diff options
author | Ade Lee <alee@redhat.com> | 2012-01-11 13:58:57 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-01-11 13:58:57 -0500 |
commit | fbbf6c77236902e726faafe380a5ddf1891e8dc9 (patch) | |
tree | 1e671265cbd3d4072838eeec51b6a2ec77bed7d1 /pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java | |
parent | f7a1d6a79d1b0367e556d5c53fe5e0c07c7b5c66 (diff) | |
download | pki-fbbf6c77236902e726faafe380a5ddf1891e8dc9.tar.gz pki-fbbf6c77236902e726faafe380a5ddf1891e8dc9.tar.xz pki-fbbf6c77236902e726faafe380a5ddf1891e8dc9.zip |
Formatting - no wrap in comments and code
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java | 1040 |
1 files changed, 501 insertions, 539 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java index ca785565..3a6dda64 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -50,14 +50,12 @@ import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.symkey.SessionKey; - - /** * A class representings an administration servlet for Token Key - * Service Authority. This servlet is responsible to serve - * tks administrative operation such as configuration + * Service Authority. This servlet is responsible to serve + * tks administrative operation such as configuration * parameter updates. - * + * * @version $Revision$, $Date$ */ public class TokenServlet extends CMSServlet { @@ -66,66 +64,53 @@ public class TokenServlet extends CMSServlet { */ private static final long serialVersionUID = 8687436109695172791L; protected static final String PROP_ENABLED = "enabled"; - protected static final String TRANSPORT_KEY_NAME ="sharedSecret"; + protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; private final static String INFO = "TokenServlet"; public static int ERROR = 1; private ITKSAuthority mTKS = null; private String mSelectedToken = null; private String mNewSelectedToken = null; String mKeyNickName = null; - String mNewKeyNickName = null; + String mNewKeyNickName = null; private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM = - "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; + "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3"; - - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3"; - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8"; - private final static String - LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9"; - private final static String - LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6"; + private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5"; - private final static String - LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7"; + private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6"; + private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7"; - private final static String - LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7"; + private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7"; - private final static String - LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8"; + private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8"; - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST = + "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS = + "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3"; - private final static String - LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4"; + private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE = + "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4"; /** * Constructs tks servlet. @@ -135,14 +120,13 @@ public class TokenServlet extends CMSServlet { } - public static String trim(String a) - { - StringBuffer newa = new StringBuffer(); + public static String trim(String a) { + StringBuffer newa = new StringBuffer(); StringTokenizer tokens = new StringTokenizer(a, "\n"); - while (tokens.hasMoreTokens()) { - newa.append(tokens.nextToken()); - } - return newa.toString(); + while (tokens.hasMoreTokens()) { + newa.append(tokens.nextToken()); + } + return newa.toString(); } public void init(ServletConfig config) throws ServletException { @@ -151,18 +135,19 @@ public class TokenServlet extends CMSServlet { /** * Returns serlvet information. - * + * * @return name of this servlet */ - public String getServletInfo() { - return INFO; + public String getServletInfo() { + return INFO; } - /** - * Process the HTTP request. - * + + /** + * Process the HTTP request. + * * @param s The URL to decode. */ - protected String URLdecode(String s) { + protected String URLdecode(String s) { if (s == null) return null; ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); @@ -182,62 +167,59 @@ public class TokenServlet extends CMSServlet { } } // end for return out.toString(); - } + } + + private void setDefaultSlotAndKeyName(HttpServletRequest req) { + try { - private void setDefaultSlotAndKeyName(HttpServletRequest req) - { - try { + String keySet = req.getParameter("keySet"); + if (keySet == null || keySet.equals("")) { + keySet = "defKeySet"; + } + CMS.debug("keySet selected: " + keySet); - String keySet = req.getParameter("keySet"); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("keySet selected: " + keySet); + mNewSelectedToken = null; - mNewSelectedToken = null; - - mSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot"); - String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); - String temp = req.getParameter("KeyInfo"); //#xx#xx - String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if(mappingValue!=null) - { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - int tokenNumber=0; - while (st.hasMoreTokens()) { - - String currentToken= st.nextToken(); - if(tokenNumber==0) - mSelectedToken = currentToken; - else if(tokenNumber==1) - mKeyNickName = currentToken; - tokenNumber++; - - } + mSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot"); + String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); + String temp = req.getParameter("KeyInfo"); //#xx#xx + String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue != null) { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + int tokenNumber = 0; + while (st.hasMoreTokens()) { + + String currentToken = st.nextToken(); + if (tokenNumber == 0) + mSelectedToken = currentToken; + else if (tokenNumber == 1) + mKeyNickName = currentToken; + tokenNumber++; + + } } - if(req.getParameter("newKeyInfo")!