diff options
| author | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
| commit | 32150d3ee32f8ac27118af7c792794b538c78a2f (patch) | |
| tree | 52dd96f664a6fa51be25b28b6f10adc5f2c9f660 /pki/base/common/src/com/netscape/cms/servlet/connector | |
| parent | f05d58a46795553beb8881039cc922974b40db34 (diff) | |
| download | pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.gz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.xz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.zip | |
Formatting
Formatted project according to eclipse project settings
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/connector')
4 files changed, 664 insertions, 820 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/CloneServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/CloneServlet.java index b3809579..7f8b0953 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/connector/CloneServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/connector/CloneServlet.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.connector; - import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; @@ -58,12 +57,10 @@ import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; - /** - * Clone servlet - part of the Clone Authority (CLA) - * processes Revoked certs from its dependant clone CAs - * service request and return status. - * + * Clone servlet - part of the Clone Authority (CLA) processes Revoked certs + * from its dependant clone CAs service request and return status. + * * @version $Revision$, $Date$ */ public class CloneServlet extends CMSServlet { @@ -88,19 +85,17 @@ public class CloneServlet extends CMSServlet { String authority = sc.getInitParameter(PROP_AUTHORITY); if (authority != null) - mAuthority = (IAuthority) - CMS.getSubsystem(authority); + mAuthority = (IAuthority) CMS.getSubsystem(authority); mReqEncoder = CMS.getHttpRequestEncoder(); mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); } - public void service(HttpServletRequest req, - HttpServletResponse resp) throws ServletException, IOException { + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { boolean running_state = CMS.isInRunningState(); if (!running_state) - throw new IOException( - "CMS server is not ready to serve."); + throw new IOException("CMS server is not ready to serve."); ServletContext servletContext = mConfig.getServletContext(); @@ -130,14 +125,14 @@ public class CloneServlet extends CMSServlet { IRequest r = null; IRequest reply = null; - // NOTE must read all bufer before redoing handshake for + // NOTE must read all bufer before redoing handshake for // ssl client auth for client auth to work. // get request method - method = req.getMethod(); + method = req.getMethod(); // get content length - len = req.getContentLength(); + len = req.getContentLength(); // get content, a base 64 encoded serialized request. if (len > 0) { @@ -159,16 +154,16 @@ public class CloneServlet extends CMSServlet { // force client auth handshake, validate clone CA (CCA) // and get CCA's Id. - // NOTE must do this after all contents are read for ssl - // redohandshake to work + // NOTE must do this after all contents are read for ssl + // redohandshake to work X509Certificate peerCert; try { peerCert = getPeerCert(req); - }catch (EBaseException e) { - mAuthority.log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT")); + } catch (EBaseException e) { + mAuthority.log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT")); resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } @@ -190,7 +185,7 @@ public class CloneServlet extends CMSServlet { CMS.debug("CloneServlet: about to authenticate"); token = authenticate(peerCert); // cfu maybe don't need CCA_Id, because the above check - // was good enough + // was good enough CCAUserId = token.getInString("userid"); CCA_Id = (String) peerCert.getSubjectDN().toString(); } catch (EInvalidCredentials e) { @@ -203,15 +198,17 @@ public class CloneServlet extends CMSServlet { return; } - mAuthority.log(ILogger.LL_INFO, - "Clone Certificate Authority authenticated: " + peerCert.getSubjectDN()); + mAuthority.log( + ILogger.LL_INFO, + "Clone Certificate Authority authenticated: " + + peerCert.getSubjectDN()); // authorize, any authenticated user are authorized AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, token, - mAuthzResourceName, "submit"); + authzToken = authorize(mAclMethod, token, mAuthzResourceName, + "submit"); } catch (Exception e) { // do nothing for now } @@ -232,29 +229,34 @@ public class CloneServlet extends CMSServlet { } // now process CCA request - should just be posting revoked - // certs for now + // certs for now try { // decode request. - CMS.debug("Cloneservlet: before decoding request, encodedreq= " + encodedreq); + CMS.debug("Cloneservlet: before decoding request, encodedreq= " + + encodedreq); msg = (IPKIMessage) mReqEncoder.decode(encodedreq); - // process request + // process request CMS.debug("Cloneservlet: decoded request"); replymsg = processRequest(CCA_Id, CCAUserId, msg, token); } catch (IOException e) { e.printStackTrace(); - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString())); + mAuthority.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", + e.toString())); resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; } catch (EBaseException e) { - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString())); + mAuthority.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", + e.toString())); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } - // encode reply + // encode reply String encodedrep = mReqEncoder.encode(replymsg); resp.setStatus(HttpServletResponse.SC_OK); @@ -271,46 +273,47 @@ public class CloneServlet extends CMSServlet { out.flush(); } - //cfu ++change this to just check the subject and signer - protected IAuthToken authenticate( - X509Certificate peerCert) - throws EBaseException { + // cfu ++change this to just check the subject and signer + protected IAuthToken authenticate(X509Certificate peerCert) + throws EBaseException { try { - // XXX using agent authentication now since we're only - // verifying that the cert belongs to a user in the db. - // XXX change this to ACL in the future. + // XXX using agent authentication now since we're only + // verifying that the cert belongs to a user in the db. + // XXX change this to ACL in the future. // build JAVA X509Certificate from peerCert. X509CertImpl cert = new X509CertImpl(peerCert.getEncoded()); AuthCredentials creds = new AuthCredentials(); - creds.set(IAuthManager.CRED_SSL_CLIENT_CERT, - new X509Certificate[] {cert} - ); + creds.set(IAuthManager.CRED_SSL_CLIENT_CERT, + new X509Certificate[] { cert }); - IAuthToken token = mAuthSubsystem.authenticate(creds, + IAuthToken token = mAuthSubsystem.authenticate(creds, IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); return token; } catch (CertificateException e) { - mAuthority.log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert.getSubjectDN().toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + mAuthority.log(ILogger.LL_SECURITY, CMS.getLogMessage( + "CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert + .getSubjectDN().toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } catch (EInvalidCredentials e) { - mAuthority.log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert.getSubjectDN().toString())); + mAuthority.log(ILogger.LL_SECURITY, CMS.getLogMessage( + "CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert + .getSubjectDN().toString())); throw e; } catch (EBaseException e) { - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert.getSubjectDN().toString())); + mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSGW_REMOTE_AUTHORITY_AUTH_FAILURE", peerCert + .getSubjectDN().toString())); throw e; } } - protected IPKIMessage processRequest( - String source, String sourceUserId, IPKIMessage msg, IAuthToken token) - throws EBaseException { + protected IPKIMessage processRequest(String source, String sourceUserId, + IPKIMessage msg, IAuthToken token) throws EBaseException { IPKIMessage replymsg = null; IRequest r = null; IRequestQueue queue = mAuthority.getRequestQueue(); @@ -326,13 +329,14 @@ public class CloneServlet extends CMSServlet { thisreq = queue.findRequest(thisreqid); if (thisreq == null) { // strange