Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication')
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java346
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java134
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java762
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/Crypt.java328
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/DNPattern.java78
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java367
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java241
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java12
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java71
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java307
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java99
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java160
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java2
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java109
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java122
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java145
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java294
17 files changed, 1770 insertions, 1807 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java
index 1b76f77a..e0a37eb4 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;
@@ -35,27 +36,24 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.authentication.ECompSyntaxErr;
+
/**
- * class for parsing a DN pattern used to construct a certificate subject name
- * from ldap attributes and dn.
- * <p>
- *
- * dnpattern is a string representing a subject name pattern to formulate from
- * the directory attributes and entry dn. If empty or not set, the ldap entry DN
- * will be used as the certificate subject name.
- * <p>
+ * class for parsing a DN pattern used to construct a certificate
+ * subject name from ldap attributes and dn.<p>
*
- * The syntax is
+ * dnpattern is a string representing a subject name pattern to formulate from
+ * the directory attributes and entry dn. If empty or not set, the
+ * ldap entry DN will be used as the certificate subject name. <p>
*
+ * The syntax is
* <pre>
- * dnPattern := rdnPattern *[ "," rdnPattern ]
- * rdnPattern := avaPattern *[ "+" avaPattern ]
+ * dnPattern := rdnPattern *[ "," rdnPattern ]
+ * rdnPattern := avaPattern *[ "+" avaPattern ]
* avaPattern := name "=" value |
- * name "=" "$attr" "." attrName [ "." attrNumber ] |
- * name "=" "$dn" "." attrName [ "." attrNumber ] |
- * "$dn" "." "$rdn" "." number
+ * name "=" "$attr" "." attrName [ "." attrNumber ] |
+ * name "=" "$dn" "." attrName [ "." attrNumber ] |
+ * "$dn" "." "$rdn" "." number
* </pre>
- *
* <pre>
* Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i>
* Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org
@@ -82,12 +80,11 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr;
* E = the first 'mail' ldap attribute value in user's entry. <br>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN. note multiple AVAs
- * in a RDN in this example. <br>
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
* <pre>
* Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i>
* Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org
@@ -112,16 +109,15 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr;
* <p>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN followed by the
- * first 'ou' value in the user's entry. note multiple AVAs
- * in a RDN in this example. <br>
+ * first 'ou' value in the user's entry. note multiple AVAs
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
- * If an attribute or subject DN component does not exist the attribute is
- * skipped.
- *
+ * If an attribute or subject DN component does not exist the attribute
+ * is skipped.
+ *
* @version $Revision$, $Date$
*/
class AVAPattern {
@@ -134,7 +130,8 @@ class AVAPattern {
private static final char[] endChars = new char[] { '+', ',' };
- private static final LdapV3DNStrConverter mLdapDNStrConverter = new LdapV3DNStrConverter();
+ private static final LdapV3DNStrConverter mLdapDNStrConverter =
+ new LdapV3DNStrConverter();
/* ldap attributes needed by this AVA (to retrieve from ldap) */
protected String[] mLdapAttrs = null;
@@ -143,7 +140,7 @@ class AVAPattern {
protected String mType = null;
/* the attribute in the AVA pair */
- protected String mAttr = null;
+ protected String mAttr = null;
/* value - could be name of an ldap attribute or entry dn attribute. */
protected String mValue = null;
@@ -153,288 +150,262 @@ class AVAPattern {
protected String mTestDN = null;
- public AVAPattern(String component) throws EAuthException {
- if (component == null || component.length() == 0)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", component));
+ public AVAPattern(String component)
+ throws EAuthException {
+ if (component == null || component.length() == 0)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component));
parse(new PushbackReader(new StringReader(component)));
}
- public AVAPattern(PushbackReader in) throws EAuthException {
+ public AVAPattern(PushbackReader in)
+ throws EAuthException {
parse(in);
}
- private void parse(PushbackReader in) throws EAuthException {
+ private void parse(PushbackReader in)
+ throws EAuthException {
int c;
// mark ava beginning.
// skip spaces
- // System.out.println("============ AVAPattern Begin ===========");
- // System.out.println("skip spaces");
+ //System.out.println("============ AVAPattern Begin ===========");
+ //System.out.println("skip spaces");
try {
- while ((c = in.read()) == ' ' || c == '\t') {// System.out.println("spaces read "+(char)c);
+ while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces read "+(char)c);
;
}
} catch (IOException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank"));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank"));
}
- if (c == -1)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank"));
+ if (c == -1)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank"));
- // $rdn "." number syntax.
+ // $rdn "." number syntax.
if (c == '$') {
- // System.out.println("$rdn syntax");
+ //System.out.println("$rdn syntax");
mType = TYPE_RDN;
try {
- if (in.read() != 'r' || in.read() != 'd' || in.read() != 'n'
- || in.read() != '.')
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "Invalid $ syntax, expecting $rdn"));
+ if (in.read() != 'r' ||
+ in.read() != 'd' ||
+ in.read() != 'n' ||
+ in.read() != '.')
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn"));
} catch (IOException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "Invalid $ syntax, expecting $rdn"));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn"));
}
StringBuffer rdnNumberBuf = new StringBuffer();
try {
while ((c = in.read()) != ',' && c != -1 && c != '+') {
- // System.out.println("rdnNumber read "+(char)c);
+ //System.out.println("rdnNumber read "+(char)c);
rdnNumberBuf.append((char) c);
}
if (c != -1) // either ',' or '+'
in.unread(c);
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
String rdnNumber = rdnNumberBuf.toString().trim();
- if (rdnNumber.length() == 0)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "$rdn number not set in ava pattern"));
+ if (rdnNumber.length() == 0)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "$rdn number not set in ava pattern"));
try {
mElement = Integer.parseInt(rdnNumber) - 1;
} catch (NumberFormatException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "Invalid $rdn number in ava pattern"));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $rdn number in ava pattern"));
}
return;
}
- // name "=" ... syntax.
+ // name "=" ... syntax.
- // read name
- // System.out.println("reading name");
+ // read name
+ //System.out.println("reading name");
- StringBuffer attrBuf = new StringBuffer();
+ StringBuffer attrBuf = new StringBuffer();
try {
while (c != '=' && c != -1 && c != ',' && c != '+') {
attrBuf.append((char) c);
c = in.read();
- // System.out.println("name read "+(char)c);
- }
- if (c == ',' || c == '+')
+ //System.out.println("name read "+(char)c);
+ }
+ if (c == ',' || c == '+')
in.unread(c);
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
if (c != '=')
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "Missing \"=\" in ava pattern"));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Missing \"=\" in ava pattern"));
- // read value
- // System.out.println("reading value");
+ // read value
+ //System.out.println("reading value");
- // skip spaces
- // System.out.println("skip spaces for value");
+ // skip spaces
+ //System.out.println("skip spaces for value");
try {
- while ((c = in.read()) == ' ' || c == '\t') {// System.out.println("spaces2 read "+(char)c);
+ while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c);
;
}
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
- if (c == -1)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "no value after = in ava pattern"));
+ if (c == -1)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "no value after = in ava pattern"));
if (c == '$') {
- // check for $dn or $attr
+ // check for $dn or $attr
try {
c = in.read();
- // System.out.println("check $dn or $attr read "+(char)c);
+ //System.out.println("check $dn or $attr read "+(char)c);
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
- if (c == -1)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "expecting $dn or $attr in ava pattern"));
+ if (c == -1)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "expecting $dn or $attr in ava pattern"));
if (c == 'a') {
try {
- if (in.read() != 't' || in.read() != 't'
- || in.read() != 'r' || in.read() != '.')
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "expecting $attr in ava pattern"));
+ if (in.read() != 't' ||
+ in.read() != 't' ||
+ in.read() != 'r' ||
+ in.read() != '.')
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "expecting $attr in ava pattern"));
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
mType = TYPE_ATTR;
- // System.out.println("---- mtype $attr");
+ //System.out.println("---- mtype $attr");
} else if (c == 'd') {
try {
- if (in.read() != 'n' || in.read() != '.')
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "expecting $dn in ava pattern"));
+ if (in.read() != 'n' ||
+ in.read() != '.')
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "expecting $dn in ava pattern"));
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
mType = TYPE_DN;
- // System.out.println("----- mtype $dn");
+ //System.out.println("----- mtype $dn");
} else {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "unknown keyword. expecting $dn or $attr."));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "unknown keyword. expecting $dn or $attr."));
}
- // get attr name of dn pattern from above.
+ // get attr name of dn pattern from above.
String attrName = attrBuf.toString().trim();
- // System.out.println("----- attrName "+attrName);
- if (attrName.length() == 0)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "attribute name expected"));
- try {
- ObjectIdentifier attrOid = mLdapDNStrConverter
- .parseAVAKeyword(attrName);
+ //System.out.println("----- attrName "+attrName);
+ if (attrName.length() == 0)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "attribute name expected"));
+ try {
+ ObjectIdentifier attrOid =
+ mLdapDNStrConverter.parseAVAKeyword(attrName);
- mAttr = mLdapDNStrConverter.encodeOID(attrOid);
- // System.out.println("----- mAttr "+mAttr);
+ mAttr = mLdapDNStrConverter.encodeOID(attrOid);
+ //System.out.println("----- mAttr "+mAttr);
} catch (IOException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
}
// get dn or attribute from ldap search.
StringBuffer valueBuf = new StringBuffer();
try {
- while ((c = in.read()) != ',' && c != -1 && c != '.'
- && c != '+') {
- // System.out.println("mValue read "+(char)c);
+ while ((c = in.read()) != ',' &&
+ c != -1 && c != '.' && c != '+') {
+ //System.out.println("mValue read "+(char)c);
valueBuf.append((char) c);
}
if (c == '+' || c == ',') // either ',' or '+'
- in.unread(c); // pushback last , or +
+ in.unread(c); // pushback last , or +
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
mValue = valueBuf.toString().trim();
- if (mValue.length() == 0)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "$dn or $attr attribute name expected"));
- // System.out.println("----- mValue "+mValue);
+ if (mValue.length() == 0)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "$dn or $attr attribute name expected"));
+ //System.out.println("----- mValue "+mValue);
- // get nth dn or attribute from ldap search.
+ // get nth dn or attribute from ldap search.
if (c == '.') {
StringBuffer attrNumberBuf = new StringBuffer();
try {
while ((c = in.read()) != ',' && c != -1 && c != '+') {
- // System.out.println("mElement read "+(char)c);
+ //System.out.println("mElement read "+(char)c);
attrNumberBuf.append((char) c);
}
if (c != -1) // either ',' or '+'
- in.unread(c); // pushback last , or +
+ in.unread(c); // pushback last , or +
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
String attrNumber = attrNumberBuf.toString().trim();
- if (attrNumber.length() == 0)
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "nth element $dn or $attr expected"));
+ if (attrNumber.length() == 0)
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "nth element $dn or $attr expected"));
try {
mElement = Integer.parseInt(attrNumber) - 1;
} catch (NumberFormatException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX",
- "Invalid format in nth element $dn or $attr"));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX",
+ "Invalid format in nth element $dn or $attr"));
}
}
- // System.out.println("----- mElement "+mElement);
+ //System.out.println("----- mElement "+mElement);
} else {
// value is constant. treat as regular ava.
mType = TYPE_CONSTANT;
- // System.out.println("----- mType constant");
- // parse ava value.
+ //System.out.println("----- mType constant");
+ // parse ava value.
StringBuffer valueBuf = new StringBuffer();
valueBuf.append((char) c);
try {
- while ((c = in.read()) != ',' && c != -1) {
+ while ((c = in.read()) != ',' &&
+ c != -1) {
valueBuf.append((char) c);
}
if (c == '+' || c == ',') { // either ',' or '+'
in.unread(c); // pushback last , or +
}
} catch (IOException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
}
- try {
- AVA ava = mLdapDNStrConverter
- .parseAVA(attrBuf + "=" + valueBuf);
+ try {
+ AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf);
mValue = ava.toLdapDNString();
- // System.out.println("----- mValue "+mValue);
+ //System.out.println("----- mValue "+mValue);
} catch (IOException e) {
- throw new ECompSyntaxErr(CMS.getUserMessage(
- "CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
+ throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage()));
}
}
}
- public String formAVA(LDAPEntry entry) throws EAuthException {
- if (mType == TYPE_CONSTANT)
+ public String formAVA(LDAPEntry entry)
+ throws EAuthException {
+ if (mType == TYPE_CONSTANT)
return mValue;
if (mType == TYPE_RDN) {
String dn = entry.getDN();
- if (mTestDN != null)
+ if (mTestDN != null)
dn = mTestDN;
- // System.out.println("AVAPattern Using dn "+mTestDN);
+ //System.out.println("AVAPattern Using dn "+mTestDN);
String[] rdns = LDAPDN.explodeDN(dn, false);
- if (mElement >= rdns.length)
+ if (mElement >= rdns.length)
return null;
return rdns[mElement];
}
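Review bot: Both `mElement = Integer.parseInt(...) - 1` sites (the `$rdn` number and the trailing `.N` element) accept values below 1, so a pattern such as `$rdn.0` leaves `mElement == -1`, and `formAVA`'s TYPE_RDN branch only guards `mElement >= rdns.length` before `rdns[mElement]`; a bad element number therefore escapes as an ArrayIndexOutOfBoundsException at authentication time instead of an ECompSyntaxErr when the pattern is parsed. Both sites should validate after parsing, e.g. `if (mElement < 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $rdn number in ava pattern"));` with the corresponding message at the `.N` site. Separately, the constant-value loop stops only on `','`, so the `c == '+'` pushback beneath it is dead code; this looks pre-existing and the commit does not change it. `formAVA` continues past the end of this hunk.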
@@ -442,9 +413,9 @@ class AVAPattern {
if (mType == TYPE_DN) {
String dn = entry.getDN();
- if (mTestDN != null)
+ if (mTestDN != null)
dn = mTestDN;
- // System.out.println("AVAPattern Using dn "+mTestDN);
+ //System.out.println("AVAPattern Using dn "+mTestDN);
String[] rdns = LDAPDN.explodeDN(dn, false);
String value = null;
int nFound = -1;
@@ -455,14 +426,14 @@ class AVAPattern {
for (int j = 0; j < avas.length; j++) {
String[] exploded = explodeAVA(avas[j]);
- if (exploded[0].equalsIgnoreCase(mValue)
- && ++nFound == mElement) {
+ if (exploded[0].equalsIgnoreCase(mValue) &&
+ ++nFound == mElement) {
value = exploded[1];
break;
}
}
}
- if (value == null)
+ if (value == null)
return null;
return mAttr + "=" + value;
}
@@ -470,7 +441,7 @@ class AVAPattern {
if (mType == TYPE_ATTR) {
LDAPAttribute ldapAttr = entry.getAttribute(mValue);
- if (ldapAttr == null)
+ if (ldapAttr == null)
return null;
String value = null;
Enumeration ldapValues = ldapAttr.getStringValues();
@@ -483,7 +454,7 @@ class AVAPattern {
break;
}
}
- if (value == null)
+ if (value == null)
return null;
String v = escapeLdapString(value);
@@ -503,8 +474,8 @@ class AVAPattern {
for (int i = 0; i < c.length; i++) {
// escape special characters that directory does not.
- if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<'
- || c[i] == '>' || c[i] == '#' || c[i] == ';')) {
+ if ((c[i] == ',' || c[i] == '=' || c[i] == '+' || c[i] == '<' ||
+ c[i] == '>' || c[i] == '#' || c[i] == ';')) {
if (i == 0 || c[i - 1] != '\\') {
newc[j++] = '\\';
newc[j++] = c[i];
@@ -513,17 +484,17 @@ class AVAPattern {
else if (c[i] == '\\') {
int k = i + 1;
- if (i == len - 1
- || (c[k] == ',' || c[k] == '=' || c[k] == '+'
- || c[k] == '<' || c[k] == '>' || c[k] == '#' || c[k] == ';')) {
+ if (i == len - 1 ||
+ (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' ||
+ c[k] == '>' || c[k] == '#' || c[k] == ';')) {
newc[j++] = '\\';
newc[j++] = c[i];
}
} // escape QUOTATION
else if (c[i] == '"') {
- if ((i == 0 && c[len - 1] != '"')
- || (i == len - 1 && c[0] != '"')
- || (i > 0 && i < len - 1)) {
+ if ((i == 0 && c[len - 1] != '"') ||
+ (i == len - 1 && c[0] != '"') ||
+ (i > 0 && i < len - 1)) {
newc[j++] = '\\';
newc[j++] = c[i];
}
@@ -541,19 +512,20 @@ class AVAPattern {
}
/**
- * Explode RDN into AVAs. Does not handle escaped '+' Java ldap library does
- * not yet support multiple avas per rdn. If RDN is malformed returns empty
- * array.
+ * Explode RDN into AVAs.
+ * Does not handle escaped '+'
+ * Java ldap library does not yet support multiple avas per rdn.
+ * If RDN is malformed returns empty array.
*/
public static String[] explodeRDN(String rdn) {
int plus = rdn.indexOf('+');
- if (plus == -1)
+ if (plus == -1)
return new String[] { rdn };
Vector avas = new Vector();
StringTokenizer token = new StringTokenizer(rdn, "+");
- while (token.hasMoreTokens())
+ while (token.hasMoreTokens())
avas.addElement(token.nextToken());
String[] theAvas = new String[avas.size()];
@@ -562,15 +534,17 @@ class AVAPattern {
}
/**
- * Explode AVA into name and value. Does not handle escaped '=' If AVA is
- * malformed empty array is returned.
+ * Explode AVA into name and value.
+ * Does not handle escaped '='
+ * If AVA is malformed empty array is returned.
*/
public static String[] explodeAVA(String ava) {
int equals = ava.indexOf('=');
- if (equals == -1)
+ if (equals == -1)
return null;
- return new String[] { ava.substring(0, equals).trim(),
- ava.substring(equals + 1).trim() };
+ return new String[] {
+ ava.substring(0, equals).trim(), ava.substring(equals + 1).trim()};
}
}
+
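Review bot: The javadoc kept on `explodeAVA` states that a malformed AVA returns an empty array, but the method returns `null` when no `'='` is present, and the `formAVA` caller in this file dereferences `exploded[0]` without a null check, so an RDN lacking `'='` would surface as a NullPointerException rather than a skipped component. For this reformatting commit the behaviour-preserving fix is to correct the doc, `* If AVA is malformed null is returned.`, and add a null check at the caller; alternatively return `new String[0]` as documented and have the caller test the length.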
diff --git a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java
index 23bc2b23..0b8bad8f 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
@@ -47,14 +48,16 @@ import com.netscape.certsrv.usrgrp.ICertUserLocator;
import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.certsrv.usrgrp.IUser;
+
/**
- * Certificate server agent authentication. Maps a SSL client authenticate
- * certificate to a user (agent) entry in the internal database.
+ * Certificate server agent authentication.
+ * Maps a SSL client authenticate certificate to a user (agent) entry in the
+ * internal database.
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
-public class AgentCertAuthentication implements IAuthManager,
+public class AgentCertAuthentication implements IAuthManager,
IProfileAuthenticator {
/* result auth token attributes */
@@ -88,15 +91,14 @@ public class AgentCertAuthentication implements IAuthManager,
/**
* initializes the CertUserDBAuthentication auth manager
* <p>
- * called by AuthSubsystem init() method, when initializing all available
- * authentication managers.
- *
+ * called by AuthSubsystem init() method, when initializing
+ * all available authentication managers.
* @param name The name of this authentication manager instance.
* @param implName The name of the authentication manager plugin.
* @param config The configuration store for this authentication manager.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
@@ -104,7 +106,7 @@ public class AgentCertAuthentication implements IAuthManager,
mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
mCULocator = mUGSub.getCertUserLocator();
}
-
+
/**
* Gets the name of this authentication manager.
*/
@@ -118,7 +120,7 @@ public class AgentCertAuthentication implements IAuthManager,
public String getImplName() {
return mImplName;
}
-
+
public boolean isSSLClientRequired() {
return true;
}
@@ -126,35 +128,33 @@ public class AgentCertAuthentication implements IAuthManager,
/**
* authenticates user(agent) by certificate
* <p>
- * called by other subsystems or their servlets to authenticate users
- * (agents)
- *
- * @param authCred - authentication credential that contains an
- * usrgrp.Certificates of the user (agent)
+ * called by other subsystems or their servlets to authenticate
+ * users (agents)
+ * @param authCred - authentication credential that contains
+ * an usrgrp.Certificates of the user (agent)
* @return the authentication token that contains the following
- *
+ *
* @exception EMissingCredential If a required credential for this
- * authentication manager is missing.
+ * authentication manager is missing.
* @exception EInvalidCredentials If credentials cannot be authenticated.
* @exception EBaseException If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
* @see com.netscape.certsrv.usrgrp.Certificates
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
-
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
+
CMS.debug("AgentCertAuthentication: start");
- CMS.debug("authenticator instance name is " + getName());
+ CMS.debug("authenticator instance name is "+getName());
// force SSL handshake
SessionContext context = SessionContext.getExistingContext();
- ISSLClientCertProvider provider = (ISSLClientCertProvider) context
- .get("sslClientCertProvider");
+ ISSLClientCertProvider provider = (ISSLClientCertProvider)
+ context.get("sslClientCertProvider");
if (provider == null) {
CMS.debug("AgentCertAuthentication: No SSL Client Cert Provider Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
CMS.debug("AgentCertAuthenticator: got provider");
CMS.debug("AgentCertAuthenticator: retrieving client certificate");
@@ -162,8 +162,7 @@ public class AgentCertAuthentication implements IAuthManager,
if (allCerts == null) {
CMS.debug("AgentCertAuthentication: No SSL Client Certs Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
CMS.debug("AgentCertAuthenticator: got certificates");
@@ -186,16 +185,15 @@ public class AgentCertAuthentication implements IAuthManager,
// check if certificate(s) is revoked
boolean checkRevocation = true;
try {
- checkRevocation = mConfig.getBoolean("checkRevocation", true);
+ checkRevocation = mConfig.getBoolean("checkRevocation", true);
} catch (EBaseException e) {
- // do nothing; default to true
+ // do nothing; default to true
}
if (checkRevocation) {
- if (CMS.isRevoked(ci)) {
- CMS.debug("AgentCertAuthentication: certificate revoked");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
+ if (CMS.isRevoked(ci)) {
+ CMS.debug("AgentCertAuthentication: certificate revoked");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
}
// map cert to user
@@ -205,39 +203,33 @@ public class AgentCertAuthentication implements IAuthManager,
try {
user = (IUser) mCULocator.locateUser(certs);
} catch (EUsrGrpException e) {
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
} catch (netscape.ldap.LDAPException e) {
- throw new EBaseException(CMS.getUserMessage(
- "CMS_BASE_INTERNAL_ERROR", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+ e.toString()));
}
- // any unexpected error occurs like internal db down,
+ // any unexpected error occurs like internal db down,
// UGSubsystem only returns null for user.
if (user == null) {
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// get group name from configuration file
IConfigStore sconfig = CMS.getConfigStore();
String groupname = "";
try {
- groupname = sconfig.getString("auths.instance." + getName()
- + ".agentGroup", "");
+ groupname = sconfig.getString("auths.instance."+ getName() +".agentGroup",
+ "");
} catch (EBaseException ee) {
}
if (!groupname.equals("")) {
- CMS.debug("check if " + user.getUserID() + " is in group "
- + groupname);
- IUGSubsystem uggroup = (IUGSubsystem) CMS
- .getSubsystem(CMS.SUBSYSTEM_UG);
+ CMS.debug("check if "+user.getUserID()+" is in group "+groupname);
+ IUGSubsystem uggroup = (IUGSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_UG);
if (!uggroup.isMemberOf(user, groupname)) {
- CMS.debug(user.getUserID() + " is not in this group "
- + groupname);
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHORIZATION_ERROR"));
+ CMS.debug(user.getUserID()+" is not in this group "+groupname);
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR"));
}
}
authToken.set(TOKEN_USERDN, user.getUserDN());
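Review bot: The `catch (EBaseException ee) {}` around the `agentGroup` lookup is an empty catch, and combined with the `""` default it means a failed config read silently degrades to no group-membership check: any certificate that `mCULocator.locateUser` maps to a user is then accepted as an agent. At minimum the catch should record the failure, e.g. `CMS.debug("AgentCertAuthentication: failed to read agentGroup for " + getName() + ": " + ee);`, and the `authenticate` javadoc should say that an unset `agentGroup` disables the group check rather than failing closed, so deployers know the setting is load-bearing. The `authenticate` method begins before this hunk.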
@@ -245,7 +237,7 @@ public class AgentCertAuthentication implements IAuthManager,
authToken.set(TOKEN_USERID, user.getUserID());
authToken.set(TOKEN_UID, user.getUserID());
authToken.set(TOKEN_GROUP, groupname);
- authToken.set(CRED_CERT, certs);
+ authToken.set(CRED_CERT, certs);
CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN());
@@ -253,12 +245,11 @@ public class AgentCertAuthentication implements IAuthManager,
}
/**
- * get the list of authentication credential attribute names required by
- * this authentication manager. Generally used by the servlets that handle
- * agent operations to authenticate its users. It calls this method to know
- * which are the required credentials from the user (e.g. Javascript form
- * data)
- *
+ * get the list of authentication credential attribute names
+ * required by this authentication manager. Generally used by
+ * the servlets that handle agent operations to authenticate its
+ * users. It calls this method to know which are the
+ * required credentials from the user (e.g. Javascript form data)
* @return attribute names in Vector
*/
public String[] getRequiredCreds() {
@@ -266,15 +257,15 @@ public class AgentCertAuthentication implements IAuthManager,
}
/**
- * get the list of configuration parameter names required by this
- * authentication manager. Generally used by the Certificate Server Console
- * to display the table for configuration purposes. CertUserDBAuthentication
- * is currently not exposed in this case, so this method is not to be used.
- *
- * @return configuration parameter names in Hashtable of Vectors where each
- * hashtable entry's key is the substore name, value is a Vector of
- * parameter names. If no substore, the parameter name is the
- * Hashtable key itself, with value same as key.
+ * get the list of configuration parameter names
+ * required by this authentication manager. Generally used by
+ * the Certificate Server Console to display the table for
+ * configuration purposes. CertUserDBAuthentication is currently not
+ * exposed in this case, so this method is not to be used.
+ * @return configuration parameter names in Hashtable of Vectors
+ * where each hashtable entry's key is the substore name, value is a
+ * Vector of parameter names. If no substore, the parameter name
+ * is the Hashtable key itself, with value same as key.
*/
public String[] getConfigParams() {
return (mConfigParams);
@@ -287,8 +278,8 @@ public class AgentCertAuthentication implements IAuthManager,
}
/**
- * gets the configuretion substore used by this authentication manager
- *
+ * gets the configuretion substore used by this authentication
+ * manager
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -298,7 +289,7 @@ public class AgentCertAuthentication implements IAuthManager,
// Profile-related methods
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -327,13 +318,14 @@ public class AgentCertAuthentication implements IAuthManager,
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
return null;
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
}
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
index f61d0a89..fef68c1c 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java
@@ -20,6 +20,7 @@
package com.netscape.cms.authentication;
+
///////////////////////
// import statements //
///////////////////////
@@ -100,150 +101,157 @@ import com.netscape.cmsutil.util.Utils;
/**
* UID/CMC authentication plug-in
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
IProfileAuthenticator {
- // //////////////////////
+ ////////////////////////
// default parameters //
- // //////////////////////
-
- // ///////////////////////////
+ ////////////////////////
+
+
+
+ /////////////////////////////
// IAuthManager parameters //
- // ///////////////////////////
-
+ /////////////////////////////
+
/* authentication plug-in configuration store */
private IConfigStore mConfig;
private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
- public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke";
+ public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke";
public static final String REASON_CODE = "reasonCode";
/* authentication plug-in name */
private String mImplName = null;
-
+
/* authentication plug-in instance name */
private String mName = null;
-
+
/* authentication plug-in fields */
-
- /*
- * Holds authentication plug-in fields accepted by this implementation. This
- * list is passed to the configuration console so configuration for
- * instances of this implementation can be configured through the console.
+
+
+
+ /* Holds authentication plug-in fields accepted by this implementation.
+ * This list is passed to the configuration console so configuration
+ * for instances of this implementation can be configured through the
+ * console.
*/
- protected static String[] mConfigParams = new String[] {};
-
+ protected static String[] mConfigParams =
+ new String[] {};
+
/* authentication plug-in values */
-
+
/* authentication plug-in properties */
-
+
+
/* required credentials to authenticate. UID and CMC are strings. */
public static final String CRED_CMC = "cmcRequest";
-
+
protected static String[] mRequiredCreds = {};
-
- // //////////////////////////////////
+
+ ////////////////////////////////////
// IExtendedPluginInfo parameters //
- // //////////////////////////////////
-
+ ////////////////////////////////////
+
/* Vector of extendedPluginInfo strings */
protected static Vector mExtendedPluginInfo = null;
- // public static final String AGENT_AUTHMGR_ID = "agentAuthMgr";
- // public static final String AGENT_PLUGIN_ID = "agentAuthPlugin";
-
+ //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr";
+ //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin";
+
+
/* actual help messages */
static {
mExtendedPluginInfo = new Vector();
-
- mExtendedPluginInfo
- .add(IExtendedPluginInfo.HELP_TEXT
- + ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\"");
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authentication");
+
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
+ ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\"");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-authentication");
}
-
- // /////////////////////
+
+ ///////////////////////
// Logger parameters //
- // /////////////////////
-
+ ///////////////////////
+
/* the system's logger */
private ILogger mLogger = CMS.getLogger();
-
+
/* signed audit parameters */
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
- private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment";
- private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation";
- private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
-
- // ///////////////////
+ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE =
+ "enrollment";
+ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
+ "revocation";
+ private final static String
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY =
+ "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
+
+ /////////////////////
// default methods //
- // ///////////////////
-
+ /////////////////////
+
/**
* Default constructor, initialization must follow.
*/
public CMCAuth() {
}
-
- // ////////////////////////
+
+ //////////////////////////
// IAuthManager methods //
- // ////////////////////////
-
+ //////////////////////////
+
/**
* Initializes the CMCAuth authentication plug-in.
* <p>
- *
* @param name The name for this authentication plug-in instance.
* @param implName The name of the authentication plug-in.
* @param config - The configuration store for this instance.
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
-
+
log(ILogger.LL_INFO, "Initialization complete!");
}
-
+
/**
- * Authenticates user by their CMC; resulting AuthToken sets a TOKEN_SUBJECT
- * for the subject name.
+ * Authenticates user by their CMC;
+ * resulting AuthToken sets a TOKEN_SUBJECT for the subject name.
* <P>
- *
+ *
* <ul>
- * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY used
- * when CMC (agent-pre-signed) cert requests or revocation requests are
- * submitted and signature is verified
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY
+ * used when CMC (agent-pre-signed) cert requests or revocation requests
+ * are submitted and signature is verified
* </ul>
- *
* @param authCred Authentication credentials, CRED_UID and CRED_CMC.
* @return an AuthToken
- * @exception com.netscape.certsrv.authentication.EMissingCredential If a
- * required authentication credential is missing.
- * @exception com.netscape.certsrv.authentication.EInvalidCredentials If
- * credentials failed authentication.
- * @exception com.netscape.certsrv.base.EBaseException If an internal error
- * occurred.
+ * @exception com.netscape.certsrv.authentication.EMissingCredential
+ * If a required authentication credential is missing.
+ * @exception com.netscape.certsrv.authentication.EInvalidCredentials
+ * If credentials failed authentication.
+ * @exception com.netscape.certsrv.base.EBaseException
+ * If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
*/
- public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditReqType = ILogger.UNIDENTIFIED;
String auditCertSubject = ILogger.UNIDENTIFIED;
String auditSignerInfo = ILogger.UNIDENTIFIED;
-
+
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
try {
// get the CMC.
- Object argblock = (Object) (authCred.getArgBlock());
+ Object argblock = (Object)(authCred.getArgBlock());
Object returnVal = null;
if (argblock == null) {
returnVal = authCred.get("cert_request");
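Review bot: `mRequiredCreds` stays an empty array on the new side even though `CRED_CMC` is declared as the required credential and the `authenticate` Javadoc lists `CRED_UID`, which this class never defines, so `getRequiredCreds()` tells callers nothing and the documentation names a credential that does not exist. Either declare `protected static String[] mRequiredCreds = { CRED_CMC };` (if the servlets tolerate that, which I cannot confirm from here) or reword the `@param` to `@param authCred Authentication credentials; the CMC is read from the arg block or, failing that, from the "cert_request" credential.` The cast in `Object argblock = (Object)(authCred.getArgBlock());` is redundant and can be dropped. `authenticate` continues past the end of this hunk.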
@@ -258,125 +266,140 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
if (cmc == null) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC));
+ "CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_CMC));
}
if (cmc.equals("")) {
- log(ILogger.LL_FAILURE, "cmc : attempted login with empty CMC.");
+ log(ILogger.LL_FAILURE,
+ "cmc : attempted login with empty CMC.");
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage(
+ "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
-
+
// authenticate by checking CMC.
-
+
// everything OK.
// now formulate the certificate info.
// set the subject name at a minimum.
// set anything else like version, extensions, etc.
// if nothing except subject name is set the rest of
// cert info will be filled in by policies and CA defaults.
-
+
AuthToken authToken = new AuthToken(this);
-
+
try {
String asciiBASE64Blob;
-
+
int startIndex = cmc.indexOf(HEADER);
int endIndex = cmc.indexOf(TRAILER);
- if (startIndex != -1 && endIndex != -1) {
+ if (startIndex!= -1 && endIndex!=-1) {
startIndex = startIndex + HEADER.length();
- asciiBASE64Blob = cmc.substring(startIndex, endIndex);
- } else
+ asciiBASE64Blob=cmc.substring(startIndex, endIndex);
+ }else
asciiBASE64Blob = cmc;
- byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
- ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(
- cmcBlob);
-
- org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
- .getTemplate().decode(cmcBlobIn);
- if (!cmcReq.getContentType().equals(
- org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)
- || !cmcReq.hasContent()) {
+ byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
+ ByteArrayInputStream cmcBlobIn= new
+ ByteArrayInputStream(cmcBlob);
+
+ org.mozilla.jss.pkix.cms.ContentInfo cmcReq =
+ (org.mozilla.jss.pkix.cms.ContentInfo)
+ org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(
+ cmcBlobIn);
+
+ if(!cmcReq.getContentType().equals(
+ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
+ !cmcReq.hasContent()) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
// throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT);
throw new EBaseException("NO_CMC_CONTENT");
}
-
- SignedData cmcFullReq = (SignedData) cmcReq
- .getInterpretedContent();
-
+
+ SignedData cmcFullReq = (SignedData)
+ cmcReq.getInterpretedContent();
+
IConfigStore cmc_config = CMS.getConfigStore();
- boolean checkSignerInfo = cmc_config.getBoolean(
- "cmc.signerInfo.verify", true);
+ boolean checkSignerInfo =
+ cmc_config.getBoolean("cmc.signerInfo.verify", true);
String userid = "defUser";
String uid = "defUser";
if (checkSignerInfo) {
- IAuthToken agentToken = verifySignerInfo(authToken,
- cmcFullReq);
+ IAuthToken agentToken = verifySignerInfo(authToken,cmcFullReq);
userid = agentToken.getInString("userid");
uid = agentToken.getInString("cn");
} else {
CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed");
}
// reset value of auditSignerInfo
- if (uid != null) {
+ if( uid != null ) {
auditSignerInfo = uid.trim();
}
EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
-
+
OBJECT_IDENTIFIER id = ci.getContentType();
- if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData)
- || !ci.hasContent()) {
+ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
+ !ci.hasContent()) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
- // throw new ECMSGWException(
+ // throw new ECMSGWException(
// CMSGWResources.NO_PKIDATA);
throw new EBaseException("NO_PKIDATA");
}
-
+
OCTET_STRING content = ci.getContent();
-
- ByteArrayInputStream s = new ByteArrayInputStream(
- content.toByteArray());
+
+ ByteArrayInputStream s = new
+ ByteArrayInputStream(content.toByteArray());
PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
-
+
SEQUENCE reqSequence = pkiData.getReqSequence();
-
+
int numReqs = reqSequence.size();
if (numReqs == 0) {
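Review bot: The header/trailer test `if (startIndex!= -1 && endIndex!=-1)` does not require the trailer to follow the header, so a blob with the trailer before the header makes `cmc.substring(startIndex, endIndex)` throw StringIndexOutOfBoundsException; the enclosing `catch (Exception e)` later in the method turns that into EInvalidCredentials, so it fails closed, but without any log of why. `if (startIndex != -1 && endIndex >= startIndex + HEADER.length()) {` rejects that input explicitly. Separately, when `cmc.signerInfo.verify` is false the literals `"defUser"` in `userid`/`uid` are what later goes into the auth token as the requester identity; a comment such as `// signerInfo verification bypassed: token carries the placeholder identity "defUser"` would make that consequence visible next to the config read. The enclosing method continues beyond this hunk.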
@@ -390,14 +413,15 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
if (controlSize > 0) {
for (int i = 0; i < controlSize; i++) {
- TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence
- .elementAt(i);
+ TaggedAttribute taggedAttribute =
+ (TaggedAttribute) controlSequence.elementAt(i);
OBJECT_IDENTIFIER type = taggedAttribute.getType();
- if (type.equals(OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
+ if( type.equals(
+ OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
// if( i ==1 ) {
- // taggedAttribute.getType() ==
- // OBJECT_IDENTIFIER.id_cmc_revokeRequest
+ // taggedAttribute.getType() ==
+ // OBJECT_IDENTIFIER.id_cmc_revokeRequest
// }
SET values = taggedAttribute.getValues();
@@ -406,49 +430,50 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
bigIntArray = new BigInteger[numVals];
for (int j = 0; j < numVals; j++) {
- // serialNumber INTEGER
-
+ // serialNumber INTEGER
+
// SEQUENCE RevRequest = (SEQUENCE)
- // values.elementAt(j);
- byte[] encoded = ASN1Util.encode(values
- .elementAt(j));
- org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmmf.RevRequest.Template();
- org.mozilla.jss.pkix.cmmf.RevRequest revRequest = (org.mozilla.jss.pkix.cmmf.RevRequest) ASN1Util
- .decode(template, encoded);
-
+ // values.elementAt(j);
+ byte[] encoded = ASN1Util.encode(
+ values.elementAt(j));
+ org.mozilla.jss.asn1.ASN1Template
+ template = new
+ org.mozilla.jss.pkix.cmmf.RevRequest.Template();
+ org.mozilla.jss.pkix.cmmf.RevRequest
+ revRequest =
+ (org.mozilla.jss.pkix.cmmf.RevRequest)
+ ASN1Util.decode(template, encoded);
+
// SEQUENCE RevRequest = (SEQUENCE)
- // ASN1Util.decode(
- // SEQUENCE.getTemplate(),
- // ASN1Util.encode(
- // values.elementAt(j)));
+ // ASN1Util.decode(
+ // SEQUENCE.getTemplate(),
+ // ASN1Util.encode(
+ // values.elementAt(j)));
// SEQUENCE RevRequest =
- // values.elementAt(j);
+ // values.elementAt(j);
// int revReqSize = RevRequest.size();
// if( revReqSize > 3 ) {
- // INTEGER serialNumber =
- // new INTEGER((long)0);
+ // INTEGER serialNumber =
+ // new INTEGER((long)0);
// }
INTEGER temp = revRequest.getSerialNumber();
int temp2 = temp.intValue();
-
+
bigIntArray[j] = temp;
- authToken.set(TOKEN_CERT_SERIAL,
- bigIntArray);
-
- long reasonCode = revRequest.getReason()
- .getValue();
- Integer IntObject = Integer
- .valueOf((int) reasonCode);
- authToken.set(REASON_CODE, IntObject);
-
- authToken.set("uid", uid);
- authToken.set("userid", userid);
+ authToken.set(TOKEN_CERT_SERIAL,bigIntArray);
+
+ long reasonCode = revRequest.getReason().getValue();
+ Integer IntObject = Integer.valueOf((int)reasonCode);
+ authToken.set(REASON_CODE,IntObject);
+
+ authToken.set("uid",uid);
+ authToken.set("userid",userid);
}
}
}
-
+
}
} else {
// enrollment request
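Review bot: `int temp2 = temp.intValue();` on the new side is never read and should be removed; as written it only hides a silent narrowing of the serial number. The cast in `Integer IntObject = Integer.valueOf((int)reasonCode);` narrows a long too; if the reason is always a CRL reason code it fits, but a comment like `// CRL reason codes are small; narrowing is safe` or an explicit range check would document that. `authToken.set(TOKEN_CERT_SERIAL,bigIntArray);` is executed on every loop iteration with the same array and could move after the inner loop. The enclosing method spans beyond this hunk.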
@@ -461,50 +486,52 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
for (int i = 0; i < numReqs; i++) {
// decode message.
- TaggedRequest taggedRequest = (TaggedRequest) reqSequence
- .elementAt(i);
+ TaggedRequest taggedRequest =
+ (TaggedRequest) reqSequence.elementAt(i);
TaggedRequest.Type type = taggedRequest.getType();
if (type.equals(TaggedRequest.PKCS10)) {
CMS.debug("CMCAuth: in PKCS10");
- TaggedCertificationRequest tcr = taggedRequest
- .getTcr();
+ TaggedCertificationRequest tcr =
+ taggedRequest.getTcr();
int p10Id = tcr.getBodyPartID().intValue();
reqIdArray[i] = String.valueOf(p10Id);
- CertificationRequest p10 = tcr
- .getCertificationRequest();
+ CertificationRequest p10 =
+ tcr.getCertificationRequest();
// transfer to sun class
- ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+ ByteArrayOutputStream ostream =
+ new ByteArrayOutputStream();
p10.encode(ostream);
try {
- PKCS10 pkcs10 = new PKCS10(
- ostream.toByteArray());
+ PKCS10 pkcs10 =
+ new PKCS10(ostream.toByteArray());
// xxx do we need to do anything else?
- X509CertInfo certInfo = CMS
- .getDefaultX509CertInfo();
+ X509CertInfo certInfo =
+ CMS.getDefaultX509CertInfo();
// fillPKCS10(certInfo,pkcs10,authToken,null);
// authToken.set(
- // pkcs10.getSubjectPublicKeyInfo());
+ // pkcs10.getSubjectPublicKeyInfo());
X500Name tempName = pkcs10.getSubjectName();
// reset value of auditCertSubject
- if (tempName != null) {
- auditCertSubject = tempName.toString()
- .trim();
- if (auditCertSubject.equals("")) {
- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ if( tempName != null ) {
+ auditCertSubject =
+ tempName.toString().trim();
+ if( auditCertSubject.equals( "" ) ) {
+ auditCertSubject =
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
- tempName.toString());
+ tempName.toString());
}
authToken.set("uid", uid);
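Review bot: The commented-out lines `// fillPKCS10(certInfo,pkcs10,authToken,null);` and `// authToken.set( pkcs10.getSubjectPublicKeyInfo());` survive on the new side, so `certInfo` appears to be stored as the unmodified `CMS.getDefaultX509CertInfo()` result; if that is intended, a one-line comment saying the cert info is populated later by policies would be clearer than dead code, otherwise the dead code should go. I cannot see where `certInfoArray` is consumed, so this is an inference to confirm. The enclosing loop and method continue past this hunk.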
@@ -513,67 +540,67 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
certInfoArray[i] = certInfo;
} catch (Exception e) {
// store a message in the signed audit log file
- auditMessage = CMS
- .getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE, auditReqType,
- auditCertSubject,
- auditSignerInfo);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
- // throw new ECMSGWException(
- // CMSGWResources.ERROR_PKCS101, e.toString());
+ //throw new ECMSGWException(
+ //CMSGWResources.ERROR_PKCS101, e.toString());
- e.printStackTrace();
+ e.printStackTrace();
throw new EBaseException(e.toString());
}
} else if (type.equals(TaggedRequest.CRMF)) {
CMS.debug("CMCAuth: in CRMF");
try {
- CertReqMsg crm = taggedRequest.getCrm();
+ CertReqMsg crm =
+ taggedRequest.getCrm();
CertRequest certReq = crm.getCertReq();
INTEGER reqID = certReq.getCertReqId();
reqIdArray[i] = reqID.toString();
- CertTemplate template = certReq
- .getCertTemplate();
+ CertTemplate template = certReq.getCertTemplate();
Name name = template.getSubject();
// xxx do we need to do anything else?
- X509CertInfo certInfo = CMS
- .getDefaultX509CertInfo();
+ X509CertInfo certInfo =
+ CMS.getDefaultX509CertInfo();
// reset value of auditCertSubject
- if (name != null) {
+ if( name != null ) {
String ss = name.getRFC1485();
auditCertSubject = ss;
- if (auditCertSubject.equals("")) {
- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ if( auditCertSubject.equals( "" ) ) {
+ auditCertSubject =
+ ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
- ss);
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
authToken.set("uid", uid);
authToken.set("userid", userid);
}
certInfoArray[i] = certInfo;
} catch (Exception e) {
// store a message in the signed audit log file
- auditMessage = CMS
- .getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE, auditReqType,
- auditCertSubject,
- auditSignerInfo);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
- // throw new ECMSGWException(
- // CMSGWResources.ERROR_PKCS101, e.toString());
+ //throw new ECMSGWException(
+ //CMSGWResources.ERROR_PKCS101, e.toString());
e.printStackTrace();
throw new EBaseException(e.toString());
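Review bot: Both catch blocks in this hunk keep `e.printStackTrace();` followed by `throw new EBaseException(e.toString());`, which writes the trace to stderr instead of the class logger and discards the original exception as the cause. The file already has a `log` helper, so `log(ILogger.LL_FAILURE, "CMCAuth: request decode failed: " + e);` would route it to the system log; if EBaseException has a constructor taking a cause, pass `e` through rather than only `e.toString()`. The same pattern appears for the PKCS10 and the CRMF branch.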
@@ -581,129 +608,141 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
}
// authToken.set(AgentAuthentication.CRED_CERT, new
- // com.netscape.certsrv.usrgrp.Certificates(
- // x509Certs));
+ // com.netscape.certsrv.usrgrp.Certificates(
+ // x509Certs));
}
}
} catch (Exception e) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
- // Debug.printStackTrace(e);
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ //Debug.printStackTrace(e);
+ throw new EInvalidCredentials(CMS.getUserMessage(
+ "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
-
+
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.SUCCESS, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
return authToken;
- } catch (EMissingCredential eAudit1) {
+ } catch( EMissingCredential eAudit1 ) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
// rethrow the specific exception to be handled later
throw eAudit1;
- } catch (EInvalidCredentials eAudit2) {
+ } catch( EInvalidCredentials eAudit2 ) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
// rethrow the specific exception to be handled later
throw eAudit2;
- } catch (EBaseException eAudit3) {
+ } catch( EBaseException eAudit3 ) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID, ILogger.FAILURE, auditReqType,
- auditCertSubject, auditSignerInfo);
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqType,
+ auditCertSubject,
+ auditSignerInfo );
- audit(auditMessage);
+ audit( auditMessage );
// rethrow the specific exception to be handled later
throw eAudit3;
}
}
-
+
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
* <p>
- *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
return (mConfigParams);
}
-
+
/**
- * gets the configuration substore used by this authentication plug-in
+ * gets the configuration substore used by this authentication
+ * plug-in
* <p>
- *
* @return configuration store
*/
public IConfigStore getConfigStore() {
return mConfig;
}
-
+
/**
* gets the plug-in name of this authentication plug-in.
*/
public String getImplName() {
return mImplName;
}
-
+
/**
* gets the name of this authentication plug-in instance
*/
public String getName() {
return mName;
}
-
+
/**
* get the list of required credentials.
* <p>
- *
* @return list of required credentials as strings.
*/
public String[] getRequiredCreds() {
return (mRequiredCreds);
}
-
+
/**
* prepares for shutdown.
*/
public void shutdown() {
}
-
- // ///////////////////////////////
+
+ /////////////////////////////////
// IExtendedPluginInfo methods //
- // ///////////////////////////////
-
+ /////////////////////////////////
+
/**
* Activate the help system.
* <p>
- *
* @return help messages
*/
public String[] getExtendedPluginInfo() {
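Review bot: Every failure inside the inner try is audited twice: the `catch (Exception e)` at the top of this hunk writes a FAILURE record and throws EInvalidCredentials, which the outer `catch( EInvalidCredentials eAudit2 )` then records again; the EMissingCredential and empty-CMC paths in the earlier hunk behave the same way via `eAudit1`/`eAudit2`. Either drop the audit call from the inner catch or from the rethrowing catches so one failed request yields one FAILURE entry. That inner catch also discards the original exception (`//Debug.printStackTrace(e);` stays commented out), so a decode or signature failure leaves no trace of its cause; `log(ILogger.LL_FAILURE, "CMCAuth: authentication failed: " + e);` before the throw would fix that. Note that EBaseException values such as `"NO_CMC_CONTENT"` thrown inside the inner try are rewrapped as EInvalidCredentials and never reach `catch( EBaseException eAudit3 )`; if that is intended, a comment on the inner catch should say so.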
@@ -716,15 +755,14 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
}
return s;
}
-
- // //////////////////
+
+ ////////////////////
// Logger methods //
- // //////////////////
-
+ ////////////////////
+
/**
* Logs a message for this class in the system log file.
* <p>
- *
* @param level The log level.
* @param msg The message to log.
* @see com.netscape.certsrv.logging.ILogger
@@ -732,48 +770,46 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
protected void log(int level, String msg) {
if (mLogger == null)
return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level,
- "CMC Authentication: " + msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
+ level, "CMC Authentication: " + msg);
}
-
- protected IAuthToken verifySignerInfo(AuthToken authToken,
- SignedData cmcFullReq) throws EInvalidCredentials {
-
+
+ protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq) throws EInvalidCredentials {
+
EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
OBJECT_IDENTIFIER id = ci.getContentType();
OCTET_STRING content = ci.getContent();
-
+
try {
- ByteArrayInputStream s = new ByteArrayInputStream(
- content.toByteArray());
+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
-
+
SET dais = cmcFullReq.getDigestAlgorithmIdentifiers();
int numDig = dais.size();
Hashtable digs = new Hashtable();
- // if request key is used for signing, there MUST be only one
- // signerInfo
- // object in the signedData object.
+ //if request key is used for signing, there MUST be only one signerInfo
+ //object in the signedData object.
for (int i = 0; i < numDig; i++) {
- AlgorithmIdentifier dai = (AlgorithmIdentifier) dais
- .elementAt(i);
- String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
-
- MessageDigest md = MessageDigest.getInstance(name);
-
+ AlgorithmIdentifier dai =
+ (AlgorithmIdentifier) dais.elementAt(i);
+ String name =
+ DigestAlgorithm.fromOID(dai.getOID()).toString();
+
+ MessageDigest md =
+ MessageDigest.getInstance(name);
+
byte[] digest = md.digest(content.toByteArray());
digs.put(name, digest);
}
-
+
SET sis = cmcFullReq.getSignerInfos();
int numSis = sis.size();
-
+
for (int i = 0; i < numSis; i++) {
- org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis
- .elementAt(i);
-
+ org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
+
String name = si.getDigestAlgorithm().toString();
byte[] digest = (byte[]) digs.get(name);
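Review bot: `byte[] digest = (byte[]) digs.get(name);` yields null whenever the signer's digest algorithm is not among the `digestAlgorithmIdentifiers` collected above, and the lookup only works if `si.getDigestAlgorithm().toString()` produces the same string as `DigestAlgorithm.fromOID(...).toString()`, which I cannot verify from here; the null case should be handled explicitly rather than relying on the following code. `Hashtable digs = new Hashtable();` is a raw type; `Map<String, byte[]> digs = new HashMap<>();` would remove the cast, provided java.util.Map/HashMap are imported. `verifySignerInfo` continues beyond this hunk.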
@@ -783,15 +819,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
pkiData.encode((OutputStream) ostream);
digest = md.digest(ostream.toByteArray());
-
+
}
- // signed by previously certified signature key
+ // signed by previously certified signature key
SignerIdentifier sid = si.getSignerIdentifier();
- if (sid.getType().equals(
- SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
- IssuerAndSerialNumber issuerAndSerialNumber = sid
- .getIssuerAndSerialNumber();
+ if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
+ IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber();
// find from the certs in the signedData
java.security.cert.X509Certificate cert = null;
@@ -799,37 +833,30 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
SET certs = cmcFullReq.getCertificates();
int numCerts = certs.size();
java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1];
- byte[] certByteArray = new byte[0];
- for (int j = 0; j < numCerts; j++) {
- Certificate certJss = (Certificate) certs
- .elementAt(j);
+ byte[] certByteArray = new byte[0];
+ for (int j = 0; j < numCerts; j++) {
+ Certificate certJss = (Certificate) certs.elementAt(j);
CertificateInfo certI = certJss.getInfo();
Name issuer = certI.getIssuer();
-
+
byte[] issuerB = ASN1Util.encode(issuer);
- INTEGER sn = certI.getSerialNumber();
- // if this cert is the signer cert, not a cert in
- // the chain
- if (new String(issuerB)
- .equals(new String(ASN1Util
- .encode(issuerAndSerialNumber
- .getIssuer())))
- && sn.toString().equals(
- issuerAndSerialNumber
- .getSerialNumber()
- .toString())) {
- ByteArrayOutputStream os = new ByteArrayOutputStream();
+ INTEGER sn = certI.getSerialNumber();
+ // if this cert is the signer cert, not a cert in the chain
+ if (new String(issuerB).equals(new String(ASN1Util.encode(issuerAndSerialNumber.getIssuer())))
+ && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString()) )
+ {
+ ByteArrayOutputStream os = new
+ ByteArrayOutputStream();
certJss.encode(os);
- certByteArray = os.toByteArray();
-
- X509CertImpl tempcert = new X509CertImpl(
- os.toByteArray());
+ certByteArray = os.toByteArray();
+
+ X509CertImpl tempcert = new X509CertImpl(os.toByteArray());
cert = tempcert;
x509Certs[0] = cert;
- // xxx validate the cert length
-
+ // xxx validate the cert length
+
}
}
CMS.debug("CMCAuth: start checking signature");
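Review bot: The signer-certificate match compares DER bytes through `new String(issuerB).equals(new String(ASN1Util.encode(...)))`, which decodes arbitrary bytes with the platform charset and can map distinct byte sequences to the same string; `Arrays.equals(issuerB, ASN1Util.encode(issuerAndSerialNumber.getIssuer()))` compares the encodings themselves (needs java.util.Arrays in scope). The loop also lets the last matching certificate win and leaves `cert` null with an empty `certByteArray` when nothing matches; a `break` on the first match and an explicit check before the signature step would make both outcomes deliberate. The `// xxx validate the cert length` marker is carried over unchanged and should either become a check or be removed. This method continues beyond the hunk.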
@@ -847,63 +874,52 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
} else if (alg.equals("DSA")) {
keyType = PrivateKey.DSA;
}
- PK11PubKey pubK = PK11PubKey.fromRaw(keyType,
- ((X509Key) signKey).getKey());
+ PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());
CMS.debug("CMCAuth: verifying signature with public key");
si.verify(digest, id, pubK);
}
CMS.debug("CMCAuth: finished checking signature");
- // verify signer's certificate using the revocator
- CryptoManager cm = CryptoManager.getInstance();
- if (!cm.isCertValid(certByteArray, true,
- CryptoManager.CertUsage.SSLClient))
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-
- // authenticate signer's certificate using the userdb
- IAuthSubsystem authSS = (IAuthSubsystem) CMS
- .getSubsystem(CMS.SUBSYSTEM_AUTH);
-
- IAuthManager agentAuth = authSS
- .getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);// AGENT_AUTHMGR_ID);
- IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials();
-
- agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT,
- x509Certs);
-
- IAuthToken tempToken = agentAuth
- .authenticate(agentCred);
- netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0]
- .getSubjectDN();
- String CN = (String) tempPrincipal.getCommonName();// tempToken.get("userid");
-
- BigInteger agentCertSerial = x509Certs[0]
- .getSerialNumber();
- authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT,
- agentCertSerial.toString());
- tempToken.set("cn", CN);
+ // verify signer's certificate using the revocator
+ CryptoManager cm = CryptoManager.getInstance();
+ if( ! cm.isCertValid( certByteArray, true,CryptoManager.CertUsage.SSLClient) )
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
+ // authenticate signer's certificate using the userdb
+ IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+
+ IAuthManager agentAuth = authSS.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);//AGENT_AUTHMGR_ID);
+ IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials();
+
+ agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, x509Certs);
+
+ IAuthToken tempToken = agentAuth.authenticate(agentCred);
+ netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+ String CN = (String) tempPrincipal.getCommonName();//tempToken.get("userid");
+
+ BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
+ authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT,agentCertSerial.toString());
+ tempToken.set("cn",CN);
return tempToken;
-
+
}
// find from internaldb if it's ca. (ra does not have that.)
// find from internaldb usrgrp info
-
+
// find from certDB
- si.verify(digest, id);
-
- } //
+ si.verify(digest, id);
+
+ } //
}
- } catch (InvalidBERException e) {
+ }catch (InvalidBERException e) {
CMS.debug("CMCAuth: " + e.toString());
} catch (IOException e) {
CMS.debug("CMCAuth: " + e.toString());
} catch (Exception e) {
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
return (IAuthToken) null;
-
+
}
public String[] getExtendedPluginInfo(Locale locale) {
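Review bot: The final `catch (Exception e)` rethrows `EInvalidCredentials` without logging or chaining `e`, so a failed `isCertValid`, the `(X500Name)` cast on the subject DN, or an NPE from `x509Certs[0]` when no certificate matched the SignerIdentifier all surface identically and leave nothing in the debug log for an operator to see why a CMC signer was rejected; add `CMS.debug("CMCAuth: " + e.toString());` before the throw, matching the two catch clauses above it. The unmatched-signer case also reaches `cm.isCertValid(certByteArray, ...)` with an empty array; rejecting explicitly first (`if (cert == null) throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));`) makes that path intentional rather than relying on the library to fail. Separately, `authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString())` writes to `authToken` while the method returns `tempToken`, so unless authToken is consulted elsewhere (its declaration is outside this hunk) the signer serial never reaches the caller. The enclosing authenticate() body starts before this hunk.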
@@ -913,20 +929,22 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
// Profile-related methods
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
* Retrieves the localizable name of this policy.
*/
- public String getName(Locale locale) {
+ public String getName(Locale locale)
+ {
return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME");
}
/**
* Retrieves the localizable description of this policy.
*/
- public String getText(Locale locale) {
+ public String getText(Locale locale)
+ {
return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT");
}
@@ -944,18 +962,19 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
if (name.equals(CRED_CMC)) {
return new Descriptor(IDescriptor.STRING_LIST, null, null,
- "CMC request");
+ "CMC request");
}
return null;
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
}
@@ -966,10 +985,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
/**
* Signed Audit Log
- *
+ *
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -980,17 +999,20 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
return;
}
- mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null,
- ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg);
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
/**
* Signed Audit Log Subject ID
- *
- * This method is called to obtain the "SubjectID" for a signed audit log
- * message.
+ *
+ * This method is called to obtain the "SubjectID" for
+ * a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message SubjectID
*/
private String auditSubjectID() {
@@ -1005,7 +1027,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
SessionContext auditContext = SessionContext.getExistingContext();
if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
if (subjectID != null) {
subjectID = subjectID.trim();
@@ -1019,3 +1042,4 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
return subjectID;
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java
index 975a81da..95012039 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java
@@ -17,92 +17,151 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
public class Crypt {
// Static data:
- static byte[] IP = // Initial permutation
- { 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46,
- 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33,
- 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29,
- 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 },
- FP = // Final permutation, FP = IP^(-1)
- { 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38,
- 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
- 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59,
- 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17,
- 57, 25 },
- // Permuted-choice 1 from the key bits to yield C and D.
- // Note that bits 8,16... are left out:
- // They are intended for a parity check.
- PC1_C = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10,
- 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36 },
- PC1_D = { 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
- 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 },
- shifts = // Sequence of shifts used for the key schedule.
- { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 },
- // Permuted-choice 2, to pick out the bits from
- // the CD array that generate the key schedule.
- PC2_C = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12,
- 4, 26, 8, 16, 7, 27, 20, 13, 2 }, PC2_D = { 41, 52, 31, 37,
- 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46,
- 42, 50, 36, 29, 32 }, e2 = // The E-bit selection table.
- // (see E below)
- { 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12,
- 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23,
- 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1 },
- // P is a permutation on the selected combination of
- // the current L and key.
- P = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
- 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 };
- // The 8 selection functions. For some reason, they gave a 0-origin
+ static byte[]
+ IP = // Initial permutation
+ {
+ 58, 50, 42, 34, 26, 18, 10, 2,
+ 60, 52, 44, 36, 28, 20, 12, 4,
+ 62, 54, 46, 38, 30, 22, 14, 6,
+ 64, 56, 48, 40, 32, 24, 16, 8,
+ 57, 49, 41, 33, 25, 17, 9, 1,
+ 59, 51, 43, 35, 27, 19, 11, 3,
+ 61, 53, 45, 37, 29, 21, 13, 5,
+ 63, 55, 47, 39, 31, 23, 15, 7
+ },
+ FP = // Final permutation, FP = IP^(-1)
+ {
+ 40, 8, 48, 16, 56, 24, 64, 32,
+ 39, 7, 47, 15, 55, 23, 63, 31,
+ 38, 6, 46, 14, 54, 22, 62, 30,
+ 37, 5, 45, 13, 53, 21, 61, 29,
+ 36, 4, 44, 12, 52, 20, 60, 28,
+ 35, 3, 43, 11, 51, 19, 59, 27,
+ 34, 2, 42, 10, 50, 18, 58, 26,
+ 33, 1, 41, 9, 49, 17, 57, 25
+ },
+ // Permuted-choice 1 from the key bits to yield C and D.
+ // Note that bits 8,16... are left out:
+ // They are intended for a parity check.
+ PC1_C =
+ {
+ 57, 49, 41, 33, 25, 17, 9,
+ 1, 58, 50, 42, 34, 26, 18,
+ 10, 2, 59, 51, 43, 35, 27,
+ 19, 11, 3, 60, 52, 44, 36
+ },
+ PC1_D =
+ {
+ 63, 55, 47, 39, 31, 23, 15,
+ 7, 62, 54, 46, 38, 30, 22,
+ 14, 6, 61, 53, 45, 37, 29,
+ 21, 13, 5, 28, 20, 12, 4
+ },
+ shifts = // Sequence of shifts used for the key schedule.
+ {
+ 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
+ },
+ // Permuted-choice 2, to pick out the bits from
+ // the CD array that generate the key schedule.
+ PC2_C =
+ {
+ 14, 17, 11, 24, 1, 5,
+ 3, 28, 15, 6, 21, 10,
+ 23, 19, 12, 4, 26, 8,
+ 16, 7, 27, 20, 13, 2
+ },
+ PC2_D =
+ {
+ 41, 52, 31, 37, 47, 55,
+ 30, 40, 51, 45, 33, 48,
+ 44, 49, 39, 56, 34, 53,
+ 46, 42, 50, 36, 29, 32
+ },
+ e2 = // The E-bit selection table. (see E below)
+ {
+ 32, 1, 2, 3, 4, 5,
+ 4, 5, 6, 7, 8, 9,
+ 8, 9, 10, 11, 12, 13,
+ 12, 13, 14, 15, 16, 17,
+ 16, 17, 18, 19, 20, 21,
+ 20, 21, 22, 23, 24, 25,
+ 24, 25, 26, 27, 28, 29,
+ 28, 29, 30, 31, 32, 1
+ },
+ // P is a permutation on the selected combination of
+ // the current L and key.
+ P =
+ {
+ 16, 7, 20, 21,
+ 29, 12, 28, 17,
+ 1, 15, 23, 26,
+ 5, 18, 31, 10,
+ 2, 8, 24, 14,
+ 32, 27, 3, 9,
+ 19, 13, 30, 6,
+ 22, 11, 4, 25
+ };
+ // The 8 selection functions. For some reason, they gave a 0-origin
// index, unlike everything else.
- static byte[][] S = {
- { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7,
- 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8,
- 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4,
- 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },
- { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4,
- 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11,
- 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3,
- 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },
- { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0,
- 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8,
- 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9,
- 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },
- { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11,
- 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12,
- 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1,
- 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },
- { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2,
- 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10,
- 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14,
- 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },
- { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4,
- 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2,
- 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15,
- 10, 11, 14, 1, 7, 6, 0, 8, 13 },
- { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11,
- 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13,
- 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4,
- 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },
- { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13,
- 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9,
- 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10,
- 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } };
+ static byte[][] S =
+ {
+ {
+ 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
+ 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
+ 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
+ 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
+ }, {
+ 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
+ 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
+ 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
+ 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
+ }, {
+ 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
+ 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
+ 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
+ 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
+ }, {
+ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
+ 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
+ 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
+ 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
+ }, {
+ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
+ 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
+ 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
+ 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
+ }, {
+ 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
+ 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
+ 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
+ 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
+ }, {
+ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
+ 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
+ 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
+ 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
+ }, {
+ 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
+ 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
+ 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
+ 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
+ }
+ };
// Dynamic data:
- byte[] C = new byte[28], // The C and D arrays used to
- D = new byte[28], // calculate the key schedule.
- E = new byte[48], // The E bit-selection table.
- L = new byte[32], // The current block,
- R = new byte[32], // divided into two halves.
- tempL = new byte[32], f = new byte[32], preS = new byte[48]; // The
- // combination
- // of
- // the
- // key
- // and
+ byte[] C = new byte[28], // The C and D arrays used to
+ D = new byte[28], // calculate the key schedule.
+ E = new byte[48], // The E bit-selection table.
+ L = new byte[32], // The current block,
+ R = new byte[32], // divided into two halves.
+ tempL = new byte[32],
+ f = new byte[32],
+ preS = new byte[48]; // The combination of the key and
// the input, before selection.
- // The key schedule. Generated from the key.
+ // The key schedule. Generated from the key.
byte[][] KS = new byte[16][48];
// Object fields:
@@ -110,17 +169,17 @@ public class Crypt {
// Public methods:
/**
- * Create Crypt object with no passwd or salt set. Must use setPasswd() and
- * setSalt() before getEncryptedPasswd().
+ * Create Crypt object with no passwd or salt set. Must use setPasswd()
+ * and setSalt() before getEncryptedPasswd().
*/
public Crypt() {
Passwd = Salt = Encrypt = "";
}
/**
- * Create a Crypt object with specified salt. Use setPasswd() before
+ * Create a Crypt object with specified salt. Use setPasswd() before
* getEncryptedPasswd().
- *
+ *
* @param salt the salt string for encryption
*/
public Crypt(String salt) {
@@ -130,9 +189,10 @@ public class Crypt {
}
/**
- * Create a Crypt object with specified passwd and salt (often the already
- * encypted passwd). Get the encrypted result with getEncryptedPasswd().
- *
+ * Create a Crypt object with specified passwd and salt (often the
+ * already encypted passwd). Get the encrypted result with
+ * getEncryptedPasswd().
+ *
* @param passwd the passwd to encrypt
* @param salt the salt string for encryption
*/
@@ -144,7 +204,7 @@ public class Crypt {
/**
* Retrieve the passwd string currently being encrypted.
- *
+ *
* @return the current passwd string
*/
public String getPasswd() {
@@ -153,7 +213,7 @@ public class Crypt {
/**
* Retrieve the salt string currently being used for encryption.
- *
+ *
* @return the current salt string
*/
public String getSalt() {
@@ -161,9 +221,9 @@ public class Crypt {
}
/**
- * Retrieve the resulting encrypted string from the current passwd and salt
- * settings.
- *
+ * Retrieve the resulting encrypted string from the current passwd and
+ * salt settings.
+ *
* @return the encrypted passwd
*/
public String getEncryptedPasswd() {
@@ -171,9 +231,9 @@ public class Crypt {
}
/**
- * Set a new passwd string for encryption. Use getEncryptedPasswd() to
+ * Set a new passwd string for encryption. Use getEncryptedPasswd() to
* retrieve the new result.
- *
+ *
* @param passwd the new passwd string
*/
public void setPasswd(String passwd) {
@@ -182,9 +242,9 @@ public class Crypt {
}
/**
- * Set a new salt string for encryption. Use getEncryptedPasswd() to
+ * Set a new salt string for encryption. Use getEncryptedPasswd() to
* retrieve the new result.
- *
+ *
* @param salt the new salt string
*/
public void setSalt(String salt) {
@@ -194,18 +254,19 @@ public class Crypt {
// Internal crypt methods:
String crypt() {
- if (Salt.length() == 0)
- return "";
+ if (Salt.length() == 0) return "";
int i, j, pwi;
byte c, temp;
- byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = Passwd
- .getBytes(), // jdk1.1
- saltbytes = Salt.getBytes(); // jdk1.1
+ byte[] block = new byte[66],
+ iobuf = new byte[16],
+ salt = new byte[2],
+ pw = Passwd.getBytes(), //jdk1.1
+ saltbytes = Salt.getBytes(); //jdk1.1
- // pw = new byte[Passwd.length()], //jdk1.0.2
- // saltbytes = new byte[Salt.length()]; //jdk1.0.2
- // Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2
- // Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2
+ // pw = new byte[Passwd.length()], //jdk1.0.2
+ // saltbytes = new byte[Salt.length()]; //jdk1.0.2
+ //Passwd.getBytes(0,Passwd.length(),pw,0); //jdk1.0.2
+ //Salt.getBytes(0,Salt.length(),saltbytes,0); //jdk1.0.2
salt[0] = saltbytes[0];
salt[1] = (saltbytes.length > 1) ? saltbytes[1] : 0;
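Review bot: `pw = Passwd.getBytes()` and `saltbytes = Salt.getBytes()` encode with the JVM default charset, so a password containing non-ASCII characters hashes differently depending on the platform encoding the server runs under, and a locale or platform change can lock those users out; pin one explicit charset, e.g. `pw = Passwd.getBytes(java.nio.charset.StandardCharsets.UTF_8)`, noting that existing hashes computed under a different default would need to be considered before switching. The tables above identify this as the traditional DES-based crypt(3) scheme, which a comment at the top of crypt() should state plainly so it is kept only for compatibility with legacy crypt hashes (`// Legacy Unix crypt(3)/DES; retained for verifying existing hashes only`). The body of crypt() continues past the end of this hunk.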
@@ -227,10 +288,8 @@ public class Crypt {
for (i = 0; i < 2; i++) {
c = salt[i];
iobuf[i] = c;
- if (c > 'Z')
- c -= 6;
- if (c > '9')
- c -= 7;
+ if (c > 'Z') c -= 6;
+ if (c > '9') c -= 7;
c -= '.';
for (j = 0; j < 6; j++) {
if (((c >> j) & 1) != 0) {
@@ -252,10 +311,8 @@ public class Crypt {
c |= block[6 * i + j];
}
c += '.';
- if (c > '9')
- c += 7;
- if (c > 'Z')
- c += 6;
+ if (c > '9') c += 7;
+ if (c > 'Z') c += 6;
iobuf[i + 2] = c;
}
@@ -263,16 +320,16 @@ public class Crypt {
if (iobuf[1] == 0)
iobuf[1] = iobuf[0];
- return new String(iobuf); // jdk1.1
- // return new String(iobuf,0); //jdk1.0.2
+ return new String(iobuf); //jdk1.1
+ //return new String(iobuf,0); //jdk1.0.2
}
- void setkey(byte[] key) // Set up the key schedule from the key.
+ void setkey(byte[] key) // Set up the key schedule from the key.
{
int i, j, k;
byte t;
- // First, generate C and D by permuting the key. The low order bit
+ // First, generate C and D by permuting the key. The low order bit
// of each 8-bit char is not used, so C and D are only 28 bits apiece.
for (i = 0; i < 28; i++) {
C[i] = key[PC1_C[i] - 1];
@@ -312,38 +369,41 @@ public class Crypt {
byte k;
// First, permute the bits in the input
- // for (j = 0; j < 64; j++)
- // {
- // L[j] = block[IP[j]-1];
- // }
+ //for (j = 0; j < 64; j++)
+ //{
+ // L[j] = block[IP[j]-1];
+ //}
for (j = 0; j < 32; j++)
L[j] = block[IP[j] - 1];
for (j = 32; j < 64; j++)
R[j - 32] = block[IP[j] - 1];
- // Perform an encryption operation 16 times.
+ // Perform an encryption operation 16 times.
for (ii = 0; ii < 16; ii++) {
i = ii;
// Save the R array, which will be the new L.
for (j = 0; j < 32; j++)
tempL[j] = R[j];
- // Expand R to 48 bits using the E selector;
- // exclusive-or with the current key bits.
+ // Expand R to 48 bits using the E selector;
+ // exclusive-or with the current key bits.
for (j = 0; j < 48; j++)
preS[j] = (byte) (R[E[j] - 1] ^ KS[i][j]);
- // The pre-select bits are now considered in 8 groups of
- // 6 bits each. The 8 selection functions map these 6-bit
- // quantities into 4-bit quantities and the results permuted
- // to make an f(R, K). The indexing into the selection functions
- // is peculiar; it could be simplified by rewriting the tables.
+ // The pre-select bits are now considered in 8 groups of
+ // 6 bits each. The 8 selection functions map these 6-bit
+ // quantities into 4-bit quantities and the results permuted
+ // to make an f(R, K). The indexing into the selection functions
+ // is peculiar; it could be simplified by rewriting the tables.
for (j = 0; j < 8; j++) {
t = 6 * j;
- k = S[j][(preS[t] << 5) + (preS[t + 1] << 3)
- + (preS[t + 2] << 2) + (preS[t + 3] << 1)
- + (preS[t + 4]) + (preS[t + 5] << 4)];
+ k = S[j][ (preS[t ] << 5) +
+ (preS[t + 1] << 3) +
+ (preS[t + 2] << 2) +
+ (preS[t + 3] << 1) +
+ (preS[t + 4]) +
+ (preS[t + 5] << 4) ];
t = 4 * j;
- f[t] = (byte) ((k >> 3) & 1);
+ f[t ] = (byte) ((k >> 3) & 1);
f[t + 1] = (byte) ((k >> 2) & 1);
f[t + 2] = (byte) ((k >> 1) & 1);
f[t + 3] = (byte) ((k) & 1);
@@ -370,7 +430,7 @@ public class Crypt {
// The final output gets the inverse permutation of the very original.
for (j = 0; j < 64; j++) {
- // block[j] = L[FP[j]-1];
+ //block[j] = L[FP[j]-1];
block[j] = (FP[j] > 32) ? R[FP[j] - 33] : L[FP[j] - 1];
}
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java
index a00cc376..1f2eb69a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;
@@ -27,27 +28,24 @@ import netscape.ldap.LDAPEntry;
import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.base.EBaseException;
+
/**
- * class for parsing a DN pattern used to construct a certificate subject name
- * from ldap attributes and dn.
- * <p>
+ * class for parsing a DN pattern used to construct a certificate
+ * subject name from ldap attributes and dn.<p>
*
- * dnpattern is a string representing a subject name pattern to formulate from
- * the directory attributes and entry dn. If empty or not set, the ldap entry DN
- * will be used as the certificate subject name.
- * <p>
- *
- * The syntax is
+ * dnpattern is a string representing a subject name pattern to formulate from
+ * the directory attributes and entry dn. If empty or not set, the
+ * ldap entry DN will be used as the certificate subject name. <p>
*
+ * The syntax is
* <pre>
- * dnPattern := rdnPattern *[ "," rdnPattern ]
- * rdnPattern := avaPattern *[ "+" avaPattern ]
+ * dnPattern := rdnPattern *[ "," rdnPattern ]
+ * rdnPattern := avaPattern *[ "+" avaPattern ]
* avaPattern := name "=" value |
- * name "=" "$attr" "." attrName [ "." attrNumber ] |
- * name "=" "$dn" "." attrName [ "." attrNumber ] |
- * "$dn" "." "$rdn" "." number
+ * name "=" "$attr" "." attrName [ "." attrNumber ] |
+ * name "=" "$dn" "." attrName [ "." attrNumber ] |
+ * "$dn" "." "$rdn" "." number
* </pre>
- *
* <pre>
* Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i>
* Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org
@@ -74,12 +72,11 @@ import com.netscape.certsrv.base.EBaseException;
* E = the first 'mail' ldap attribute value in user's entry. <br>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN. note multiple AVAs
- * in a RDN in this example. <br>
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
* <pre>
* Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i>
* Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org
@@ -104,16 +101,15 @@ import com.netscape.certsrv.base.EBaseException;
* <p>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN followed by the
- * first 'ou' value in the user's entry. note multiple AVAs
- * in a RDN in this example. <br>
+ * first 'ou' value in the user's entry. note multiple AVAs
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
- * If an attribute or subject DN component does not exist the attribute is
- * skipped.
- *
+ * If an attribute or subject DN component does not exist the attribute
+ * is skipped.
+ *
* @version $Revision$, $Date$
*/
public class DNPattern {
@@ -129,15 +125,15 @@ public class DNPattern {
protected String mTestDN = null;
- /**
+ /**
* Construct a DN pattern by parsing a pattern string.
- *
* @param pattern the DN pattern
- * @exception EBaseException If parsing error occurs.
+ * @exception EBaseException If parsing error occurs.
*/
- public DNPattern(String pattern) throws EAuthException {
+ public DNPattern(String pattern)
+ throws EAuthException {
if (pattern == null || pattern.equals("")) {
- // create an attribute list that is the dn.
+ // create an attribute list that is the dn.
mLdapAttrs = new String[] { "dn" };
} else {
mPatternString = pattern;
@@ -147,11 +143,13 @@ public class DNPattern {
}
}
- public DNPattern(PushbackReader in) throws EAuthException {
+ public DNPattern(PushbackReader in)
+ throws EAuthException {
parse(in);
}
- private void parse(PushbackReader in) throws EAuthException {
+ private void parse(PushbackReader in)
+ throws EAuthException {
Vector rdnPatterns = new Vector();
RDNPattern rdnPattern = null;
int lastChar = -1;
@@ -162,10 +160,10 @@ public class DNPattern {
try {
lastChar = in.read();
} catch (IOException e) {
- throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR",
- e.toString());
+ throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString());
}
- } while (lastChar == ',');
+ }
+ while (lastChar == ',');
mRDNPatterns = new RDNPattern[rdnPatterns.size()];
rdnPatterns.copyInto(mRDNPatterns);
@@ -175,8 +173,8 @@ public class DNPattern {
for (int i = 0; i < mRDNPatterns.length; i++) {
String[] rdnAttrs = mRDNPatterns[i].getLdapAttrs();
- if (rdnAttrs != null && rdnAttrs.length > 0)
- for (int j = 0; j < rdnAttrs.length; j++)
+ if (rdnAttrs != null && rdnAttrs.length > 0)
+ for (int j = 0; j < rdnAttrs.length; j++)
ldapAttrs.addElement(rdnAttrs[j]);
}
mLdapAttrs = new String[ldapAttrs.size()];
@@ -185,11 +183,11 @@ public class DNPattern {
/**
* Form a Ldap v3 DN string from results of a ldap search.
- *
* @param entry LDAPentry from a ldap search
- * @return Ldap v3 DN string to use for a subject name.
+ * @return Ldap v3 DN string to use for a subject name.
*/
- public String formDN(LDAPEntry entry) throws EAuthException {
+ public String formDN(LDAPEntry entry)
+ throws EAuthException {
StringBuffer formedDN = new StringBuffer();
for (int i = 0; i < mRDNPatterns.length; i++) {
@@ -199,13 +197,13 @@ public class DNPattern {
if (rdn != null) {
if (rdn != null && rdn.length() != 0) {
- if (formedDN.length() != 0)
+ if (formedDN.length() != 0)
formedDN.append(",");
formedDN.append(rdn);
}
}
}
- // System.out.println("formed DN "+formedDN.toString());
+ //System.out.println("formed DN "+formedDN.toString());
return formedDN.toString();
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
index 02e458bc..3260af6e 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.io.IOException;
import java.security.cert.CertificateException;
@@ -56,28 +57,29 @@ import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.cmsutil.util.Utils;
+
/**
- * Abstract class for directory based authentication managers Uses a pattern for
- * formulating subject names. The pattern is read from configuration file.
+ * Abstract class for directory based authentication managers
+ * Uses a pattern for formulating subject names.
+ * The pattern is read from configuration file.
* Syntax of the pattern is described in the init() method.
*
* <P>
- *
* @version $Revision$, $Date$
*/
-public abstract class DirBasedAuthentication implements IAuthManager,
- IExtendedPluginInfo {
+public abstract class DirBasedAuthentication
+ implements IAuthManager, IExtendedPluginInfo {
- protected static final String USER_DN = "userDN";
+ protected static final String USER_DN = "userDN";
/* configuration parameter keys */
- protected static final String PROP_LDAP = "ldap";
- protected static final String PROP_BASEDN = "basedn";
- protected static final String PROP_DNPATTERN = "dnpattern";
+ protected static final String PROP_LDAP = "ldap";
+ protected static final String PROP_BASEDN = "basedn";
+ protected static final String PROP_DNPATTERN = "dnpattern";
protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes";
protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes";
- // members
+ // members
/* name of this authentication manager instance */
protected String mName = null;
@@ -103,57 +105,52 @@ public abstract class DirBasedAuthentication implements IAuthManager,
/* the subject DN pattern */
protected DNPattern mPattern = null;
- /*
- * the list of LDAP attributes with string values to retrieve to save in the
- * auth token including ones from the dn pattern.
- */
+ /* the list of LDAP attributes with string values to retrieve to
+ * save in the auth token including ones from the dn pattern. */
protected String[] mLdapStringAttrs = null;
- /*
- * the list of LDAP attributes with byte[] values to retrive to save in
- * authtoken.
- */
+ /* the list of LDAP attributes with byte[] values to retrive to save
+ * in authtoken. */
protected String[] mLdapByteAttrs = null;
- /* the combined list of LDAP attriubutes to retrieve */
+ /* the combined list of LDAP attriubutes to retrieve*/
protected String[] mLdapAttrs = null;
/* default dn pattern if left blank or not set in the config */
- protected static String DEFAULT_DNPATTERN = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c";
+ protected static String DEFAULT_DNPATTERN =
+ "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c";
/* Vector of extendedPluginInfo strings */
protected static Vector mExtendedPluginInfo = null;
static {
mExtendedPluginInfo = new Vector();
- mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert"
- + " Subject Name. ($dn.xxx - get value from user's LDAP "
- + "DN. $attr.yyy - get value from LDAP attributes in "
- + "user's entry.) Default: " + DEFAULT_DNPATTERN);
- mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;"
- + "Comma-separated list of LDAP attributes to copy from "
- + "the user's LDAP entry into the AuthToken. e.g use "
- + "'mail' to copy user's email address for subjectAltName");
- mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;"
- + "Comma-separated list of binary LDAP attributes to copy"
- + " from the user's LDAP entry into the AuthToken");
- mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;"
- + "LDAP host to connect to");
- mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;"
- + "LDAP port number (use 389, or 636 if SSL)");
- mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;"
- + "Use SSL to connect to directory?");
- mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);"
- + "LDAP protocol version");
- mExtendedPluginInfo
- .add("ldap.basedn;string,required;Base DN to start searching "
- + "under. If your user's DN is 'uid=jsmith, o=company', you "
- + "might want to use 'o=company' here");
- mExtendedPluginInfo.add("ldap.minConns;number;number of connections "
- + "to keep open to directory server. Default 5.");
- mExtendedPluginInfo
- .add("ldap.maxConns;number;when needed, connection "
- + "pool can grow to this many (multiplexed) connections. Default 1000.");
+ mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" +
+ " Subject Name. ($dn.xxx - get value from user's LDAP " +
+ "DN. $attr.yyy - get value from LDAP attributes in " +
+ "user's entry.) Default: " + DEFAULT_DNPATTERN);
+ mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" +
+ "Comma-separated list of LDAP attributes to copy from " +
+ "the user's LDAP entry into the AuthToken. e.g use " +
+ "'mail' to copy user's email address for subjectAltName");
+ mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" +
+ "Comma-separated list of binary LDAP attributes to copy" +
+ " from the user's LDAP entry into the AuthToken");
+ mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
+ "LDAP host to connect to");
+ mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" +
+ "LDAP port number (use 389, or 636 if SSL)");
+ mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" +
+ "Use SSL to connect to directory?");
+ mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" +
+ "LDAP protocol version");
+ mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " +
+ "under. If your user's DN is 'uid=jsmith, o=company', you " +
+ "might want to use 'o=company' here");
+ mExtendedPluginInfo.add("ldap.minConns;number;number of connections " +
+ "to keep open to directory server. Default 5.");
+ mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " +
+ "pool can grow to this many (multiplexed) connections. Default 1000.");
}
/**
@@ -166,26 +163,24 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* Initializes the UidPwdDirBasedAuthentication auth manager.
*
* Takes the following configuration parameters: <br>
- *
* <pre>
- * ldap.basedn - the ldap base dn.
- * ldap.ldapconn.host - the ldap host.
- * ldap.ldapconn.port - the ldap port
- * ldap.ldapconn.secureConn - whether port should be secure
- * ldap.minConns - minimum connections
- * ldap.maxConns - max connections
- * dnpattern - dn pattern.
+ * ldap.basedn - the ldap base dn.
+ * ldap.ldapconn.host - the ldap host.
+ * ldap.ldapconn.port - the ldap port
+ * ldap.ldapconn.secureConn - whether port should be secure
+ * ldap.minConns - minimum connections
+ * ldap.maxConns - max connections
+ * dnpattern - dn pattern.
* </pre>
* <p>
- * <i><b>dnpattern</b></i> is a string representing a subject name pattern
- * to formulate from the directory attributes and entry dn. If empty or not
- * set, the ldap entry DN will be used as the certificate subject name.
+ * <i><b>dnpattern</b></i> is a string representing a subject name pattern
+ * to formulate from the directory attributes and entry dn. If empty or
+ * not set, the ldap entry DN will be used as the certificate subject name.
* <p>
- * The syntax is
- *
+ * The syntax is
* <pre>
* dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
- *
+ *
* SubjectNameComponent = DnComp | EntryComp | ConstantComp
* DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
* EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
@@ -195,12 +190,11 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* CertAttr = a Component in the Certificate Subject Name
* (multiple AVA in one RDN not supported)
* Num = the nth value of tha attribute in the dn or entry.
- * Constant = Constant String, with any accepted ldap string value.
+ * Constant = Constant String, with any accepted ldap string value.
*
* </pre>
* <p>
* <b>Example:</b>
- *
* <pre>
* dnpattern:
* E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
@@ -219,7 +213,6 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* </pre>
* <p>
* The subject name formulated in the cert will be : <br>
- *
* <pre>
* E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US
*
@@ -236,32 +229,28 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
init(name, implName, config, true);
}
- public void init(String name, String implName, IConfigStore config,
- boolean needBaseDN) throws EBaseException {
+ public void init(String name, String implName, IConfigStore config, boolean needBaseDN)
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
/* initialize ldap server configuration */
mLdapConfig = mConfig.getSubStore(PROP_LDAP);
- if (needBaseDN)
- mBaseDN = mLdapConfig.getString(PROP_BASEDN);
- if (needBaseDN
- && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN
- .trim().equals(""))))
- throw new EPropertyNotFound(CMS.getUserMessage(
- "CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
+ if (needBaseDN) mBaseDN = mLdapConfig.getString(PROP_BASEDN);
+ if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals(""))))
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
mConnFactory = CMS.getLdapAnonConnFactory();
mConnFactory.init(mLdapConfig);
/* initialize dn pattern */
String pattern = mConfig.getString(PROP_DNPATTERN, null);
- if (pattern == null || pattern.length() == 0)
+ if (pattern == null || pattern.length() == 0)
pattern = DEFAULT_DNPATTERN;
mPattern = new DNPattern(pattern);
String[] patternLdapAttrs = mPattern.getLdapAttrs();
@@ -272,15 +261,15 @@ public abstract class DirBasedAuthentication implements IAuthManager,
if (ldapStringAttrs == null) {
mLdapStringAttrs = patternLdapAttrs;
} else {
- StringTokenizer pAttrs = new StringTokenizer(ldapStringAttrs, ",",
- false);
+ StringTokenizer pAttrs =
+ new StringTokenizer(ldapStringAttrs, ",", false);
int begin = 0;
if (patternLdapAttrs != null && patternLdapAttrs.length > 0) {
- mLdapStringAttrs = new String[patternLdapAttrs.length
- + pAttrs.countTokens()];
- System.arraycopy(patternLdapAttrs, 0, mLdapStringAttrs, 0,
- patternLdapAttrs.length);
+ mLdapStringAttrs = new String[
+ patternLdapAttrs.length + pAttrs.countTokens()];
+ System.arraycopy(patternLdapAttrs, 0,
+ mLdapStringAttrs, 0, patternLdapAttrs.length);
begin = patternLdapAttrs.length;
} else {
mLdapStringAttrs = new String[pAttrs.countTokens()];
@@ -296,21 +285,22 @@ public abstract class DirBasedAuthentication implements IAuthManager,
if (ldapByteAttrs == null) {
mLdapByteAttrs = new String[0];
} else {
- StringTokenizer byteAttrs = new StringTokenizer(ldapByteAttrs, ",",
- false);
+ StringTokenizer byteAttrs =
+ new StringTokenizer(ldapByteAttrs, ",", false);
mLdapByteAttrs = new String[byteAttrs.countTokens()];
- for (int j = 0; j < mLdapByteAttrs.length; j++) {
+ for (int j = 0; j < mLdapByteAttrs.length; j++) {
mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim();
}
}
/* make the combined list */
- mLdapAttrs = new String[mLdapStringAttrs.length + mLdapByteAttrs.length];
- System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, 0,
- mLdapStringAttrs.length);
- System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs,
- mLdapStringAttrs.length, mLdapByteAttrs.length);
+ mLdapAttrs =
+ new String[mLdapStringAttrs.length + mLdapByteAttrs.length];
+ System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs,
+ 0, mLdapStringAttrs.length);
+ System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs,
+ mLdapStringAttrs.length, mLdapByteAttrs.length);
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE"));
}
@@ -330,22 +320,21 @@ public abstract class DirBasedAuthentication implements IAuthManager,
}
/**
- * Authenticates user through LDAP by a set of credentials. Resulting
- * AuthToken a TOKEN_CERTINFO field of a X509CertInfo
+ * Authenticates user through LDAP by a set of credentials.
+ * Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo
* <p>
- *
* @param authCred Authentication credentials, CRED_UID and CRED_PWD.
* @return A AuthToken with a TOKEN_SUBJECT of X500name type.
- * @exception com.netscape.certsrv.authentication.EMissingCredential If a
- * required authentication credential is missing.
- * @exception com.netscape.certsrv.authentication.EInvalidCredentials If
- * credentials failed authentication.
- * @exception com.netscape.certsrv.base.EBaseException If an internal error
- * occurred.
+ * @exception com.netscape.certsrv.authentication.EMissingCredential
+ * If a required authentication credential is missing.
+ * @exception com.netscape.certsrv.authentication.EInvalidCredentials
+ * If credentials failed authentication.
+ * @exception com.netscape.certsrv.base.EBaseException
+ * If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
String userdn = null;
LDAPConnection conn = null;
AuthToken authToken = new AuthToken(this);
@@ -370,31 +359,29 @@ public abstract class DirBasedAuthentication implements IAuthManager,
// set subject name.
try {
- CertificateSubjectName subjectname = (CertificateSubjectName) certInfo
- .get(X509CertInfo.SUBJECT);
+ CertificateSubjectName subjectname = (CertificateSubjectName)
+ certInfo.get(X509CertInfo.SUBJECT);
if (subjectname != null)
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
- subjectname.toString());
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
+ subjectname.toString());
} // error means it's not set.
catch (CertificateException e) {
} catch (IOException e) {
}
- // set validity if any
+ // set validity if any
try {
- CertificateValidity validity = (CertificateValidity) certInfo
- .get(X509CertInfo.VALIDITY);
+ CertificateValidity validity = (CertificateValidity)
+ certInfo.get(X509CertInfo.VALIDITY);
if (validity != null) {
- // the gets throws IOException but only if attribute
- // not recognized. In these cases they are always.
- authToken
- .set(AuthToken.TOKEN_CERT_NOTBEFORE,
- (Date) validity
- .get(CertificateValidity.NOT_BEFORE));
- authToken.set(AuthToken.TOKEN_CERT_NOTAFTER,
- (Date) validity.get(CertificateValidity.NOT_AFTER));
+ // the gets throws IOException but only if attribute
+ // not recognized. In these cases they are always.
+ authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE,
+ (Date)validity.get(CertificateValidity.NOT_BEFORE));
+ authToken.set(AuthToken.TOKEN_CERT_NOTAFTER,
+ (Date)validity.get(CertificateValidity.NOT_AFTER));
}
} // error means it's not set.
catch (CertificateException e) {
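Review bot: The two empty handlers that close the subject-name block, `catch (CertificateException e) {` and `catch (IOException e) {`, discard the exception with no trace, so a malformed certInfo is indistinguishable from one that simply carries no subject yet. The `// error means it's not set.` comment documents the intent, but a debug line keeps the same flow while making the case diagnosable, e.g. `CMS.debug("DirBasedAuthentication: subject not read from certInfo: " + e);` in each handler. The validity block ends the same way on the last line of the hunk, and the enclosing authenticate() begins before this hunk.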
@@ -403,8 +390,8 @@ public abstract class DirBasedAuthentication implements IAuthManager,
// set extensions if any.
try {
- CertificateExtensions extensions = (CertificateExtensions) certInfo
- .get(X509CertInfo.EXTENSIONS);
+ CertificateExtensions extensions = (CertificateExtensions)
+ certInfo.get(X509CertInfo.EXTENSIONS);
if (extensions != null)
authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions);
@@ -414,7 +401,7 @@ public abstract class DirBasedAuthentication implements IAuthManager,
}
} finally {
- if (conn != null)
+ if (conn != null)
mConnFactory.returnConn(conn);
}
@@ -423,16 +410,15 @@ public abstract class DirBasedAuthentication implements IAuthManager,
/**
* get the list of required credentials.
- *
* @return list of required credentials as strings.
*/
public abstract String[] getRequiredCreds();
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public abstract String[] getConfigParams();
@@ -448,14 +434,12 @@ public abstract class DirBasedAuthentication implements IAuthManager,
}
} catch (ELdapException e) {
// ignore
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_SHUTDOWN_ERROR", e.toString()));
}
}
/**
* Gets the configuration substore used by this authentication manager
- *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -468,10 +452,11 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected abstract String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds, AuthToken token) throws EBaseException;
+ protected abstract String authenticate(
+ LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
+ throws EBaseException;
/**
* Formulate the cert info.
@@ -480,34 +465,36 @@ public abstract class DirBasedAuthentication implements IAuthManager,
* @param userdn The user's dn.
* @param certinfo A certinfo object to fill.
* @param token A authentication token to fill.
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected void formCertInfo(LDAPConnection conn, String userdn,
- X509CertInfo certinfo, AuthToken token) throws EBaseException {
+ protected void formCertInfo(LDAPConnection conn,
+ String userdn,
+ X509CertInfo certinfo,
+ AuthToken token)
+ throws EBaseException {
String dn = null;
// get ldap attributes to retrieve.
String[] attrs = getLdapAttrs();
- // retrieve the attributes.
+ // retrieve the attributes.
try {
if (conn != null) {
LDAPEntry entry = null;
- LDAPSearchResults results = conn.search(userdn,
- LDAPv2.SCOPE_BASE, "objectclass=*", attrs, false);
+ LDAPSearchResults results =
+ conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*",
+ attrs, false);
if (!results.hasMoreElements()) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR"));
- throw new EAuthException(
- CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR"));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_LDAPATTRIBUTES_NOT_FOUND"));
}
entry = results.next();
- // formulate the subject dn
+ // formulate the subject dn
try {
dn = formSubjectName(entry);
} catch (EBaseException e) {
- // e.printStackTrace();
+ //e.printStackTrace();
throw e;
}
// Put selected values from the entry into the token
@@ -517,73 +504,64 @@ public abstract class DirBasedAuthentication implements IAuthManager,
}
// add anything else in cert info such as validity, extensions
- // (nothing now)
+ // (nothing now)
// pack the dn into X500name and set subject name.
if (dn.length() == 0) {
- EBaseException ex = new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName));
+ EBaseException ex =
+ new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName));
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMS_AUTH_NO_DN_ERROR", ex.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString()));
throw ex;
}
X500Name subjectdn = new X500Name(dn);
- certinfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
- subjectdn));
+ certinfo.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(subjectdn));
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.SERVER_DOWN:
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR"));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
+ case LDAPException.SERVER_DOWN:
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR"));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
case LDAPException.NO_SUCH_OBJECT:
case LDAPException.LDAP_PARTIAL_RESULTS:
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMS_AUTH_NO_USER_ENTRY_ERROR", userdn));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_USER_ENTRY_ERROR", userdn));
// fall to below.
default:
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage()));
- throw new EFormSubjectDN(
- CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage()));
+ throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR"));
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage()));
- throw new EFormSubjectDN(
- CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_CERTINFO_ERROR", userdn, e.getMessage()));
+ throw new EFormSubjectDN(CMS.getUserMessage("CMS_AUTHENTICATION_FORM_SUBJECTDN_ERROR"));
}
}
/**
- * Copy values from the LDAPEntry into the AuthToken. The list of values
- * that should be store this way is given in a the ldapAttributes
- * configuration parameter.
+ * Copy values from the LDAPEntry into the AuthToken. The
+ * list of values that should be store this way is given in
+ * a the ldapAttributes configuration parameter.
*/
protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) {
for (int i = 0; i < mLdapStringAttrs.length; i++)
setAuthTokenStringValue(mLdapStringAttrs[i], e, tok);
- for (int j = 0; j < mLdapByteAttrs.length; j++)
+ for (int j = 0; j < mLdapByteAttrs.length; j++)
setAuthTokenByteValue(mLdapByteAttrs[j], e, tok);
}
- protected void setAuthTokenStringValue(String name, LDAPEntry entry,
- AuthToken tok) {
+ protected void setAuthTokenStringValue(
+ String name, LDAPEntry entry, AuthToken tok) {
LDAPAttribute values = entry.getAttribute(name);
- if (values == null)
- return;
+ if (values == null) return;
Vector v = new Vector();
Enumeration e = values.getStringValues();
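Review bot: `if (dn.length() == 0) {` dereferences `dn` without a null test, yet `dn` is initialised to null and only assigned inside the `if (conn != null)` branch of the previous hunk, so a null connection (which that guard implies is possible) ends in a NullPointerException instead of the intended EAuthException with the CMS_AUTH_NO_DN_ERROR audit line. Widening the check to `if (dn == null || dn.length() == 0) {` keeps the fail-closed path and the log entry for both cases. Whether any caller actually passes a null conn is not visible here; formCertInfo starts in the previous hunk and setAuthTokenStringValue on the last lines continues past this one.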
@@ -599,12 +577,11 @@ public abstract class DirBasedAuthentication implements IAuthManager,
tok.set(name, a);
}
- protected void setAuthTokenByteValue(String name, LDAPEntry entry,
- AuthToken tok) {
+ protected void setAuthTokenByteValue(
+ String name, LDAPEntry entry, AuthToken tok) {
LDAPAttribute values = entry.getAttribute(name);
- if (values == null)
- return;
+ if (values == null) return;
Vector v = new Vector();
Enumeration e = values.getByteValues();
@@ -623,7 +600,6 @@ public abstract class DirBasedAuthentication implements IAuthManager,
/**
* Return a list of LDAP attributes with String values to retrieve.
* Subclasses can override to return any set of attributes.
- *
* @return Array of LDAP attributes to retrieve from the directory.
*/
protected String[] getLdapAttrs() {
@@ -633,7 +609,6 @@ public abstract class DirBasedAuthentication implements IAuthManager,
/**
* Return a list of LDAP attributes with byte[] values to retrieve.
* Subclasses can override to return any set of attributes.
- *
* @return Array of LDAP attributes to retrieve from the directory.
*/
protected String[] getLdapByteAttrs() {
@@ -641,20 +616,22 @@ public abstract class DirBasedAuthentication implements IAuthManager,
}
/**
- * Formulate the subject name
- *
+ * Formulate the subject name
* @param entry The LDAP entry
* @return The subject name string.
* @exception EBaseException If an internal error occurs.
*/
- protected String formSubjectName(LDAPEntry entry) throws EAuthException {
- if (mPattern.mPatternString == null)
+ protected String formSubjectName(LDAPEntry entry)
+ throws EAuthException {
+ if (mPattern.mPatternString == null)
return entry.getDN();
-
- /*
- * if (mTestDNString != null) { mPattern.mTestDN = mTestDNString;
- * //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); }
- */
+
+ /*
+ if (mTestDNString != null) {
+ mPattern.mTestDN = mTestDNString;
+ //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN);
+ }
+ */
String dn = mPattern.formDN(entry);
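Review bot: The commented-out `mTestDNString` block kept between the null-pattern return and the formDN call is dead code referring to a field declared nowhere in view, and should be dropped rather than carried through the reformat; version history preserves it if the test hook is ever wanted. Removing it leaves `if (mPattern.mPatternString == null) return entry.getDN();` followed directly by `String dn = mPattern.formDN(entry);`. formSubjectName continues past the end of the hunk.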
@@ -664,7 +641,6 @@ public abstract class DirBasedAuthentication implements IAuthManager,
/**
* Logs a message for this class in the system log file.
- *
* @param level The log level.
* @param msg The message to log.
* @see com.netscape.certsrv.logging.ILogger
@@ -672,15 +648,16 @@ public abstract class DirBasedAuthentication implements IAuthManager,
protected void log(int level, String msg) {
if (mLogger == null)
return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level,
- msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
+ level, msg);
}
public String[] getExtendedPluginInfo(Locale locale) {
String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
return s;
-
+
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java
index 67092c29..ab59c499 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.io.BufferedReader;
import java.io.BufferedWriter;
@@ -48,13 +49,15 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
+
/**
- * This represents the authentication manager that authenticates user against a
- * file where id, and password are stored.
+ * This represents the authentication manager that authenticates
+ * user against a file where id, and password are stored.
*
* @version $Revision$, $Date$
*/
-public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo {
+public class FlatFileAuth
+ implements IProfileAuthenticator, IExtendedPluginInfo {
/* configuration parameter keys */
protected static final String PROP_FILENAME = "fileName";
@@ -63,36 +66,39 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
protected static final String PROP_DEFERONFAILURE = "deferOnFailure";
protected String mFilename = "config/pwfile";
- protected long mFileLastRead = 0;
+ protected long mFileLastRead = 0;
protected String mKeyAttributes = "UID";
protected String mAuthAttrs = "PWD";
protected boolean mDeferOnFailure = true;
private static final String DATE_PATTERN = "yyyy-MM-dd-HH-mm-ss";
- private static SimpleDateFormat mDateFormat = new SimpleDateFormat(
- DATE_PATTERN);
+ private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN);
- protected static String[] mConfigParams = new String[] { PROP_FILENAME,
- PROP_KEYATTRIBUTES, PROP_AUTHATTRS, PROP_DEFERONFAILURE };
+ protected static String[] mConfigParams =
+ new String[] {
+ PROP_FILENAME,
+ PROP_KEYATTRIBUTES,
+ PROP_AUTHATTRS,
+ PROP_DEFERONFAILURE
+ };
public String[] getExtendedPluginInfo(Locale locale) {
String s[] = {
PROP_FILENAME + ";string;Pathname of password file",
- PROP_KEYATTRIBUTES
- + ";string;Comma-separated list of attributes"
- + " which together form a unique identifier for the user",
- PROP_AUTHATTRS + ";string;Comma-separated list of attributes"
- + " which are used for further authentication",
- PROP_DEFERONFAILURE
- + ";boolean;if user is not found, defer the "
- + "request to the queue for manual-authentication (true), or "
- + "simply rejected the request (false)" };
+ PROP_KEYATTRIBUTES + ";string;Comma-separated list of attributes" +
+ " which together form a unique identifier for the user",
+ PROP_AUTHATTRS + ";string;Comma-separated list of attributes" +
+ " which are used for further authentication",
+ PROP_DEFERONFAILURE + ";boolean;if user is not found, defer the " +
+ "request to the queue for manual-authentication (true), or " +
+ "simply rejected the request (false)"
+ };
return s;
}
-
+
/** name of this authentication manager instance */
protected String mName = null;
-
+
protected String FFAUTH = "FlatFileAuth";
/** name of the authentication manager plugin */
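Review bot: `mDateFormat` is a static SimpleDateFormat shared by every FlatFileAuth instance, while the only synchronisation visible around its use is the per-instance `synchronized updateFile` later in this diff, so two instances rewriting their files at the same time can corrupt the backup name that writeFile builds from it — SimpleDateFormat is not thread-safe. Making it an instance field, `private final SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN);`, puts it under the same lock as the file swap; if the static is deliberate, a `synchronized (mDateFormat)` around the format call does the same. Whether more than one instance is ever configured is not visible here.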
@@ -103,31 +109,30 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
/** system logger */
protected ILogger mLogger = CMS.getLogger();
-
- /**
- * This array is created as to include all the requested attributes
- *
+
+ /** This array is created as to include all the requested attributes
+ *
*/
String[] reqCreds = null;
String[] authAttrs = null;
String[] keyAttrs = null;
- /**
- * Hashtable of entries from Auth File. Hash index is the concatenation of
- * the attributes from matchAttributes property
+ /** Hashtable of entries from Auth File. Hash index is the
+ * concatenation of the attributes from matchAttributes property
*/
protected Hashtable entries = null;
/**
- * Get the named property If the property is not set, use s as the default,
- * and create a new value for the property in the config file.
+ * Get the named property
+ * If the property is not set, use s as the default, and create
+ * a new value for the property in the config file.
*
* @param propertyName Property name
* @param s The default value of the property
*/
protected String getPropertyS(String propertyName, String s)
- throws EBaseException {
+ throws EBaseException {
String p;
try {
@@ -144,14 +149,15 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
/**
- * Get the named property, If the property is not set, use b as the default,
- * and create a new value for the property in the config file.
+ * Get the named property,
+ * If the property is not set, use b as the default, and create
+ * a new value for the property in the config file.
*
* @param propertyName Property name
* @param b The default value of the property
*/
protected boolean getPropertyB(String propertyName, boolean b)
- throws EBaseException {
+ throws EBaseException {
boolean p;
try {
@@ -164,7 +170,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
@@ -192,8 +198,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
print("mAuthAttrs = " + mAuthAttrs);
for (int i = 0; i < stringArrays.length; i++) {
for (int j = 0; j < stringArrays[i].length; j++) {
- print("stringArrays[" + i + "][" + j + "] = "
- + stringArrays[i][j]);
+ print("stringArrays[" + i + "][" + j + "] = " + stringArrays[i][j]);
}
}
@@ -202,40 +207,35 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
mFileLastRead = file.lastModified();
entries = readFile(file, keyAttrs);
- CMS.debug("FlatFileAuth: "
- + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename));
+ CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_READ_ENTRIES", mFilename));
// printAllEntries();
} catch (IOException e) {
- throw new EBaseException(mName
- + " authentication: Could not open file " + mFilename
- + " (" + e.getMessage() + ")");
+ throw new EBaseException(mName + " authentication: Could not open file " + mFilename + " (" + e.getMessage() + ")");
} catch (java.lang.StringIndexOutOfBoundsException ee) {
- CMS.debug("FlatFileAuth: "
- + CMS.getLogMessage("OPERATION_ERROR", ee.toString()));
+ CMS.debug("FlatFileAuth: " + CMS.getLogMessage("OPERATION_ERROR", ee.toString()));
}
}
/**
* Log a message.
- *
* @param level The logging level.
* @param msg The message to log.
*/
private void log(int level, String msg) {
if (mLogger == null)
return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level,
- msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
+ level, msg);
}
-
+
void print(String s) {
CMS.debug("FlatFileAuth: " + s);
}
/**
- * Return a string array which is the union of all the string arrays passed
- * in. The strings are treated as case sensitive
+ * Return a string array which is the union of all the string arrays
+ * passed in. The strings are treated as case sensitive
*/
public String[] unionOfStrings(String[][] stringArrays) {
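Review bot: The `catch (java.lang.StringIndexOutOfBoundsException ee)` branch only emits a debug line and lets init() complete, so a malformed line in the password file leaves `entries` unset (or partially built, depending on readFile, which is not visible here) and the manager comes up with a broken credential table instead of refusing to start the way the IOException branch does. Unless readFile is known to recover internally, fail closed: `throw new EBaseException(mName + " authentication: malformed entry in file " + mFilename + " (" + ee.getMessage() + ")");`. The enclosing init() starts before this hunk.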
@@ -257,11 +257,12 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
s[i] = (String) e.nextElement();
}
return s;
-
+
}
-
+
/**
- * Split a comma-delimited String into an array of individual Strings.
+ * Split a comma-delimited String into an array of individual
+ * Strings.
*/
private String[] splitOnComma(String s) {
print("Splitting String: " + s + " on commas");
@@ -281,8 +282,8 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
/**
- * Join an array of Strings into one string, with the specified string
- * between each string
+ * Join an array of Strings into one string, with
+ * the specified string between each string
*/
private String joinStringArray(String[] s, String sep) {
@@ -297,9 +298,9 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
return sb.toString();
}
- private synchronized void updateFile(String key) {
+ private synchronized void updateFile (String key) {
try {
- String name = writeFile(key);
+ String name = writeFile (key);
if (name != null) {
File orgFile = new File(mFilename);
long lastModified = orgFile.lastModified();
@@ -309,28 +310,23 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
} else {
mFileLastRead = newFile.lastModified();
}
- if (orgFile.renameTo(new File(name.substring(0,
- name.length() - 1)))) {
+ if (orgFile.renameTo(new File(name.substring(0, name.length()-1)))) {
if (!newFile.renameTo(new File(mFilename))) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "RENAME_FILE_ERROR", name, mFilename));
- File file = new File(name.substring(0,
- name.length() - 1));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name, mFilename));
+ File file = new File(name.substring(0, name.length()-1));
file.renameTo(new File(mFilename));
}
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "RENAME_FILE_ERROR", mFilename,
- name.substring(0, name.length() - 1)));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", mFilename,
+ name.substring(0, name.length()-1)));
}
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("FILE_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage()));
}
}
- private String writeFile(String key) {
+ private String writeFile (String key) {
BufferedReader reader = null;
BufferedWriter writer = null;
String name = null;
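Review bot: The rollback rename `file.renameTo(new File(mFilename));` in updateFile discards its boolean result, so if restoring the original fails after the first rename succeeded, the credential file is left missing with no log entry; check it like the two renames above it, e.g. `if (!file.renameTo(new File(mFilename))) log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name.substring(0, name.length()-1), mFilename));`. The surrounding `catch (Exception e)` logs only `e.getMessage()`, which is null for many runtime exceptions; `e.toString()` keeps the exception type in the log. writeFile's body continues past the end of this hunk.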
@@ -338,9 +334,9 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
boolean done = false;
String line = null;
try {
- reader = new BufferedReader(new FileReader(mFilename));
- name = mFilename + "." + mDateFormat.format(new Date()) + "~";
- writer = new BufferedWriter(new FileWriter(name));
+ reader = new BufferedReader (new FileReader (mFilename));
+ name = mFilename+"."+mDateFormat.format(new Date())+"~";
+ writer = new BufferedWriter (new FileWriter(name));
if (reader != null && writer != null) {
while ((line = reader.readLine()) != null) {
if (commentOutNextLine) {
@@ -357,8 +353,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
done = true;
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("FILE_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage()));
}
try {
@@ -370,8 +365,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
writer.close();
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("FILE_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage()));
}
try {
@@ -380,45 +374,43 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
long s2 = 0;
File f1 = new File(mFilename);
File f2 = new File(name);
- if (f1.exists())
- s1 = f1.length();
- if (f2.exists())
- s2 = f2.length();
+ if (f1.exists()) s1 = f1.length();
+ if (f2.exists()) s2 = f2.length();
if (s1 > 0 && s2 > 0 && s2 > s1) {
done = true;
} else {
- if (f2.exists())
- f2.delete();
+ if (f2.exists()) f2.delete();
name = null;
}
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("FILE_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("FILE_ERROR", e.getMessage()));
}
return name;
}
+
/**
- * Read a file with the following format:
- * <p>
- *
- * <pre>
+ * Read a file with the following format: <p><pre>
* param1: valuea
* param2: valueb
* -blank-line-
* param1: valuec
* param2: valued
* </pre>
- *
+ *
* @param f The file to read
- * @param keys The parameters to concat together to form the hash key
+ * @param keys The parameters to concat together to form the hash
+ * key
* @return a hashtable of hashtables.
*/
- protected Hashtable readFile(File f, String[] keys) throws IOException {
+ protected Hashtable readFile(File f, String[] keys)
+ throws IOException {
log(ILogger.LL_INFO, "Reading file: " + f.getName());
- BufferedReader file = new BufferedReader(new FileReader(f));
+ BufferedReader file = new BufferedReader(
+ new FileReader(f)
+ );
String line;
Hashtable allusers = new Hashtable();
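Review bot: The reader opened at `new BufferedReader(new FileReader(f))` in readFile is only closed on the explicit `file.close()` before the parsing-error throw, so an `IOException` raised by `readLine()` itself leaks the file handle; wrap the read loop in `try { … } finally { file.close(); }` so every exit path closes it, which also lets the explicit close before the throw go away. `FileReader` decodes with the platform default charset, so how the file's non-ASCII values are read depends on the JVM's locale; if the file is expected to be UTF-8, `new InputStreamReader(new FileInputStream(f), "UTF-8")` makes that explicit. readFile's loop continues past the end of this hunk.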
@@ -437,14 +429,13 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
entry = new Hashtable();
}
- if (colon == -1) { // no colon -> empty line signifies end of record
+ if (colon == -1) { // no colon -> empty line signifies end of record
if (!line.trim().equals("")) {
if (file != null) {
file.close();
}
- throw new IOException(FFAUTH + ": Parsing error, "
- + "colon missing from line " + linenum + " of "
- + f.getName());
+ throw new IOException(FFAUTH + ": Parsing error, " +
+ "colon missing from line " + linenum + " of " + f.getName());
}
if (entry.size() > 0) {
putEntry(allusers, entry, keys);
@@ -466,7 +457,9 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
return allusers;
}
- private void putEntry(Hashtable allUsers, Hashtable entry, String[] keys) {
+ private void putEntry(Hashtable allUsers,
+ Hashtable entry,
+ String[] keys) {
if (entry == null) {
return;
}
@@ -504,24 +497,22 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
/**
- * Compare attributes provided by the user with those in in flat file.
- *
+ * Compare attributes provided by the user with those in
+ * in flat file.
+ *
*/
- private IAuthToken doAuthentication(Hashtable user,
- IAuthCredentials authCred) throws EMissingCredential,
- EInvalidCredentials, EBaseException {
+ private IAuthToken doAuthentication(Hashtable user, IAuthCredentials authCred)
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
AuthToken authToken = new AuthToken(this);
for (int i = 0; i < authAttrs.length; i++) {
String ffvalue = (String) user.get(authAttrs[i]);
String uservalue = (String) authCred.get(authAttrs[i]);
- // print("checking authentication token (" + authAttrs[i] + ": " +
- // uservalue + " against ff value: " + ffvalue);
+ // print("checking authentication token (" + authAttrs[i] + ": " + uservalue + " against ff value: " + ffvalue);
if (!ffvalue.equals(uservalue)) {
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
}
return authToken;
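Review bot: `if (!ffvalue.equals(uservalue))` in doAuthentication throws `NullPointerException` rather than `EInvalidCredentials` when the flat-file record lacks one of the `authAttrs` (`user.get` returns null for it), so a malformed record surfaces as an internal error instead of a failed login; guard it with `if (ffvalue == null || !ffvalue.equals(uservalue))`. The value compared here is a client-supplied credential, and `String.equals` returns as soon as one character differs; `java.security.MessageDigest.isEqual(ffvalue.getBytes("UTF-8"), uservalue.getBytes("UTF-8"))` gives a comparison whose duration does not depend on the matching prefix (uservalue then needs its own null check first). The commented-out `print(...)` line above the check would log the flat-file credential value if re-enabled and is better deleted than kept.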
@@ -539,18 +530,16 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
// printAllEntries();
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("READ_FILE_ERROR", mFilename,
- e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("READ_FILE_ERROR", mFilename, e.getMessage()));
}
}
/**
* Authenticate the request
- *
+ *
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
IAuthToken authToken = null;
String keyForUser = "";
@@ -561,13 +550,11 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
/* Find the user in our hashtable */
for (int i = 0; i < keyAttrs.length; i++) {
- print("concatenating string i=" + i + " keyAttrs[" + i + "] = "
- + keyAttrs[i]);
+ print("concatenating string i=" + i + " keyAttrs[" + i + "] = " + keyAttrs[i]);
String credential = (String) authCred.get(keyAttrs[i]);
if (credential == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i]));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", keyAttrs[i]));
}
keyForUser = keyForUser.concat((String) authCred.get(keyAttrs[i]));
}
@@ -579,10 +566,8 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
if (user != null) {
authToken = doAuthentication(user, authCred);
} else {
- CMS.debug("FlatFileAuth: "
- + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND"));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ CMS.debug("FlatFileAuth: " + CMS.getLogMessage("CMS_AUTH_USER_NOT_FOUND"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
} catch (EInvalidCredentials e) {
// If defer on failure is false, then we re-throw the exception
@@ -594,7 +579,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
}
- // if a dn was specified in the password file for this user,
+ // if a dn was specified in the password file for this user,
// replace the requested dn with the one in the pwfile
if (user != null) {
String dn = (String) user.get("dn");
@@ -616,21 +601,21 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
/**
- * Return a list of HTTP parameters which will be taken from the request
- * posting and placed into the AuthCredentials block
- *
- * Note that this method will not be called until after the init() method is
- * called
+ * Return a list of HTTP parameters which will be taken from the
+ * request posting and placed into the AuthCredentials block
+ *
+ * Note that this method will not be called until after the
+ * init() method is called
*/
public String[] getRequiredCreds() {
print("getRequiredCreds returning: " + joinStringArray(reqCreds, ","));
return reqCreds;
-
+
}
/**
- * Returns a list of configuration parameters, so the console can prompt the
- * user when configuring.
+ * Returns a list of configuration parameters, so the console
+ * can prompt the user when configuring.
*/
public String[] getConfigParams() {
return mConfigParams;
@@ -655,7 +640,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -681,7 +666,7 @@ public class FlatFileAuth implements IProfileAuthenticator, IExtendedPluginInfo
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
}
/**
diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
index 19e4f0e3..19bfab69 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
@@ -17,16 +17,17 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// java sdk imports.
import java.util.Hashtable;
import java.util.Vector;
+
/**
- * The structure stores the information of which machine is enabled for the
- * agent-initiated user enrollment, and whom agents enable this feature, and the
- * value of the timeout.
+ * The structure stores the information of which machine is enabled for
+ * the agent-initiated user enrollment, and whom agents enable this feature,
+ * and the value of the timeout.
* <P>
- *
* @version $Revision$, $Date$
*/
public class HashAuthData extends Hashtable {
@@ -53,7 +54,7 @@ public class HashAuthData extends Hashtable {
Vector val = (Vector) get(hostname);
if (val == null) {
- val = new Vector();
+ val = new Vector();
put(hostname, val);
}
val.setElementAt(agentName, 0);
@@ -116,3 +117,4 @@ public class HashAuthData extends Hashtable {
val.setElementAt(Long.valueOf(lastLogin), 3);
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
index 9875b2a3..24a10e0a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -39,10 +40,11 @@ import com.netscape.certsrv.base.IExtendedPluginInfo;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.cmsutil.util.Utils;
+
/**
* Hash uid/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
@@ -52,8 +54,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public static final String CRED_FINGERPRINT = "fingerprint";
public static final String CRED_PAGEID = "pageID";
public static final String CRED_HOST = "hostname";
- protected static String[] mRequiredCreds = { CRED_UID, CRED_PAGEID,
- CRED_FINGERPRINT, CRED_HOST };
+ protected static String[] mRequiredCreds = { CRED_UID,
+ CRED_PAGEID, CRED_FINGERPRINT, CRED_HOST };
public static final long DEFAULT_TIMEOUT = 600000;
private boolean mEnable = false;
private long mTimeout = DEFAULT_TIMEOUT; // in milliseconds
@@ -69,17 +71,18 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
private ILogger mLogger = CMS.getLogger();
private static Vector mExtendedPluginInfo = null;
private HashAuthData mHosts = null;
-
- static String[] mConfigParams = new String[] {};
+
+ static String[] mConfigParams =
+ new String[] {};
static {
mExtendedPluginInfo = new Vector();
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT
- + ";Authenticate the username and password provided "
- + "by the user against an LDAP directory. Works with the "
- + "Dir Based Enrollment HTML form");
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authrules-uidpwddirauth");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
+ ";Authenticate the username and password provided " +
+ "by the user against an LDAP directory. Works with the " +
+ "Dir Based Enrollment HTML form");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-authrules-uidpwddirauth");
};
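Review bot: The help text registered in this static block, "Authenticate the username and password provided by the user against an LDAP directory. Works with the Dir Based Enrollment HTML form", and the help token `configuration-authrules-uidpwddirauth` describe the uid/password directory plugin, not this class; they appear to have been copied from UidPwdDirAuthentication. This is the text the configuration console shows administrators, so it should describe what HashAuthentication actually does (validate a server-computed fingerprint for agent-initiated enrollment, per the class and HashAuthData Javadoc) and reference a help token for this plugin.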
/**
@@ -88,8 +91,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public HashAuthentication() {
}
- public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ public void init(String name, String implName, IConfigStore config)
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
@@ -99,8 +102,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
try {
mSHADigest = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
}
}
@@ -122,7 +124,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
public void createEntry(String host, String dn, long timeout,
- String secret, long lastLogin) {
+ String secret, long lastLogin) {
Vector v = new Vector();
v.addElement(dn);
@@ -139,7 +141,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public String getAgentName(String hostname) {
return mHosts.getAgentName(hostname);
}
-
+
public void setAgentName(String hostname, String agentName) {
mHosts.setAgentName(hostname, agentName);
}
@@ -181,17 +183,16 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public void log(int level, String msg) {
if (mLogger == null)
return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, level,
- msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
+ level, msg);
}
- public boolean validFingerprint(String host, String pageID, String uid,
- String fingerprint) {
+ public boolean validFingerprint(String host, String pageID, String uid, String fingerprint) {
String val = hashFingerprint(host, pageID, uid);
if (val.equals(fingerprint))
return true;
- return false;
+ return false;
}
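Review bot: `val.equals(fingerprint)` in validFingerprint compares the client-supplied fingerprint with the server-computed value using a comparison that stops at the first differing character; `MessageDigest` is already imported in this file, so the method can become `return MessageDigest.isEqual(val.getBytes(), fingerprint.getBytes());`, which does not short-circuit on a partial match and also replaces the `if (...) return true; return false;` form. A null `fingerprint` still has to be rejected by the caller, since `getBytes()` would throw on it.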
public Enumeration getHosts() {
@@ -199,8 +200,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
public String hashFingerprint(String host, String pageID, String uid) {
- byte[] hash = mSHADigest.digest((SALT + pageID + getSecret(host) + uid)
- .getBytes());
+ byte[] hash =
+ mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes());
String b64E = com.netscape.osutil.OSUtil.BtoA(hash);
return "{SHA}" + b64E;
@@ -215,20 +216,19 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
public IAuthToken authenticate(IAuthCredentials authCreds)
- throws EBaseException {
+ throws EBaseException {
AuthToken token = new AuthToken(this);
String fingerprint = (String) authCreds.get(CRED_FINGERPRINT);
String pageID = (String) authCreds.get(CRED_PAGEID);
String uid = (String) authCreds.get(CRED_UID);
String host = (String) authCreds.get(CRED_HOST);
- if (fingerprint.equals("")
- || !validFingerprint(host, pageID, uid, fingerprint)) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT"));
+ if (fingerprint.equals("") ||
+ !validFingerprint(host, pageID, uid, fingerprint)) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT"));
throw new EAuthException("Invalid Fingerprint");
}
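Review bot: `fingerprint.equals("")` in authenticate throws `NullPointerException` when the request omits the fingerprint parameter, because `authCreds.get(CRED_FINGERPRINT)` returns null for an absent credential (the sibling plugins in this commit test for exactly that null after `authCreds.get`); `pageID`, `uid` and `host` are passed into hashFingerprint unchecked as well. Reject absent values before the comparison, e.g. `if (fingerprint == null || pageID == null || uid == null || host == null) throw new EAuthException("Invalid Fingerprint");`, and keep the existing `CMS_AUTH_INVALID_FINGER_PRINT` log for the mismatch case so a missing parameter and a bad fingerprint are distinguishable in the audit trail. The method's remaining body is outside this hunk.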
@@ -240,7 +240,6 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
/**
* Returns array of required credentials for this authentication manager.
- *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -249,7 +248,6 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
/**
* Gets the configuration substore used by this authentication manager
- *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -278,13 +276,14 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
return (mConfigParams);
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
index 74a5392a..56c8739a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.util.Enumeration;
import java.util.Locale;
@@ -48,25 +49,26 @@ import com.netscape.certsrv.ldap.ELdapException;
import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.logging.ILogger;
+
/**
* uid/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class PortalEnroll extends DirBasedAuthentication {
/* configuration parameter keys */
- protected static final String PROP_LDAPAUTH = "ldapauth";
- protected static final String PROP_AUTHTYPE = "authtype";
- protected static final String PROP_BINDDN = "bindDN";
- protected static final String PROP_BINDPW = "bindPW";
- protected static final String PROP_LDAPCONN = "ldapconn";
- protected static final String PROP_HOST = "host";
- protected static final String PROP_PORT = "port";
- protected static final String PROP_SECURECONN = "secureConn";
- protected static final String PROP_VERSION = "version";
- protected static final String PROP_OBJECTCLASS = "objectclass";
+ protected static final String PROP_LDAPAUTH = "ldapauth";
+ protected static final String PROP_AUTHTYPE = "authtype";
+ protected static final String PROP_BINDDN = "bindDN";
+ protected static final String PROP_BINDPW = "bindPW";
+ protected static final String PROP_LDAPCONN = "ldapconn";
+ protected static final String PROP_HOST = "host";
+ protected static final String PROP_PORT = "port";
+ protected static final String PROP_SECURECONN = "secureConn";
+ protected static final String PROP_VERSION = "version";
+ protected static final String PROP_OBJECTCLASS = "objectclass";
/* required credentials to authenticate. uid and pwd are strings. */
public static final String CRED_UID = "uid";
@@ -78,77 +80,83 @@ public class PortalEnroll extends DirBasedAuthentication {
private String mObjectClass = null;
private String mBindDN = null;
private String mBaseDN = null;
- private ILdapConnFactory mLdapFactory = null;
- private LDAPConnection mLdapConn = null;
+ private ILdapConnFactory mLdapFactory = null;
+ private LDAPConnection mLdapConn = null;
// contains all nested superiors' required attrs in the form of a
- // vector of "required" attributes in Enumeration
+ // vector of "required" attributes in Enumeration
Vector mRequiredAttrs = null;
-
+
// contains all nested superiors' optional attrs in the form of a
- // vector of "optional" attributes in Enumeration
+ // vector of "optional" attributes in Enumeration
Vector mOptionalAttrs = null;
// contains all the objclasses, including superiors and itself
Vector mObjClasses = null;
-
- /*
- * Holds configuration parameters accepted by this implementation. This list
- * is passed to the configuration console so configuration for instances of
- * this implementation can be configured through the console.
+
+ /* Holds configuration parameters accepted by this implementation.
+ * This list is passed to the configuration console so configuration
+ * for instances of this implementation can be configured through the
+ * console.
*/
- protected static String[] mConfigParams = new String[] { PROP_DNPATTERN,
- "ldap.ldapconn.host", "ldap.ldapconn.port",
- "ldap.ldapconn.secureConn", "ldap.ldapconn.version",
- "ldap.ldapauth.bindDN", "ldap.ldapauth.bindPWPrompt",
- "ldap.ldapauth.clientCertNickname", "ldap.ldapauth.authtype",
- "ldap.basedn", "ldap.objectclass", "ldap.minConns",
- "ldap.maxConns", };
-
+ protected static String[] mConfigParams =
+ new String[] {
+ PROP_DNPATTERN,
+ "ldap.ldapconn.host",
+ "ldap.ldapconn.port",
+ "ldap.ldapconn.secureConn",
+ "ldap.ldapconn.version",
+ "ldap.ldapauth.bindDN",
+ "ldap.ldapauth.bindPWPrompt",
+ "ldap.ldapauth.clientCertNickname",
+ "ldap.ldapauth.authtype",
+ "ldap.basedn",
+ "ldap.objectclass",
+ "ldap.minConns",
+ "ldap.maxConns",
+ };
+
/**
* Default constructor, initialization must follow.
*/
- public PortalEnroll() throws EBaseException {
+ public PortalEnroll()
+ throws EBaseException {
super();
}
/**
* Initializes the PortalEnrollment auth manager.
* <p>
- *
* @param name - The name for this authentication manager instance.
* @param implName - The name of the authentication manager plugin.
* @param config - The configuration store for this instance.
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
super.init(name, implName, config);
-
+
/* Get Bind DN for directory server */
mConfig = mLdapConfig.getSubStore(PROP_LDAPAUTH);
mBindDN = mConfig.getString(PROP_BINDDN);
- if ((mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == ""))
- throw new EPropertyNotFound(CMS.getUserMessage(
- "CMS_BASE_GET_PROPERTY_FAILED", "binddn"));
-
- /* Get Bind DN for directory server */
+ if ( (mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == ""))
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "binddn"));
+
+ /* Get Bind DN for directory server */
mBaseDN = mLdapConfig.getString(PROP_BASEDN);
if ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN == ""))
- throw new EPropertyNotFound(CMS.getUserMessage(
- "CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
-
- /* Get Object clase name for enrollment */
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
+
+ /* Get Object clase name for enrollment */
mObjectClass = mLdapConfig.getString(PROP_OBJECTCLASS);
- if (mObjectClass == null || mObjectClass.length() == 0)
- throw new EPropertyNotFound(CMS.getUserMessage(
- "CMS_BASE_GET_PROPERTY_FAILED", "objectclass"));
+ if (mObjectClass == null || mObjectClass.length() == 0)
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "objectclass"));
- /* Get connect parameter */
+ /* Get connect parameter */
mLdapFactory = CMS.getLdapBoundConnFactory();
mLdapFactory.init(mLdapConfig);
mLdapConn = mLdapFactory.getConn();
-
+
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_PORTAL_INIT"));
}
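Review bot: `(mBindDN == "")` in init compares string references, not contents, and is already covered by `mBindDN.length() == 0`, so that clause is dead; the base-DN check two lines later has the same pattern. Both reduce to `if (mBindDN == null || mBindDN.length() == 0)` and `if (mBaseDN == null || mBaseDN.length() == 0)`. The comment above the base-DN lookup still reads `/* Get Bind DN for directory server */` and should say "Get base DN", and the following one has "clase" for "class".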
@@ -158,53 +166,48 @@ public class PortalEnroll extends DirBasedAuthentication {
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds, AuthToken token) throws EBaseException {
+ protected String authenticate(LDAPConnection conn,
+ IAuthCredentials authCreds,
+ AuthToken token)
+ throws EBaseException {
String uid = null;
String pwd = null;
String dn = null;
argblk = authCreds.getArgBlock();
-
+
// authenticate by binding to ldap server with password.
try {
// get the uid.
uid = (String) authCreds.get(CRED_UID);
if (uid == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
}
-
+
// get the password.
pwd = (String) authCreds.get(CRED_PWD);
if (pwd == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
}
if (pwd.equals("")) {
// anonymous binding not allowed
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// get user dn.
- LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
- "(uid=" + uid + ")", null, false);
+ LDAPSearchResults res = conn.search(mBaseDN,
+ LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
if (res.hasMoreElements()) {
LDAPEntry entry = (LDAPEntry) res.nextElement();
- throw new EAuthUserError(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE",
- "UID already exists."));
+ throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "UID already exists."));
} else {
dn = regist(token, uid);
- if (dn == null)
- throw new EAuthUserError(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE",
- "Could not add user " + uid + "."));
+ if (dn == null)
+ throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE","Could not add user " + uid + "."));
}
// bind as user dn and pwd - authenticates user with pwd.
@@ -214,57 +217,47 @@ public class PortalEnroll extends DirBasedAuthentication {
token.set(CRED_UID, uid);
log(ILogger.LL_INFO, "portal authentication is done");
-
+
return dn;
} catch (ELdapException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString()));
throw e;
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.NO_SUCH_OBJECT:
- case LDAPException.LDAP_PARTIAL_RESULTS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR",
- conn.getHost(),
- Integer.toString(conn.getPort())));
- throw new EAuthInternalError(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR",
- "Check Configuration detail."));
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", conn.getHost(), Integer.toString(conn.getPort())));
+ throw new
+ EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", "Check Configuration detail."));
case LDAPException.INVALID_CREDENTIALS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY,
+ CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.SERVER_DOWN:
log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN"));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
-
- default:
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+
+ default:
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
} catch (EBaseException e) {
- if (e.getMessage().equalsIgnoreCase(
- CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR",
- e.toString()));
+ if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", e.toString()));
throw e;
- }
+ }
}
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
@@ -273,49 +266,44 @@ public class PortalEnroll extends DirBasedAuthentication {
public String[] getExtendedPluginInfo(Locale locale) {
String[] s = {
- PROP_DNPATTERN
- + ";string;Template for cert"
- + " Subject Name. ($dn.xxx - get value from user's LDAP "
- + "DN. $attr.yyy - get value from LDAP attributes in "
- + "user's entry.) Default: " + DEFAULT_DNPATTERN,
- "ldap.ldapconn.host;string,required;"
- + "LDAP host to connect to",
- "ldap.ldapconn.port;number,required;"
- + "LDAP port number (default 389, or 636 if SSL)",
+ PROP_DNPATTERN + ";string;Template for cert" +
+ " Subject Name. ($dn.xxx - get value from user's LDAP " +
+ "DN. $attr.yyy - get value from LDAP attributes in " +
+ "user's entry.) Default: " + DEFAULT_DNPATTERN,
+ "ldap.ldapconn.host;string,required;" + "LDAP host to connect to",
+ "ldap.ldapconn.port;number,required;" + "LDAP port number (default 389, or 636 if SSL)",
"ldap.objectclass;string,required;SEE DOCUMENTATION for Object Class. "
- + "Default is inetOrgPerson.",
- "ldap.ldapconn.secureConn;boolean;"
- + "Use SSL to connect to directory?",
+ + "Default is inetOrgPerson.",
+ "ldap.ldapconn.secureConn;boolean;" + "Use SSL to connect to directory?",
"ldap.ldapconn.version;choice(3,2);" + "LDAP protocol version",
"ldap.ldapauth.bindDN;string,required;DN to bind as for Directory Manager. "
- + "For example 'CN=Directory Manager'",
- "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as "
- + "the above user",
+ + "For example 'CN=Directory Manager'",
+ "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " +
+ "the above user",
"ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth);"
- + "How to bind to the directory (for pin removal only)",
+ + "How to bind to the directory (for pin removal only)",
"ldap.ldapauth.clientCertNickname;string;If you want to use "
- + "SSL client auth to the directory, set the client "
- + "cert nickname here",
- "ldap.basedn;string,required;Base DN to start searching "
- + "under. If your user's DN is 'uid=jsmith, o=company', you "
- + "might want to use 'o=company' here",
- "ldap.minConns;number;number of connections "
- + "to keep open to directory server",
- "ldap.maxConns;number;when needed, connection "
- + "pool can grow to this many connections",
- IExtendedPluginInfo.HELP_TEXT
- + ";This authentication plugin checks to see if a user "
- + "exists in the directory. If not, then the user is created "
- + "with the requested password.",
- IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authrules-portalauth" };
-
+ + "SSL client auth to the directory, set the client "
+ + "cert nickname here",
+ "ldap.basedn;string,required;Base DN to start searching " +
+ "under. If your user's DN is 'uid=jsmith, o=company', you " +
+ "might want to use 'o=company' here",
+ "ldap.minConns;number;number of connections " +
+ "to keep open to directory server",
+ "ldap.maxConns;number;when needed, connection " +
+ "pool can grow to this many connections",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";This authentication plugin checks to see if a user " +
+ "exists in the directory. If not, then the user is created " +
+ "with the requested password.",
+ IExtendedPluginInfo.HELP_TOKEN + ";configuration-authrules-portalauth"
+ };
+
return s;
}
/**
* Returns array of required credentials for this authentication manager.
- *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -324,7 +312,6 @@ public class PortalEnroll extends DirBasedAuthentication {
/**
* adds a user to the directory.
- *
* @return dn upon success and null upon failure.
* @param token authentication token
* @param uid the user's id.
@@ -334,7 +321,7 @@ public class PortalEnroll extends DirBasedAuthentication {
/* Specify the attributes of the entry */
Vector objectclass_values = null;
-
+
LDAPAttributeSet attrs = new LDAPAttributeSet();
LDAPAttribute attr = new LDAPAttribute("objectclass");
@@ -347,17 +334,14 @@ public class PortalEnroll extends DirBasedAuthentication {
try {
- /*
- * Construct a new LDAPSchema object to hold the schema that you
- * want to retrieve.
- */
+ /* Construct a new LDAPSchema object to hold
+ the schema that you want to retrieve. */
dirSchema = new LDAPSchema();
/* Get the schema from the Directory. Anonymous access okay. */
dirSchema.fetchSchema(mLdapConn);
} catch (LDAPException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
}
// complete mRequiredAttrs, mOptionalAttrs, and mObjClasses
initLdapAttrs(dirSchema, mObjectClass);
@@ -383,10 +367,9 @@ public class PortalEnroll extends DirBasedAuthentication {
try {
attrval = (String) argblk.getValueAsString(attrname);
} catch (EBaseException e) {
- if (e.getMessage().equalsIgnoreCase(
- CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
+ if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
continue;
- }
+ }
CMS.debug("PortalEnroll: " + attrname + " = " + attrval);
attrs.add(new LDAPAttribute(attrname, attrval));
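Review bot: The required-attribute loop adds `attrs.add(new LDAPAttribute(attrname, attrval));` without the `if (attrval != null)` guard that the optional-attribute loop further down applies before the same call, so the two loops disagree on whether a null value may reach LDAPAttribute. If `getValueAsString` can return null rather than throwing, mirror the guard here: `if (attrval != null) { attrs.add(new LDAPAttribute(attrname, attrval)); }`. A missing required attribute is also silently skipped by the `continue`, which leaves the entry incomplete until the directory rejects it later. The enclosing loop starts before this hunk.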
@@ -403,18 +386,17 @@ public class PortalEnroll extends DirBasedAuthentication {
while (attrnames.hasMoreElements()) {
String attrname = (String) attrnames.nextElement();
String attrval = null;
-
+
CMS.debug("PortalEnroll: attrname is: " + attrname);
try {
attrval = (String) argblk.getValueAsString(attrname);
} catch (EBaseException e) {
- if (e.getMessage().equalsIgnoreCase(
- CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
+ if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true)
continue;
- }
+ }
CMS.debug("PortalEnroll: " + attrname + " = " + attrval);
if (attrval != null) {
- attrs.add(new LDAPAttribute(attrname, attrval));
+ attrs.add(new LDAPAttribute(attrname, attrval));
}
}
}
@@ -428,24 +410,22 @@ public class PortalEnroll extends DirBasedAuthentication {
mLdapConn.add(entry);
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
} else
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
return null;
}
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_REGISTRATION_DONE"));
-
+
return dn;
}
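Review bot: Both branches of `if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS)` at the top of this hunk do exactly the same thing, so the distinction the code draws is lost and a self-registration colliding with an existing entry is reported like any other directory fault. If the collision is meant to be visible, log it distinctly, for example `log(ILogger.LL_SECURITY, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));` in the first branch (the level this file already uses for bad passwords); otherwise collapse the two branches into one call. The else branch is also unbraced while the if branch is braced; brace both. The enclosing method starts before this hunk.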
/*
- * get the superiors of "inetOrgPerson" so the "required
- * attributes", "optional qttributes", and "object classes" are complete;
- * should build up mRequiredAttrs, mOptionalAttrs, and mObjClasses when
- * returned
+ * get the superiors of "inetOrgPerson" so the "required
+ * attributes", "optional qttributes", and "object classes" are complete;
+ * should build up
+ * mRequiredAttrs, mOptionalAttrs, and mObjClasses when returned
*/
public void initLdapAttrs(LDAPSchema dirSchema, String oclass) {
CMS.debug("PortalEnroll: in initLdapAttrsAttrs");
@@ -468,8 +448,7 @@ public class PortalEnroll extends DirBasedAuthentication {
CMS.debug("PortalEnroll: getting superiors for: " + oclass);
String superiors[] = objClass.getSuperiors();
- CMS.debug("PortalEnroll: got superiors, superiors.length="
- + superiors.length);
+ CMS.debug("PortalEnroll: got superiors, superiors.length=" + superiors.length);
if (superiors.length == 0)
return;
for (int i = 0; i < superiors.length; i++) {
@@ -478,8 +457,8 @@ public class PortalEnroll extends DirBasedAuthentication {
initLdapAttrs(dirSchema, superiors[i]);
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
}
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
index c5aeee7c..1f21bc1d 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;
@@ -28,27 +29,24 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.base.EBaseException;
+
/**
- * class for parsing a DN pattern used to construct a certificate subject name
- * from ldap attributes and dn.
- * <p>
+ * class for parsing a DN pattern used to construct a certificate
+ * subject name from ldap attributes and dn.<p>
*
- * dnpattern is a string representing a subject name pattern to formulate from
- * the directory attributes and entry dn. If empty or not set, the ldap entry DN
- * will be used as the certificate subject name.
- * <p>
- *
- * The syntax is
+ * dnpattern is a string representing a subject name pattern to formulate from
+ * the directory attributes and entry dn. If empty or not set, the
+ * ldap entry DN will be used as the certificate subject name. <p>
*
+ * The syntax is
* <pre>
- * dnPattern := rdnPattern *[ "," rdnPattern ]
- * rdnPattern := avaPattern *[ "+" avaPattern ]
+ * dnPattern := rdnPattern *[ "," rdnPattern ]
+ * rdnPattern := avaPattern *[ "+" avaPattern ]
* avaPattern := name "=" value |
- * name "=" "$attr" "." attrName [ "." attrNumber ] |
- * name "=" "$dn" "." attrName [ "." attrNumber ] |
- * "$dn" "." "$rdn" "." number
+ * name "=" "$attr" "." attrName [ "." attrNumber ] |
+ * name "=" "$dn" "." attrName [ "." attrNumber ] |
+ * "$dn" "." "$rdn" "." number
* </pre>
- *
* <pre>
* Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i>
* Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org
@@ -75,12 +73,11 @@ import com.netscape.certsrv.base.EBaseException;
* E = the first 'mail' ldap attribute value in user's entry. <br>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN. note multiple AVAs
- * in a RDN in this example. <br>
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
* <pre>
* Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i>
* Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org
@@ -105,16 +102,15 @@ import com.netscape.certsrv.base.EBaseException;
* <p>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN followed by the
- * first 'ou' value in the user's entry. note multiple AVAs
- * in a RDN in this example. <br>
+ * first 'ou' value in the user's entry. note multiple AVAs
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- *
- * If an attribute or subject DN component does not exist the attribute is
- * skipped.
- *
+ * If an attribute or subject DN component does not exist the attribute
+ * is skipped.
+ *
* @version $Revision$, $Date$
*/
class RDNPattern {
@@ -130,15 +126,15 @@ class RDNPattern {
protected String mTestDN = null;
- /**
+ /**
* Construct a DN pattern by parsing a pattern string.
- *
* @param pattenr the DN pattern
- * @exception EBaseException If parsing error occurs.
+ * @exception EBaseException If parsing error occurs.
*/
- public RDNPattern(String pattern) throws EAuthException {
+ public RDNPattern(String pattern)
+ throws EAuthException {
if (pattern == null || pattern.equals("")) {
- // create an attribute list that is the dn.
+ // create an attribute list that is the dn.
mLdapAttrs = new String[] { "dn" };
} else {
mPatternString = pattern;
@@ -149,14 +145,16 @@ class RDNPattern {
}
/**
- * Construct a DN pattern from a input stream of pattern
+ * Construct a DN pattern from a input stream of pattern
*/
- public RDNPattern(PushbackReader in) throws EAuthException {
+ public RDNPattern(PushbackReader in)
+ throws EAuthException {
parse(in);
}
- private void parse(PushbackReader in) throws EAuthException {
- // System.out.println("_________ begin rdn _________");
+ private void parse(PushbackReader in)
+ throws EAuthException {
+ //System.out.println("_________ begin rdn _________");
Vector avaPatterns = new Vector();
AVAPattern avaPattern = null;
int lastChar;
@@ -164,25 +162,24 @@ class RDNPattern {
do {
avaPattern = new AVAPattern(in);
avaPatterns.addElement(avaPattern);
- // System.out.println("added AVAPattern"+
- // " mType "+avaPattern.mType+
- // " mAttr "+avaPattern.mAttr+
- // " mValue "+avaPattern.mValue+
- // " mElement "+avaPattern.mElement);
- try {
- lastChar = in.read();
+ //System.out.println("added AVAPattern"+
+ //" mType "+avaPattern.mType+
+ //" mAttr "+avaPattern.mAttr+
+ //" mValue "+avaPattern.mValue+
+ //" mElement "+avaPattern.mElement);
+ try {
+ lastChar = in.read();
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
- } while (lastChar == '+');
+ }
+ while (lastChar == '+');
if (lastChar != -1) {
try {
- in.unread(lastChar); // pushback last ,
+ in.unread(lastChar); // pushback last ,
} catch (IOException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()));
}
}
@@ -194,7 +191,7 @@ class RDNPattern {
for (int i = 0; i < mAVAPatterns.length; i++) {
String avaAttr = mAVAPatterns[i].getLdapAttr();
- if (avaAttr == null || avaAttr.length() == 0)
+ if (avaAttr == null || avaAttr.length() == 0)
continue;
ldapAttrs.addElement(avaAttr);
}
@@ -204,15 +201,15 @@ class RDNPattern {
/**
* Form a Ldap v3 DN string from results of a ldap search.
- *
* @param entry LDAPentry from a ldap search
- * @return Ldap v3 DN string to use for a subject name.
+ * @return Ldap v3 DN string to use for a subject name.
*/
- public String formRDN(LDAPEntry entry) throws EAuthException {
+ public String formRDN(LDAPEntry entry)
+ throws EAuthException {
StringBuffer formedRDN = new StringBuffer();
for (int i = 0; i < mAVAPatterns.length; i++) {
- if (mTestDN != null)
+ if (mTestDN != null)
mAVAPatterns[i].mTestDN = mTestDN;
String ava = mAVAPatterns[i].formAVA(entry);
@@ -222,7 +219,7 @@ class RDNPattern {
formedRDN.append(ava);
}
}
- // System.out.println("formed RDN "+formedRDN.toString());
+ //System.out.println("formed RDN "+formedRDN.toString());
return formedRDN.toString();
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
index 00bf88c3..3092d00a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@@ -46,14 +47,15 @@ import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.usrgrp.Certificates;
+
/**
- * Certificate server SSL client authentication.
- *
+ * Certificate server SSL client authentication.
+ *
* @author Christina Fu
- * <P>
- *
+ * <P>
+ *
*/
-public class SSLclientCertAuthentication implements IAuthManager,
+public class SSLclientCertAuthentication implements IAuthManager,
IProfileAuthenticator {
/* result auth token attributes */
@@ -84,20 +86,19 @@ public class SSLclientCertAuthentication implements IAuthManager,
/**
* initializes the SSLClientCertAuthentication auth manager
* <p>
- * called by AuthSubsystem init() method, when initializing all available
- * authentication managers.
- *
+ * called by AuthSubsystem init() method, when initializing
+ * all available authentication managers.
* @param name The name of this authentication manager instance.
* @param implName The name of the authentication manager plugin.
* @param config The configuration store for this authentication manager.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
}
-
+
/**
* Gets the name of this authentication manager.
*/
@@ -111,7 +112,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
public String getImplName() {
return mImplName;
}
-
+
public boolean isSSLClientRequired() {
return true;
}
@@ -119,34 +120,33 @@ public class SSLclientCertAuthentication implements IAuthManager,
/**
* authenticates user by certificate
* <p>
- * called by other subsystems or their servlets to authenticate users
- *
- * @param authCred - authentication credential that contains an
- * usrgrp.Certificates of the user (agent)
+ * called by other subsystems or their servlets to authenticate
+ * users
+ * @param authCred - authentication credential that contains
+ * an usrgrp.Certificates of the user (agent)
* @return the authentication token that contains the following
- *
+ *
* @exception EMissingCredential If a required credential for this
- * authentication manager is missing.
+ * authentication manager is missing.
* @exception EInvalidCredentials If credentials cannot be authenticated.
* @exception EBaseException If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
* @see com.netscape.certsrv.usrgrp.Certificates
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
-
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
+
CMS.debug("SSLclientCertAuthentication: start");
- CMS.debug("authenticator instance name is " + getName());
+ CMS.debug("authenticator instance name is "+getName());
// force SSL handshake
SessionContext context = SessionContext.getExistingContext();
- ISSLClientCertProvider provider = (ISSLClientCertProvider) context
- .get("sslClientCertProvider");
+ ISSLClientCertProvider provider = (ISSLClientCertProvider)
+ context.get("sslClientCertProvider");
if (provider == null) {
CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
CMS.debug("SSLclientCertAuthentication: got provider");
CMS.debug("SSLclientCertAuthentication: retrieving client certificate");
@@ -154,8 +154,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
if (allCerts == null) {
CMS.debug("SSLclientCertAuthentication: No SSL Client Certs Found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
CMS.debug("SSLclientCertAuthentication: got certificates");
@@ -174,7 +173,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
// find out which one is the leaf cert
clientCert = ci[i];
- byte[] extBytes = clientCert.getExtensionValue("2.5.29.19");
+ byte [] extBytes = clientCert.getExtensionValue("2.5.29.19");
// try to see if this is a leaf cert
// look for BasicConstraint extension
if (extBytes == null) {
@@ -187,46 +186,42 @@ public class SSLclientCertAuthentication implements IAuthManager,
// so it's not likely to be a leaf cert,
// however, check the isCA field regardless
try {
- BasicConstraintsExtension bce = new BasicConstraintsExtension(
- true, extBytes);
- if (bce != null) {
- if (!(Boolean) bce.get("is_ca")) {
- CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");
- break;
- } // else found a ca cert, continue
- }
- } catch (Exception e) {
- CMS.debug("SSLclientCertAuthentication: authenticate: exception:"
- + e.toString());
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
- }
+ BasicConstraintsExtension bce =
+ new BasicConstraintsExtension(true, extBytes);
+ if (bce != null) {
+ if (!(Boolean)bce.get("is_ca")) {
+ CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");
+ break;
+ } // else found a ca cert, continue
+ }
+ } catch (Exception e) {
+ CMS.debug("SSLclientCertAuthentication: authenticate: exception:"+
+ e.toString());
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ }
}
if (clientCert == null) {
- CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
} catch (CertificateException e) {
CMS.debug(e.toString());
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// check if certificate(s) is revoked
boolean checkRevocation = true;
try {
- checkRevocation = mConfig.getBoolean("checkRevocation", true);
+ checkRevocation = mConfig.getBoolean("checkRevocation", true);
} catch (EBaseException e) {
- // do nothing; default to true
+ // do nothing; default to true
}
if (checkRevocation) {
- if (CMS.isRevoked(ci)) {
- CMS.debug("SSLclientCertAuthentication: certificate revoked");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
+ if (CMS.isRevoked(ci)) {
+ CMS.debug("SSLclientCertAuthentication: certificate revoked");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
}
Certificates certs = new Certificates(ci);
Principal p_dn = clientCert.getSubjectDN();
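Review bot: The message `CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain");` is inverted: it is reached when `bce.get("is_ca")` is false, i.e. when the loop has found the leaf (non-CA) certificate and breaks, so it misleads anyone tracing an authentication; suggest `CMS.debug("SSLclientCertAuthentication: authenticate: found leaf (non-CA) cert in chain");`. The `if (bce != null)` test is dead since a constructor never yields null. The `catch (Exception e)` below it maps any BasicConstraints decoding problem to EInvalidCredentials with only a debug line, so a malformed extension is indistinguishable from a missing certificate in the logs; a failure-level log entry, if this class has one available, would make that distinct. The enclosing try block and the loop begin before this hunk.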
@@ -237,13 +232,13 @@ public class SSLclientCertAuthentication implements IAuthManager,
authToken.set(TOKEN_UID, uid);
authToken.set(TOKEN_USERID, uid);
}
- /*
- * authToken.set(TOKEN_USER_DN, user.getUserDN());
- * authToken.set(TOKEN_USERID, user.getUserID());
- * authToken.set(TOKEN_UID, user.getUserID());
- * authToken.set(TOKEN_GROUP, groupname);
- */
- authToken.set(CRED_CERT, certs);
+/*
+ authToken.set(TOKEN_USER_DN, user.getUserDN());
+ authToken.set(TOKEN_USERID, user.getUserID());
+ authToken.set(TOKEN_UID, user.getUserID());
+ authToken.set(TOKEN_GROUP, groupname);
+*/
+ authToken.set(CRED_CERT, certs);
CMS.debug("SSLclientCertAuthentication: authenticated ");
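Review bot: The `/* authToken.set(TOKEN_USER_DN, user.getUserDN()); ... */` block is commented-out code that this hunk moves to column 0 instead of removing; delete it rather than reformat it, since dead code at column 0 inside a method body only obscures the real statement `authToken.set(CRED_CERT, certs);` that follows. The enclosing method continues outside this hunk.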
@@ -262,8 +257,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
String n = t.substring(0, i);
if (n.equalsIgnoreCase("uid")) {
String v = t.substring(i + 1);
- CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"
- + v);
+ CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"+v);
return v;
} else {
continue;
@@ -273,12 +267,11 @@ public class SSLclientCertAuthentication implements IAuthManager,
}
/**
- * get the list of authentication credential attribute names required by
- * this authentication manager. Generally used by the servlets that handle
- * agent operations to authenticate its users. It calls this method to know
- * which are the required credentials from the user (e.g. Javascript form
- * data)
- *
+ * get the list of authentication credential attribute names
+ * required by this authentication manager. Generally used by
+ * the servlets that handle agent operations to authenticate its
+ * users. It calls this method to know which are the
+ * required credentials from the user (e.g. Javascript form data)
* @return attribute names in Vector
*/
public String[] getRequiredCreds() {
@@ -286,15 +279,15 @@ public class SSLclientCertAuthentication implements IAuthManager,
}
/**
- * get the list of configuration parameter names required by this
- * authentication manager. Generally used by the Certificate Server Console
- * to display the table for configuration purposes. CertUserDBAuthentication
- * is currently not exposed in this case, so this method is not to be used.
- *
- * @return configuration parameter names in Hashtable of Vectors where each
- * hashtable entry's key is the substore name, value is a Vector of
- * parameter names. If no substore, the parameter name is the
- * Hashtable key itself, with value same as key.
+ * get the list of configuration parameter names
+ * required by this authentication manager. Generally used by
+ * the Certificate Server Console to display the table for
+ * configuration purposes. CertUserDBAuthentication is currently not
+ * exposed in this case, so this method is not to be used.
+ * @return configuration parameter names in Hashtable of Vectors
+ * where each hashtable entry's key is the substore name, value is a
+ * Vector of parameter names. If no substore, the parameter name
+ * is the Hashtable key itself, with value same as key.
*/
public String[] getConfigParams() {
return (mConfigParams);
@@ -307,8 +300,8 @@ public class SSLclientCertAuthentication implements IAuthManager,
}
/**
- * gets the configuretion substore used by this authentication manager
- *
+ * gets the configuretion substore used by this authentication
+ * manager
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -318,7 +311,7 @@ public class SSLclientCertAuthentication implements IAuthManager,
// Profile-related methods
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -347,14 +340,15 @@ public class SSLclientCertAuthentication implements IAuthManager,
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
return null;
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
token.getInString(TOKEN_USERDN));
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
diff --git a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java
index 7a0784c5..8b0a7b9b 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java
@@ -26,7 +26,7 @@ import com.netscape.certsrv.authentication.ISharedToken;
public class SharedSecret implements ISharedToken {
public SharedSecret() {
- }
+ }
public String getSharedToken(PKIData cmcdata) {
return "testing";
diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
index 39084395..bb393767 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
@@ -46,12 +46,14 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory;
import com.netscape.cmsutil.xml.XMLObject;
/**
- * Token authentication. Checked if the given token is valid.
+ * Token authentication.
+ * Checked if the given token is valid.
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
-public class TokenAuthentication implements IAuthManager, IProfileAuthenticator {
+public class TokenAuthentication implements IAuthManager,
+ IProfileAuthenticator {
/* result auth token attributes */
public static final String TOKEN_UID = "uid";
@@ -77,22 +79,21 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
/**
* initializes the TokenAuthentication auth manager
* <p>
- * called by AuthSubsystem init() method, when initializing all available
- * authentication managers.
- *
+ * called by AuthSubsystem init() method, when initializing
+ * all available authentication managers.
* @param name The name of this authentication manager instance.
* @param implName The name of the authentication manager plugin.
* @param config The configuration store for this authentication manager.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
}
-
+
/**
* Gets the name of this authentication manager.
*/
@@ -106,7 +107,7 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
public String getImplName() {
return mImplName;
}
-
+
public boolean isSSLClientRequired() {
return false;
}
@@ -114,22 +115,21 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
/**
* authenticates user(agent) by certificate
* <p>
- * called by other subsystems or their servlets to authenticate users
- * (agents)
- *
- * @param authCred - authentication credential that contains an
- * usrgrp.Certificates of the user (agent)
+ * called by other subsystems or their servlets to authenticate
+ * users (agents)
+ * @param authCred - authentication credential that contains
+ * an usrgrp.Certificates of the user (agent)
* @return the authentication token that contains the following
- * @exception EMissingCredential If a required credential for this
- * authentication manager is missing.
+ * @exception EMissingCredential If a required credential for this
+ * authentication manager is missing.
* @exception EInvalidCredentials If credentials cannot be authenticated.
* @exception EBaseException If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
* @see com.netscape.certsrv.usrgrp.Certificates
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
-
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
+
CMS.debug("TokenAuthentication: start");
// force SSL handshake
@@ -141,8 +141,8 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
// get group name from configuration file
IConfigStore sconfig = CMS.getConfigStore();
- String sessionId = (String) authCred.get(CRED_SESSION_ID);
- String givenHost = (String) authCred.get("clientHost");
+ String sessionId = (String)authCred.get(CRED_SESSION_ID);
+ String givenHost = (String)authCred.get("clientHost");
String auth_host = sconfig.getString("securitydomain.host");
int auth_port = sconfig.getInteger("securitydomain.httpseeport");
@@ -151,8 +151,7 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
try {
JssSSLSocketFactory factory = new JssSSLSocketFactory();
httpclient = new HttpClient(factory);
- String content = CRED_SESSION_ID + "=" + sessionId + "&hostname="
- + givenHost;
+ String content = CRED_SESSION_ID+"="+sessionId+"&hostname="+givenHost;
CMS.debug("TokenAuthentication: content=" + content);
httpclient.connect(auth_host, auth_port);
HttpRequest httprequest = new HttpRequest();
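Review bot: `String content = CRED_SESSION_ID+"="+sessionId+"&hostname="+givenHost;` builds the form body by plain concatenation, and `givenHost` is read straight from the credentials (`authCred.get("clientHost")` in the previous hunk), so a value containing `&` or `=` changes the parameter set sent to the security domain; encode both values with `java.net.URLEncoder.encode(value, "UTF-8")` before joining them. The next line, `CMS.debug("TokenAuthentication: content=" + content);`, writes the session id into the debug log; log the hostname only, or drop the session id from the message. The enclosing try block continues past this hunk.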
@@ -166,23 +165,21 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
HttpResponse httpresponse = httpclient.send(httprequest);
c = httpresponse.getContent();
- } catch (Exception e) {
- CMS.debug("TokenAuthentication authenticate Exception="
- + e.toString());
+ } catch (Exception e) {
+ CMS.debug("TokenAuthentication authenticate Exception="+e.toString());
}
if (c != null) {
try {
- ByteArrayInputStream bis = new ByteArrayInputStream(
- c.getBytes());
+ ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
XMLObject parser = null;
try {
parser = new XMLObject(bis);
} catch (Exception e) {
- CMS.debug("TokenAuthentication::authenticate() - "
- + "Exception=" + e.toString());
- throw new EBaseException(e.toString());
+ CMS.debug( "TokenAuthentication::authenticate() - "
+ + "Exception="+e.toString() );
+ throw new EBaseException( e.toString() );
}
String status = parser.getValue("Status");
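Review bot: `new ByteArrayInputStream(c.getBytes())` decodes the security-domain reply with the platform default charset; use `c.getBytes("UTF-8")` (or the charset the response declares) so the parse does not depend on the JVM locale. The reply is then handed to `new XMLObject(bis)`; if XMLObject wraps a stock DocumentBuilder, confirm that DTD processing and external entity resolution are disabled, since the content arrived over the network. The outer `catch (Exception e)` at the start of the hunk leaves `c` null on any transport failure and only emits a debug line; how a null `c` is handled is decided outside this hunk.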
@@ -198,15 +195,13 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
authToken.set(TOKEN_UID, uid);
authToken.set(TOKEN_GID, gid);
- if (context != null) {
- CMS.debug("SessionContext.USER_ID " + uid
- + " SessionContext.GROUP_ID " + gid);
- context.put(SessionContext.USER_ID, uid);
- context.put(SessionContext.GROUP_ID, gid);
+ if(context != null) {
+ CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid);
+ context.put(SessionContext.USER_ID, uid );
+ context.put(SessionContext.GROUP_ID, gid );
}
- CMS.debug("TokenAuthentication: authenticated uid=" + uid
- + ", gid=" + gid);
+ CMS.debug("TokenAuthentication: authenticated uid="+uid+", gid="+gid);
} catch (EBaseException e) {
throw e;
} catch (Exception e) {
@@ -217,12 +212,11 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
}
/**
- * get the list of authentication credential attribute names required by
- * this authentication manager. Generally used by the servlets that handle
- * agent operations to authenticate its users. It calls this method to know
- * which are the required credentials from the user (e.g. Javascript form
- * data)
- *
+ * get the list of authentication credential attribute names
+ * required by this authentication manager. Generally used by
+ * the servlets that handle agent operations to authenticate its
+ * users. It calls this method to know which are the
+ * required credentials from the user (e.g. Javascript form data)
* @return attribute names in Vector
*/
public String[] getRequiredCreds() {
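Review bot: The reflowed Javadoc still documents the wrong return type: `getRequiredCreds()` returns `String[]`, but the tag reads `@return attribute names in Vector`. The same mismatch appears in the next hunk, where `getConfigParams()` also returns `String[]` while its Javadoc describes a `Hashtable of Vectors` and refers to `CertUserDBAuthentication` inside `TokenAuthentication`. Suggested replacements: `@return array of required credential attribute names` here and `@return array of configuration parameter names` for `getConfigParams()`.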
@@ -230,15 +224,15 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
}
/**
- * get the list of configuration parameter names required by this
- * authentication manager. Generally used by the Certificate Server Console
- * to display the table for configuration purposes. CertUserDBAuthentication
- * is currently not exposed in this case, so this method is not to be used.
- *
- * @return configuration parameter names in Hashtable of Vectors where each
- * hashtable entry's key is the substore name, value is a Vector of
- * parameter names. If no substore, the parameter name is the
- * Hashtable key itself, with value same as key.
+ * get the list of configuration parameter names
+ * required by this authentication manager. Generally used by
+ * the Certificate Server Console to display the table for
+ * configuration purposes. CertUserDBAuthentication is currently not
+ * exposed in this case, so this method is not to be used.
+ * @return configuration parameter names in Hashtable of Vectors
+ * where each hashtable entry's key is the substore name, value is a
+ * Vector of parameter names. If no substore, the parameter name
+ * is the Hashtable key itself, with value same as key.
*/
public String[] getConfigParams() {
return (mConfigParams);
@@ -251,8 +245,8 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
}
/**
- * gets the configuretion substore used by this authentication manager
- *
+ * gets the configuretion substore used by this authentication
+ * manager
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -262,7 +256,7 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
// Profile-related methods
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -294,13 +288,14 @@ public class TokenAuthentication implements IAuthManager, IProfileAuthenticator
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
return null;
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
}
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
index 255645c1..565bca1a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
@@ -32,10 +33,11 @@ import com.netscape.certsrv.base.IExtendedPluginInfo;
import com.netscape.certsrv.ldap.ELdapException;
import com.netscape.certsrv.logging.ILogger;
+
/**
* udn/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class UdnPwdDirAuthentication extends DirBasedAuthentication {
@@ -45,24 +47,30 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
public static final String CRED_PWD = "pwd";
protected static String[] mRequiredCreds = { CRED_UDN, CRED_PWD };
- /*
- * Holds configuration parameters accepted by this implementation. This list
- * is passed to the configuration console so configuration for instances of
- * this implementation can be configured through the console.
+ /* Holds configuration parameters accepted by this implementation.
+ * This list is passed to the configuration console so configuration
+ * for instances of this implementation can be configured through the
+ * console.
*/
- protected static String[] mConfigParams = new String[] { PROP_DNPATTERN,
- PROP_LDAPSTRINGATTRS, PROP_LDAPBYTEATTRS, "ldap.ldapconn.host",
- "ldap.ldapconn.port", "ldap.ldapconn.secureConn",
- "ldap.ldapconn.version", "ldap.minConns", "ldap.maxConns", };
+ protected static String[] mConfigParams =
+ new String[] { PROP_DNPATTERN,
+ PROP_LDAPSTRINGATTRS,
+ PROP_LDAPBYTEATTRS,
+ "ldap.ldapconn.host",
+ "ldap.ldapconn.port",
+ "ldap.ldapconn.secureConn",
+ "ldap.ldapconn.version",
+ "ldap.minConns",
+ "ldap.maxConns",
+ };
static {
- mExtendedPluginInfo
- .add(IExtendedPluginInfo.HELP_TEXT
- + ";Authenticate the user distinguished name and password provided "
- + "by the user against an LDAP directory. Works with the "
- + "Dir Based Enrollment HTML form");
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authentication");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
+ ";Authenticate the user distinguished name and password provided " +
+ "by the user against an LDAP directory. Works with the " +
+ "Dir Based Enrollment HTML form");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-authentication");
};
/**
@@ -75,14 +83,13 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
/**
* Initializes the UdnPwdDirAuthentication auth manager.
* <p>
- *
* @param name - The name for this authentication manager instance.
* @param implName - The name of the authentication manager plugin.
* @param config - The configuration store for this instance.
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
super.init(name, implName, config, false);
}
@@ -92,10 +99,12 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the udn and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds, AuthToken token) throws EBaseException {
+ protected String authenticate(LDAPConnection conn,
+ IAuthCredentials authCreds,
+ AuthToken token)
+ throws EBaseException {
String userdn = null;
// authenticate by binding to ldap server with password.
@@ -103,23 +112,20 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
// get the udn.
userdn = (String) authCreds.get(CRED_UDN);
if (userdn == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN));
}
-
+
// get the password.
String pwd = (String) authCreds.get(CRED_PWD);
if (pwd == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
}
if (pwd.equals("")) {
// anonymous binding not allowed
- log(ILogger.LL_FAILURE, "user " + userdn
- + " attempted login with empty password.");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_FAILURE,
+ "user " + userdn + " attempted login with empty password.");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// bind as user dn and pwd - authenticates user with pwd.
@@ -129,47 +135,43 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
return userdn;
} catch (ELdapException e) {
- log(ILogger.LL_FAILURE,
- "Couldn't get ldap connection. Error: " + e.toString());
+ log(ILogger.LL_FAILURE,
+ "Couldn't get ldap connection. Error: " + e.toString());
throw e;
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.NO_SUCH_OBJECT:
- case LDAPException.LDAP_PARTIAL_RESULTS:
- log(ILogger.LL_SECURITY,
- "user " + userdn
- + " does not exist in ldap server host "
- + conn.getHost() + ", port " + conn.getPort()
- + ".");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+ log(ILogger.LL_SECURITY,
+ "user " + userdn + " does not exist in ldap server host " +
+ conn.getHost() + ", port " + conn.getPort() + ".");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.INVALID_CREDENTIALS:
- log(ILogger.LL_SECURITY, "authenticate user " + userdn
- + " with bad password.");
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY,
+ "authenticate user " + userdn + " with bad password.");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.SERVER_DOWN:
log(ILogger.LL_FAILURE, "Ldap server is down.");
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
-
- default:
- log(ILogger.LL_FAILURE,
- "Ldap error encountered. " + e.getMessage());
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+
+ default:
+ log(ILogger.LL_FAILURE,
+ "Ldap error encountered. " + e.getMessage());
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
- }
+ }
}
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
@@ -178,7 +180,6 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
/**
* Returns array of required credentials for this authentication manager.
- *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -186,3 +187,4 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
}
}
+
diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
index 9619e20f..e97fee8b 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.util.Enumeration;
import java.util.Locale;
@@ -46,38 +47,46 @@ import com.netscape.certsrv.property.Descriptor;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
+
/**
* uid/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
-public class UidPwdDirAuthentication extends DirBasedAuthentication implements
- IProfileAuthenticator {
+public class UidPwdDirAuthentication extends DirBasedAuthentication
+ implements IProfileAuthenticator {
/* required credentials to authenticate. uid and pwd are strings. */
public static final String CRED_UID = "uid";
public static final String CRED_PWD = "pwd";
protected static String[] mRequiredCreds = { CRED_UID, CRED_PWD };
- /*
- * Holds configuration parameters accepted by this implementation. This list
- * is passed to the configuration console so configuration for instances of
- * this implementation can be configured through the console.
+ /* Holds configuration parameters accepted by this implementation.
+ * This list is passed to the configuration console so configuration
+ * for instances of this implementation can be configured through the
+ * console.
*/
- protected static String[] mConfigParams = new String[] { PROP_DNPATTERN,
- PROP_LDAPSTRINGATTRS, PROP_LDAPBYTEATTRS, "ldap.ldapconn.host",
- "ldap.ldapconn.port", "ldap.ldapconn.secureConn",
- "ldap.ldapconn.version", "ldap.basedn", "ldap.minConns",
- "ldap.maxConns", };
+ protected static String[] mConfigParams =
+ new String[] { PROP_DNPATTERN,
+ PROP_LDAPSTRINGATTRS,
+ PROP_LDAPBYTEATTRS,
+ "ldap.ldapconn.host",
+ "ldap.ldapconn.port",
+ "ldap.ldapconn.secureConn",
+ "ldap.ldapconn.version",
+ "ldap.basedn",
+ "ldap.minConns",
+ "ldap.maxConns",
+ };
static {
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT
- + ";Authenticate the username and password provided "
- + "by the user against an LDAP directory. Works with the "
- + "Dir Based Enrollment HTML form");
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authrules-uidpwddirauth");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
+ ";Authenticate the username and password provided " +
+ "by the user against an LDAP directory. Works with the " +
+ "Dir Based Enrollment HTML form");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-authrules-uidpwddirauth");
};
/**
@@ -93,10 +102,12 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds, AuthToken token) throws EBaseException {
+ protected String authenticate(LDAPConnection conn,
+ IAuthCredentials authCreds,
+ AuthToken token)
+ throws EBaseException {
String userdn = null;
String uid = null;
@@ -106,42 +117,36 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
uid = (String) authCreds.get(CRED_UID);
CMS.debug("Authenticating UID=" + uid);
if (uid == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
}
-
+
// get the password.
String pwd = (String) authCreds.get(CRED_PWD);
if (pwd == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_PWD));
}
if (pwd.equals("")) {
// anonymous binding not allowed
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// get user dn.
- CMS.debug("Authenticating: Searching for UID=" + uid + " base DN="
- + mBaseDN);
- LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
- "(uid=" + uid + ")", null, false);
+ CMS.debug("Authenticating: Searching for UID=" + uid +
+ " base DN=" + mBaseDN);
+ LDAPSearchResults res = conn.search(mBaseDN,
+ LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
if (res.hasMoreElements()) {
- // LDAPEntry entry = (LDAPEntry)res.nextElement();
+ //LDAPEntry entry = (LDAPEntry)res.nextElement();
LDAPEntry entry = res.next();
userdn = entry.getDN();
CMS.debug("Authenticating: Found User DN=" + userdn);
} else {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// bind as user dn and pwd - authenticates user with pwd.
@@ -151,44 +156,38 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
return userdn;
} catch (ELdapException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
throw e;
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.NO_SUCH_OBJECT:
- case LDAPException.LDAP_PARTIAL_RESULTS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("USER_NOT_EXIST", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("USER_NOT_EXIST", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.INVALID_CREDENTIALS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.SERVER_DOWN:
log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_SERVER_DOWN"));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
-
- default:
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("OPERATION_ERROR", e.getMessage()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+
+ default:
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
- }
+ }
}
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
@@ -197,7 +196,6 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
/**
* Returns array of required credentials for this authentication manager.
- *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -205,9 +203,9 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
}
// Profile-related methods
-
+
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -245,22 +243,23 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication implements
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
- if (name.equals(CRED_UID)) {
+ if (name.equals(CRED_UID)) {
return new Descriptor(IDescriptor.STRING, null, null,
CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID"));
} else if (name.equals(CRED_PWD)) {
return new Descriptor(IDescriptor.PASSWORD, null, null,
CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD"));
-
+
}
return null;
}
- public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ public void populate(IAuthToken token, IRequest request)
+ throws EProfileException {
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
token.getInString(USER_DN));
}
diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
index 6bc32edb..11605418 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
+
// ldap java sdk
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -52,14 +53,15 @@ import com.netscape.certsrv.property.Descriptor;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
+
/**
* uid/pwd/pin directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class UidPwdPinDirAuthentication extends DirBasedAuthentication
- implements IExtendedPluginInfo, IProfileAuthenticator {
+ implements IExtendedPluginInfo, IProfileAuthenticator {
/* required credentials to authenticate. uid and pwd are strings. */
public static final String CRED_UID = "uid";
@@ -77,43 +79,54 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
protected static final byte SENTINEL_MD5 = 1;
protected static final byte SENTINEL_NONE = 0x2d;
- /*
- * Holds configuration parameters accepted by this implementation. This list
- * is passed to the configuration console so configuration for instances of
- * this implementation can be configured through the console.
+ /* Holds configuration parameters accepted by this implementation.
+ * This list is passed to the configuration console so configuration
+ * for instances of this implementation can be configured through the
+ * console.
*/
- protected static String[] mConfigParams = new String[] { PROP_REMOVE_PIN,
- PROP_PIN_ATTR, PROP_DNPATTERN, PROP_LDAPSTRINGATTRS,
- PROP_LDAPBYTEATTRS, "ldap.ldapconn.host", "ldap.ldapconn.port",
- "ldap.ldapconn.secureConn", "ldap.ldapconn.version",
- "ldap.ldapauth.bindDN", "ldap.ldapauth.bindPWPrompt",
- "ldap.ldapauth.clientCertNickname", "ldap.ldapauth.authtype",
- "ldap.basedn", "ldap.minConns", "ldap.maxConns", };
+ protected static String[] mConfigParams =
+ new String[] { PROP_REMOVE_PIN,
+ PROP_PIN_ATTR,
+ PROP_DNPATTERN,
+ PROP_LDAPSTRINGATTRS,
+ PROP_LDAPBYTEATTRS,
+ "ldap.ldapconn.host",
+ "ldap.ldapconn.port",
+ "ldap.ldapconn.secureConn",
+ "ldap.ldapconn.version",
+ "ldap.ldapauth.bindDN",
+ "ldap.ldapauth.bindPWPrompt",
+ "ldap.ldapauth.clientCertNickname",
+ "ldap.ldapauth.authtype",
+ "ldap.basedn",
+ "ldap.minConns",
+ "ldap.maxConns",
+ };
static {
- mExtendedPluginInfo.add(PROP_REMOVE_PIN
- + ";boolean;SEE DOCUMENTATION for pin removal");
- mExtendedPluginInfo.add(PROP_PIN_ATTR
- + ";string;directory attribute to use for pin (default 'pin')");
- mExtendedPluginInfo
- .add("ldap.ldapauth.bindDN;string;DN to bind as for pin removal. "
- + "For example 'CN=PinRemoval User'");
- mExtendedPluginInfo
- .add("ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as "
- + "the above user");
- mExtendedPluginInfo
- .add("ldap.ldapauth.clientCertNickname;string;If you want to use "
- + "SSL client auth to the directory, set the client "
- + "cert nickname here");
- mExtendedPluginInfo
- .add("ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;"
- + "How to bind to the directory (for pin removal only)");
+ mExtendedPluginInfo.add(
+ PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal");
+ mExtendedPluginInfo.add(
+ PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')");
+ mExtendedPluginInfo.add(
+ "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. "
+ + "For example 'CN=PinRemoval User'");
+ mExtendedPluginInfo.add(
+ "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " +
+ "the above user");
+ mExtendedPluginInfo.add(
+ "ldap.ldapauth.clientCertNickname;string;If you want to use "
+ + "SSL client auth to the directory, set the client "
+ + "cert nickname here");
+ mExtendedPluginInfo.add(
+ "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;"
+ + "How to bind to the directory (for pin removal only)");
mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT
- + ";Authenticate the username, password and pin provided "
- + "by the user against an LDAP directory. Works with the "
- + "Dir/Pin Based Enrollment HTML form");
- mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-authrules-uidpwdpindirauth");
+ + ";Authenticate the username, password and pin provided "
+ + "by the user against an LDAP directory. Works with the "
+ + "Dir/Pin Based Enrollment HTML form");
+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-authrules-uidpwdpindirauth");
}
@@ -122,12 +135,12 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
protected MessageDigest mSHADigest = null;
protected MessageDigest mMD5Digest = null;
- private String mBindDN = null;
- private String mBindPassword = null;
+ private String mBindDN = null;
+ private String mBindPassword = null;
- private ILdapConnFactory removePinLdapFactory = null;
- private LDAPConnection removePinLdapConnection = null;
- private IConfigStore removePinLdapConfigStore = null;
+ private ILdapConnFactory removePinLdapFactory = null;
+ private LDAPConnection removePinLdapConnection = null;
+ private IConfigStore removePinLdapConfigStore = null;
/**
* Default constructor, initialization must follow.
@@ -136,11 +149,13 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
super();
}
- public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ public void init(String name, String implName, IConfigStore config)
+ throws EBaseException {
super.init(name, implName, config);
- mRemovePin = config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN);
- mPinAttr = config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR);
+ mRemovePin =
+ config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN);
+ mPinAttr =
+ config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR);
if (mPinAttr.equals("")) {
mPinAttr = DEF_PIN_ATTR;
}
@@ -151,19 +166,18 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
removePinLdapFactory.init(removePinLdapConfigStore);
removePinLdapConnection = removePinLdapFactory.getConn();
}
-
+
try {
mSHADigest = MessageDigest.getInstance("SHA1");
mMD5Digest = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
- throw new EAuthException(CMS.getUserMessage(
- "CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
+ throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
}
}
protected void verifyPassword(String Password) {
- }
+ }
/**
* Authenticates a user based on its uid, pwd, pin in the directory.
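Review bot: `verifyPassword(String Password)` is an empty method whose only change here is the indentation of its closing brace; an override that silently does nothing in an authentication class should either carry a comment stating why, e.g. `// intentionally a no-op: password policy is enforced by the directory bind`, or be removed so a reader does not assume a check happens. The `init` path in the same hunk also creates `"SHA1"` and `"MD5"` digests; if these back the pin comparison in `checkpin` (not visible here), both are weak hashes for stored secrets and a migration to a stronger digest for newly stored pins is worth tracking. `init` begins before this hunk.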
@@ -171,74 +185,66 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
* @param authCreds The authentication credentials with uid, pwd, pin.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds, AuthToken token) throws EBaseException {
+ protected String authenticate(LDAPConnection conn,
+ IAuthCredentials authCreds,
+ AuthToken token)
+ throws EBaseException {
String userdn = null;
- String uid = null;
- String pwd = null;
- String pin = null;
+ String uid = null;
+ String pwd = null;
+ String pin = null;
try {
// get the uid.
uid = (String) authCreds.get(CRED_UID);
if (uid == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
}
-
+
// get the password.
pwd = (String) authCreds.get(CRED_PWD);
if (pwd == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
}
if (pwd.equals("")) {
// anonymous binding not allowed
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// get the pin.
pin = (String) authCreds.get(CRED_PIN);
if (pin == null) {
- throw new EMissingCredential(CMS.getUserMessage(
- "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN));
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PIN));
}
if (pin.equals("")) {
// empty pin not allowed
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_EMPTY_PIN", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// get user dn.
- LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
- "(uid=" + uid + ")", null, false);
+ LDAPSearchResults res = conn.search(mBaseDN,
+ LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
if (res.hasMoreElements()) {
LDAPEntry entry = (LDAPEntry) res.nextElement();
userdn = entry.getDN();
} else {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// bind as user dn and pwd - authenticates user with pwd.
conn.authenticate(userdn, pwd);
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid));
// log(ILogger.LL_SECURITY, "found user : " + userdn);
- // check pin.
+ // check pin.
checkpin(conn, userdn, uid, pin);
// set uid in the token.
@@ -246,151 +252,132 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
return userdn;
} catch (ELdapException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
throw e;
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.NO_SUCH_OBJECT:
- case LDAPException.LDAP_PARTIAL_RESULTS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.INVALID_CREDENTIALS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.SERVER_DOWN:
log(ILogger.LL_SECURITY, CMS.getLogMessage("LDAP_SERVER_DOWN"));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
-
- default:
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("OPERATION_ERROR", e.getMessage()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_OTHER_LDAP_EXCEPTION", e.errorCodeToString()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+
+ default:
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage()));
+ throw new ELdapException(
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
- }
+ }
}
- protected void checkpin(LDAPConnection conn, String userdn, String uid,
- String pin) throws EBaseException, LDAPException {
+ protected void checkpin(LDAPConnection conn, String userdn,
+ String uid, String pin)
+ throws EBaseException, LDAPException {
LDAPSearchResults res = null;
LDAPEntry entry = null;
// get pin.
- res = conn.search(userdn, LDAPv2.SCOPE_BASE, "(objectclass=*)",
- new String[] { mPinAttr }, false);
+ res = conn.search(userdn, LDAPv2.SCOPE_BASE,
+ "(objectclass=*)", new String[] { mPinAttr }, false);
if (res.hasMoreElements()) {
entry = (LDAPEntry) res.nextElement();
} else {
- log(ILogger.LL_SECURITY, CMS.getLogMessage(
- "CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_ENTRY_RETURNED", uid, userdn));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
LDAPAttribute pinAttr = entry.getAttribute(mPinAttr);
if (pinAttr == null) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
Enumeration pinValues = pinAttr.getByteValues();
if (!pinValues.hasMoreElements()) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
- byte[] entrypin = (byte[]) pinValues.nextElement();
+ byte[] entrypin = (byte[]) pinValues.nextElement();
// compare value digest.
if (entrypin == null || entrypin.length < 2) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
-
+
byte hashtype = entrypin[0];
byte[] pinDigest = null;
String toBeDigested = userdn + pin;
if (hashtype == SENTINEL_SHA) {
-
+
pinDigest = mSHADigest.digest(toBeDigested.getBytes());
} else if (hashtype == SENTINEL_MD5) {
pinDigest = mMD5Digest.digest(toBeDigested.getBytes());
} else if (hashtype == SENTINEL_NONE) {
pinDigest = toBeDigested.getBytes();
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_UKNOWN_ENCODING_TYPE", mPinAttr, "*", userdn));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
if (pinDigest.length != (entrypin.length - 1)) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_LENGTH_NOT_MATCHED", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
int i;
for (i = 0; i < (entrypin.length - 1); i++) {
- if (pinDigest[i] != entrypin[i + 1])
+ if (pinDigest[i] != entrypin[i + 1])
break;
}
if (i != (entrypin.length - 1)) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
- throw new EInvalidCredentials(
- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
// pin ok. remove pin if so configured
// Note that this means that a policy may reject this request later,
// but the user will not be able to enroll again as his pin is gone.
-
+
// We remove the pin using a different connection which is bound as
// a more privileged user.
if (mRemovePin) {
try {
- removePinLdapConnection.modify(userdn, new LDAPModification(
- LDAPModification.DELETE, new LDAPAttribute(mPinAttr,
- entrypin)));
+ removePinLdapConnection.modify(userdn,
+ new LDAPModification(
+ LDAPModification.DELETE,
+ new LDAPAttribute(mPinAttr, entrypin)));
} catch (LDAPException e) {
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn));
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn));
}
}
}
/**
- * Returns a list of configuration parameter names. The list is passed to
- * the configuration console so instances of this implementation can be
- * configured through the console.
- *
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
+ * this implementation can be configured through the console.
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
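Review bot: The pin comparison at the end of checkpin (the `for (i = 0; i < (entrypin.length - 1); i++)` loop with `break` on the first differing byte, followed by `if (i != (entrypin.length - 1))`) stops as soon as a byte mismatches, so the time taken to reject a wrong pin grows with the length of the matching prefix — a timing side channel on an authentication path that the reformat leaves in place. Because both sides are plain byte arrays, the loop and its follow-up check can be replaced by a constant-time compare, `if (!MessageDigest.isEqual(pinDigest, Arrays.copyOfRange(entrypin, 1, entrypin.length))) {` keeping the existing CMS_AUTH_BAD_PASSWORD log and throw in that branch; folding the earlier length check into it would also stop a length mismatch being distinguishable from a content mismatch by log message. This needs java.security.MessageDigest and java.util.Arrays in scope; the file's imports are not visible here, though the mSHADigest/mMD5Digest fields suggest MessageDigest already is. Separately, the SENTINEL_NONE branch compares against a pin stored in clear and SENTINEL_MD5 against an unsalted MD5 of userdn+pin, and `toBeDigested.getBytes()` uses the platform default charset, so a stored digest is only reproducible on a server with the same default encoding — worth a `// NOTE: platform-default charset; switching to UTF-8 would invalidate pins hashed under another default` comment rather than a silent change. The enclosing authenticate method begins before this hunk; checkpin itself is fully inside it.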
@@ -399,7 +386,6 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
/**
* Returns array of required credentials for this authentication manager.
- *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -409,23 +395,21 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
// Profile-related methods
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
* Retrieves the localizable name of this policy.
*/
public String getName(Locale locale) {
- return CMS.getUserMessage(locale,
- "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME");
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_NAME");
}
/**
* Retrieves the localizable description of this policy.
*/
public String getText(Locale locale) {
- return CMS.getUserMessage(locale,
- "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT");
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID_PIN_TEXT");
}
/**
@@ -450,7 +434,8 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
}
/**
- * Retrieves the descriptor of the given value parameter by name.
+ * Retrieves the descriptor of the given value
+ * parameter by name.
*/
public IDescriptor getValueDescriptor(Locale locale, String name) {
if (name.equals(CRED_UID)) {
@@ -468,7 +453,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
token.getInString(USER_DN));
}
@@ -477,3 +462,4 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
return false;
}
}
+