summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java1912
1 files changed, 1912 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java
new file mode 100644
index 000000000..6ad77a3f6
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/ProcessCertReq.java
@@ -0,0 +1,1912 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.request;
+
+
+import com.netscape.cms.servlet.common.*;
+import com.netscape.cms.servlet.base.*;
+import java.io.*;
+import java.util.*;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.extensions.*;
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.publish.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.cms.servlet.cert.*;
+
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.authorization.*;
+import com.netscape.certsrv.usrgrp.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.logging.*;
+
+
+/**
+ * Agent operations on Certificate requests. This servlet is used
+ * by an Agent to approve, reject, reassign, or change a certificate
+ * request.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProcessCertReq extends CMSServlet {
+
+ private final static String INFO = "processReq";
+ private final static String SEQNUM = "seqNum";
+ private final static String TO_DO = "toDo";
+ private final static String TPL_FILE = "processCertReq.template";
+
+ private IRequestQueue mQueue = null;
+ private String mFormPath = null;
+ private IReqParser mParser = null;
+ private IPublisherProcessor mPublisherProcessor = null;
+ private boolean mExtraAgentParams = false;
+
+ // for RA only since it does not have a database.
+ private final static String
+ REQ_COMPLETED_TEMPLATE = "ra/RequestCompleted.template";
+ private final static String
+ PROP_REQ_COMPLETED_TEMPLATE = "requestCompletedTemplate";
+ private final static String
+ PROP_EXTRA_AGENT_PARAMS = "extraAgentParams";
+ private static ICMSTemplateFiller
+ REQ_COMPLETED_FILLER = new RAReqCompletedFiller();
+ private String mReqCompletedTemplate = null;
+ private final static String
+ CERT_TYPE = "certType";
+
+ private String auditServiceID = ILogger.UNIDENTIFIED;
+ private final static String AGENT_CA_CLONE_ENROLLMENT_SERVLET =
+ "caProcessCertReq";
+ private final static String AGENT_RA_CLONE_ENROLLMENT_SERVLET =
+ "raProcessCertReq";
+ private final static String SIGNED_AUDIT_ACCEPTANCE = "accept";
+ private final static String SIGNED_AUDIT_CANCELLATION = "cancel";
+ private final static String SIGNED_AUDIT_CLONING = "clone";
+ private final static String SIGNED_AUDIT_REJECTION = "reject";
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ private final static String[]
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON = new String[] {
+
+ /* 0 */ "manual non-profile cert request cancellation: "
+ + "request cannot be processed due to an "
+ + "authorization failure",
+
+ /* 1 */ "manual non-profile cert request cancellation: "
+ + "no reason has been given for cancelling this "
+ + "cert request",
+
+ /* 2 */ "manual non-profile cert request cancellation: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to an EBaseException",
+
+ /* 3 */ "manual non-profile cert request cancellation: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to an IOException",
+
+ /* 4 */ "manual non-profile cert request cancellation: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to a CertificateException",
+
+ /* 5 */ "manual non-profile cert request cancellation: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to a NoSuchAlgorithmException"
+ };
+ private final static String[]
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON = new String[] {
+
+ /* 0 */ "manual non-profile cert request rejection: "
+ + "request cannot be processed due to an "
+ + "authorization failure",
+
+ /* 1 */ "manual non-profile cert request rejection: "
+ + "no reason has been given for rejecting this "
+ + "cert request",
+
+ /* 2 */ "manual non-profile cert request rejection: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to an EBaseException",
+
+ /* 3 */ "manual non-profile cert request rejection: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to an IOException",
+
+ /* 4 */ "manual non-profile cert request rejection: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to a CertificateException",
+
+ /* 5 */ "manual non-profile cert request rejection: "
+ + "indeterminate reason for inability to process "
+ + "cert request due to a NoSuchAlgorithmException"
+ };
+ private final static String
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST =
+ "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+ private final static String
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+
+ /**
+ * Process request.
+ */
+ public ProcessCertReq()
+ throws EBaseException {
+ super();
+ }
+
+ /**
+ * initialize the servlet. This servlet uses the template file
+ * "processCertReq.template" to process the response.
+ *
+ * @param sc servlet configuration, read from the web.xml file
+ */
+ public void init(ServletConfig sc) throws ServletException {
+ try {
+ super.init(sc);
+
+ // determine the service ID for signed audit log messages
+ String id = sc.getInitParameter(CMSServlet.PROP_ID);
+
+ if (id != null) {
+ if (!(auditServiceID.equals(
+ AGENT_CA_CLONE_ENROLLMENT_SERVLET))
+ && !(auditServiceID.equals(
+ AGENT_RA_CLONE_ENROLLMENT_SERVLET))) {
+ auditServiceID = ILogger.UNIDENTIFIED;
+ } else {
+ auditServiceID = id.trim();
+ }
+ }
+
+ mQueue = mAuthority.getRequestQueue();
+ mPublisherProcessor =
+ ((ICertAuthority) mAuthority).getPublisherProcessor();
+
+ mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE;
+
+ mParser = CertReqParser.DETAIL_PARSER;
+
+ // override success and error templates to null -
+ // handle templates locally.
+ mTemplates.remove(CMSRequest.SUCCESS);
+
+ try {
+ mReqCompletedTemplate = sc.getInitParameter(
+ PROP_REQ_COMPLETED_TEMPLATE);
+ if (mReqCompletedTemplate == null)
+ mReqCompletedTemplate = REQ_COMPLETED_TEMPLATE;
+ String tmp = sc.getInitParameter(PROP_EXTRA_AGENT_PARAMS);
+
+ if (tmp != null && tmp.trim().equalsIgnoreCase("true"))
+ mExtraAgentParams = true;
+ else
+ mExtraAgentParams = false;
+ } catch (Exception e) {
+ // does not happen.
