// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.Locale; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import netscape.security.x509.CertificateChain; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authority.ICertAuthority; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.ICertPrettyPrint; import com.netscape.certsrv.logging.ILogger; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.base.UserInfo; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; /** * Retrieve the Certificates comprising the CA Chain for this CA. * * @version $Revision$, $Date$ */ public class GetCAChain extends CMSServlet { /** * */ private static final long serialVersionUID = -8189048155415074581L; private final static String TPL_FILE = "displayCaCert.template"; private String mFormPath = null; public GetCAChain() { super(); } /** * initialize the servlet. * * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { super.init(sc); // override success to display own output. mTemplates.remove(CMSRequest.SUCCESS); // coming from ee mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE; } /** * Process the HTTP request. * * * @param cmsReq the object holding the request and response information */ protected void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); IAuthToken authToken = authenticate(cmsReq); // Construct an ArgBlock IArgBlock args = cmsReq.getHttpParams(); // Get the operation code String op = null; op = args.getValueAsString("op", null); if (op == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_OPTIONS_SELECTED")); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_NO_OPTIONS_SELECTED")); } cmsReq.setStatus(CMSRequest.SUCCESS); AuthzToken authzToken = null; if (op.startsWith("download")) { try { authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "download"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } downloadChain(op, args, httpReq, httpResp, cmsReq); } else if (op.startsWith("display")) { try { authzToken = mAuthz.authorize(mAclMethod, authToken, mAuthzResourceName, "read"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } displayChain(op, args, httpReq, httpResp, cmsReq); } else { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_OPTIONS_CA_CHAIN")); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_INVALID_OPTIONS_SELECTED")); } // cmsReq.setResult(null); return; } private void downloadChain(String op, IArgBlock args, HttpServletRequest httpReq, HttpServletResponse httpResp, CMSRequest cmsReq) throws EBaseException { /* check browser info ? */ /* check if pkcs7 will work for both nav and ie */ byte[] bytes = null; /* * Some IE actions - IE doesn't want PKCS7 for "download" CA Cert. * This means that we can only hand out the root CA, and not * the whole chain. */ if (clientIsMSIE(httpReq) && (op.equals("download") || op.equals("downloadBIN"))) { X509Certificate[] caCerts = ((ICertAuthority) mAuthority).getCACertChain().getChain(); try { bytes = caCerts[0].getEncoded(); } catch (CertificateEncodingException e) { cmsReq.setStatus(CMSRequest.ERROR); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_GETTING_CACERT_ENCODED", e.toString())); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_GETTING_CA_CERT_ERROR")); } } else { CertificateChain certChain = ((ICertAuthority) mAuthority).getCACertChain(); if (certChain == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_CHAIN_EMPTY")); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_CA_CHAIN_EMPTY")); } try { ByteArrayOutputStream encoded = new ByteArrayOutputStream(); certChain.encode(encoded, false); bytes = encoded.toByteArray(); } catch (IOException e) { cmsReq.setStatus(CMSRequest.ERROR); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", e.toString())); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); } } String mimeType = null; if (op.equals("downloadBIN")) { mimeType = "application/octet-stream"; } else { try { mimeType = args.getValueAsString("mimeType"); } catch (EBaseException e) { mimeType = "application/octet-stream"; } } try { if (op.equals("downloadBIN")) { // file suffixes changed to comply with RFC 5280 // requirements for AIA extensions if (clientIsMSIE(httpReq)) { httpResp.setHeader("Content-disposition", "attachment; filename=ca.cer"); } else { httpResp.setHeader("Content-disposition", "attachment; filename=ca.p7c"); } } httpResp.setContentType(mimeType); httpResp.getOutputStream().write(bytes); httpResp.setContentLength(bytes.length); httpResp.getOutputStream().flush(); } catch (IOException e) { cmsReq.setStatus(CMSRequest.ERROR); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", e.toString())); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); } } private void displayChain(String op, IArgBlock args, HttpServletRequest httpReq, HttpServletResponse httpResp, CMSRequest cmsReq) throws EBaseException { CertificateChain certChain = ((ICertAuthority) mAuthority).getCACertChain(); if (certChain == null) { cmsReq.setStatus(CMSRequest.ERROR); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_CA_CHAIN_NOT_AVAILABLE")); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_CA_CHAIN_NOT_AVAILABLE")); } CMSTemplate form = null; Locale[] locale = new Locale[1]; if (mOutputTemplatePath != null) mFormPath = mOutputTemplatePath; try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", e.toString())); cmsReq.setError(new ECMSGWException( CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); return; } IArgBlock header = CMS.createArgBlock(); IArgBlock fixed = CMS.createArgBlock(); CMSTemplateParams argSet = new CMSTemplateParams(header, fixed); String displayFormat = null; if (op.equals("displayIND")) { displayFormat = "individual"; } else { try { displayFormat = args.getValueAsString("displayFormat"); } catch (EBaseException e) { displayFormat = "chain"; } } header.addStringValue("displayFormat", displayFormat); if (displayFormat.equals("chain")) { String subjectdn = null; byte[] bytes = null; try { subjectdn = certChain.getFirstCertificate().getSubjectDN().toString(); ByteArrayOutputStream encoded = new ByteArrayOutputStream(); certChain.encode(encoded); bytes = encoded.toByteArray(); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_ENCODING_CA_CHAIN_1", e.toString())); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_ENCODING_CA_CHAIN_ERROR")); } String chainBase64 = getBase64(bytes); header.addStringValue("subjectdn", subjectdn); header.addStringValue("chainBase64", chainBase64); } else { try { X509Certificate[] certs = certChain.getChain(); header.addIntegerValue("length", certs.length); locale[0] = getLocale(httpReq); for (int i = 0; i < certs.length; i++) { byte[] bytes = null; try { bytes = certs[i].getEncoded(); } catch (CertificateEncodingException e) { throw new IOException("Internal Error"); } String subjectdn = certs[i].getSubjectDN().toString(); String finger = null; try { finger = CMS.getFingerPrints(certs[i]); } catch (Exception e) { throw new IOException("Internal Error"); } ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(certs[i]); IArgBlock rarg = CMS.createArgBlock(); rarg.addStringValue("fingerprints", finger); rarg.addStringValue("subjectdn", subjectdn); rarg.addStringValue("base64", getBase64(bytes)); rarg.addStringValue("certDetails", certDetails.toString(locale[0])); argSet.addRepeatRecord(rarg); } } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_DISPLAYING_CACHAIN_1", e.toString())); throw new ECMSGWException( CMS.getUserMessage("CMS_GW_DISPLAYING_CACHAIN_ERROR")); } } try { ServletOutputStream out = httpResp.getOutputStream(); httpResp.setContentType("text/html"); form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString())); cmsReq.setError(new ECMSGWException( CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"))); cmsReq.setStatus(CMSRequest.ERROR); } } /** * gets base 64 encoded cert */ private String getBase64(byte[] certBytes) { String certBase64 = CMS.BtoA(certBytes); return certBase64; } /** * Retrieves locale based on the request. */ protected Locale getLocale(HttpServletRequest req) { Locale locale = null; String lang = req.getHeader("accept-language"); if (lang == null) { // use server locale locale = Locale.getDefault(); } else { locale = new Locale(UserInfo.getUserLanguage(lang), UserInfo.getUserCountry(lang)); } return locale; } }