=null) // for diversification + if (req.getParameter("newKeyInfo") != null) // for diversification { - temp = req.getParameter("newKeyInfo"); //#xx#xx - String newKeyInfoMap = "tks." + keySet + ".mk_mappings." + temp; - String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); - if(newMappingValue!=null) - { - StringTokenizer st = new StringTokenizer(newMappingValue, ":"); - int tokenNumber=0; - while (st.hasMoreTokens()) { - String currentToken= st.nextToken(); - if(tokenNumber==0) - mNewSelectedToken = currentToken; - else if(tokenNumber==1) - mNewKeyNickName = currentToken; - tokenNumber++; - - } + temp = req.getParameter("newKeyInfo"); //#xx#xx + String newKeyInfoMap = "tks." + keySet + ".mk_mappings." + temp; + String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); + if (newMappingValue != null) { + StringTokenizer st = new StringTokenizer(newMappingValue, ":"); + int tokenNumber = 0; + while (st.hasMoreTokens()) { + String currentToken = st.nextToken(); + if (tokenNumber == 0) + mNewSelectedToken = currentToken; + else if (tokenNumber == 1) + mNewKeyNickName = currentToken; + tokenNumber++; + + } } - } + } - SessionKey.SetDefaultPrefix(masterKeyPrefix); + SessionKey.SetDefaultPrefix(masterKeyPrefix); } catch (Exception e) { e.printStackTrace(); @@ -247,9 +229,8 @@ public class TokenServlet extends CMSServlet { } private void processComputeSessionKey(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException - { - byte[] card_challenge ,host_challenge,keyInfo, xCUID, CUID, session_key; + HttpServletResponse resp) throws EBaseException { + byte[] card_challenge, host_challenge, keyInfo, xCUID, CUID, session_key; byte[] card_crypto, host_cryptogram, input_card_crypto; byte[] xcard_challenge, xhost_challenge; byte[] enc_session_key, xkeyInfo; @@ -257,18 +238,18 @@ public class TokenServlet extends CMSServlet { String errorMsg = ""; String badParams = ""; String transportKeyName = ""; - - String rCUID = req.getParameter("CUID"); + + String rCUID = req.getParameter("CUID"); String keySet = req.getParameter("keySet"); if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; + keySet = "defKeySet"; } CMS.debug("keySet selected: " + keySet); boolean serversideKeygen = false; byte[] drm_trans_wrapped_desKey = null; - PK11SymKey desKey = null; - // PK11SymKey kek_session_key; + PK11SymKey desKey = null; + // PK11SymKey kek_session_key; PK11SymKey kek_key; IConfigStore sconfig = CMS.getConfigStore(); @@ -278,14 +259,14 @@ public class TokenServlet extends CMSServlet { card_crypto = null; host_cryptogram = null; enc_session_key = null; - // kek_session_key = null; + // kek_session_key = null; SessionContext sContext = SessionContext.getContext(); - String agentId=""; + String agentId = ""; if (sContext != null) { agentId = - (String) sContext.get(SessionContext.USER_ID); + (String) sContext.get(SessionContext.USER_ID); } auditMessage = CMS.getLogMessage( @@ -297,19 +278,19 @@ public class TokenServlet extends CMSServlet { audit(auditMessage); String kek_wrapped_desKeyString = null; - String keycheck_s = null; + String keycheck_s = null; CMS.debug("processComputeSessionKey:"); String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; + if (!useSoftToken_s.equalsIgnoreCase("true")) + useSoftToken_s = "false"; - String rServersideKeygen = (String) req.getParameter("serversideKeygen"); + String rServersideKeygen = (String) req.getParameter("serversideKeygen"); if (rServersideKeygen.equals("true")) { - CMS.debug("TokenServlet: serversideKeygen requested"); - serversideKeygen = true; + CMS.debug("TokenServlet: serversideKeygen requested"); + serversideKeygen = true; } else { - CMS.debug("TokenServlet: serversideKeygen not requested"); + CMS.debug("TokenServlet: serversideKeygen not requested"); } try { @@ -318,13 +299,12 @@ public class TokenServlet extends CMSServlet { } try { - transportKeyName = sconfig.getString("tks.tksSharedSymKeyName",TRANSPORT_KEY_NAME); + transportKeyName = sconfig.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME); } catch (EBaseException e) { } CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName); - String rcard_challenge = req.getParameter("card_challenge"); String rhost_challenge = req.getParameter("host_challenge"); String rKeyInfo = req.getParameter("KeyInfo"); @@ -353,7 +333,6 @@ public class TokenServlet extends CMSServlet { missingParam = true; } - String selectedToken = null; String keyNickName = null; boolean sameCardCrypto = true; @@ -362,48 +341,48 @@ public class TokenServlet extends CMSServlet { xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; + badParams += " CUID length,"; + CMS.debug("TokenServlet: Invalid CUID length"); + missingParam = true; } xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (xkeyInfo == null || xkeyInfo.length != 2) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length."); - missingParam = true; + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length."); + missingParam = true; } - xcard_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + xcard_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); if (xcard_challenge == null || xcard_challenge.length != 8) { - badParams += " card_challenge length,"; - CMS.debug("TokenServlet: Invalid card challenge length."); - missingParam = true; + badParams += " card_challenge length,"; + CMS.debug("TokenServlet: Invalid card challenge length."); + missingParam = true; } - + xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); if (xhost_challenge == null || xhost_challenge.length != 8) { - badParams += " host_challenge length,"; - CMS.debug("TokenServlet: Invalid host challenge length"); - missingParam = true; + badParams += " host_challenge length,"; + CMS.debug("TokenServlet: Invalid host challenge length"); + missingParam = true; } - + } CUID = null; if (!missingParam) { - card_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); - + card_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - CUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); if (mappingValue == null) { - selectedToken = - CMS.getConfigStore().getString("tks.defaultSlot", "internal"); + selectedToken = + CMS.getConfigStore().getString("tks.defaultSlot", "internal"); keyNickName = rKeyInfo; } else { StringTokenizer st = new StringTokenizer(mappingValue, ":"); @@ -419,133 +398,128 @@ public class TokenServlet extends CMSServlet { byte macKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".mac_key")); CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" + selectedToken + " keyNickName=" + keyNickName); - session_key = SessionKey.ComputeSessionKey( - selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, macKeyArray, useSoftToken_s, keySet, transportKeyName ); + session_key = SessionKey.ComputeSessionKey( + selectedToken, keyNickName, card_challenge, + host_challenge, keyInfo, CUID, macKeyArray, useSoftToken_s, keySet, transportKeyName); - if(session_key == null) - { + if (session_key == null) { CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); - throw new Exception("Can't compute session key!"); + throw new Exception("Can't compute session key!"); - } + } byte encKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key")); enc_session_key = SessionKey.ComputeEncSessionKey( - selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, encKeyArray, useSoftToken_s, keySet); + selectedToken, keyNickName, card_challenge, + host_challenge, keyInfo, CUID, encKeyArray, useSoftToken_s, keySet); - if(enc_session_key == null) - { + if (enc_session_key == null) { CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); - throw new Exception("Can't compute enc session key!"); - + throw new Exception("Can't compute enc session key!"); + } if (serversideKeygen == true) { /** - * 0. generate des key + * 0. generate des key * 1. encrypt des key with kek key * 2. encrypt des key with DRM transport key * These two wrapped items are to be sent back to - * TPS. 2nd item is to DRM + * TPS. 2nd item is to DRM **/ CMS.debug("TokenServlet: calling ComputeKekKey"); - byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); - + byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); kek_key = SessionKey.ComputeKekKey( - selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, kekKeyArray, useSoftToken_s,keySet); - + selectedToken, keyNickName, card_challenge, + host_challenge, keyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); CMS.debug("TokenServlet: called ComputeKekKey"); - if(kek_key == null) - { + if (kek_key == null) { CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL "); - throw new Exception("Can't compute kek key!"); - + throw new Exception("Can't compute kek key!"); + } // now use kek key to wrap kek session key.. - CMS.debug("computeSessionKey:kek key len ="+ - kek_key.getLength()); - - // (1) generate DES key - /* applet does not support DES3 - org.mozilla.jss.crypto.KeyGenerator kg = - internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); - desKey = kg.generate();*/ - - /* - * XXX GenerateSymkey firt generates a 16 byte DES2 key. - * It then pads it into a 24 byte key with last - * 8 bytes copied from the 1st 8 bytes. Effectively - * making it a 24 byte DES2 key. We need this for - * wrapping private keys on DRM. - */ - /*generate it on whichever token the master key is at*/ - if (useSoftToken_s.equals("true")) { - CMS.debug("TokenServlet: key encryption key generated on internal"); -//cfu audit here? sym key gen - desKey = SessionKey.GenerateSymkey("internal"); -//cfu audit here? sym key gen done + CMS.debug("computeSessionKey:kek key len =" + + kek_key.getLength()); + + // (1) generate DES key + /* applet does not support DES3 + org.mozilla.jss.crypto.KeyGenerator kg = + internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); + desKey = kg.generate();*/ + + /* + * XXX GenerateSymkey firt generates a 16 byte DES2 key. + * It then pads it into a 24 byte key with last + * 8 bytes copied from the 1st 8 bytes. Effectively + * making it a 24 byte DES2 key. We need this for + * wrapping private keys on DRM. + */ + /*generate it on whichever token the master key is at*/ + if (useSoftToken_s.equals("true")) { + CMS.debug("TokenServlet: key encryption key generated on internal"); + //cfu audit here? sym key gen + desKey = SessionKey.GenerateSymkey("internal"); + //cfu audit here? sym key gen done } else { - CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); - desKey = SessionKey.GenerateSymkey(selectedToken); + CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); + desKey = SessionKey.GenerateSymkey(selectedToken); + } + if (desKey != null) + CMS.debug("TokenServlet: key encryption key generated for " + rCUID); + else { + CMS.debug("TokenServlet: key encryption key generation failed for " + rCUID); + throw new Exception("can't generate key encryption key"); } - if (desKey != null) - CMS.debug("TokenServlet: key encryption key generated for "+rCUID); - else { - CMS.debug("TokenServlet: key encryption key generation failed for "+rCUID); - throw new Exception ("can't generate key encryption key"); - } - - /* - * XXX ECBencrypt actually takes the 24 byte DES2 key - * and discard the last 8 bytes before it encrypts. - * This is done so that the applet can digest it - */ - byte[] encDesKey = - SessionKey.ECBencrypt( kek_key, - desKey); - /* - CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); - CMS.debug(encDesKey); - */ + + /* + * XXX ECBencrypt actually takes the 24 byte DES2 key + * and discard the last 8 bytes before it encrypts. + * This is done so that the applet can digest it + */ + byte[] encDesKey = + SessionKey.ECBencrypt(kek_key, + desKey); + /* + CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); + CMS.debug(encDesKey); + */ kek_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); - - // get keycheck - byte[] keycheck = - SessionKey.ComputeKeyCheck(desKey); - /* - CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); - CMS.debug(keycheck); - */ - keycheck_s = - com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); + com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); + + // get keycheck + byte[] keycheck = + SessionKey.ComputeKeyCheck(desKey); + /* + CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); + CMS.debug(keycheck); + */ + keycheck_s = + com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); //XXX use DRM transport cert to wrap desKey - String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); + String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); - if ((drmTransNickname == null) || (drmTransNickname == "")) { - CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); - throw new Exception("can't find DRM transport certificate nickname"); - } else { - CMS.debug("TokenServlet:drmtransport_cert_nickname="+drmTransNickname); - } + if ((drmTransNickname == null) || (drmTransNickname == "")) { + CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); + throw new Exception("can't find DRM transport certificate nickname"); + } else { + CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname); + } X509Certificate drmTransCert = null; drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); // wrap kek session key with DRM transport public key - CryptoToken token = null; - if (useSoftToken_s.equals("true")) { - //token = CryptoManager.getInstance().getTokenByName(selectedToken); - token = CryptoManager.getInstance().getInternalCryptoToken(); + CryptoToken token = null; + if (useSoftToken_s.equals("true")) { + //token = CryptoManager.getInstance().getTokenByName(selectedToken); + token = CryptoManager.getInstance().getInternalCryptoToken(); } else { token = CryptoManager.getInstance().getTokenByName(selectedToken); } @@ -561,31 +535,29 @@ public class TokenServlet extends CMSServlet { keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); keyWrapper.initWrap(pubKey, null); } - CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName() ); + CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); - CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); + CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); } // if (serversideKeygen == true) byte authKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key")); host_cryptogram = SessionKey.ComputeCryptogram( - selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID,0, authKeyArray, useSoftToken_s, keySet); + selectedToken, keyNickName, card_challenge, + host_challenge, keyInfo, CUID, 0, authKeyArray, useSoftToken_s, keySet); - if(host_cryptogram == null) - { + if (host_cryptogram == null) { CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); - throw new Exception("Can't compute host cryptogram!"); + throw new Exception("Can't compute host cryptogram!"); } card_crypto = SessionKey.ComputeCryptogram( - selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID,1, authKeyArray, useSoftToken_s, keySet); + selectedToken, keyNickName, card_challenge, + host_challenge, keyInfo, CUID, 1, authKeyArray, useSoftToken_s, keySet); - if(card_crypto == null) - { + if (card_crypto == null) { CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); - throw new Exception("Can't compute card cryptogram!"); + throw new Exception("Can't compute card cryptogram!"); } @@ -595,9 +567,9 @@ public class TokenServlet extends CMSServlet { throw new Exception("Missing card cryptogram"); } input_card_crypto = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); if (card_crypto.length == input_card_crypto.length) { - for (int i=0; i<card_crypto.length; i++) { + for (int i = 0; i < card_crypto.length; i++) { if (card_crypto[i] != input_card_crypto[i]) { sameCardCrypto = false; break; @@ -611,15 +583,15 @@ public class TokenServlet extends CMSServlet { CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, - ILogger.LL_INFO,"processComputeSessionKey for CUID=" + - trim(pp.toHexString(CUID))); - } catch (Exception e) { + ILogger.LL_INFO, "processComputeSessionKey for CUID=" + + trim(pp.toHexString(CUID))); + } catch (Exception e) { CMS.debug(e); CMS.debug("TokenServlet Computing Session Key: " + e.toString()); if (isCryptoValidate) sameCardCrypto = false; } - } + } } // ! missingParam String value = ""; @@ -632,34 +604,32 @@ public class TokenServlet extends CMSServlet { String cryptogram = ""; String status = "0"; if (session_key != null && session_key.length > 0) { - outputString = - com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); - } else { - + outputString = + com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); + } else { + status = "1"; } if (enc_session_key != null && enc_session_key.length > 0) { - encSessionKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); - } else { + encSessionKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); + } else { status = "1"; } - if (serversideKeygen == true) { - if ( drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) - drm_trans_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); - else { - status = "1"; + if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) + drm_trans_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); + else { + status = "1"; } - } + } - if (host_cryptogram != null && host_cryptogram.length > 