Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet')
10 files changed, 565 insertions, 120 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java index 0d41c40d4..8c795cb55 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java @@ -1782,6 +1782,8 @@ public abstract class CMSServlet extends HttpServlet { } String userid = authToken.getInString(IAuthToken.USER_ID); + CMS.debug("CMSServlet: userid=" + userid); + if (userid != null) { ctx.put(SessionContext.USER_ID, userid); } @@ -1806,8 +1808,7 @@ public abstract class CMSServlet extends HttpServlet { auditSubjectID, ILogger.FAILURE, auditAuthMgrID, - auditUID); - + auditUID); audit(auditMessage); // rethrow the specific exception to be handled later @@ -1850,9 +1851,23 @@ public abstract class CMSServlet extends HttpServlet { throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); + String auditGroupID = auditGroupID(); + String auditID = auditSubjectID; String auditACLResource = resource; String auditOperation = operation; + + SessionContext auditContext = SessionContext.getExistingContext(); + String authManagerId = null; + + if(auditContext != null) { + authManagerId = (String) auditContext.get(SessionContext.AUTH_MANAGER_ID); + + if(authManagerId != null && authManagerId.equals("TokenAuth")) { + auditID = auditGroupID; + } + } + // "normalize" the "auditACLResource" value if (auditACLResource != null) { auditACLResource = auditACLResource.trim(); @@ -1895,7 +1910,7 @@ public abstract class CMSServlet extends HttpServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ROLE_ASSUME, - auditSubjectID, + auditID, ILogger.SUCCESS, auditGroups(auditSubjectID)); 
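Review bot: In the -1850 hunk `auditID` takes the place of the subject id in the ROLE_ASSUME messages when the auth manager is `TokenAuth`, but the groups argument of those same messages is still `auditGroups(auditSubjectID)` (in the -1895 hunk here and the -1914 and -1936 hunks on the next line), so one audit record now derives its subject and its groups from two different identities; if that is intended, a comment on the message should say so. The substitution itself is unexplained — a line such as `// TokenAuth requests carry no per-user id in the session context; audit the role by group id instead` above `if(authManagerId != null && authManagerId.equals("TokenAuth"))`, confirmed against what TokenAuth actually stores, would help the next reader. `"TokenAuth"` is also a bare literal; a named constant next to the class's other audit constants would keep it from drifting. The enclosing method starts and ends outside the hunk.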
@@ -1914,7 +1929,7 @@ public abstract class CMSServlet extends HttpServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ROLE_ASSUME, - auditSubjectID, + auditID, ILogger.FAILURE, auditGroups(auditSubjectID)); @@ -1936,7 +1951,7 @@ public abstract class CMSServlet extends HttpServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ROLE_ASSUME, - auditSubjectID, + auditID, ILogger.FAILURE, auditGroups(auditSubjectID)); @@ -2007,15 +2022,18 @@ public abstract class CMSServlet extends HttpServlet { return null; } + CMS.debug("CMSServlet: in auditSubjectID"); String subjectID = null; // Initialize subjectID SessionContext auditContext = SessionContext.getExistingContext(); + CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext); if (auditContext != null) { subjectID = (String) auditContext.get(SessionContext.USER_ID); + CMS.debug("CMSServlet auditSubjectID: subjectID: " + subjectID); if (subjectID != null) { subjectID = subjectID.trim(); } else { 
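Review bot: The three `CMS.debug` calls in the -2007 hunk (and the one in the -1782 hunk on the previous line) read like temporary tracing left in `auditSubjectID`: `"CMSServlet: in auditSubjectID"` carries no information and the method runs on every audited request. `CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext)` also stringifies the whole SessionContext, so whatever the context holds at that point ends up in the debug log. If any of these are kept, log only the field that matters, i.e. keep `CMS.debug("CMSServlet auditSubjectID: subjectID: " + subjectID);` and drop the other two. `auditSubjectID` continues past the end of the hunk.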
@@ -2029,6 +2047,46 @@ public abstract class CMSServlet extends HttpServlet { } /** + * Signed Audit Log Group ID + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to obtain the "gid" for + * a signed audit log message. + * <P> + * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditGroupID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + CMS.debug("CMSServlet: in auditGroupID"); + String groupID = null; + + // Initialize groupID + SessionContext auditContext = SessionContext.getExistingContext(); + + CMS.debug("CMSServlet: auditGroupID auditContext " + auditContext); + if (auditContext != null) { + groupID = (String) + auditContext.get(SessionContext.GROUP_ID); + + CMS.debug("CMSServlet auditGroupID: groupID: " + groupID); + if (groupID != null) { + groupID = groupID.trim(); + } else { + groupID = ILogger.NONROLEUSER; + } + } else { + groupID = ILogger.UNIDENTIFIED; + } + + return groupID; + } + + /** * Signed Audit Groups * * This method is called to extract all "groups" associated diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java index d94bb4c15..129bc0bf6 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java @@ -221,6 +221,9 @@ public class AdminAuthenticatePanel extends WizardPanelBase { c1.append(".keytype,"); c1.append("cloning."); c1.append(t1); + c1.append(".keyalgorithm,"); + c1.append("cloning."); + c1.append(t1); c1.append(".privkey.id,"); c1.append("cloning."); c1.append(t1); 
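Review bot: The Javadoc on the new `auditGroupID()` ends with `@return id string containing the signed audit log message SubjectID`, copied from `auditSubjectID()`; it should read `@return id string containing the signed audit log message GroupID`. It would also help callers to state the three outcomes the body produces — `null` when `mSignedAuditLogger` is null, `ILogger.NONROLEUSER` when a session context exists but has no `GROUP_ID`, and `ILogger.UNIDENTIFIED` when there is no session context — since the -1850 hunk uses the result directly as an audit subject. The two `CMS.debug` calls inside the method are the same kind of tracing as in `auditSubjectID` and add nothing beyond the final group id value.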
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java index 8cedeb247..0e1c20d2c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java @@ -312,6 +312,8 @@ public class CertRequestPanel extends WizardPanelBase { // get public key String pubKeyType = config.getString( PCERT_PREFIX + certTag + ".keytype"); + String algorithm = config.getString( + PCERT_PREFIX + certTag + ".keyalgorithm"); X509Key pubk = null; if (pubKeyType.equals("rsa")) { pubk = getRSAX509Key(config, certTag); @@ -350,7 +352,7 @@ public class CertRequestPanel extends WizardPanelBase { cert.setDN(caDN); PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, - privk); + privk, algorithm); CMS.debug("CertRequestPanel: created cert request"); byte[] certReqb = certReq.toByteArray(); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 258c36b62..592312084 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -128,6 +128,8 @@ public class CertUtil { try { String pubKeyType = config.getString( prefix + certTag + ".keytype"); + String algorithm = config.getString( + prefix + certTag + ".keyalgorithm"); if (pubKeyType.equals("rsa")) { String pubKeyModulus = config.getString( prefix + certTag + ".pubkey.modulus"); @@ -170,7 +172,7 @@ public class CertUtil { PKCS10 certReq = null; certReq = CryptoUtil.createCertificationRequest(dn, pubk, - privk); + privk, algorithm); byte[] certReqb = certReq.toByteArray(); String certReqs = CryptoUtil.base64Encode(certReqb); 
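Review bot: `config.getString(PCERT_PREFIX + certTag + ".keyalgorithm")` in the -312 hunk, and the matching read in CertUtil's -128 hunk, has no fallback, so on a configuration written before this key existed the lookup fails before the request is built (presumably `getString` without a default throws — confirm against IConfigStore; the `preop.cert.signing.keytype` read later in this diff does pass `"rsa"` as a default). The clone path in DonePanel (`cloning.<tag>.keyalgorithm`, later in this diff) writes `""` when the master has no value, so an empty algorithm string can also reach `CryptoUtil.createCertificationRequest`. Reading with a default derived from `pubKeyType` — `"SHA256withEC"` for `"ecc"`, `"SHA256withRSA"` otherwise, the same defaults SizePanel uses — and treating `""` like a missing value would cover both cases. Both enclosing methods start and end outside their hunks.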
@@ -250,7 +252,53 @@ public class CertUtil { CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString()); } } - + +/** + * reads from the admin cert profile caAdminCert.profile and takes the first + * entry in the list of allowed algorithms. Users that wish a different algorithm + * can specify it in the profile using default.params.signingAlg + */ + + public static String getAdminProfileAlgorithm(IConfigStore config) { + String algorithm = "SHA1withRSA"; + try { + String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa"); + String pfile = config.getString("profile.caAdminCert.config"); + FileInputStream fis = new FileInputStream(pfile); + DataInputStream in = new DataInputStream(fis); + BufferedReader br = new BufferedReader(new InputStreamReader(in)); + + String strLine; + while ((strLine = br.readLine()) != null) { + String marker2 = "default.params.signingAlg="; + int indx = strLine.indexOf(marker2); + if (indx != -1) { + String alg = strLine.substring(indx + marker2.length()); + if ((alg.length() > 0) && (!alg.equals("-"))) { + algorithm = alg; + break; + }; + }; + + String marker = "signingAlgsAllowed="; + indx = strLine.indexOf(marker); + if (indx != -1) { + String[] algs = strLine.substring(indx + marker.length()).split(","); + for (int i=0; i<algs.length; i++) { + if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) || + (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC" ) != -1)) ) { + algorithm = algs[i]; + break; + } + } + } + } + in.close(); + } catch (Exception e) { + CMS.debug("getAdminProfleAlgorithm: exception: " + e); + } + return algorithm; + } public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key, String prefix, String certTag, String type, Context context) throws IOException { 
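Review bot: `getAdminProfileAlgorithm` closes the profile reader only on the success path — `in.close()` sits at the end of the `try`, so an exception from `readLine()` or from either config read leaks the `FileInputStream`, and the `DataInputStream` wrapper serves no purpose. Moving the close into a `finally` fixes that; the rewrite below leaves the line scan itself unchanged. The debug message also misspells the method (`getAdminProfleAlgorithm`), the `};` after two of the loop's closing braces are empty statements, and the hard-coded `"SHA1withRSA"` fallback is weaker than the `SHA256with*` defaults this commit introduces in SizePanel, so consider aligning it.
```java
    public static String getAdminProfileAlgorithm(IConfigStore config) {
        String algorithm = "SHA1withRSA";
        BufferedReader br = null;
        try {
            String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa");
            String pfile = config.getString("profile.caAdminCert.config");
            br = new BufferedReader(new InputStreamReader(new FileInputStream(pfile)));

            String strLine;
            while ((strLine = br.readLine()) != null) {
                // … unchanged: default.params.signingAlg / signingAlgsAllowed scan …
            }
        } catch (Exception e) {
            CMS.debug("getAdminProfileAlgorithm: exception: " + e);
        } finally {
            if (br != null) {
                try {
                    br.close();
                } catch (IOException ignored) {
                    // nothing further to release
                }
            }
        }
        return algorithm;
    }
```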
@@ -272,10 +320,16 @@ public class CertUtil { try { String dn = config.getString(prefix + certTag + ".dn"); + String keyAlgorithm = null; Date date = new Date(); X509CertInfo info = null; + if (certTag.equals("admin")) { + keyAlgorithm = getAdminProfileAlgorithm(config); + } else { + keyAlgorithm = config.getString(prefix + certTag + ".keyalgorithm"); + } ca = (ICertificateAuthority) CMS.getSubsystem( ICertificateAuthority.ID); cr = (ICertificateRepository) ca.getCertificateRepository(); @@ -284,14 +338,14 @@ public class CertUtil { CMS.debug("Creating local certificate... issuerdn=" + dn); CMS.debug("Creating local certificate... dn=" + dn); info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), dn, dn, date, - date); + date, keyAlgorithm); } else { String issuerdn = config.getString("preop.cert.signing.dn", ""); CMS.debug("Creating local certificate... issuerdn=" + issuerdn); CMS.debug("Creating local certificate... dn=" + dn); info = CryptoUtil.createX509CertInfo(x509key, - serialNo.intValue(), issuerdn, dn, date, date); + serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm); } CMS.debug("Cert Template: " + info.toString()); @@ -352,13 +406,13 @@ public class CertUtil { String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa"); CMS.debug("CA Signing Key type " + caSigningKeyType); + if (caSigningKeyType.equals("ecc")) { CMS.debug("Signing ECC certificate"); - cert = CryptoUtil.signECCCert(caPrik, info); + cert = CryptoUtil.signECCCert(caPrik, info, keyAlgorithm); } else { CMS.debug("Signing RSA certificate"); - cert = CryptoUtil.signCert(caPrik, info, - SignatureAlgorithm.RSASignatureWithSHA1Digest); + cert = CryptoUtil.signCert(caPrik, info, keyAlgorithm); } if (cert != null) { diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java index ae9acf9fe..843616822 100644 
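Review bot: In the -352 hunk `keyAlgorithm` is handed to `signECCCert`/`signCert` without checking that it agrees with `caSigningKeyType`, which the code has just read and logged; because SizePanel stores whatever `_keyalgorithm` value the request carried, an RSA algorithm paired with an `ecc` signing key (or the `""` a clone can inherit) only surfaces as a failure inside `CryptoUtil`. For the algorithm names this commit uses, a check such as `if (caSigningKeyType.equals("ecc") != keyAlgorithm.endsWith("EC")) { CMS.debug("CertUtil: keyalgorithm " + keyAlgorithm + " does not match signing key type " + caSigningKeyType); }` followed by the method's usual error path would make the misconfiguration explicit, and the -272 hunk should reject an empty `keyAlgorithm` before it is used in `createX509CertInfo`. `createLocalCert` starts and ends outside these hunks.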
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java @@ -435,48 +435,7 @@ public class DonePanel extends WizardPanelBase { context.put("errorString", "Failed to update connector information."); return; } - - // retrieve CA subsystem certificate from the CA - IUGSubsystem system = - (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - String id = ""; - try { - String b64 = getCASubsystemCert(); - if (b64 != null) { - int num = cs.getInteger("preop.subsystem.count", 0); - id = getCAUserId(); - num++; - cs.putInteger("preop.subsystem.count", num); - cs.putInteger("subsystem.count", num); - IUser user = system.createUser(id); - user.setFullName(id); - user.setEmail(""); - user.setPassword(""); - user.setUserType("agentType"); - user.setState("1"); - user.setPhone(""); - X509CertImpl[] certs = new X509CertImpl[1]; - certs[0] = new X509CertImpl(CMS.AtoB(b64)); - user.setX509Certificates(certs); - system.addUser(user); - CMS.debug("DonePanel display: successfully add the user"); - system.addUserCert(user); - CMS.debug("DonePanel display: successfully add the user certificate"); - cs.commit(false); - } - } catch (Exception e) { - } - - try { - String groupName = "Trusted Managers"; - IGroup group = system.getGroupFromName(groupName); - if (!group.isMember(id)) { - group.addMemberName(id); - system.modifyGroup(group); - CMS.debug("DonePanel display: successfully added the user to the group."); - } - } catch (Exception e) { - } + setupClientAuthUser(); } // if KRA // import the CA certificate into the OCSP @@ -494,6 +453,8 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { CMS.debug("DonePanel display: Failed to update OCSP information in CA."); } + + setupClientAuthUser(); } if (!select.equals("clone")) { 
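Review bot: In the -494 hunk `setupClientAuthUser()` runs after the `catch` that logs `"DonePanel display: Failed to update OCSP information in CA."`, so the trusted-manager user and its certificate are created locally even when the preceding CA-side update failed. If the two steps are meant to succeed or fail together, the call belongs inside the `try` after the update, or behind a flag set only on success; if not, a one-line comment saying the user is created regardless would save the next reader the question. The enclosing method starts outside both hunks.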
@@ -565,6 +526,7 @@ public class DonePanel extends WizardPanelBase { cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", "")); cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", "")); cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", "")); + cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", "")); cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", "")); cs.putString("cloning." + ss + ".pubkey.exponent", cs.getString("preop.cert." + ss + ".pubkey.exponent", "")); cs.putString("cloning." + ss + ".pubkey.modulus", cs.getString("preop.cert." + ss + ".pubkey.modulus", "")); 
@@ -613,6 +575,54 @@ public class DonePanel extends WizardPanelBase { context.put("csstate", "1"); } + private void setupClientAuthUser() + { + IConfigStore cs = CMS.getConfigStore(); + + // retrieve CA subsystem certificate from the CA + IUGSubsystem system = + (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + String id = ""; + try { + String b64 = getCASubsystemCert(); + if (b64 != null) { + int num = cs.getInteger("preop.subsystem.count", 0); + id = getCAUserId(); + num++; + cs.putInteger("preop.subsystem.count", num); + cs.putInteger("subsystem.count", num); + IUser user = system.createUser(id); + user.setFullName(id); + user.setEmail(""); + user.setPassword(""); + user.setUserType("agentType"); + user.setState("1"); + user.setPhone(""); + X509CertImpl[] certs = new X509CertImpl[1]; + certs[0] = new X509CertImpl(CMS.AtoB(b64)); + user.setX509Certificates(certs); + system.addUser(user); + CMS.debug("DonePanel display: successfully add the user"); + system.addUserCert(user); + CMS.debug("DonePanel display: successfully add the user certificate"); + cs.commit(false); + } + } catch (Exception e) { + } + + try { + String groupName = "Trusted Managers"; + IGroup group = system.getGroupFromName(groupName); + if (!group.isMember(id)) { + group.addMemberName(id); + system.modifyGroup(group); + CMS.debug("DonePanel display: successfully added the user to the group."); + } + } catch (Exception e) { + } + } + + private void updateOCSPConfig(HttpServletResponse response) throws IOException { IConfigStore config = CMS.getConfigStore(); 
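Review bot: In `setupClientAuthUser`, when `getCASubsystemCert()` returns null `id` stays `""`, yet the second `try` still calls `group.isMember(id)` and `group.addMemberName(id)`, so an empty member name can be added to the `"Trusted Managers"` group; a guard between the two blocks, `if (id.equals("")) { CMS.debug("DonePanel setupClientAuthUser: no CA subsystem cert, skipping group update"); return; }`, closes that path. Both `catch (Exception e)` blocks are also silent, so a failed `addUser`, `addUserCert` or `modifyGroup` leaves no trace at all; at minimum each should log `CMS.debug("DonePanel setupClientAuthUser: " + e.toString());`. This is logic the commit relocates rather than writes, but the new method is the natural place to fix it now that two call sites depend on it.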
@@ -629,8 +639,9 @@ public class DonePanel extends WizardPanelBase { } catch (Exception e) { } - String ocsphost = CMS.getEESSLHost(); - int ocspport = Integer.parseInt(CMS.getEESSLPort()); + String ocsphost = CMS.getAgentHost(); + int ocspport = Integer.parseInt(CMS.getAgentPort()); + int ocspagentport = Integer.parseInt(CMS.getAgentPort()); String session_id = CMS.getConfigSDSessionId(); String content = "xmlOutput=true&sessionID="+session_id+"&ocsp_host="+ocsphost+"&ocsp_port="+ocspport; diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 167d9b818..475ac46d2 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java @@ -391,6 +391,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase { c1.append(".keytype,"); c1.append("cloning."); c1.append(t1); + c1.append(".keyalgorithm,"); + c1.append("cloning."); + c1.append(t1); c1.append(".privkey.id,"); c1.append("cloning."); c1.append(t1); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java index 032724ebb..39cc2c211 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java 
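Review bot: `int ocspagentport = Integer.parseInt(CMS.getAgentPort());` in the -629 hunk is not used within the hunk and duplicates `ocspport`, which the line above already takes from `CMS.getAgentPort()`; unless the rest of `updateOCSPConfig` (outside the hunk) reads it, drop the line. Both `parseInt` calls are unguarded, so a missing or non-numeric agent port escapes the panel as a `NumberFormatException`; a check with a clear message would be reasonable. The move from the EE port to the agent port pairs with the `/ocsp/agent/ocsp/addCRL` path change in UpdateOCSPConfig later in this diff and deserves a comment, e.g. `// CRL publishing goes through the OCSP agent interface, which requires client auth`.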
@@ -130,6 +130,29 @@ public class SizePanel extends WizardPanelBase { } context.put("select", select); + + String ecclist = ""; + try { + ecclist = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC"); + } catch (Exception e) { + } + context.put("ecclist", ecclist); + + String rsalist = ""; + try { + rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA"); + } catch (Exception e) { + } + + context.put("rsalist", rsalist); + + String subsystemType = ""; + try { + subsystemType = config.getString("pkicreate.subsystem_type"); + } catch (Exception e) { + } + context.put("subsystemtype", subsystemType); + try { // same token for now String token = config.getString(PRE_CONF_CA_TOKEN); @@ -229,6 +252,15 @@ public class SizePanel extends WizardPanelBase { continue; String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc + String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm"); + + if (keyalgorithm == null) { + if (keytype != null && keytype.equals("ecc")) { + keyalgorithm = "SHA256withEC"; + } else { + keyalgorithm = "SHA256withRSA"; + } + } String select = HttpInput.getID(request, ct + "_choice"); @@ -243,6 +275,8 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX+ct+".keysize.size", ""); String oldkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String oldkeyalgorithm = + config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); if (select.equals("default")) { // XXXrenaming these...keep for now just in case @@ -258,6 +292,7 @@ public class SizePanel extends WizardPanelBase { } config.putString(PCERT_PREFIX + ct + ".keytype", keytype); + config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "default"); if (keytype != null && keytype.equals("ecc")) { 
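Review bot: In the -229 hunk `keyalgorithm` is taken straight from the `ct + "_keyalgorithm"` request parameter and, in the -258 hunk, stored as `preop.cert.<tag>.keyalgorithm`, from where later hunks copy it into `ca.signing.defaultSigningAlgorithm` and `ca.crl.MasterCRL.signingAlgorithm` and hand it to `CryptoUtil`; nothing checks it against the `preop.ecc.algorithm.list`/`preop.rsa.algorithm.list` values the -130 hunk already exposes to the page, nor that it fits `keytype`. Restricting the value to the list for the selected key type, as sketched below, keeps an edited form field from becoming the CA's signing algorithm. Separately, the default `preop.rsa.algorithm.list` offers `MD5withRSA` and `MD2withRSA`; both digests are broken for signature use and should not be offered by default. The enclosing method starts and ends outside these hunks and its way of reporting invalid input is not visible here, so the rejection step below is left as a comment.
```java
            String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc
            String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm");
            boolean isEcc = keytype != null && keytype.equals("ecc");

            if (keyalgorithm == null) {
                keyalgorithm = isEcc ? "SHA256withEC" : "SHA256withRSA";
            }

            // accept only an algorithm from the list offered for this key type
            String allowed = "";
            try {
                allowed = config.getString(
                        isEcc ? "preop.ecc.algorithm.list" : "preop.rsa.algorithm.list",
                        isEcc ? "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC"
                              : "SHA256withRSA,SHA1withRSA,SHA512withRSA");
            } catch (Exception e) {
                CMS.debug("SizePanel: cannot read algorithm list: " + e.toString());
            }
            if (("," + allowed + ",").indexOf("," + keyalgorithm + ",") < 0) {
                CMS.debug("SizePanel: rejected keyalgorithm " + keyalgorithm + " for " + ct);
                // report as invalid input the way the panel reports other bad values
            }
```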
@@ -282,6 +317,7 @@ public class SizePanel extends WizardPanelBase { HttpInput.getKeySize(request, ct + "_custom_size", keytype)); config.putString(PCERT_PREFIX + ct + ".keytype", keytype); + config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm); config.putString(PCERT_PREFIX + ct + ".keysize.select", "custom"); config.putString(PCERT_PREFIX + ct + ".keysize.custom_size", @@ -297,8 +333,11 @@ public class SizePanel extends WizardPanelBase { config.getString(PCERT_PREFIX+ct+".keysize.size", ""); String newkeytype = config.getString(PCERT_PREFIX + ct + ".keytype", ""); + String newkeyalgorithm = + config.getString(PCERT_PREFIX + ct + ".keyalgorithm", ""); if (!oldkeysize.equals(newkeysize) || - !oldkeytype.equals(newkeytype)) + !oldkeytype.equals(newkeytype) || + !oldkeyalgorithm.equals(newkeyalgorithm)) hasChanged = true; }// while @@ -342,9 +381,10 @@ public class SizePanel extends WizardPanelBase { try { String keytype = config.getString(PCERT_PREFIX + ct + ".keytype"); + String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); int keysize = config.getInteger( PCERT_PREFIX + ct + ".keysize.size"); - + if (keytype.equals("rsa")) { createRSAKeyPair(token, keysize, config, ct); @@ -442,6 +482,12 @@ public class SizePanel extends WizardPanelBase { config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); + String keyAlgo = ""; + try { + keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + } catch (Exception e1) { + } + // set default signing algorithm for CA String systemType = ""; try { 
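Review bot: `String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");` in the -342 hunk is not used within the hunk — the `createRSAKeyPair(token, keysize, config, ct)` call that follows takes none of it — so unless the rest of the method (outside the hunk) reads it, the line is dead, and being a read without a default it can also fail on a configuration that predates the key. Either drop it or pass it on to the key-pair creation if that is what it was meant for. The -442 hunk's `keyAlgo` read, by contrast, has a default and a `catch (Exception e1)` that is empty; logging the exception there would at least leave a trace when the key is absent.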
@@ -452,20 +498,20 @@ public class SizePanel extends WizardPanelBase { if (systemType.equals("OCSP")) { if (ct.equals("signing")) { config.putString("ocsp.signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); } } if (systemType.equals("CA")) { if (ct.equals("signing")) { config.putString("ca.signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); config.putString("ca.crl.MasterCRL.signingAlgorithm", - "SHA1withEC"); + keyAlgo); } if (ct.equals("ocsp_signing")) { config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - "SHA1withEC"); + keyAlgo); } } @@ -498,15 +544,21 @@ public class SizePanel extends WizardPanelBase { config.putString(PCERT_PREFIX + ct + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); + String keyAlgo = ""; + try { + keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm"); + } catch (Exception e1) { + } + if (ct.equals("signing")) { config.putString("ca.signing.defaultSigningAlgorithm", - "SHA1withRSA"); + keyAlgo); config.putString("ca.crl.MasterCRL.signingAlgorithm", - "SHA1withRSA"); + keyAlgo); } if (ct.equals("ocsp_signing")) { config.putString("ca.ocsp_signing.defaultSigningAlgorithm", - "SHA1withRSA"); + keyAlgo); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java index f105ea95b..b2b8b5d28 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java 
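Review bot: In the -452 and -498 hunks `keyAlgo` replaces the former `"SHA1withEC"`/`"SHA1withRSA"` literals, but it is initialised to `""` and the `.keyalgorithm` read that fills it (in the -498 hunk here and the -442 hunk on the previous line) sits in a `try` whose `catch (Exception e1)` is empty, so a missing key writes an empty string into `ca.signing.defaultSigningAlgorithm`, `ca.crl.MasterCRL.signingAlgorithm` and `ca.ocsp_signing.defaultSigningAlgorithm` with no log line. Initialise the fallback per branch — `String keyAlgo = "SHA256withEC";` in the ECC path and `String keyAlgo = "SHA256withRSA";` in the RSA path, matching the defaults SizePanel's update step uses — and log the exception rather than swallowing it. The enclosing methods start outside these hunks.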
@@ -99,18 +99,34 @@ public class UpdateOCSPConfig extends CMSServlet { return; } + IConfigStore cs = CMS.getConfigStore(); + String nickname = ""; + + // get nickname + try { + nickname = cs.getString("ca.subsystem.nickname", ""); + String tokenname = cs.getString("ca.subsystem.tokenname", ""); + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) + nickname = tokenname+":"+nickname; + } catch (Exception e) { + } + + CMS.debug("UpdateOCSPConfig process: nickname="+nickname); + String ocsphost = httpReq.getParameter("ocsp_host"); String ocspport = httpReq.getParameter("ocsp_port"); try { - IConfigStore cs = CMS.getConfigStore(); cs.putString("ca.publish.enable", "true"); cs.putString("ca.publish.publisher.instance.OCSPPublisher.host", ocsphost); cs.putString("ca.publish.publisher.instance.OCSPPublisher.port", ocspport); + cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName", + nickname); cs.putString("ca.publish.publisher.instance.OCSPPublisher.path", - "/ocsp/ee/ocsp/addCRL"); + "/ocsp/agent/ocsp/addCRL"); cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher"); + cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true"); cs.putString("ca.publish.rule.instance.ocsprule.enable", "true"); cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap"); cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule"); diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index 6e99f0baa..533667ef3 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java 
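Review bot: In the -99 hunk `nickname` stays `""` when the `ca.subsystem.nickname`/`ca.subsystem.tokenname` reads throw, because the `catch (Exception e)` is empty, and the code then sets `enableClientAuth` to `"true"` on the OCSPPublisher with an empty `nickName`, i.e. a publisher configured for client auth with no certificate to present and nothing logged. Log the exception and treat an empty nickname as a configuration error before the `cs.putString` block, e.g. `if (nickname.equals("")) { CMS.debug("UpdateOCSPConfig: no CA subsystem cert nickname; OCSP publisher not configured"); return; }` (or whichever error response this servlet uses). A short comment on the token-name check, such as `// certs on the internal token are referenced by bare nickname; others need the token prefix`, would explain the two literal spellings. The enclosing method starts and ends outside the hunk.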
@@ -30,6 +30,7 @@ import com.netscape.certsrv.template.*; import com.netscape.certsrv.profile.*; import com.netscape.certsrv.request.*; import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.authorization.*; import com.netscape.certsrv.logging.*; import com.netscape.cms.servlet.common.*; import com.netscape.cms.servlet.common.AuthCredentials; @@ -395,6 +396,33 @@ profile, IRequest req) { e.toString()); return; } + + //authorization only makes sense when request is authenticated + AuthzToken authzToken = null; + if (authToken != null) { + CMS.debug("ProfileSubmitCMCServlet authToken not null"); + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "submit"); + } catch (Exception e) { + CMS.debug("ProfileSubmitCMCServlet authorization failure: "+e.toString()); + } + } + + if (authzToken == null) { + CMS.debug("ProfileSubmitCMCServlet authorization failure: authzToken is null"); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); + UTF8String s = null; + try { + s = new UTF8String("ProfileSubmitCMCServlet authorization failure"); + } catch (Exception ee) { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.BAD_REQUEST, s); + return; + } } IRequest reqs[] = null; diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java index d4f3d1dee..25059cac5 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java 
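Review bot: In the -395 hunk the authorization block is guarded by `if (authToken != null)` under the comment `authorization only makes sense when request is authenticated`, but the following `if (authzToken == null)` rejects unconditionally, so a request with no `authToken` is now refused with `BAD_REQUEST` too; either that is intended and the comment should say that unauthenticated submissions are rejected, or the rejection belongs inside the `authToken != null` branch. The `catch (Exception e)` around `authorize(...)` logs only `e.toString()` at debug level; if `authorize` already writes the AUTHZ audit records on failure that is fine, otherwise a denied submission leaves no audit trail — worth confirming. The enclosing block opens outside the hunk, so whether this code is reached for unauthenticated requests at all cannot be seen here.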
@@ -75,13 +75,41 @@ public class TokenServlet extends CMSServlet { private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5"; + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3"; - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5"; + private final static String + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8"; + + private final static String + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9"; + + private final static String + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5"; + + private final static String + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6"; + + private final static String + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7"; + private final static String + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4"; + + private final static String + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7"; + + private final static String + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8"; + /** * Constructs tks servlet. */ 
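Review bot: The renamed constants change their numeric suffixes (`_5` becomes `_3`, and the new `_6`/`_7`/`_8`/`_9` variants appear); those suffixes look like the argument counts of the message templates, and the `getLogMessage` calls later in this diff do pass matching counts, but the templates themselves live in the audit resource bundle, which is not part of this diff. Confirm the bundle was updated in the same change, since a stale template would surface only as a malformed signed audit record at runtime. A one-line comment above the group, e.g. `// suffix is the number of template arguments; keep in sync with the audit message bundle`, would make the convention explicit.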
@@ -209,7 +237,10 @@ public class TokenServlet extends CMSServlet { byte[] xcard_challenge, xhost_challenge; byte[] enc_session_key, xkeyInfo; String auditMessage = null; - + String errorMsg = ""; + String badParams = ""; + + String rCUID = req.getParameter("CUID"); String keySet = req.getParameter("keySet"); if (keySet == null || keySet.equals("")) { keySet = "defKeySet"; @@ -231,6 +262,22 @@ public class TokenServlet extends CMSServlet { enc_session_key = null; // kek_session_key = null; + SessionContext sContext = SessionContext.getContext(); + + String agentId=""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, + rCUID, + ILogger.SUCCESS, + agentId); + + audit(auditMessage); + String kek_wrapped_desKeyString = null; String keycheck_s = null; 
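Review bot: In the -231 hunk the `LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST` record is written before `rCUID` has been checked, so `rCUID` may be null or an arbitrary client-supplied string when it lands in the signed audit log; the same applies to the `LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST` record in processDiversifyKey later in this diff, where `oldMasterKeyName`/`newMasterKeyName` are likewise raw parameters. Unless `CMS.getLogMessage` or the audit logger escapes its arguments, a value containing line breaks can split or forge a record, so log a sanitized form — `"null"` when absent, otherwise the value with control characters removed — or log the `SpecialDecode`d, length-checked CUID. A comment at the `audit(auditMessage)` call stating that the REQUEST event is deliberately recorded before validation would also clarify the intent. The enclosing method starts outside the hunk.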
@@ -255,32 +302,27 @@ public class TokenServlet extends CMSServlet { String rcard_challenge = req.getParameter("card_challenge"); String rhost_challenge = req.getParameter("host_challenge"); String rKeyInfo = req.getParameter("KeyInfo"); - String rCUID = req.getParameter("CUID"); String rcard_cryptogram = req.getParameter("card_cryptogram"); if ((rCUID == null) || (rCUID.equals(""))) { CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID"); + badParams += " CUID,"; missingParam = true; } - SessionContext sContext = SessionContext.getContext(); - - String agentId=""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { + badParams += " card_challenge,"; CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); missingParam = true; } if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { + badParams += " host_challenge,"; CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge"); missingParam = true; } if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { + badParams += " KeyInfo,"; CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info"); missingParam = true; } 
@@ -291,38 +333,34 @@ public class TokenServlet extends CMSServlet { boolean sameCardCrypto = true; if (!missingParam) { - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, - rCUID, - ILogger.SUCCESS, - agentId, - isCryptoValidate? "true":"false", - serversideKeygen? "true":"false"); - - audit(auditMessage); - xCUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; CMS.debug("TokenServlet: Invalid CUID length"); missingParam = true; } xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (xkeyInfo == null || xkeyInfo.length != 2) { - CMS.debug("TokenServlet: Invalid key info length"); + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length."); missingParam = true; } xcard_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); if (xcard_challenge == null || xcard_challenge.length != 8) { - CMS.debug("TokenServlet: Invalid card challenge length"); + badParams += " card_challenge length,"; + CMS.debug("TokenServlet: Invalid card challenge length."); missingParam = true; } xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); if (xhost_challenge == null || xhost_challenge.length != 8) { + badParams += " host_challenge length,"; CMS.debug("TokenServlet: Invalid host challenge length"); missingParam = true; } + } CUID = null; 
@@ -565,42 +603,73 @@ public class TokenServlet extends CMSServlet { if (session_key != null && session_key.length > 0) { outputString = com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); - } else + } else { + status = "1"; + } if (enc_session_key != null && enc_session_key.length > 0) { encSessionKeyString = com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); - } else + } else { status = "1"; + } + if (serversideKeygen == true) { if ( drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) drm_trans_wrapped_desKeyString = com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); - else + else { status = "1"; + } } + if (host_cryptogram != null && host_cryptogram.length > 0) { cryptogram = com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); - } else + } else { status = "2"; + } - if (selectedToken == null || keyNickName == null) + if (selectedToken == null || keyNickName == null) { status = "4"; + } - if (!sameCardCrypto) + if (!sameCardCrypto) { status = "3"; + } - if (missingParam) + if (missingParam) { status = "3"; - - if (!status.equals("0")) + } + + if (!status.equals("0")) { + + + if(status.equals("1")) { + errorMsg = "Problem generating session key info."; + } + + if(status.equals("2")) { + errorMsg = "Problem creating host_cryptogram."; + } + + if(status.equals("4")) { + errorMsg = "Problem obtaining token information."; + } + + if(status.equals("3")) { + if(badParams.endsWith(",")) { + badParams = badParams.substring(0,badParams.length() -1); + } + errorMsg = "Missing input parameters :" + badParams; + } + value = "status="+status; + } else { - if (serversideKeygen == true) { StringBuffer sb = new StringBuffer(); sb.append("status=0&"); 
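Review bot: In the -565 hunk both `!sameCardCrypto` and `missingParam` set `status = "3"`, and the new mapping then reports every status-3 failure as `"Missing input parameters :" + badParams`, so a card cryptogram mismatch — a validation failure, not a missing parameter — is audited with a misleading reason and possibly an empty parameter list. Derive the message from the flags rather than from the status: `if (!sameCardCrypto) { status = "3"; errorMsg = "Card cryptogram validation failed."; }` and build the missing-parameters text only when `missingParam` is set. The same text is spelled `"Missing input parameters: "` in processDiversifyKey later in this diff; pick one form so the audit records are consistent. The enclosing method starts outside the hunk.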
@@ -642,14 +711,35 @@ public class TokenServlet extends CMSServlet { } catch (IOException e) { CMS.debug("TokenServlet: " + e.toString()); } - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED, + + if(status.equals("0")) { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, rCUID, + ILogger.SUCCESS, status, agentId, isCryptoValidate? "true":"false", - serversideKeygen? "true":"false"); + serversideKeygen? "true":"false", + selectedToken, + keyNickName); + + } else { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, + rCUID, + ILogger.FAILURE, + status, + agentId, + isCryptoValidate? "true":"false", + serversideKeygen? "true":"false", + selectedToken, + keyNickName, + errorMsg); + } + audit(auditMessage); } @@ -658,12 +748,15 @@ public class TokenServlet extends CMSServlet { byte[] KeySetData,KeysValues,CUID,xCUID; byte[] xkeyInfo,xnewkeyInfo; boolean missingParam = false; + String errorMsg = ""; + String badParams = ""; IConfigStore sconfig = CMS.getConfigStore(); String rnewKeyInfo = req.getParameter("newKeyInfo"); String newMasterKeyName = req.getParameter("newKeyInfo"); String oldMasterKeyName = req.getParameter("KeyInfo"); String rCUID =req.getParameter("CUID"); + String auditMessage=""; String keySet = req.getParameter("keySet"); if (keySet == null || keySet.equals("")) { 
@@ -671,15 +764,37 @@ public class TokenServlet extends CMSServlet { } CMS.debug("keySet selected: " + keySet); + SessionContext sContext = SessionContext.getContext(); + + String agentId=""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST, + rCUID, + ILogger.SUCCESS, + agentId, + oldMasterKeyName, + newMasterKeyName); + + audit(auditMessage); + + if ((rCUID == null) || (rCUID.equals(""))) { + badParams += " CUID,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); missingParam = true; } if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) { + badParams += " newKeyInfo,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); missingParam = true; } if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))){ + badParams += " KeyInfo,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo"); missingParam = true; } @@ -687,11 +802,13 @@ public class TokenServlet extends CMSServlet { if (!missingParam) { xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); if (xkeyInfo == null || xkeyInfo.length != 2) { + badParams += " KeyInfo length,"; CMS.debug("TokenServlet: Invalid key info length"); missingParam = true; } xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); if (xnewkeyInfo == null || xnewkeyInfo.length != 2) { + badParams += " NewKeyInfo length,"; CMS.debug("TokenServlet: Invalid new key info length"); missingParam = true; } @@ -705,6 +822,7 @@ public class TokenServlet extends CMSServlet { if (!missingParam) { xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; CMS.debug("TokenServlet: Invalid CUID length"); missingParam = true; } 
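Review bot: The DIVERSIFY_KEY_REQUEST record is written before any of the `rCUID`/`rnewKeyInfo`/`oldMasterKeyName` checks that follow it, so raw, possibly null request parameters go straight into the signed audit log, and an unvalidated client-supplied string lands verbatim in the record (whether `CMS.getLogMessage` escapes newlines or field separators cannot be seen from this hunk). If the receipt event must precede validation, the values should at least be null-normalized and length-limited before the call; otherwise emit it after the `missingParam` checks so the record describes a well-formed request. A one-line comment above the call, `// receipt event: parameters are logged as received, before validation`, would make the intent clear to whoever reads the audit trail. The enclosing processDiversifyKey method starts outside the hunk.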
@@ -776,14 +894,24 @@ public class TokenServlet extends CMSServlet { //String value="keySetData=%00" if the KeySetData=byte[0]=0; String value = ""; + String status = "0"; + if (KeySetData != null && KeySetData.length > 1) { value = "status=0&"+"keySetData=" + com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); CMS.debug("TokenServlet:process DiversifyKey.encode " +value); } else if (missingParam) { - value = "status=3"; - } else - value = "status=1"; + status = "3"; + if(badParams.endsWith(",")) { + badParams = badParams.substring(0,badParams.length() -1); + } + errorMsg = "Missing input parameters: " + badParams; + value = "status=" + status; + } else { + errorMsg = "Problem diversifying key data."; + status = "1"; + value = "status=" + status; + } resp.setContentLength(value.length()); CMS.debug("TokenServlet:outputString.length " +value.length()); @@ -796,6 +924,32 @@ public class TokenServlet extends CMSServlet { } catch (Exception e) { CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); } + + if(status.equals("0")) { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, + rCUID, + ILogger.SUCCESS, + status, + agentId, + oldMasterKeyName, + newMasterKeyName); + + } else { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, + rCUID, + ILogger.FAILURE, + status, + agentId, + oldMasterKeyName, + newMasterKeyName, + errorMsg); + } + + audit(auditMessage); } private void processEncryptData(HttpServletRequest req, @@ -805,6 +959,8 @@ public class TokenServlet extends CMSServlet { byte[] data = null; boolean isRandom = true; // randomly generate the data to be encrypted + String errorMsg = ""; + String badParams = ""; IConfigStore sconfig = CMS.getConfigStore(); encryptedData = null; String rdata = req.getParameter("data"); 
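Review bot: The trailing-comma trim plus `"Missing input parameters: " + badParams` assembly in the `else if (missingParam)` branch is repeated almost verbatim in the session-key path (where it is spelled `"Missing input parameters :"`) and again in processEncryptData in a later hunk, and the three spellings already differ. A private helper, `private static String missingParamsMessage(String badParams)`, that strips the trailing comma and returns the message would keep the audit text consistent across the three services; a `java.util.List<String>` joined at that point would remove the trimming entirely. The enclosing method starts outside the hunk.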
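Review bot: The DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS record is emitted after the response write, but the `catch (Exception e)` directly above only debug-logs a failed write, so a SUCCESS event can be recorded for a request whose key data never reached the client. If the audit event is meant to describe what the server produced rather than what was delivered, a comment saying so would prevent a reviewer from reading it as delivery confirmation, e.g. `// SUCCESS here means key data was produced; response delivery is not audited`. Otherwise set `status`/`errorMsg` in that catch so the failure record is used. The enclosing method starts outside the hunk.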
@@ -814,6 +970,15 @@ public class TokenServlet extends CMSServlet { if (keySet == null || keySet.equals("")) { keySet = "defKeySet"; } + + SessionContext sContext = SessionContext.getContext(); + + String agentId=""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + CMS.debug("keySet selected: " + keySet); String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); @@ -825,6 +990,15 @@ public class TokenServlet extends CMSServlet { isRandom = true; } + String auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST, + rCUID, + ILogger.SUCCESS, + agentId, + s_isRandom); + + audit(auditMessage); + if (isRandom) { if ((rdata == null) || (rdata.equals(""))) { CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); 
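Review bot: The agentId lookup (`SessionContext.getContext()`, null guard, `USER_ID` cast) added here is the same block added to processDiversifyKey in the previous hunk and, judging by the `agentId` argument in the session-key audit calls, exists there too; a small private helper such as `private String auditAgentId()` returning `""` when the context or entry is absent would keep the three in step. If `getContext()` creates a context when none exists (cannot tell from this hunk), the `sContext != null` guard never fires and could be dropped from the helper. processEncryptData begins outside the hunk.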
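Review bot: The ENCRYPT_DATA_REQUEST record logs `s_isRandom`, the raw `tks.EncryptData.isRandom` config string, rather than the `isRandom` flag it was normalized into just above, so the audit field reflects whatever spelling the administrator used instead of the value that governs the request. `isRandom ? "true" : "false"` matches how the session-key record reports `isCryptoValidate` and `serversideKeygen`; the same substitution applies to the ENCRYPT_DATA PROCESSED_SUCCESS/FAILURE records for this method in a later hunk. The enclosing method begins and ends outside the hunk.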
@@ -837,33 +1011,40 @@ public class TokenServlet extends CMSServlet { random.nextBytes(data); } catch (Exception e) { CMS.debug("TokenServlet: processEncryptData():"+ e.toString()); - throw new EBaseException("processEncryptData:"+ e.toString()); + badParams += " Random Number,"; + missingParam = true; } } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); + badParams += " data,"; missingParam = true; } if ((rCUID == null) || (rCUID.equals(""))) { - + badParams += " CUID,"; CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); missingParam = true; } + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { + badParams += " KeyInfo,"; CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); missingParam = true; } + if (!missingParam) { xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; CMS.debug("TokenServlet: Invalid CUID length"); - throw new EBaseException("Invalid CUID length"); + missingParam = true; } xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (xkeyInfo == null || xkeyInfo.length != 2) { + badParams += " KeyInfo length,"; CMS.debug("TokenServlet: Invalid key info length"); - throw new EBaseException("Invalid key info length"); + missingParam = true; } } @@ -871,6 +1052,8 @@ public class TokenServlet extends CMSServlet { if (!useSoftToken_s.equalsIgnoreCase("true")) useSoftToken_s = "false"; + String selectedToken = null; + String keyNickName = null; if (!missingParam) { if (!isRandom) data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); 
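Review bot: The `catch (Exception e)` around `random.nextBytes(data)` now reports a random-number generator failure as a missing input parameter (`badParams += " Random Number,"`, status 3), where it previously propagated as an EBaseException; a server-side entropy failure is not a client error, and `e` is only debug-logged so the reason never reaches the failure audit record. Keep it distinct from the parameter checks by setting a server-error message here, e.g. `errorMsg = "Problem generating random data: " + e.toString();` together with a separate flag consulted where `status` is assigned, so the ENCRYPT_DATA failure record tells a reviewer what actually went wrong. Converting the two length checks from `throw` to `missingParam = true` is fine, since those are input validation. The enclosing method begins and ends outside the hunk.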
@@ -879,8 +1062,6 @@ public class TokenServlet extends CMSServlet { String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - String selectedToken = null; - String keyNickName = null; if (mappingValue == null) { selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); keyNickName = rKeyInfo; @@ -902,6 +1083,7 @@ public class TokenServlet extends CMSServlet { resp.setContentType("text/html"); String value = ""; + String status = "0"; if (encryptedData != null && encryptedData.length > 0) { String outputString = new String(encryptedData); // sending both the pre-encrypted and encrypted data back @@ -910,9 +1092,17 @@ public class TokenServlet extends CMSServlet { "&encryptedData=" + com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); } else if (missingParam) { - value = "status=3"; - } else - value = "status=1"; + if(badParams.endsWith(",")) { + badParams = badParams.substring(0,badParams.length() -1); + } + errorMsg = "Missing input parameters: " + badParams; + status = "3"; + value = "status=" + status; + } else { + errorMsg = "Problem encrypting data."; + status = "1"; + value = "status=" + status; + } CMS.debug("TokenServlet:process EncryptData.encode " +value); @@ -927,6 +1117,34 @@ public class TokenServlet extends CMSServlet { } catch (Exception e) { CMS.debug("TokenServlet: " + e.toString()); } + + if(status.equals("0")) { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, + rCUID, + ILogger.SUCCESS, + status, + agentId, + s_isRandom, + selectedToken, + keyNickName); + + } else { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, + rCUID, + ILogger.FAILURE, + status, + agentId, + s_isRandom, + selectedToken, + keyNickName, + errorMsg); + } + + audit(auditMessage); } /* 
@@ -953,7 +1171,7 @@ public class TokenServlet extends CMSServlet { try { authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "read"); + mAuthzResourceName, "execute"); } catch (Exception e) { } |
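Review bot: Changing the operation passed to `authorize` from "read" to "execute" only works if the ACL bound to `mAuthzResourceName` grants "execute" to the intended group; a mismatch would not be visible here, because the existing `catch (Exception e) { }` discards the authorization failure and the caller sees only a null `authzToken` (the ACL definition and the handling of that null are outside this hunk). A comment next to the call, e.g. `// the ACL for this resource must define the "execute" operation`, and a `CMS.debug` of the exception in the catch would make a misconfigured ACL diagnosable. The enclosing method begins and ends outside the hunk.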