case. - String errormsg = "Cannot find request in request queue " + thisreqid; + String errormsg = "Cannot find request in request queue " + + thisreqid; mAuthority.log(ILogger.LL_FAILURE, errormsg); throw new EBaseException(errormsg); } else { - mAuthority.log(ILogger.LL_INFO, - "Found request " + thisreqid + " for " + srcid); + mAuthority.log(ILogger.LL_INFO, "Found request " + thisreqid + + " for " + srcid); replymsg = CMS.getHttpPKIMessage(); replymsg.fromRequest(thisreq); return replymsg; @@ -347,8 +351,7 @@ public class CloneServlet extends CMSServlet { // setting requestor type must come after copy contents. because // requestor is a regular attribute. - thisreq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_RA); + thisreq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_RA); mAuthority.log(ILogger.LL_INFO, "Processing remote request " + srcid); // Set this so that request's updateBy is recorded @@ -362,55 +365,47 @@ public class CloneServlet extends CMSServlet { replymsg = CMS.getHttpPKIMessage(); replymsg.fromRequest(thisreq); - //for audit log + // for audit log String agentID = sourceUserId; - String initiative = AuditFormat.FROMRA + " trustedManagerID: " + - agentID + " remote reqID " + msg.getReqId(); + String initiative = AuditFormat.FROMRA + " trustedManagerID: " + + agentID + " remote reqID " + msg.getReqId(); String authMgr = AuditFormat.NOAUTH; if (token != null) { - authMgr = - token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } - + // Get the certificate info from the request - X509CertInfo certInfo[] = thisreq.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = thisreq + .getExtDataInCertInfoArray(IRequest.CERT_INFO); try { if (!thisreq.getRequestStatus().equals(RequestStatus.COMPLETE)) { if (certInfo != null) { for (int i = 0; i < certInfo.length; i++) { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - thisreq.getRequestStatus(), - certInfo[i].get(X509CertInfo.SUBJECT), - ""} - ); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, AuditFormat.FORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, thisreq.getRequestStatus(), + certInfo[i].get(X509CertInfo.SUBJECT), + "" }); } } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - thisreq.getRequestStatus()} - ); + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.NODNFORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, thisreq.getRequestStatus() }); } } else { - if - (thisreq.getRequestType().equals(IRequest.CLA_CERT4CRL_REQUEST)) { - Integer result = thisreq.getExtDataInInteger(IRequest.RESULT); + if (thisreq.getRequestType().equals( + IRequest.CLA_CERT4CRL_REQUEST)) { + Integer result = thisreq + .getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { CMS.debug("CloneServlet: error in CLA_CERT4CRL_REQUEST"); @@ -420,155 +415,83 @@ public class CloneServlet extends CMSServlet { } } - /* cfu --- - if (thisreq.getRequestType().equals(IRequest.ENROLLMENT_REQUEST)) { - // XXX make the repeat record. - // Get the certificate(s) from the request - X509CertImpl issuedCerts[] = - (X509CertImpl[])thisreq.get(IRequest.ISSUED_CERTS); - // return potentially more than one certificates. - if (issuedCerts != null) { - for (int i = 0; i < issuedCerts.length; i++) { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId() , - initiative , - authMgr , - "completed", - issuedCerts[i].getSubjectDN() , - "cert issued serial number: 0x" + - issuedCerts[i].getSerialNumber().toString(16)} - ); - } - } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId() , - initiative , - authMgr , - "completed"} - ); - } - } else if (thisreq.getRequestType().equals(IRequest.RENEWAL_REQUEST)) { - X509CertImpl[] certs = (X509CertImpl[])thisreq.get(IRequest.OLD_CERTS); - X509CertImpl old_cert = certs[0]; - certs = (X509CertImpl[])thisreq.get(IRequest.ISSUED_CERTS); - X509CertImpl renewed_cert = certs[0]; - if (old_cert != null && renewed_cert != null) { - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative , - authMgr , - "completed", - old_cert.getSubjectDN() , - old_cert.getSerialNumber().toString(16) , - "new serial number: 0x" + - renewed_cert.getSerialNumber().toString(16)} - ); - } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId() , - initiative , - authMgr , - "completed with error"} - ); - } - } else if (thisreq.getRequestType().equals(IRequest.REVOCATION_REQUEST)) { - X509CertImpl[] oldCerts = (X509CertImpl[])thisreq.get(IRequest.OLD_CERTS); - RevokedCertImpl crlentries[] = - (RevokedCertImpl[])thisreq.get(IRequest.REVOKED_CERTS); - CRLExtensions crlExts = crlentries[0].getExtensions(); - int reason = 0; - if (crlExts != null) { - Enumeration enum = crlExts.getElements(); - while(enum.hasMoreElements()){ - Extension ext = (Extension) enum.nextElement(); - if (ext instanceof CRLReasonExtension) { - reason = ((CRLReasonExtension)ext).getReason().toInt - (); - break; - } - } - } - - int count = oldCerts.length; - Integer result = (Integer)thisreq.get(IRequest.RESULT); - if (result.equals(IRequest.RES_ERROR)) { - EBaseException ex = (EBaseException)thisreq.get(IRequest.ERROR); - EBaseException[] svcErrors = - (EBaseException[])thisreq.get(IRequest.SVCERRORS); - if (svcErrors != null && svcErrors.length > 0) { - for (int i = 0; i < svcErrors.length; i++) { - EBaseException err = svcErrors[i]; - if (err != null) { - for (int j = 0; j < count; j++) { - if (oldCerts[j] != null) { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative , - "completed with error: " + - err.toString() , - oldCerts[j].getSubjectDN() , - oldCerts[j].getSerialNumber().toString(16), - RevocationReason.fromInt(reason).toString()} - ); - } - } - } - } - } - } else { - // the success. - for (int j = 0; j < count; j++) { - if (oldCerts[j] != null) { - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative , - "completed" , - oldCerts[j].getSubjectDN() , - oldCerts[j].getSerialNumber().toString(16), - RevocationReason.fromInt(reason).toString()} - ); - } - } - } - } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId() , - initiative , - authMgr , - "completed"} - ); - } - cfu */ + /* + * cfu --- if + * (thisreq.getRequestType().equals(IRequest.ENROLLMENT_REQUEST + * )) { // XXX make the repeat record. // Get the certificate(s) + * from the request X509CertImpl issuedCerts[] = + * (X509CertImpl[])thisreq.get(IRequest.ISSUED_CERTS); // return + * potentially more than one certificates. if (issuedCerts != + * null) { for (int i = 0; i < issuedCerts.length; i++) { + * mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + * AuditFormat.LEVEL, AuditFormat.FORMAT, new Object[] { + * thisreq.getRequestType(), thisreq.getRequestId() , initiative + * , authMgr , "completed", issuedCerts[i].getSubjectDN() , + * "cert issued serial number: 0x" + + * issuedCerts[i].getSerialNumber().toString(16)} ); } } else { + * mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + * AuditFormat.LEVEL, AuditFormat.NODNFORMAT, new Object[] { + * thisreq.getRequestType(), thisreq.getRequestId() , initiative + * , authMgr , "completed"} ); } } else if + * (thisreq.getRequestType().equals(IRequest.RENEWAL_REQUEST)) { + * X509CertImpl[] certs = + * (X509CertImpl[])thisreq.get(IRequest.OLD_CERTS); X509CertImpl + * old_cert = certs[0]; certs = + * (X509CertImpl[])thisreq.get(IRequest.ISSUED_CERTS); + * X509CertImpl renewed_cert = certs[0]; if (old_cert != null && + * renewed_cert != null) { mLogger.log(ILogger.EV_AUDIT, + * ILogger.S_OTHER, AuditFormat.LEVEL, + * AuditFormat.RENEWALFORMAT, new Object[] { + * thisreq.getRequestId(), initiative , authMgr , "completed", + * old_cert.getSubjectDN() , + * old_cert.getSerialNumber().toString(16) , + * "new serial number: 0x" + + * renewed_cert.getSerialNumber().toString(16)} ); } else { + * mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + * AuditFormat.LEVEL, AuditFormat.NODNFORMAT, new Object[] { + * thisreq.getRequestType(), thisreq.getRequestId() , initiative + * , authMgr , "completed with error"} ); } } else if + * (thisreq.getRequestType + * ().equals(IRequest.REVOCATION_REQUEST)) { X509CertImpl[] + * oldCerts = (X509CertImpl[])thisreq.get(IRequest.OLD_CERTS); + * RevokedCertImpl crlentries[] = + * (RevokedCertImpl[])thisreq.get(IRequest.REVOKED_CERTS); + * CRLExtensions crlExts = crlentries[0].getExtensions(); int + * reason = 0; if (crlExts != null) { Enumeration