// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Date; import java.util.Enumeration; import java.util.Locale; import java.util.Vector; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import netscape.security.x509.RevocationReason; import netscape.security.x509.X509CertImpl; import org.apache.commons.lang.StringUtils; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthToken; import com.netscape.certsrv.authentication.IAuthSubsystem; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authority.ICertAuthority; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.Nonces; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.ca.ICRLIssuingPoint; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.certdb.CertId; import com.netscape.certsrv.dbs.certdb.ICertRecord; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.ra.IRegistrationAuthority; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestStatus; import com.netscape.certsrv.usrgrp.Certificates; import com.netscape.certsrv.usrgrp.ICertUserLocator; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; /** * Revoke a Certificate * * @version $Revision$, $Date$ */ public class DoRevoke extends CMSServlet { /** * */ private static final long serialVersionUID = 1693115906265904238L; private final static String TPL_FILE = "revocationResult.template"; private ICertificateRepository mCertDB = null; private String mFormPath = null; private IPublisherProcessor mPublisherProcessor = null; private Nonces mNonces = null; private int mTimeLimits = 30; /* in seconds */ private IUGSubsystem mUG = null; private ICertUserLocator mUL = null; public DoRevoke() { super(); } /** * initialize the servlet. This servlet uses the template * file "revocationResult.template" to render the result * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); mUL = mUG.getCertUserLocator(); if (mAuthority instanceof ICertificateAuthority) { mCertDB = ((ICertificateAuthority) mAuthority).getCertificateRepository(); if (((ICertificateAuthority) mAuthority).noncesEnabled()) { mNonces = ((ICertificateAuthority) mAuthority).getNonces(); } } if (mAuthority instanceof ICertAuthority) { mPublisherProcessor = ((ICertAuthority) mAuthority).getPublisherProcessor(); } mTemplates.remove(CMSRequest.SUCCESS); if (mOutputTemplatePath != null) mFormPath = mOutputTemplatePath; /* Server-Side time limit */ try { mTimeLimits = Integer.parseInt(sc.getInitParameter("timeLimits")); } catch (Exception e) { /* do nothing, just use the default if integer parsing failed */ } } /** * Serves HTTP request. The http parameters used by this request are as follows: * *
* serialNumber Serial number of certificate to revoke (in HEX) * revocationReason Revocation reason (Described below) * totalRecordCount [number] * verifiedRecordCount [number] * invalidityDate [number of seconds in Jan 1,1970] * ** * revocationReason can be one of these values: * *
* 0 = Unspecified (default) * 1 = Key compromised * 2 = CA key compromised * 3 = Affiliation changed * 4 = Certificate superseded * 5 = Cessation of operation * 6 = Certificate is on hold **/ public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest req = cmsReq.getHttpReq(); HttpServletResponse resp = cmsReq.getHttpResp(); IAuthToken authToken = authenticate(cmsReq); String revokeAll = null; int totalRecordCount = -1; int verifiedRecordCount = -1; EBaseException error = null; int reason = -1; boolean authorized = true; Date invalidityDate = null; CMSTemplate form = null; Locale[] locale = new Locale[1]; try { form = getTemplate(mFormPath, req, locale); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } IArgBlock header = CMS.createArgBlock(); IArgBlock ctx = CMS.createArgBlock(); CMSTemplateParams argSet = new CMSTemplateParams(header, ctx); try { if (req.getParameter("revocationReason") != null) { reason = Integer.parseInt(req.getParameter( "revocationReason")); } if (req.getParameter("totalRecordCount") != null) { totalRecordCount = Integer.parseInt(req.getParameter( "totalRecordCount")); } if (req.getParameter("verifiedRecordCount") != null) { verifiedRecordCount = Integer.parseInt( req.getParameter( "verifiedRecordCount")); } if (req.getParameter("invalidityDate") != null) { long l = Long.parseLong(req.getParameter( "invalidityDate")); if (l > 0) { invalidityDate = new Date(l); } } revokeAll = req.getParameter("revokeAll"); if (mNonces != null) { boolean nonceVerified = false; boolean skipNonceVerification = false; X509Certificate cert2 = getSSLClientCertificate(req); if (cert2 != null) { X509Certificate certChain[] = new X509Certificate[1]; certChain[0] = cert2; IUser user = null; try { user = mUL.locateUser(new Certificates(certChain)); } catch (Exception e) { CMS.debug("DoRevoke: Failed to map certificate '" + cert2.getSubjectDN().getName() + "' to user."); } if (mUG.isMemberOf(user, "Subsystem Group")) { skipNonceVerification = true; } } String nonceStr = req.getParameter("nonce"); if (nonceStr != null) { long nonce = Long.parseLong(nonceStr.trim()); X509Certificate cert1 = mNonces.getCertificate(nonce); if (cert1 == null) { CMS.debug("DoRevoke: Unknown nonce"); } else if (cert1 != null && cert2 != null && cert1.equals(cert2)) { nonceVerified = true; mNonces.removeNonce(nonce); } } else { CMS.debug("DoRevoke: Missing nonce"); } CMS.debug("DoRevoke: nonceVerified=" + nonceVerified); CMS.debug("DoRevoke: skipNonceVerification=" + skipNonceVerification); if ((!nonceVerified) && (!skipNonceVerification)) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } } String comments = req.getParameter(IRequest.REQUESTOR_COMMENTS); String eeSubjectDN = null; String eeSerialNumber = null; //for audit log. String initiative = null; String authMgr = AuditFormat.NOAUTH; authToken = authenticate(req); AuthzToken authzToken = null; try { authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "revoke"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { if (authToken != null) { String serialNumber = req.getParameter("serialNumber"); getSSLClientCertificate(req); // throw exception on error if (serialNumber != null) { eeSerialNumber = serialNumber; } authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); String agentID = authToken.getInString("userid"); initiative = AuditFormat.FROMAGENT + " agentID: " + agentID + " authenticated by " + authMgr; } } else { // request is fromUser. initiative = AuditFormat.FROMUSER; String serialNumber = req.getParameter("serialNumber"); X509CertImpl sslCert = (X509CertImpl) getSSLClientCertificate(req); if (serialNumber == null || sslCert == null || !(serialNumber.equals(sslCert.getSerialNumber().toString(16)))) { authorized = false; } else { eeSubjectDN = sslCert.getSubjectDN().toString(); eeSerialNumber = sslCert.getSerialNumber().toString(); } } if (authorized) { BigInteger serialNumber = parseSerialNumber(eeSerialNumber); process(argSet, header, reason, invalidityDate, initiative, req, resp, verifiedRecordCount, revokeAll, totalRecordCount, serialNumber, eeSubjectDN, comments, locale[0]); } } catch (NumberFormatException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); error = new EBaseException(CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); } catch (EBaseException e) { error = e; } /* catch (Exception e) { noError = false; header.addStringValue(OUT_ERROR, MessageFormatter.getLocalizedString( errorlocale[0], BaseResources.class.getName(), BaseResources.INTERNAL_ERROR_1, e.toString())); } */ try { ServletOutputStream out = resp.getOutputStream(); if (error == null && authorized) { String xmlOutput = req.getParameter("xml"); if (xmlOutput != null && xmlOutput.equals("true")) { outputXML(resp, argSet); } else { resp.setContentType("text/html"); form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } } else if (!authorized) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); } else { cmsReq.setStatus(CMSRequest.ERROR); cmsReq.setError(error); } } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE")); } } /** * Process cert status change request *
* * (Certificate Request - either an "agent" cert status change request, or an "EE" cert status change request) *
* * (Certificate Request Processed - either an "agent" cert status change request, or an "EE" cert status change * request) *
* *
* * @param req HTTP request * @return id string containing the signed audit log message RequesterID */ private RequestId auditRequesterID(HttpServletRequest req) { String requesterID = req.getParameter("requestId"); if (requesterID != null) { return new RequestId(requesterID.trim()); } else { return null; } } /** * This method parses a String serial number into BigInteger. * * @param serialNumber a String containing the un-normalized serial number * @return a BigInteger containing the serial number */ private BigInteger parseSerialNumber(String serialNumber) { if (StringUtils.isEmpty(serialNumber)) return null; // Normalize the serialNumber serialNumber = serialNumber.trim(); // find out if the value is hex or decimal //try decimal try { return new BigInteger(serialNumber, 10); } catch (NumberFormatException e) { } //try hex try { return new BigInteger(serialNumber, 16); } catch (NumberFormatException e) { } // give up if it isn't hex or dec throw new NumberFormatException("Invalid serial number: "+serialNumber); } }