diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/apps')
6 files changed, 2778 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java new file mode 100644 index 000000000..afaa5c9fc --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java @@ -0,0 +1,1915 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +import java.util.*; +import java.math.*; +import java.text.*; +import java.io.*; +import java.util.Hashtable; +import java.util.Enumeration; +import java.util.Vector; +import java.util.Date; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.security.cert.X509CRL; + +import netscape.ldap.*; +import javax.servlet.*; +import javax.servlet.http.*; + +import com.netscape.cms.servlet.csadmin.*; +import com.netscape.cmsutil.net.*; +import netscape.security.extensions.*; +import netscape.security.x509.*; +import netscape.security.util.*; +import java.security.NoSuchAlgorithmException; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.policy.*; +import com.netscape.certsrv.password.*; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.acls.*; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.notification.*; +import com.netscape.certsrv.authority.*; +import com.netscape.certsrv.ldap.*; +import com.netscape.certsrv.connector.*; +import com.netscape.certsrv.logging.ELogException; +import com.netscape.certsrv.logging.ILogEvent; +import com.netscape.certsrv.logging.ILogQueue; +import com.netscape.certsrv.logging.ILogEventListener; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.dbs.repository.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.ra.*; +import com.netscape.certsrv.kra.*; +import com.netscape.certsrv.common.Constants; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.apps.*; + +import com.netscape.cmscore.cert.CertPrettyPrint; +import com.netscape.cmscore.cert.CrlPrettyPrint; +import com.netscape.cmscore.cert.ExtPrettyPrint; +import com.netscape.cmscore.policy.*; +import com.netscape.cmscore.time.*; +import com.netscape.cmscore.ldapconn.*; +import com.netscape.cmscore.base.*; +import com.netscape.cmscore.util.Debug; +import com.netscape.cmscore.connector.*; +import com.netscape.cmscore.notification.*; +import com.netscape.cmscore.request.*; +import com.netscape.cmscore.cert.*; +import com.netscape.cmscore.logging.LogSubsystem; +import com.netscape.cmscore.logging.Logger; +import com.netscape.cmscore.logging.SignedAuditLogger; +import com.netscape.cmscore.util.OsSubsystem; +import com.netscape.cmscore.security.JssSubsystem; +import com.netscape.cmscore.dbs.DBSubsystem; +import com.netscape.cmscore.dbs.*; +import com.netscape.cmscore.authentication.*; +import com.netscape.cmscore.authorization.AuthzSubsystem; +import com.netscape.cmscore.usrgrp.UGSubsystem; +import com.netscape.cmscore.request.RequestSubsystem; +import com.netscape.cmscore.jobs.JobsScheduler; +import com.netscape.osutil.*; + +import com.netscape.cmscore.cert.OidLoaderSubsystem; +import com.netscape.cmscore.cert.X500NameSubsystem; + +import org.mozilla.jss.util.PasswordCallback; +import org.mozilla.jss.CryptoManager.CertificateUsage; +import netscape.security.pkcs.*; +import com.netscape.cmscore.security.*; +import com.netscape.cmscore.registry.*; +import com.netscape.cmsutil.password.*; +import org.w3c.dom.*; +import org.apache.xerces.parsers.DOMParser; + +public class CMSEngine implements ICMSEngine { + private static final String ID = "MAIN"; + + private static final String PROP_SUBSYSTEM = "subsystem"; + private static final String PROP_ID = "id"; + private static final String PROP_CLASS = "class"; + private static final String SERVER_XML = "server.xml"; + + public static final SubsystemRegistry mSSReg = SubsystemRegistry.getInstance(); + + public static String instanceDir; /* path to instance <server-root>/cert-<instance-name> */ + + private IConfigStore mConfig = null; + private ISubsystem mOwner = null; + private long mStartupTime = 0; + private boolean isStarted = false; + private StringBuffer mWarning = new StringBuffer(); + private ITimeSource mTimeSource = null; + private IPasswordStore mPasswordStore = null; + private WarningListener mWarningListener = null; + private ILogQueue mQueue = null; + private ISecurityDomainSessionTable mSecurityDomainSessionTable = null; + private String mConfigSDSessionId = null; + private Timer mSDTimer = null; + + // static subsystems - must be singletons + private static SubsystemInfo[] mStaticSubsystems = { + new SubsystemInfo( + Debug.ID, Debug.getInstance()), + new SubsystemInfo(LogSubsystem.ID, + LogSubsystem.getInstance()), + new SubsystemInfo( + OsSubsystem.ID, OsSubsystem.getInstance()), + new SubsystemInfo( + JssSubsystem.ID, JssSubsystem.getInstance()), + new SubsystemInfo( + DBSubsystem.ID, DBSubsystem.getInstance()), + new SubsystemInfo( + UGSubsystem.ID, UGSubsystem.getInstance()), + new SubsystemInfo( + PluginRegistry.ID, new PluginRegistry()), + new SubsystemInfo( + OidLoaderSubsystem.ID, OidLoaderSubsystem.getInstance()), + new SubsystemInfo( + X500NameSubsystem.ID, X500NameSubsystem.getInstance()), + // skip TP subsystem; + // problem in needing dbsubsystem in constructor. and it's not used. + new SubsystemInfo( + RequestSubsystem.ID, RequestSubsystem.getInstance()), + }; + + // dynamic subsystems are loaded at init time, not neccessarily singletons. + private static SubsystemInfo[] mDynSubsystems = null; + + // final static subsystems - must be singletons. + private static SubsystemInfo[] mFinalSubsystems = { + new SubsystemInfo( + AuthSubsystem.ID, AuthSubsystem.getInstance()), + new SubsystemInfo( + AuthzSubsystem.ID, AuthzSubsystem.getInstance()), + new SubsystemInfo( + JobsScheduler.ID, JobsScheduler.getInstance()), + }; + + private static final int IP = 0; + private static final int PORT = 1; + private static final int HOST = 2; + private static final int AGENT = 0; + private static final int ADMIN = 1; + private static final int EE_SSL = 2; + private static final int EE_NON_SSL = 3; + private static final int EE_CLIENT_AUTH_SSL = 4; + private static String mServerCertNickname = null; + private static String info[][] = { {null, null, null},//agent + {null, null, null},//admin + {null, null, null},//sslEE + {null, null, null},//non_sslEE + {null, null, null} //ssl_clientauth_EE + }; + + /** + * private constructor. + */ + public CMSEngine() { + } + + /** + * gets this ID + */ + public String getId() { + return ID; + } + + /** + * should never be called. returns error. + */ + public void setId(String id) throws EBaseException { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); + } + + /** + * Retrieves the instance roort path of this server. + */ + public String getInstanceDir() { + return instanceDir; + } + + public synchronized IPasswordStore getPasswordStore() { + // initialize the PasswordReader and PasswordWriter + try { + String pwdPath = mConfig.getString("passwordFile"); + if (mPasswordStore == null) { + CMS.debug("CMSEngine: getPasswordStore(): password store not initialized before."); + String pwdClass = mConfig.getString("passwordClass"); + + if (pwdClass != null) { + try { + mPasswordStore = (IPasswordStore)Class.forName(pwdClass).newInstance(); + } catch (Exception e) { + CMS.debug("CMSEngine: getPasswordStore(): password store initialization failure:" + e.toString()); + } + } + } else { + CMS.debug("CMSEngine: getPasswordStore(): password store initialized before."); + } + + // have to initialize it because other places don't always + mPasswordStore.init(pwdPath); + CMS.debug("CMSEngine: getPasswordStore(): password store initialized."); + } catch (Exception e) { + CMS.debug("CMSEngine: getPasswordStore(): failure:" + e.toString()); + } + + return mPasswordStore; + } + + /** + * initialize all static, dynamic and final static subsystems. + * @param owner null + * @param config main config store. + * @exception EBaseException if any error occur in subsystems during + * initialization. + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOwner = owner; + mConfig = config; + int state = mConfig.getInteger("cs.state"); + String sd = mConfig.getString("securitydomain.select", ""); + // my default is 1 day + String flush_timeout = config.getString("securitydomain.flushinterval", "86400000"); + String secdomain_source = config.getString("securitydomain.source", "memory"); + String secdomain_check_interval = config.getString("securitydomain.checkinterval", "5000"); + + if (secdomain_source.equals("ldap")) { + mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue()); + } else { + mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue()); + } + + mSDTimer = new Timer(); + SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable); + if ((state != 1) || (sd.equals("existing"))) { + // for non-security domain hosts or if not yet configured, + // do not check session domain table + } else { + mSDTimer.schedule(timertask, 5, (new Long(secdomain_check_interval)).longValue()); + } + + String tsClass = config.getString("timeSourceClass", null); + + if (tsClass != null) { + try { + mTimeSource = (ITimeSource) + Class.forName(tsClass).newInstance(); + } catch (Exception e) { + // nothing to do + } + } + if (mTimeSource == null) { + // if time source is not set, set it to simple time source + mTimeSource = new SimpleTimeSource(); + } + + instanceDir = config.getString("instanceRoot"); + + loadDynSubsystems(); + + java.security.Security.addProvider( + new netscape.security.provider.CMS()); + + mSSReg.put(ID, this); + initSubsystems(mStaticSubsystems, false); + + // Once the log subsystem is initialized, we + // want to register a listener to catch + // all the warning message so that we can + // display them in the console. + mQueue = Logger.getLogger().getLogQueue(); + mWarningListener = new WarningListener(mWarning); + mQueue.addLogEventListener(mWarningListener); + + initSubsystems(mDynSubsystems, true); + initSubsystems(mFinalSubsystems, false); + + CMS.debug("Java version=" + (String)System.getProperty("java.version")); + java.security.Provider ps[] = java.security.Security.getProviders(); + + if (ps == null || ps.length <= 0) { + CMS.debug("CMSEngine: Java Security