From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Sat, 24 Mar 2012 02:27:47 -0500 Subject: Removed unnecessary pki folder. Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131 --- .../cms/servlet/csadmin/CertRequestPanel.java | 757 +++++++++++++++++++++ 1 file changed, 757 insertions(+) create mode 100644 base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java (limited to 'base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java') diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java new file mode 100644 index 000000000..20ddf9f2d --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java @@ -0,0 +1,757 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.csadmin; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.Principal; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.CertPrettyPrint; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import org.apache.velocity.context.Context; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.InternalCertificate; +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.X509Certificate; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.property.PropertySet; +import com.netscape.certsrv.util.HttpInput; +import com.netscape.cms.servlet.wizard.WizardServlet; +import com.netscape.cmsutil.crypto.CryptoUtil; + +public class CertRequestPanel extends WizardPanelBase { + private Vector mCerts = null; + private WizardServlet mServlet = null; + + public CertRequestPanel() { + } + + /** + * Initializes this panel. + */ + public void init(ServletConfig config, int panelno) + throws ServletException { + setPanelNo(panelno); + setName("Requests & Certificates"); + } + + public void init(WizardServlet servlet, ServletConfig config, int panelno, String id) + throws ServletException { + setPanelNo(panelno); + setName("Requests and Certificates"); + mServlet = servlet; + setId(id); + } + + // XXX how do you do this? There could be multiple certs. + public PropertySet getUsage() { + PropertySet set = new PropertySet(); + + Descriptor certDesc = new Descriptor(IDescriptor.STRING, null, /* no constraint */ + null, /* no default parameters */ + null); + + set.add("cert", certDesc); + + return set; + } + + /** + * Show "Apply" button on frame? + */ + public boolean showApplyButton() { + if (isPanelDone()) + return false; + else + return true; + } + + private boolean findCertificate(String tokenname, String nickname) + throws IOException { + IConfigStore cs = CMS.getConfigStore(); + CryptoManager cm = null; + try { + cm = CryptoManager.getInstance(); + } catch (Exception e) { + } + + String fullnickname = nickname; + + boolean hardware = false; + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) { + hardware = true; + fullnickname = tokenname + ":" + nickname; + } + + try { + X509Certificate cert = cm.findCertByNickname(fullnickname); + if (cert == null) + return false; + try { + @SuppressWarnings("unused") + boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors + return true; + } catch (Exception ee) { + if (hardware) { + CMS.debug("CertRequestPanel findCertificate: The certificate with the same nickname: " + + fullnickname + " has been found on HSM. Please remove it before proceeding."); + throw new IOException("The certificate with the same nickname: " + + fullnickname + " has been found on HSM. Please remove it before proceeding."); + } + return true; + } + } catch (IOException e) { + CMS.debug("CertRequestPanel findCertificate: throw exception:" + e.toString()); + throw e; + } catch (Exception e) { + CMS.debug("CertRequestPanel findCertificate: Exception=" + e.toString()); + return false; + } + } + + public void cleanUp() throws IOException { + IConfigStore cs = CMS.getConfigStore(); + String list = ""; + String tokenname = ""; + try { + list = cs.getString("preop.cert.list", ""); + tokenname = cs.getString("preop.module.token", ""); + } catch (Exception e) { + } + + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem( + ICertificateAuthority.ID); + + if (ca != null) { + CMS.debug("CertRequestPanel cleanup: get certificate repository"); + BigInteger beginS = null; + BigInteger endS = null; + String beginNum = ""; + String endNum = ""; + try { + beginNum = cs.getString("dbs.beginSerialNumber", ""); + endNum = cs.getString("dbs.endSerialNumber", ""); + if (!beginNum.equals("")) + beginS = new BigInteger(beginNum, 16); + if (!endNum.equals("")) + endS = new BigInteger(endNum, 16); + } catch (Exception e) { + } + + ICertificateRepository cr = ca.getCertificateRepository(); + if (cr != null) { + try { + cr.removeCertRecords(beginS, endS); + } catch (Exception e) { + CMS.debug("CertRequestPanel cleanUp exception in removing all objects: " + e.toString()); + } + + try { + cr.resetSerialNumber(new BigInteger(beginNum, 16)); + } catch (Exception e) { + CMS.debug("CertRequestPanel cleanUp exception in resetting serial number: " + e.toString()); + } + } + } + + StringTokenizer st = new StringTokenizer(list, ","); + String nickname = ""; + boolean enable = false; + while (st.hasMoreTokens()) { + String t = st.nextToken(); + + try { + enable = cs.getBoolean(PCERT_PREFIX + t + ".enable", true); + nickname = cs.getString(PCERT_PREFIX + t + ".nickname", ""); + } catch (Exception e) { + } + + if (!enable) + continue; + + if (t.equals("sslserver")) + continue; + + if (findCertificate(tokenname, nickname)) { + try { + CMS.debug("CertRequestPanel cleanup: deleting certificate (" + nickname + ")."); + deleteCert(tokenname, nickname); + } catch (Exception e) { + CMS.debug("CertRequestPanel cleanup: failed to delete certificate (" + + nickname + "). Exception: " + e.toString()); + } + } + } + + try { + @SuppressWarnings("unused") + boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors + cs.putBoolean("preop.CertRequestPanel.done", false); + cs.commit(false); + } catch (Exception e) { + } + } + + public boolean isPanelDone() { + IConfigStore cs = CMS.getConfigStore(); + try { + boolean s = cs.getBoolean("preop.CertRequestPanel.done", + false); + + if (s != true) { + return false; + } else { + return true; + } + } catch (EBaseException e) { + } + + return false; + } + + public void getCert(IConfigStore config, + Context context, String certTag, Cert cert) { + try { + + String subsystem = config.getString( + PCERT_PREFIX + certTag + ".subsystem"); + + String certs = config.getString(subsystem + "." + certTag + ".cert", ""); + + if (cert != null) { + String certf = certs; + + CMS.debug( + "CertRequestPanel getCert: certTag=" + certTag + + " cert=" + certs); + //get and set formated cert + if (!certs.startsWith("...")) { + certf = CryptoUtil.certFormat(certs); + } + cert.setCert(certf); + + //get and set cert pretty print + byte[] certb = CryptoUtil.base64Decode(certs); + CertPrettyPrint pp = new CertPrettyPrint(certb); + cert.setCertpp(pp.toString(Locale.getDefault())); + } else { + CMS.debug("CertRequestPanel::getCert() - cert is null!"); + return; + } + String userfriendlyname = config.getString( + PCERT_PREFIX + certTag + ".userfriendlyname"); + + cert.setUserFriendlyName(userfriendlyname); + String type = config.getString(PCERT_PREFIX + certTag + ".type"); + + cert.setType(type); + String dn = config.getString(PCERT_PREFIX + certTag + ".dn"); + + cert.setDN(dn); + } catch (Exception e) { + CMS.debug("CertRequestPanel:getCert" + e.toString()); + } // try + } + + public X509Key getECCX509Key(IConfigStore config, String certTag) + throws Exception { + X509Key pubk = null; + String pubKeyEncoded = config.getString( + PCERT_PREFIX + certTag + ".pubkey.encoded"); + pubk = CryptoUtil.getPublicX509ECCKey(CryptoUtil.string2byte(pubKeyEncoded)); + return pubk; + } + + public X509Key getRSAX509Key(IConfigStore config, String certTag) + throws Exception { + X509Key pubk = null; + + String pubKeyModulus = config.getString( + PCERT_PREFIX + certTag + ".pubkey.modulus"); + String pubKeyPublicExponent = config.getString( + PCERT_PREFIX + certTag + ".pubkey.exponent"); + pubk = CryptoUtil.getPublicX509Key( + CryptoUtil.string2byte(pubKeyModulus), + CryptoUtil.string2byte(pubKeyPublicExponent)); + return pubk; + } + + public void handleCertRequest(IConfigStore config, + Context context, String certTag, Cert cert) { + try { + // get public key + String pubKeyType = config.getString( + PCERT_PREFIX + certTag + ".keytype"); + String algorithm = config.getString( + PCERT_PREFIX + certTag + ".keyalgorithm"); + X509Key pubk = null; + if (pubKeyType.equals("rsa")) { + pubk = getRSAX509Key(config, certTag); + } else