msgs = messages.elements();
StringBuffer wholeMsg = new StringBuffer();
while (msgs.hasMoreElements()) {
wholeMsg.append("\n");
wholeMsg.append(msgs.nextElement());
}
mLogger.log(ILogger.EV_AUDIT,
ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
new Object[] {
req.getRequestId(),
initiative,
authMgr,
status.toString(),
certInfo.get(X509CertInfo.SUBJECT),
" violation: " +
wholeMsg.toString() }
);
} else { // no policy violation, from agent
mLogger.log(ILogger.EV_AUDIT,
ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
new Object[] {
req.getRequestId(),
initiative,
authMgr,
status.toString(),
certInfo.get(X509CertInfo.SUBJECT), "" }
);
}
} else { // other imcomplete status
long endTime = CMS.getCurrentDate().getTime();
mLogger.log(ILogger.EV_AUDIT,
ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
new Object[] {
req.getRequestId(),
initiative,
authMgr,
status.toString(),
certInfo.get(X509CertInfo.SUBJECT) + " time: " + (endTime - startTime), "" }
);
}
} catch (IOException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
} catch (CertificateException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
}
return false;
}
// if service error use standard error templates.
Integer result = req.getExtDataInInteger(IRequest.RESULT);
if (result.equals(IRequest.RES_ERROR)) {
cmsReq.setStatus(CMSRequest.ERROR);
cmsReq.setError(req.getExtDataInString(IRequest.ERROR));
String[] svcErrors =
req.getExtDataInStringArray(IRequest.SVCERRORS);
if (svcErrors != null && svcErrors.length > 0) {
for (int i = 0; i < svcErrors.length; i++) {
String err = svcErrors[i];
if (err != null) {
//System.out.println(
//"revocation servlet: setting error description "+
//err.toString());
cmsReq.setErrorDescription(err);
// audit log the error
try {
mLogger.log(ILogger.EV_AUDIT,
ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
new Object[] {
req.getRequestId(),
initiative,
authMgr,
"completed with error: " +
err,
certInfo.get(X509CertInfo.SUBJECT), ""
}
);
} catch (IOException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
} catch (CertificateException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING",
e.toString()));
}
}
}
}
return false;
}
return true;
}
/**
* Process X509 certificate enrollment request
*
*
* (Certificate Request - either an "admin" cert request for an admin certificate, an "agent" cert request for
* "bulk enrollment", or an "EE" standard cert request)
*
*
* (Certificate Request Processed - either an automated "admin" non-profile based CA admin cert acceptance, an
* automated "admin" non-profile based CA admin cert rejection, an automated "EE" non-profile based cert acceptance,
* or an automated "EE" non-profile based cert rejection)
*
*
*
* - signed.audit LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST used when a non-profile cert request is made
* (before approval process)
*
- signed.audit LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED used when a certificate request has just been
* through the approval process
*
*
* @param cmsReq a certificate enrollment request
* @exception EBaseException an error has occurred
*/
protected void processX509(CMSRequest cmsReq)
throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRequesterID = ILogger.UNIDENTIFIED;
String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
String id = null;
// define variables common to try-catch-blocks
long startTime = 0;
IArgBlock httpParams = null;
HttpServletRequest httpReq = null;
IAuthToken authToken = null;
AuthzToken authzToken = null;
IRequest req = null;
X509CertInfo certInfo = null;
IConfigStore configStore = CMS.getConfigStore();
/* XXX shouldn't we read this from ServletConfig at init time? */
enforcePop = configStore.getBoolean("enrollment.enforcePop", false);
CMS.debug("EnrollServlet: enforcePop " + enforcePop);
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
try {
startTime = CMS.getCurrentDate().getTime();
httpParams = cmsReq.getHttpParams();
httpReq = cmsReq.getHttpReq();
if (mAuthMgr != null) {
authToken = authenticate(cmsReq);
}
try {
authzToken = authorize(mAclMethod, authToken,
mAuthzResourceName, "submit");
} catch (EAuthzAccessDenied e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
} catch (Exception e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
}
if (authzToken == null) {
cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
return;
}
// create enrollment request in request queue.
req = mRequestQueue.newRequest(IRequest.ENROLLMENT_REQUEST);
// retrieve the actual "auditRequesterID"
if (req != null) {
// overwrite "auditRequesterID" if and only if "id" != null
id = req.getRequestId().toString();
if (id != null) {
auditRequesterID = id.trim();
}
}
try {
if (CMS.getConfigStore().getBoolean("useThreadNaming", false)) {
String currentName = Thread.currentThread().getName();
Thread.currentThread().setName(currentName
+ "-request-"
+ req.getRequestId().toString()
+ "-"
+ (new Date()).getTime());
}
} catch (Exception e) {
}
/*
* === certAuth based enroll ===
* "certAuthEnroll" is on.