Provider NONE"); + } else { + for (int x = 0; x < ps.length; x++) { + CMS.debug("CMSEngine: Java Security Provider " + x + " class=" + ps[x]); + } + } + parseServerXML(); + fixProxyPorts(); + } + + /** + * Parse ACL resource attributes + * @param resACLs same format as the resourceACLs attribute: + * <PRE> + * <resource name>:<permission1,permission2,...permissionn>: + * <allow|deny> (<subset of the permission set>) <evaluator expression> + * </PRE> + * @exception EACLsException ACL related parsing errors for resACLs + * @return an ACL instance built from the parsed resACLs + */ + public IACL parseACL(String resACLs) throws EACLsException { + if (resACLs == null) { + throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs")); + } + + ACL acl = null; + Vector rights = null; + int idx1 = resACLs.indexOf(":"); + + if (idx1 <= 0) { + acl = new ACL(resACLs, rights, resACLs); + } else { + // getting resource id + String resource = resACLs.substring(0, idx1); + + if (resource == null) { + String infoMsg = "resource not specified in resourceACLS attribute:" + + resACLs; + + String[] params = new String[2]; + + params[0] = resACLs; + params[1] = infoMsg; + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); + } + + // getting list of applicable rights + String st = resACLs.substring(idx1 + 1); + int idx2 = st.indexOf(":"); + String rightsString = null; + + if (idx2 != -1) + rightsString = st.substring(0, idx2); + else { + String infoMsg = + "rights not specified in resourceACLS attribute:" + resACLs; + String[] params = new String[2]; + + params[0] = resACLs; + params[1] = infoMsg; + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); + } + + if (rightsString != null) { + rights = new Vector(); + StringTokenizer rtok = new StringTokenizer(rightsString, ","); + + while (rtok.hasMoreTokens()) { + rights.addElement(rtok.nextToken()); + } + } + + acl = new ACL(resource, rights, resACLs); + + String stx = st.substring(idx2 + 1); + int idx3 = stx.indexOf(":"); + String aclStr = stx.substring(0, idx3); + + // getting list of acl entries + if (aclStr != null) { + StringTokenizer atok = new StringTokenizer(aclStr, ";"); + + if (atok == null) { + throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "atok")); + } + + while (atok.hasMoreTokens()) { + String acs = (String) atok.nextToken(); + + // construct ACL entry + ACLEntry entry = ACLEntry.parseACLEntry(acl, acs); + + if (entry == null) { + String infoMsg = "parseACLEntry() call failed"; + String[] params = new String[2]; + + params[0] = "ACLEntry = " + acs; + params[1] = infoMsg; + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); + } + + entry.setACLEntryString(acs); + acl.addEntry(entry); + } + } else { + // fine + String infoMsg = "acls not specified in resourceACLS attribute:" + + + resACLs; + + String[] params = new String[2]; + + params[0] = resACLs; + params[1] = infoMsg; + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); + } + + // getting description + String desc = stx.substring(idx3 + 1); + + acl.setDescription(desc); + } + + return (acl); + } + + /** + * Parse server.xml to get the ports and IPs + */ + private void parseServerXML() { + try { + String instanceRoot = mConfig.getString("instanceRoot"); + String path = instanceRoot+File.separator+"conf"+File.separator+SERVER_XML; + DOMParser parser = new DOMParser(); + parser.parse(path); + NodeList nodes = parser.getDocument().getElementsByTagName("Connector"); + String parentName=""; + String name=""; + String port=""; + for (int i=0; i<nodes.getLength(); i++) { + Element n = (Element)nodes.item(i); + + parentName = ""; + Element p = (Element) n.getParentNode(); + if(p != null) { + parentName = p.getAttribute("name"); + } + name = n.getAttribute("name"); + port = n.getAttribute("port"); + + // The "server.xml" file is parsed from top-to-bottom, and + // supports BOTH "Port Separation" (the new default method) + // as well as "Shared Ports" (the old legacy method). Since + // both methods must be supported, the file structure MUST + // conform to ONE AND ONLY ONE of the following formats: + // + // Port Separation: + // + // <Catalina> + // ... + // <!-- Port Separation: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Port Separation: Agent Secure Port --> + // <Connector name="Agent" . . . + // ... + // <!-- Port Separation: Admin Secure Port --> + // <Connector name="Admin" . . . + // ... + // <!-- Port Separation: EE Secure Port --> + // <Connector name="EE" . . . + // ... + // </Catalina> + // + // + // Shared Ports: + // + // <Catalina> + // ... + // <!-- Shared Ports: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Shared Ports: Agent, EE, and Admin Secure Port --> + // <Connector name="Secure" . . . + // ... + // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // </Catalina> + // + if ( parentName.equals("Catalina")) { + if( name.equals( "Unsecure" ) ) { + // Port Separation: Unsecure Port + // OR + // Shared Ports: Unsecure Port + info[EE_NON_SSL][PORT] = port; + } else if( name.equals( "Agent" ) ) { + // Port Separation: Agent Secure Port + info[AGENT][PORT] = port; + } else if( name.equals( "Admin" ) ) { + // Port Separation: Admin Secure Port + info[ADMIN][PORT] = port; + } else if( name.equals( "EE" ) ) { + // Port Separation: EE Secure Port + info[EE_SSL][PORT] = port; + } else if( name.equals( "EEClientAuth" ) ) { + // Port Separation: EE Client Auth Secure Port + info[EE_CLIENT_AUTH_SSL][PORT] = port; + } else if( name.equals( "Secure" ) ) { + // Shared Ports: Agent, EE, and Admin Secure Port + info[AGENT][PORT] = port; + info[ADMIN][PORT] = port; + info[EE_SSL][PORT] = port; + info[EE_CLIENT_AUTH_SSL][PORT] = port; + } + } + } + + } catch (Exception e) { + CMS.debug("CMSEngine: parseServerXML exception: " + e.toString()); + } + } + + private void fixProxyPorts() throws EBaseException { + try { + String port = mConfig.getString("proxy.securePort", ""); + if (!port.equals("")) { + info[EE_SSL][PORT] = port; + info[ADMIN][PORT] = port; + info[AGENT][PORT] = port; + info[EE_CLIENT_AUTH_SSL][PORT] = port; + } + + port = mConfig.getString("proxy.unsecurePort", ""); + if (!port.equals("")) { + info[EE_NON_SSL][PORT] = port; + } + } catch (EBaseException e) { + CMS.debug("CMSEngine: fixProxyPorts exception: " + e.toString()); + throw e; + } + } + + + public IConfigStore createFileConfigStore(String path) throws EBaseException { + try { + /* if the file is not there, create one */ + File f = new File(path); + if (!f.exists()) { + f.createNewFile(); + } + } catch (Exception e) { + } + + + return new FileConfigStore(path); + } + + public IArgBlock createArgBlock() { + return new ArgBlock(); + } + + public IArgBlock createArgBlock(Hashtable httpReq) { + return new ArgBlock(httpReq); + } + + public IArgBlock createArgBlock(String realm, Hashtable httpReq) { + return new ArgBlock(realm, httpReq); + } + + public boolean isPreOpMode() { + if (getCSState() == CMS.PRE_OP_MODE) + return true; + return false; + } + + public boolean isRunningMode() { + if (getCSState() == CMS.RUNNING_MODE) + return true; + return false; + } + + public void setCSState(int mode) { + mConfig.putInteger("cs.state", mode); + } + + public int getCSState() { + int mode = 0; + try { + mode = mConfig.getInteger("cs.state"); + } catch (Exception e) { + } + return mode; + } + + public IRepositoryRecord createRepositoryRecord() { + return new RepositoryRecord(); + } + + public ICRLIssuingPointRecord createCRLIssuingPointRecord(String + id, BigInteger crlNumber, Long crlSize, Date thisUpdate, Date nextUpdate) { + return new CRLIssuingPointRecord(id, crlNumber, crlSize, thisUpdate, nextUpdate); + } + + public ISecurityDomainSessionTable getSecurityDomainSessionTable() { + return mSecurityDomainSessionTable; + } + + public String getCRLIssuingPointRecordName() { + return CRLIssuingPointRecord.class.getName(); + } + + public String getEEHost() { + String host = ""; + try { + host = mConfig.getString("machineName"); + } catch (Exception e) { + } + return host; + } + + public String getEENonSSLHost() { + String host = ""; + try { + host = mConfig.getString("machineName"); + } catch (Exception e) { + } + return host; + } + + public String getEENonSSLIP() { + return info[EE_NON_SSL][IP]; + } + + public String getEENonSSLPort() { + return info[EE_NON_SSL][PORT]; + } + + public String getEESSLHost() { + String host = ""; + try { + host = mConfig.getString("machineName"); + } catch (Exception e) { + } + return host; + } + + public String getEESSLIP() { + return info[EE_SSL][IP]; + } + + public String getEESSLPort() { + return info[EE_SSL][PORT]; + } + + public String getEEClientAuthSSLPort() { + return info[EE_CLIENT_AUTH_SSL][PORT]; + } + + public String getAgentHost() { + String host = ""; + try { + host = mConfig.getString("machineName"); + } catch (Exception e) { + } + return host; + } + + public String getAgentIP() { + return info[AGENT][IP]; + } + + public String getAgentPort() { + return info[AGENT][PORT]; + } + + public String getAdminHost() { + String host = ""; + try { + host = mConfig.getString("machineName"); + } catch (Exception e) { + } + return host; + } + + public String getAdminIP() { + return info[ADMIN][IP]; + } + + public String getAdminPort() { + return info[ADMIN][PORT]; + } + + public IHttpConnection getHttpConnection(IRemoteAuthority authority, + ISocketFactory factory) { + return new HttpConnection(authority, factory); + } + + public IHttpConnection getHttpConnection(IRemoteAuthority authority, + ISocketFactory factory, int timeout) { + return new HttpConnection(authority, factory, timeout); + } + + public IResender getResender(IAuthority authority, String nickname, + IRemoteAuthority remote, int interval) { + return new Resender(authority, nickname, remote, interval); + } + + public IPKIMessage getHttpPKIMessage() { + return new HttpPKIMessage(); + } + + public ILdapConnInfo getLdapConnInfo(IConfigStore config) + throws EBaseException, ELdapException { + return new LdapConnInfo(config); + } + + public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory( + String certNickname) { + return new