diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/key')
3 files changed, 619 insertions, 18 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/pki/base/common/src/com/netscape/cms/servlet/key/GetAsyncPk12.java new file mode 100644 index 000000000..eb510bf59 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/key/GetAsyncPk12.java @@ -0,0 +1,241 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.key; + + +import com.netscape.cms.servlet.common.*; +import com.netscape.cms.servlet.base.*; + +import java.io.*; +import java.util.*; +import java.net.*; +import java.util.*; +import java.text.*; +import java.math.*; +import java.security.*; +import java.security.cert.X509Certificate; +import javax.servlet.*; +import javax.servlet.http.*; +import netscape.security.x509.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.authority.*; +import com.netscape.certsrv.base.*; + +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.keydb.*; + +import com.netscape.cms.servlet.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.kra.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.authorization.*; + + +/** + * Get the recovered key in PKCS#12 format + * - for asynchronous key recovery only + * + */ +public class GetAsyncPk12 extends CMSServlet { + + private final static String INFO = "getAsyncPk12"; + + private final static String TPL_FILE = "finishAsyncRecovery.template"; + + private final static String IN_PASSWORD = "p12Password"; + private final static String IN_PASSWORD_AGAIN = "p12PasswordAgain"; + private final static String OUT_RECOVERY_SUCCESS = "recoverySuccess"; + private final static String OUT_ERROR = "errorDetails"; + + private com.netscape.certsrv.kra.IKeyService mService = null; + private final static String OUT_STATUS = "status"; + + private String mFormPath = null; + + /** + * Constructs getAsyncPk12 servlet. + */ + public GetAsyncPk12() { + super(); + } + + /** + * initialize the servlet. This servlet uses the template file + * "finishAsyncRecovery.template" to process the response. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/agent/" + mAuthority.getId() + "/" + TPL_FILE; + mService = (com.netscape.certsrv.kra.IKeyService) mAuthority; + + mTemplates.remove(CMSRequest.SUCCESS); + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Process the HTTP request. + * <ul> + * <li>http.param reqID request id for recovery + * </ul> + * + * @param cmsReq the object holding the request and response information + */ + public void process(CMSRequest cmsReq) throws EBaseException { + + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "download"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + + cmsReq.setStatus(CMSRequest.SUCCESS); + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + int seq = -1; + + // get status and populate argSet + try { + String reqID = req.getParameter("reqID"); + header.addStringValue("reqID", reqID); + + // only the init DRM agent can get the pkcs12 + SessionContext sContext = SessionContext.getContext(); + String agent = null; + + if (sContext != null) { + agent = (String) sContext.get(SessionContext.USER_ID); + } + + if (agent == null ) { + CMS.debug( "GetAsyncPk12::process() - agent is null!" ); + throw new EBaseException( "agent is null" ); + } + + String initAgent = "undefined"; + initAgent = mService.getInitAgentAsyncKeyRecovery(reqID); + + if ((initAgent.equals("undefined")) || !agent.equals(initAgent)) { + log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMSGW_INVALID_AGENT_ASYNC_3", + reqID, initAgent)); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_INVALID_AGENT_ASYNC", + reqID, initAgent)); + } + + // The async recovery request must be in "approved" state + // i.e. all required # of recovery agents approved + if (mService.isApprovedAsyncKeyRecovery(reqID) != true) { + CMS.debug("GetAsyncPk12::process() - # required recovery agents not met"); + throw new EBaseException( "# required recovery agents not met" ); + } + + String password = req.getParameter(IN_PASSWORD); + String passwordAgain = req.getParameter(IN_PASSWORD_AGAIN); + + if (password == null || password.equals("")) { + header.addStringValue(OUT_ERROR, "PKCS12 password not found"); + throw new EBaseException( "PKCS12 password not found" ); + } + if (passwordAgain == null || !passwordAgain.equals(password)) { + header.addStringValue(OUT_ERROR, "PKCS12 password not matched"); + throw new EBaseException( "PKCS12 password not matched" ); + } + + // got all approval, return pk12 + byte pkcs12[] = mService.doKeyRecovery(reqID, password); + + if (pkcs12 != null) { + try { + resp.setContentType("application/x-pkcs12"); + resp.getOutputStream().write(pkcs12); + mRenderResult = false; + return; + } catch (IOException e) { + header.addStringValue(OUT_ERROR, + CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString())); + } + } else if (((IKeyRecoveryAuthority) mService).getError(reqID) != null) { + // error in recovery process + header.addStringValue(OUT_ERROR, + ((IKeyRecoveryAuthority) mService).getError(reqID)); + } else { + // pk12 hasn't been created yet. Shouldn't get here + } + } catch (EBaseException e) { + header.addStringValue(OUT_ERROR, e.toString(locale[0])); + } + + try { + ServletOutputStream out = resp.getOutputStream(); + + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + + cmsReq.setStatus(CMSRequest.SUCCESS); + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/pki/base/common/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java new file mode 100644 index 000000000..dbb5356cc --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java @@ -0,0 +1,288 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2010 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.key; + +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.cms.servlet.common.*; +import com.netscape.cms.servlet.base.*; + +import java.io.*; +import java.util.*; +import java.net.*; +import java.util.*; +import java.text.*; +import java.math.*; +import java.security.*; +import java.security.cert.X509Certificate; +import javax.servlet.*; +import javax.servlet.http.*; +import netscape.security.x509.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.authority.*; +import com.netscape.certsrv.base.*; + +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.keydb.*; + +import com.netscape.cms.servlet.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.kra.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.authorization.*; + + +/** + * Approve an asynchronous key recovery request + * + */ +public class GrantAsyncRecovery extends CMSServlet { + + private final static String INFO = "grantAsyncRecovery"; + private final static String TPL_FILE = "grantAsyncRecovery.template"; + + private final static String IN_SERIALNO = "serialNumber"; + private final static String IN_REQ_ID = "reqID"; + private final static String IN_UID = "uid"; + private final static String IN_CERT = "cert"; + + private final static String OUT_OP = "op"; + private final static String OUT_SERIALNO = IN_SERIALNO; + private final static String OUT_RECOVERY_SUCCESS = "recoverySuccess"; + private final static String OUT_SERVICE_URL = "serviceURL"; + private final static String OUT_ERROR = "errorDetails"; + + private IKeyService mService = null; + private String mFormPath = null; + + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; + + /** + * Constructs EA servlet. + */ + public GrantAsyncRecovery() { + super(); + } + + /** + * initialize the servlet. This servlet uses the template file + * 'grantAsyncRecovery.template' to process the response. + * + * @param sc servlet configuration, read from the web.xml file + */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; + mService = (IKeyService) mAuthority; + + mTemplates.remove(CMSRequest.SUCCESS); + + if (mOutputTemplatePath != null) + mFormPath = mOutputTemplatePath; + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Process the HTTP request. + * <ul> + * <li>http.param reqID request ID of the request to approve + * <li>http.param agentID User ID of the agent approving the request + + * </ul> + * + * @param cmsReq the object holding the request and response information + */ + public void process(CMSRequest cmsReq) throws EBaseException { + + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + CMS.debug("GrantAsyncRecovery: process() begins"); + + IAuthToken authToken = authenticate(cmsReq); + + AuthzToken authzToken = null; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "recover"); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + } + + if (authzToken == null) { + cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + CMSTemplate form = null; + Locale[] locale = new Locale[1]; + + try { + form = getTemplate(mFormPath, req, locale); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + + IArgBlock header = CMS.createArgBlock(); + IArgBlock fixed = CMS.createArgBlock(); + CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); + + int seq = -1; + + String agentID = authToken.getInString("uid"); + CMS.debug("GrantAsyncRecovery: process() agent uid=" + agentID); + CMS.debug("GrantAsyncRecovery: process() request id=" + req.getParameter("reqID")); + try { + process(argSet, header, + req.getParameter("reqID"), + agentID, + req, resp, locale[0]); + } catch (NumberFormatException e) { + header.addStringValue(OUT_ERROR, + CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString())); + } + try { + ServletOutputStream out = resp.getOutputStream(); + + resp.setContentType("text/html"); + form.renderOutput(out, argSet); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + } + cmsReq.setStatus(CMSRequest.SUCCESS); + } + + /** + * Update agent approval list + * <P> + * + * <ul> + * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN used + * whenever DRM agents login as recovery agents to approve key recovery + * requests + * </ul> + * @param argSet CMS template parameters + * @param header argument block + * @param reqID string containing the recovery request ID + * @param agentID string containing the agent ID + * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param locale the system locale + */ + private void process(CMSTemplateParams argSet, + IArgBlock header, String reqID, + String agentID, + HttpServletRequest req, HttpServletResponse resp, + Locale locale) { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequestID = reqID; + String auditAgentID = agentID; + + // "normalize" the "reqID" + if (auditRequestID != null) { + auditRequestID = auditRequestID.trim(); + + if (auditRequestID.equals("")) { + auditRequestID = ILogger.UNIDENTIFIED; + } + } else { + auditRequestID = ILogger.UNIDENTIFIED; + } + + // "normalize" the "auditAgentID" + if (auditAgentID != null) { + auditAgentID = auditAgentID.trim(); + + if (auditAgentID.equals("")) { + auditAgentID = ILogger.UNIDENTIFIED; + } + } else { + auditAgentID = ILogger.UNIDENTIFIED; + } + + try { + header.addStringValue(OUT_OP, + req.getParameter(OUT_OP)); + header.addStringValue(OUT_SERVICE_URL, + req.getRequestURI()); + + // update approving agent list + mService.addAgentAsyncKeyRecovery(reqID, agentID); + + header.addStringValue("requestID", reqID); + header.addStringValue("agentID", agentID); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.SUCCESS, + auditRequestID, + auditAgentID); + + audit(auditMessage); + + } catch (EBaseException e) { + header.addStringValue(OUT_ERROR, e.toString(locale)); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + auditAgentID); + + audit(auditMessage); + } catch (Exception e) { + header.addStringValue(OUT_ERROR, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + auditAgentID); + + audit(auditMessage); + } + } +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java b/pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java index e88abccbe..7882b815f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java @@ -176,14 +176,33 @@ public class RecoverBySerial extends CMSServlet { try { String localAgents = req.getParameter("localAgents"); + String initAsyncRecovery = req.getParameter("initAsyncRecovery"); // this information is needed within the server for // various signed audit log messages to report ctx = SessionContext.getContext(); - ctx.put(SessionContext.RECOVERY_ID, - req.getParameter("recoveryID")); - byte pkcs12[] = process(form, argSet, header, + /* + When Recovery is first initiated, if it is in asynch mode, + no pkcs#12 password is needed. + The initiating agent uid will be recorded in the recovery + request. + Later, as approving agents submit their approvals, they will + also be listed in the request. + */ + if ((initAsyncRecovery != null) && + initAsyncRecovery.equalsIgnoreCase("ON")) { + process(form, argSet, header, + req.getParameter(IN_SERIALNO), + req.getParameter(IN_CERT), + req, resp, locale[0]); + + int