* "certauthEnrollType can be one of the three:
* single - it's for single cert enrollment
* dual - it's for dual certs enrollment
* encryption - getting the encryption cert only via
* authentication of the signing cert
* (crmf or keyGenInfo)
*/
boolean certAuthEnroll = false;
String certauthEnrollType = null;
certAuthEnroll = getCertAuthEnrollStatus(httpParams);
try {
if (certAuthEnroll == true) {
certauthEnrollType = getCertAuthEnrollType(httpParams,
certAuthEnroll);
}
} catch (ECMSGWException e) {
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(e.toString());
}
CMS.debug("EnrollServlet: In EnrollServlet.processX509!");
CMS.debug("EnrollServlet: certAuthEnroll " + certAuthEnroll);
CMS.debug("EnrollServlet: certauthEnrollType " + certauthEnrollType);
String challengePassword = httpParams.getValueAsString(
"challengePassword", "");
cmsReq.setIRequest(req);
saveHttpHeaders(httpReq, req);
saveHttpParams(httpParams, req);
X509Certificate sslClientCert = null;
// cert auth enroll
String certBasedOldSubjectDN = null;
BigInteger certBasedOldSerialNum = null;
// check if request was authenticated, if so set authtoken &
// certInfo. also if authenticated, take certInfo from authToken.
certInfo = null;
if (certAuthEnroll == true) {
sslClientCert = getSSLClientCertificate(httpReq);
if (sslClientCert == null) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_MISSING_SSL_CLIENT_CERT"));
}
certBasedOldSubjectDN = sslClientCert.getSubjectDN().toString();
certBasedOldSerialNum = sslClientCert.getSerialNumber();
CMS.debug("EnrollServlet: certBasedOldSubjectDN " + certBasedOldSubjectDN);
CMS.debug("EnrollServlet: certBasedOldSerialNum " + certBasedOldSerialNum);
// if the cert subject name is NOT MISSING, retrieve the
// actual "auditCertificateSubjectName" and "normalize" it
if (certBasedOldSubjectDN != null) {
// NOTE: This is ok even if the cert subject name
// is "" (empty)!
auditCertificateSubjectName = certBasedOldSubjectDN.trim();
}
try {
certInfo = (X509CertInfo)
((X509CertImpl) sslClientCert).get(
X509CertImpl.NAME + "." + X509CertImpl.INFO);
} catch (CertificateParsingException ex) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_MISSING_CERTINFO"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_CERTINFO"));
}
} else {
CMS.debug("EnrollServlet: No CertAuthEnroll.");
certInfo = CMS.getDefaultX509CertInfo();
}
X509CertInfo[] certInfoArray = new X509CertInfo[] { certInfo };
String authMgr = AuditFormat.NOAUTH;
// if authentication
if (authToken != null) {
authMgr =
authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
// don't store agent token in request.
// agent currently used for bulk issuance.
// if (!authMgr.equals(AuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
log(ILogger.LL_INFO,
"Enrollment request was authenticated by " +
authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME));
PKIProcessor.fillCertInfoFromAuthToken(certInfo,
authToken);
// save authtoken attrs to request directly
// (for policy use)
saveAuthToken(authToken, req);
// req.set(IRequest.AUTH_TOKEN, authToken);
// }
}
CMS.debug("EnrollServlet: Enroll authMgr " + authMgr);
if (certAuthEnroll == true) {
// log(ILogger.LL_DEBUG,
// "just gotten subjectDN and serialNumber " +
// "from ssl client cert");
if (authToken == null) {
// authToken is null, can't match to anyone; bail!