+ }
+ } catch (ServletException eAudit1) {
+ // rethrow caught exception
+ throw eAudit1;
+ }
+ }
+
+
+ /**
+ * Process the HTTP request.
+ * <ul>
+ * <li>http.param seqNum request id
+ * <li>http.param notValidBefore certificate validity
+ * - notBefore - in seconds since jan 1, 1970
+ * <li>http.param notValidAfter certificate validity
+ * - notAfter - in seconds since jan 1, 1970
+ * <li>http.param subject certificate subject name
+ * <li>http.param toDo requested action
+ * (can be one of: clone, reject, accept, cancel)
+ * <li>http.param signatureAlgorithm certificate signing algorithm
+ * <li>http.param addExts base-64, DER encoded Extension or
+ * SEQUENCE OF Extensions to add to certificate
+ * <li>http.param pathLenConstraint integer path length constraint to
+ * use in BasicConstraint extension if applicable
+ * </ul>
+ *
+ * @param cmsReq the object holding the request and response information
+ */
+ public void process(CMSRequest cmsReq) throws EBaseException {
+ long startTime = CMS.getCurrentDate().getTime();
+ String toDo = null;
+ String subject = null;
+ String signatureAlgorithm = null;
+ long notValidBefore = 0;
+ long notValidAfter = 0;
+ int seqNum = -1;
+ EBaseException error = null;
+
+ HttpServletRequest req = cmsReq.getHttpReq();
+ HttpServletResponse resp = cmsReq.getHttpResp();
+
+ IArgBlock header = CMS.createArgBlock();
+ IArgBlock fixed = CMS.createArgBlock();
+ CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);
+
+ CMSTemplate form = null, errorForm = null;
+ Locale[] locale = new Locale[1];
+
+ try {
+ form = getTemplate(mFormPath, req, locale);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"));
+ }
+
+ try {
+ if (req.getParameter(SEQNUM) != null) {
+ CMS.debug(
+ "ProcessCertReq: parameter seqNum " + req.getParameter(SEQNUM));
+ seqNum = Integer.parseInt(req.getParameter(SEQNUM));
+ }
+ String notValidBeforeStr = req.getParameter("notValidBefore");
+
+ if (notValidBeforeStr != null && notValidBeforeStr.length() > 0) {
+ notValidBefore = Long.parseLong(notValidBeforeStr);
+ notValidBefore *= 1000;
+ }
+ String notValidAfterStr = req.getParameter("notValidAfter");
+
+ if (notValidAfterStr != null && notValidAfterStr.length() > 0) {
+ notValidAfter = Long.parseLong(notValidAfterStr);
+ notValidAfter *= 1000;
+ }
+
+ toDo = req.getParameter("toDo");
+
+ subject = req.getParameter("subject");
+ signatureAlgorithm = req.getParameter("signatureAlgorithm");
+
+
+ IRequest r = null;
+
+ if (seqNum > -1) {
+ r = mQueue.findRequest(new RequestId(
+ Integer.toString(seqNum)));
+ }
+
+ if(seqNum > -1 && r != null)
+ {
+ processX509(cmsReq, argSet, header, seqNum, req, resp,
+ toDo, signatureAlgorithm, subject,
+ notValidBefore, notValidAfter, locale[0], startTime);
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_REQUEST_ID_1", String.valueOf(seqNum)));
+ error = new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_INVALID_REQUEST_ID",
+ String.valueOf(seqNum)));
+ }
+ } catch (EBaseException e) {
+ error = e;
+ } catch (NumberFormatException e) {
+ log(ILogger.LL_FAILURE, "Error " + e);
+ error = new EBaseException(CMS.getUserMessage(getLocale(req),"CMS_BASE_INVALID_NUMBER_FORMAT"));
+ }
+
+ try {
+ ServletOutputStream out = resp.getOutputStream();
+
+ if (error == null) {
+ String xmlOutput = req.getParameter("xml");
+ if (xmlOutput != null && xmlOutput.equals("true")) {
+ outputXML(resp, argSet);
+ } else {
+ String output = form.getOutput(argSet);
+ resp.setContentType("text/html");
+ form.renderOutput(out, argSet);
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+ }
+ } else {
+ cmsReq.setStatus(CMSRequest.ERROR);
+ cmsReq.setError(error);
+ }
+
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString()));
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"));
+ }
+ return;
+ }
+
+ /**
+ * Process X509 certificate enrollment request and send request information
+ * to the caller.
+ * <P>
+ *
+ * (Certificate Request - an "agent" cert request for "cloning")
+ * <P>
+ *
+ * (Certificate Request Processed - either a manual "agent" non-profile
+ * based cert acceptance, a manual "agent" non-profile based cert
+ * cancellation, or a manual "agent" non-profile based cert rejection)
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST used when a
+ * non-profile cert request is made (before approval process)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED used when a
+ * certificate request has just been through the approval process
+ * </ul>
+ * @param cmsReq a certificate enrollment request
+ * @param argSet CMS template parameters
+ * @param header argument block
+ * @param seqNum sequence number
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param toDo string representing the requested action (can be one of:
+ * clone, reject, accept, cancel)
+ * @param signatureAlgorithm string containing the signature algorithm
+ * @param subject string containing the subject name of the certificate
+ * @param notValidBefore certificate validity - notBefore - in seconds
+ * since Jan 1, 1970
+ * @param notValidAfter certificate validity - notAfter - in seconds since
+ * Jan 1, 1970
+ * @param locale the system locale
+ * @param startTime the current date
+ * @exception EBaseException an error has occurred
+ */
+ private void processX509(CMSRequest cmsReq,
+ CMSTemplateParams argSet, IArgBlock header,
+ int seqNum, HttpServletRequest req,
+ HttpServletResponse resp,
+ String toDo, String signatureAlgorithm,
+ String subject,
+ long notValidBefore, long notValidAfter,
+ Locale locale, long startTime)
+ throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = ILogger.UNIDENTIFIED;
+ String auditCertificateSubjectName = subject;
+ String auditInfoName = auditInfoName(toDo);
+ String id = null;
+
+ // "normalize" the "auditCertificateSubjectName"
+ if (auditCertificateSubjectName != null) {
+ // NOTE: This is ok even if the cert subject name is "" (empty)!