enum = + * crlExts.getElements(); while(enum.hasMoreElements()){ + * Extension ext = (Extension) enum.nextElement(); if (ext + * instanceof CRLReasonExtension) { reason = + * ((CRLReasonExtension)ext).getReason().toInt (); break; } } } + * + * int count = oldCerts.length; Integer result = + * (Integer)thisreq.get(IRequest.RESULT); if + * (result.equals(IRequest.RES_ERROR)) { EBaseException ex = + * (EBaseException)thisreq.get(IRequest.ERROR); EBaseException[] + * svcErrors = + * (EBaseException[])thisreq.get(IRequest.SVCERRORS); if + * (svcErrors != null && svcErrors.length > 0) { for (int i = 0; + * i < svcErrors.length; i++) { EBaseException err = + * svcErrors[i]; if (err != null) { for (int j = 0; j < count; + * j++) { if (oldCerts[j] != null) { + * mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + * AuditFormat.LEVEL, AuditFormat.DOREVOKEFORMAT, new Object[] { + * thisreq.getRequestId(), initiative , "completed with error: " + * + err.toString() , oldCerts[j].getSubjectDN() , + * oldCerts[j].getSerialNumber().toString(16), + * RevocationReason.fromInt(reason).toString()} ); } } } } } } + * else { // the success. for (int j = 0; j < count; j++) { if + * (oldCerts[j] != null) { mLogger.log(ILogger.EV_AUDIT, + * ILogger.S_OTHER, AuditFormat.LEVEL, + * AuditFormat.DOREVOKEFORMAT, new Object[] { + * thisreq.getRequestId(), initiative , "completed" , + * oldCerts[j].getSubjectDN() , + * oldCerts[j].getSerialNumber().toString(16), + * RevocationReason.fromInt(reason).toString()} ); } } } } else + * { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + * AuditFormat.LEVEL, AuditFormat.NODNFORMAT, new Object[] { + * thisreq.getRequestType(), thisreq.getRequestId() , initiative + * , authMgr , "completed"} ); } cfu + */ } } catch (IOException e) { } catch (CertificateException e) { @@ -577,8 +500,8 @@ public class CloneServlet extends CMSServlet { return replymsg; } - protected X509Certificate - getPeerCert(HttpServletRequest req) throws EBaseException { + protected X509Certificate getPeerCert(HttpServletRequest req) + throws EBaseException { return getSSLClientCertificate(req); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java index ad48d18d..0681baca 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java @@ -72,12 +72,10 @@ import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; - /** - * Connector servlet - * process requests from remote authority - - * service request or return status. - * + * Connector servlet process requests from remote authority - service request or + * return status. + * * @version $Revision$, $Date$ */ public class ConnectorServlet extends CMSServlet { @@ -95,14 +93,10 @@ public class ConnectorServlet extends CMSServlet { protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; - private final static String SIGNED_AUDIT_PROTECTION_METHOD_UNKNOWN = - "unknown"; - private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS = - "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; - private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; + private final static String SIGNED_AUDIT_PROTECTION_METHOD_UNKNOWN = "unknown"; + private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS = "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; + private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; private final static byte EOL[] = { Character.LINE_SEPARATOR }; @@ -115,22 +109,19 @@ public class ConnectorServlet extends CMSServlet { String authority = sc.getInitParameter(PROP_AUTHORITY); if (authority != null) - mAuthority = (IAuthority) - CMS.getSubsystem(authority); + mAuthority = (IAuthority) CMS.getSubsystem(authority); mReqEncoder = CMS.getHttpRequestEncoder(); - + mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); } - public void service(HttpServletRequest request, - HttpServletResponse response) - throws ServletException, IOException { + public void service(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { boolean running_state = CMS.isInRunningState(); if (!running_state) - throw new IOException( - "CMS server is not ready to serve."); + throw new IOException("CMS server is not ready to serve."); HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; @@ -163,14 +154,14 @@ public class ConnectorServlet extends CMSServlet { IRequest r = null; IRequest reply = null; - // NOTE must read all bufer before redoing handshake for + // NOTE must read all bufer before redoing handshake for // ssl client auth for client auth to work. // get request method - method = req.getMethod(); + method = req.getMethod(); // get content length - len = request.getContentLength(); + len = request.getContentLength(); // get content, a base 64 encoded serialized request. if (len > 0) { @@ -191,16 +182,16 @@ public class ConnectorServlet extends CMSServlet { } // force client auth handshake, validate RA and get RA's Id. - // NOTE must do this after all contents are read for ssl - // redohandshake to work + // NOTE must do this after all contents are read for ssl + // redohandshake to work X509Certificate peerCert; try { peerCert = getPeerCert(req); - }catch (EBaseException e) { - mAuthority.log(ILogger.LL_SECURITY, - CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT")); + } catch (EBaseException e) { + mAuthority.log(ILogger.LL_SECURITY, + CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT")); resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } @@ -211,7 +202,7 @@ public class ConnectorServlet extends CMSServlet { return; } - // authenticate RA + // authenticate RA String RA_Id = null; String raUserId = null; @@ -231,15 +222,15 @@ public class ConnectorServlet extends CMSServlet { return; } - mAuthority.log(ILogger.LL_INFO, - "Remote Authority authenticated: " + peerCert.getSubjectDN()); + mAuthority.log(ILogger.LL_INFO, "Remote Authority authenticated: " + + peerCert.getSubjectDN()); // authorize AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, token, - mAuthzResourceName, "submit"); + authzToken = authorize(mAclMethod, token, mAuthzResourceName, + "submit"); } catch (Exception e) { // do nothing for now } @@ -265,20 +256,24 @@ public class ConnectorServlet extends CMSServlet { try { // decode request. msg = (IPKIMessage) mReqEncoder.decode(encodedreq); - // process request + // process request replymsg = processRequest(RA_Id, raUserId, msg, token); } catch (IOException e) { CMS.debug("ConnectorServlet: service " + e.toString()); CMS.debug(e); - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString())); + mAuthority.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", + e.toString())); resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; } catch (EBaseException e) { CMS.debug("ConnectorServlet: service " + e.toString()); CMS.debug(e); - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString())); + mAuthority.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", + e.toString())); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } catch (Exception e) { @@ -288,7 +283,7 @@ public class ConnectorServlet extends CMSServlet { CMS.debug("ConnectorServlet: done processRequest"); - // encode reply + // encode reply try { String encodedrep = mReqEncoder.encode(replymsg); @@ -326,10 +321,12 @@ public class ConnectorServlet extends CMSServlet { ByteArrayOutputStream byteStream; try { - info = request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); + info = request + .getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); - // request.set(IEnrollProfile.REQUEST_SEQ_NUM, new Integer("0")); - CertificateX509Key certKey = (CertificateX509Key)info.get(X509CertInfo.KEY); + // request.set(IEnrollProfile.REQUEST_SEQ_NUM, new Integer("0")); + CertificateX509Key certKey = (CertificateX509Key) info + .get(X509CertInfo.KEY); if (certKey != null) { byteStream = new ByteArrayOutputStream(); certKey.encode(byteStream); @@ -337,15 +334,15 @@ public class ConnectorServlet extends CMSServlet { byteStream.toByteArray()); } - CertificateSubjectName certSubject = (CertificateSubjectName) - info.get(X509CertInfo.SUBJECT); + CertificateSubjectName certSubject = (CertificateSubjectName) info + .get(X509CertInfo.SUBJECT); if (certSubject != null) { request.setExtData(IEnrollProfile.REQUEST_SUBJECT_NAME, certSubject); } - CertificateValidity certValidity = (CertificateValidity) - info.get(X509CertInfo.VALIDITY); + CertificateValidity certValidity = (CertificateValidity) info + .get(X509CertInfo.VALIDITY); if (certValidity != null) { byteStream = new ByteArrayOutputStream(); certValidity.encode(byteStream); @@ -353,15 +350,15 @@ public class ConnectorServlet extends CMSServlet { byteStream.toByteArray()); } - CertificateExtensions extensions = (CertificateExtensions) - info.