summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java342
1 files changed, 342 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java b/pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java
new file mode 100644
index 000000000..bcbe839c1
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/processors/PKCS10Processor.java
@@ -0,0 +1,342 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.processors;
+
+
+import com.netscape.cms.servlet.common.*;
+import com.netscape.cms.servlet.base.*;
+
+import java.util.StringTokenizer;
+import java.util.Vector;
+import java.util.Enumeration;
+import java.util.Date;
+import java.util.Hashtable;
+
+import java.io.*;
+
+import java.security.InvalidKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.security.MessageDigest;
+import java.security.PublicKey;
+
+
+import netscape.security.util.*;
+import netscape.security.x509.*;
+import netscape.security.pkcs.*;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.util.DerValue;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+
+import org.mozilla.jss.asn1.SET;
+import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.INTEGER;
+import org.mozilla.jss.asn1.OCTET_STRING;
+import org.mozilla.jss.pkix.crmf.CertTemplate;
+import org.mozilla.jss.pkix.crmf.CertReqMsg;
+import org.mozilla.jss.pkix.crmf.CertRequest;
+import org.mozilla.jss.pkix.crmf.ChallengeResponseException;
+import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+import org.mozilla.jss.pkix.primitive.Name;
+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
+import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.ANY;
+import org.mozilla.jss.pkix.cms.*;
+import org.mozilla.jss.pkix.cmc.*;
+import org.mozilla.jss.pkcs10.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.pkix.cert.Certificate;
+import org.mozilla.jss.pkix.cert.CertificateInfo;
+import org.mozilla.jss.asn1.ASN1Util;
+import org.mozilla.jss.pkcs11.*;
+
+import com.netscape.cms.servlet.*;
+
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.authority.*;
+
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.certsrv.request.RequestId;
+
+import com.netscape.certsrv.authentication.*;
+import com.netscape.cms.servlet.*;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.AuditFormat;
+
+import com.netscape.certsrv.usrgrp.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.dbs.certdb.*;
+import com.netscape.certsrv.base.*;
+import java.math.*;
+
+import com.netscape.cms.servlet.processors.IPKIProcessor;
+import com.netscape.cms.servlet.processors.PKIProcessor;
+
+
+/**
+ * PKCS10Processor process Certificate Requests in
+ * PKCS10 format, as defined here:
+ * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-10/index.html
+ *
+ * @version $Revision$, $Date$
+ */
+public class PKCS10Processor extends PKIProcessor {
+
+ private PKCS10 mPkcs10 = null;
+
+ private final String USE_INTERNAL_PKCS10 = "internal";
+
+ public PKCS10Processor() {
+
+ super();
+ }
+
+ public PKCS10Processor(CMSRequest cmsReq, CMSServlet servlet) {
+ super(cmsReq, servlet);
+
+ }
+
+ public void process(CMSRequest cmsReq)
+ throws EBaseException {
+ }
+
+ public void fillCertInfo(
+ PKCS10 pkcs10, X509CertInfo certInfo,
+ IAuthToken authToken, IArgBlock httpParams)
+ throws EBaseException {
+
+ mPkcs10 = pkcs10;
+
+ fillCertInfo(USE_INTERNAL_PKCS10, certInfo, authToken, httpParams);
+
+ }
+
+ public void fillCertInfo(
+ String protocolString, X509CertInfo certInfo,
+ IAuthToken authToken, IArgBlock httpParams)
+ throws EBaseException {
+
+ PKCS10 p10 = null;
+
+ CMS.debug("PKCS10Processor:fillCertInfo");
+
+ if (protocolString == null) {
+ p10 = getPKCS10(httpParams);
+ } else if (protocolString.equals(USE_INTERNAL_PKCS10)) {
+ p10 = mPkcs10;
+ } else {
+ CMS.debug( "PKCS10Processor::fillCertInfo() - p10 is null!" );
+ throw new EBaseException( "p10 is null" );
+ }
+
+ if (mServlet == null) {
+ EBaseException ex = new ECMSGWException("Servlet property of PKCS10Processor is null.");
+
+ throw ex;
+
+ }
+
+ // fill key
+ X509Key key = p10.getSubjectPublicKeyInfo();
+
+ if (key == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_MISSING_KEY_IN_P10"));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_MISSING_KEY_IN_P10"));
+ }
+ CertificateX509Key certKey = new CertificateX509Key(key);
+
+ try {
+ certInfo.set(X509CertInfo.KEY, certKey);
+ } catch (CertificateException e) {
+ EBaseException ex = new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_P10_FAILED", e.toString()));
+
+ log(ILogger.LL_FAILURE, ex.toString());
+ throw ex;
+ } catch (IOException e) {
+ EBaseException ex = new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_P10_FAILED", e.toString()));
+
+ log(ILogger.LL_FAILURE, ex.toString());
+ throw ex;
+ }
+
+ X500Name subject = p10.getSubjectName();
+
+ if (subject != null) {
+ try {
+ certInfo.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(subject));
+ log(ILogger.LL_INFO,
+ "Setting subject name " + subject + " from p10.");
+ } catch (CertificateException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_SUBJECT_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_SUBJECT_FROM_P10_FAILED", e.toString()));
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_SUBJECT_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_SUBJECT_FROM_P10_FAILED", e.toString()));
+ } catch (Exception e) {
+ // if anything bad happens in X500 name parsing,
+ // this will catch it.