LdapJssSSLSocketFactory(certNickname); + } + + public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory() { + return new LdapJssSSLSocketFactory(); + } + + public ILdapAuthInfo getLdapAuthInfo() { + return new LdapAuthInfo(); + } + + public ILdapConnFactory getLdapBoundConnFactory() + throws ELdapException { + return new LdapBoundConnFactory(); + } + + public ILdapConnFactory getLdapAnonConnFactory() + throws ELdapException { + return new LdapAnonConnFactory(); + } + + public IRequestEncoder getHttpRequestEncoder() { + return new HttpRequestEncoder(); + } + + public Enumeration getSubsystemNames() { + return mSSReg.keys(); + } + + public Enumeration getSubsystems() { + return mSSReg.elements(); + } + + public ISubsystem getSubsystem(String name) { + return (ISubsystem) mSSReg.get(name); + } + + /** + * initialize an array of subsystem info. + */ + private void initSubsystems(SubsystemInfo[] sslist, boolean doSetId) + throws EBaseException { + if (sslist == null) + return; + for (int i = 0; i < sslist.length; i++) { + initSubsystem(sslist[i], doSetId); + } + } + + /** + * load dynamic subsystems + */ + private void loadDynSubsystems() + throws EBaseException { + IConfigStore ssconfig = mConfig.getSubStore(PROP_SUBSYSTEM); + + // count number of dyn loaded subsystems. + Enumeration ssnames = ssconfig.getSubStoreNames(); + int nsubsystems = 0; + + for (nsubsystems = 0; ssnames.hasMoreElements(); nsubsystems++) + ssnames.nextElement(); + if (Debug.ON) { + Debug.trace(nsubsystems + " dyn subsystems loading.."); + } + if (nsubsystems == 0) + return; + + // load dyn subsystems. + mDynSubsystems = new SubsystemInfo[nsubsystems]; + ssnames = ssconfig.getSubStoreNames(); + for (int i = 0; i < mDynSubsystems.length; i++) { + IConfigStore config = + ssconfig.getSubStore(String.valueOf(i)); + String id = config.getString(PROP_ID); + String classname = config.getString(PROP_CLASS); + ISubsystem ss = null; + + try { + ss = (ISubsystem) Class.forName(classname).newInstance(); + } catch (InstantiationException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_LOAD_FAILED_1", id, e.toString())); + } catch (IllegalAccessException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_LOAD_FAILED_1", id, e.toString())); + } catch (ClassNotFoundException e) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_LOAD_FAILED_1", id, e.toString())); + } + mDynSubsystems[i] = new SubsystemInfo(id, ss); + Debug.trace("loaded dyn subsystem " + id); + } + } + + public LDAPConnection getBoundConnection(String host, int port, + int version, LDAPSSLSocketFactoryExt fac, String bindDN, + String bindPW) throws LDAPException + { + return new LdapBoundConnection(host, port, version, fac, + bindDN, bindPW); + } + + /** + * initialize a subsystem + */ + private void initSubsystem(SubsystemInfo ssinfo, boolean doSetId) + throws EBaseException { + String id = ssinfo.mId; + ISubsystem ss = ssinfo.mInstance; + IConfigStore ssConfig = mConfig.getSubStore(id); + + CMS.debug("CMSEngine: initSubsystem id=" + id); + if (doSetId) + ss.setId(id); + CMS.debug("CMSEngine: ready to init id=" + id); + ss.init(this, ssConfig); + // add to id - subsystem hash table. + CMS.debug("CMSEngine: done init id=" + id); + mSSReg.put(id, ss); + CMS.debug("CMSEngine: initialized " + id); + + if(id.equals("ca") || id.equals("ocsp") || + id.equals("kra") || id.equals("tks")) { + CMS.debug("CMSEngine::initSubsystem " + id + " Java subsytem about to calculate serverCertNickname. "); + // get SSL server nickname + IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver"); + if (serverCertStore != null && serverCertStore.size() > 0) { + String nickName = serverCertStore.getString("nickname"); + String tokenName = serverCertStore.getString("tokenname"); + if (tokenName != null && tokenName.length() > 0 && + nickName != null && nickName.length() > 0) { + CMS.setServerCertNickname(tokenName, nickName); + CMS.debug("Subsystem " + id + " init sslserver: tokenName:"+tokenName+" nickName:"+nickName); + } else if (nickName != null && nickName.length() > 0) { + CMS.setServerCertNickname(nickName); + CMS.debug("Subsystem " + id + " init sslserver: nickName:"+nickName); + } else { + CMS.debug("Subsystem " + id + " init error: SSL server certificate nickname is not available."); + } + } + } + } + + public void reinit(String id) throws EBaseException { + ISubsystem system = getSubsystem(id); + IConfigStore cs = mConfig.getSubStore(id); + system.init(this, cs); + } + + /** + * Starts up all subsystems. subsystems must be initialized. + * @exception EBaseException if any subsystem fails to startup. + */ + public void startup() throws EBaseException { + //OsSubsystem.nativeExit(0); + startupSubsystems(mStaticSubsystems); + if (mDynSubsystems != null) + startupSubsystems(mDynSubsystems); + startupSubsystems(mFinalSubsystems); + + // global admin servlet. (anywhere else more fit for this ?) + + mStartupTime = System.currentTimeMillis(); + + mQueue.removeLogEventListener(mWarningListener); + if (!mWarning.toString().equals("")) { + System.out.println(Constants.SERVER_STARTUP_WARNING_MESSAGE + mWarning); + } + + // check serial number ranges if a CA/KRA + ICertificateAuthority ca = (ICertificateAuthority) getSubsystem("ca"); + if ((ca != null) && !isPreOpMode()) { + CMS.debug("CMSEngine: checking request serial number ranges for the CA"); + ca.getRequestQueue().getRequestRepository().checkRanges(); + + CMS.debug("CMSEngine: checking certificate serial number ranges"); + ca.getCertificateRepository().checkRanges(); + } + + IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) getSubsystem("kra"); + if ((kra != null) && !isPreOpMode()) { + CMS.debug("CMSEngine: checking request serial number ranges for the KRA"); + kra.getRequestQueue().getRequestRepository().checkRanges(); + + CMS.debug("CMSEngine: checking key serial number ranges"); + kra.getKeyRepository().checkRanges(); + } + + /*LogDoc + * + * @phase server startup + * @reason all subsystems are initialized and started. + */ + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_ADMIN, + ILogger.LL_INFO, CMS.getLogMessage("SERVER_STARTUP")); + System.out.println(Constants.SERVER_STARTUP_MESSAGE); + isStarted = true; + + } + + public boolean isInRunningState() { + return isStarted; + } + + public byte[] getPKCS7(Locale locale, IRequest req) { + try { + X509CertImpl cert = req.getExtDataInCert( + IEnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + CertificateChain cachain = ca.getCACertChain(); + X509Certificate[] cacerts = cachain.getChain(); + + X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; + int m = 1, n = 0; + + for (; n < cacerts.length; m++, n++) { + userChain[m] = (X509CertImpl) cacerts[n]; + } + + userChain[0] = cert; + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + userChain, + new SignerInfo[0]); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + p7.encodeSignedData(bos); + return bos.toByteArray(); + } catch (Exception e) { + return null; + } + } + + public String getServerCertNickname() { + return mServerCertNickname; + } + + public void setServerCertNickname(String tokenName, String + nickName) { + String newName = null; + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME) || + tokenName.equalsIgnoreCase("Internal Key Storage Token")) + newName = nickName; + else { + if (tokenName.equals("") && nickName.equals("")) + return; // not sure the logic + else + newName = tokenName + ":" + nickName; + } + setServerCertNickname(newName); + } + + public void setServerCertNickname(String newName) { + // modify server.xml +/* + String filePrefix = instanceDir + File.separator + + "config" + File.separator; + String orig = filePrefix + "server.xml"; + String dest = filePrefix + "server.xml.bak"; + String newF = filePrefix + "server.xml.new"; + + // save the old copy + Utils.copy(orig, dest); + + BufferedReader in1 = null; + PrintWriter out1 = null; + + try { + in1 = new BufferedReader(new FileReader(dest)); + out1 = new PrintWriter( + new BufferedWriter(new FileWriter(newF))); + String line = ""; + + while (in1.ready()) { + line = in1.readLine(); + if (line != null) + out1.println(lineParsing(line, newName)); + } + + out1.close(); + in1.close(); + } catch (Exception eee) { + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_ADMIN, + ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", eee.toString())); + } + + File file = new File(newF); + File nfile = new File(orig); + + try { + boolean success = file.renameTo(nfile); + + if (!success) { + if (Utils.isNT()) { + // NT is very picky on the path + Utils.exec("copy " + + file.getAbsolutePath().replace('/', '\\') + " " + + nfile.getAbsolutePath().replace('/', '\\')); + } else { + Utils.exec("cp " + file.getAbsolutePath() + " " + + nfile.getAbsolutePath()); + } + } + } catch (Exception exx) { + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_ADMIN, + ILogger.LL_FAILURE, "CMSEngine: Error " + exx.toString()); + } + // update "cache" for CMS.getServerCertNickname() +*/ + mServerCertNickname = newName; + } + + private String lineParsing(String input, String newName) { + //<SSLPARAMS servercertnickname="Server-Cert cert-firefly" + int index = input.indexOf("servercertnickname"); + + if (index >= 0) { + String str = input.substring(index + 20); + int index2 = str.indexOf("\""); + String newLine = input.substring(0, index + 20) + + newName + str.substring(index2); + + return newLine; + } else { + return input; + } + } + + public String getFingerPrint(Certificate cert) + throws CertificateEncodingException, NoSuchAlgorithmException { + return CertUtils.getFingerPrint(cert); + } + + public String getFingerPrints(Certificate cert) + throws NoSuchAlgorithmException, CertificateEncodingException { + return CertUtils.getFingerPrints(cert); + } + + public String getFingerPrints(byte[] certDer) + throws NoSuchAlgorithmException { + return CertUtils.getFingerPrints(certDer); + } + + public String getUserMessage(Locale locale, String msgID, String params[]) { + // if locale is null, try to get it out from session context + if (locale == null) { + SessionContext sc = SessionContext.getExistingContext(); + + if (sc != null) + locale = (Locale) sc.get(SessionContext.LOCALE); + } + ResourceBundle rb = null; + + if (locale == null) { + rb = ResourceBundle.getBundle( + "UserMessages", Locale.ENGLISH); + } else { + rb = ResourceBundle.getBundle( + "UserMessages", locale); + } + String msg = rb.getString(msgID); + + if (params == null) + return msg; + MessageFormat mf = new MessageFormat(msg); + + return mf.format(params); + } + + public String getUserMessage(Locale locale, String msgID) { + return getUserMessage(locale, msgID, (String[]) null); + } + + public String getUserMessage(Locale locale, String msgID, String p1) { + String params[] = { p1 }; + + return getUserMessage(locale, msgID, params); + } + + public String getUserMessage(Locale locale, String msgID, String p1, String p2) { + String params[] = { p1, p2 }; + + return getUserMessage(locale, msgID, params); + } + + public String getUserMessage(Locale locale, String msgID, + String p1, String p2, String p3) { + String params[] = { p1, p2, p3 }; + + return getUserMessage(locale, msgID, params); + } + + public String getLogMessage(String msgID, String params[]) { + ResourceBundle rb = ResourceBundle.getBundle( + "LogMessages"); + String msg = rb.getString(msgID); + + if (params == null) + return msg; + MessageFormat mf = new MessageFormat(msg); + + return mf.format(params); + } + + public void debug(byte data[]) { + if (!debugOn()) { + // this helps to not saving stuff to file when debug + // is disable + return; + } + Debug.print(data); + } + + public void debug(int level, String msg) { + if (!debugOn()) { + // this helps to not saving stuff to file when debug + // is disable + return; + } + Debug.trace(level, msg); + } + + public void debug(String msg) { + if (!debugOn()) { + // this helps to not saving stuff to file when debug + // is disable + return; + } + Debug.trace(msg); + } + + public void debug(Throwable e) { + if (!debugOn()) { + // this helps to not saving stuff to file when debug + // is disable + return; + } + Debug.printStackTrace(e); + } + + public boolean debugOn() { + return Debug.on(); + } + + public void debugStackTrace() { + Debug.printStackTrace(); + } + + public void traceHashKey(String type, String key) { + Debug.traceHashKey(type, key); + } + public void traceHashKey(String type, String key, String val) { + Debug.traceHashKey(type, key, val); + } + public void traceHashKey(String type, String key, String val, String def) { + Debug.traceHashKey(type, key, val, def); + } + + + public String getLogMessage(String msgID) { + return getLogMessage(msgID, (String[]) null); + } + + public String getLogMessage(String msgID, String p1) { + String params[] = { p1 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2) { + String params[] = { p1, p2 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3) { + String params[] = { p1, p2, p3 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4) { + String params[] = { p1, p2, p3, p4 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5) { + String params[] = { p1, p2, p3, p4, p5 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6) { + String params[] = { p1, p2, p3, p4, p5, p6 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6, String p7) { + String params[] = { p1, p2, p3, p4, p5, p6, p7 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6, String p7, String p8) { + String params[] = { p1, p2, p3, p4, p5, p6, p7, p8 }; + + return getLogMessage(msgID, params); + } + + public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6, String p7, String p8, String p9) { + String params[] = { p1, p2, p3, p4, p5, p6, p7, p8, p9 }; + + return getLogMessage(msgID, params); + } + + public void getSubjAltNameConfigDefaultParams(String name, + Vector params) { + GeneralNameUtil.SubjAltNameGN.getDefaultParams(name, params); + } + + public void getSubjAltNameConfigExtendedPluginInfo(String name, + Vector params) { + GeneralNameUtil.SubjAltNameGN.getExtendedPluginInfo(name, params); + } + + public ISubjAltNameConfig createSubjAltNameConfig(String name, IConfigStore config, boolean isValueConfigured) throws EBaseException { + return new GeneralNameUtil.SubjAltNameGN(name, config, isValueConfigured); + } + + public GeneralName form_GeneralNameAsConstraints(String generalNameChoice, String value) throws EBaseException { + return GeneralNameUtil.form_GeneralNameAsConstraints(generalNameChoice, value); + } + + public GeneralName form_GeneralName(String generalNameChoice, + String value) throws EBaseException { + return GeneralNameUtil.form_GeneralName(generalNameChoice, value); + } + + public void getGeneralNameConfigDefaultParams(String name, + boolean isValueConfigured, Vector params) { + GeneralNameUtil.GeneralNameConfig.getDefaultParams(name, isValueConfigured, params); + } + + public void getGeneralNamesConfigDefaultParams(String name, + boolean isValueConfigured, Vector params) { + GeneralNameUtil.GeneralNamesConfig.getDefaultParams(name, isValueConfigured, params); + } + + public void getGeneralNameConfigExtendedPluginInfo(String name, + boolean isValueConfigured, Vector info) { + GeneralNameUtil.GeneralNameConfig.getExtendedPluginInfo(name, isValueConfigured, info); + } + + public void getGeneralNamesConfigExtendedPluginInfo(String name, + boolean isValueConfigured, Vector info) { + GeneralNameUtil.GeneralNamesConfig.getExtendedPluginInfo(name, isValueConfigured, info); + } + + public IGeneralNamesConfig createGeneralNamesConfig(String name, + IConfigStore config, boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException { + return new GeneralNameUtil.GeneralNamesConfig(name, config, isValueConfigured, isPolicyEnabled); + } + + public IGeneralNameAsConstraintsConfig createGeneralNameAsConstraintsConfig(String name, IConfigStore config, boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException { + return new GeneralNameUtil.GeneralNameAsConstraintsConfig(name, config, isValueConfigured, isPolicyEnabled); + } + + public IGeneralNamesAsConstraintsConfig createGeneralNamesAsConstraintsConfig(String name, IConfigStore config, boolean isValueConfigured, + boolean isPolicyEnabled) throws EBaseException { + return new GeneralNameUtil.GeneralNamesAsConstraintsConfig(name, config, isValueConfigured, isPolicyEnabled); + } + + public ObjectIdentifier checkOID(String attrName, String value) + throws EBaseException { + return CertUtils.checkOID(attrName, value); + } + + public String BtoA(byte data[]) { + return OSUtil.BtoA(data); + } + + public byte[] AtoB(String data) { + return OSUtil.AtoB(data); + } + + public String getEncodedCert(X509Certificate cert) { + try { + return + "-----BEGIN CERTIFICATE-----\n" + + CMS.BtoA(cert.getEncoded()) + + "\n-----END CERTIFICATE-----\n"; + } catch (Exception e) { + return null; + } + } + + public boolean verifySystemCerts() { + return CertUtils.verifySystemCerts(); + } + + public boolean verifySystemCertByTag(String tag) { + return CertUtils.verifySystemCertByTag(tag); + } + + public boolean verifySystemCertByNickname(String nickname, String certificateUsage) { + return CertUtils.verifySystemCertByNickname(nickname, certificateUsage); + } + + public CertificateUsage getCertificateUsage(String certusage) { + return CertUtils.getCertificateUsage(certusage); + } + + public boolean isSigningCert(X509Certificate cert) { + return CertUtils.isSigningCert((X509CertImpl) cert); + } + + public boolean isEncryptionCert(X509Certificate cert) { + return CertUtils.isEncryptionCert((X509CertImpl) cert); + } + + public X509CertInfo getDefaultX509CertInfo() { + return new CertInfo(); + } + + public IEmailResolverKeys getEmailResolverKeys() { + return new EmailResolverKeys(); + } + + public IEmailResolver getReqCertSANameEmailResolver() { + return new ReqCertSANameEmailResolver(); + } + + public IEmailFormProcessor getEmailFormProcessor() { + return new EmailFormProcessor(); + } + + public IEmailTemplate getEmailTemplate(String path) { + return new EmailTemplate(path); + } + + public IMailNotification getMailNotification() { + try { + String className = mConfig.getString("notificationClassName", + "com.netscape.cms.notification.MailNotification"); + IMailNotification notification = (IMailNotification) + Class.forName(className).newInstance(); + + return notification; + } catch (Exception e) { + return null; + } + } + + public IPrettyPrintFormat getPrettyPrintFormat(String delimiter) { + return new com.netscape.cmscore.cert.PrettyPrintFormat(delimiter); + } + + public IExtPrettyPrint getExtPrettyPrint(Extension e, int indent) { + return new ExtPrettyPrint(e, indent); + } + + public ICertPrettyPrint getCertPrettyPrint(X509Certificate cert) { + return new CertPrettyPrint(cert); + } + + public ICRLPrettyPrint getCRLPrettyPrint(X509CRL crl) { + return new CrlPrettyPrint((X509CRLImpl) crl); + } + + public ICRLPrettyPrint getCRLCachePrettyPrint(ICRLIssuingPoint ip) { + return new CrlCachePrettyPrint(ip); + } + + public IPasswordCheck getPasswordChecker() { + try { + String className = mConfig.getString("passwordCheckerClass", + "com.netscape.cms.password.PasswordChecker"); + IPasswordCheck check = (IPasswordCheck) + Class.forName(className).newInstance(); + + return check; + } catch (Exception e) { + return null; + } + } + + public ILogger getLogger() { + return Logger.getLogger(); + } + + public ILogger getSignedAuditLogger() { + return SignedAuditLogger.getLogger(); + } + + /** + * starts up subsystems in a subsystem list.. + */ + private void startupSubsystems(SubsystemInfo[] sslist) + throws EBaseException { + ISubsystem ss = null; + + for (int i = 0; i < sslist.length; i++) { + CMS.debug("CMSEngine: " + sslist[i].mId + " startup start"); + ss = sslist[i].mInstance; + ss.startup(); + CMS.debug("CMSEngine: " + sslist[i].mId + " startup done"); + } + } + + public void disableRequests() { + CommandQueue.mShuttingDown = true; + } + + public boolean areRequestsDisabled() { + return CommandQueue.mShuttingDown; + } + + public void terminateRequests() { + java.util.Enumeration e = CommandQueue.mCommandQueue.keys(); + + while (e.hasMoreElements()) { + Object thisRequest = e.nextElement(); + + HttpServlet thisServlet = (HttpServlet) CommandQueue.mCommandQueue.get(thisRequest); + + if (thisServlet != null) { + CommandQueue.mCommandQueue.remove((Object) thisRequest); + thisServlet.destroy(); + } + } + } + public static boolean isNT() { + return (File.separator.equals("\\")); + } + + private static void shutdownHttpServer() { + + try { + String cmds[] = null; + String cmd = "stop-cert"; + if (isNT()) { + // NT + cmds = new String[3]; + cmds[0] = "cmd"; + cmds[1] = "/c"; + cmds[2] = instanceDir +"\\" + cmd; + } else { + // UNIX + cmds = new String[3]; + cmds[0] = "/bin/sh"; + cmds[1] = "-c"; + cmds[2] = instanceDir +"/" +cmd; + } + + Process process = Runtime.getRuntime().exec(cmds); + + + process.waitFor(); + + BufferedReader pOut = null; + String l = null; + } catch (Exception e) { + + } + } // end shutdownHttpServer + /** + * Shuts down subsystems in backwards order + * exceptions are ignored. process exists at end to force exit. + */ + public void shutdown() { + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_ADMIN, + ILogger.LL_INFO, Constants.SERVER_SHUTDOWN_MESSAGE); + + CMS.debug("CMSEngine.shutdown()"); + +/* + CommandQueue commandQueue = new CommandQueue(); + Thread t1 = new Thread(commandQueue); + + t1.setDaemon(true); + t1.start(); + + // wait for command queue to emptied before proceeding to shutting down subsystems + Date time = new Date(); + long startTime = time.getTime(); + long timeOut = time.getTime(); + + while (t1.isAlive() && ((timeOut - startTime) < (60 * 1000))) //wait for 1 minute + { + try { + Thread.currentThread().sleep(5000); // sleep for 5 sec + }catch (java.lang.InterruptedException e) { + } + timeOut = time.getTime(); + } + terminateRequests(); +*/ + + shutdownSubsystems(mFinalSubsystems); + shutdownSubsystems(mDynSubsystems); + shutdownSubsystems(mStaticSubsystems); + + System.exit(0); + } + + /** + * Shuts down subsystems in backwards order + * exceptions are ignored. process exists at end to force exit. + * Added extra call to shutdown the web server. + */ + + public void forceShutdown() { + + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_ADMIN, + ILogger.LL_INFO, Constants.SERVER_SHUTDOWN_MESSAGE); + + CMS.debug("CMSEngine.forceShutdown()"); + + CommandQueue commandQueue = new CommandQueue(); + Thread t1 = new Thread(commandQueue); + + t1.setDaemon(true); + t1.start(); + + // wait for command queue to emptied before proceeding to shutting down subsystems + Date time = new Date(); + long startTime = time.getTime(); + long timeOut = time.getTime(); + + while (t1.isAlive() && ((timeOut - startTime) < (60 * 1000))) //wait for 1 minute + { + try { + Thread.currentThread().sleep(5000); // sleep for 5 sec + }catch (java.lang.InterruptedException e) { + } + timeOut = time.getTime(); + } + terminateRequests(); + + shutdownSubsystems(mFinalSubsystems); + shutdownSubsystems(mDynSubsystems); + shutdownSubsystems(mStaticSubsystems); + shutdownHttpServer(); + + } + + /** + * shuts down a subsystem list in reverse order. + */ + private void shutdownSubsystems(SubsystemInfo[] sslist) { + if (sslist == null) + return; + + for (int i = sslist.length - 1; i >= 0; i--) { + if (sslist[i] != null && sslist[i].mInstance != null) + { + sslist[i].mInstance.shutdown(); + } + } + } + + /** + * returns the main config store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * get time server started up + */ + public long getStartupTime() { + return mStartupTime; + } + + public void putPasswordCache(String tag, String pw) { + try { + PWsdrCache pwc = new PWsdrCache(); + pwc.addEntry(tag, pw); + } catch (EBaseException e) { + // intercept this for now -- don't want to change the callers + Logger.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SDR_ADD_ERROR", e.toString())); + } + } + + public PasswordCallback getPasswordCallback() { + return new PWCBsdr(); + } + + public int getpid() { + return OsSubsystem.getpid(); + } + + public Date getCurrentDate() { + if (mTimeSource == null) { + return new Date(); + } + return mTimeSource.getCurrentDate(); + } + + public void setConfigSDSessionId(String val) { + mConfigSDSessionId = val; + } + + public String getConfigSDSessionId() { + return mConfigSDSessionId; + } + + public static void upgradeConfig(IConfigStore c) + throws EBaseException { + String version = c.getString("cms.version", "pre4.2"); + + if (version.equals("4.22")) { + Upgrade.perform422to45(c); + }else if (version.equals("4.2")) { + // SUPPORT UPGRADE FROM 4.2 to 4.2 (SP2) + Upgrade.perform42to422(c); + Upgrade.perform422to45(c); + } else { + // ONLY SUPPORT UPGRADE FROM 4.2 to 4.2 (SP2) + /** + if (!version.equals("pre4.2")) + return; + + Upgrade.perform(c); + **/ + } + } + + public ICommandQueue getCommandQueue() { + return new CommandQueue(); + } + + private ICertificateRepository getCertDB() { + ICertificateRepository certDB = null; + + try { + ICertificateAuthority ca = (ICertificateAuthority) + SubsystemRegistry.getInstance().get("ca"); + + if (ca != null) { + certDB = (ICertificateRepository) ca.getCertificateRepository(); + } + } catch (Exception e) { + CMS.debug("CMSEngine: " + CMS.getLogMessage("CMSCORE_AUTH_AGENT_CERT_REPO")); + } + + return certDB; + } + + private IRequestQueue getReqQueue() { + IRequestQueue queue = null; + + try { + IRegistrationAuthority ra = (IRegistrationAuthority) + SubsystemRegistry.getInstance().get("ra"); + + if (ra != null) { + queue = ra.getRequestQueue(); + } + + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_REQUEST_QUEUE")); + } + + return queue; + } + + private VerifiedCerts mVCList = null; + private int mVCListSize = 0; + + public void setListOfVerifiedCerts(int size, long interval, long unknownStateInterval) { + if (size > 0 && mVCListSize == 0) { + mVCListSize = size; + mVCList = new VerifiedCerts(size, interval, unknownStateInterval); + } + } + + public boolean isRevoked(X509Certificate[] certificates) { + boolean revoked = false; + + if (certificates != null) { + X509CertImpl cert = (X509CertImpl) certificates[0]; + + int result = VerifiedCert.UNKNOWN; + + if (mVCList != null) { + result = mVCList.check(cert); + } + if (result != VerifiedCert.REVOKED && + result != VerifiedCert.NOT_REVOKED && + result != VerifiedCert.CHECKED) { + + CertificateRepository certDB = (CertificateRepository) getCertDB(); + + if (certDB != null) { + try { + if (certDB.isCertificateRevoked(cert) != null) { + revoked = true; + if (mVCList != null) + mVCList.update(cert, VerifiedCert.REVOKED); + } else { + if (mVCList != null) + mVCList.update(cert, VerifiedCert.NOT_REVOKED); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_REVO_STATUS")); + } + } else { + IRequestQueue queue = getReqQueue(); + + if (queue != null) { + IRequest checkRevReq = null; + + try { + checkRevReq = queue.newRequest(CertRequestConstants.GETREVOCATIONINFO_REQUEST); + checkRevReq.setExtData(IRequest.REQ_TYPE, + CertRequestConstants.GETREVOCATIONINFO_REQUEST); + checkRevReq.setExtData(IRequest.REQUESTOR_TYPE, + IRequest.REQUESTOR_RA); + + X509CertImpl agentCerts[] = new X509CertImpl[certificates.length]; + + for (int i = 0; i < certificates.length; i++) { + agentCerts[i] = (X509CertImpl) certificates[i]; + } + checkRevReq.setExtData(IRequest.ISSUED_CERTS, agentCerts); + + queue.processRequest(checkRevReq); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_PROCESS_CHECKING")); + } + + RequestStatus status = checkRevReq.getRequestStatus(); + + if (status == RequestStatus.COMPLETE) { + Enumeration enum1 = checkRevReq.getExtDataKeys(); + + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(IRequest.REVOKED_CERTS)) { + revoked = true; + if (mVCList != null) + mVCList.update(cert, VerifiedCert.REVOKED); + } + } + if (revoked == false) { + if (mVCList != null) + mVCList.update(cert, VerifiedCert.NOT_REVOKED); + } + + } else { + if (mVCList != null) + mVCList.update(cert, VerifiedCert.CHECKED); + } + } + } + } else if (result == VerifiedCert.REVOKED) { + revoked = true; + } + } + + return revoked; + } + + private void log(int level, String msg) { + Logger.getLogger().log(ILogger.EV_SYSTEM, null, + ILogger.S_AUTHENTICATION, level, msg); + } +} + + +class WarningListener implements ILogEventListener { + private StringBuffer mSB = null; + + public WarningListener(StringBuffer sb) { + mSB = sb; + } + + public void log(ILogEvent event) throws ELogException { + String str = event.toString(); + + // start.cc and restart.cc does not like carriage + // return. They are the programs that pass the + // log messages to the console + str = str.replace('\n', ' '); + if (event.getLevel() == ILogger.LL_FAILURE) { + mSB.append("FAILURE: " + str + "|"); + } + if (event.getLevel() == ILogger.LL_WARN) { + mSB.append("WARNING: " + str + "|"); + } + } + + public void flush() { + } + + public void shutdown() { + } + + public IConfigStore getConfigStore() { + return null; + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + } + + public void startup() { + } + + /** + * Retrieve last "maxLine" number of system log with log lever >"level" + * and from source "source". If the parameter is omitted. All entries + * are sent back. + */ + public synchronized NameValuePairs retrieveLogContent(Hashtable req) throws ServletException, + IOException, EBaseException { + return null; + } + + /** + * Retrieve log file list. + */ + public synchronized NameValuePairs retrieveLogList(Hashtable req) throws ServletException, + IOException, EBaseException { + return null; + } + + public String getImplName() { + return "ConsoleLog"; + } + + public String getDescription() { + return "ConsoleLog"; + } + + public Vector getDefaultParams() { + Vector v = new Vector(); + + return v; + } + + public Vector getInstanceParams() { + Vector v = new Vector(); + + return v; + } +} + + +class SubsystemInfo { + public final String mId; + public final ISubsystem mInstance; + public SubsystemInfo(String id, ISubsystem ssInstance) { + mId = id; + mInstance = ssInstance; + } + +} + diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CommandQueue.java b/pki/base/common/src/com/netscape/cmscore/apps/CommandQueue.java new file mode 100644 index 000000000..638eae082 --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/CommandQueue.java @@ -0,0 +1,98 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +import java.util.Hashtable; +import java.util.Enumeration; +import java.util.TimeZone; +import com.netscape.certsrv.apps.