isAlgorithmAllowed(mAllowedHashAlgorithm, da)) { - CMS.debug("CRSEnrollment: decodePKIMessage: Hashing algorithm '" - + da - + "' is not allowed (" - + mHashAlgorithmList - + ")."); - throw new ServletException("Hashing algorithm '" + da - + "' is not allowed (" + mHashAlgorithmList + ")."); - } - if (ea != null) { - mEncryptionAlgorithm = ea; - } - } catch (Exception e) { - CMS.debug(e); - throw new ServletException("Could not decode the request."); - } - - // Create a new crypto context for doing all the crypto operations - cx = new CryptoContext(); - - // Verify Signature on message (throws exception if sig bad) - verifyRequest(req, cx); - unwrapPKCS10(req, cx); - - IProfile profile = mProfileSubsystem.getProfile(mProfileId); - if (profile == null) { - CMS.debug("Profile '" + mProfileId + "' not found."); - throw new ServletException("Profile '" + mProfileId - + "' not found."); - } else { - CMS.debug("Found profile '" + mProfileId + "'."); - } - - IProfileAuthenticator authenticator = null; + /** + * Return the CA certificate back to the requestor. + * This needs to be changed so that if the CA has a certificate chain, + * the whole thing should get packaged as a PKIMessage (degnerate PKCS7 - no + * signerInfo) + */ + + public void handleGetCACert(HttpServletRequest httpReq, + HttpServletResponse httpResp) + throws ServletException { + java.security.cert.X509Certificate[] chain = null; + + CertificateChain certChain = mAuthority.getCACertChain(); + + try { + if (certChain == null) { + throw new ServletException("Internal Error: cannot get CA Cert"); + } + + chain = certChain.getChain(); + + byte[] bytes = null; + + int i = 0; + String message = (String)httpReq.getParameter(URL_MESSAGE); + CMS.debug("handleGetCACert message=" + message); + if (message != null) { try { - CMS.debug("Retrieving authenticator"); - authenticator = profile.getAuthenticator(); - if (authenticator == null) { - CMS.debug("Authenticator not found."); - throw new ServletException("Authenticator not found."); - } else { - CMS.debug("Got authenticator=" - + authenticator.getClass().getName()); - } - } catch (EProfileException e) { - throw new ServletException("Authenticator not found."); + int j = Integer.parseInt(message); + if (j < chain.length) { + i = j; + } + } catch (NumberFormatException e1) { } - AuthCredentials credentials = new AuthCredentials(); - IAuthToken authToken = null; - // for ssl authentication; pass in servlet for retrieving - // ssl client certificates - SessionContext context = SessionContext.getContext(); - - // insert profile context so that input parameter can be retrieved - context.put("sslClientCertProvider", new SSLClientCertProvider( - httpReq)); - - try { - authToken = authenticate(credentials, authenticator, httpReq); - } catch (Exception e) { - CMS.debug("Authentication failure: " + e.getMessage()); - throw new ServletException("Authentication failure: " - + e.getMessage()); + } + CMS.debug("handleGetCACert selected chain=" + i); + + if (mUseCA) { + bytes = chain[i].getEncoded(); + } else { + CryptoContext cx = new CryptoContext(); + bytes = cx.getSigningCert().getEncoded(); + } + + httpResp.setContentType("application/x-x509-ca-cert"); + + +// The following code may be used one day to encode +// the RA/CA cert chain for RA mode, but it will need some +// work. + + /****** + SET certs = new SET(); + for (int i=0; i<chain.length; i++) { + ANY cert = new ANY(chain[i].getEncoded()); + certs.addElement(cert); + } + + SignedData crsd = new SignedData( + new SET(), // empty set of digestAlgorithmID's + new ContentInfo( + new OBJECT_IDENTIFIER(new long[] {1,2,840,113549,1,7,1}), + null), //empty content + certs, + null, // no CRL's + new SET() // empty SignerInfos + ); + + ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA, crsd); + + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + wrap.encode(baos); + + bytes = baos.toByteArray(); + + httpResp.setContentType("application/x-x509-ca-ra-cert"); + *****/ + + httpResp.setContentLength(bytes.length); + httpResp.getOutputStream().write(bytes); + httpResp.getOutputStream().flush(); + + CMS.debug("Output certificate chain:"); + CMS.debug(bytes); + } + catch (Exception e) { + CMS.debug("handleGetCACert exception " + e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_SENDING_DER_ENCODE_CERT",e.getMessage())); + throw new ServletException("Failed sending DER encoded version of CA cert to client"); + } + + } + + public String getPasswordFromP10(PKCS10 p10) + { + PKCS10Attributes p10atts = p10.getAttributes(); + Enumeration e = p10atts.getElements(); + + try { + while (e.hasMoreElements()) { + PKCS10Attribute p10a = (PKCS10Attribute)e.nextElement(); + CertAttrSet attr = p10a.getAttributeValue(); + + if (attr.getName().equals(ChallengePassword.NAME)) { + if (attr.get(ChallengePassword.PASSWORD) != null) { + return (String)attr.get(ChallengePassword.PASSWORD); + } + } + } + } catch(Exception e1) { + // do nothing + } + return null; + } + + /** + * If the 'operation' is 'PKIOperation', the 'message' part of the URL is a + * PKIMessage structure. We decode it to see what type message it is. + */ + + /** + * Decodes the PKI message and return information to RA. + */ + public void decodePKIMessage(HttpServletRequest httpReq, + HttpServletResponse httpResp, + String msg) + throws ServletException { + + CryptoContext cx=null; + + CRSPKIMessage req=null; + + byte[] decodedPKIMessage; + byte[] response=null; + String responseData = ""; + + decodedPKIMessage = com.netscape.osutil.OSUtil.AtoB(msg); + + try { + ByteArrayInputStream is = new ByteArrayInputStream(decodedPKIMessage); + + // We make two CRSPKIMessages. One of them, is the request, so we initialize + // it from the DER given to us from the router. + // The second is the response, and we'll fill this in as we go. + + if (decodedPKIMessage.length < 50) { + throw new ServletException("CRS request is too small to be a real request ("+ + decodedPKIMessage.length+" bytes)"); + } + try { + req = new CRSPKIMessage(is); + String ea = req.getEncryptionAlgorithm(); + if (!isAlgorithmAllowed (mAllowedEncryptionAlgorithm, ea)) { + CMS.debug("CRSEnrollment: decodePKIMessage: Encryption algorithm '"+ea+ + "' is not allowed ("+mEncryptionAlgorithmList+")."); + throw new ServletException("Encryption algorithm '"+ea+ + "' is not allowed ("+mEncryptionAlgorithmList+")."); } - if (authToken == null) { - CMS.debug("Authentication failure."); - throw new ServletException("Authentication failure."); + String da = req.getDigestAlgorithmName(); + if (!isAlgorithmAllowed (mAllowedHashAlgorithm, da)) { + CMS.debug("CRSEnrollment: decodePKIMessage: Hashing algorithm '"+da+ + "' is not allowed ("+mHashAlgorithmList+")."); + throw new ServletException("Hashing algorithm '"+da+ + "' is not allowed ("+mHashAlgorithmList+")."); } - - // Deal with Transaction ID - String transactionID = req.getTransactionID(); - responseData = responseData + "<TransactionID>" + transactionID - + "</TransactionID>"; - - // End-User or RA's IP address - responseData = responseData + "<RemoteAddr>" - + httpReq.getRemoteAddr() + "</RemoteAddr>"; - - responseData = responseData + "<RemoteHost>" - + httpReq.getRemoteHost() + "</RemoteHost>"; - - // Deal with Nonces - byte[] sn = req.getSenderNonce(); - - // Deal with message type - String mt = req.getMessageType(); - responseData = responseData + "<MessageType>" + mt - + "</MessageType>"; - - PKCS10 p10 = (PKCS10) req.getP10(); - X500Name p10subject = p10.getSubjectName(); - responseData = responseData + "<SubjectName>" - + p10subject.toString() + "</SubjectName>"; - - String pkcs10Attr = ""; - PKCS10Attributes p10atts = p10.getAttributes(); - Enumeration e = p10atts.getElements(); - - while (e.hasMoreElements()) { - PKCS10Attribute p10a = (PKCS10Attribute) e.nextElement(); - CertAttrSet attr = p10a.getAttributeValue(); - - if (attr.getName().equals(ChallengePassword.NAME)) { - if (attr.get(ChallengePassword.PASSWORD) != null) { - pkcs10Attr = pkcs10Attr - + "<ChallengePassword><Password>" - + (String) attr.get(ChallengePassword.PASSWORD) - + "</Password></ChallengePassword>"; - } - - } - String extensionsStr = ""; - if (attr.getName().equals(ExtensionsRequested.NAME)) { - - Enumeration exts = ((ExtensionsRequested) attr) - .getExtensions().elements(); - while (exts.hasMoreElements()) { - Extension ext = (Extension) exts.nextElement(); - - if (ext.getExtensionId() - .equals(OIDMap - .getOID(SubjectAlternativeNameExtension.IDENT))) { - DerOutputStream dos = new DerOutputStream(); - SubjectAlternativeNameExtension sane = new SubjectAlternativeNameExtension( - Boolean.valueOf(false), // noncritical - ext.getExtensionValue()); - - Vector v = (Vector) sane - .get(SubjectAlternativeNameExtension.SUBJECT_NAME); - - Enumeration gne = v.elements(); + if (ea != null) { + mEncryptionAlgorithm = ea; + } + } + catch (Exception e) { + CMS.debug(e); + throw new ServletException("Could not decode the request."); + } + + // Create a new crypto context for doing all the crypto operations + cx = new CryptoContext(); + + // Verify Signature on message (throws exception if sig bad) + verifyRequest(req,cx); + unwrapPKCS10(req,cx); + + IProfile profile = mProfileSubsystem.getProfile(mProfileId); + if (profile == null) { + CMS.debug("Profile '" + mProfileId + "' not found."); + throw new ServletException("Profile '" + mProfileId + "' not found."); + } else { + CMS.debug("Found profile '" + mProfileId + "'."); + } + + IProfileAuthenticator authenticator = null; + try { + CMS.debug("Retrieving authenticator"); + authenticator = profile.getAuthenticator(); + if (authenticator == null) { + CMS.debug("Authenticator not found."); + throw new ServletException("Authenticator not found."); + } else { + CMS.debug("Got authenticator=" + authenticator.getClass().getName()); + } + } catch (EProfileException e) { + throw new ServletException("Authenticator not found."); + } + AuthCredentials credentials = new AuthCredentials(); + IAuthToken authToken = null; + // for ssl authentication; pass in servlet for retrieving + // ssl client certificates + SessionContext context = SessionContext.getContext(); + + // insert profile context so that input parameter can be retrieved + context.put("sslClientCertProvider", new SSLClientCertProvider(httpReq)); + + try { + authToken = authenticate(credentials, authenticator, httpReq); + } catch (Exception e) { + CMS.debug("Authentication failure: "+ e.getMessage()); + throw new ServletException("Authentication failure: "+ e.getMessage()); + } + if (authToken == null) { + CMS.debug("Authentication failure."); + throw new ServletException("Authentication failure."); + } + + // Deal with Transaction ID + String transactionID = req.getTransactionID(); + responseData = responseData + + "<TransactionID>" + transactionID + "</TransactionID>"; + + // End-User or RA's IP address + responseData = responseData + + "<RemoteAddr>" + httpReq.getRemoteAddr() + "</RemoteAddr>"; + + responseData = responseData + + "<RemoteHost>" + httpReq.getRemoteHost() + "</RemoteHost>"; + + // Deal with Nonces + byte[] sn = req.getSenderNonce(); + + // Deal with message type + String mt = req.getMessageType(); + responseData = responseData + + "<MessageType>" + mt + "</MessageType>"; + + PKCS10 p10 = (PKCS10)req.getP10(); + X500Name p10subject = p10.getSubjectName(); + responseData = responseData + + "<SubjectName>" + p10subject.toString() + "</SubjectName>"; + + String pkcs10Attr = ""; + PKCS10Attributes p10atts = p10.getAttributes(); + Enumeration e = p10atts.getElements(); + + while (e.hasMoreElements()) { + PKCS10Attribute p10a = (PKCS10Attribute)e.nextElement(); + CertAttrSet attr = p10a.getAttributeValue(); + + + if (attr.getName().equals(ChallengePassword.NAME)) { + if (attr.get(ChallengePassword.PASSWORD) != null) { + pkcs10Attr = pkcs10Attr + + "<ChallengePassword><Password>" + (String)attr.get(ChallengePassword.PASSWORD) + "</Password></ChallengePassword>"; + } + + } + String extensionsStr = ""; + if (attr.getName().equals(ExtensionsRequested.NAME)) { + + Enumeration exts = ((ExtensionsRequested)attr).getExtensions().elements(); + while (exts.hasMoreElements()) { + Extension ext = (Extension) exts.nextElement(); + + if (ext.getExtensionId().equals( + OIDMap.getOID(SubjectAlternativeNameExtension.IDENT)) ) { + DerOutputStream dos = new DerOutputStream(); + SubjectAlternativeNameExtension sane = new SubjectAlternativeNameExtension( + Boolean.valueOf(false), // noncritical + ext.getExtensionValue()); + + + Vector v = + (Vector) sane.get(SubjectAlternativeNameExtension. SUBJECT_NAME); + + Enumeration gne = v.elements(); StringBuffer subjAltNameStr = new StringBuffer(); - while (gne.hasMoreElements()) { - GeneralNameInterface gni = (GeneralNameInterface) gne - .nextElement(); - if (gni instanceof GeneralName) { - GeneralName genName = (GeneralName) gni; - - String gn = genName.toString(); - int colon = gn.indexOf(':'); - String gnType = gn.substring(0, colon) - .trim(); - String gnValue = gn.substring(colon + 1) - .trim(); + while (gne.hasMoreElements()) { + GeneralNameInterface gni = (GeneralNameInterface) gne.nextElement(); + if (gni instanceof GeneralName) { + GeneralName genName = (GeneralName) gni; + + String gn = genName.toString(); + int colon = gn.indexOf(':'); + String gnType = gn.substring(0,colon).trim(); + String gnValue = gn.substring(colon+1).trim(); subjAltNameStr.append("<"); subjAltNameStr.append(gnType); @@ -772,1460 +760,1465 @@ public class CRSEnrollment extends HttpServlet { subjAltNameStr.append("</"); subjAltNameStr.append(gnType); subjAltNameStr.append(">"); - } - } // while - extensionsStr = "<SubjAltName>" - + subjAltNameStr.toString() - + "</SubjAltName>"; - } // if - } // while - pkcs10Attr = pkcs10Attr + "<Extensions>" + extensionsStr - + "</Extensions>"; - } // if extensions - } // while - responseData = responseData + "<PKCS10>" + pkcs10Attr + "</PKCS10>"; - - } catch (ServletException e) { - throw new ServletException(e.getMessage().toString()); - } catch (CRSInvalidSignatureException e) { - CMS.debug("handlePKIMessage exception " + e); - CMS.debug(e); - } catch (Exception e) { - CMS.debug("handlePKIMessage exception " + e); - CMS.debug(e); - throw new ServletException( - "Failed to process message in CEP servlet: " - + e.getMessage()); - } - - // We have now processed the request, and need to make the response - // message - - try { - - responseData = "<XMLResponse>" + responseData + "</XMLResponse>"; - // Get the response coding - response = responseData.getBytes(); - - // Encode the httpResp into B64 - httpResp.setContentType("application/xml"); - httpResp.setContentLength(response.length); - httpResp.getOutputStream().write(response); - httpResp.getOutputStream().flush(); - - int i1 = responseData.indexOf("<Password>"); - if (i1 > -1) { - i1 += 10; // 10 is a length of "<Password>" - int i2 = responseData.indexOf("</Password>", i1); - if (i2 > -1) { - responseData = responseData.substring(0, i1) + "********" - + responseData.substring(i2, responseData.length()); - } - } - - CMS.debug("Output (decoding) PKIOperation response:"); - CMS.debug(responseData); - } catch (Exception e) { - throw new ServletException( - "Failed to create response for CEP message" - + e.getMessage()); - } - - } - - /** - * finds a request with this transaction ID. If could not find any request - - * return null If could only find 'rejected' or 'cancelled' requests, return - * null If found 'pending' or 'completed' request - return that request - */ - - public void handlePKIOperation(HttpServletRequest httpReq, - HttpServletResponse httpResp, String msg) throws ServletException { - - CryptoContext cx = null; - - CRSPKIMessage req = null; - CRSPKIMessage crsResp = null; - - byte[] decodedPKIMessage; - byte[] response = null; - X509CertImpl cert = null; - - decodedPKIMessage = com.netscape.osutil.OSUtil.AtoB(msg); - - try { - ByteArrayInputStream is = new ByteArrayInputStream( - decodedPKIMessage); - - // We make two CRSPKIMessages. One of them, is the request, so we - // initialize - // it from the DER given to us from the router. - // The second is the response, and we'll fill this in as we go. - - if (decodedPKIMessage.length < 50) { - throw new ServletException( - "CRS request is too small to be a real request (" - + decodedPKIMessage.length + " bytes)"); - } - try { - req = new CRSPKIMessage(is); - String ea = req.getEncryptionAlgorithm(); - if (!isAlgorithmAllowed(mAllowedEncryptionAlgorithm, ea)) { - CMS.debug("CRSEnrollment: handlePKIOperation: Encryption algorithm '" - + ea - + "' is not allowed (" - + mEncryptionAlgorithmList + ")."); - throw new ServletException("Encryption algorithm '" + ea - + "' is not allowed (" + mEncryptionAlgorithmList - + ")."); - } - String da = req.getDigestAlgorithmName(); - if (!isAlgorithmAllowed(mAllowedHashAlgorithm, da)) { - CMS.debug("CRSEnrollment: handlePKIOperation: Hashing algorithm '" - + da - + "' is not allowed (" - + mHashAlgorithmList - + ")."); - throw new ServletException("Hashing algorithm '" + da - + "' is not allowed (" + mHashAlgorithmList + ")."); - } - if (ea != null) { - mEncryptionAlgorithm = ea; - } - crsResp = new CRSPKIMessage(); - } catch (ServletException e) { - throw new ServletException(e.getMessage().toString()); - } catch (Exception e) { - CMS.debug(e); - throw new ServletException("Could not decode the request."); - } - crsResp.setMessageType(CRSPKIMessage.mType_CertRep); - - // Create a new crypto context for doing all the crypto operations - cx = new CryptoContext(); - - // Verify Signature on message (throws exception if sig bad) - verifyRequest(req, cx); - - // Deal with Transaction ID - String transactionID = req.getTransactionID(); - if (transactionID == null) { - throw new ServletException( - "Error: malformed PKIMessage - missing transactionID"); - } else { - crsResp.setTransactionID(transactionID); - } - - // Deal with Nonces - byte[] sn = req.getSenderNonce(); - if (sn == null) { - throw new ServletException( - "Error: malformed PKIMessage - missing sendernonce"); - } else { - if (mNonceSizeLimit > 0 && sn.length > mNonceSizeLimit) { - byte[] snLimited = (mNonceSizeLimit > 0) ? new byte[mNonceSizeLimit] - : null; - System.arraycopy(sn, 0, snLimited, 0, mNonceSizeLimit); - crsResp.setRecipientNonce(snLimited); - } else { - crsResp.setRecipientNonce(sn); - } - byte[] serverNonce = new byte[16]; - mRandom.nextBytes(serverNonce); - crsResp.setSenderNonce(serverNonce); - // crsResp.setSenderNonce(new byte[] {0}); - } - - // Deal with message type - String mt = req.getMessageType(); - if (mt == null) { - throw new ServletException( - "Error: malformed PKIMessage - missing messageType"); + } + } // while + extensionsStr = "<SubjAltName>" + + subjAltNameStr.toString() + "</SubjAltName>"; + } // if + } // while + pkcs10Attr = pkcs10Attr + + "<Extensions>" + extensionsStr + "</Extensions>"; + } // if extensions + } // while + responseData = responseData + + "<PKCS10>" + pkcs10Attr + "</PKCS10>"; + + } catch (ServletException e) { + throw new ServletException(e.getMessage().toString()); + } catch (CRSInvalidSignatureException e) { + CMS.debug("handlePKIMessage exception " + e); + CMS.debug(e); + } catch (Exception e) { + CMS.debug("handlePKIMessage exception " + e); + CMS.debug(e); + throw new ServletException("Failed to process message in CEP servlet: "+ e.getMessage()); + } + + // We have now processed the request, and need to make the response message + + try { + + responseData = "<XMLResponse>" + responseData + "</XMLResponse>"; + // Get the response coding + response = responseData.getBytes(); + + // Encode the httpResp into B64 + httpResp.setContentType("application/xml"); + httpResp.setContentLength(response.length); + httpResp.getOutputStream().write(response); + httpResp.getOutputStream().flush(); + + int i1 = responseData.indexOf("<Password>"); + if (i1 > -1) { + i1 += 10; // 10 is a length of "<Password>" + int i2 = responseData.indexOf("</Password>", i1); + if (i2 > -1) { + responseData = responseData.substring(0, i1) + "********" + + responseData.substring(i2, responseData.length()); + } + } + + CMS.debug("Output (decoding) PKIOperation response:"); + CMS.debug(responseData); + } + catch (Exception e) { + throw new ServletException("Failed to create response for CEP message"+e.getMessage()); + } + + } + + + /** + * finds a request with this transaction ID. + * If could not find any request - return null + * If could only find 'rejected' or 'cancelled' requests, return null + * If found 'pending' or 'completed' request - return that request + */ + + + public void handlePKIOperation(HttpServletRequest httpReq, + HttpServletResponse httpResp, + String msg) + throws ServletException { + + + CryptoContext cx=null; + + CRSPKIMessage req=null; + CRSPKIMessage crsResp=null; + + byte[] decodedPKIMessage; + byte[] response=null; + X509CertImpl cert = null; + + decodedPKIMessage = com.netscape.osutil.OSUtil.AtoB(msg); + + try { + ByteArrayInputStream is = new ByteArrayInputStream(decodedPKIMessage); + + // We make two CRSPKIMessages. One of them, is the request, so we initialize + // it from the DER given to us from the router. + // The second is the response, and we'll fill this in as we go. + + if (decodedPKIMessage.length < 50) { + throw new ServletException("CRS request is too small to be a real request ("+ + decodedPKIMessage.length+" bytes)"); + } + try { + req = new CRSPKIMessage(is); + String ea = req.getEncryptionAlgorithm(); + if (!isAlgorithmAllowed (mAllowedEncryptionAlgorithm, ea)) { + CMS.debug("CRSEnrollment: handlePKIOperation: Encryption algorithm '"+ea+ + "' is not allowed ("+mEncryptionAlgorithmList+")."); + throw new ServletException("Encryption algorithm '"+ea+ + "' is not allowed ("+mEncryptionAlgorithmList+")."); } - - // now run appropriate code, depending on message type - if (mt.equals(CRSPKIMessage.mType_PKCSReq)) { - CMS.debug("Processing PKCSReq"); - try { - // Check if there is an existing request. If this returns - // non-null, - // then the request is 'active' (either pending or - // completed) in - // which case, we compare the hash of the new request to the - // hash of the - // one in the queue - if they are the same, I return the - // state of the - // original request - as if it was 'getCertInitial' message. - // If the hashes are different, then the user attempted to - // enroll - // for a new request with the same txid, which is not - // allowed - - // so we return 'failure'. - - IRequest cmsRequest = findRequestByTransactionID( - req.getTransactionID(), true); - - // If there was no request (with a cert) with this - // transaction ID, - // process it as a new request - - cert = handlePKCSReq(httpReq, cmsRequest, req, crsResp, cx); - - } catch (CRSFailureException e) { - throw new ServletException( - "Couldn't handle CEP request (PKCSReq) - " - + e.getMessage()); - } - } else if (mt.equals(CRSPKIMessage.mType_GetCertInitial)) { - CMS.debug("Processing GetCertInitial"); - cert = handleGetCertInitial(req, crsResp); - } else { - CMS.debug("Invalid request type " + mt); + String da = req.getDigestAlgorithmName(); + if (!isAlgorithmAllowed (mAllowedHashAlgorithm, da)) { + CMS.debug("CRSEnrollment: handlePKIOperation: Hashing algorithm '"+da+ + "' is not allowed ("+mHashAlgorithmList+")."); + throw new ServletException("Hashing algorithm '"+da+ + "' is not allowed ("+mHashAlgorithmList+")."); } - } catch (ServletException e) { - throw new ServletException(e.getMessage().toString()); - } catch (CRSInvalidSignatureException e) { - CMS.debug("handlePKIMessage exception " + e); + if (ea != null) { + mEncryptionAlgorithm = ea; + } + crsResp = new CRSPKIMessage(); + } + catch (ServletException e) { + throw new ServletException(e.getMessage().toString()); + } + catch (Exception e) { CMS.debug(e); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); - } catch (Exception e) { - CMS.debug("handlePKIMessage exception " + e); - CMS.debug(e); - throw new ServletException( - "Failed to process message in CEP servlet: " - + e.getMessage()); - } - - // We have now processed the request, and need to make the response - // message - - try { - // make the response - processCertRep(cx, cert, crsResp, req); - - // Get the response coding - response = crsResp.getResponse(); - - // Encode the crsResp into B64 - httpResp.setContentType("application/x-pki-message"); - httpResp.setContentLength(response.length); - httpResp.getOutputStream().write(response); - httpResp.getOutputStream().flush(); - - CMS.debug("Output PKIOperation response:"); - CMS.debug(CMS.BtoA(response)); - } catch (Exception e) { - throw new ServletException( - "Failed to create response for CEP message" - + e.getMessage()); - } - - } - - /** - * finds a request with this transaction ID. If could not find any request - - * return null If could only find 'rejected' or 'cancelled' requests, return - * null If found 'pending' or 'completed' request - return that request - */ - - public IRequest findRequestByTransactionID(String txid, - boolean ignoreRejected) throws EBaseException { - - /* Check if certificate request has been completed */ - - IRequestQueue rq = ca.getRequestQueue(); - IRequest foundRequest = null; - - Enumeration rids = rq.findRequestsBySourceId(txid); - if (rids == null) { - return null; - } - - int count = 0; - while (rids.hasMoreElements()) { - RequestId rid = (RequestId) rids.nextElement(); - if (rid == null) { - continue; - } - - IRequest request = rq.findRequest(rid); - if (request == null) { - continue; - } - if (!ignoreRejected - || request.getRequestStatus().equals(RequestStatus.PENDING) - || request.getRequestStatus() - .equals(RequestStatus.COMPLETE)) { - if (foundRequest != null) { - } - foundRequest = request; - } - } - return foundRequest; - } - - /** - * Called if the router is requesting us to send it its certificate Examine - * request queue for a request matching the transaction ID. Ignore any - * rejected or cancelled requests. - * - * If a request is found in the pending state, the response should be - * 'pending' - * - * If a request is found in the completed state, the response should be to - * return the certificate - * - * If no request is found, the response should be to return null - * - */ - - public X509CertImpl handleGetCertInitial(CRSPKIMessage req, - CRSPKIMessage resp) { - IRequest foundRequest = null; - - // already done by handlePKIOperation - // resp.setRecipientNonce(req.getSenderNonce()); - // resp.setSenderNonce(null); - - try { - foundRequest = findRequestByTransactionID(req.getTransactionID(), - false); - } catch (EBaseException e) { - } - - if (foundRequest == null) { - resp.setFailInfo(CRSPKIMessage.mFailInfo_badCertId); - resp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - return null; - } - - return makeResponseFromRequest(req, resp, foundRequest); - } - - public void verifyRequest(CRSPKIMessage req, CryptoContext cx) - throws CRSInvalidSignatureException { - - // Get Signed Data - - byte[] reqAAbytes = req.getAA(); - byte[] reqAAsig = req.getAADigest(); - - } - - /** - * Create an entry for this user in the publishing directory - * - */ - - private boolean createEntry(String dn) { - boolean result = false; - - IPublisherProcessor ldapPub = mAuthority.getPublisherProcessor(); - if (ldapPub == null || !ldapPub.enabled()) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP")); - - return result; - } - - ILdapConnFactory connFactory = ((IPublisherProcessor) ldapPub) - .getLdapConnModule().getLdapConnFactory(); - if (connFactory == null) { - return result; - } - - LDAPConnection connection = null; - try { - connection = connFactory.getConn(); - String[] objectclasses = { "top", mEntryObjectclass }; - LDAPAttribute ocAttrs = new LDAPAttribute("objectclass", - objectclasses); - - LDAPAttributeSet attrSet = new LDAPAttributeSet(); - attrSet.add(ocAttrs); - - LDAPEntry newEntry = new LDAPEntry(dn, attrSet); - connection.add(newEntry); - result = true; - } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_FAIL_CREAT_ENTRY_EXISTS", dn)); - } finally { - try { - connFactory.returnConn(connection); - } catch (Exception f) { - } - } - return result; - } - - /** - * Here we decrypt the PKCS10 message from the client - * - */ - - public void unwrapPKCS10(CRSPKIMessage req, CryptoContext cx) - throws ServletException, CryptoManager.NotInitializedException, - CryptoContext.CryptoContextException, CRSFailureException { - - byte[] decryptedP10bytes = null; - SymmetricKey sk; - SymmetricKey skinternal; - SymmetricKey.Type skt; - KeyWrapper kw; - Cipher cip; - EncryptionAlgorithm ea; - boolean errorInRequest = false; - - // Unwrap the session key with the Cert server key - try { - kw = cx.getKeyWrapper(); - - kw.initUnwrap(cx.getPrivateKey(), null); - - skt = SymmetricKey.Type.DES; - ea = EncryptionAlgorithm.DES_CBC; - if (mEncryptionAlgorithm != null - && mEncryptionAlgorithm.equals("DES3")) { - skt = SymmetricKey.Type.DES3; - ea = EncryptionAlgorithm.DES3_CBC; - } - - sk = kw.unwrapSymmetric(req.getWrappedKey(), skt, - SymmetricKey.Usage.DECRYPT, 0); // keylength is ignored - - skinternal = cx.getDESKeyGenerator().clone(sk); - - cip = skinternal.getOwningToken().getCipherContext(ea); - - cip.initDecrypt(skinternal, (new IVParameterSpec(req.getIV()))); - - decryptedP10bytes = cip.doFinal(req.getEncryptedPkcs10()); - CMS.debug("decryptedP10bytes:"); - CMS.debug(decryptedP10bytes); - - req.setP10(new PKCS10(decryptedP10bytes)); - } catch (Exception e) { - CMS.debug("failed to unwrap PKCS10 " + e); - throw new CRSFailureException("Could not unwrap PKCS10 blob: " - + e.getMessage()); - } - - } - - private void getDetailFromRequest(CRSPKIMessage req, CRSPKIMessage crsResp) - throws CRSFailureException { - - IRequest issueReq = null; - X509CertImpl issuedCert = null; - Vector extensionsRequested = null; - SubjectAlternativeNameExtension sane = null; - CertAttrSet requested_ext = null; - - try { - PKCS10 p10 = (PKCS10) req.getP10(); - - if (p10 == null) { - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - throw new CRSFailureException( - "Failed to decode pkcs10 from CEP request"); - } - - AuthCredentials authCreds = new AuthCredentials(); - - String challengePassword = null; - // Here, we make a new CertInfo - it's a new start for a certificate - - X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); - - // get some stuff out of the request - X509Key key = p10.getSubjectPublicKeyInfo(); - X500Name p10subject = p10.getSubjectName(); - - X500Name subject = null; - - // The following code will copy all the attributes - // into the AuthCredentials so they can be used for - // authentication - // - // Optionally, you can re-map the subject name from: - // one RDN, with many AVA's to - // many RDN's with one AVA in each. - - Enumeration rdne = p10subject.getRDNs(); - Vector rdnv = new Vector(); - - Hashtable sanehash = new Hashtable(); - - X500NameAttrMap xnap = X500NameAttrMap.getDefault(); - while (rdne.hasMoreElements()) { - RDN rdn = (RDN) rdne.nextElement(); - int i = 0; - AVA[] oldavas = rdn.getAssertion(); - for (i = 0; i < rdn.getAssertionLength(); i++) { - AVA[] newavas = new AVA[1]; - newavas[0] = oldavas[i]; - - authCreds.set(xnap.getName(oldavas[i].getOid()), oldavas[i] - .getValue().getAsString()); - - if (oldavas[i].getOid().equals(OID_UNSTRUCTUREDNAME)) { - - sanehash.put(SANE_DNSNAME, oldavas[i].getValue() - .getAsString()); - } - if (oldavas[i].getOid().equals(OID_UNSTRUCTUREDADDRESS)) { - sanehash.put(SANE_IPADDRESS, oldavas[i].getValue() - .getAsString()); - } - - RDN newrdn = new RDN(newavas); - if (mFlattenDN) { - rdnv.addElement(newrdn); - } - } - } - - if (mFlattenDN) - subject = new X500Name(rdnv); - else - subject = p10subject; - - // create default key usage extension - KeyUsageExtension kue = new KeyUsageExtension(); - kue.set(KeyUsageExtension.DIGITAL_SIGNATURE, Boolean.valueOf(true)); - kue.set(KeyUsageExtension.KEY_ENCIPHERMENT, Boolean.valueOf(true)); - - PKCS10Attributes p10atts = p10.getAttributes(); - Enumeration e = p10atts.getElements(); - - while (e.hasMoreElements()) { - PKCS10Attribute p10a = (PKCS10Attribute) e.nextElement(); - CertAttrSet attr = p10a.getAttributeValue(); - - if (attr.getName().equals(ChallengePassword.NAME)) { - if (attr.get(ChallengePassword.PASSWORD) != null) { - req.put(AUTH_PASSWORD, - (String) attr.get(ChallengePassword.PASSWORD)); - req.put(ChallengePassword.NAME, - hashPassword((String) attr - .get(ChallengePassword.PASSWORD))); - } - } - - if (attr.getName().equals(ExtensionsRequested.NAME)) { - - Enumeration exts = ((ExtensionsRequested) attr) - .getExtensions().elements(); - while (exts.hasMoreElements()) { - Extension ext = (Extension) exts.nextElement(); - - if (ext.getExtensionId().equals( - OIDMap.getOID(KeyUsageExtension.IDENT))) { - - kue = new KeyUsageExtension(new Boolean(false), // noncritical - ext.getExtensionValue()); - } - - if (ext.getExtensionId() - .equals(OIDMap - .getOID(SubjectAlternativeNameExtension.IDENT))) { - DerOutputStream dos = new DerOutputStream(); - sane = new SubjectAlternativeNameExtension( - new Boolean(false), // noncritical - ext.getExtensionValue()); - - Vector v = (Vector) sane - .get(SubjectAlternativeNameExtension.SUBJECT_NAME); - - Enumeration gne = v.elements(); - - while (gne.hasMoreElements()) { - GeneralNameInterface gni = (GeneralNameInterface) gne - .nextElement(); - if (gni instanceof GeneralName) { - GeneralName genName = (GeneralName) gni; - - String gn = genName.toString(); - int colon = gn.indexOf(':'); - String gnType = gn.substring(0, colon) - .trim(); - String gnValue = gn.substring(colon + 1) - .trim(); - - authCreds.set(gnType, gnValue); - } - } - } - } - } - } - - if (authCreds != null) - req.put(AUTH_CREDS, authCreds); - - try { - if (sane == null) - sane = makeDefaultSubjectAltName(sanehash); - } catch (Exception sane_e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ENROLL_FAIL_NO_SUBJ_ALT_NAME", - sane_e.getMessage())); - } - - try { - if (mAppendDN != null && !mAppendDN.equals("")) { - - X500Name newSubject = new X500Name(subject.toString()); - subject = new X500Name(subject.toString().concat( - "," + mAppendDN)); - } - - } catch (Exception sne) { - log(ILogger.LL_INFO, "Unable to use appendDN parameter: " - + mAppendDN + ". Error is " + sne.getMessage() - + " Using unmodified subjectname"); - } - - if (subject != null) - req.put(SUBJECTNAME, subject); - - if (key == null || subject == null) { - // log - // throw new - // ERegistrationException(RegistrationResources.ERROR_MALFORMED_P10); - } - - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); - - certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName( - subject)); - - certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key)); - - CertificateExtensions ext = new CertificateExtensions(); - - if (kue != null) { - ext.set(KeyUsageExtension.NAME, kue); - } - - // add subjectAltName extension, if present - if (sane != null) { - ext.set(SubjectAlternativeNameExtension.NAME, sane); - } - - certInfo.set(X509CertInfo.EXTENSIONS, ext); - - req.put(CERTINFO, certInfo); - } catch (Exception e) { - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - return; - } // NEED TO FIX - } - - private SubjectAlternativeNameExtension makeDefaultSubjectAltName( - Hashtable ht) { - - // if no subjectaltname extension was requested, we try to make it up - // from some of the elements of the subject name - - int itemCount = ht.size(); - GeneralNameInterface[] gn = new GeneralNameInterface[ht.size()]; - - itemCount = 0; - Enumeration en = ht.keys(); - while (en.hasMoreElements()) { - String key = (String) en.nextElement(); - if (key.equals(SANE_DNSNAME)) { - gn[itemCount++] = new DNSName((String) ht.get(key)); - } - if (key.equals(SANE_IPADDRESS)) { - gn[itemCount++] = new IPAddressName((String) ht.get(key)); - } - } - - try { - return new SubjectAlternativeNameExtension(new GeneralNames(gn)); - } catch (Exception e) { - log(ILogger.LL_INFO, - CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_SUBJ_ALT_NAME", - e.getMessage())); - return null; - } + throw new ServletException("Could not decode the request."); + } + crsResp.setMessageType(CRSPKIMessage.mType_CertRep); + + // Create a new crypto context for doing all the crypto operations + cx = new CryptoContext(); + + // Verify Signature on message (throws exception if sig bad) + verifyRequest(req,cx); + + // Deal with Transaction ID + String transactionID = req.getTransactionID(); + if (transactionID == null) { + throw new ServletException("Error: malformed PKIMessage - missing transactionID"); + } + else { + crsResp.setTransactionID(transactionID); + } + + // Deal with Nonces + byte[] sn = req.getSenderNonce(); + if (sn == null) { + throw new ServletException("Error: malformed PKIMessage - missing sendernonce"); + } + else { + if (mNonceSizeLimit > 0 && sn.length > mNonceSizeLimit) { + byte[] snLimited = (mNonceSizeLimit > 0)? new byte[mNonceSizeLimit]: null; + System.arraycopy(sn, 0, snLimited, 0, mNonceSizeLimit); + crsResp.setRecipientNonce(snLimited); + } else { + crsResp.setRecipientNonce(sn); + } + byte[] serverNonce = new byte[16]; + mRandom.nextBytes(serverNonce); + crsResp.setSenderNonce(serverNonce); + // crsResp.setSenderNonce(new byte[] {0}); + } + + // Deal with message type + String mt = req.getMessageType(); + if (mt == null) { + throw new ServletException("Error: malformed PKIMessage - missing messageType"); + } + + // now run appropriate code, depending on message type + if (mt.equals(CRSPKIMessage.mType_PKCSReq)) { + CMS.debug("Processing PKCSReq"); + try { + // Check if there is an existing request. If this returns non-null, + // then the request is 'active' (either pending or completed) in + // which case, we compare the hash of the new request to the hash of the + // one in the queue - if they are the same, I return the state of the + // original request - as if it was 'getCertInitial' message. + // If the hashes are different, then the user attempted to enroll + // for a new request with the same txid, which is not allowed - + // so we return 'failure'. + + IRequest cmsRequest= findRequestByTransactionID(req.getTransactionID(),true); + + // If there was no request (with a cert) with this transaction ID, + // process it as a new request + + cert = handlePKCSReq(httpReq, cmsRequest,req,crsResp,cx); + + } + catch (CRSFailureException e) { + throw new ServletException("Couldn't handle CEP request (PKCSReq) - "+e.getMessage()); + } + } + else if (mt.equals(CRSPKIMessage.mType_GetCertInitial)) { + CMS.debug("Processing GetCertInitial"); + cert = handleGetCertInitial(req,crsResp); + } else { + CMS.debug("Invalid request type " + mt); + } + } + catch (ServletException e) { + throw new ServletException(e.getMessage().toString()); + } + catch (CRSInvalidSignatureException e) { + CMS.debug("handlePKIMessage exception " + e); + CMS.debug(e); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); + } + catch (Exception e) { + CMS.debug("handlePKIMessage exception " + e); + CMS.debug(e); + throw new ServletException("Failed to process message in CEP servlet: "+ e.getMessage()); + } + + // We have now processed the request, and need to make the response message + + try { + // make the response + processCertRep(cx, cert,crsResp, req); + + // Get the response coding + response = crsResp.getResponse(); + + // Encode the crsResp into B64 + httpResp.setContentType("application/x-pki-message"); + httpResp.setContentLength(response.length); + httpResp.getOutputStream().write(response); + httpResp.getOutputStream().flush(); + + CMS.debug("Output PKIOperation response:"); + CMS.debug(CMS.BtoA(response)); + } + catch (Exception e) { + throw new ServletException("Failed to create response for CEP message"+e.getMessage()); + } + + } + + + /** + * finds a request with this transaction ID. + * If could not find any request - return null + * If could only find 'rejected' or 'cancelled' requests, return null + * If found 'pending' or 'completed' request - return that request + */ + + public