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_ERR_PROCESS_ENROLL_NO_AUTH"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
return;
}
}
// fill certInfo from input types: keygen, cmc, pkcs10 or crmf
KeyGenInfo keyGenInfo = httpParams.getValueAsKeyGenInfo(
SUBJECT_KEYGEN_INFO, null);
PKCS10 pkcs10 = null;
// support Enterprise 3.5.1 server where CERT_TYPE=csrCertType
// instead of certType
String certType = httpParams.getValueAsString(OLD_CERT_TYPE, null);
CMS.debug("EnrollServlet: certType " + certType);
if (certType == null) {
certType = httpParams.getValueAsString(CERT_TYPE, "client");
CMS.debug("EnrollServlet: certType " + certType);
} else {
// some policies may rely on the fact that
// CERT_TYPE is set. So for 3.5.1 or eariler
// we need to set CERT_TYPE here.
req.setExtData(IRequest.HTTP_PARAMS, CERT_TYPE, certType);
}
if (certType.equals("client")) {
// coming from MSIE
String p10b64 = httpParams.getValueAsString(PKCS10_REQUEST,
null);
if (p10b64 != null) {
try {
byte[] bytes = CMS.AtoB(p10b64);
pkcs10 = new PKCS10(bytes);
} catch (Exception e) {
// ok, if the above fails, it could
// be a PKCS10 with header
pkcs10 = httpParams.getValueAsPKCS10(PKCS10_REQUEST,
false, null);
// e.printStackTrace();
}
}
//pkcs10 = httpParams.getValuePKCS10(PKCS10_REQUEST, null);
} else {
try {
// coming from server cut & paste blob.
pkcs10 = httpParams.getValueAsPKCS10(PKCS10_REQUEST,
false, null);
} catch (Exception ex) {
ex.printStackTrace();
}
}
String cmc = null;
String asciiBASE64Blob = httpParams.getValueAsString(CMC_REQUEST, null);
if (asciiBASE64Blob != null) {
int startIndex = asciiBASE64Blob.indexOf(HEADER);
int endIndex = asciiBASE64Blob.indexOf(TRAILER);
if (startIndex != -1 && endIndex != -1) {
startIndex = startIndex + HEADER.length();
cmc = asciiBASE64Blob.substring(startIndex, endIndex);
} else
cmc = asciiBASE64Blob;
CMS.debug("EnrollServlet: cmc " + cmc);
}
String crmf = httpParams.getValueAsString(CRMF_REQUEST, null);
CMS.debug("EnrollServlet: crmf " + crmf);
if (certAuthEnroll == true) {
PKIProcessor.fillCertInfoFromAuthToken(certInfo, authToken);
// for dual certs
if (certauthEnrollType.equals(CERT_AUTH_DUAL)) {
CMS.debug("EnrollServlet: Attempting CERT_AUTH_DUAL");
boolean gotEncCert = false;
X509CertInfo[] cInfoArray = null;
try {
cInfoArray = handleCertAuthDual(certInfo, authToken,
sslClientCert, mCa,
certBasedOldSubjectDN,
certBasedOldSerialNum);
} catch (ECMSGWException e) {
// store a message in the signed audit log file
// (either an "admin" cert request for an admin
// certificate, an "agent" cert request for
// "bulk enrollment", or an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(e.toString());
}
if (cInfoArray != null && cInfoArray.length != 0) {
CMS.debug("EnrollServlet: cInfoArray Length " + cInfoArray.length);
certInfoArray = cInfoArray;
gotEncCert = true;
}
if (gotEncCert == false) {
// encryption cert not found, bail
log(ILogger.LL_FAILURE,
CMS.getLogMessage(
"CMSGW_ENCRYPTION_CERT_NOT_FOUND"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin
// certificate, an "agent" cert request for
// "bulk enrollment", or an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_ENCRYPTION_CERT_NOT_FOUND"));
}
} else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) {
// first, make sure the client cert is indeed a
// signing only cert
try {
checkClientCertSigningOnly(sslClientCert);
} catch (ECMSGWException e) {
// store a message in the signed audit log file
// (either an "admin" cert request for an admin
// certificate, an "agent" cert request for
// "bulk enrollment", or an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(e.toString());
}
/*
* either crmf or keyGenInfo
*/
if (keyGenInfo != null) {
KeyGenProcessor keyGenProc = new KeyGenProcessor(cmsReq,
this);
keyGenProc.fillCertInfo(null, certInfo,
authToken, httpParams);
req.setExtData(CLIENT_ISSUER,
sslClientCert.getIssuerDN().toString());
CMS.debug("EnrollServlet: sslClientCert issuerDN = " +
sslClientCert.getIssuerDN().toString());
} else if (crmf != null && crmf != "") {
CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop);
certInfoArray = crmfProc.fillCertInfoArray(crmf,