+ auditCertificateSubjectName = auditCertificateSubjectName.trim();
+ } else {
+ // NOTE: Here, the cert subject name is MISSING, not "" (empty)!
+ auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ try {
+ IRequest r = mQueue.findRequest(new RequestId(
+ Integer.toString(seqNum)));
+
+ if (r != null) {
+ // overwrite "auditRequesterID" if and only if "id" != null
+ id = r.getRequestId().toString();
+ if (id != null) {
+ auditRequesterID = id.trim();
+ }
+ }
+
+ if (mAuthority != null)
+ header.addStringValue("authorityid", mAuthority.getId());
+
+ if (toDo != null) {
+ // for audit log
+ IAuthToken authToken = authenticate(cmsReq);
+ AuthzToken authzToken = null;
+
+ try {
+ authzToken = authorize(mAclMethod, authToken,
+ mAuthzResourceName, "execute");
+ } catch (EAuthzAccessDenied e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE",
+ e.toString()));
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE",
+ e.toString()));
+ }
+
+ if (authzToken == null) {
+ cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
+
+ // store a message in the signed audit log file
+ if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ // (manual "agent" cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0]);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[0]);
+
+ audit(auditMessage);
+ }
+
+ return;
+ }
+
+ String authMgr = AuditFormat.NOAUTH;
+
+ if (authToken != null) {
+ authMgr =
+ authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ }
+ String agentID = authToken.getInString("userid");
+ String initiative = AuditFormat.FROMAGENT + " agentID: " + agentID;
+
+ // Get the certificate info from the request
+ X509CertInfo certInfo[] = r.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+
+ header.addStringValue("toDo", toDo);
+ if (toDo.equals("accept")) {
+
+ if (certInfo != null) {
+ int alterationCounter = 0;
+
+ for (int i = 0; i < certInfo.length; i++) {
+ CertificateAlgorithmId certAlgId =
+ (CertificateAlgorithmId)
+ certInfo[i].get(X509CertInfo.ALGORITHM_ID);
+
+ AlgorithmId algId = (AlgorithmId)
+ certAlgId.get(CertificateAlgorithmId.ALGORITHM);
+
+ if (!(algId.getName().equals(signatureAlgorithm))) {
+ alterationCounter++;
+ AlgorithmId newAlgId = AlgorithmId.getAlgorithmId(signatureAlgorithm);
+
+ certInfo[i].set(X509CertInfo.ALGORITHM_ID,
+ new CertificateAlgorithmId(newAlgId));
+ }
+
+ CertificateSubjectName certSubject =
+ (CertificateSubjectName)
+ certInfo[i].get(X509CertInfo.SUBJECT);
+
+ if (subject != null &&
+ !(certSubject.toString().equals(subject))) {
+
+ alterationCounter++;
+ certInfo[i].set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(
+ (new X500Name(subject))));
+ }
+
+ CertificateValidity certValidity =
+ (CertificateValidity)
+ certInfo[i].get(X509CertInfo.VALIDITY);
+ Date currentTime = CMS.getCurrentDate();
+ boolean validityChanged = false;
+
+ // only override these values if agent specified them
+ if (notValidBefore > 0) {
+ Date notBefore = (Date) certValidity.get(
+ CertificateValidity.NOT_BEFORE);
+
+ if (notBefore.getTime() == 0 ||
+ notBefore.getTime() != notValidBefore) {
+ Date validFrom = new Date(notValidBefore);
+
+ notBefore = (notValidBefore == 0) ? currentTime : validFrom;
+ certValidity.set(CertificateValidity.NOT_BEFORE,
+ notBefore);
+ validityChanged = true;
+ }
+ }
+ if (notValidAfter > 0) {
+ Date validTo = new Date(notValidAfter);
+ Date notAfter = (Date)
+ certValidity.get(CertificateValidity.NOT_AFTER);
+
+ if (notAfter.getTime() == 0 ||
+ notAfter.getTime() != notValidAfter) {
+ notAfter = currentTime;
+ notAfter = (notValidAfter == 0) ? currentTime : validTo;
+ certValidity.set(CertificateValidity.NOT_AFTER,
+ notAfter);
+ validityChanged = true;
+ }
+ }
+ if (validityChanged) {
+ // this set() trigger this rebuild of internal
+ // raw der encoding cache of X509CertInfo.
+ // Otherwise, the above change wont have effect.
