From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Sat, 24 Mar 2012 02:27:47 -0500 Subject: Removed unnecessary pki folder. Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131 --- .../cms/servlet/processors/PKIProcessor.java | 356 +++++++++++++++++++++ 1 file changed, 356 insertions(+) create mode 100644 base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java (limited to 'base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java') diff --git a/base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java b/base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java new file mode 100644 index 000000000..5b78bb42a --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/processors/PKIProcessor.java @@ -0,0 +1,356 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.processors; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Date; + +import javax.servlet.http.HttpServletRequest; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IArgBlock; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.common.ECMSGWException; + +/** + * Process Certificate Requests + * + * @version $Revision$, $Date$ + */ +public class PKIProcessor implements IPKIProcessor { + + public final static String ADMIN_ENROLL_SERVLET_ID = "caadminEnroll"; + public static final String SUBJECT_NAME = "subject"; + public static final String OLD_CERT_TYPE = "csrCertType"; + public static final String CERT_TYPE = "certType"; + public static final String PKCS10_REQUEST = "pkcs10Request"; + public static final String SUBJECT_KEYGEN_INFO = "subjectKeyGenInfo"; + + protected CMSRequest mRequest = null; + + protected HttpServletRequest httpReq = null; + protected String mServletId = null; + protected CMSServlet mServlet = null; + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + public PKIProcessor() { + } + + public PKIProcessor(CMSRequest cmsReq, CMSServlet servlet) { + mRequest = cmsReq; + + mServlet = servlet; + + if (mServlet == null || mRequest == null) { + return; + } + + mServletId = servlet.getId(); + + } + + public void process(CMSRequest cmsReq) + throws EBaseException { + } + + protected void fillCertInfo( + String protocolString, X509CertInfo certInfo, + IAuthToken authToken, IArgBlock httpParams) + throws EBaseException { + } + + protected X509CertInfo[] fillCertInfoArray( + String protocolString, IAuthToken authToken, IArgBlock httpParams, IRequest req) + throws EBaseException { + return null; + } + + /** + * fill subject name, validity, extensions from authoken if any, + * overriding what was in pkcs10. + * fill subject name, extensions from http input if not authenticated. + * requests not authenticated will need to be approved by an agent. + */ + public static void fillCertInfoFromAuthToken( + X509CertInfo certInfo, IAuthToken authToken) + throws EBaseException { + // override subject, validity and extensions from auth token + // CA determines algorithm, version and issuer. + // take key from keygen, cmc, pkcs10 or crmf. + + CMS.debug("PKIProcessor: fillCertInfoFromAuthToken"); + // subject name. + try { + String subjectname = + authToken.getInString(AuthToken.TOKEN_CERT_SUBJECT); + + if (subjectname != null) { + CertificateSubjectName certSubject = (CertificateSubjectName) + new CertificateSubjectName(new X500Name(subjectname)); + + certInfo.set(X509CertInfo.SUBJECT, certSubject); + log(ILogger.LL_INFO, + "cert subject set to " + certSubject + " from authtoken"); + } + } catch (CertificateException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", + e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } catch (IOException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME", + e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } + + // validity + try { + CertificateValidity validity = null; + Date notBefore = + authToken.getInDate(AuthToken.TOKEN_CERT_NOTBEFORE); + Date notAfter = + authToken.getInDate(AuthToken.TOKEN_CERT_NOTAFTER); + + if (notBefore != null && notAfter != null) { + validity = new CertificateValidity(notBefore, notAfter); + certInfo.set(X509CertInfo.VALIDITY, validity); + log(ILogger.LL_INFO, + "cert validity set to " + validity + " from authtoken"); + } + } catch (CertificateException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); + } catch (IOException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR")); + } + + // extensions + try { + CertificateExtensions extensions = + authToken.getInCertExts(X509CertInfo.EXTENSIONS); + + if (extensions != null) { + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + log(ILogger.LL_INFO, "cert extensions set from authtoken"); + } + } catch (CertificateException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); + } catch (IOException e) { + log(ILogger.LL_WARN, + CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR")); + } + } + + /** + * fill subject name, extension from form. + * this is done for unauthenticated requests. + * unauthenticated requests must be approved by agents so these will + * all be seen by and agent. + */ + public static void fillCertInfoFromForm( + X509CertInfo certInfo, IArgBlock httpParams) + throws EBaseException { + + CMS.debug("PKIProcessor: fillCertInfoFromForm"); + // subject name. + try { + String subject = httpParams.getValueAsString(PKIProcessor.SUBJECT_NAME, null); + + if (subject == null) { + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_MISSING_SUBJECT_FROM_FORM")); + } + + X500Name x500name = new X500Name(subject); + + certInfo.set( + X509CertInfo.SUBJECT, new CertificateSubjectName(x500name)); + + fillValidityFromForm(certInfo, httpParams); + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } catch (IllegalArgumentException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_REQ_ILLEGAL_CHARACTERS")); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_CONVERT_DN_TO_X500NAME_ERROR")); + } + + // requested extensions. + // let polcies form extensions from http input. + } + + public static void fillValidityFromForm( + X509CertInfo certInfo, IArgBlock httpParams) + throws EBaseException { + CMS.debug("PKIProcessor: fillValidityFromForm!"); + try { + String notValidBeforeStr = httpParams.getValueAsString("notValidBefore", null); + String notValidAfterStr = httpParams.getValueAsString("notValidAfter", null); + + if (notValidBeforeStr != null && notValidAfterStr != null) { + long notValidBefore = 0; + long notValidAfter = 0; + + try { + notValidBefore = Long.parseLong(notValidBeforeStr); + } catch (NumberFormatException e) { + } + try { + notValidAfter = Long.parseLong(notValidAfterStr); + } catch (NumberFormatException e) { + } + + if (notValidBefore > 0 && notValidAfter > 0) { + CertificateValidity validity = null; + Date notBefore = new Date(notValidBefore); + Date notAfter = new Date(notValidAfter); + + if (notBefore != null && notAfter != null) { + validity = new CertificateValidity(notBefore, notAfter); + certInfo.set(X509CertInfo.VALIDITY, validity); + log(ILogger.LL_INFO, + "cert validity set to " + validity + " from authtoken"); + } + } + } + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } catch (IOException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString())); + throw new ECMSGWException( + CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR")); + } + } + + /** + * log according to authority category. + */ + public static void log(int event, int level, String msg) { + CMS.getLogger().log(event, ILogger.S_OTHER, level, + "PKIProcessor " + ": " + msg); + } + + public static void log(int level, String msg) { + CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, + "PKIProcessor " + ": " + msg); + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } +} -- cgit