authToken,
httpParams,
req);
req.setExtData(CLIENT_ISSUER,
sslClientCert.getIssuerDN().toString());
CMS.debug("EnrollServlet: sslClientCert issuerDN = " +
sslClientCert.getIssuerDN().toString());
} else {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") +
CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin
// certificate, an "agent" cert request for
// "bulk enrollment", or an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO"));
}
} else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) {
// have to be buried here to handle the issuer
if (keyGenInfo != null) {
KeyGenProcessor keyGenProc = new KeyGenProcessor(cmsReq,
this);
keyGenProc.fillCertInfo(null, certInfo,
authToken, httpParams);
} else if (pkcs10 != null) {
PKCS10Processor pkcs10Proc = new PKCS10Processor(cmsReq,
this);
pkcs10Proc.fillCertInfo(pkcs10, certInfo,
authToken, httpParams);
} else if (cmc != null && cmc != "") {
CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, enforcePop);
certInfoArray = cmcProc.fillCertInfoArray(cmc,
authToken,
httpParams,
req);
} else if (crmf != null && crmf != "") {
CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop);
certInfoArray = crmfProc.fillCertInfoArray(crmf,
authToken,
httpParams,
req);
} else {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") +
CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin
// certificate, an "agent" cert request for
// "bulk enrollment", or an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO"));
}
req.setExtData(CLIENT_ISSUER,
sslClientCert.getIssuerDN().toString());
}
} else if (keyGenInfo != null) {
CMS.debug("EnrollServlet: Trying KeyGen with no cert auth.");
KeyGenProcessor keyGenProc = new KeyGenProcessor(cmsReq, this);
keyGenProc.fillCertInfo(null, certInfo, authToken, httpParams);
} else if (pkcs10 != null) {
CMS.debug("EnrollServlet: Trying PKCS10 with no cert auth.");
PKCS10Processor pkcs10Proc = new PKCS10Processor(cmsReq, this);
pkcs10Proc.fillCertInfo(pkcs10, certInfo, authToken, httpParams);
} else if (cmc != null) {
CMS.debug("EnrollServlet: Trying CMC with no cert auth.");
CMCProcessor cmcProc = new CMCProcessor(cmsReq, this, enforcePop);
certInfoArray = cmcProc.fillCertInfoArray(cmc, authToken,
httpParams, req);
} else if (crmf != null && crmf != "") {
CMS.debug("EnrollServlet: Trying CRMF with no cert auth.");
CRMFProcessor crmfProc = new CRMFProcessor(cmsReq, this, enforcePop);
certInfoArray = crmfProc.fillCertInfoArray(crmf, authToken,
httpParams, req);
} else {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_CANT_PROCESS_ENROLL_REQ") +
CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq), "CMS_GW_MISSING_KEYGEN_INFO"));
}
// if ca, fill in default signing alg here
try {
ICertificateAuthority caSub =
(ICertificateAuthority) CMS.getSubsystem("ca");
if (certInfoArray != null && caSub != null) {
for (int ix = 0; ix < certInfoArray.length; ix++) {
X509CertInfo ci = certInfoArray[ix];
String defaultSig = caSub.getDefaultAlgorithm();
AlgorithmId algid = AlgorithmId.get(defaultSig);
ci.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algid));
}
}
} catch (Exception e) {
CMS.debug("Failed to set signing alg to certinfo " + e.toString());
}
req.setExtData(IRequest.CERT_INFO, certInfoArray);
if (challengePassword != null && !challengePassword.equals("")) {
String pwd = hashPassword(challengePassword);
req.setExtData(CHALLENGE_PASSWORD, pwd);
}
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.SUCCESS,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
// (either an "admin" cert request for an admin certificate,
// an "agent" cert request for "bulk enrollment", or
// an "EE" standard cert request)
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditServiceID,
auditCertificateSubjectName);
audit(auditMessage);
throw eAudit1;
}
X509CertImpl[] issuedCerts = null;
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
try {
// send request to request queue.
mRequestQueue.processRequest(req);
// process result.
// render OLD_CERT_TYPE's response differently, we
// do not want any javascript in HTML, and need to
// override the default render.