0) { - cryptogram = - com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); + cryptogram = + com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); } else { status = "2"; } @@ -675,32 +645,30 @@ public class TokenServlet extends CMSServlet { if (missingParam) { status = "3"; } - - if (!status.equals("0")) { - - - if(status.equals("1")) { - errorMsg = "Problem generating session key info."; - } - - if(status.equals("2")) { - errorMsg = "Problem creating host_cryptogram."; - } - - if(status.equals("4")) { - errorMsg = "Problem obtaining token information."; - } - - if(status.equals("3")) { - if(badParams.endsWith(",")) { - badParams = badParams.substring(0,badParams.length() -1); - } - errorMsg = "Missing input parameters :" + badParams; - } - - value = "status="+status; - } - else { + + if (!status.equals("0")) { + + if (status.equals("1")) { + errorMsg = "Problem generating session key info."; + } + + if (status.equals("2")) { + errorMsg = "Problem creating host_cryptogram."; + } + + if (status.equals("4")) { + errorMsg = "Problem obtaining token information."; + } + + if (status.equals("3")) { + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters :" + badParams; + } + + value = "status=" + status; + } else { if (serversideKeygen == true) { StringBuffer sb = new StringBuffer(); sb.append("status=0&"); @@ -709,10 +677,10 @@ public class TokenServlet extends CMSServlet { sb.append("&hostCryptogram="); sb.append(cryptogram); sb.append("&encSessionKey="); - sb.append(encSessionKeyString); + sb.append(encSessionKeyString); sb.append("&kek_wrapped_desKey="); sb.append(kek_wrapped_desKeyString); - sb.append("&keycheck="); + sb.append("&keycheck="); sb.append(keycheck_s); sb.append("&drm_trans_wrapped_desKey="); sb.append(drm_trans_wrapped_desKeyString); @@ -722,19 +690,19 @@ public class TokenServlet extends CMSServlet { sb.append("status=0&"); sb.append("sessionKey="); sb.append(outputString); - sb.append("&hostCryptogram="); - sb.append(cryptogram); + sb.append("&hostCryptogram="); + sb.append(cryptogram); sb.append("&encSessionKey="); sb.append(encSessionKeyString); value = sb.toString(); } } - CMS.debug("TokenServlet:outputString.encode " +value); + CMS.debug("TokenServlet:outputString.encode " + value); - try{ + try { resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.length " +value.length()); + CMS.debug("TokenServlet:outputString.length " + value.length()); OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -742,65 +710,65 @@ public class TokenServlet extends CMSServlet { } catch (IOException e) { CMS.debug("TokenServlet: " + e.toString()); } - - if(status.equals("0")) { - auditMessage = CMS.getLogMessage( + if (status.equals("0")) { + + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, rCUID, ILogger.SUCCESS, status, agentId, - isCryptoValidate? "true":"false", - serversideKeygen? "true":"false", + isCryptoValidate ? "true" : "false", + serversideKeygen ? "true" : "false", selectedToken, keyNickName); } else { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, rCUID, ILogger.FAILURE, status, agentId, - isCryptoValidate? "true":"false", - serversideKeygen? "true":"false", + isCryptoValidate ? "true" : "false", + serversideKeygen ? "true" : "false", selectedToken, keyNickName, errorMsg); - } - + } + audit(auditMessage); } private void processDiversifyKey(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - byte[] KeySetData,KeysValues,CUID,xCUID; - byte[] xkeyInfo,xnewkeyInfo; + HttpServletResponse resp) throws EBaseException { + byte[] KeySetData, KeysValues, CUID, xCUID; + byte[] xkeyInfo, xnewkeyInfo; boolean missingParam = false; String errorMsg = ""; String badParams = ""; IConfigStore sconfig = CMS.getConfigStore(); - String rnewKeyInfo = req.getParameter("newKeyInfo"); + String rnewKeyInfo = req.getParameter("newKeyInfo"); String newMasterKeyName = req.getParameter("newKeyInfo"); String oldMasterKeyName = req.getParameter("KeyInfo"); - String rCUID =req.getParameter("CUID"); - String auditMessage=""; + String rCUID = req.getParameter("CUID"); + String auditMessage = ""; String keySet = req.getParameter("keySet"); if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; + keySet = "defKeySet"; } CMS.debug("keySet selected: " + keySet); SessionContext sContext = SessionContext.getContext(); - String agentId=""; + String agentId = ""; if (sContext != null) { agentId = - (String) sContext.get(SessionContext.USER_ID); + (String) sContext.get(SessionContext.USER_ID); } auditMessage = CMS.getLogMessage( @@ -813,7 +781,6 @@ public class TokenServlet extends CMSServlet { audit(auditMessage); - if ((rCUID == null) || (rCUID.equals(""))) { badParams += " CUID,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); @@ -824,101 +791,101 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); missingParam = true; } - if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))){ + if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) { badParams += " KeyInfo,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo"); missingParam = true; } if (!missingParam) { - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); - if (xkeyInfo == null || xkeyInfo.length != 2) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length"); - missingParam = true; - } - xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); - if (xnewkeyInfo == null || xnewkeyInfo.length != 2) { - badParams += " NewKeyInfo length,"; - CMS.debug("TokenServlet: Invalid new key info length"); - missingParam = true; - } - } + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); + if (xkeyInfo == null || xkeyInfo.length != 2) { + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length"); + missingParam = true; + } + xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); + if (xnewkeyInfo == null || xnewkeyInfo.length != 2) { + badParams += " NewKeyInfo length,"; + CMS.debug("TokenServlet: Invalid new key info length"); + missingParam = true; + } + } String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; + if (!useSoftToken_s.equalsIgnoreCase("true")) + useSoftToken_s = "false"; KeySetData = null; String outputString = null; if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - } + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; + CMS.debug("TokenServlet: Invalid CUID length"); + missingParam = true; + } + } if (!missingParam) { - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - - if (mKeyNickName!