IRequest findRequestByTransactionID(String txid, boolean ignoreRejected) + throws EBaseException { + + /* Check if certificate request has been completed */ + + IRequestQueue rq = ca.getRequestQueue(); + IRequest foundRequest = null; + + Enumeration rids = rq.findRequestsBySourceId(txid); + if (rids == null) { return null; } + + int count=0; + while (rids.hasMoreElements()) { + RequestId rid = (RequestId) rids.nextElement(); + if (rid == null) { + continue; + } + + IRequest request = rq.findRequest(rid); + if (request == null) { + continue; + } + if ( !ignoreRejected || + request.getRequestStatus().equals(RequestStatus.PENDING) || + request.getRequestStatus().equals(RequestStatus.COMPLETE)) { + if (foundRequest != null) { + } + foundRequest = request; + } + } + return foundRequest; + } + + /** + * Called if the router is requesting us to send it its certificate + * Examine request queue for a request matching the transaction ID. + * Ignore any rejected or cancelled requests. + * + * If a request is found in the pending state, the response should be + * 'pending' + * + * If a request is found in the completed state, the response should be + * to return the certificate + * + * If no request is found, the response should be to return null + * + */ + + public X509CertImpl handleGetCertInitial(CRSPKIMessage req,CRSPKIMessage resp) + { + IRequest foundRequest=null; + + // already done by handlePKIOperation + // resp.setRecipientNonce(req.getSenderNonce()); + // resp.setSenderNonce(null); + + try { + foundRequest = findRequestByTransactionID(req.getTransactionID(),false); + } catch (EBaseException e) { + } + + if (foundRequest == null) { + resp.setFailInfo(CRSPKIMessage.mFailInfo_badCertId); + resp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + return null; + } + + return makeResponseFromRequest(req,resp,foundRequest); + } + + + public void verifyRequest(CRSPKIMessage req, CryptoContext cx) + throws CRSInvalidSignatureException { + + // Get Signed Data + + byte[] reqAAbytes = req.getAA(); + byte[] reqAAsig = req.getAADigest(); + + } + + + /** + * Create an entry for this user in the publishing directory + * + */ + + private boolean createEntry(String dn) + { + boolean result = false; + + IPublisherProcessor ldapPub = mAuthority.getPublisherProcessor(); + if (ldapPub == null || !ldapPub.enabled()) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP")); + + return result; + } + + ILdapConnFactory connFactory = ((IPublisherProcessor)ldapPub).getLdapConnModule().getLdapConnFactory(); + if (connFactory == null) { + return result; + } + + LDAPConnection connection=null; + try { + connection = connFactory.getConn(); + String[] objectclasses = { "top", mEntryObjectclass }; + LDAPAttribute ocAttrs = new LDAPAttribute("objectclass",objectclasses); + + LDAPAttributeSet attrSet = new LDAPAttributeSet(); + attrSet.add(ocAttrs); + + LDAPEntry newEntry = new LDAPEntry(dn, attrSet); + connection.add(newEntry); + result=true; + } + catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_FAIL_CREAT_ENTRY_EXISTS",dn)); + } + finally { + try { + connFactory.returnConn(connection); + } + catch (Exception f) {} + } + return result; } - // Perform authentication - - /* - * if the authentication is set up for CEP, and the user provides some - * credential, an attempt is made to authenticate the user If this fails, - * this method will return true If it is sucessful, this method will return - * true and an authtoken will be in the request - * - * If authentication is not configured, this method will return false. The - * request will be processed in the usual way, but no authtoken will be in - * the request. - * - * In other word, this method returns true if the request should be aborted, - * false otherwise. - */ - - private boolean authenticateUser(CRSPKIMessage req) { - boolean authenticationFailed = true; - - if (mAuthManagerName == null) { - return false; - } - - String password = (String) req.get(AUTH_PASSWORD); - - AuthCredentials authCreds = (AuthCredentials) req.get(AUTH_CREDS); - - if (authCreds == null) { - authCreds = new AuthCredentials(); - } - - // authtoken starts as null - AuthToken token = null; - - if (password != null && !password.equals("")) { - try { - authCreds.set(AUTH_PASSWORD, password); - } catch (Exception e) { - } - } - try { - token = (AuthToken) mAuthSubsystem.authenticate(authCreds, - mAuthManagerName); - authCreds.delete(AUTH_PASSWORD); - // if we got here, the authenticate call must not have thrown - // an exception - authenticationFailed = false; - } catch (EInvalidCredentials ex) { - // Invalid credentials - we must reject the request - authenticationFailed = true; - } catch (EMissingCredential mc) { - // Misssing credential - we'll log, and process manually - authenticationFailed = false; - } catch (EBaseException ex) { - // If there's some other error, we'll reject - // So, we just continue on, - AUTH_TOKEN will not be set. - } - if (token != null) { - req.put(AUTH_TOKEN, token); + /** + * Here we decrypt the PKCS10 message from the client + * + */ + + public void unwrapPKCS10(CRSPKIMessage req, CryptoContext cx) + throws ServletException, + CryptoManager.NotInitializedException, + CryptoContext.CryptoContextException, + CRSFailureException { + + byte[] decryptedP10bytes = null; + SymmetricKey sk; + SymmetricKey skinternal; + SymmetricKey.Type skt; + KeyWrapper kw; + Cipher cip; + EncryptionAlgorithm ea; + boolean errorInRequest = false; + + // Unwrap the session key with the Cert server key + try { + kw = cx.getKeyWrapper(); + + kw.initUnwrap(cx.getPrivateKey(),null); + + skt = SymmetricKey.Type.DES; + ea = EncryptionAlgorithm.DES_CBC; + if (mEncryptionAlgorithm != null && mEncryptionAlgorithm.equals("DES3")) { + skt = SymmetricKey.Type.DES3; + ea = EncryptionAlgorithm.DES3_CBC; + } + + sk = kw.unwrapSymmetric(req.getWrappedKey(), + skt, + SymmetricKey.Usage.DECRYPT, + 0); // keylength is ignored + + skinternal = cx.getDESKeyGenerator().clone(sk); + + cip = skinternal.getOwningToken().getCipherContext(ea); + + cip.initDecrypt(skinternal,(new IVParameterSpec(req.getIV()))); + + decryptedP10bytes = cip.doFinal(req.getEncryptedPkcs10()); + CMS.debug("decryptedP10bytes:"); + CMS.debug(decryptedP10bytes); + + req.setP10(new PKCS10(decryptedP10bytes)); + } catch (Exception e) { + CMS.debug("failed to unwrap PKCS10 " + e); + throw new CRSFailureException("Could not unwrap PKCS10 blob: "+e.getMessage()); + } + + } + + + +private void getDetailFromRequest(CRSPKIMessage req, CRSPKIMessage crsResp) + throws CRSFailureException { + + IRequest issueReq = null; + X509CertImpl issuedCert=null; + Vector extensionsRequested = null; + SubjectAlternativeNameExtension sane = null; + CertAttrSet requested_ext = null; + + try { + PKCS10 p10 = (PKCS10)req.getP10(); + + if (p10 == null) { + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + throw new CRSFailureException("Failed to decode pkcs10 from CEP request"); + } + + AuthCredentials authCreds = new AuthCredentials(); + + String challengePassword = null; + // Here, we make a new CertInfo - it's a new start for a certificate + + X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); + + // get some stuff out of the request + X509Key key = p10.getSubjectPublicKeyInfo(); + X500Name p10subject = p10.getSubjectName(); + + X500Name subject=null; + + // The following code will copy all the attributes + // into the AuthCredentials so they can be used for + // authentication + // + // Optionally, you can re-map the subject name from: + // one RDN, with many AVA's to + // many RDN's with one AVA in each. + + Enumeration rdne = p10subject.getRDNs(); + Vector rdnv = new Vector(); + + Hashtable sanehash = new Hashtable(); + + X500NameAttrMap xnap = X500NameAttrMap.getDefault(); + while (rdne.hasMoreElements()) { + RDN rdn = (RDN) rdne.nextElement(); + int i=0; + AVA[] oldavas = rdn.getAssertion(); + for (i=0; i<rdn.getAssertionLength(); i++) { + AVA[] newavas = new AVA[1]; + newavas[0] = oldavas[i]; + + authCreds.set(xnap.getName(oldavas[i].getOid()), + oldavas[i].getValue().getAsString()); + + if (oldavas[i].getOid().equals(OID_UNSTRUCTUREDNAME)) { + + sanehash.put(SANE_DNSNAME,oldavas[i].getValue().getAsString()); + } + if (oldavas[i].getOid().equals(OID_UNSTRUCTUREDADDRESS)) { + sanehash.put(SANE_IPADDRESS,oldavas[i].getValue().getAsString()); + } + + RDN newrdn = new RDN(newavas); + if (mFlattenDN) { + rdnv.addElement(newrdn); + } + } + } + + if (mFlattenDN) subject = new X500Name(rdnv); + else subject = p10subject; + + + // create default key usage extension + KeyUsageExtension kue = new KeyUsageExtension(); + kue.set(KeyUsageExtension.DIGITAL_SIGNATURE, Boolean.valueOf(true)); + kue.set(KeyUsageExtension.KEY_ENCIPHERMENT, Boolean.valueOf(true)); + + + PKCS10Attributes p10atts = p10.getAttributes(); + Enumeration e = p10atts.getElements(); + + while (e.hasMoreElements()) { + PKCS10Attribute p10a = (PKCS10Attribute)e.nextElement(); + CertAttrSet attr = p10a.getAttributeValue(); + + + if (attr.getName().equals(ChallengePassword.NAME)) { + if (attr.get(ChallengePassword.PASSWORD) != null) { + req.put(AUTH_PASSWORD, + (String)attr.get(ChallengePassword.PASSWORD)); + req.put(ChallengePassword.NAME, + hashPassword( + (String)attr.get(ChallengePassword.PASSWORD))); + } + } + + if (attr.getName().equals(ExtensionsRequested.NAME)) { + + Enumeration exts = ((ExtensionsRequested)attr).getExtensions().elements(); + while (exts.hasMoreElements()) { + Extension ext = (Extension) exts.nextElement(); + + if (ext.getExtensionId().equals( + OIDMap.getOID(KeyUsageExtension.IDENT)) ) { + + kue = new KeyUsageExtension( + new Boolean(false), // noncritical + ext.getExtensionValue()); + } + + if (ext.getExtensionId().equals( + OIDMap.getOID(SubjectAlternativeNameExtension.IDENT)) ) { + DerOutputStream dos = new DerOutputStream(); + sane = new SubjectAlternativeNameExtension( + new Boolean(false), // noncritical + ext.getExtensionValue()); + + + Vector v = + (Vector) sane.get(SubjectAlternativeNameExtension. SUBJECT_NAME); + + Enumeration gne = v.elements(); + + while (gne.hasMoreElements()) { + GeneralNameInterface gni = (GeneralNameInterface) gne.nextElement(); + if (gni instanceof GeneralName) { + GeneralName genName = (GeneralName) gni; + + String gn = genName.toString(); + int colon = gn.indexOf(':'); + String gnType = gn.substring(0,colon).trim(); + String gnValue = gn.substring(colon+1).trim(); + + authCreds.set(gnType,gnValue); + } + } + } + } + } + } + + if (authCreds != null) req.put(AUTH_CREDS,authCreds); + + try { + if (sane == null) sane = makeDefaultSubjectAltName(sanehash); + } catch (Exception sane_e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_SUBJ_ALT_NAME", + sane_e.getMessage())); + } + + + + try { + if (mAppendDN != null && ! mAppendDN.equals("")) { + + X500Name newSubject = new X500Name(subject.toString()); + subject = new X500Name( subject.toString().concat(","+mAppendDN)); + } + + } catch (Exception sne) { + log(ILogger.LL_INFO, "Unable to use appendDN parameter: "+mAppendDN+". Error is "+sne.getMessage()+" Using unmodified subjectname"); + } + + if (subject != null) req.put(SUBJECTNAME, subject); + + if (key == null || subject == null) { + // log + //throw new ERegistrationException(RegistrationResources.ERROR_MALFORMED_P10); + } + + + + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + + certInfo.