*; + + +/*--------------------------------------------------------------- + ** CommandQueue - Class + */ + +/** + * register and unregister proccess for clean shutdown + */ +public class CommandQueue implements Runnable, ICommandQueue { + + public static Hashtable mCommandQueue = new Hashtable(); + public static boolean mShuttingDown = false; + + /*----------------------------------------------------------- + ** CommandQueue - Constructor + */ + + /** + * Main constructor. + */ + public CommandQueue() { + + } // CommandQueue + + /*----------------------------------------------------------- + ** run + */ + + /** + * Overrides Thread.run(), calls batchPublish(). + */ + public void run() { + //int priority = Thread.MIN_PRIORITY; + //Thread.currentThread().setPriority(priority); + /*------------------------------------------------- + ** Loop until queue is empty + */ + mShuttingDown = true; + while (mCommandQueue.isEmpty() == false) { + try { + Thread.currentThread().sleep(5 * 1000); + //gcProcess(); + } catch (Exception e) { + + } + } + } // run + + public boolean registerProcess(Object currentRequest, Object currentServlet) { + if (mShuttingDown == false) { + if ((currentServlet instanceof com.netscape.cms.servlet.base.CMSStartServlet) == false) + mCommandQueue.put(currentRequest, currentServlet); + return true; + }else + return false; + + } + + public void unRegisterProccess(Object currentRequest, Object currentServlet) { + java.util.Enumeration e = mCommandQueue.keys(); + + while (e.hasMoreElements()) { + Object thisRequest = e.nextElement(); + + if (thisRequest.equals(currentRequest)) { + if (mCommandQueue.get(currentRequest).equals(currentServlet)) + mCommandQueue.remove(currentRequest); + } + } + + } +} // CommandQueue + diff --git a/pki/base/common/src/com/netscape/cmscore/apps/PKIServerEvent.java b/pki/base/common/src/com/netscape/cmscore/apps/PKIServerEvent.java new file mode 100644 index 000000000..27d2e3f7d --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/PKIServerEvent.java @@ -0,0 +1,43 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +/** + * A class represents a PKIServer event. + * <P> + * + * @author thomask + * @version $Revision$, $Date$ + */ +public class PKIServerEvent { + + public final static int INITIALIZED = 0; + public final static int STARTED_UP = 1; + public final static int STOPPED = 2; + + public int mStatus; + + public PKIServerEvent(int status) { + mStatus = status; + } + + public int getStatus() { + return mStatus; + } +} diff --git a/pki/base/common/src/com/netscape/cmscore/apps/PKIServerListener.java b/pki/base/common/src/com/netscape/cmscore/apps/PKIServerListener.java new file mode 100644 index 000000000..78fe9069f --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/PKIServerListener.java @@ -0,0 +1,36 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +/** + * A class represents a listener that listens to + * PKIServer event. + * <P> + * + * @author thomask + * @version $Revision$, $Date$ + */ +public class PKIServerListener { + + /** + * Updates listener with the server event. + */ + public void update(PKIServerEvent e) { + } +} diff --git a/pki/base/common/src/com/netscape/cmscore/apps/Setup.java b/pki/base/common/src/com/netscape/cmscore/apps/Setup.java new file mode 100644 index 000000000..21a39ec8f --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/Setup.java @@ -0,0 +1,347 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +import java.io.File; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.base.EBaseException; +import netscape.ldap.*; +import java.io.*; + + +/** + * Select certificate server serices. + * + * @author thomask + * @author nicolson + * @version $Revision$, $Date$ + */ +public class Setup { + + // These are a bunch of fixed values that just need to be stored to the + // config file before the server is started. + public static final String[][] authEntries = new String[][] { + {"auths._000", "##"}, + {"auths._001", "## new authentication"}, + {"auths._002", "##"}, + {"auths.impl._000", "##"}, + {"auths.impl._001", "## authentication manager implementations"}, + {"auths.impl._002", "##"}, + {"auths.impl.UidPwdDirAuth.class", "com.netscape.cms.authentication.UidPwdDirAuthentication"}, + {"auths.impl.UidPwdPinDirAuth.class", "com.netscape.cms.authentication.UidPwdPinDirAuthentication"}, + {"auths.impl.UdnPwdDirAuth.class", "com.netscape.cms.authentication.UdnPwdDirAuthentication"}, + {"auths.impl.NISAuth.class", "com.netscape.cms.authentication.NISAuth"}, + {"auths.impl.CMCAuth.class", "com.netscape.cms.authentication.CMCAuth"}, + {"auths.impl.AgentCertAuth.class", "com.netscape.cms.authentication.AgentCertAuthentication"}, + {"auths.impl.PortalEnroll.class", "com.netscape.cms.authentication.PortalEnroll" + }, + {"auths.revocationChecking.bufferSize", "50"}, + }; + public static void installAuthImpls(IConfigStore c) + throws EBaseException { + for (int i = 0; i < authEntries.length; i++) { + c.putString(authEntries[i][0], authEntries[i][1]); + } + } + + public static final String[][] oidmapEntries = new String[][] { + {"oidmap.pse.class", "netscape.security.extensions.PresenceServerExtension"}, + {"oidmap.pse.oid", "2.16.840.1.113730.1.18"}, + {"oidmap.ocsp_no_check.class", "netscape.security.extensions.OCSPNoCheckExtension"}, + {"oidmap.ocsp_no_check.oid", "1.3.6.1.5.5.7.48.1.5"}, + {"oidmap.netscape_comment.class", "netscape.security.x509.NSCCommentExtension"}, + {"oidmap.netscape_comment.oid", "2.16.840.1.113730.1.13"}, + {"oidmap.extended_key_usage.class", "netscape.security.extensions.ExtendedKeyUsageExtension"}, + {"oidmap.extended_key_usage.oid", "2.5.29.37"}, + {"oidmap.subject_info_access.class", "netscape.security.extensions.SubjectInfoAccessExtension"}, + {"oidmap.subject_info_access.oid", "1.3.6.1.5.5.7.1.11"}, + {"oidmap.auth_info_access.class", "netscape.security.extensions.AuthInfoAccessExtension"}, + {"oidmap.auth_info_access.oid", "1.3.6.1.5.5.7.1.1"}, + {"oidmap.challenge_password.class", "com.netscape.cms.servlet.cert.scep.ChallengePassword"}, + {"oidmap.challenge_password.oid", "1.2.840.113549.1.9.7"}, + {"oidmap.extensions_requested_vsgn.class", "com.netscape.cms.servlet.cert.scep.ExtensionsRequested"}, + {"oidmap.extensions_requested_vsgn.oid", "2.16.840.1.113733.1.9.8"}, + {"oidmap.extensions_requested_pkcs9.class", "com.netscape.cms.servlet.cert.scep.ExtensionsRequested"}, + {"oidmap.extensions_requested_pkcs9.oid", "1.2.840.113549.1.9.14"}, + }; + + public static void installOIDMap(IConfigStore c) + throws EBaseException { + for (int i = 0; i < oidmapEntries.length; i++) { + c.putString(oidmapEntries[i][0], oidmapEntries[i][1]); + } + } + + /** + * This function is used for installation and upgrade. + */ + public static void installPolicyImpls(String prefix, IConfigStore c) + throws EBaseException { + boolean isCA = false; + + if (prefix.equals("ca")) + isCA = true; + + // + // Policy implementations (class names) + // + c.putString(prefix + ".Policy.impl._000", "##"); + c.putString(prefix + ".Policy.impl._001", + "## Policy Implementations"); + c.putString(prefix + ".Policy.impl._002", "##"); + c.putString( + prefix + ".Policy.impl.KeyAlgorithmConstraints.class", + "com.netscape.cmscore.policy.KeyAlgorithmConstraints"); + c.putString( + prefix + ".Policy.impl.DSAKeyConstraints.class", + "com.netscape.cmscore.policy.DSAKeyConstraints"); + c.putString( + prefix + ".Policy.impl.RSAKeyConstraints.class", + "com.netscape.cmscore.policy.RSAKeyConstraints"); + c.putString( + prefix + ".Policy.impl.SigningAlgorithmConstraints.class", + "com.netscape.cmscore.policy.SigningAlgorithmConstraints"); + c.putString( + prefix + ".Policy.impl.ValidityConstraints.class", + "com.netscape.cmscore.policy.ValidityConstraints"); + + /** + c.putString( + prefix + ".Policy.impl.NameConstraints.class", + "com.netscape.cmscore.policy.NameConstraints"); + **/ + c.putString( + prefix + ".Policy.impl.RenewalConstraints.class", + "com.netscape.cmscore.policy.RenewalConstraints"); + c.putString( + prefix + ".Policy.impl.RenewalValidityConstraints.class", + "com.netscape.cmscore.policy.RenewalValidityConstraints"); + c.putString( + prefix + ".Policy.impl.RevocationConstraints.class", + "com.netscape.cmscore.policy.RevocationConstraints"); + //getTempCMSConfig().putString( + // prefix + ".Policy.impl.DefaultRevocation.class", + // "com.netscape.cmscore.policy.DefaultRevocation"); + c.putString( + prefix + ".Policy.impl.NSCertTypeExt.class", + "com.netscape.cmscore.policy.NSCertTypeExt"); + c.putString( + prefix + ".Policy.impl.KeyUsageExt.class", + "com.netscape.cmscore.policy.KeyUsageExt"); + c.putString( + prefix + ".Policy.impl.SubjectKeyIdentifierExt.class", + "com.netscape.cmscore.policy.SubjectKeyIdentifierExt"); + c.putString( + prefix + ".Policy.impl.CertificatePoliciesExt.class", + "com.netscape.cmscore.policy.CertificatePoliciesExt"); + c.putString( + prefix + ".Policy.impl.NSCCommentExt.class", + "com.netscape.cmscore.policy.NSCCommentExt"); + c.putString( + prefix + ".Policy.impl.IssuerAltNameExt.class", + "com.netscape.cmscore.policy.IssuerAltNameExt"); + c.putString( + prefix + ".Policy.impl.PrivateKeyUsagePeriodExt.class", + "com.netscape.cmscore.policy.PrivateKeyUsagePeriodExt"); + c.putString( + prefix + ".Policy.impl.AttributePresentConstraints.class", + "com.netscape.cmscore.policy.AttributePresentConstraints"); + c.putString( + prefix + ".Policy.impl.SubjectAltNameExt.class", + "com.netscape.cmscore.policy.SubjectAltNameExt"); + c.putString( + prefix + ".Policy.impl.SubjectDirectoryAttributesExt.class", + "com.netscape.cmscore.policy.SubjectDirectoryAttributesExt"); + c.putString( + prefix + ".Policy.impl.CertificateRenewalWindowExt.class", + "com.netscape.cmscore.policy.CertificateRenewalWindowExt"); + c.putString( + prefix + ".Policy.impl.CertificateScopeOfUseExt.class", + "com.netscape.cmscore.policy.CertificateScopeOfUseExt"); + if (isCA) { + c.putString( + prefix + ".Policy.impl.AuthorityKeyIdentifierExt.class", + "com.netscape.cmscore.policy.AuthorityKeyIdentifierExt"); + c.putString( + prefix + ".Policy.impl.BasicConstraintsExt.class", + "com.netscape.cmscore.policy.BasicConstraintsExt"); + c.putString( + prefix + ".Policy.impl.SubCANameConstraints.class", + "com.netscape.cmscore.policy.SubCANameConstraints"); + } + c.putString( + prefix + ".Policy.impl.CRLDistributionPointsExt.class", + "com.netscape.cmscore.policy.CRLDistributionPointsExt"); + c.putString( + prefix + ".Policy.impl.AuthInfoAccessExt.class", + "com.netscape.cmscore.policy.AuthInfoAccessExt"); + c.putString( + prefix + ".Policy.impl.OCSPNoCheckExt.class", + "com.netscape.cmscore.policy.OCSPNoCheckExt"); + c.putString( + prefix + ".Policy.impl.ExtendedKeyUsageExt.class", + "com.netscape.cmscore.policy.ExtendedKeyUsageExt"); + if (isCA) { + c.putString( + prefix + ".Policy.impl.UniqueSubjectNameConstraints.class", + "com.netscape.cmscore.policy.UniqueSubjectNameConstraints"); + } + c.putString( + prefix + ".Policy.impl.GenericASN1Ext.class", + "com.netscape.cmscore.policy.GenericASN1Ext"); + c.putString( + prefix + ".Policy.impl.RemoveBasicConstraintsExt.class", + "com.netscape.cmscore.policy.RemoveBasicConstraintsExt"); + } + + /** + * This function is used for installation and upgrade. + */ + public static void installCACRLExtensions(IConfigStore c) + throws EBaseException { + // ca crl extensions + + // AuthorityKeyIdentifier + c.putString("ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable", + "false"); + c.putString("ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical", + "false"); + c.putString("ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type", + "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class", + "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + + // IssuerAlternativeName + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.enable", + "false"); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.critical", + "false"); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.type", + "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.class", + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames", "0"); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0", ""); + c.putString("ca.crl.MasterCRL.extension.IssuerAlternativeName.name0", ""); + + // CRLNumber + c.putString("ca.crl.MasterCRL.extension.CRLNumber.enable", "true"); + c.putString("ca.crl.MasterCRL.extension.CRLNumber.critical", "false"); + c.putString("ca.crl.MasterCRL.extension.CRLNumber.type", "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.CRLNumber.class", + "com.netscape.cms.crl.CMSCRLNumberExtension"); + + // DeltaCRLIndicator + c.putString("ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable", "false"); + c.putString("ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical", "true"); + c.putString("ca.crl.MasterCRL.extension.DeltaCRLIndicator.type", "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.DeltaCRLIndicator.class", + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + + // IssuingDistributionPoint + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable", + "false"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical", + "true"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.type", + "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.class", + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType", ""); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName", ""); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts", + "false"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts", + "false"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons", ""); + //"keyCompromise,cACompromise,affiliationChanged,superseded,cessationOfOperation,certificateHold"); + c.putString("ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL", + "false"); + + // CRLReason + c.putString("ca.crl.MasterCRL.extension.CRLReason.enable", "true"); + c.putString("ca.crl.MasterCRL.extension.CRLReason.critical", "false"); + c.putString("ca.crl.MasterCRL.extension.CRLReason.type", "CRLEntryExtension"); + c.putString("ca.crl.MasterCRL.extension.CRLReason.class", + "com.netscape.cms.crl.CMSCRLReasonExtension"); + + // HoldInstruction + c.putString("ca.crl.MasterCRL.extension.HoldInstruction.enable", "false"); + c.putString("ca.crl.MasterCRL.extension.HoldInstruction.critical", "false"); + c.putString("ca.crl.MasterCRL.extension.HoldInstruction.type", "CRLEntryExtension"); + c.putString("ca.crl.MasterCRL.extension.HoldInstruction.class", + "com.netscape.cms.crl.CMSHoldInstructionExtension"); + c.putString("ca.crl.MasterCRL.extension.HoldInstruction.instruction", "none"); + + // InvalidityDate + c.putString("ca.crl.MasterCRL.extension.InvalidityDate.enable", "true"); + c.putString("ca.crl.MasterCRL.extension.InvalidityDate.critical", "false"); + c.putString("ca.crl.MasterCRL.extension.InvalidityDate.type", "CRLEntryExtension"); + c.putString("ca.crl.MasterCRL.extension.InvalidityDate.class", + "com.netscape.cms.crl.CMSInvalidityDateExtension"); + + // CertificateIssuer + /* + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.enable", "false"); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.critical", "true"); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.type", "CRLEntryExtension"); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.class", + "com.netscape.cms.crl.CMSCertificateIssuerExtension"); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.numNames", "0"); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.nameType0", ""); + c.putString("ca.crl.MasterCRL.extension.CertificateIssuer.name0", ""); + */ + + // FreshestCRL + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.enable", "false"); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.critical", "false"); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.type", "CRLExtension"); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.class", + "com.netscape.cms.crl.CMSFreshestCRLExtension"); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.numPoints", "0"); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.pointType0", ""); + c.putString("ca.crl.MasterCRL.extension.FreshestCRL.pointName0", ""); + } + + public static void installCAPublishingImpls(IConfigStore c) + throws EBaseException { + for (int i = 0; i < caLdappublishImplsEntries.length; i++) { + c.putString( + caLdappublishImplsEntries[i][0], caLdappublishImplsEntries[i][1]); + } + } + + private static final String[][] caLdappublishImplsEntries = new String[][] { + {"ca.publish.mapper.impl.LdapCaSimpleMap.class", "com.netscape.cms.publish.LdapCaSimpleMap"}, + {"ca.publish.mapper.impl.LdapSimpleMap.class", "com.netscape.cms.publish.LdapSimpleMap"}, + {"ca.publish.mapper.impl.LdapEnhancedMap.class", "com.netscape.cms.publish.LdapEnhancedMap"}, + {"ca.publish.mapper.impl.LdapDNCompsMap.class", "com.netscape.cms.publish.LdapCertCompsMap"}, + {"ca.publish.mapper.impl.LdapSubjAttrMap.class", "com.netscape.cms.publish.LdapCertSubjMap"}, + {"ca.publish.mapper.impl.LdapDNExactMap.class", "com.netscape.cms.publish.LdapCertExactMap"}, + //{"ca.publish.mapper.impl.LdapCrlIssuerCompsMap.class","com.netscape.cms.publish.LdapCrlIssuerCompsMap"}, + {"ca.publish.publisher.impl.LdapUserCertPublisher.class", "com.netscape.cms.publish.LdapUserCertPublisher"}, + {"ca.publish.publisher.impl.LdapCaCertPublisher.class", "com.netscape.cms.publish.LdapCaCertPublisher"}, + {"ca.publish.publisher.impl.LdapCrlPublisher.class", "com.netscape.cms.publish.LdapCrlPublisher"}, + {"ca.publish.publisher.impl.FileBasedPublisher.class", "com.netscape.cms.publish.FileBasedPublisher"}, + {"ca.publish.publisher.impl.OCSPPublisher.class", "com.netscape.cms.publish.OCSPPublisher"}, + {"ca.publish.rule.impl.Rule.class", "com.netscape.cmscore.ldap.LdapRule"}, + }; + +} diff --git a/pki/base/common/src/com/netscape/cmscore/apps/Upgrade.java b/pki/base/common/src/com/netscape/cmscore/apps/Upgrade.java new file mode 100644 index 000000000..f04eb1869 --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/apps/Upgrade.java @@ -0,0 +1,339 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.apps; + + +import netscape.ldap.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.ldap.*; +import com.netscape.cmscore.util.*; +import org.mozilla.jss.util.Password; +import org.mozilla.jss.util.PasswordCallback; +import org.mozilla.jss.util.PasswordCallbackInfo; +import org.mozilla.jss.util.ConsolePasswordCallback; +import java.io.File; +import java.lang.*; + + +public final class Upgrade { + public static void perform422to45(IConfigStore c) + throws EBaseException { + jss3(c); + c.putInteger("agentGateway.https.timeout", 120); + IConfigStore cs = c.getSubStore("ca"); + + if (cs != null && cs.size() > 0) { + c.putString("ca.publish.mapper.impl.LdapEnhancedMap.class", + "com.netscape.certsrv.ldap.LdapEnhancedMap"); + } + c.putString("cms.version", "4.5"); + c.commit(false); + } + + public static void perform42to422(IConfigStore c) + throws EBaseException { + // upgrade CMS's configuration parameters + c.putString("eeGateway.dynamicVariables", + "serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl()"); + + // new OCSP Publisher implemention + c.putString("ra.publish.publisher.impl.OCSPPublisher.class", + "com.netscape.certsrv.ldap.OCSPPublisher"); + c.putString("ca.publish.publisher.impl.OCSPPublisher.class", + "com.netscape.certsrv.ldap.OCSPPublisher"); + + // new logging framework + c.putString("log.impl.file.class", + "com.netscape.certsrv.logging.RollingLogFile"); + + c.putString("log.instance.Audit.bufferSize", + c.getString("logAudit.bufferSize")); + c.putString("log.instance.Audit.enable", + c.getString("logAudit.on")); + // This feature doesnot work in the previous release + // But it works now. I don't want people to have their + // logs auto deleted without notice.It's dangerous. + c.putString("log.instance.Audit.expirationTime", + "0"); //Specifically turn it