+ certInfo[i].set(X509CertInfo.VALIDITY, certValidity);
+ }
+
+ if (certInfo[i].get(X509CertInfo.VERSION) == null) {
+ certInfo[i].set(X509CertInfo.VERSION,
+ new CertificateVersion(
+ CertificateVersion.V3));
+ }
+
+ CertificateExtensions extensions = null;
+
+ try {
+ extensions = (CertificateExtensions)
+ certInfo[i].get(X509CertInfo.EXTENSIONS);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", e.toString()));
+ }
+
+ // 99/08/31 #361906 - handling additional extensions
+ String addExts = req.getParameter("addExts");
+
+ if (addExts != null && !addExts.trim().equals("")) {
+ Vector extsToBeAdded = new Vector();
+
+ byte[] b = (byte[]) (com.netscape.osutil.OSUtil.AtoB(addExts));
+
+ // this b can be "Extension" Or "SEQUENCE OF Extension"
+ try {
+ DerValue b_der = new DerValue(b);
+
+ while (b_der.data.available() != 0) {
+ Extension de = new Extension(b_der.data.getDerValue());
+
+ extsToBeAdded.addElement(de);
+ }
+ } catch (IOException e) {
+ // it could be a single extension
+ Extension de = new Extension(new DerValue(b));
+
+ extsToBeAdded.addElement(de);
+ }
+ if (extsToBeAdded.size() > 0) {
+ if (extensions == null) {
+ extensions = new CertificateExtensions();
+ certInfo[i].set(X509CertInfo.EXTENSIONS, extensions);
+ }
+ for (int j = 0; j < extsToBeAdded.size(); j++) {
+ Extension theExt = (Extension) extsToBeAdded.elementAt(j);
+
+ extensions.set(theExt.getExtensionId().toString(), theExt);
+ }
+ }
+ }
+
+ if (extensions != null) {
+ try {
+ NSCertTypeExtension nsExtensions =
+ (NSCertTypeExtension)
+ extensions.get(
+ NSCertTypeExtension.NAME);
+
+ if (nsExtensions != null) {
+ updateNSExtension(req, nsExtensions);
+ }
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_PROCESS_NETSCAPE_EXTENSION", e.toString()));
+ }
+
+ String pathLength = req.getParameter("pathLenConstraint");
+
+ if (pathLength != null) {
+ try {
+ int pathLen = Integer.parseInt(pathLength);
+ BasicConstraintsExtension bcExt =
+ (BasicConstraintsExtension)
+ extensions.get(
+ BasicConstraintsExtension.NAME);
+
+ if (bcExt != null) {
+ Integer bcPathLen = (Integer) bcExt.get(BasicConstraintsExtension.PATH_LEN);
+ Boolean isCA = (Boolean) bcExt.get(BasicConstraintsExtension.IS_CA);
+
+ if (bcPathLen != null &&
+ bcPathLen.intValue() != pathLen &&
+ isCA != null) {
+ BasicConstraintsExtension bcExt0 =
+ new BasicConstraintsExtension(isCA.booleanValue(), pathLen);
+
+ extensions.delete(BasicConstraintsExtension.NAME);
+ extensions.set(BasicConstraintsExtension.NAME, (Extension) bcExt0);
+ alterationCounter++;
+ }
+ }
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_PROCESS_CONSTRAINTS_EXTENSION", e.toString()));
+ } catch (NumberFormatException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_PROCESS_CONSTRAINTS_EXTENSION", e.toString()));
+ }
+ }
+
+ // handle Presence Server Extension
+ String PSE_Enable = req.getParameter("PSE_Enable");
+
+ if (PSE_Enable != null) {
+ boolean Critical = (req.getParameter("PSE_Critical") != null);
+ int Version = 0;
+
+ try {
+ Version = Integer.parseInt(req.getParameter("PSE_Version"));
+ } catch (Exception e1) {
+ }
+ String StreetAddress = req.getParameter("PSE_StreetAddress");
+
+ if (StreetAddress == null) {
+ StreetAddress = "";
+ }
+ String TelephoneNumber = req.getParameter("PSE_TelephoneNumber");
+
+ if (TelephoneNumber == null) {
+ TelephoneNumber = "";
+ }
+ String RFC822Name = req.getParameter("PSE_RFC822Name");
+
+ if (RFC822Name == null) {
+ RFC822Name = "";
+ }
+ String IMID = req.getParameter("PSE_IMID");
+
+ if (IMID == null) {
+ IMID = "";
+ }
+ String HostName = req.getParameter("PSE_HostName");
+
+ if (HostName == null) {
+ HostName = "";
+ }
+ int PortNumber = 0;
+
+ try {
+ PortNumber = Integer.parseInt(req.getParameter("PSE_PortNumber"));
+ } catch (Exception e1) {
+ }
+ int MaxUsers = 0;
+
+ try {
+ MaxUsers = Integer.parseInt(req.getParameter("PSE_MaxUsers"));
+ } catch (Exception e1) {
+ }
+ int ServiceLevel = 0;
+
+ try {
+ ServiceLevel = Integer.parseInt(req.getParameter("PSE_ServiceLevel"));
+ } catch (Exception e1) {
+ }
+ // create extension
+ PresenceServerExtension pseExt = new PresenceServerExtension(Critical, Version, StreetAddress, TelephoneNumber, RFC822Name, IMID, HostName, PortNumber, MaxUsers, ServiceLevel);
+
+ extensions.set(pseExt.getExtensionId().toString(), pseExt);
+ }
+
+ if (mExtraAgentParams) {
+ Enumeration extraparams = req.getParameterNames();
+ int l = IRequest.AGENT_PARAMS.length() + 1;
+ int ap_counter = 0;
+ Hashtable agentparamsargblock = new Hashtable();
+
+ if (extraparams != null) {
+ while (extraparams.hasMoreElements()) {
+ String s = (String) extraparams.nextElement();
+
+ if (s.startsWith(IRequest.AGENT_PARAMS)) {
+ String param_value = req.getParameter(s);
+
+ if (param_value != null) {
+ String new_name = s.substring(l);
+
+ agentparamsargblock.put(new_name, param_value);
+ ap_counter += 1;
+ }
+ }
+ }
+ }
+ if (ap_counter > 0) {
+ r.setExtData(IRequest.AGENT_PARAMS, agentparamsargblock);
+ alterationCounter++;
+ }
+ }
+
+ // this set() trigger this rebuild of internal
+ // raw der encoding cache of X509CertInfo.