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(subject)); + + certInfo.set(X509CertInfo.KEY, + new CertificateX509Key(key)); + + CertificateExtensions ext = new CertificateExtensions(); + + if (kue != null) { + ext.set(KeyUsageExtension.NAME, kue); + } + + // add subjectAltName extension, if present + if (sane != null) { + ext.set(SubjectAlternativeNameExtension.NAME, sane); + } + + certInfo.set(X509CertInfo.EXTENSIONS,ext); + + req.put(CERTINFO, certInfo); + } catch (Exception e) { + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + return ; + } // NEED TO FIX + } + + + private SubjectAlternativeNameExtension makeDefaultSubjectAltName(Hashtable ht) { + + // if no subjectaltname extension was requested, we try to make it up + // from some of the elements of the subject name + + int itemCount = ht.size(); + GeneralNameInterface[] gn = new GeneralNameInterface[ht.size()]; + + itemCount = 0; + Enumeration en = ht.keys(); + while (en.hasMoreElements()) { + String key = (String) en.nextElement(); + if (key.equals(SANE_DNSNAME)) { + gn[itemCount++] = new DNSName((String)ht.get(key)); + } + if (key.equals(SANE_IPADDRESS)) { + gn[itemCount++] = new IPAddressName((String)ht.get(key)); } - - return authenticationFailed; } - private boolean areFingerprintsEqual(IRequest req, Hashtable fingerprints) { - - Hashtable old_fprints = req - .getExtDataInHashtable(IRequest.FINGERPRINTS); - if (old_fprints == null) { - return false; - } - - byte[] old_md5 = CMS.AtoB((String) old_fprints.get("MD5")); - byte[] new_md5 = (byte[]) fingerprints.get("MD5"); - - if (old_md5.length != new_md5.length) - return false; - - for (int i = 0; i < old_md5.length; i++) { - if (old_md5[i] != new_md5[i]) - return false; - } - return true; - } - - public X509CertImpl handlePKCSReq(HttpServletRequest httpReq, - IRequest cmsRequest, CRSPKIMessage req, CRSPKIMessage crsResp, - CryptoContext cx) throws ServletException, - CryptoManager.NotInitializedException, CRSFailureException { - - try { - unwrapPKCS10(req, cx); - Hashtable fingerprints = makeFingerPrints(req); - - if (cmsRequest != null) { - if (areFingerprintsEqual(cmsRequest, fingerprints)) { - CMS.debug("created response from request"); - return makeResponseFromRequest(req, crsResp, cmsRequest); - } else { - CMS.debug("duplicated transaction id"); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ENROLL_FAIL_DUP_TRANS_ID")); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badRequest); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - return null; - } - } - - getDetailFromRequest(req, crsResp); - boolean authFailed = authenticateUser(req); - - if (authFailed) { - CMS.debug("authentication failed"); - log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_AUTH")); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badIdentity); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - - // perform audit log - String auditMessage = CMS.getLogMessage( - "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5", - httpReq.getRemoteAddr(), ILogger.FAILURE, - req.getTransactionID(), "CRSEnrollment", - ILogger.SIGNED_AUDIT_EMPTY_VALUE); - ILogger signedAuditLogger = CMS.getSignedAuditLogger(); - if (signedAuditLogger != null) { - signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, - ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, - auditMessage); - } - - return null; - } else { - IRequest ireq = postRequest(httpReq, req, crsResp); - - CMS.debug("created response"); - return makeResponseFromRequest(req, crsResp, ireq); - } - } catch (CryptoContext.CryptoContextException e) { - CMS.debug("failed to decrypt the request " + e); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_DECRYPT_PKCS10", - e.getMessage())); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - } catch (EBaseException e) { - CMS.debug("operation failure - " + e); - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSGW_ERNOLL_FAIL_NO_NEW_REQUEST_POSTED", e.getMessage())); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_internalCAError); - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - } - return null; - } - - // //// post the request - - /* - * needed: - * - * token (authtoken) certInfo fingerprints x req.transactionID crsResp - */ - - private IRequest postRequest(HttpServletRequest httpReq, CRSPKIMessage req, - CRSPKIMessage crsResp) throws EBaseException { - X500Name subject = (X500Name) req.get(SUBJECTNAME); - - if (mCreateEntry) { - if (subject == null) { - CMS.debug("CRSEnrollment::postRequest() - subject is null!"); - return null; - } - createEntry(subject.toString()); - } - - // use profile framework to handle SCEP - if (mProfileId != null) { - PKCS10 pkcs10data = (PKCS10) req.getP10(); - String pkcs10blob = CMS.BtoA(pkcs10data.toByteArray()); - - // XXX authentication handling - CMS.debug("Found profile=" + mProfileId); - IProfile profile = mProfileSubsystem.getProfile(mProfileId); - if (profile == null) { - CMS.debug("profile " + mProfileId + " not found"); - return null; - } - IProfileContext ctx = profile.createContext(); - - IProfileAuthenticator authenticator = null; - try { - CMS.debug("Retrieving authenticator"); - authenticator = profile.getAuthenticator(); - if (authenticator == null) { - CMS.debug("No authenticator Found"); - } else { - CMS.debug("Got authenticator=" - + authenticator.getClass().getName()); - } - } catch (EProfileException e) { - // authenticator not installed correctly - } - - IAuthToken authToken = null; - - // for ssl authentication; pass in servlet for retrieving - // ssl client certificates - SessionContext context = SessionContext.getContext(); - - // insert profile context so that input parameter can be retrieved - context.put("profileContext", ctx); - context.put("sslClientCertProvider", new SSLClientCertProvider( - httpReq)); - - String p10Password = getPasswordFromP10(pkcs10data); - AuthCredentials credentials = new AuthCredentials(); - credentials.set("UID", httpReq.getRemoteAddr()); - credentials.set("PWD", p10Password); + try { + return new SubjectAlternativeNameExtension( new GeneralNames(gn) ); + } catch (Exception e) { + log(ILogger.LL_INFO, CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_SUBJ_ALT_NAME", + e.getMessage())); + return null; + } + } + + + + // Perform authentication + + /* + * if the authentication is set up for CEP, and the user provides + * some credential, an attempt is made to authenticate the user + * If this fails, this method will return true + * If it is sucessful, this method will return true and + * an authtoken will be in the request + * + * If authentication is not configured, this method will + * return false. The request will be processed in the usual + * way, but no authtoken will be in the request. + * + * In other word, this method returns true if the request + * should be aborted, false otherwise. + */ + + private boolean authenticateUser(CRSPKIMessage req) { + boolean authenticationFailed = true; + + if (mAuthManagerName == null) { + return false; + } + + String password = (String)req.get(AUTH_PASSWORD); + + AuthCredentials authCreds = (AuthCredentials)req.get(AUTH_CREDS); + + if (authCreds == null) { + authCreds = new AuthCredentials(); + } + + // authtoken starts as null + AuthToken token = null; + + if (password != null && !password.equals("")) { + try { + authCreds.set(AUTH_PASSWORD,password); + } catch (Exception e) {} + } + + try { + token = (AuthToken)mAuthSubsystem.authenticate(authCreds,mAuthManagerName); + authCreds.delete(AUTH_PASSWORD); + // if we got here, the authenticate call must not have thrown + // an exception + authenticationFailed = false; + } + catch (EInvalidCredentials ex) { + // Invalid credentials - we must reject the request + authenticationFailed = true; + } + catch (EMissingCredential mc) { + // Misssing credential - we'll log, and process manually + authenticationFailed = false; + } + catch (EBaseException ex) { + // If there's some other error, we'll reject + // So, we just continue on, - AUTH_TOKEN will not be set. + } + + if (token != null) { + req.put(AUTH_TOKEN,token); + } + + return authenticationFailed; + } + + private boolean areFingerprintsEqual(IRequest req, Hashtable fingerprints) + { + + Hashtable old_fprints = req.getExtDataInHashtable(IRequest.FINGERPRINTS); + if (old_fprints == null) { return false; } + + byte[] old_md5 = CMS.AtoB((String) old_fprints.get("MD5")); + byte[] new_md5 = (byte[]) fingerprints.get("MD5"); + + if (old_md5.length != new_md5.length) return false; + + for (int i=0;i<old_md5.length; i++) { + if (old_md5[i] != new_md5[i]) return false; + } + return true; + } + + public X509CertImpl handlePKCSReq(HttpServletRequest httpReq, + IRequest cmsRequest, CRSPKIMessage req, + CRSPKIMessage crsResp, CryptoContext cx) + throws ServletException, + CryptoManager.NotInitializedException, + CRSFailureException { + + try { + unwrapPKCS10(req,cx); + Hashtable fingerprints = makeFingerPrints(req); + + if (cmsRequest != null) { + if (areFingerprintsEqual(cmsRequest, fingerprints)) { + CMS.debug("created response from request"); + return makeResponseFromRequest(req,crsResp,cmsRequest); + } + else { + CMS.debug("duplicated transaction id"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ENROLL_FAIL_DUP_TRANS_ID")); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badRequest); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + return null; + } + } + + getDetailFromRequest(req,crsResp); + boolean authFailed = authenticateUser(req); + + if (authFailed) { + CMS.debug("authentication failed"); + log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_AUTH")); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badIdentity); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + + + // perform audit log + String auditMessage = CMS.getLogMessage( + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5", + httpReq.getRemoteAddr(), + ILogger.FAILURE, + req.getTransactionID(), + "CRSEnrollment", + ILogger.SIGNED_AUDIT_EMPTY_VALUE); + ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + if (signedAuditLogger != null) { + signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, auditMessage); + } + + return null; + } + else { + IRequest ireq = postRequest(httpReq, req,crsResp); + + + CMS.debug("created response"); + return makeResponseFromRequest(req,crsResp, ireq); + } + } catch (CryptoContext.CryptoContextException e) { + CMS.debug("failed to decrypt the request " + e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ENROLL_FAIL_NO_DECRYPT_PKCS10", + e.getMessage())); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badMessageCheck); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + } catch (EBaseException e) { + CMS.debug("operation failure - " + e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERNOLL_FAIL_NO_NEW_REQUEST_POSTED", + e.getMessage())); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_internalCAError); + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + } + return null; + } + + +////// post the request + +/* + needed: + + token (authtoken) + certInfo + fingerprints x + req.transactionID + crsResp +*/ + +private IRequest postRequest(HttpServletRequest httpReq, CRSPKIMessage req, CRSPKIMessage crsResp) +throws EBaseException { + X500Name subject = (X500Name)req.get(SUBJECTNAME); + + if (mCreateEntry) { + if (subject == null) { + CMS.debug( "CRSEnrollment::postRequest() - subject is null!" ); + return null; + } + createEntry(subject.toString()); + } + + // use profile framework to handle SCEP + if (mProfileId != null) { + PKCS10 pkcs10data = (PKCS10)req.getP10(); + String pkcs10blob = CMS.BtoA(pkcs10data.toByteArray()); + + // XXX authentication handling + CMS.debug("Found profile=" + mProfileId); + IProfile profile = mProfileSubsystem.getProfile(mProfileId); + if (profile == null) { + CMS.debug("profile " + mProfileId + " not found"); + return null; + } + IProfileContext ctx = profile.createContext(); + + IProfileAuthenticator authenticator = null; + try { + CMS.debug("Retrieving authenticator"); + authenticator = profile.getAuthenticator(); if (authenticator == null) { - // XXX - to help caRouterCert to work, we need to - // add authentication to caRouterCert - authToken = new AuthToken(null); - } else { - authToken = authenticate(credentials, authenticator, httpReq); - } - - IRequest reqs[] = null; - CMS.debug("CRSEnrollment: Creating profile requests"); - ctx.set(IEnrollProfile.CTX_CERT_REQUEST_TYPE, "pkcs10"); - ctx.set(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); - Locale locale = Locale.getDefault(); - reqs = profile.createRequests(ctx, locale); - if (reqs == null) { - CMS.debug("CRSEnrollment: No request has been created"); - return null; + CMS.debug("No authenticator Found"); } else { - CMS.debug("CRSEnrollment: Request (" + reqs.length - + ") have been created"); - } - // set transaction id - reqs[0].setSourceId(req.getTransactionID()); - reqs[0].setExtData("profile", "true"); - reqs[0].setExtData("profileId", mProfileId); - reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST_TYPE, - IEnrollProfile.REQ_TYPE_PKCS10); - reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); - reqs[0].setExtData("requestor_name", ""); - reqs[0].setExtData("requestor_email", ""); - reqs[0].setExtData("requestor_phone", ""); - reqs[0].setExtData("profileRemoteHost", httpReq.getRemoteHost()); - reqs[0].setExtData("profileRemoteAddr", httpReq.getRemoteAddr()); - reqs[0].setExtData("profileApprovedBy", profile.getApprovedBy()); - - CMS.debug("CRSEnrollment: Populating inputs"); - profile.populateInput(ctx, reqs[0]); - CMS.debug("CRSEnrollment: Populating requests"); - profile.populate(reqs[0]); - - CMS.debug("CRSEnrollment: Submitting request"); - profile.submit(authToken, reqs[0]); - CMS.debug("CRSEnrollment: Done submitting request"); - profile.getRequestQueue().markAsServiced(reqs[0]); - CMS.debug("CRSEnrollment: Request marked as serviced"); - - return reqs[0]; - - } - - IRequestQueue rq = ca.getRequestQueue(); - IRequest pkiReq = rq.newRequest(IRequest.ENROLLMENT_REQUEST); - - AuthToken token = (AuthToken) req.get(AUTH_TOKEN); - if (token != null) { - pkiReq.setExtData(IRequest.AUTH_TOKEN, token); - } - - pkiReq.setExtData(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE, - IRequest.CEP_CERT); - X509CertInfo certInfo = (X509CertInfo) req.get(CERTINFO); - pkiReq.setExtData(IRequest.CERT_INFO, new X509CertInfo[] { certInfo }); - pkiReq.setExtData("cepsubstore", mSubstoreName); - - try { - String chpwd = (String) req.get(ChallengePassword.NAME); - if (chpwd != null) { - pkiReq.setExtData("challengePhrase", chpwd); - } - } catch (Exception pwex) { - } - - Hashtable fingerprints = (Hashtable) req.get(IRequest.FINGERPRINTS); - if (fingerprints.size() > 0) { - Hashtable encodedPrints = new Hashtable(fingerprints.size()); - Enumeration e = fingerprints.keys(); - while (e.hasMoreElements()) { - String key = (String) e.nextElement(); - byte[] value = (byte[]) fingerprints.get(key); - encodedPrints.put(key, CMS.BtoA(value)); + CMS.debug("Got authenticator=" + authenticator.getClass().getName()); } - pkiReq.setExtData(IRequest.FINGERPRINTS, encodedPrints); - } - - pkiReq.setSourceId(req.getTransactionID()); - - rq.processRequest(pkiReq); - - crsResp.setPKIStatus(CRSPKIMessage.mStatus_SUCCESS); - - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, - AuditFormat.ENROLLMENTFORMAT, - new