if (pubKeyType.equals("ecc")) { + pubk = getECCX509Key(config, certTag); + } else { + CMS.debug("CertRequestPanel::handleCertRequest() - " + + "pubKeyType " + pubKeyType + " is unsupported!"); + return; + } + + CMS.debug("CertRequestPanel: tag=" + certTag); + if (pubk != null) { + CMS.debug("CertRequestPanel: got public key"); + } else { + CMS.debug("CertRequestPanel: error getting public key null"); + return; + } + + // get private key + String privKeyID = config.getString( + PCERT_PREFIX + certTag + ".privkey.id"); + CMS.debug("CertRequestPanel: privKeyID=" + privKeyID); + byte[] keyIDb = CryptoUtil.string2byte(privKeyID); + + PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); + + if (privk != null) { + CMS.debug("CertRequestPanel: got private key"); + } else { + CMS.debug("CertRequestPanel: error getting private key null"); + } + + // construct cert request + String caDN = config.getString(PCERT_PREFIX + certTag + ".dn"); + + cert.setDN(caDN); + PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, + privk, algorithm); + + CMS.debug("CertRequestPanel: created cert request"); + byte[] certReqb = certReq.toByteArray(); + String certReqs = CryptoUtil.base64Encode(certReqb); + String certReqf = CryptoUtil.reqFormat(certReqs); + + String subsystem = config.getString( + PCERT_PREFIX + certTag + ".subsystem"); + config.putString(subsystem + "." + certTag + ".certreq", certReqs); + config.commit(false); + cert.setRequest(certReqf); + } catch (Exception e) { + CMS.debug("CertRequestPanel::handleCertRequest" + e.toString()); + CMS.debug(e); + } // try + + } + + /** + * Display the panel. + */ + public void display(HttpServletRequest request, + HttpServletResponse response, + Context context) { + + CMS.debug("CertRequestPanel: display()"); + context.put("title", "Requests and Certificates"); + + try { + mCerts = new Vector(); + + IConfigStore config = CMS.getConfigStore(); + + String certTags = config.getString("preop.cert.list"); + StringTokenizer st = new StringTokenizer(certTags, ","); + + while (st.hasMoreTokens()) { + String certTag = st.nextToken(); + + try { + String subsystem = config.getString( + PCERT_PREFIX + certTag + ".subsystem"); + String nickname = config.getString( + subsystem + "." + certTag + ".nickname"); + String tokenname = config.getString( + subsystem + "." + certTag + ".tokenname"); + Cert c = new Cert(tokenname, nickname, certTag); + + handleCertRequest(config, context, certTag, c); + + String type = config.getString( + PCERT_PREFIX + certTag + ".type"); + + c.setType(type); + boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true); + c.setEnable(enable); + getCert(config, context, certTag, c); + + c.setSubsystem(subsystem); + mCerts.addElement(c); + } catch (Exception e) { + CMS.debug( + "CertRequestPanel:display() Exception caught: " + + e.toString() + " for certTag " + certTag); + } + } + } catch (Exception e) { + CMS.debug( + "CertRequestPanel:display() Exception caught: " + + e.toString()); + System.err.println("Exception caught: " + e.toString()); + + } // try + + context.put("reqscerts", mCerts); + context.put("status", "display"); + // context.put("status_token", "None"); + context.put("panel", "admin/console/config/certrequestpanel.vm"); + + } + + /** + * Checks if the given parameters are valid. + */ + public void validate(HttpServletRequest request, + HttpServletResponse response, + Context context) throws IOException { + } + + private boolean findBootstrapServerCert() { + IConfigStore cs = CMS.getConfigStore(); + try { + String instanceID = cs.getString("instanceId", ""); + String nickname = "Server-Cert cert-" + instanceID; + + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate cert = cm.findCertByNickname(nickname); + Principal issuerDN = cert.getIssuerDN(); + Principal subjectDN = cert.getSubjectDN(); + if (issuerDN.equals(subjectDN)) + return true; + } catch (Exception e) { + CMS.debug("CertRequestPanel findBootstrapServerCert Exception=" + e.toString()); + } + + return false; + } + + private void deleteBootstrapServerCert() { + IConfigStore cs = CMS.getConfigStore(); + try { + String instanceID = cs.getString("instanceId", ""); + String nickname = "Server-Cert cert-" + instanceID; + + deleteCert("Internal