if (httpParams.getValueAsString(OLD_CERT_TYPE, null) != null) {
try {
renderServerEnrollResult(cmsReq);
cmsReq.setStatus(CMSRequest.SUCCESS); // no default render
issuedCerts =
cmsReq.getIRequest().getExtDataInCertArray(
IRequest.ISSUED_CERTS);
for (int i = 0; i < issuedCerts.length; i++) {
// (automated "agent" cert request processed
// - "accepted")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.SUCCESS,
auditRequesterID,
ILogger.SIGNED_AUDIT_ACCEPTANCE,
auditInfoCertValue(issuedCerts[i]));
audit(auditMessage);
}
} catch (IOException ex) {
cmsReq.setStatus(CMSRequest.ERROR);
// (automated "agent" cert request processed - "rejected")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
ILogger.SIGNED_AUDIT_REJECTION,
SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]);
audit(auditMessage);
}
return;
}
boolean completed = handleEnrollAuditLog(req, cmsReq,
mAuthMgr, authToken,
certInfo, startTime);
if (completed == false) {
// (automated "agent" cert request processed - "rejected")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
ILogger.SIGNED_AUDIT_REJECTION,
SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]);
audit(auditMessage);
return;
}
// service success
cmsReq.setStatus(CMSRequest.SUCCESS);
issuedCerts = req.getExtDataInCertArray(IRequest.ISSUED_CERTS);
String initiative = null;
String agentID;
if (authToken == null) {
// request is from eegateway, so fromUser.
initiative = AuditFormat.FROMUSER;
} else {
agentID = authToken.getInString("userid");
initiative = AuditFormat.FROMAGENT + " agentID: " + agentID;
}
// audit log the success.
long endTime = CMS.getCurrentDate().getTime();
mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
AuditFormat.LEVEL,
AuditFormat.ENROLLMENTFORMAT,
new Object[]
{ req.getRequestId(),
initiative,
mAuthMgr,
"completed",
issuedCerts[0].getSubjectDN(),
"cert issued serial number: 0x" +
issuedCerts[0].getSerialNumber().toString(16) +
" time: " +
(endTime - startTime) }
);
// handle initial admin enrollment if in adminEnroll mode.
checkAdminEnroll(cmsReq, issuedCerts);
// return cert as mime type binary if requested.
if (checkImportCertToNav(cmsReq.getHttpResp(),
httpParams, issuedCerts[0])) {
cmsReq.setStatus(CMSRequest.SUCCESS);
for (int i = 0; i < issuedCerts.length; i++) {
// (automated "agent" cert request processed - "accepted")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.SUCCESS,
auditRequesterID,
ILogger.SIGNED_AUDIT_ACCEPTANCE,
auditInfoCertValue(issuedCerts[i]));
audit(auditMessage);
}
return;
}
// use success template.
try {
cmsReq.setResult(issuedCerts);
renderTemplate(cmsReq, mEnrollSuccessTemplate,
mEnrollSuccessFiller);
cmsReq.setStatus(CMSRequest.SUCCESS);
for (int i = 0; i < issuedCerts.length; i++) {
// (automated "agent" cert request processed - "accepted")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.SUCCESS,
auditRequesterID,
ILogger.SIGNED_AUDIT_ACCEPTANCE,
auditInfoCertValue(issuedCerts[i]));
audit(auditMessage);
}
} catch (IOException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_TEMP_REND_ERR",
mEnrollSuccessFiller.toString(),
e.toString()));
// (automated "agent" cert request processed - "rejected")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
ILogger.SIGNED_AUDIT_REJECTION,
SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]);
audit(auditMessage);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"));
}
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
// (automated "agent" cert request processed - "rejected")
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
ILogger.SIGNED_AUDIT_REJECTION,
SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]);
audit(auditMessage);
throw eAudit1;
}
return;
}
/**
* check if this is first enroll from admin enroll.
* If so disable admin enroll from here on.