Object[] { - pkiReq.getRequestId(), - AuditFormat.FROMROUTER, - mAuthManagerName == null ? AuditFormat.NOAUTH - : mAuthManagerName, "pending", subject, "" }); - - return pkiReq; - } - - public Hashtable makeFingerPrints(CRSPKIMessage req) { + } catch (EProfileException e) { + // authenticator not installed correctly + } + + IAuthToken authToken = null; + + // for ssl authentication; pass in servlet for retrieving + // ssl client certificates + SessionContext context = SessionContext.getContext(); + + + // insert profile context so that input parameter can be retrieved + context.put("profileContext", ctx); + context.put("sslClientCertProvider", + new SSLClientCertProvider(httpReq)); + + String p10Password = getPasswordFromP10(pkcs10data); + AuthCredentials credentials = new AuthCredentials(); + credentials.set("UID", httpReq.getRemoteAddr()); + credentials.set("PWD", p10Password); + + if (authenticator == null) { + // XXX - to help caRouterCert to work, we need to + // add authentication to caRouterCert + authToken = new AuthToken(null); + } else { + authToken = authenticate(credentials, authenticator, httpReq); + } + + IRequest reqs[] = null; + CMS.debug("CRSEnrollment: Creating profile requests"); + ctx.set(IEnrollProfile.CTX_CERT_REQUEST_TYPE, "pkcs10"); + ctx.set(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); + Locale locale = Locale.getDefault(); + reqs = profile.createRequests(ctx, locale); + if (reqs == null) { + CMS.debug("CRSEnrollment: No request has been created"); + return null; + } else { + CMS.debug("CRSEnrollment: Request (" + reqs.length + ") have been created"); + } + // set transaction id + reqs[0].setSourceId(req.getTransactionID()); + reqs[0].setExtData("profile", "true"); + reqs[0].setExtData("profileId", mProfileId); + reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST_TYPE, IEnrollProfile.REQ_TYPE_PKCS10); + reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); + reqs[0].setExtData("requestor_name", ""); + reqs[0].setExtData("requestor_email", ""); + reqs[0].setExtData("requestor_phone", ""); + reqs[0].setExtData("profileRemoteHost", httpReq.getRemoteHost()); + reqs[0].setExtData("profileRemoteAddr", httpReq.getRemoteAddr()); + reqs[0].setExtData("profileApprovedBy", profile.getApprovedBy()); + + CMS.debug("CRSEnrollment: Populating inputs"); + profile.populateInput(ctx, reqs[0]); + CMS.debug("CRSEnrollment: Populating requests"); + profile.populate(reqs[0]); + + CMS.debug("CRSEnrollment: Submitting request"); + profile.submit(authToken, reqs[0]); + CMS.debug("CRSEnrollment: Done submitting request"); + profile.getRequestQueue().markAsServiced(reqs[0]); + CMS.debug("CRSEnrollment: Request marked as serviced"); + + return reqs[0]; + + } + + IRequestQueue rq = ca.getRequestQueue(); + IRequest pkiReq = rq.newRequest(IRequest.ENROLLMENT_REQUEST); + + AuthToken token = (AuthToken) req.get(AUTH_TOKEN); + if (token != null) { + pkiReq.setExtData(IRequest.AUTH_TOKEN,token); + } + + pkiReq.setExtData(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE, IRequest.CEP_CERT); + X509CertInfo certInfo = (X509CertInfo) req.get(CERTINFO); + pkiReq.setExtData(IRequest.CERT_INFO, new X509CertInfo[] { certInfo } ); + pkiReq.setExtData("cepsubstore", mSubstoreName); + + try { + String chpwd = (String)req.get(ChallengePassword.NAME); + if (chpwd != null) { + pkiReq.setExtData("challengePhrase", + chpwd ); + } + } catch (Exception pwex) { + } + + Hashtable fingerprints = (Hashtable)req.get(IRequest.FINGERPRINTS); + if (fingerprints.size() > 0) { + Hashtable encodedPrints = new Hashtable(fingerprints.size()); + Enumeration e = fingerprints.keys(); + while (e.hasMoreElements()) { + String key = (String)e.nextElement(); + byte[] value = (byte[])fingerprints.get(key); + encodedPrints.put(key, CMS.BtoA(value)); + } + pkiReq.setExtData(IRequest.FINGERPRINTS, encodedPrints); + } + + pkiReq.setSourceId(req.getTransactionID()); + + rq.processRequest(pkiReq); + + crsResp.setPKIStatus(CRSPKIMessage.mStatus_SUCCESS); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.ENROLLMENTFORMAT, + new Object[] { + pkiReq.getRequestId(), + AuditFormat.FROMROUTER, + mAuthManagerName == null ? AuditFormat.NOAUTH : mAuthManagerName, + "pending", + subject , + ""} + ); + + return pkiReq; + } + + + + public Hashtable makeFingerPrints(CRSPKIMessage req) { Hashtable fingerprints = new Hashtable(); MessageDigest md; - String[] hashes = new String[] { "MD2", "MD5", "SHA1", "SHA256", - "SHA512" }; - PKCS10 p10 = (PKCS10) req.getP10(); + String[] hashes = new String[] {"MD2", "MD5", "SHA1", "SHA256", "SHA512"}; + PKCS10 p10 = (PKCS10)req.getP10(); - for (int i = 0; i < hashes.length; i++) { - try { - md = MessageDigest.getInstance(hashes[i]); - md.update(p10.getCertRequestInfo()); - fingerprints.put(hashes[i], md.digest()); - } catch (NoSuchAlgorithmException nsa) { - } + for (int i=0;i<hashes.length;i++) { + try { + md = MessageDigest.getInstance(hashes[i]); + md.update(p10.getCertRequestInfo()); + fingerprints.put(hashes[i],md.digest()); + } + catch (NoSuchAlgorithmException nsa) {} } - if (fingerprints != null) { - req.put(IRequest.FINGERPRINTS, fingerprints); - } - return fingerprints; - } + if (fingerprints != null) { + req.put(IRequest.FINGERPRINTS,fingerprints); + } + return fingerprints; + } + + + // Take a look to see if the request was successful, and fill + // in the response message - // Take a look to see if the request was successful, and fill - // in the response message - private X509CertImpl makeResponseFromRequest(CRSPKIMessage crsReq, - CRSPKIMessage crsResp, IRequest pkiReq) { + private X509CertImpl makeResponseFromRequest(CRSPKIMessage crsReq, CRSPKIMessage crsResp, + IRequest pkiReq) + { - X509CertImpl issuedCert = null; + X509CertImpl issuedCert=null; RequestStatus status = pkiReq.getRequestStatus(); String profileId = pkiReq.getExtDataInString("profileId"); if (profileId != null) { - CMS.debug("CRSEnrollment: Found profile request"); - X509CertImpl cert = pkiReq - .getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); - if (cert == null) { - CMS.debug("CRSEnrollment: No certificate has been found"); - } else { - CMS.debug("CRSEnrollment: Found certificate"); - } - crsResp.setPKIStatus(CRSPKIMessage.mStatus_SUCCESS); - return cert; + CMS.debug("CRSEnrollment: Found profile request"); + X509CertImpl cert = + pkiReq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) { + CMS.debug("CRSEnrollment: No certificate has been found"); + } else { + CMS.debug("CRSEnrollment: Found certificate"); + } + crsResp.setPKIStatus(CRSPKIMessage.mStatus_SUCCESS); + return cert; } - if (status.equals(RequestStatus.COMPLETE)) { + + if ( status.equals(RequestStatus.COMPLETE)) { Integer success = pkiReq.getExtDataInInteger(IRequest.RESULT); + if (success.equals(IRequest.RES_SUCCESS)) { // The cert was issued, lets send it back to the router - X509CertImpl[] issuedCertBuf = pkiReq - .getExtDataInCertArray(IRequest.ISSUED_CERTS); + X509CertImpl[] issuedCertBuf = + pkiReq.getExtDataInCertArray(IRequest.ISSUED_CERTS); if (issuedCertBuf == null || issuedCertBuf.length == 0) { - // writeError("Internal Error: Bad operation",httpReq,httpResp); - CMS.debug("CRSEnrollment::makeResponseFromRequest() - " - + "Bad operation"); + // writeError("Internal Error: Bad operation",httpReq,httpResp); + CMS.debug( "CRSEnrollment::makeResponseFromRequest() - " + + "Bad operation" ); return null; } issuedCert = issuedCertBuf[0]; crsResp.setPKIStatus(CRSPKIMessage.mStatus_SUCCESS); - - } else { // status is not 'success' - there must've been a problem - + + } + else { // status is not 'success' - there must've been a problem + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badAlg); } - } else if (status.equals(RequestStatus.REJECTED_STRING) - || status.equals(RequestStatus.CANCELED_STRING)) { - crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); - crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badRequest); - } else { // not complete + } + else if (status.equals(RequestStatus.REJECTED_STRING) || + status.equals(RequestStatus.CANCELED_STRING)) { + crsResp.setPKIStatus(CRSPKIMessage.mStatus_FAILURE); + crsResp.setFailInfo(CRSPKIMessage.mFailInfo_badRequest); + } + else { // not complete crsResp.setPKIStatus(CRSPKIMessage.mStatus_PENDING); } return issuedCert; } - /** - * This needs to be re-written to log the messages to the system log, since - * there will be no visual webpage feedback for the user. (he's using a - * router) - */ - - private void writeError(String errMsg, HttpServletRequest httpReq, - HttpServletResponse httpResp) throws IOException { - } - - protected String hashPassword(String pwd) { - String salt = "lala123"; - byte[] pwdDigest = mSHADigest.digest((salt + pwd).getBytes()); - String b64E = com.netscape.osutil.OSUtil.BtoA(pwdDigest); - return "{SHA}" + b64E; - } - - /** - * Make the CRSPKIMESSAGE response - */ - - private void processCertRep(CryptoContext cx, X509CertImpl issuedCert, - CRSPKIMessage crsResp, CRSPKIMessage crsReq) - throws CRSFailureException { - byte[] msgdigest = null; - byte[] encryptedDesKey = null; - - try { - if (issuedCert != null) { - - SymmetricKey sk; - SymmetricKey skinternal; - - KeyGenAlgorithm kga = KeyGenAlgorithm.DES; - EncryptionAlgorithm ea = EncryptionAlgorithm.DES_CBC; - if (mEncryptionAlgorithm != null - && mEncryptionAlgorithm.equals("DES3")) { - kga = KeyGenAlgorithm.DES3; - ea = EncryptionAlgorithm.DES3_CBC; - } - - // 1. Make the Degenerated PKCS7 with the recipient's - // certificate in it - - byte toBeEncrypted[] = crsResp.makeSignedRep(1, // version - issuedCert.getEncoded()); - - // 2. Encrypt the above byte array with a new random DES key - - sk = cx.getDESKeyGenerator().generate(); - - skinternal = cx.getInternalToken().getKeyGenerator(kga) - .clone(sk); - - byte[] padded = Cipher.pad(toBeEncrypted, ea.getBlockSize()); - - // This should be changed to generate proper DES IV. - - Cipher cipher = cx.getInternalToken().getCipherContext(ea); - IVParameterSpec desIV = new IVParameterSpec(new byte[] { - (byte) 0xff, (byte) 0x00, (byte) 0xff, (byte) 0x00, - (byte) 0xff, (byte) 0x00, (byte) 0xff, (byte) 0x00 }); - - cipher.initEncrypt(sk, desIV); - byte[] encryptedData = cipher.doFinal(padded); - - crsResp.makeEncryptedContentInfo(desIV.getIV(), encryptedData, - mEncryptionAlgorithm); - - // 3. Extract the recipient's public key - - PublicKey rcpPK = crsReq.getSignerPublicKey(); - - // 4. Encrypt the DES key with the public key - - // we have to move the key onto the interal token. - // skinternal = cx.getInternalKeyStorageToken().cloneKey(sk); - skinternal = cx.getInternalToken().cloneKey(sk); - - KeyWrapper kw = cx.getInternalKeyWrapper(); - kw.initWrap(rcpPK, null); - encryptedDesKey = kw.wrap(skinternal); - crsResp.setRcpIssuerAndSerialNumber(crsReq - .getSgnIssuerAndSerialNumber()); - crsResp.makeRecipientInfo(0, encryptedDesKey); - } - - byte[] ed = crsResp.makeEnvelopedData(0); - - // 7. Make Digest of SignedData Content - MessageDigest md = MessageDigest.getInstance(mHashAlgorithm); - msgdigest = md.digest(ed); - - crsResp.setMsgDigest(msgdigest); - - } - - catch (Exception e) { - throw new CRSFailureException( - "Failed to create inner response to CEP message: " - + e.getMessage()); - } - // 5. Make a RecipientInfo - // The issuer name & serial number here, should be that of - // the EE's self-signed Certificate - // [I can get it from the req blob, but later, I should - // store the recipient's self-signed certificate with the request - // so I can get at it later. I need to do this to support - // 'PENDING'] - try { - - // 8. Make Authenticated Attributes - // we can just pull the transaction ID out of the request. - // Later, we will have to put it out of the Request queue, - // so we can support PENDING - crsResp.setTransactionID(crsReq.getTransactionID()); - // recipientNonce and SenderNonce have already been set - - crsResp.makeAuthenticatedAttributes(); - // crsResp.makeAuthenticatedAttributes_old(); - - // now package up the rest of the SignerInfo - { - byte[] signingcertbytes = cx.getSigningCert().getEncoded(); - - Certificate.Template sgncert_t = new Certificate.Template(); - Certificate sgncert = (Certificate) sgncert_t - .decode(new ByteArrayInputStream(signingcertbytes)); + /** + * This needs to be re-written to log the messages to the system log, since there + * will be no visual webpage feedback for the user. (he's using a router) + */ - IssuerAndSerialNumber sgniasn = new IssuerAndSerialNumber( - sgncert.getInfo().getIssuer(), sgncert.getInfo() - .getSerialNumber()); - - crsResp.setSgnIssuerAndSerialNumber(sgniasn); + private void writeError(String errMsg, HttpServletRequest httpReq, + HttpServletResponse httpResp) + throws IOException + { + } - // 10. Make SignerInfo - crsResp.makeSignerInfo(1, cx.getPrivateKey(), mHashAlgorithm); - // 11. Make SignedData - crsResp.makeSignedData(1, signingcertbytes, mHashAlgorithm); + protected String hashPassword(String pwd) { + String salt = "lala123"; + byte[] pwdDigest = mSHADigest.digest((salt+pwd).getBytes()); + String b64E = com.netscape.osutil.OSUtil.BtoA(pwdDigest); + return "{SHA}"+b64E; + } - crsResp.debug(); - } - } catch (Exception e) { - throw new CRSFailureException( - "Failed to create outer response to CEP request: " - + e.getMessage()); - } - // if debugging, dump out the response into a file - } - class CryptoContext { - private CryptoManager cm; - private CryptoToken internalToken; - private CryptoToken keyStorageToken; - private CryptoToken internalKeyStorageToken; - private KeyGenerator DESkg; - private Enumeration externalTokens = null; - private org.mozilla.jss.crypto.X509Certificate signingCert; - private org.mozilla.jss.crypto.PrivateKey signingCertPrivKey; - private int signingCertKeySize = 0; - - class CryptoContextException extends Exception { - /** + /** + * Make the CRSPKIMESSAGE response + */ + + + private void processCertRep(CryptoContext cx, + X509CertImpl issuedCert, + CRSPKIMessage crsResp, + CRSPKIMessage crsReq) + throws CRSFailureException { + byte[] msgdigest = null; + byte[] encryptedDesKey = null; + + try { + if (issuedCert != null) { + + SymmetricKey sk; + SymmetricKey skinternal; + + KeyGenAlgorithm kga = KeyGenAlgorithm.DES; + EncryptionAlgorithm ea = EncryptionAlgorithm.DES_CBC; + if (mEncryptionAlgorithm != null && mEncryptionAlgorithm.equals("DES3")) { + kga = KeyGenAlgorithm.DES3; + ea = EncryptionAlgorithm.DES3_CBC; + } + + // 1. Make the Degenerated PKCS7 with the recipient's certificate in it + + byte toBeEncrypted[] = + crsResp.makeSignedRep(1, // version + issuedCert.getEncoded() + ); + + // 2. Encrypt the above byte array with a new random DES key + + sk = cx.getDESKeyGenerator().generate(); + + skinternal = cx.getInternalToken().getKeyGenerator(kga).clone(sk); + + byte[] padded = Cipher.pad(toBeEncrypted, ea.getBlockSize()); + + + // This should be changed to generate proper DES IV. + + Cipher cipher = cx.getInternalToken().getCipherContext(ea); + IVParameterSpec desIV = + new IVParameterSpec(new byte[]{ + (byte)0xff, (byte)0x00, + (byte)0xff, (byte)0x00, + (byte)0xff, (byte)0x00, + (byte)0xff, (byte)0x00 } ); + + cipher.initEncrypt(sk,desIV); + byte[] encryptedData = cipher.doFinal(padded); + + crsResp.makeEncryptedContentInfo(desIV.getIV(),encryptedData, mEncryptionAlgorithm); + + // 3. Extract the recipient's public key + + PublicKey rcpPK = crsReq.getSignerPublicKey(); + + + // 4. Encrypt the DES key with the public key + + // we have to move the key onto the interal token. + //skinternal = cx.getInternalKeyStorageToken().cloneKey(sk); + skinternal = cx.getInternalToken().cloneKey(sk); + + KeyWrapper kw = cx.getInternalKeyWrapper(); + kw.initWrap(rcpPK, null); + encryptedDesKey = kw.wrap(skinternal); + + crsResp.setRcpIssuerAndSerialNumber(crsReq.getSgnIssuerAndSerialNumber()); + crsResp.makeRecipientInfo(0, encryptedDesKey ); + + } + + + byte[] ed = crsResp.makeEnvelopedData(0); + + // 7. Make Digest of SignedData Content + MessageDigest md = MessageDigest.getInstance(mHashAlgorithm); + msgdigest = md.digest(ed); + + crsResp.setMsgDigest(msgdigest); + + } + + catch (Exception e) { + throw new CRSFailureException("Failed to create inner response to CEP message: "+e.getMessage()); + } + + + // 5. Make a RecipientInfo + + // The issuer name & serial number here, should be that of + // the EE's self-signed Certificate + // [I can get it from the req blob, but later, I should + // store the recipient's self-signed certificate with the request + // so I can get at it later. I need to do this to support + // 'PENDING'] + + + try { + + // 8. Make Authenticated Attributes + // we can just pull the transaction ID out of the request. + // Later, we will have to put it out of the Request queue, + // so we can support PENDING + crsResp.setTransactionID(crsReq.getTransactionID()); + // recipientNonce and SenderNonce have already been set + + crsResp.makeAuthenticatedAttributes(); + // crsResp.makeAuthenticatedAttributes_old(); + + + + // now package up the rest of the SignerInfo + { + byte[] signingcertbytes = cx.getSigningCert().getEncoded(); + + + Certificate.Template sgncert_t = new Certificate.Template(); + Certificate sgncert = + (Certificate) sgncert_t.decode(new ByteArrayInputStream(signingcertbytes)); + + IssuerAndSerialNumber sgniasn = + new IssuerAndSerialNumber(sgncert.getInfo().getIssuer(), + sgncert.getInfo().getSerialNumber()); + + crsResp.setSgnIssuerAndSerialNumber(sgniasn); + + // 10. Make SignerInfo + crsResp.makeSignerInfo(1, cx.getPrivateKey(), mHashAlgorithm); + + // 11. Make SignedData + crsResp.makeSignedData(1, signingcertbytes, mHashAlgorithm); + + crsResp.debug(); + } + } + catch (Exception e) { + throw new CRSFailureException("Failed to create outer response to CEP request: "+e.getMessage()); + } + + + // if debugging, dump out the response into a file + + } + + + + class CryptoContext { + private CryptoManager cm; + private CryptoToken internalToken; + private CryptoToken keyStorageToken; + private CryptoToken internalKeyStorageToken; + private KeyGenerator DESkg; + private Enumeration externalTokens = null; + private org.mozilla.jss.crypto.X509Certificate signingCert; + private org.mozilla.jss.crypto.PrivateKey signingCertPrivKey; + private int signingCertKeySize = 0; + + + class CryptoContextException extends Exception { + /** * */ - private static final long serialVersionUID = -1124116326126256475L; + private static final long serialVersionUID = -1124116326126256475L; + public CryptoContextException() { super(); } + public CryptoContextException(String s) { super(s); } + } - public CryptoContextException() { - super(); - } + public CryptoContext() + throws CryptoContextException + { + try { + KeyGenAlgorithm kga = KeyGenAlgorithm.DES; + if (mEncryptionAlgorithm != null && mEncryptionAlgorithm.equals("DES3")) { + kga = KeyGenAlgorithm.DES3; + } + cm = CryptoManager.getInstance(); + internalToken = cm.getInternalCryptoToken(); + DESkg = internalToken.getKeyGenerator(kga); + if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) || + mTokenName.equalsIgnoreCase("Internal Key Storage Token") || + mTokenName.length() == 0) { + keyStorageToken = cm.getInternalKeyStorageToken(); + internalKeyStorageToken = keyStorageToken; + CMS.debug("CRSEnrollment: CryptoContext: internal token name: '"+mTokenName+"'"); + } else { + keyStorageToken = cm.getTokenByName(mTokenName); + internalKeyStorageToken = null; + } + if (!mUseCA && internalKeyStorageToken == null) { + PasswordCallback cb = CMS.getPasswordCallback(); + keyStorageToken.login(cb); // ONE_TIME by default. + } + signingCert = cm.findCertByNickname(mNickname); + signingCertPrivKey = cm.findPrivKeyByCert(signingCert); + byte[] encPubKeyInfo = signingCert.getPublicKey().getEncoded(); + SEQUENCE.Template outer = SEQUENCE.getTemplate(); + outer.addElement( ANY.getTemplate() ); // algid + outer.addElement( BIT_STRING.getTemplate() ); + SEQUENCE outerSeq = (SEQUENCE) ASN1Util.decode(outer, encPubKeyInfo); + BIT_STRING bs = (BIT_STRING) outerSeq.elementAt(1); + byte[] encPubKey = bs.getBits(); + if( bs.getPadCount() != 0) { + throw new CryptoContextException("Internal error: Invalid Public key. Not an integral number of bytes."); + } + SEQUENCE.Template inner = new SEQUENCE.Template(); + inner.addElement( INTEGER.getTemplate()); + inner.addElement( INTEGER.getTemplate()); + SEQUENCE pubKeySeq = (SEQUENCE) ASN1Util.decode(inner, encPubKey); + INTEGER modulus = (INTEGER) pubKeySeq.elementAt(0); + signingCertKeySize = modulus.bitLength(); + + try { + FileOutputStream fos = new FileOutputStream("pubkey.der"); + fos.write(signingCert.getPublicKey().getEncoded()); + fos.close(); + } catch (Exception e) {} + + } + catch (InvalidBERException e) { + throw new CryptoContextException("Internal Error: Bad internal Certificate Representation. Not a valid RSA-signed certificate"); + } + catch (CryptoManager.NotInitializedException e) { + throw new CryptoContextException("Crypto Manager not initialized"); + } + catch (NoSuchAlgorithmException e) { + throw new CryptoContextException("Cannot create DES key generator"); + } + catch (ObjectNotFoundException e) { + throw new CryptoContextException("Certificate not found: "+ca.getNickname()); + } + catch (TokenException e) { + throw new CryptoContextException("Problem with Crypto Token: "+e.getMessage()); + } + catch (NoSuchTokenException e) { + throw new CryptoContextException("Crypto Token not found: "+e.getMessage()); + } + catch (IncorrectPasswordException e) { + throw new CryptoContextException("Incorrect Password."); + } + } + + + public KeyGenerator getDESKeyGenerator() { + return DESkg; + } - public CryptoContextException(String s) { - super(s); - } - } + public CryptoToken getInternalToken() { + return internalToken; + } - public CryptoContext() throws CryptoContextException { - try { - KeyGenAlgorithm kga = KeyGenAlgorithm.DES; - if (mEncryptionAlgorithm != null - && mEncryptionAlgorithm.equals("DES3")) { - kga = KeyGenAlgorithm.DES3; - } - cm = CryptoManager.getInstance(); - internalToken = cm.getInternalCryptoToken(); - DESkg = internalToken.getKeyGenerator(kga); - if (mTokenName.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) - || mTokenName - .equalsIgnoreCase("Internal Key Storage Token") - || mTokenName.length() == 0) { - keyStorageToken = cm.getInternalKeyStorageToken(); - internalKeyStorageToken = keyStorageToken; - CMS.debug("CRSEnrollment: CryptoContext: internal token name: '" - + mTokenName + "'"); - } else { - keyStorageToken = cm.getTokenByName(mTokenName); - internalKeyStorageToken = null; - } - if (!mUseCA && internalKeyStorageToken == null) { - PasswordCallback cb = CMS.getPasswordCallback(); - keyStorageToken.login(cb); // ONE_TIME by default. - } - signingCert = cm.findCertByNickname(mNickname); - signingCertPrivKey = cm.findPrivKeyByCert(signingCert); - byte[] encPubKeyInfo = signingCert.getPublicKey().getEncoded(); - SEQUENCE.Template outer = SEQUENCE.getTemplate(); - outer.addElement(ANY.getTemplate()); // algid - outer.addElement(BIT_STRING.getTemplate()); - SEQUENCE outerSeq = (SEQUENCE) ASN1Util.decode(outer, - encPubKeyInfo); - BIT_STRING bs = (BIT_STRING) outerSeq.elementAt(1); - byte[] encPubKey = bs.getBits(); - if (bs.getPadCount() != 0) { - throw new CryptoContextException( - "Internal error: Invalid Public key. Not an integral number of bytes."); - } - SEQUENCE.Template inner = new SEQUENCE.Template(); - inner.addElement(INTEGER.getTemplate()); - inner.addElement(INTEGER.getTemplate()); - SEQUENCE pubKeySeq = (SEQUENCE) ASN1Util.decode(inner, - encPubKey); - INTEGER modulus = (INTEGER) pubKeySeq.elementAt(0); - signingCertKeySize = modulus.bitLength(); + public void setExternalTokens( Enumeration tokens ) { + externalTokens = tokens; + } - try { - FileOutputStream fos = new FileOutputStream("pubkey.der"); - fos.write(signingCert.getPublicKey().getEncoded()); - fos.close(); - } catch (Exception e) { - } + public Enumeration getExternalTokens() { + return externalTokens; + } - } catch (InvalidBERException e) { - throw new CryptoContextException( - "Internal Error: Bad internal Certificate Representation. Not a valid RSA-signed certificate"); - } catch (CryptoManager.NotInitializedException e) { - throw new CryptoContextException( - "Crypto Manager not initialized"); - } catch (NoSuchAlgorithmException e) { - throw new CryptoContextException( - "Cannot create DES key generator"); - } catch (ObjectNotFoundException e) { - throw new CryptoContextException("Certificate not found: " - + ca.getNickname()); - } catch (TokenException e) { - throw new CryptoContextException("Problem with Crypto Token: " - + e.getMessage()); - } catch (NoSuchTokenException e) { - throw new CryptoContextException("Crypto Token not found: " - + e.getMessage()); - } catch (IncorrectPasswordException e) { - throw new CryptoContextException("Incorrect Password."); - } - } + public CryptoToken getInternalKeyStorageToken() { + return internalKeyStorageToken; + } - public KeyGenerator getDESKeyGenerator() { - return DESkg; - } + public CryptoToken getKeyStorageToken() { + return keyStorageToken; + } - public CryptoToken getInternalToken() { - return internalToken; - } + public CryptoManager getCryptoManager() { + return cm; + } - public void setExternalTokens(Enumeration tokens) { - externalTokens = tokens; + public KeyWrapper getKeyWrapper() + throws CryptoContextException { + try { + return signingCertPrivKey.getOwningToken().getKeyWrapper(KeyWrapAlgorithm.RSA); } - - public Enumeration getExternalTokens() { - return externalTokens; + catch (TokenException e) { + throw new CryptoContextException("Problem with Crypto Token: "+e.getMessage()); } - - public CryptoToken getInternalKeyStorageToken() { - return internalKeyStorageToken; + catch (NoSuchAlgorithmException e) { + throw new CryptoContextException(e.getMessage()); } + } - public CryptoToken getKeyStorageToken() { - return keyStorageToken; + public KeyWrapper getInternalKeyWrapper() + throws CryptoContextException { + try { + return getInternalToken().getKeyWrapper(KeyWrapAlgorithm.RSA); } - - public CryptoManager getCryptoManager() { - return cm; + catch (TokenException e) { + throw new CryptoContextException("Problem with Crypto Token: "+e.getMessage()); } - - public KeyWrapper getKeyWrapper() throws CryptoContextException { - try { - return signingCertPrivKey.getOwningToken().getKeyWrapper( - KeyWrapAlgorithm.RSA); - } catch (TokenException e) { - throw new CryptoContextException("Problem with Crypto Token: " - + e.getMessage()); - } catch (NoSuchAlgorithmException e) { - throw new CryptoContextException(e.getMessage()); - } + catch (NoSuchAlgorithmException e) { + throw new CryptoContextException(e.getMessage()); } + } - public KeyWrapper getInternalKeyWrapper() throws CryptoContextException { - try { - return getInternalToken().getKeyWrapper(KeyWrapAlgorithm.RSA); - } catch (TokenException e) { - throw new CryptoContextException("Problem with Crypto Token: " - + e.getMessage()); - } catch (NoSuchAlgorithmException e) { - throw new CryptoContextException(e.getMessage()); - } - } + public org.mozilla.jss.crypto.PrivateKey getPrivateKey() { + return signingCertPrivKey; + } - public org.mozilla.jss.crypto.PrivateKey getPrivateKey() { - return signingCertPrivKey; - } + public org.mozilla.jss.crypto.X509Certificate getSigningCert() { + return signingCert; + } + + } - public org.mozilla.jss.crypto.X509Certificate getSigningCert() { - return signingCert; - } - } + /* General failure. The request/response cannot be processed. */ - /* General failure. The request/response cannot be processed. */ - class CRSFailureException extends Exception { - /** + class CRSFailureException extends Exception { + /** * */ - private static final long serialVersionUID = 1962741611501549051L; + private static final long serialVersionUID = 1962741611501549051L; + public CRSFailureException() { super(); } + public CRSFailureException(String s) { super(s); } + } - public CRSFailureException() { - super(); - } - - public CRSFailureException(String s) { - super(s); - } - } - - class CRSInvalidSignatureException extends Exception { - /** + class CRSInvalidSignatureException extends Exception { + /** * */ - private static final long serialVersionUID = 9096408193567657944L; - - public CRSInvalidSignatureException() { - super(); - } + private static final long serialVersionUID = 9096408193567657944L; + public CRSInvalidSignatureException() { super(); } + public CRSInvalidSignatureException(String s) { super(s); } + } - public CRSInvalidSignatureException(String s) { - super(s); - } - } + - class CRSPolicyException extends Exception { - /** + class CRSPolicyException extends Exception { + /** * */ - private static final long serialVersionUID = 5846593800658787396L; - - public CRSPolicyException() { - super(); - } - - public CRSPolicyException(String s) { - super(s); - } - } + private static final long serialVersionUID = 5846593800658787396L; + public CRSPolicyException() { super(); } + public CRSPolicyException(String s) { super(s); } + } } + diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java index 0456071f8..b449a8bd8 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java @@ -29,109 +29,115 @@ import netscape.security.util.DerValue; import netscape.security.x509.CertAttrSet; /** - * Class for handling the decoding of a SCEP Challenge Password object. - * Currently this class cannot be used for encoding thus some fo the methods are - * unimplemented + * Class for handling the decoding of a SCEP Challenge Password + * object. Currently this class cannot be used for encoding + * thus some fo the methods are unimplemented */ public class ChallengePassword implements CertAttrSet { - public static final String NAME = "ChallengePassword"; - public static final String PASSWORD = "password"; - - private String cpw; - - /** - * Get the password marshalled in this object - * - * @return the challenge password - */ - public String toString() { - return cpw; - } - - /** - * Create a ChallengePassword object - * - * @param stuff (must be of type byte[]) a DER-encoded by array following - * The ASN.1 template for ChallenegePassword specified in the - * SCEP documentation - * @throws IOException if the DER encoded byt array was malformed, or if it - * did not match the template - */ - - public ChallengePassword(Object stuff) throws IOException { - - ByteArrayInputStream is = new ByteArrayInputStream((byte[]) stuff); - try { - decode(is); - } catch (Exception e) { - throw new IOException(e.getMessage()); - } - - } - - /** - * Currently Unimplemented - */ - public void encode(OutputStream out) throws CertificateException, - IOException { - } - - public void decode(InputStream in) throws CertificateException, IOException { + public static final String NAME = "ChallengePassword"; + public static final String PASSWORD = "password"; + + private String cpw; + + + /** + * Get the password marshalled in this object + * @return the challenge password + */ + public String toString() { + return cpw; + } + + /** + * Create a ChallengePassword object + * @param stuff (must be of type byte[]) a DER-encoded by array following + * The ASN.1 template for ChallenegePassword specified in the SCEP + * documentation + * @throws IOException if the DER encoded byt array was malformed, or if it + * did not match the template + */ + + public ChallengePassword(Object stuff) + throws IOException { + + ByteArrayInputStream is = new ByteArrayInputStream((byte[])stuff); + try { + decode(is); + } catch (Exception e) { + throw new IOException(e.getMessage()); + } + + } + + /** + * Currently Unimplemented + */ + public void encode(OutputStream out) + throws CertificateException, IOException + { } + + public void decode(InputStream in) + throws CertificateException, IOException + { DerValue derVal = new DerValue(in); construct(derVal); - - } - - private void construct(DerValue derVal) throws IOException { - try { - cpw = derVal.getPrintableString(); - } catch (NullPointerException e) { - cpw = ""; - } - } - - /** - * Currently Unimplemented - */ - public void set(String name, Object obj) throws CertificateException, - IOException { + } - /** - * Get an attribute of this object. - * - * @param name the name of the attribute of this object to get. The only - * supported attribute is "password" - */ - public Object get(String name) throws CertificateException, IOException { + private void construct(DerValue derVal) throws IOException { + try { + cpw = derVal.getPrintableString(); + } + catch (NullPointerException e) { + cpw = ""; + } + } + + + /** + * Currently Unimplemented + */ + public void set(String name, Object obj) + throws CertificateException, IOException + { } + + /** + * Get an attribute of this object. + * @param name the name of the attribute of this object to get. The only + * supported attribute is "password" + */ + public Object get(String name) + throws CertificateException, IOException + { if (name.equalsIgnoreCase(PASSWORD)) { return cpw; - } else { - throw new IOException("Attribute name not recognized by " - + "CertAttrSet: ChallengePassword"); + } + else { + throw new IOException("Attribute name not recognized by "+ + "CertAttrSet: ChallengePassword"); } } - - /** - * Currently Unimplemented - */ - public void delete(String name) throws CertificateException, IOException { - } - - /** - * @return an empty set of elements - */ - public Enumeration getElements() { - return (new Hashtable()).elements(); - } - - /** - * @return the String "ChallengePassword" - */ - public String getName() { - return NAME; - } - + + /** + * Currently Unimplemented + */ + public void delete(String name) + throws CertificateException, IOException + { } + + /** + * @return an empty set of elements + */ + public Enumeration getElements() + { return (new Hashtable()).elements();} + + /** + * @return the String "ChallengePassword" + */ + public String getName() + { return NAME;} + + } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java index e0c0c347c..a8757e74f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/scep/ExtensionsRequested.java @@ -31,44 +31,51 @@ import netscape.security.util.DerValue; import netscape.security.x509.CertAttrSet; import netscape.security.x509.Extension; + public class ExtensionsRequested implements CertAttrSet { - public static final String NAME = "EXTENSIONS_REQUESTED"; + public static final String NAME = "EXTENSIONS_REQUESTED"; + public static final String KUE_DIGITAL_SIGNATURE = "kue_digital_signature"; - public static final String KUE_KEY_ENCIPHERMENT = "kue_key_encipherment"; + public static final String KUE_KEY_ENCIPHERMENT = "kue_key_encipherment"; private String kue_digital_signature = "false"; - private String kue_key_encipherment = "false"; - + private String kue_key_encipherment = "false"; + private Vector exts = new Vector(); public ExtensionsRequested(Object stuff) throws IOException { ByteArrayInputStream is = new ByteArrayInputStream((byte[]) stuff); - + try { decode(is); - } catch (Exception e) { + } + catch (Exception e) { e.printStackTrace(); throw new IOException(e.getMessage()); } } - - public void encode(OutputStream out) throws CertificateException, - IOException { - } - - public void decode(InputStream in) throws CertificateException, IOException { + + public void encode(OutputStream out) + throws CertificateException, IOException + { } + + public void decode(InputStream in) + throws CertificateException, IOException + { DerValue derVal = new DerValue(in); - + construct(derVal); } - - public void set(String name, Object obj) throws CertificateException, - IOException { - } - - public Object get(String name) throws CertificateException, IOException { + + public void set(String name, Object obj) + throws CertificateException, IOException + { } + + public Object get(String name) + throws CertificateException, IOException + { if (name.equalsIgnoreCase(KUE_DIGITAL_SIGNATURE)) { return kue_digital_signature; } @@ -78,82 +85,107 @@ public class ExtensionsRequested implements CertAttrSet { throw new IOException("Unsupported attribute queried"); } - - public void delete(String name) throws CertificateException, IOException { - } - - public Enumeration getElements() { - return (new Hashtable()).elements(); - } - - public String getName() { - return NAME; + + public void delete(String name) + throws CertificateException, IOException + { } - /** - * construct - expects this in the inputstream (from the router): - * - * 211 30 31: SEQUENCE { 213 06 10: OBJECT IDENTIFIER '2 16 840 1 113733 1 9 - * 8' 225 31 17: SET { 227 04 15: OCTET STRING, encapsulates { 229 30 13: - * SEQUENCE { 231 30 11: SEQUENCE { 233 06 3: OBJECT IDENTIFIER keyUsage (2 - * 5 29 15) 238 04 4: OCTET STRING : 03 02 05 A0 : } : } : } - * - * or this (from IRE client): - * - * 262 30 51: SEQUENCE { 264 06 9: OBJECT IDENTIFIER extensionReq (1 2 840 - * 113549 1 9 14) 275 31 38: SET { 277 30 36: SEQUENCE { 279 30 34: SEQUENCE - * { 281 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) 286 04 27: OCTET - * STRING : 30 19 87 04 D0 0C 3E 6F 81 03 61 61 61 82 0C 61 : 61 61 2E 6D 63 - * 6F 6D 2E 63 6F 6D : } : } : } : } - */ + public Enumeration getElements() + { return (new Hashtable()).elements();} + + public String getName() + { return NAME;} + + + +/** + construct - expects this in the inputstream (from the router): + + 211 30 31: SEQUENCE { + 213 06 10: OBJECT IDENTIFIER '2 16 840 1 113733 1 9 8' + 225 31 17: SET { + 227 04 15: OCTET STRING, encapsulates { + 229 30 13: SEQUENCE { + 231 30 11: SEQUENCE { + 233 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) + 238 04 4: OCTET STRING + : 03 02 05 A0 + : } + : } + : } + + or this (from IRE client): + + 262 30 51: SEQUENCE { + 264 06 9: OBJECT IDENTIFIER extensionReq (1 2 840 113549 1 9 14) + 275 31 38: SET { + 277 30 36: SEQUENCE { + 279 30 34: SEQUENCE { + 281 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) + 286 04 27: OCTET STRING + : 30 19 87 04 D0 0C 3E 6F 81 03 61 61 61 82 0C 61 + : 61 61 2E 6D 63 6F 6D 2E 63 6F 6D + : } + : } + : } + : } + + + */ private void construct(DerValue dv) throws IOException { - DerInputStream stream = null; - DerValue[] dvs; + DerInputStream stream = null; + DerValue[] dvs; - try { // try decoding as sequence first + try { // try decoding as sequence first - stream = dv.toDerInputStream(); + stream = dv.toDerInputStream(); - DerValue stream_dv = stream.getDerValue(); - stream.reset(); + DerValue stream_dv = stream.getDerValue(); + stream.reset(); + - dvs = stream.getSequence(2); - } catch (IOException ioe) { - // if it failed, the outer sequence may be - // encapsulated in an octet string, as in the first - // example above + dvs = stream.getSequence(2); + } + catch (IOException ioe) { + // if it failed, the outer sequence may be + // encapsulated in an octet string, as in the first + // example above - byte[] octet_string = dv.getOctetString(); + byte[] octet_string = dv.getOctetString(); - // Make a new input stream from the byte array, - // and re-parse it as a sequence. + // Make a new input stream from the byte array, + // and re-parse it as a sequence. - dv = new DerValue(octet_string); + dv = new DerValue(octet_string); - stream = dv.toDerInputStream(); - dvs = stream.getSequence(2); - } + stream = dv.toDerInputStream(); + dvs = stream.getSequence(2); + } - // now, the stream will be in the correct format - stream.reset(); + // now, the stream will be in the correct format + stream.reset(); - while (true) { - DerValue ext_dv = null; - try { - ext_dv = stream.getDerValue(); - } catch (IOException ex) { - break; - } + while (true) { + DerValue ext_dv=null; + try { + ext_dv = stream.getDerValue(); + } + catch (IOException ex) { + break; + } - Extension ext = new Extension(ext_dv); - exts.addElement(ext); - } + Extension ext = new Extension(ext_dv); + exts.addElement(ext); + } } - public Vector getExtensions() { - return exts; - } + public Vector getExtensions() { + return exts; + } } + + |