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_SUBJECT_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_SUBJECT_FROM_P10_FAILED", e.toString()));
+ }
+ } else if (authToken == null ||
+ authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) == null) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_MISSING_SUBJECT_IN_P10"));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_IN_P10"));
+ }
+
+ // fill extensions from pkcs 10 attributes if any.
+ // other pkcs10 attributes are not recognized.
+ // ExtensionReq ::= SEQUENCE OF Extension
+ // ExtensionReq {pkcs-9 14}.
+ try {
+ PKCS10Attributes p10Attrs = p10.getAttributes();
+
+ if (p10Attrs != null) {
+ PKCS10Attribute p10Attr = (PKCS10Attribute)
+ (p10Attrs.getAttribute(CertificateExtensions.NAME));
+
+ if (p10Attr != null && p10Attr.getAttributeId().equals(
+ PKCS9Attribute.EXTENSION_REQUEST_OID)) {
+ Extensions exts0 = (Extensions)
+ (p10Attr.getAttributeValue());
+ DerOutputStream extOut = new DerOutputStream();
+
+ exts0.encode(extOut);
+ byte[] extB = extOut.toByteArray();
+ DerInputStream extIn = new DerInputStream(extB);
+ CertificateExtensions exts = new CertificateExtensions(extIn);
+
+ if (exts != null) {
+ certInfo.set(X509CertInfo.EXTENSIONS, exts);
+ }
+ }
+ }
+ CMS.debug(
+ "PKCS10Processor: Seted cert extensions from pkcs10. ");
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_EXTENSIONS_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_P10_FAILED", e.toString()));
+
+ } catch (CertificateException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_EXTENSIONS_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_P10_FAILED", e.toString()));
+ } catch (Exception e) {
+ // if anything bad happens in extensions parsing,
+ // this will catch it.
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_FAILED_SET_EXTENSIONS_FROM_P10", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_SET_KEY_FROM_P10_FAILED", e.toString()));
+ }
+
+ // override pkcs10 attributes with authtoken attributes
+ // like subject name, validity and extensions if any.
+ // adminEnroll is an exception
+ String authMgr = mServlet.getAuthMgr();
+
+ if (authToken != null &&
+ authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT) != null &&
+ !(authMgr.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID))) {
+ fillCertInfoFromAuthToken(certInfo, authToken);
+ }
+
+ // SPECIAL CASE:
+ // if it is adminEnroll servlet, get the validity
+ // from the http parameters.
+ if (mServletId.equals(PKIProcessor.ADMIN_ENROLL_SERVLET_ID)) {
+ fillValidityFromForm(certInfo, httpParams);
+ }
+
+ }
+
+ private PKCS10 getPKCS10(IArgBlock httpParams)
+ throws EBaseException {
+
+ PKCS10 pkcs10 = null;
+
+ String certType = null;
+
+ // support Enterprise 3.5.1 server where CERT_TYPE=csrCertType
+ // instead of certType
+ certType = httpParams.getValueAsString(PKIProcessor.OLD_CERT_TYPE, null);
+ if (certType == null) {
+ certType = httpParams.getValueAsString(PKIProcessor.CERT_TYPE, "client");
+ } else {
+ // some policies may rely on the fact that
+ // CERT_TYPE is set. So for 3.5.1 or eariler
+ // we need to set CERT_TYPE but not here.
+ }
+ if (certType.equals("client")) {
+ // coming from MSIE
+ String p10b64 = httpParams.getValueAsString(PKIProcessor.PKCS10_REQUEST, null);
+
+ if (p10b64 != null) {
+ try {
+ byte[] bytes = CMS.AtoB(p10b64);
+
+ pkcs10 = new PKCS10(bytes);
+ } catch (Exception e) {
+ // ok, if the above fails, it could
+ // be a PKCS10 with header
+ pkcs10 = httpParams.getValueAsPKCS10(PKIProcessor.PKCS10_REQUEST, false, null);
+ // e.printStackTrace();
+ }
+ }
+
+ //pkcs10 = httpParams.getValuePKCS10(PKCS10_REQUEST, null);
+
+ } else {
+ try {
+ // coming from server cut & paste blob.
+ pkcs10 = httpParams.getValueAsPKCS10(PKIProcessor.PKCS10_REQUEST, false, null);
+ }catch (Exception ex) {
+ ex.printStackTrace();
+ }
+ }
+
+ return pkcs10;
+
+ }
+
+}
generated by cgit (git 2.34.1) at 2024-04-23 07:08:16 +0000