requiredNumber = mService.getNoOfRequiredAgents(); + header.addIntegerValue("noOfRequiredAgents", requiredNumber); + } else { + ctx.put(SessionContext.RECOVERY_ID, + req.getParameter("recoveryID")); + byte pkcs12[] = process(form, argSet, header, req.getParameter(IN_SERIALNO), req.getParameter("localAgents"), req.getParameter(IN_PASSWORD), @@ -193,13 +212,14 @@ public class RecoverBySerial extends CMSServlet { req.getParameter(IN_NICKNAME), req, resp, locale[0]); - if (pkcs12 != null) { + if (pkcs12 != null) { //resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType("application/x-pkcs12"); //resp.setContentLength(pkcs12.length); resp.getOutputStream().write(pkcs12); mRenderResult = false; return; + } } } catch (NumberFormatException e) { header.addStringValue(OUT_ERROR, @@ -228,6 +248,61 @@ public class RecoverBySerial extends CMSServlet { } /** + * Async Key Recovery - request initiation + */ + private void process(CMSTemplate form, CMSTemplateParams argSet, + IArgBlock header, String seq, String cert, + HttpServletRequest req, HttpServletResponse resp, + Locale locale) { + + // seq is the key id + if (seq == null) { + header.addStringValue(OUT_ERROR, "sequence number not found"); + return; + } + X509CertImpl x509cert = null; + + if (cert == null) { + header.addStringValue(OUT_ERROR, "certificate not found"); + return; + } else { + try { + x509cert = Cert.mapCert(cert); + } catch (IOException e) { + header.addStringValue(OUT_ERROR, e.toString()); + } + } + if (x509cert == null) { + header.addStringValue(OUT_ERROR, "invalid X.509 certificate"); + return; + } + + SessionContext sContext = SessionContext.getContext(); + + try { + String reqID = mService.initAsyncKeyRecovery( + new BigInteger(seq), x509cert, + (String) sContext.get(SessionContext.USER_ID)); + header.addStringValue(OUT_SERIALNO, req.getParameter(IN_SERIALNO)); + header.addStringValue("requestID", reqID); + } catch (EBaseException e) { + String error = + "Failed to recover key for key id " + + seq + ".\nException: " + e.toString(); + + CMS.getLogger().log(ILogger.EV_SYSTEM, + ILogger.S_KRA, ILogger.LL_FAILURE, error); + try { + ((IKeyRecoveryAuthority) mService).createError(seq, error); + } catch (EBaseException eb) { + CMS.getLogger().log(ILogger.EV_SYSTEM, + ILogger.S_KRA, ILogger.LL_FAILURE, eb.toString()); + } + } + return; + } + + /** * Recovers a key. The p12 will be protected by the password * provided by the administrator. */ @@ -269,6 +344,12 @@ public class RecoverBySerial extends CMSServlet { try { Credential creds[] = null; + SessionContext sContext = SessionContext.getContext(); + String agent = null; + + if (sContext != null) { + agent = (String) sContext.get(SessionContext.USER_ID); + } if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { if (localAgents == null) { String recoveryID = req.getParameter("recoveryID"); @@ -283,12 +364,6 @@ public class RecoverBySerial extends CMSServlet { header.addStringValue("recoveryID", recoveryID); - SessionContext sContext = SessionContext.getContext(); - String agent = null; - - if (sContext != null) { - agent = (String) sContext.get(SessionContext.USER_ID); - } params.put("agent", agent); // new thread to wait for pk12 @@ -330,7 +405,7 @@ public class RecoverBySerial extends CMSServlet { byte pkcs12[] = mService.doKeyRecovery( new BigInteger(seq), creds, password, x509cert, - delivery, nickname); + delivery, nickname, agent); return pkcs12; } else { @@ -346,12 +421,6 @@ public class RecoverBySerial extends CMSServlet { header.addStringValue("recoveryID", recoveryID); - SessionContext sContext = SessionContext.getContext(); - String agent = null; - - if (sContext != null) { - agent = (String) sContext.get(SessionContext.USER_ID); - } params.put("agent", agent); // new thread to wait for pk12 @@ -423,11 +492,14 @@ public class RecoverBySerial extends CMSServlet { return; } + SessionContext sContext = SessionContext.getContext(); + try { byte pkcs12[] = mService.doKeyRecovery( new BigInteger(theSeq), creds, thePassword, theCert, - theDelivery, theNickname); + theDelivery, theNickname, + (String) sContext.get(SessionContext.USER_ID)); ((IKeyRecoveryAuthority) mService).createPk12(theRecoveryID, pkcs12); } catch (EBaseException e) { |