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) info + .get(X509CertInfo.EXTENSIONS); if (extensions != null) { request.setExtData(IEnrollProfile.REQUEST_EXTENSIONS, extensions); } - CertificateAlgorithmId certAlg = (CertificateAlgorithmId) - info.get(X509CertInfo.ALGORITHM_ID); + CertificateAlgorithmId certAlg = (CertificateAlgorithmId) info + .get(X509CertInfo.ALGORITHM_ID); if (certAlg != null) { ByteArrayOutputStream certAlgOut = new ByteArrayOutputStream(); certAlg.encode(certAlgOut); @@ -369,16 +366,14 @@ public class ConnectorServlet extends CMSServlet { certAlgOut.toByteArray()); } } catch (Exception e) { - CMS.debug("ConnectorServlet: profile normalization " + - e.toString()); + CMS.debug("ConnectorServlet: profile normalization " + e.toString()); } String profileId = request.getExtDataInString("profileId"); - IProfileSubsystem ps = (IProfileSubsystem) - CMS.getSubsystem("profile"); + IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem("profile"); IEnrollProfile profile = null; - // profile subsystem may not be available. In case of KRA for + // profile subsystem may not be available. In case of KRA for // example if (ps == null) { CMS.debug("ConnectorServlet: Profile Subsystem not found "); @@ -388,7 +383,8 @@ public class ConnectorServlet extends CMSServlet { profile = (IEnrollProfile) (ps.getProfile(profileId)); profile.setDefaultCertInfo(request); } catch (EProfileException e) { - CMS.debug("ConnectorServlet: normalizeProfileRequest Exception: " + e.toString()); + CMS.debug("ConnectorServlet: normalizeProfileRequest Exception: " + + e.toString()); } if (profile == null) { CMS.debug("ConnectorServlet: Profile not found " + profileId); @@ -399,15 +395,15 @@ public class ConnectorServlet extends CMSServlet { /** * Process request * <P> - * + * * (Certificate Request - all "agent" profile cert requests made through a - * connector) + * connector) * <P> - * - * (Certificate Request Processed - all automated "agent" profile based - * cert acceptance made through a connector) + * + * (Certificate Request Processed - all automated "agent" profile based cert + * acceptance made through a connector) * <P> - * + * * <ul> * <li>signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST used when a * profile cert request is made (before approval process) @@ -417,6 +413,7 @@ public class ConnectorServlet extends CMSServlet { * inter-CIMC_Boundary data transfer is successful (this is used when data * does not need to be captured) * </ul> + * * @param source string containing source * @param sourceUserId string containing source user ID * @param msg PKI message @@ -424,9 +421,8 @@ public class ConnectorServlet extends CMSServlet { * @exception EBaseException an error has occurred * @return PKI message */ - protected IPKIMessage processRequest( - String source, String sourceUserId, IPKIMessage msg, IAuthToken token) - throws EBaseException { + protected IPKIMessage processRequest(String source, String sourceUserId, + IPKIMessage msg, IAuthToken token) throws EBaseException { String auditMessage = null; String auditSubjectID = sourceUserId; String auditProtectionMethod = SIGNED_AUDIT_PROTECTION_METHOD_SSL; @@ -476,50 +472,45 @@ public class ConnectorServlet extends CMSServlet { thisreq = queue.findRequest(thisreqid); if (thisreq == null) { // strange case. - String errormsg = "Cannot find request in request queue " + - thisreqid; + String errormsg = "Cannot find request in request queue " + + thisreqid; - mAuthority.log(ILogger.LL_FAILURE, - CMS.getLogMessage( + mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage( "CMSGW_REQUEST_ID_NOT_FOUND_1", thisreqid.toString())); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.FAILURE, + auditProtectionMethod, auditRequestType, + auditRequesterID); audit(auditMessage); - // NOTE: The signed audit event - // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - // does not yet matter at this point! + // NOTE: The signed audit event + // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + // does not yet matter at this point! throw new EBaseException(errormsg); } else { - mAuthority.log(ILogger.LL_INFO, - "Found request " + thisreqid + " for " + srcid); + mAuthority.log(ILogger.LL_INFO, "Found request " + + thisreqid + " for " + srcid); replymsg = CMS.getHttpPKIMessage(); replymsg.fromRequest(thisreq); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.SUCCESS, + auditProtectionMethod, auditRequestType, + auditRequesterID); audit(auditMessage); - // NOTE: The signed audit event - // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - // does not yet matter at this point! + // NOTE: The signed audit event + // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + // does not yet matter at this point! return replymsg; } @@ -527,77 +518,67 @@ public class ConnectorServlet extends CMSServlet { // if not found process request. thisreq = queue.newRequest(msg.getReqType()); - CMS.debug("ConnectorServlet: created requestId=" + - thisreq.getRequestId().toString()); + CMS.debug("ConnectorServlet: created requestId=" + + thisreq.getRequestId().toString()); thisreq.setSourceId(srcid); - // NOTE: For the following signed audit message, since we only - // care about the "msg.toRequest( thisreq );" command, and - // since this command does not throw an EBaseException - // (which is the only exception designated by this method), - // then this code does NOT need to be contained within its - // own special try/catch block. - msg.toRequest( thisreq ); + // NOTE: For the following signed audit message, since we only + // care about the "msg.toRequest( thisreq );" command, and + // since this command does not throw an EBaseException + // (which is the only exception designated by this method), + // then this code does NOT need to be contained within its + // own special try/catch block. + msg.toRequest(thisreq); - if( isProfileRequest( thisreq ) ) { - X509CertInfo info = - thisreq.getExtDataInCertInfo( - IEnrollProfile.REQUEST_CERTINFO ); + if (isProfileRequest(thisreq)) { + X509CertInfo info = thisreq + .getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); try { - CertificateSubjectName sn = ( CertificateSubjectName ) - info.get( X509CertInfo.SUBJECT ); + CertificateSubjectName sn = (CertificateSubjectName) info + .get(X509CertInfo.SUBJECT); // if the cert subject name is NOT MISSING, retrieve the // actual "auditCertificateSubjectName" and "normalize" // it - if( sn != null ) { + if (sn != null) { subject = sn.toString(); - if( subject != null ) { - // NOTE: This is ok even if the cert subject - // name is "" (empty)! + if (subject != null) { + // NOTE: This is ok even if the cert subject + // name is "" (empty)! auditCertificateSubjectName = subject.trim(); } } // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditProfileID(), - auditCertificateSubjectName ); - - audit( auditMessage ); - } catch( CertificateException e ) { - CMS.debug( "ConnectorServlet: processRequest " - + e.toString() ); + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, ILogger.SUCCESS, auditRequesterID, + auditProfileID(), auditCertificateSubjectName); + + audit(auditMessage); + } catch (CertificateException e) { + CMS.debug("ConnectorServlet: processRequest " + + e.toString()); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditProfileID(), - auditCertificateSubjectName ); - - audit( auditMessage ); - } catch( IOException e ) { - CMS.debug( "ConnectorServlet: processRequest " - + e.toString() ); + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, ILogger.FAILURE, auditRequesterID, + auditProfileID(), auditCertificateSubjectName); + + audit(auditMessage); + } catch (IOException e) { + CMS.debug("ConnectorServlet: processRequest " + + e.toString()); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditProfileID(), - auditCertificateSubjectName ); - - audit( auditMessage ); + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, ILogger.FAILURE, auditRequesterID, + auditProfileID(), auditCertificateSubjectName); + + audit(auditMessage); } } @@ -605,10 +586,9 @@ public class ConnectorServlet extends CMSServlet { // setting requestor type must come after copy contents. because // requestor is a regular attribute. - thisreq.setExtData(IRequest.REQUESTOR_TYPE, - IRequest.REQUESTOR_RA); - mAuthority.log(ILogger.LL_INFO, "Processing remote request " + - srcid); + thisreq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_RA); + mAuthority.log(ILogger.LL_INFO, "Processing remote request " + + srcid); // Set this so that request's updateBy is recorded SessionContext s = SessionContext.getContext(); @@ -621,53 +601,53 @@ public class ConnectorServlet extends CMSServlet { s.put(SessionContext.REQUESTER_ID, msg.getReqId()); } - CMS.debug("ConnectorServlet: calling processRequest instance=" + - thisreq); + CMS.debug("ConnectorServlet: calling processRequest instance=" + + thisreq); if (isProfileRequest(thisreq)) { normalizeProfileRequest(thisreq); } try { - queue.processRequest( thisreq ); + queue.processRequest(thisreq); - if( isProfileRequest( thisreq ) ) { + if (isProfileRequest(thisreq)) { // reset the "auditInfoCertValue" - auditInfoCertValue = auditInfoCertValue( thisreq ); + auditInfoCertValue = auditInfoCertValue(thisreq); - if( auditInfoCertValue != null ) { - if( !( auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE ) ) ) { + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue + .equals(ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue ); - - audit( auditMessage ); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue); + + audit(auditMessage); } } } - } catch( EBaseException eAudit1 ) { - if( isProfileRequest( thisreq ) ) { + } catch (EBaseException eAudit1) { + if (isProfileRequest(thisreq)) { // reset the "auditInfoCertValue" - auditInfoCertValue = auditInfoCertValue( thisreq ); + auditInfoCertValue = auditInfoCertValue(thisreq); - if( auditInfoCertValue != null ) { - if( !( auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE ) ) ) { + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue + .equals(ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue ); - - audit( auditMessage ); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue); + + audit(auditMessage); } } } @@ -680,158 +660,146 @@ public class ConnectorServlet extends CMSServlet { replymsg = CMS.getHttpPKIMessage(); replymsg.fromRequest(thisreq); - CMS.debug("ConnectorServlet: replymsg.reqStatus=" + - replymsg.getReqStatus()); + CMS.debug("ConnectorServlet: replymsg.reqStatus=" + + replymsg.getReqStatus()); - //for audit log + // for audit log String agentID = sourceUserId; - String initiative = AuditFormat.FROMRA + " trustedManagerID: " + - agentID + " remote reqID " + msg.getReqId(); + String initiative = AuditFormat.FROMRA + " trustedManagerID: " + + agentID + " remote reqID " + msg.getReqId(); String authMgr = AuditFormat.NOAUTH; if (token != null) { - authMgr = - token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } if (isProfileRequest(thisreq)) { // XXX audit log - CMS.debug("ConnectorServlet: done requestId=" + - thisreq.getRequestId().toString()); + CMS.debug("ConnectorServlet: done requestId=" + + thisreq.getRequestId().toString()); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.SUCCESS, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); - // NOTE: The signed audit event - // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - // has already been logged at this point! + // NOTE: The signed audit event + // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + // has already been logged at this point! return replymsg; } // Get the certificate info from the request - X509CertInfo x509Info[] = thisreq.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo x509Info[] = thisreq + .getExtDataInCertInfoArray(IRequest.CERT_INFO); try { if (!thisreq.getRequestStatus().equals(RequestStatus.COMPLETE)) { if (x509Info != null) { for (int i = 0; i < x509Info.length; i++) { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - thisreq.getRequestStatus(), - x509Info[i].get(X509CertInfo.SUBJECT), - ""} - ); + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { + thisreq.getRequestType(), + thisreq.getRequestId(), + initiative, + authMgr, + thisreq.getRequestStatus(), + x509Info[i] + .get(X509CertInfo.SUBJECT), + "" }); } } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - thisreq.getRequestStatus()} - ); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, AuditFormat.NODNFORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, thisreq.getRequestStatus() }); } } else { - if (thisreq.getRequestType().equals(IRequest.ENROLLMENT_REQUEST)) { + if (thisreq.getRequestType().equals( + IRequest.ENROLLMENT_REQUEST)) { // XXX make the repeat record. // Get the certificate(s) from the request X509CertImpl x509Certs[] = null; if (x509Info != null) - x509Certs = - thisreq.getExtDataInCertArray(IRequest.ISSUED_CERTS); + x509Certs = thisreq + .getExtDataInCertArray(IRequest.ISSUED_CERTS); - // return potentially more than one certificates. + // return potentially more than one certificates. if (x509Certs != null) { for (int i = 0; i < x509Certs.length; i++) { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - "completed", - x509Certs[i].getSubjectDN(), - "cert issued serial number: 0x" + - x509Certs[i].getSerialNumber().toString(16)} - ); + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { + thisreq.getRequestType(), + thisreq.getRequestId(), + initiative, + authMgr, + "completed", + x509Certs[i].getSubjectDN(), + "cert issued serial number: 0x" + + x509Certs[i] + .getSerialNumber() + .toString(16) }); } } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - "completed"} - ); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, AuditFormat.NODNFORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, "completed" }); } - } else if (thisreq.getRequestType().equals(IRequest.RENEWAL_REQUEST)) { - X509CertImpl[] certs = - thisreq.getExtDataInCertArray(IRequest.OLD_CERTS); + } else if (thisreq.getRequestType().equals( + IRequest.RENEWAL_REQUEST)) { + X509CertImpl[] certs = thisreq + .getExtDataInCertArray(IRequest.OLD_CERTS); X509CertImpl old_cert = certs[0]; - certs = thisreq.getExtDataInCertArray(IRequest.ISSUED_CERTS); + certs = thisreq + .getExtDataInCertArray(IRequest.ISSUED_CERTS); X509CertImpl renewed_cert = certs[0]; if (old_cert != null && renewed_cert != null) { mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.RENEWALFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative, - authMgr, - "completed", - old_cert.getSubjectDN(), - old_cert.getSerialNumber().toString(16), - "new serial number: 0x" + - renewed_cert.getSerialNumber().toString(16)} - ); + AuditFormat.LEVEL, + AuditFormat.RENEWALFORMAT, + new Object[] { + thisreq.getRequestId(), + initiative, + authMgr, + "completed", + old_cert.getSubjectDN(), + old_cert.getSerialNumber() + .toString(16), + "new serial number: 0x" + + renewed_cert + .getSerialNumber() + .toString(16) }); } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - "completed with error"} - ); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, AuditFormat.NODNFORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, "completed with error" }); } - } else if (thisreq.getRequestType().equals(IRequest.REVOCATION_REQUEST)) { - Certificate[] oldCerts = - thisreq.getExtDataInCertArray(IRequest.OLD_CERTS); - RevokedCertImpl crlentries[] = - thisreq.getExtDataInRevokedCertArray(IRequest.REVOKED_CERTS); + } else if (thisreq.getRequestType().equals( + IRequest.REVOCATION_REQUEST)) { + Certificate[] oldCerts = thisreq + .getExtDataInCertArray(IRequest.OLD_CERTS); + RevokedCertImpl crlentries[] = thisreq + .getExtDataInRevokedCertArray(IRequest.REVOKED_CERTS); CRLExtensions crlExts = crlentries[0].getExtensions(); int reason = 0; @@ -842,18 +810,20 @@ public class ConnectorServlet extends CMSServlet { Extension ext = (Extension) enum1.nextElement(); if (ext instanceof CRLReasonExtension) { - reason = ((CRLReasonExtension) ext).getReason().toInt(); + reason = ((CRLReasonExtension) ext) + .getReason().toInt(); break; } } } int count = oldCerts.length; - Integer result = thisreq.getExtDataInInteger(IRequest.RESULT); + Integer result = thisreq + .getExtDataInInteger(IRequest.RESULT); if (result.equals(IRequest.RES_ERROR)) { - String[] svcErrors = - thisreq.getExtDataInStringArray(IRequest.SVCERRORS); + String[] svcErrors = thisreq + .getExtDataInStringArray(IRequest.SVCERRORS); if (svcErrors != null && svcErrors.length > 0) { for (int i = 0; i < svcErrors.length; i++) { @@ -865,19 +835,24 @@ public class ConnectorServlet extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative, - "completed with error: " + - err, - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason).toString()} - ); + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + thisreq.getRequestId(), + initiative, + "completed with error: " + + err, + cert.getSubjectDN(), + cert.getSerialNumber() + .toString( + 16), + RevocationReason + .fromInt( + reason) + .toString() }); } } } @@ -891,44 +866,39 @@ public class ConnectorServlet extends CMSServlet { if (oldCerts[j] instanceof X509CertImpl) { X509CertImpl cert = (X509CertImpl) oldCerts[j]; - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.DOREVOKEFORMAT, - new Object[] { - thisreq.getRequestId(), - initiative, - "completed", - cert.getSubjectDN(), - cert.getSerialNumber().toString(16), - RevocationReason.fromInt(reason).toString()} - ); + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + AuditFormat.DOREVOKEFORMAT, + new Object[] { + thisreq.getRequestId(), + initiative, + "completed", + cert.getSubjectDN(), + cert.getSerialNumber() + .toString(16), + RevocationReason + .fromInt(reason) + .toString() }); } } } } } else { - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_OTHER, - AuditFormat.LEVEL, - AuditFormat.NODNFORMAT, - new Object[] { - thisreq.getRequestType(), - thisreq.getRequestId(), - initiative, - authMgr, - "completed"} - ); + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, AuditFormat.NODNFORMAT, + new Object[] { thisreq.getRequestType(), + thisreq.getRequestId(), initiative, + authMgr, "completed" }); } } // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.SUCCESS, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); } catch (IOException e) { @@ -936,12 +906,9 @@ public class ConnectorServlet extends CMSServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.FAILURE, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); } catch (CertificateException e) { @@ -949,12 +916,9 @@ public class ConnectorServlet extends CMSServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.FAILURE, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); } catch (Exception e) { @@ -962,46 +926,40 @@ public class ConnectorServlet extends CMSServlet { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.FAILURE, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); } finally { SessionContext.releaseContext(); } - // NOTE: The signed audit event - // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - // has already been logged at this point! + // NOTE: The signed audit event + // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + // has already been logged at this point! return replymsg; } catch (EBaseException e) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, - auditRequestType, - auditRequesterID); + LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, + auditSubjectID, ILogger.FAILURE, auditProtectionMethod, + auditRequestType, auditRequesterID); audit(auditMessage); - // NOTE: The signed audit event - // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - // has either already been logged, or - // does not yet matter at this point! + // NOTE: The signed audit event + // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + // has either already been logged, or + // does not yet matter at this point! return replymsg; } } - protected X509Certificate - getPeerCert(HttpServletRequest req) throws EBaseException { + protected X509Certificate getPeerCert(HttpServletRequest req) + throws EBaseException { return getSSLClientCertificate(req); } @@ -1011,11 +969,11 @@ public class ConnectorServlet extends CMSServlet { /** * Signed Audit Log - * - * This method is inherited by all extended "CMSServlet"s, - * and is called to store messages to the signed audit log. + * + * This method is inherited by all extended "CMSServlet"s, and is called to + * store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ protected void audit(String msg) { @@ -1026,21 +984,17 @@ public class ConnectorServlet extends CMSServlet { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } /** * Signed Audit Log Profile ID - * - * This method is inherited by all extended "EnrollProfile"s, - * and is called to obtain the "ProfileID" for - * a signed audit log message. + * + * This method is inherited by all extended "EnrollProfile"s, and is called + * to obtain the "ProfileID" for a signed audit log message. * <P> - * + * * @return id string containing the signed audit log message ProfileID */ protected String auditProfileID() { @@ -1062,11 +1016,11 @@ public class ConnectorServlet extends CMSServlet { /** * Signed Audit Log Info Certificate Value - * + * * This method is called to obtain the certificate from the passed in * "X509CertImpl" for a signed audit log message. * <P> - * + * * @param request a Request containing an X509CertImpl * @return cert string containing the certificate */ @@ -1076,8 +1030,8 @@ public class ConnectorServlet extends CMSServlet { return null; } - X509CertImpl x509cert = request.getExtDataInCert( - IEnrollProfile.REQUEST_ISSUED_CERT); + X509CertImpl x509cert = request + .getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); if (x509cert == null) { return ILogger.SIGNED_AUDIT_EMPTY_VALUE; @@ -1122,4 +1076,3 @@ public class ConnectorServlet extends CMSServlet { } } } - diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java index 2a024c3a..27b5200b 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java @@ -40,17 +40,14 @@ import com.netscape.certsrv.request.IRequestQueue; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; - - /** - * GenerateKeyPairServlet - * handles "server-side key pair generation" requests from the - * netkey RA. - * + * GenerateKeyPairServlet handles "server-side key pair generation" requests + * from the netkey RA. + * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ -//XXX add auditing later +// XXX add auditing later public class GenerateKeyPairServlet extends CMSServlet { /** @@ -68,7 +65,7 @@ public class GenerateKeyPairServlet extends CMSServlet { /** * Constructs GenerateKeyPair servlet. - * + * */ public GenerateKeyPairServlet() { super(); @@ -80,37 +77,30 @@ public class GenerateKeyPairServlet extends CMSServlet { String authority = config.getInitParameter(PROP_AUTHORITY); if (authority != null) - mAuthority = (IAuthority) - CMS.getSubsystem(authority); - + mAuthority = (IAuthority) CMS.getSubsystem(authority); + mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); } /** * Returns serlvet information. - * + * * @return name of this servlet */ - public String getServletInfo() { - return INFO; + public String getServletInfo() { + return INFO; } /* - * processServerSideKeyGen - - * handles netkey DRM serverside keygen. - * netkey operations: - * 1. generate keypair (archive user priv key) - * 2. unwrap des key with transport key, then url decode it - * 3. wrap user priv key with des key - * 4. send the following to RA: - * * des key wrapped(user priv key) - * * user public key - * (note: RA should have kek-wrapped des key from TKS) - * * recovery blob (used for recovery) + * processServerSideKeyGen - handles netkey DRM serverside keygen. netkey + * operations: 1. generate keypair (archive user priv key) 2. unwrap des key + * with transport key, then url decode it 3. wrap user priv key with des key + * 4. send the following to RA: * des key wrapped(user priv key) * user + * public key (note: RA should have kek-wrapped des key from TKS) * recovery + * blob (used for recovery) */ private void processServerSideKeyGen(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException - { + HttpServletResponse resp) throws EBaseException { IRequestQueue queue = mAuthority.getRequestQueue(); IRequest thisreq = null; @@ -123,8 +113,8 @@ public class GenerateKeyPairServlet extends CMSServlet { String rCUID = req.getParameter("CUID"); String rUserid = req.getParameter("userid"); String