+ // Otherwise, the above change wont have effect.
+ certInfo[i].set(X509CertInfo.EXTENSIONS, extensions);
+ }
+ alterationCounter += updateExtensionsInRequest(req, r);
+ }
+ if (alterationCounter > 0) {
+ mQueue.updateRequest(r);
+ }
+ }
+
+ mQueue.approveRequest(r);
+
+ if (r.getRequestStatus().equals(RequestStatus.PENDING)) {
+ cmsReq.setResult(r);
+ cmsReq.setStatus(CMSRequest.PENDING);
+ if (certInfo != null) {
+ for (int i = 0; i < certInfo.length; i++) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "pending",
+ certInfo[i].get(X509CertInfo.SUBJECT),
+ ""}
+ );
+ }
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "pending",
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "pending"}
+ );
+ }
+ }
+ } else if (r.getRequestStatus().equals(
+ RequestStatus.APPROVED) ||
+ r.getRequestStatus().equals(
+ RequestStatus.SVC_PENDING)) {
+ cmsReq.setResult(r);
+ cmsReq.setStatus(CMSRequest.SVC_PENDING);
+ if (certInfo != null) {
+ for (int i = 0; i < certInfo.length; i++) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ r.getRequestStatus(),
+ certInfo[i].get(X509CertInfo.SUBJECT),
+ ""}
+ );
+ }
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ r.getRequestStatus(),
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ r.getRequestStatus()}
+ );
+ }
+ }
+ } else if (r.getRequestStatus().equals(
+ RequestStatus.COMPLETE)) {
+ cmsReq.setStatus(CMSRequest.SUCCESS);
+
+ // XXX make the repeat record.
+ // Get the certificate(s) from the request
+ X509CertImpl issuedCerts[] =
+ r.getExtDataInCertArray(IRequest.ISSUED_CERTS);
+
+ // return potentially more than one certificates.
+ if (issuedCerts != null) {
+ long endTime = CMS.getCurrentDate().getTime();
+ StringBuffer sbuf = new StringBuffer();
+
+ //header.addBigIntegerValue("serialNumber",
+ //issuedCerts[0].getSerialNumber(),16);
+ for (int i = 0; i < issuedCerts.length; i++) {
+ if (i != 0)
+ sbuf.append(", ");
+ sbuf.append("0x" +
+ issuedCerts[i].getSerialNumber().toString(16));
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ issuedCerts[i].getSubjectDN(),
+ "cert issued serial number: 0x" +
+ issuedCerts[i].getSerialNumber().toString(16) + " time: " + (endTime - startTime)}
+ );
+
+ // store a message in the signed audit log file
+ // (one for each manual "agent"
+ // cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditInfoName,
+ auditInfoCertValue(issuedCerts[i]));
+
+ audit(auditMessage);
+ }
+ header.addStringValue(
+ "serialNumber", sbuf.toString());
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "completed"}
+ );
+ }
+
+ // store a message in the signed audit log file
+ // (manual "agent" cert request processed
+ // - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ }
+
+ // grant trusted manager or agent privileges
+ Object grantError = null;
+
+ try {
+ int res = grant_privileges(
+ cmsReq, r, issuedCerts, header);
+
+ if (res != 0) {
+ header.addStringValue(GRANT_ERROR, "SUCCESS");
+ grantError = "SUCCESS";
+ }
+ } catch (EBaseException e) {
+ header.addStringValue(GRANT_ERROR, e.toString());
+ grantError = e;
+ }
+
+ // if this is a RA, show the certificate right away
+ // since ther is no cert database.
+ /*
+ if (mAuthority instanceof RegistrationAuthority) {
+ Object[] results =
+ new Object[] { issuedCerts, grantError };
+ cmsReq.setResult(results);
+ renderTemplate(cmsReq,
+ mReqCompletedTemplate, REQ_COMPLETED_FILLER);
+
+ return;
+ }
+ */
+
+ cmsReq.setResult(r);
+
+ String scheme = req.getScheme();
+
+ if (scheme.equals("http") &&
+ connectionIsSSL(req)) scheme = "https";
+
+ /*
+ header.addStringValue(
+ "authorityid", mAuthority.getId());
+ header.addStringValue("serviceURL", scheme +"://"+
+ req.getServerName() + ":"+
+ req.getServerPort() +
+ req.getRequestURI());
+ */
+
+ if (mPublisherProcessor != null && mPublisherProcessor.ldapEnabled()) {
+ header.addStringValue("dirEnabled", "yes");
+
+ Integer[] ldapPublishStatus =
+ r.getExtDataInIntegerArray("ldapPublishStatus");
+ int certsUpdated = 0;
+
+ if (ldapPublishStatus != null) {
+ for (int i = 0;
+ i < ldapPublishStatus.length; i++) {
+ if (ldapPublishStatus[i] ==
+ IRequest.RES_SUCCESS) {
+ certsUpdated++;
+ }
+ }
+ }
+ header.addIntegerValue("certsUpdated", certsUpdated);
+
+ } else {
+ header.addStringValue("dirEnabled", "no");
+ }
+ }
+
+ } else if (toDo.equals("reject")) {
+ mQueue.rejectRequest(r);
+ if (certInfo != null) {
+ for (int i = 0; i < certInfo.length; i++) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "rejected",
+ certInfo[i].get(X509CertInfo.SUBJECT),
+ ""}
+ );
+ }
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "rejected",
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "rejected"}
+ );
+ }
+ }
+
+ // store a message in the signed audit log file
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[1]);
+
+ audit(auditMessage);
+
+ } else if (toDo.equals("cancel")) {
+ mQueue.cancelRequest(r);
+
+ if (certInfo != null) {
+ for (int i = 0; i < certInfo.length; i++) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "canceled",
+ certInfo[i].get(X509CertInfo.SUBJECT),
+ ""}
+ );
+ }
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "canceled",
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "canceled"}
+ );
+ }
+
+ }
+
+ // store a message in the signed audit log file
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1]);
+
+ audit(auditMessage);
+
+ } else if (toDo.equals("clone")) {
+ IRequest clonedRequest = mQueue.cloneAndMarkPending(r);
+
+ header.addStringValue("clonedRequestId",
