From 833feccb5539146a7f7288ed7eaef5aed9f26911 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Fri, 25 Jan 2013 00:07:39 -0800 Subject: Fixed CLI 'cert-find' clientAuth FQDN hostname issue * TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue --- .../com/netscape/certsrv/client/ClientConfig.java | 12 +++ .../com/netscape/certsrv/client/PKIConnection.java | 89 +++++++++++++++++++--- base/deploy/src/scriptlets/configuration.jy | 1 + 3 files changed, 92 insertions(+), 10 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/client/ClientConfig.java b/base/common/src/com/netscape/certsrv/client/ClientConfig.java index 885b60a26..64eae17eb 100644 --- a/base/common/src/com/netscape/certsrv/client/ClientConfig.java +++ b/base/common/src/com/netscape/certsrv/client/ClientConfig.java @@ -48,6 +48,8 @@ public class ClientConfig { } } + boolean InstanceCreationMode = false; + URI serverURI; String certDatabase; @@ -55,6 +57,15 @@ public class ClientConfig { String username; String password; + @XmlElement(defaultValue="false") + public boolean getInstanceCreationMode() { + return InstanceCreationMode; + } + + public void setInstanceCreationMode(boolean mode) { + this.InstanceCreationMode = mode; + } + @XmlElement(name="ServerURI") public URI getServerURI() { return serverURI; @@ -175,6 +186,7 @@ public class ClientConfig { public static void main(String args[]) throws Exception { ClientConfig before = new ClientConfig(); + before.setInstanceCreationMode(false); before.setServerURI("http://localhost:9180/ca"); before.setCertDatabase("certs"); before.setCertNickname("caadmin"); diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java index 578e1cf44..4556f1c6a 100644 --- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java +++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java @@ -2,6 +2,8 @@ package com.netscape.certsrv.client; import java.io.File; import java.io.IOException; +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.Socket; @@ -154,34 +156,101 @@ public class PKIConnection { } private class ServerCertApprovalCB implements SSLCertificateApprovalCallback { + // NOTE: The following helper method defined as + // 'public String displayReason(int reason)' + // should be moved into the JSS class called + // 'org.mozilla.jss.ssl.SSLCertificateApprovalCallback' + // under its nested subclass called 'ValidityStatus'. + + // While all reason values should be unique, this method has been + // written to return the name of the first defined reason that is + // encountered which contains the requested value, or null if no + // reason containing the requested value is encountered. + public String displayReason(int reason) { + Class c = + SSLCertificateApprovalCallback.ValidityStatus.class; + for (Field f : c.getDeclaredFields()) { + int mod = f.getModifiers(); + if (Modifier.isStatic(mod) && + Modifier.isPublic(mod) && + Modifier.isFinal(mod)) { + try { + int value = f.getInt(null); + if (value == reason) { + return f.getName(); + } + } catch (IllegalAccessException e) { + e.printStackTrace(); + } + } + } + + return null; + } // Callback to approve or deny returned SSL server cert. // Right now, simply approve the cert. public boolean approve(org.mozilla.jss.crypto.X509Certificate serverCert, SSLCertificateApprovalCallback.ValidityStatus status) { + boolean approval = true; + String reasonName = null; + if (verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN()); SSLCertificateApprovalCallback.ValidityItem item; + // If there are no items in the Enumeration returned by + // getReasons(), you can assume that the certificate is + // trustworthy, and return true to allow the connection to + // continue, or you can continue to make further tests of + // your own to determine trustworthiness. Enumeration errors = status.getReasons(); while (errors.hasMoreElements()) { item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement(); int reason = item.getReason(); - if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER || - reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) { - - // Allow these two since we haven't installed the CA cert for trust. - - return true; - + if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) { + // Ignore the "UNTRUSTED_ISSUER" validity status + // during PKI instance creation since we are + // utilizing an untrusted temporary CA cert. + if (!config.InstanceCreationMode) { + // Otherwise, issue a WARNING, but allow this process + // to continue since we haven't installed a trusted CA + // cert for this operation. + System.err.println("WARNING: UNTRUSTED ISSUER encountered on '"+serverCert.getSubjectDN()+"' indicates a non-trusted CA cert"); + } + } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) { + // Issue a WARNING, but allow this process to continue on + // common-name mismatches. + System.err.println("WARNING: BAD_CERT_DOMAIN encountered on '"+serverCert.getSubjectDN()+"' indicates a common-name mismatch"); + } else if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) { + // Ignore the "CA_CERT_INVALID" validity status + // during PKI instance creation since we are + // utilizing an untrusted temporary CA cert. + if (!config.InstanceCreationMode) { + // Otherwise, set approval false to deny this + // certificate so that the connection is terminated. + // (Expect an IOException on the outstanding + // read()/write() on the socket). + System.err.println("ERROR: CA_CERT_INVALID encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!"); + approval = false; + } + } else { + // Set approval false to deny this certificate so that + // the connection is terminated. (Expect an IOException + // on the outstanding read()/write() on the socket). + reasonName = displayReason(reason); + if (reasonName != null ) { + System.err.println("ERROR: "+reasonName+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!"); + } else { + System.err.println("ERROR: Unknown/undefined reason "+reason+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!"); + } + approval = false; } } - // For other errors return false. - - return false; + return approval; } } diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index 5af3becf5..d6af9b1ca 100644 --- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy @@ -77,6 +77,7 @@ def main(argv): # Setup connection parameters client_config = ClientConfig() + client_config.setInstanceCreationMode(True) client_config.setServerURI(master['pki_jython_base_uri']) # Establish REST Client -- cgit