Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java | 198 |
1 files changed, 103 insertions, 95 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java b/pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java index bf698ddad..d4bc5e46e 100644 --- a/pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java +++ b/pki/base/common/src/com/netscape/cmscore/authentication/ChallengePhraseAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.authentication; - import java.math.BigInteger; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -50,14 +49,12 @@ import com.netscape.cmscore.dbs.CertRecord; import com.netscape.cmscore.dbs.CertificateRepository; import com.netscape.cmscore.util.Debug; - /** - * Challenge phrase based authentication. - * Maps a certificate to the request in the - * internal database and further compares the challenge phrase with - * that from the EE input. + * Challenge phrase based authentication. Maps a certificate to the request in + * the internal database and further compares the challenge phrase with that + * from the EE input. * <P> - * + * * @author cfu chrisho * @version $Revision$, $Date$ */ @@ -69,7 +66,7 @@ public class ChallengePhraseAuthentication implements IAuthManager { /* required credentials */ public static final String CRED_CERT_SERIAL = IAuthManager.CRED_CERT_SERIAL_TO_REVOKE; public static final String CRED_CHALLENGE = "challengePhrase"; - protected String[] mRequiredCreds = { CRED_CERT_SERIAL, CRED_CHALLENGE}; + protected String[] mRequiredCreds = { CRED_CERT_SERIAL, CRED_CHALLENGE }; /* config parameters to pass to console (none) */ protected static String[] mConfigParams = null; 
@@ -86,7 +83,7 @@ public class ChallengePhraseAuthentication implements IAuthManager { private Vector mID = null; private MessageDigest mSHADigest = null; - // request attributes hacks + // request attributes hacks public static final String CHALLENGE_PHRASE = CRED_CHALLENGE; public static final String SUBJECTNAME = "subjectName"; public static final String SERIALNUMBER = "serialNumber"; @@ -98,14 +95,15 @@ public class ChallengePhraseAuthentication implements IAuthManager { /** * initializes the ChallengePhraseAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available + * authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -113,12 +111,13 @@ public class ChallengePhraseAuthentication implements IAuthManager { try { mSHADigest = MessageDigest.getInstance("SHA1"); } catch (NoSuchAlgorithmException e) { - throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); + throw new EAuthException(CMS.getUserMessage( + "CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage())); } log(ILogger.LL_INFO, CMS.getLogMessage("INIT_DONE", name)); } - + /** * Gets the name of this authentication manager. */ 
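Review bot: The only hashing primitive this manager sets up is `mSHADigest = MessageDigest.getInstance("SHA1")` in init(), so the challenge phrase that compareChallengePassword later matches against the stored META_CHALLENGE_PHRASE is presumably a bare, unsalted SHA-1 of a user-chosen phrase, which anyone who can read the cert record's metaInfo can brute-force offline. The hunk only re-wraps the surrounding throw, so this is pre-existing, but it deserves a visible marker; I would add `// NOTE: unsalted SHA-1 of the challenge phrase — offline-brute-forceable if metaInfo leaks; see compareChallengePassword` above the getInstance call. Moving to a salted, iterated construction (PBKDF2WithHmacSHA256 is in the JDK) changes the stored format and would need a migration path for existing records, so that is a separate change.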
@@ -132,26 +131,26 @@ public class ChallengePhraseAuthentication implements IAuthManager { public String getImplName() { return mImplName; } - + /** * authenticates revocation of a certification by a challenge phrase * <p> - * called by other subsystems or their servlets to authenticate - * a revocation request - * @param authCred - authentication credential that contains - * a Certificate to revoke + * called by other subsystems or their servlets to authenticate a revocation + * request + * + * @param authCred - authentication credential that contains a Certificate + * to revoke * @return the authentication token that contains the request id - * + * * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - mCA = (ICertificateAuthority) - SubsystemRegistry.getInstance().get("ca"); + throws EMissingCredential, EInvalidCredentials, EBaseException { + mCA = (ICertificateAuthority) SubsystemRegistry.getInstance().get("ca"); if (mCA != null) { mCertDB = (CertificateRepository) mCA.getCertificateRepository(); 
@@ -160,13 +159,10 @@ public class ChallengePhraseAuthentication implements IAuthManager { AuthToken authToken = new AuthToken(this); /* - X509Certificate[] x509Certs = - (X509Certificate[]) authCred.get(CRED_CERT); - if (x509Certs == null) { - log(ILogger.LL_FAILURE, - " missing cert credential."); - throw new EMissingCredential(CRED_CERT_SERIAL); - } + * X509Certificate[] x509Certs = (X509Certificate[]) + * authCred.get(CRED_CERT); if (x509Certs == null) { + * log(ILogger.LL_FAILURE, " missing cert credential."); throw new + * EMissingCredential(CRED_CERT_SERIAL); } */ String serialNumString = (String) authCred.get(CRED_CERT_SERIAL); 
@@ -174,42 +170,45 @@ public class ChallengePhraseAuthentication implements IAuthManager { BigInteger serialNum = null; if (serialNumString == null || serialNumString.equals("")) - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CERT_SERIAL)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CERT_SERIAL)); else { - //serialNumString = getDecimalStr(serialNumString); + // serialNumString = getDecimalStr(serialNumString); try { serialNumString = serialNumString.trim(); - if (serialNumString.startsWith("0x") || serialNumString.startsWith("0X")) { - serialNum = new - BigInteger(serialNumString.substring(2), 16); + if (serialNumString.startsWith("0x") + || serialNumString.startsWith("0X")) { + serialNum = new BigInteger(serialNumString.substring(2), 16); } else { - serialNum = new - BigInteger(serialNumString); + serialNum = new BigInteger(serialNumString); } - + } catch (NumberFormatException e) { - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "Invalid serial number.")); + throw new EAuthUserError(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "Invalid serial number.")); } } String challenge = (String) authCred.get(CRED_CHALLENGE); if (challenge == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CHALLENGE)); + throw new EMissingCredential(CMS.getUserMessage( + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CHALLENGE)); } if (challenge.equals("")) { // empty challenge not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_REVO_ATTEMPT", serialNum.toString())); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_AUTH_REVO_ATTEMPT", + serialNum.toString())); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - 
/* maybe later - if (mCertDB.isCertificateRevoked(cert) != null) { - log(ILogger.LL_FAILURE, - "Certificate has already been revoked."); - // throw something else...cfu - throw new EInvalidCredentials(); - } + /* + * maybe later if (mCertDB.isCertificateRevoked(cert) != null) { + * log(ILogger.LL_FAILURE, "Certificate has already been revoked."); // + * throw something else...cfu throw new EInvalidCredentials(); } */ X509CertImpl[] certsToRevoke = null; @@ -217,9 +216,9 @@ public class ChallengePhraseAuthentication implements IAuthManager { // check challenge phrase against request /* - * map cert to a request: a cert serial number maps to a - * cert record in the internal db, from the cert record, - * where we'll find the challenge phrase + * map cert to a request: a cert serial number maps to a cert record in + * the internal db, from the cert record, where we'll find the challenge + * phrase */ if (mCertDB != null) { /* is CA */ CertRecord record = null; @@ -235,13 +234,16 @@ public class ChallengePhraseAuthentication implements IAuthManager { String status = record.getStatus(); if (!status.equals("REVOKED")) { - boolean samepwd = compareChallengePassword(record, challenge); + boolean samepwd = compareChallengePassword(record, + challenge); if (samepwd) { bigIntArray = new BigInteger[1]; bigIntArray[0] = record.getSerialNumber(); - } else - throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "Invalid password.")); + } else + throw new EAuthUserError(CMS.getUserMessage( + "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", + "Invalid password.")); } else { bigIntArray = new BigInteger[0]; 
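Review bot: The wrong-challenge branch in the reformatted `if (samepwd) { ... } else throw new EAuthUserError(...)` rejects the request without any log call, whereas the empty-challenge path earlier in authenticate() logs CMSCORE_AUTH_REVO_ATTEMPT at LL_FAILURE before throwing. A failed challenge-phrase revocation attempt is precisely what an operator wants in the audit trail, so add `log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_REVO_ATTEMPT", serialNum.toString()));` before the throw and brace the else while it is being re-indented. The enclosing authenticate() method starts and ends outside this hunk.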
@@ -260,8 +262,8 @@ public class ChallengePhraseAuthentication implements IAuthManager { if (queue != null) { IRequest checkChallengeReq = null; - checkChallengeReq = - queue.newRequest(IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST); + checkChallengeReq = queue + .newRequest(IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST); checkChallengeReq.setExtData(CHALLENGE_PHRASE, challenge); // pass just serial number instead of whole cert if (serialNum != null) @@ -271,19 +273,23 @@ public class ChallengePhraseAuthentication implements IAuthManager { RequestStatus status = checkChallengeReq.getRequestStatus(); if (status == RequestStatus.COMPLETE) { - bigIntArray = checkChallengeReq.getExtDataInBigIntegerArray("serialNoArray"); + bigIntArray = checkChallengeReq + .getExtDataInBigIntegerArray("serialNoArray"); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_INCOMPLETE_REQUEST")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_AUTH_INCOMPLETE_REQUEST")); } } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_FAILED_GET_QUEUE")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_REVOCATION_CHALLENGE_QUEUE_FAILED")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_AUTH_FAILED_GET_QUEUE")); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_REVOCATION_CHALLENGE_QUEUE_FAILED")); } } // else, ra if (bigIntArray != null && bigIntArray.length > 0) { if (Debug.ON) { Debug.trace("challenge authentication serialno array not null"); - for (int i = 0; i < bigIntArray.length; i++) + for (int i = 0; i < bigIntArray.length; i++) Debug.trace("challenge auth serialno " + bigIntArray[i]); } } 
@@ -301,16 +307,17 @@ public class ChallengePhraseAuthentication implements IAuthManager { if (str.startsWith("0x") || str.startsWith("0X")) { newStr = "" + Integer.parseInt(str.trim().substring(2), 16); } - + return newStr; } - private boolean compareChallengePassword(CertRecord record, String pwd) - throws EBaseException { + private boolean compareChallengePassword(CertRecord record, String pwd) + throws EBaseException { MetaInfo metaInfo = (MetaInfo) record.get(CertRecord.ATTR_META_INFO); if (metaInfo == null) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "metaInfo")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "metaInfo")); } if (pwd == null) { @@ -322,8 +329,8 @@ public class ChallengePhraseAuthentication implements IAuthManager { String hashpwd = hashPassword(pwd); // got metaInfo - String challengeString = - (String) metaInfo.get(CertRecord.META_CHALLENGE_PHRASE); + String challengeString = (String) metaInfo + .get(CertRecord.META_CHALLENGE_PHRASE); if (challengeString == null) { if (Debug.ON) { 
@@ -336,20 +343,21 @@ public class ChallengePhraseAuthentication implements IAuthManager { return false; /* - log(ILogger.LL_FAILURE, - "Incorrect challenge phrase password used for revocation"); - throw new EInvalidCredentials(); + * log(ILogger.LL_FAILURE, + * "Incorrect challenge phrase password used for revocation"); throw + * new EInvalidCredentials(); */ - } else + } else return true; } /** - * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * get the list of authentication credential attribute names required by + * this authentication manager. Generally used by the servlets that handle + * agent operations to authenticate its users. It calls this method to know + * which are the required credentials from the user (e.g. Javascript form + * data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { 
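Review bot: The `return false` / `else return true` pair reports the outcome of comparing the stored challenge hash with the freshly computed hashpwd, but the comparison itself sits just above this hunk and is not visible; if it is `String.equals` (the usual form) it short-circuits on the first differing character, which is a timing side channel on a secret presented by an unauthenticated caller. Compare the two digests with `MessageDigest.isEqual(challengeString.getBytes(StandardCharsets.UTF_8), hashpwd.getBytes(StandardCharsets.UTF_8))` instead (java.nio.charset.StandardCharsets would need importing). The commented-out LL_FAILURE log in this hunk also means a wrong phrase leaves no trace at this level, so either restore a log here or make sure the caller records the rejection. compareChallengePassword begins outside this hunk.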
@@ -357,15 +365,16 @@ public class ChallengePhraseAuthentication implements IAuthManager { } /** - * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. ChallengePhraseAuthentication is currently not - * exposed in this case, so this method is not to be used. - * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * get the list of configuration parameter names required by this + * authentication manager. Generally used by the Certificate Server Console + * to display the table for configuration purposes. + * ChallengePhraseAuthentication is currently not exposed in this case, so + * this method is not to be used. + * + * @return configuration parameter names in Hashtable of Vectors where each + * hashtable entry's key is the substore name, value is a Vector of + * parameter names. If no substore, the parameter name is the + * Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); @@ -378,8 +387,8 @@ public class ChallengePhraseAuthentication implements IAuthManager { } /** - * gets the configuretion substore used by this authentication - * manager + * gets the configuretion substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { 
@@ -389,24 +398,23 @@ public class ChallengePhraseAuthentication implements IAuthManager { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level, + msg); } private IRequestQueue getReqQueue() { IRequestQueue queue = null; try { - IRegistrationAuthority ra = (IRegistrationAuthority) - SubsystemRegistry.getInstance().get("ra"); + IRegistrationAuthority ra = (IRegistrationAuthority) SubsystemRegistry + .getInstance().get("ra"); if (ra != null) { queue = ra.getRequestQueue(); mRequestor = IRequest.REQUESTOR_RA; } } catch (Exception e) { - log(ILogger.LL_FAILURE, - " cannot get access to the request queue."); + log(ILogger.LL_FAILURE, " cannot get access to the request queue."); } return queue; |