Key Storage Token", nickname); + } catch (Exception e) { + CMS.debug("CertRequestPanel deleteBootstrapServerCert Exception=" + e.toString()); + } + } + + /** + * Commit parameter changes + */ + public void update(HttpServletRequest request, + HttpServletResponse response, + Context context) throws IOException { + CMS.debug("CertRequestPanel: in update()"); + boolean hasErr = false; + IConfigStore config = CMS.getConfigStore(); + + if (isPanelDone()) { + context.put("updateStatus", "success"); + return; + } + + try { + Enumeration c = mCerts.elements(); + + String tokenname = ""; + try { + tokenname = config.getString("preop.module.token", ""); + } catch (Exception e) { + } + + while (c.hasMoreElements()) { + Cert cert = (Cert) c.nextElement(); + String certTag = cert.getCertTag(); + String subsystem = cert.getSubsystem(); + boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true); + if (!enable) + continue; + + if (hasErr) + continue; + + String nickname = cert.getNickname(); + + CMS.debug( + "CertRequestPanel: update() for cert tag " + + cert.getCertTag()); + // String b64 = config.getString(CERT_PREFIX+ certTag +".cert", ""); + String b64 = HttpInput.getCert(request, certTag); + + if (cert.getType().equals("local") + && b64.equals( + "...certificate be generated internally...")) { + + String pubKeyType = config.getString( + PCERT_PREFIX + certTag + ".keytype"); + X509Key x509key = null; + if (pubKeyType.equals("rsa")) { + x509key = getRSAX509Key(config, certTag); + } else if (pubKeyType.equals("ecc")) { + x509key = getECCX509Key(config, certTag); + } + + if (findCertificate(tokenname, nickname)) { + if (!certTag.equals("sslserver")) + continue; + } + X509CertImpl impl = CertUtil.createLocalCert(config, x509key, + PCERT_PREFIX, certTag, cert.getType(), context); + + if (impl != null) { + byte[] certb = impl.getEncoded(); + String certs = CryptoUtil.base64Encode(certb); + + cert.setCert(certs); + config.putString(subsystem + "." + certTag + ".cert", certs); + /* import certificate */ + CMS.debug( + "CertRequestPanel configCert: nickname=" + + nickname); + + try { + if (certTag.equals("sslserver") && findBootstrapServerCert()) + deleteBootstrapServerCert(); + if (findCertificate(tokenname, nickname)) + deleteCert(tokenname, nickname); + if (certTag.equals("signing") && subsystem.equals("ca")) + CryptoUtil.importUserCertificate(impl, nickname); + else + CryptoUtil.importUserCertificate(impl, nickname, false); + CMS.debug( + "CertRequestPanel configCert: cert imported for certTag " + + certTag); + } catch (Exception ee) { + CMS.debug( + "CertRequestPanel configCert: import certificate for certTag=" + + certTag + " Exception: " + + ee.toString()); + CMS.debug("ok"); + // hasErr = true; + } + } + } else if (cert.getType().equals("remote")) { + if (b64 != null && b64.length() > 0 + && !b64.startsWith("...")) { + String b64chain = HttpInput.getCertChain(request, certTag + "_cc"); + CMS.debug( + "CertRequestPanel: in update() process remote...import cert"); + + String input = HttpInput.getCert(request, cert.getCertTag()); + + if (input != null) { + try { + if (certTag.equals("sslserver") && findBootstrapServerCert()) + deleteBootstrapServerCert(); + if (findCertificate(tokenname, nickname)) { + deleteCert(tokenname, nickname); + } + } catch (Exception e) { + CMS.debug("CertRequestPanel update (remote): deleteCert Exception=" + e.toString()); + } + input = CryptoUtil.stripCertBrackets(input.trim()); + String certs = CryptoUtil.normalizeCertStr(input); + byte[] certb = CryptoUtil.base64Decode(certs); + + config.putString(subsystem + "." + certTag + ".cert", + certs); + try { + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate x509cert = cm.importCertPackage( + certb, nickname); + + CryptoUtil.trustCertByNickname(nickname); + X509Certificate[] certchains = cm.buildCertificateChain( + x509cert); + X509Certificate leaf = null; + + if (certchains != null) { + CMS.debug( + "CertRequestPanel certchains length=" + + certchains.length); + leaf = certchains[certchains.length - 1]; + } + + if (leaf == null) { + CMS.debug("CertRequestPanel::update() - " + + "leaf is null!"); + throw new IOException("leaf is null"); + } + + if (/*(certchains.length <= 1) &&*/ + (b64chain != null && b64chain.length() != 0)) { + CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain: " + + b64chain); + try { + CryptoUtil.importCertificateChain( + CryptoUtil.normalizeCertAndReq(b64chain)); + } catch (Exception e) { + CMS.debug("CertRequestPanel: importCertChain: Exception: " + e.toString()); + } + } + + InternalCertificate icert = (InternalCertificate) leaf; + + icert.setSSLTrust( + InternalCertificate.TRUSTED_CA + | InternalCertificate.TRUSTED_CLIENT_CA + | InternalCertificate.VALID_CA); + CMS.debug( + "CertRequestPanel configCert: import certificate successfully, certTag=" + + certTag); + } catch (Exception ee) { + CMS.debug( + "CertRequestPanel configCert: import certificate for certTag=" + + certTag + " Exception: " + + ee.toString()); + CMS.debug("ok"); + // hasErr=true; + } + } else { + CMS.debug("CertRequestPanel: in update() input null"); + hasErr = true; + } + } else { + CMS.debug("CertRequestPanel: in update() b64 not set"); + hasErr = true; + } + + } else { + b64 = CryptoUtil.stripCertBrackets(b64.trim()); + String certs = CryptoUtil.normalizeCertStr(b64); + byte[] certb = CryptoUtil.base64Decode(certs); + X509CertImpl impl = new X509CertImpl(certb); + try { + if (certTag.equals("sslserver") && findBootstrapServerCert()) + deleteBootstrapServerCert(); + if (findCertificate(tokenname, nickname)) { + deleteCert(tokenname, nickname); + } + } catch (Exception ee) { + CMS.debug("CertRequestPanel update: deleteCert Exception=" + ee.toString()); + } + + try { + if (certTag.equals("signing") && subsystem.equals("ca")) + CryptoUtil.importUserCertificate(impl, nickname); + else + CryptoUtil.importUserCertificate(impl, nickname, false); + } catch (Exception ee) { + CMS.debug("CertRequestPanel: Failed to import user certificate." + ee.toString()); + hasErr = true; + } + } + + //update requests in request queue for local certs to allow renewal + if ((cert.getType().equals("local")) || (cert.getType().equals("selfsign"))) { + CertUtil.updateLocalRequest(config, certTag, cert.getRequest(), "pkcs10", null); + } + + if (certTag.equals("signing") && subsystem.equals("ca")) { + String NickName = nickname; + if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) + NickName = tokenname + ":" + nickname; + + CMS.debug("CertRequestPanel update: set trust on CA signing cert " + NickName); + CryptoUtil.trustCertByNickname(NickName); + CMS.reinit(ICertificateAuthority.ID); + } + } //while loop + + if (hasErr == false) { + config.putBoolean("preop.CertRequestPanel.done", true); + } + config.commit(false); + } catch (Exception e) { + CMS.debug("CertRequestPanel: Exception caught: " + e.toString()); + System.err.println("Exception caught: " + e.toString()); + } + + //reset the attribute of the user certificate to u,u,u + String certlist = ""; + try { + certlist = config.getString("preop.cert.list", ""); + StringTokenizer tokenizer = new StringTokenizer(certlist, ","); + CryptoManager cm = CryptoManager.getInstance(); + while (tokenizer.hasMoreTokens()) { + String tag = tokenizer.nextToken(); + if (tag.equals("signing")) + continue; + String nickname = config.getString("preop.cert." + tag + ".nickname", ""); + String tokenname = config.getString("preop.module.token", ""); + if (!tokenname.equals("Internal Key Storage Token")) + nickname = tokenname + ":" + nickname; + X509Certificate c = cm.findCertByNickname(nickname); + if (c instanceof InternalCertificate) { + InternalCertificate ic = (InternalCertificate) c; + ic.setSSLTrust(InternalCertificate.USER); + ic.setEmailTrust(InternalCertificate.USER); + if (tag.equals("audit_signing")) { + ic.setObjectSigningTrust(InternalCertificate.USER + | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER); + } else { + ic.setObjectSigningTrust(InternalCertificate.USER); + } + } + } + } catch (Exception e) { + } + if (!hasErr) { + context.put("updateStatus", "success"); + } else { + context.put("updateStatus", "failure"); + } + } + + /** + * If validiate() returns false, this method will be called. + */ + public void displayError(HttpServletRequest request, + HttpServletResponse response, + Context context) { + context.put("title", "Certificate Request"); + context.put("panel", "admin/console/config/certrequestpanel.vm"); + } +} -- cgit