off. + // c.getString("logAudit.expirationTime")); + c.putString("log.instance.Audit.fileName", + c.getString("logAudit.fileName")); + c.putString("log.instance.Audit.flushInterval", + c.getString("logAudit.flushInterval")); + c.putString("log.instance.Audit.level", + c.getString("logAudit.level")); + c.putString("log.instance.Audit.maxFileSize", + c.getString("logAudit.maxFileSize")); + c.putString("log.instance.Audit.pluginName", + "file"); + c.putString("log.instance.Audit.rolloverInterval", + c.getString("logAudit.rolloverInterval")); + c.putString("log.instance.Audit.type", + "audit"); + + c.putString("log.instance.Error.bufferSize", + c.getString("logError.bufferSize")); + c.putString("log.instance.Error.enable", + c.getString("logError.on")); + c.putString("log.instance.Error.expirationTime", + "0"); //Specifically turn it off. + // c.getString("logError.expirationTime")); + c.putString("log.instance.Error.fileName", + c.getString("logError.fileName")); + c.putString("log.instance.Error.flushInterval", + c.getString("logError.flushInterval")); + c.putString("log.instance.Error.level", + c.getString("logError.level")); + c.putString("log.instance.Error.maxFileSize", + c.getString("logError.maxFileSize")); + c.putString("log.instance.Error.pluginName", + "file"); + c.putString("log.instance.Error.rolloverInterval", + c.getString("logError.rolloverInterval")); + c.putString("log.instance.Error.type", + "system"); + + c.putString("log.instance.System.bufferSize", + c.getString("logSystem.bufferSize")); + c.putString("log.instance.System.enable", + c.getString("logSystem.on")); + c.putString("log.instance.System.expirationTime", + "0"); //Specifically turn it off. + // c.getString("logSystem.expirationTime")); + c.putString("log.instance.System.fileName", + c.getString("logSystem.fileName")); + c.putString("log.instance.System.flushInterval", + c.getString("logSystem.flushInterval")); + c.putString("log.instance.System.level", + c.getString("logSystem.level")); + c.putString("log.instance.System.maxFileSize", + c.getString("logSystem.maxFileSize")); + c.putString("log.instance.System.pluginName", + "file"); + c.putString("log.instance.System.rolloverInterval", + c.getString("logSystem.rolloverInterval")); + c.putString("log.instance.System.type", + "system"); + + if (!OsSubsystem.isUnix()) { + c.putString("log.impl.NTEventLog.class", + "com.netscape.certsrv.logging.NTEventLog"); + + c.putString("log.instance.NTAudit.NTEventSourceName", + c.getString("logNTAudit.NTEventSourceName")); + c.putString("log.instance.NTAudit.enable", + c.getString("logNTAudit.on")); + c.putString("log.instance.NTAudit.level", + c.getString("logNTAudit.level")); + c.putString("log.instance.NTAudit.pluginName", + "NTEventLog"); + c.putString("log.instance.NTAudit.type", + "system"); + + c.putString("log.instance.NTSystem.NTEventSourceName", + c.getString("logNTSystem.NTEventSourceName")); + c.putString("log.instance.NTSystem.enable", + c.getString("logNTSystem.on")); + c.putString("log.instance.NTSystem.level", + c.getString("logNTSystem.level")); + c.putString("log.instance.NTSystem.pluginName", + "NTEventLog"); + c.putString("log.instance.NTSystem.type", + "system"); + } + c.putString("cms.version", "4.22"); + c.commit(false); + } + + /** + * This method handles pre4.2 -> 4.2 configuration + * upgrade. + */ + public static void perform(IConfigStore c) + throws EBaseException { + boolean isCA = false; + boolean isRA = false; + boolean isKRA = false; + + // determine what subsystems do we have? + IConfigStore cs = c.getSubStore("ca"); + + if (cs != null && cs.size() > 0) { + isCA = true; + } + cs = c.getSubStore("ra"); + if (cs != null && cs.size() > 0) { + isRA = true; + } + cs = c.getSubStore("kra"); + if (cs != null && cs.size() > 0) { + isKRA = true; + } + + Setup.installAuthImpls(c); + Setup.installOIDMap(c); + + // start upgrade processing + if (isCA) { + Setup.installPolicyImpls("ca", c); + Setup.installCACRLExtensions(c); + Setup.installCAPublishingImpls(c); + caPublishing(c); + } + + if (isRA) { + Setup.installPolicyImpls("ra", c); + } + + c.putString("eeGateway.dynamicVariables", + "serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs()"); + + c.putString("cms.version", "4.2"); + // Assumed user backups (including CMS.cfg) the system before + // upgrading + c.commit(false); + } + + /** + * Upgrade publishing. This function upgrades both enabled + * or disabled publishing configuration. + */ + public static void caPublishing(IConfigStore c) + throws EBaseException { + c.putString("ca.publish.enable", + c.getString("ca.enableLdapPublish", "false")); + c.putString("ca.publish.ldappublish.enable", + c.getString("ca.enableLdapPublish", "false")); + c.putString("ca.publish.ldappublish.ldap.ldapauth.authtype", + c.getString("ca.ldappublish.ldap.ldapauth.authtype", "BasicAuth")); + c.putString("ca.publish.ldappublish.ldap.ldapauth.bindDN", + c.getString("ca.ldappublish.ldap.ldapauth.bindDN", "")); + c.putString("ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt", + c.getString("ca.ldappublish.ldap.ldapauth.bindPWPrompt", "LDAP Publishing")); + c.putString("ca.publish.ldappublish.ldap.ldapconn.host", + c.getString("ca.ldappublish.ldap.ldapconn.host", "")); + c.putString("ca.publish.ldappublish.ldap.ldapconn.port", + c.getString("ca.ldappublish.ldap.ldapconn.port", "")); + c.putString("ca.publish.ldappublish.ldap.ldapconn.secureConn", + c.getString("ca.ldappublish.ldap.ldapconn.secureConn", "false")); + c.putString("ca.publish.ldappublish.ldap.ldapconn.version", + c.getString("ca.ldappublish.ldap.ldapconn.version", "2")); + + // mappers + c.putString("ca.publish.mapper.instance.LdapCaCertMap.pluginName", + "LdapDNCompsMap"); + c.putString("ca.publish.mapper.instance.LdapCaCertMap.dnComps", + c.getString("ca.ldappublish.type.ca.mapper.dnComps")); + c.putString("ca.publish.mapper.instance.LdapCaCertMap.filterComps", + c.getString("ca.ldappublish.type.ca.mapper.filterComps")); + c.putString("ca.publish.mapper.instance.LdapCaCertMap.baseDN", + c.getString("ca.ldappublish.type.ca.mapper.baseDN")); + + c.putString("ca.publish.mapper.instance.LdapCrlMap.pluginName", + "LdapDNCompsMap"); + c.putString("ca.publish.mapper.instance.LdapCrlMap.dnComps", + c.getString("ca.ldappublish.type.crl.mapper.dnComps")); + c.putString("ca.publish.mapper.instance.LdapCrlMap.filterComps", + c.getString("ca.ldappublish.type.crl.mapper.filterComps")); + c.putString("ca.publish.mapper.instance.LdapCrlMap.baseDN", + c.getString("ca.ldappublish.type.crl.mapper.baseDN")); + c.putString("ca.publish.mapper.instance.LdapUserCertMap.pluginName", + "LdapDNCompsMap"); + c.putString("ca.publish.mapper.instance.LdapUserCertMap.dnComps", + c.getString("ca.ldappublish.type.client.mapper.dnComps")); + c.putString("ca.publish.mapper.instance.LdapUserCertMap.filterComps", + c.getString("ca.ldappublish.type.client.mapper.filterComps")); + c.putString("ca.publish.mapper.instance.LdapUserCertMap.baseDN", + c.getString("ca.ldappublish.type.client.mapper.baseDN")); + + // publishers + c.putString("ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr", "caCertificate;binary"); + c.putString("ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass", "certificationAuthority"); + c.putString("ca.publish.publisher.instance.LdapCaCertPublisher.pluginName", "LdapCaCertPublisher"); + c.putString("ca.publish.publisher.instance.LdapCrlPublisher.crlAttr", "certificateRevocationList;binary"); + c.putString("ca.publish.publisher.instance.LdapCrlPublisher.pluginName", "LdapCrlPublisher"); + c.putString("ca.publish.publisher.instance.LdapUserCertPublisher.certAttr", "userCertificate;binary"); + c.putString("ca.publish.publisher.instance.LdapUserCertPublisher.pluginName", "LdapUserCertPublisher"); + + // rules + c.putString("ca.publish.rule.instance.LdapCaCertRule.pluginName ", + "Rule"); + c.putString("ca.publish.rule.instance.LdapCaCertRule.predicate", + ""); + c.putString("ca.publish.rule.instance.LdapCaCertRule.publisher", + "LdapCaCertPublisher"); + c.putString("ca.publish.rule.instance.LdapCaCertRule.type", + "cacert"); + c.putString("ca.publish.rule.instance.LdapCaCertRule.enable", + "true"); + c.putString("ca.publish.rule.instance.LdapCaCertRule.mapper", + "LdapCaCertMap"); + + c.putString("ca.publish.rule.instance.LdapCrlRule.pluginName", + "Rule"); + c.putString("ca.publish.rule.instance.LdapCrlRule.predicate", ""); + c.putString("ca.publish.rule.instance.LdapCrlRule.publisher", + "LdapCrlPublisher"); + c.putString("ca.publish.rule.instance.LdapCrlRule.type", "crl"); + c.putString("ca.publish.rule.instance.LdapCrlRule.enable", "true"); + c.putString("ca.publish.rule.instance.LdapCrlRule.mapper", + "LdapCrlMap"); + + c.putString("ca.publish.rule.instance.LdapUserCertRule.pluginName", + "Rule"); + c.putString("ca.publish.rule.instance.LdapUserCertRule.predicate", ""); + c.putString("ca.publish.rule.instance.LdapUserCertRule.publisher", + "LdapUserCertPublisher"); + c.putString("ca.publish.rule.instance.LdapUserCertRule.type", "certs"); + c.putString("ca.publish.rule.instance.LdapUserCertRule.enable", "true"); + c.putString("ca.publish.rule.instance.LdapUserCertRule.mapper", + "LdapUserCertMap"); + + c.removeSubStore("ca.ldappublish"); + } + + /** + * Upgrade publishing. This function upgrades both enabled + * or disabled publishing configuration. + */ + public static void jss3(IConfigStore c) + throws EBaseException { + String moddb = c.getString("jss.moddb"); + + if (moddb == null) return; + + int i = moddb.lastIndexOf("/"); + String dir = moddb.substring(0, i); + String secmodName = moddb.substring(i + 1); + String certdb = c.getString("jss.certdb"); + + i = certdb.indexOf("/config/cert7.db"); + certdb = certdb.substring(0, i); + i = certdb.lastIndexOf("/"); + String instID = certdb.substring(i + 1); + String certPrefix = ".." + File.separator + ".." + File.separator + instID + + File.separator + "config" + File.separator; + String keyPrefix = certPrefix; + + c.putString("jss.certPrefix", certPrefix.replace('\\', '/')); + c.putString("jss.keyPrefix", keyPrefix.replace('\\', '/')); + c.putString("jss.configDir", dir.replace('\\', '/')); + c.putString("jss.secmodName", secmodName); + + } +} |