*/
protected void checkAdminEnroll(CMSRequest cmsReq, X509CertImpl[] issuedCerts)
throws EBaseException {
// this is special case, get the admin certificate
if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID)) {
addAdminAgent(cmsReq, issuedCerts);
CMSGateway.disableAdminEnroll();
}
}
protected void addAdminAgent(CMSRequest cmsReq, X509CertImpl[] issuedCerts)
throws EBaseException {
String userid = cmsReq.getHttpParams().getValueAsString("uid");
IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
IUser adminuser = ug.createUser(userid);
adminuser.setX509Certificates(issuedCerts);
try {
ug.addUserCert(adminuser);
} catch (netscape.ldap.LDAPException e) {
CMS.debug(
"EnrollServlet: Cannot add admin's certificate to its entry in the " +
"user group database. Error " + e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_ADDING_ADMIN_CERT_ERROR", e.toString()));
}
IGroup agentGroup =
ug.getGroupFromName(CA_AGENT_GROUP);
if (agentGroup != null) {
// add user to the group if necessary
if (!agentGroup.isMember(userid)) {
agentGroup.addMemberName(userid);
ug.modifyGroup(agentGroup);
mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT,
new Object[] { userid, userid, CA_AGENT_GROUP }
);
}
} else {
String msg = "Cannot add admin to the " +
CA_AGENT_GROUP +
" group: Group does not exist.";
CMS.debug("EnrollServlet: " + msg);
throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_ADMIN_ERROR"));
}
}
protected void renderServerEnrollResult(CMSRequest cmsReq) throws
IOException {
HttpServletResponse httpResp = cmsReq.getHttpResp();
httpResp.setContentType("text/html");
ServletOutputStream out = null;
out = httpResp.getOutputStream();
// get template based on request status
out.println("");
out.println("");
out.println("Server Enrollment");
out.println("");
// out.println("");
if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.COMPLETE)) {
out.println("");
out.println("SUCCESS");
out.println("
");
out.println("Your request is submitted and approved. Please cut and paste the certificate into your server."); // XXX - localize the message
out.println("");
out.println("Request Creation Time: ");
out.println(cmsReq.getIRequest().getCreationTime().toString());
out.println("
");
out.println("Request Status: ");
out.println(cmsReq.getStatus().toString());
out.println("
");
out.println("Request ID: ");
out.println(cmsReq.getIRequest().getRequestId().toString());
out.println("
");
out.println("Certificate: ");
out.println("
");
out.println("
");
X509CertImpl certs[] =
cmsReq.getIRequest().getExtDataInCertArray(IRequest.ISSUED_CERTS);
out.println(CMS.getEncodedCert(certs[0]));
out.println("");
out.println("");
out.println("");
out.println("");
out.println("");
out.println("");
} else if (cmsReq.getIRequest().getRequestStatus().equals(RequestStatus.PENDING)) {
out.println("
");
out.println("PENDING");
out.println("
");
out.println("Your request is submitted. You can check on the status of your request with an authorized agent or local administrator by referring to the request ID."); // XXX - localize the message
out.println("");
out.println("Request Creation Time: ");
out.println(cmsReq.getIRequest().getCreationTime().toString());
out.println("
");
out.println("Request Status: ");
out.println(cmsReq.getStatus().toString());
out.println("
");
out.println("Request ID: ");
out.println(cmsReq.getIRequest().getRequestId().toString());
out.println("
");
out.println("");
out.println("");
out.println("");
} else {
out.println("
");
out.println("ERROR");
out.println("
");
out.println("");
out.println("Please consult your local administrator for assistance."); // XXX - localize the message
out.println("");
out.println("");
out.println("Request Status: ");
out.println(cmsReq.getStatus().toString());
out.println("
");
out.println("Error: ");
out.println(cmsReq.getError()); // XXX - need to parse in Locale
out.println("
");
out.println("");
out.println("");
}
/**
* // include all the input data
* ArgBlock args = cmsReq.getHttpParams();
* Enumeration ele = args.getElements();
* while (ele.hasMoreElements()) {
* String eleT = (String)ele.nextElement();
* out.println("");
* }
**/
out.println("");
}
// XXX ALERT !!
// Remove the following and calls to them when we bundle a cartman
// later than alpha1.
// These are here to cover up problem in cartman where the
// key usage extension always ends up being digital signature only
// and for rsa-ex ends up having no bits set.
@SuppressWarnings("unused")
private boolean mIsTestBed;
private void init_testbed_hack(IConfigStore config)
throws EBaseException {
mIsTestBed = config.getBoolean("isTestBed", true);
}
/**
* Signed Audit Log Info Certificate Value
*
* This method is called to obtain the certificate from the passed in
* "X509CertImpl" for a signed audit log message.
*
*
* @param x509cert an X509CertImpl
* @return cert string containing the certificate
*/
private String auditInfoCertValue(X509CertImpl x509cert) {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
}
if (x509cert == null) {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
byte rawData[] = null;
try {
rawData = x509cert.getEncoded();
} catch (CertificateEncodingException e) {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
String cert = null;
// convert "rawData" into "base64Data"
if (rawData != null) {
String base64Data = null;
base64Data = Utils.base64encode(rawData).trim();
StringBuffer sb = new StringBuffer();
// extract all line separators from the "base64Data"
for (int i = 0; i < base64Data.length(); i++) {
if (base64Data.substring(i, i).getBytes() != EOL) {
sb.append(base64Data.substring(i, i));
}
}
cert = sb.toString();
}
if (cert != null) {
cert = cert.trim();
if (cert.equals("")) {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
} else {
return cert;
}
} else {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
}
}