rdesKeyString = req.getParameter("drm_trans_desKey"); - String rArchive = req.getParameter("archive"); - String rKeysize = req.getParameter("keysize"); + String rArchive = req.getParameter("archive"); + String rKeysize = req.getParameter("keysize"); if ((rCUID == null) || (rCUID.equals(""))) { CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): missing request parameter: CUID"); @@ -136,19 +126,18 @@ public class GenerateKeyPairServlet extends CMSServlet { missingParam = true; } - if ((rKeysize == null) || (rKeysize.equals(""))) { - rKeysize = "1024"; // default to 1024 - } + if ((rKeysize == null) || (rKeysize.equals(""))) { + rKeysize = "1024"; // default to 1024 + } - if ((rdesKeyString == null) || - (rdesKeyString.equals(""))) { + if ((rdesKeyString == null) || (rdesKeyString.equals(""))) { CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): missing request parameter: DRM-transportKey-wrapped DES key"); missingParam = true; } if ((rArchive == null) || (rArchive.equals(""))) { CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): missing key archival flag 'archive' ,default to true"); - rArchive = "true"; + rArchive = "true"; } String selectedToken = null; @@ -156,21 +145,23 @@ public class GenerateKeyPairServlet extends CMSServlet { if (!missingParam) { thisreq = queue.newRequest(IRequest.NETKEY_KEYGEN_REQUEST); - thisreq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_NETKEY_RA); + thisreq.setExtData(IRequest.REQUESTOR_TYPE, + IRequest.REQUESTOR_NETKEY_RA); thisreq.setExtData(IRequest.NETKEY_ATTR_CUID, rCUID); thisreq.setExtData(IRequest.NETKEY_ATTR_USERID, rUserid); - thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, rdesKeyString); - thisreq.setExtData(IRequest.NETKEY_ATTR_ARCHIVE_FLAG, rArchive); - thisreq.setExtData(IRequest.NETKEY_ATTR_KEY_SIZE, rKeysize); + thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, + rdesKeyString); + thisreq.setExtData(IRequest.NETKEY_ATTR_ARCHIVE_FLAG, rArchive); + thisreq.setExtData(IRequest.NETKEY_ATTR_KEY_SIZE, rKeysize); - queue.processRequest( thisreq ); + queue.processRequest(thisreq); Integer result = thisreq.getExtDataInInteger(IRequest.RESULT); if (result != null) { - // sighs! tps thinks 0 is good, and DRM thinks 1 is good - if (result.intValue() == 1) - status = "0"; - else - status = result.toString(); + // sighs! tps thinks 0 is good, and DRM thinks 1 is good + if (result.intValue() == 1) + status = "0"; + else + status = result.toString(); } else status = "7"; @@ -184,40 +175,40 @@ public class GenerateKeyPairServlet extends CMSServlet { String wrappedPrivKeyString = ""; String publicKeyString = ""; - if( thisreq == null ) { - CMS.debug( "GenerateKeyPairServlet::processServerSideKeyGen() - " - + "thisreq is null!" ); - throw new EBaseException( "thisreq is null" ); + if (thisreq == null) { + CMS.debug("GenerateKeyPairServlet::processServerSideKeyGen() - " + + "thisreq is null!"); + throw new EBaseException("thisreq is null"); } publicKeyString = thisreq.getExtDataInString("public_key"); wrappedPrivKeyString = thisreq.getExtDataInString("wrappedUserPrivate"); - String ivString = thisreq.getExtDataInString("iv_s"); + String ivString = thisreq.getExtDataInString("iv_s"); /* - if (selectedToken == null) - status = "4"; - */ - if (!status.equals("0")) - value = "status="+status; + * if (selectedToken == null) status = "4"; + */ + if (!status.equals("0")) + value = "status=" + status; else { StringBuffer sb = new StringBuffer(); sb.append("status=0&"); - sb.append("wrapped_priv_key="); - sb.append(wrappedPrivKeyString); - sb.append("&iv_param="); - sb.append(ivString); + sb.append("wrapped_priv_key="); + sb.append(wrappedPrivKeyString); + sb.append("&iv_param="); + sb.append(ivString); sb.append("&public_key="); - sb.append(publicKeyString); + sb.append(publicKeyString); value = sb.toString(); } - CMS.debug("processServerSideKeyGen:outputString.encode " +value); + CMS.debug("processServerSideKeyGen:outputString.encode " + value); - try{ + try { resp.setContentLength(value.length()); - CMS.debug("GenerateKeyPairServlet:outputString.length " +value.length()); + CMS.debug("GenerateKeyPairServlet:outputString.length " + + value.length()); OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -227,20 +218,14 @@ public class GenerateKeyPairServlet extends CMSServlet { } } - - /* - - * For GenerateKeyPair: - * - * input: - * CUID=value0 - * trans-wrapped-desKey=value1 - * - * output: - * status=value0 - * publicKey=value1 - * desKey-wrapped-userPrivateKey=value2 - * proofOfArchival=value3 + /* + * + * For GenerateKeyPair: + * + * input: CUID=value0 trans-wrapped-desKey=value1 + * + * output: status=value0 publicKey=value1 + * desKey-wrapped-userPrivateKey=value2 proofOfArchival=value3 */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -251,14 +236,14 @@ public class GenerateKeyPairServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "execute"); + authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, + "execute"); } catch (Exception e) { } if (authzToken == null) { - try{ + try { resp.setContentType("text/html"); String value = "unauthorized="; CMS.debug("GenerateKeyPairServlet: Unauthorized"); @@ -268,7 +253,7 @@ public class GenerateKeyPairServlet extends CMSServlet { ooss.write(value.getBytes()); ooss.flush(); mRenderResult = false; - }catch (Exception e) { + } catch (Exception e) { CMS.debug("GenerateKeyPairServlet: " + e.toString()); } @@ -277,28 +262,28 @@ public class GenerateKeyPairServlet extends CMSServlet { } // begin Netkey serverSideKeyGen and archival - CMS.debug("GenerateKeyPairServlet: processServerSideKeyGen would be called"); - processServerSideKeyGen(req, resp); - return; + CMS.debug("GenerateKeyPairServlet: processServerSideKeyGen would be called"); + processServerSideKeyGen(req, resp); + return; // end Netkey functions } - /** XXX remember tocheck peer SSL cert and get RA id later - * + /** + * XXX remember tocheck peer SSL cert and get RA id later + * * Serves HTTP admin request. - * + * * @param req HTTP request * @param resp HTTP response */ public void service(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { + throws ServletException, IOException { String scope = req.getParameter(Constants.OP_SCOPE); String op = req.getParameter(Constants.OP_TYPE); - super.service(req, resp); + super.service(req, resp); - } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java index fa454bd6..0c67eaf1 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java @@ -39,16 +39,14 @@ import com.netscape.certsrv.request.IRequestQueue; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; - /** - * TokenKeyRecoveryServlet - * handles "key recovery service" requests from the + * TokenKeyRecoveryServlet handles "key recovery service" requests from the * netkey TPS - * + * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ -//XXX add auditing later +// XXX add auditing later public class TokenKeyRecoveryServlet extends CMSServlet { /** @@ -65,7 +63,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet { /** * Constructs TokenKeyRecovery servlet. - * + * */ public TokenKeyRecoveryServlet() { super(); @@ -77,27 +75,26 @@ public class TokenKeyRecoveryServlet extends CMSServlet { String authority = config.getInitParameter(PROP_AUTHORITY); if (authority != null) - mAuthority = (IAuthority) - CMS.getSubsystem(authority); - + mAuthority = (IAuthority) CMS.getSubsystem(authority); + mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); } /** * Returns serlvet information. - * + * * @return name of this servlet */ - public String getServletInfo() { - return INFO; + public String getServletInfo() { + return INFO; } - /** + /** * Process the HTTP request. - * + * * @param s The URL to decode */ - protected String URLdecode(String s) { + protected String URLdecode(String s) { if (s == null) return null; ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); @@ -117,39 +114,30 @@ public class TokenKeyRecoveryServlet extends CMSServlet { } } // end for return out.toString(); - } + } /* - * processTokenKeyRecovery - * handles netkey key recovery requests - * input params are: - * CUID - the CUID of the old token where the keys/certs were initially for - * userid - the userid that belongs to both the old token and the new token - * drm_trans_desKey - the des key generated