=null) - oldMasterKeyName = mKeyNickName; - if (mNewKeyNickName!=null) - newMasterKeyName = mNewKeyNickName; - - String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." + req.getParameter("KeyInfo"); //#xx#xx - String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); - String oldSelectedToken = null; - String oldKeyNickName = null; - if (oldMappingValue == null) { - oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); - oldKeyNickName = req.getParameter("KeyInfo"); - } else { - StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); - oldSelectedToken = st.nextToken(); - oldKeyNickName = st.nextToken(); - } - - String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo; //#xx#xx - String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); - String newSelectedToken = null; - String newKeyNickName = null; - if (newMappingValue == null) { - newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); - newKeyNickName = rnewKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(newMappingValue, ":"); - newSelectedToken = st.nextToken(); - newKeyNickName = st.nextToken(); - } - - CMS.debug("process DiversifyKey for oldSelectedToke="+ - oldSelectedToken + " newSelectedToken=" + newSelectedToken + - " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + - newKeyNickName); - - byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); - KeySetData = SessionKey.DiversifyKey(oldSelectedToken, + CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + + if (mKeyNickName != null) + oldMasterKeyName = mKeyNickName; + if (mNewKeyNickName != null) + newMasterKeyName = mNewKeyNickName; + + String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." + req.getParameter("KeyInfo"); //#xx#xx + String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); + String oldSelectedToken = null; + String oldKeyNickName = null; + if (oldMappingValue == null) { + oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); + oldKeyNickName = req.getParameter("KeyInfo"); + } else { + StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); + oldSelectedToken = st.nextToken(); + oldKeyNickName = st.nextToken(); + } + + String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo; //#xx#xx + String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); + String newSelectedToken = null; + String newKeyNickName = null; + if (newMappingValue == null) { + newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); + newKeyNickName = rnewKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(newMappingValue, ":"); + newSelectedToken = st.nextToken(); + newKeyNickName = st.nextToken(); + } + + CMS.debug("process DiversifyKey for oldSelectedToke=" + + oldSelectedToken + " newSelectedToken=" + newSelectedToken + + " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + + newKeyNickName); + + byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, - newKeyNickName,rnewKeyInfo,CUID, kekKeyArray, useSoftToken_s, keySet); - - if (KeySetData == null || KeySetData.length<=1) { - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO,"process DiversifyKey: Missing MasterKey in Slot"); - } - - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO,"process DiversifyKey for CUID ="+ trim(pp.toHexString(CUID)) - + ";from oldMasterKeyName="+oldSelectedToken + ":" + oldKeyNickName - +";to newMasterKeyName="+newSelectedToken + ":" + newKeyNickName); - - resp.setContentType("text/html"); - - if (KeySetData != null) { - outputString = new String(KeySetData); - } + newKeyNickName, rnewKeyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); + + if (KeySetData == null || KeySetData.length <= 1) { + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot"); + } + + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, "process DiversifyKey for CUID =" + trim(pp.toHexString(CUID)) + + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName + + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); + + resp.setContentType("text/html"); + + if (KeySetData != null) { + outputString = new String(KeySetData); + } } // ! missingParam //CMS.debug("TokenServlet:processDiversifyKey " +outputString); @@ -928,26 +895,26 @@ public class TokenServlet extends CMSServlet { String status = "0"; if (KeySetData != null && KeySetData.length > 1) { - value = "status=0&"+"keySetData=" + + value = "status=0&" + "keySetData=" + com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); - CMS.debug("TokenServlet:process DiversifyKey.encode " +value); + CMS.debug("TokenServlet:process DiversifyKey.encode " + value); } else if (missingParam) { status = "3"; - if(badParams.endsWith(",")) { - badParams = badParams.substring(0,badParams.length() -1); + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); } errorMsg = "Missing input parameters: " + badParams; value = "status=" + status; - } else { + } else { errorMsg = "Problem diversifying key data."; status = "1"; value = "status=" + status; } resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.length " +value.length()); + CMS.debug("TokenServlet:outputString.length " + value.length()); - try{ + try { OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -956,9 +923,9 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); } - if(status.equals("0")) { + if (status.equals("0")) { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, rCUID, ILogger.SUCCESS, @@ -969,7 +936,7 @@ public class TokenServlet extends CMSServlet { } else { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, rCUID, ILogger.FAILURE, @@ -978,13 +945,13 @@ public class TokenServlet extends CMSServlet { oldMasterKeyName, newMasterKeyName, errorMsg); - } + } - audit(auditMessage); + audit(auditMessage); } private void processEncryptData(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { + HttpServletResponse resp) throws EBaseException { byte[] keyInfo, CUID, xCUID, encryptedData, xkeyInfo; boolean missingParam = false; byte[] data = null; @@ -1004,10 +971,10 @@ public class TokenServlet extends CMSServlet { SessionContext sContext = SessionContext.getContext(); - String agentId=""; + String agentId = ""; if (sContext != null) { agentId = - (String) sContext.get(SessionContext.USER_ID); + (String) sContext.get(SessionContext.USER_ID); } CMS.debug("keySet selected: " + keySet); @@ -1032,20 +999,20 @@ public class TokenServlet extends CMSServlet { if (isRandom) { if ((rdata == null) || (rdata.equals(""))) { - CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); + CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); } else { - CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); + CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); } try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); - data = new byte[16]; - random.nextBytes(data); + SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + data = new byte[16]; + random.nextBytes(data); } catch (Exception e) { - CMS.debug("TokenServlet: processEncryptData():"+ e.toString()); - badParams += " Random Number,"; - missingParam = true; + CMS.debug("TokenServlet: processEncryptData():" + e.toString()); + badParams += " Random Number,"; + missingParam = true; } - } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){ + } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) { CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); badParams += " data,"; missingParam = true; @@ -1056,75 +1023,74 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); missingParam = true; } - + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { badParams += " KeyInfo,"; CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); missingParam = true; } - if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - if (xkeyInfo == null || xkeyInfo.length != 2) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length"); - missingParam = true; - } + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; + CMS.debug("TokenServlet: Invalid CUID length"); + missingParam = true; + } + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + if (xkeyInfo == null || xkeyInfo.length != 2) { + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length"); + missingParam = true; + } } - String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken","true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; + String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); + if (!useSoftToken_s.equalsIgnoreCase("true")) + useSoftToken_s = "false"; String selectedToken = null; String keyNickName = null; if (!missingParam) { - if (!isRandom) - data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); - keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - - String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if (mappingValue == null) { - selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - selectedToken = st.nextToken(); - keyNickName = st.nextToken(); - } - - byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); - encryptedData = SessionKey.EncryptData( - selectedToken,keyNickName,data,keyInfo,CUID, kekKeyArray, useSoftToken_s, keySet); - - CMS.getLogger().log(ILogger.EV_AUDIT, + if (!isRandom) + data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); + keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + + String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue == null) { + selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + selectedToken = st.nextToken(); + keyNickName = st.nextToken(); + } + + byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + encryptedData = SessionKey.EncryptData( + selectedToken, keyNickName, data, keyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); + + CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, - ILogger.LL_INFO,"process EncryptData for CUID ="+ trim(pp.toHexString(CUID))); + ILogger.LL_INFO, "process EncryptData for CUID =" + trim(pp.toHexString(CUID))); } // !missingParam resp.setContentType("text/html"); - + String value = ""; - String status = "0"; - if (encryptedData != null && encryptedData.length > 0) { - String outputString = new String(encryptedData); + String status = "0"; + if (encryptedData != null && encryptedData.length > 0) { + String outputString = new String(encryptedData); // sending both the pre-encrypted and encrypted data back - value = "status=0&"+"data="+ - com.netscape.cmsutil.util.Utils.SpecialEncode(data)+ - "&encryptedData=" + + value = "status=0&" + "data=" + + com.netscape.cmsutil.util.Utils.SpecialEncode(data) + + "&encryptedData=" + com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); } else if (missingParam) { - if(badParams.endsWith(",")) { - badParams = badParams.substring(0,badParams.length() -1); + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); } errorMsg = "Missing input parameters: " + badParams; status = "3"; @@ -1135,12 +1101,12 @@ public class TokenServlet extends CMSServlet { value = "status=" + status; } - CMS.debug("TokenServlet:process EncryptData.encode " +value); + CMS.debug("TokenServlet:process EncryptData.encode " + value); try { resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.lenght " +value.length()); - + CMS.debug("TokenServlet:outputString.lenght " + value.length()); + OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -1149,9 +1115,9 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: " + e.toString()); } - if(status.equals("0")) { + if (status.equals("0")) { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, rCUID, ILogger.SUCCESS, @@ -1163,7 +1129,7 @@ public class TokenServlet extends CMSServlet { } else { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, rCUID, ILogger.FAILURE, @@ -1173,9 +1139,9 @@ public class TokenServlet extends CMSServlet { selectedToken, keyNickName, errorMsg); - } + } - audit(auditMessage); + audit(auditMessage); } /* @@ -1194,9 +1160,9 @@ public class TokenServlet extends CMSServlet { */ private void processComputeRandomData(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - - byte[] randomData = null; + HttpServletResponse resp) throws EBaseException { + + byte[] randomData = null; String status = "0"; String errorMsg = ""; String badParams = ""; @@ -1207,26 +1173,23 @@ public class TokenServlet extends CMSServlet { SessionContext sContext = SessionContext.getContext(); - String agentId=""; + String agentId = ""; if (sContext != null) { agentId = - (String) sContext.get(SessionContext.USER_ID); + (String) sContext.get(SessionContext.USER_ID); } String sDataSize = req.getParameter("dataNumBytes"); - if(sDataSize == null || sDataSize.equals("")) { + if (sDataSize == null || sDataSize.equals("")) { CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); badParams += " Random Data size, "; missingParam = true; status = "1"; } else { - try - { - dataSize = Integer.parseInt(sDataSize.trim()); - } - catch (NumberFormatException nfe) - { + try { + dataSize = Integer.parseInt(sDataSize.trim()); + } catch (NumberFormatException nfe) { CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); badParams += " Random Data size, "; missingParam = true; @@ -1244,33 +1207,33 @@ public class TokenServlet extends CMSServlet { audit(auditMessage); - if(!missingParam) { + if (!missingParam) { try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); - randomData = new byte[dataSize]; - random.nextBytes(randomData); - } catch (Exception e) { - CMS.debug("TokenServlet::processComputeRandomData:"+ e.toString()); - errorMsg = "Can't generate random data!"; - status = "2"; + SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + randomData = new byte[dataSize]; + random.nextBytes(randomData); + } catch (Exception e) { + CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); + errorMsg = "Can't generate random data!"; + status = "2"; } } String randomDataOut = ""; - if(status.equals("0")) { + if (status.equals("0")) { if (randomData != null && randomData.length == dataSize) { randomDataOut = - com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); + com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); } else { status = "2"; errorMsg = "Can't convert random data!"; } } - if(status.equals("1") && missingParam) { + if (status.equals("1") && missingParam) { - if(badParams.endsWith(",")) { - badParams = badParams.substring(0,badParams.length() -1); + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); } errorMsg = "Missing input parameters :" + badParams; } @@ -1278,15 +1241,15 @@ public class TokenServlet extends CMSServlet { resp.setContentType("text/html"); String value = ""; - value = "status="+status; - if(status.equals("0")) { - value = value + "&DATA="+randomDataOut; + value = "status=" + status; + if (status.equals("0")) { + value = value + "&DATA=" + randomDataOut; } - + try { resp.setContentLength(value.length()); - CMS.debug("TokenServler::processComputeRandomData :outputString.length " +value.length()); - + CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); + OutputStream ooss = resp.getOutputStream(); ooss.write(value.getBytes()); ooss.flush(); @@ -1295,22 +1258,22 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); } - if(status.equals("0")) { + if (status.equals("0")) { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, ILogger.SUCCESS, status, agentId); - } else { - auditMessage = CMS.getLogMessage( + } else { + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, ILogger.FAILURE, status, agentId, errorMsg); - } + } - audit(auditMessage); + audit(auditMessage); } public void process(CMSRequest cmsReq) throws EBaseException { @@ -1328,7 +1291,7 @@ public class TokenServlet extends CMSServlet { if (authzToken == null) { - try{ + try { resp.setContentType("text/html"); String value = "unauthorized="; CMS.debug("TokenServlet: Unauthorized"); @@ -1338,7 +1301,7 @@ public class TokenServlet extends CMSServlet { ooss.write(value.getBytes()); ooss.flush(); mRenderResult = false; - }catch (Exception e) { + } catch (Exception e) { CMS.debug("TokenServlet: " + e.toString()); } @@ -1349,26 +1312,25 @@ public class TokenServlet extends CMSServlet { String temp = req.getParameter("card_challenge"); mSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot"); setDefaultSlotAndKeyName(req); - if(temp!=null) - { - processComputeSessionKey(req,resp); - }else if(req.getParameter("data")!=null){ - processEncryptData(req,resp); - }else if(req.getParameter("newKeyInfo")!=null){ - processDiversifyKey(req,resp); - }else if(req.getParameter("dataNumBytes") !=null){ - processComputeRandomData(req,resp); + if (temp != null) { + processComputeSessionKey(req, resp); + } else if (req.getParameter("data") != null) { + processEncryptData(req, resp); + } else if (req.getParameter("newKeyInfo") != null) { + processDiversifyKey(req, resp); + } else if (req.getParameter("dataNumBytes") != null) { + processComputeRandomData(req, resp); } } /** * Serves HTTP admin request. - * + * * @param req HTTP request * @param resp HTTP response */ public void service(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { + throws ServletException, IOException { String scope = req.getParameter(Constants.OP_SCOPE); String op = req.getParameter(Constants.OP_TYPE); |