+ clonedRequest.getRequestId().toString());
+
+ if (certInfo != null) {
+ for (int i = 0; i < certInfo.length; i++) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "cloned to reqID: " +
+ clonedRequest.getRequestId().toString(),
+ certInfo[i].get(X509CertInfo.SUBJECT),
+ ""}
+ );
+ }
+ } else {
+ if (subject != null) {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "cloned to reqID: " +
+ clonedRequest.getRequestId().toString(),
+ subject,
+ ""}
+ );
+ } else {
+ mLogger.log(ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.NODNFORMAT,
+ new Object[] {
+ r.getRequestType(),
+ r.getRequestId(),
+ initiative,
+ authMgr,
+ "cloned to reqID: " +
+ clonedRequest.getRequestId().toString()}
+ );
+ }
+ }
+
+ // store a message in the signed audit log file
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ }
+ }
+
+ // add authority names to know what privileges can be requested.
+ if (CMS.getSubsystem("kra") != null)
+ header.addStringValue("localkra", "yes");
+ if (CMS.getSubsystem("ca") != null)
+ header.addStringValue("localca", "yes");
+ if (CMS.getSubsystem("ra") != null)
+ header.addStringValue("localra", "yes");
+
+ header.addIntegerValue("seqNum", seqNum);
+ mParser.fillRequestIntoArg(locale, r, argSet, header);
+ String rid = r.getExtDataInString(IRequest.REMOTE_REQID);
+
+ if (rid != null)
+ header.addStringValue("remoteReqID", rid);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+
+ // store a message in the signed audit log file
+ if (toDo != null) {
+ if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ // (manual "agent" cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2]);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[2]);
+
+ audit(auditMessage);
+ }
+ }
+
+ throw e;
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+
+ // store a message in the signed audit log file
+ if (toDo != null) {
+ if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ // (manual "agent" cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3]);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[3]);
+
+ audit(auditMessage);
+ }
+ }
+
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_ENCODING_ISSUED_CERT_ERROR"));
+ } catch (CertificateException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+
+ // store a message in the signed audit log file
+ if (toDo != null) {
+ if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ // (manual "agent" cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4]);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[4]);
+
+ audit(auditMessage);
+ }
+ }
+
+ throw new ECMSGWException(
+ CMS.getUserMessage("CMS_GW_ENCODING_ISSUED_CERT_ERROR"));
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+
+ // store a message in the signed audit log file
+ if (toDo != null) {
+ if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+ // ("agent" cert request for "cloning")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditServiceID,
+ auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ // (manual "agent" cert request processed - "accepted")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+ // (manual "agent" cert request processed - "cancelled")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5]);
+
+ audit(auditMessage);
+ } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+ // (manual "agent" cert request processed - "rejected")
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditInfoName,
+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[5]);
+
+ audit(auditMessage);
+ }
+ }
+
+ throw new EBaseException(CMS.getUserMessage(locale, "CMS_BASE_INTERNAL_ERROR", e.toString()));
+ }
+ return;
+ }
+
+ private void updateNSExtension(HttpServletRequest req,
+ NSCertTypeExtension ext) throws IOException {
+ try {
+
+ if (req.getParameter("certTypeSSLServer") == null) {
+ ext.set(NSCertTypeExtension.SSL_SERVER, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.SSL_SERVER, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeSSLClient") == null) {
+ ext.set(NSCertTypeExtension.SSL_CLIENT, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.SSL_CLIENT, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeEmail") == null) {
+ ext.set(NSCertTypeExtension.EMAIL, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.EMAIL, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeObjSigning") == null) {
+ ext.set(NSCertTypeExtension.OBJECT_SIGNING, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.OBJECT_SIGNING, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeEmailCA") == null) {
+ ext.set(NSCertTypeExtension.EMAIL_CA, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.EMAIL_CA, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeSSLCA") == null) {
+ ext.set(NSCertTypeExtension.SSL_CA, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.SSL_CA, Boolean.valueOf(true));
+ }
+
+ if (req.getParameter("certTypeObjSigningCA") == null) {
+ ext.set(NSCertTypeExtension.OBJECT_SIGNING_CA, Boolean.valueOf(false));
+ } else {
+ ext.set(NSCertTypeExtension.OBJECT_SIGNING_CA, Boolean.valueOf(true));
+ }
+ } catch (CertificateException e) {
+ }
+ }
+
+ /**
+ * This method sets extensions parameter into the request so
+ * that the NSCertTypeExtension policy creates new
+ * NSCertTypExtension with this setting. Note that this
+ * setting will not be used if the NSCertType Extension
+ * already exist in CertificateExtension. In that case,
+ * updateExtensions() will be called to set the extension
+ * parameter into the extension directly.