for the NEW token - * wrapped with DRM transport key - * cert - the user cert corresponding to the key to be recovered - * - * operations: - * 1. unwrap des key with transport key, then url decode it - * 2. retrieve user private key - * 3. wrap user priv key with des key - * 4. send the following to RA: - * * des key wrapped(user priv key) - * (note: RA should have kek-wrapped des key from TKS) - * * recovery blob (used for recovery) - * - * output params are: - * status=value0 - * publicKey=value1 - * desKey-wrapped-userPrivateKey=value2 + * processTokenKeyRecovery handles netkey key recovery requests input params + * are: CUID - the CUID of the old token where the keys/certs were initially + * for userid - the userid that belongs to both the old token and the new + * token drm_trans_desKey - the des key generated for the NEW token wrapped + * with DRM transport key cert - the user cert corresponding to the key to + * be recovered + * + * operations: 1. unwrap des key with transport key, then url decode it 2. + * retrieve user private key 3. wrap user priv key with des key 4. send the + * following to RA: * des key wrapped(user priv key) (note: RA should have + * kek-wrapped des key from TKS) * recovery blob (used for recovery) + * + * output params are: status=value0 publicKey=value1 + * desKey-wrapped-userPrivateKey=value2 */ private void processTokenKeyRecovery(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException - { + HttpServletResponse resp) throws EBaseException { IRequestQueue queue = mAuthority.getRequestQueue(); IRequest thisreq = null; - - // IConfigStore sconfig = CMS.getConfigStore(); + + // IConfigStore sconfig = CMS.getConfigStore(); boolean missingParam = false; String status = "0"; @@ -158,7 +146,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet { String rCUID = req.getParameter("CUID"); String rUserid = req.getParameter("userid"); String rdesKeyString = req.getParameter("drm_trans_desKey"); - String rCert = req.getParameter("cert"); + String rCert = req.getParameter("cert"); if ((rCUID == null) || (rCUID.equals(""))) { CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: CUID"); @@ -170,8 +158,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet { missingParam = true; } - if ((rdesKeyString == null) || - (rdesKeyString.equals(""))) { + if ((rdesKeyString == null) || (rdesKeyString.equals(""))) { CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: DRM-transportKey-wrapped des key"); missingParam = true; } @@ -186,24 +173,26 @@ public class TokenKeyRecoveryServlet extends CMSServlet { if (!missingParam) { thisreq = queue.newRequest(IRequest.NETKEY_KEYRECOVERY_REQUEST); - thisreq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_NETKEY_RA); + thisreq.setExtData(IRequest.REQUESTOR_TYPE, + IRequest.REQUESTOR_NETKEY_RA); thisreq.setExtData(IRequest.NETKEY_ATTR_CUID, rCUID); thisreq.setExtData(IRequest.NETKEY_ATTR_USERID, rUserid); - thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, rdesKeyString); + thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, + rdesKeyString); thisreq.setExtData(IRequest.NETKEY_ATTR_USER_CERT, rCert); - //XXX auto process for netkey - queue.processRequest( thisreq ); - // IService svc = (IService) new TokenKeyRecoveryService(kra); - // svc.serviceRequest(thisreq); + // XXX auto process for netkey + queue.processRequest(thisreq); + // IService svc = (IService) new TokenKeyRecoveryService(kra); + // svc.serviceRequest(thisreq); Integer result = thisreq.getExtDataInInteger(IRequest.RESULT); if (result != null) { - // sighs! tps thinks 0 is good, and drm thinks 1 is good - if (result.intValue() == 1) - status ="0"; - else - status = result.toString(); + // sighs! tps thinks 0 is good, and drm thinks 1 is good + if (result.intValue() == 1) + status = "0"; + else + status = result.toString(); } else status = "7"; @@ -218,25 +207,25 @@ public class TokenKeyRecoveryServlet extends CMSServlet { String wrappedPrivKeyString = ""; String publicKeyString = ""; String ivString = ""; - /* if is RECOVERY_PROTOTYPE - String recoveryBlobString = ""; - - IKeyRecord kr = (IKeyRecord) thisreq.get("keyRecord"); - byte publicKey_b[] = kr.getPublicKeyData(); - - BigInteger serialNo = kr.getSerialNumber(); - - String serialNumberString = - com.netscape.cmsutil.util.Utils.SpecialEncode(serialNo.toByteArray()); - - recoveryBlobString = (String) - thisreq.get("recoveryBlob"); - */ - - if( thisreq == null ) { - CMS.debug( "TokenKeyRecoveryServlet::processTokenKeyRecovery() - " - + "thisreq is null!" ); - throw new EBaseException( "thisreq is null" ); + /* + * if is RECOVERY_PROTOTYPE String recoveryBlobString = ""; + * + * IKeyRecord kr = (IKeyRecord) thisreq.get("keyRecord"); byte + * publicKey_b[] = kr.getPublicKeyData(); + * + * BigInteger serialNo = kr.getSerialNumber(); + * + * String serialNumberString = + * com.netscape.cmsutil.util.Utils.SpecialEncode + * (serialNo.toByteArray()); + * + * recoveryBlobString = (String) thisreq.get("recoveryBlob"); + */ + + if (thisreq == null) { + CMS.debug("TokenKeyRecoveryServlet::processTokenKeyRecovery() - " + + "thisreq is null!"); + throw new EBaseException("thisreq is null"); } publicKeyString = thisreq.getExtDataInString("public_key"); @@ -244,11 +233,10 @@ public class TokenKeyRecoveryServlet extends CMSServlet { ivString = thisreq.getExtDataInString("iv_s"); /* - if (selectedToken == null) - status = "4"; - */ - if (!status.equals("0")) - value = "status="+status; + * if (selectedToken == null) status = "4"; + */ + if (!status.equals("0")) + value = "status=" + status; else { StringBuffer sb = new StringBuffer(); sb.append("status=0&"); @@ -259,13 +247,14 @@ public class TokenKeyRecoveryServlet extends CMSServlet { sb.append("&iv_param="); sb.append(ivString); value = sb.toString(); - + } - CMS.debug("ProcessTokenKeyRecovery:outputString.encode " +value); + CMS.debug("ProcessTokenKeyRecovery:outputString.encode " + value); - try{ + try { resp.setContentLength(value.length()); - CMS.debug("TokenKeyRecoveryServlet:outputString.length " +value.length()); + CMS.debug("TokenKeyRecoveryServlet:outputString.length " + + value.length()); OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -275,19 +264,13 @@ public class TokenKeyRecoveryServlet extends CMSServlet { } } - - /* - * For TokenKeyRecovery - * - * input: - * CUID=value0 - * trans-wrapped-desKey=value1 - * - * output: - * status=value0 - * publicKey=value1 - * desKey-wrapped-userPrivateKey=value2 - * proofOfArchival=value3 + /* + * For TokenKeyRecovery + * + * input: CUID=value0 trans-wrapped-desKey=value1 + * + * output: status=value0 publicKey=value1 + * desKey-wrapped-userPrivateKey=value2 proofOfArchival=value3 */ public void process(CMSRequest cmsReq) throws EBaseException { @@ -298,14 +281,14 @@ public class TokenKeyRecoveryServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "submit"); + authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, + "submit"); } catch (Exception e) { } if (authzToken == null) { - try{ + try { resp.setContentType("text/html"); String value = "unauthorized="; CMS.debug("TokenKeyRecoveryServlet: Unauthorized"); @@ -315,7 +298,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet { ooss.write(value.getBytes()); ooss.flush(); mRenderResult = false; - }catch (Exception e) { + } catch (Exception e) { CMS.debug("TokenKeyRecoveryServlet: " + e.toString()); } @@ -324,28 +307,28 @@ public class TokenKeyRecoveryServlet extends CMSServlet { } // begin Netkey serverSideKeyGen and archival - CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery would be called"); - processTokenKeyRecovery(req, resp); - return; + CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery would be called"); + processTokenKeyRecovery(req, resp); + return; // end Netkey functions } - /** XXX remember to check peer SSL cert and get RA id later - * + /** + * XXX remember to check peer SSL cert and get RA id later + * * Serves HTTP admin request. - * + * * @param req HTTP request * @param resp HTTP response */ public void service(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { + throws ServletException, IOException { String scope = req.getParameter(Constants.OP_SCOPE); String op = req.getParameter(Constants.OP_TYPE); - super.service(req, resp); + super.service(req, resp); - } } |