From e832349f8846ab398b17b98ebe9862bc700d1b7f Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Tue, 5 Apr 2016 11:44:00 -0700
Subject: Ticket #2271 TMS- clean up key archival request records in ldap

This patch does the following:
* it adds in the kra request an extra field called "delayLDAPCommit"
* when the request comes in to be processed, it sets this field to "false"
* by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write
* once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap
* In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
---
.../src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++
.../servlet/connector/GenerateKeyPairServlet.java | 15 ++++++++++++++-
.../com/netscape/cmscore/request/ARequestQueue.java | 11 ++++++++---
.../server/tps/cms/KRARemoteRequestHandler.java | 21 +++++++++------------
.../org/dogtagpki/server/tps/engine/TPSEngine.java | 2 ++
.../server/tps/processor/TPSEnrollProcessor.java | 12 ++++++------
6 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index f409eea96..e77ef25db 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -410,6 +410,12 @@ public class NetkeyKeygenService implements IService { audit(auditMessage); String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); + // the request reocrd field delayLDAPCommit == "true" will cause + // updateRequest() to delay actual write to ldap + request.setExtData("delayLDAPCommit", "true"); + // wrappedDesKey no longer needed. removing. + request.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, ""); + // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString); wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded"); diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java index 83f159a83..7cf750a33 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java @@ -233,6 +233,19 @@ public class GenerateKeyPairServlet extends CMSServlet { String ivString = thisreq.getExtDataInString("iv_s"); + /* + * clean up fields in request + */ + thisreq.setExtData("wrappedUserPrivate", ""); + thisreq.setExtData("public_key", ""); + thisreq.setExtData("iv_s", ""); + thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, ""); + String test = thisreq.getExtDataInString("wrappedUserPrivate"); + + // now that fields are cleared, we can really write to ldap + thisreq.setExtData("delayLDAPCommit", "false"); + queue.updateRequest(thisreq); + /* if (selectedToken == null) status = "4"; 
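Review bot: The key `"delayLDAPCommit"` is a bare string literal here and is repeated in GenerateKeyPairServlet (@@ -233) and ARequestQueue (@@ -540, @@ -547), so a typo in any one of them silently disables the delay; declare it once, e.g. `String DELAY_LDAP_COMMIT = "delayLDAPCommit";` (constructed name) next to NETKEY_ATTR_DRMTRANS_DES_KEY on IRequest, and reference the constant in all three files. The added comment has a typo, `reocrd` → `record`, and the commit description says the field is set to "false" at this point whereas the code sets "true"; the code matches the ARequestQueue check, so the description is the one to correct. `request.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, "")` blanks the value but keeps the attribute; if IRequest offers `deleteExtData`, dropping the key is the cleaner way to make sure nothing key-related remains in the record. The enclosing method continues outside the hunk.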
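Review bot: `String test = thisreq.getExtDataInString("wrappedUserPrivate");` is an unused local left over from debugging and should be deleted. The four `setExtData(key, "")` calls blank the values but leave empty attributes behind; `deleteExtData`, if IRequest provides it, removes the keys outright. `queue.updateRequest(thisreq)` now runs unconditionally, which is what a delayed request needs but is a second modify for one the KRA never delayed; a comment such as `// final write: key-bearing fields are cleared above, so the persisted record never carries them` would make the pairing with the delay flag explicit for the next reader. The enclosing method starts and ends outside the hunk.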
@@ -251,7 +264,7 @@ public class GenerateKeyPairServlet extends CMSServlet { value = sb.toString(); } - CMS.debug("processServerSideKeyGen:outputString.encode " + value); + //CMS.debug("processServerSideKeyGen:outputString.encode " + value); try { resp.setContentLength(value.length()); diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java index 3d82f8eb5..798da3fa5 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java +++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java @@ -540,6 +540,8 @@ public abstract class ARequestQueue } public void updateRequest(IRequest r) { + // defualt is to really update ldap + String delayLDAPCommit = r.getExtDataInString("delayLDAPCommit"); ((Request) r).mModificationTime = CMS.getCurrentDate(); String name = getUserIdentity(); @@ -547,9 +549,12 @@ public abstract class ARequestQueue if (name != null) r.setExtData(IRequest.UPDATED_BY, name); - // TODO: use a state flag to determine whether to call - // addRequest or modifyRequest (see newRequest as well) - modifyRequest(r); + // by default, write request to LDAP + if (delayLDAPCommit == null || !delayLDAPCommit.equals("true")) { + // TODO: use a state flag to determine whether to call + // addRequest or modifyRequest (see newRequest as well) + modifyRequest(r); + } // else: delay the write to ldap } // PRIVATE functions diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java index 1f7347ddd..0f3de3351 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java 
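Review bot: The debug call is kept as commented-out code instead of being removed, and the same pattern recurs in KRARemoteRequestHandler (@@ -107, @@ -127, @@ -283), TPSEngine (@@ -537) and TPSEnrollProcessor (@@ -2816, @@ -2840, @@ -2851, @@ -2873). A commented-out line that prints key material is one uncomment away from reintroducing the exposure and adds nothing for the reader; delete these lines, and where a trace is still useful log a field-free line, e.g. `CMS.debug("processServerSideKeyGen: outputString.encode built, length=" + value.length());` here. In TPSEngine the entry trace can be restored minus the `wrappedDesKey` term, as the remaining parameters look like identifiers and sizes rather than secrets — confirm before doing so. The enclosing method starts and ends outside the hunk.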
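Review bot: The delay flag lives in the request's own ext data, so when the final `updateRequest` is issued with `delayLDAPCommit` set to "false" that bookkeeping value is persisted to LDAP with the record; read the flag as @@ -540 does, then drop it before the write, e.g. `r.deleteExtData("delayLDAPCommit");` ahead of `modifyRequest(r)` (if IRequest offers that call), so stored records only hold real request data. The null-guarded comparison is correct, but `if (!"true".equals(delayLDAPCommit)) {` says the same thing more directly. Fix the comment typo `defualt` → `default` in @@ -540, and add a short Javadoc to updateRequest stating that a caller which sets the flag to "true" is responsible for calling updateRequest again, since otherwise the modification time and UPDATED_BY set here are never persisted. updateRequest begins in @@ -540, outside this hunk.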
@@ -107,7 +107,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + sDesKey; - CMS.debug("KRARemoteRequestHandler: outgoing request for ECC: " + request); + //CMS.debug("KRARemoteRequestHandler: outgoing request for ECC: " + request); resp = conn.send("GenerateKeyPair", @@ -127,7 +127,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + sDesKey; - CMS.debug("KRARemoteRequestHandler: outgoing request for RSA: " + request); + //CMS.debug("KRARemoteRequestHandler: outgoing request for RSA: " + request); resp = conn.send("GenerateKeyPair", @@ -144,8 +144,8 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler String content = resp.getContent(); - CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): got content = " + content); if (content != null && !content.equals("")) { + CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): got content"); Hashtable response = parseResponse(content); @@ -192,8 +192,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): response missing name-value pair for: " + IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey); } else { - CMS.debug("KRARemoteRequestHandler:serverSideKeyGen(): got IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey= " - + value); + CMS.debug("KRARemoteRequestHandler:serverSideKeyGen(): got IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey"); response.put(IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey, value); } 
@@ -202,8 +201,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): response missing name-value pair for: " + IRemoteRequest.KRA_RESPONSE_IV_Param); } else { - CMS.debug("KRARemoteRequestHandler:serverSideKeyGen(): got IRemoteRequest.KRA_RESPONSE_IV_Param= " - + value); + CMS.debug("KRARemoteRequestHandler:serverSideKeyGen(): got IRemoteRequest.KRA_RESPONSE_IV_Param"); response.put(IRemoteRequest.KRA_RESPONSE_IV_Param, value); } @@ -283,7 +281,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + sDesKey; } - CMS.debug("KRARemoteRequestHandler: recoverKey(): sendMsg =" + sendMsg); + //CMS.debug("KRARemoteRequestHandler: recoverKey(): sendMsg =" + sendMsg); HttpResponse resp = conn.send("TokenKeyRecovery", sendMsg); @@ -294,8 +292,8 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler String content = resp.getContent(); - CMS.debug("KRARemoteRequestHandler: recoverKey(): got content = " + content); if (content != null && !content.equals("")) { + CMS.debug("KRARemoteRequestHandler: recoverKey(): got content"); Hashtable response = parseResponse(content); @@ -337,8 +335,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler CMS.debug("KRARemoteRequestHandler: recoverKey(): response missing name-value pair for: " + IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey); } else { - CMS.debug("KRARemoteRequestHandler:recoverKey(): got IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey= " - + value); + CMS.debug("KRARemoteRequestHandler:recoverKey(): got IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey"); response.put(IRemoteRequest.KRA_RESPONSE_Wrapped_PrivKey, value); } 
@@ -347,7 +344,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler CMS.debug("KRARemoteRequestHandler: recoverKey(): response missing name-value pair for: " + IRemoteRequest.KRA_RESPONSE_IV_Param); } else { - CMS.debug("KRARemoteRequestHandler:recoverKey(): got IRemoteRequest.KRA_RESPONSE_IV_Param= " + value); + CMS.debug("KRARemoteRequestHandler:recoverKey(): got IRemoteRequest.KRA_RESPONSE_IV_Param"); response.put(IRemoteRequest.KRA_RESPONSE_IV_Param, value); } diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java index 32dd7a200..bc9d12c19 100644 --- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -537,9 +537,11 @@ public class TPSEngine { boolean archive, boolean isECC) throws TPSException { +/* CMS.debug("TPSEngine.serverSideKeyGen entering... keySize: " + keySize + " cuid: " + cuid + " userid: " + userid + " drmConnId: " + drmConnId + " wrappedDesKey: " + wrappedDesKey + " archive: " + archive + " isECC: " + isECC); +*/ if (cuid == null || userid == null || drmConnId == null || wrappedDesKey == null) { throw new TPSException("TPSEngine.serverSideKeyGen: Invalid input data!", diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index 07f7fa0d0..19df79f53 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java 
@@ -2816,7 +2816,7 @@ public class TPSEnrollProcessor extends TPSProcessor { TPSBuffer privKeyBuff = new TPSBuffer(Util.uriDecodeFromHex(wrappedPrivKeyStr)); privKeyBlob.add(privKeyBuff); - CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8 privKeyBlob: " + privKeyBlob.toHexString()); + //CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8 privKeyBlob: " + privKeyBlob.toHexString()); byte[] perms = { 0x40, 0x00, @@ -2840,7 +2840,7 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8 : keyCheck: " + keyCheck.toHexString()); // String ivParams = ssKeyGenResponse.getIVParam(); - CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8: ivParams: " + ivParams); + //CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8: ivParams: " + ivParams); TPSBuffer ivParamsBuff = new TPSBuffer(Util.uriDecodeFromHex(ivParams)); if (ivParamsBuff.size() == 0) { @@ -2851,9 +2851,9 @@ public class TPSEnrollProcessor extends TPSProcessor { TPSBuffer kekWrappedDesKey = channel.getKekDesKey(); - if (kekWrappedDesKey != null) - CMS.debug("TPSEnrollProcessor.importPrivateKeyPKCS8: keyWrappedDesKey: " + kekWrappedDesKey.toHexString()); - else + if (kekWrappedDesKey != null) { + //CMS.debug("TPSEnrollProcessor.importPrivateKeyPKCS8: keyWrappedDesKey: " + kekWrappedDesKey.toHexString()); + } else CMS.debug("TPSEnrollProcessor.iportPrivateKeyPKC8: null kekWrappedDesKey!"); byte alg = (byte) 0x80; @@ -2873,7 +2873,7 @@ public class TPSEnrollProcessor extends TPSProcessor { } data.add((byte) ivParamsBuff.size()); data.add(ivParamsBuff); - CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8: key data outgoing: " + data.toHexString()); + //CMS.debug("TPSEnrollProcessor.importprivateKeyPKCS8: key data outgoing: " + data.toHexString()); int pe1 = (cEnrollInfo.getKeyUser() << 4) + cEnrollInfo.getPrivateKeyNumber(); int pe2 = (cEnrollInfo.getKeyUsage() << 4) + cEnrollInfo.getPublicKeyNumber(); -- cgit
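Review bot: After the change in @@ -2851, `if (kekWrappedDesKey != null) { ... } else` has a braced body containing only a commented-out line and an unbraced else, a shape that breaks silently when a statement is added under the else later; invert the test instead: `if (kekWrappedDesKey == null) {` / `CMS.debug("TPSEnrollProcessor.iportPrivateKeyPKC8: null kekWrappedDesKey!");` / `}`. The message text has two typos (`iportPrivateKeyPKC8`) that can be fixed in the same pass, since nothing visible here parses it. The keyCheck trace in @@ -2840 is still logged in hex; whether that value is sensitive is not visible here, so confirm before leaving it. The enclosing method starts and ends outside the hunk.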