+ */
+ private int updateExtensionsInRequest(HttpServletRequest req, IRequest r) {
+ int nChanges = 0;
+
+ if (req.getParameter("certTypeSSLServer") != null) {
+ r.setExtData(NSCertTypeExtension.SSL_SERVER, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.SSL_SERVER);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeSSLClient") != null) {
+ r.setExtData(NSCertTypeExtension.SSL_CLIENT, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.SSL_CLIENT);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeEmail") != null) {
+ r.setExtData(NSCertTypeExtension.EMAIL, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.EMAIL);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeObjSigning") != null) {
+ r.setExtData(NSCertTypeExtension.OBJECT_SIGNING, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.OBJECT_SIGNING);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeEmailCA") != null) {
+ r.setExtData(NSCertTypeExtension.EMAIL_CA, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.EMAIL_CA);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeSSLCA") != null) {
+ r.setExtData(NSCertTypeExtension.SSL_CA, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.SSL_CA);
+ nChanges++;
+ }
+
+ if (req.getParameter("certTypeObjSigningCA") != null) {
+ r.setExtData(NSCertTypeExtension.OBJECT_SIGNING_CA, "true");
+ nChanges++;
+ } else {
+ r.deleteExtData(NSCertTypeExtension.OBJECT_SIGNING_CA);
+ nChanges++;
+ }
+
+ return nChanges;
+ }
+
+ protected static final String GRANT_ERROR = "grantError";
+
+ public static final String
+ GRANT_TRUSTEDMGR_PRIVILEGE = "grantTrustedManagerPrivilege";
+ public static final String
+ GRANT_CMAGENT_PRIVILEGE = "grantCMAgentPrivilege";
+ public static final String
+ GRANT_RMAGENT_PRIVILEGE = "grantRMAgentPrivilege";
+ public static final String
+ GRANT_DRMAGENT_PRIVILEGE = "grantDRMAgentPrivilege";
+ public static final String GRANT_UID = "grantUID";
+ public static final String GRANT_PRIVILEGE = "grantPrivilege";
+
+ protected int grant_privileges(
+ CMSRequest cmsReq, IRequest req, Certificate[] certs, IArgBlock header)
+ throws EBaseException {
+ // get privileges to grant
+ IArgBlock httpParams = cmsReq.getHttpParams();
+
+ boolean grantTrustedMgr =
+ httpParams.getValueAsBoolean(GRANT_TRUSTEDMGR_PRIVILEGE, false);
+ boolean grantRMAgent =
+ httpParams.getValueAsBoolean(GRANT_RMAGENT_PRIVILEGE, false);
+ boolean grantCMAgent =
+ httpParams.getValueAsBoolean(GRANT_CMAGENT_PRIVILEGE, false);
+ boolean grantDRMAgent =
+ httpParams.getValueAsBoolean(GRANT_DRMAGENT_PRIVILEGE, false);
+
+ if (!grantTrustedMgr &&
+ !grantCMAgent && !grantRMAgent && !grantDRMAgent) {
+ return 0;
+ } else {
+ IAuthToken authToken = getAuthToken(req);
+ AuthzToken authzToken = null;
+ String resourceName = "certServer." + mAuthority.getId() + ".group";
+
+ try {
+ authzToken = authorize(mAclMethod, authToken,
+ resourceName, "add");
+ } catch (Exception e) {
+ // do nothing for now
+ }
+
+ if (authzToken == null) {
+ String[] obj = new String[1];
+
+ if (grantTrustedMgr)
+ obj[0] = TRUSTED_RA_GROUP;
+ else if (grantRMAgent)
+ obj[0] = RA_AGENT_GROUP;
+ else if (grantCMAgent)
+ obj[0] = CA_AGENT_GROUP;
+ else if (grantDRMAgent)
+ obj[0] = KRA_AGENT_GROUP;
+ else
+ obj[0] = "unknown group";
+
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_UNAUTHORIZED_CREATE_GROUP", obj[0]));
+ }
+ }
+
+ String uid = (String) httpParams.getValueAsString(GRANT_UID, null);
+
+ if (uid == null || uid.length() == 0) {
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_MISSING_GRANT_UID"));
+ }
+ header.addStringValue(GRANT_UID, uid);
+
+ String groupname = null, groupname1 = null;
+ String userType = "";
+
+ if (grantTrustedMgr) {
+ groupname = TRUSTED_RA_GROUP;
+ userType = Constants.PR_SUBSYSTEM_TYPE;
+ } else {
+ if (grantCMAgent)
+ groupname = CA_AGENT_GROUP;
+ else if (grantRMAgent)
+ groupname = RA_AGENT_GROUP;
+
+ if (grantDRMAgent) {
+ if (groupname != null)
+ groupname1 = KRA_AGENT_GROUP;
+ else
+ groupname = KRA_AGENT_GROUP;
+ }
+ userType = Constants.PR_AGENT_TYPE;
+ }
+
+ String privilege =
+ (groupname1 == null) ? groupname : groupname + " and " + groupname1;
+
+ header.addStringValue(GRANT_PRIVILEGE, privilege);
+
+ IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ IUser user = ug.createUser(uid);
+
+ user.setFullName(uid);
+ user.setEmail("");
+ user.setPhone("");
+ user.setPassword("");
+ user.setUserType(userType);
+ user.setState("1");
+ IGroup group = ug.findGroup(groupname), group1 = null;
+
+ if (group == null) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_FIND_GROUP_1", groupname));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_FIND_GROUP_ERROR", groupname));
+ }
+ if (groupname1 != null) {
+ group1 = ug.findGroup(groupname1);
+ if (group1 == null) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_FIND_GROUP_1", groupname));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_FIND_GROUP_ERROR", groupname1));
+ }
+ }
+ try {
+ ug.addUser(user);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_ADDING_USER_1", uid));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_USER_ERROR", uid));
+ }
+ try {
+ if (certs[0] instanceof X509CertImpl) {
+ X509CertImpl tmp[] = (X509CertImpl[]) certs;
+
+ user.setX509Certificates(tmp);
+ }
+
+ ug.addUserCert(user);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_ERROR_ADDING_CERT_1", uid));
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_CERT_ERROR", uid));
+ }
+ try {
+ group.addMemberName(uid);
+ ug.modifyGroup(group);
+ // for audit log
+ SessionContext sContext = SessionContext.getContext();
+ String adminId = (String) sContext.get(SessionContext.USER_ID);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT,
+ new Object[] {adminId, uid, groupname}
+ );
+
+ if (group1 != null) {
+ group1.addMemberName(uid);
+ ug.modifyGroup(group1);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT,
+ new Object[] {adminId, uid, groupname1}
+ );
+
+ }
+ } catch (Exception e) {
+ String msg =
+ "Could not add user " + uid + " to group " + groupname;
+
+ if (group1 != null)
+ msg += " or group " + groupname1;
+ log(ILogger.LL_FAILURE, msg);
+ if (group1 == null)
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_MEMBER", uid, groupname));
+ else
+ throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_MEMBER_1", uid, groupname, groupname1));
+ }
+ return 1;
+ }
+
+ /**
+ * Signed Audit Log Info Name
+ *
+ * This method is called to obtain the "InfoName" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @param type signed audit log request processing type
+ * @return id string containing the signed audit log message InfoName
+ */
+ private String auditInfoName(String type) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters (this is done below)
+
+ String infoName = ILogger.UNIDENTIFIED;
+
+ if (mSignedAuditLogger == null) {
+ return infoName;
+ }
+
+ if (type != null) {
+ type = type.trim();
+
+ if (type.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+ infoName = ILogger.SIGNED_AUDIT_ACCEPTANCE;
+ } else if (type.equals(SIGNED_AUDIT_CANCELLATION)) {
+ infoName = ILogger.SIGNED_AUDIT_CANCELLATION;
+ } else if (type.equals(SIGNED_AUDIT_REJECTION)) {
+ infoName = ILogger.SIGNED_AUDIT_REJECTION;
+ }
+ }
+
+ return infoName;
+ }
+
+ /**
+ * Signed Audit Log Info Certificate Value
+ *
+ * This method is called to obtain the certificate from the passed in
+ * "X509CertImpl" for a signed audit log message.
+ * <P>
+ *
+ * @param x509cert an X509CertImpl
+ * @return cert string containing the certificate
+ */
+ private String auditInfoCertValue(X509CertImpl x509cert) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (x509cert == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = null;
+
+ try {
+ rawData = x509cert.getEncoded();
+ } catch (CertificateEncodingException e) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ String cert = null;
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = com.netscape.osutil.OSUtil.BtoA(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ StringBuffer sb = new StringBuffer();
+ for (int i = 0; i < base64Data.length(); i++) {
+ if (base64Data.substring(i, i).getBytes() != EOL) {
+ sb.append(base64Data.substring(i, i));
+ }
+ }
+ cert = sb.toString();
+ }
+
+ if (cert != null) {
+ cert = cert.trim();
+
+ if (cert.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return cert;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+}
+
+
+class RAReqCompletedFiller extends ImportCertsTemplateFiller {
+ private static final String RA_AGENT_GROUP = "Registration Manager Agents";
+ private static final String KRA_AGENT_GROUP = "Data Recovery Manager Agents";
+ public RAReqCompletedFiller() {
+ super();
+ }
+
+ public CMSTemplateParams getTemplateParams(
+ CMSRequest cmsReq, IAuthority authority, Locale locale, Exception e)
+ throws Exception {
+
+ Object[] results = (Object[]) cmsReq.getResult();
+ Object grantError = results[1];
+ //X509CertImpl[] issuedCerts = (X509CertImpl[])results[0];
+ Certificate[] issuedCerts = (Certificate[]) results[0];
+
+ cmsReq.setResult(issuedCerts);
+ CMSTemplateParams params =
+ super.getTemplateParams(cmsReq, authority, locale, e);
+
+ if (grantError != null) {
+ IArgBlock header = params.getHeader();
+
+ if (grantError instanceof String) {
+ header.addStringValue(
+ ProcessCertReq.GRANT_ERROR, (String) grantError);
+ } else {
+ EBaseException ex = (EBaseException) grantError;
+
+ header.addStringValue(
+ ProcessCertReq.GRANT_ERROR, ex.toString(locale));
+ }
+ IArgBlock httpParams = cmsReq.getHttpParams();
+ String uid = httpParams.getValueAsString(
+ ProcessCertReq.GRANT_UID, null);
+
+ header.addStringValue(ProcessCertReq.GRANT_UID, uid);
+ boolean grantRMAgent = httpParams.getValueAsBoolean(
+ ProcessCertReq.GRANT_RMAGENT_PRIVILEGE, false);
+ boolean grantDRMAgent = httpParams.getValueAsBoolean(
+ ProcessCertReq.GRANT_DRMAGENT_PRIVILEGE, false);
+ String privilege = null;
+
+ if (grantRMAgent) {
+ privilege = RA_AGENT_GROUP;
+ }
+ if (grantDRMAgent) {
+ if (privilege != null)
+ privilege += " and " + KRA_AGENT_GROUP;
+ else
+ privilege = KRA_AGENT_GROUP;
+ }
+ header.addStringValue(ProcessCertReq.GRANT_PRIVILEGE, privilege);
+ }
+ return params;
+ }
+}
+
generated by cgit (git 2.34.1) at 2024-04-26 18:06:17 +0000