Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication')
17 files changed, 1212 insertions, 1204 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java index 4cfe9a45..e9b1fb3d 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java +++ b/pki/base/common/src/com/netscape/cms/authentication/AVAPattern.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.io.IOException; import java.io.PushbackReader; import java.io.StringReader; 
@@ -36,24 +35,25 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.authentication.ECompSyntaxErr; - /** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn.<p> + * class for parsing a DN pattern used to construct a certificate + * subject name from ldap attributes and dn. + * <p> + * + * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name. + * <p> * - * dnpattern is a string representing a subject name pattern to formulate from - * the directory attributes and entry dn. If empty or not set, the - * ldap entry DN will be used as the certificate subject name. <p> + * The syntax is * - * The syntax is * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] + * dnPattern := rdnPattern *[ "," rdnPattern ] + * rdnPattern := avaPattern *[ "+" avaPattern ] * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number + * name "=" "$attr" "." attrName [ "." attrNumber ] | + * name "=" "$dn" "." attrName [ "." attrNumber ] | + * "$dn" "." "$rdn" "." number * </pre> + * * <pre> * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org 
@@ -80,11 +80,12 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr; * E = the first 'mail' ldap attribute value in user's entry. <br> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> + * * <pre> * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org @@ -109,15 +110,15 @@ import com.netscape.certsrv.authentication.ECompSyntaxErr; * <p> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> - * If an attribute or subject DN component does not exist the attribute - * is skipped. - * + * + * If an attribute or subject DN component does not exist the attribute is skipped. + * * @version $Revision$, $Date$ */ class AVAPattern { @@ -130,8 +131,8 @@ class AVAPattern { private static final char[] endChars = new char[] { '+', ',' }; - private static final LdapV3DNStrConverter mLdapDNStrConverter = - new LdapV3DNStrConverter(); + private static final LdapV3DNStrConverter mLdapDNStrConverter = + new LdapV3DNStrConverter(); /* ldap attributes needed by this AVA (to retrieve from ldap) */ protected String[] mLdapAttrs = null; @@ -140,7 +141,7 @@ class AVAPattern { protected String mType = null; /* the attribute in the AVA pair */ - protected String mAttr = null; + protected String mAttr = null; /* value - could be name of an ldap attribute or entry dn attribute. */ protected String mValue = null; 
@@ -151,19 +152,19 @@ class AVAPattern { protected String mTestDN = null; public AVAPattern(String component) - throws EAuthException { - if (component == null || component.length() == 0) + throws EAuthException { + if (component == null || component.length() == 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", component)); parse(new PushbackReader(new StringReader(component))); } - public AVAPattern(PushbackReader in) - throws EAuthException { + public AVAPattern(PushbackReader in) + throws EAuthException { parse(in); } private void parse(PushbackReader in) - throws EAuthException { + throws EAuthException { int c; // mark ava beginning. @@ -179,19 +180,19 @@ class AVAPattern { } catch (IOException e) { throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); } - if (c == -1) + if (c == -1) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "All blank")); - // $rdn "." number syntax. + // $rdn "." number syntax. if (c == '$') { //System.out.println("$rdn syntax"); mType = TYPE_RDN; try { - if (in.read() != 'r' || - in.read() != 'd' || - in.read() != 'n' || - in.read() != '.') + if (in.read() != 'r' || + in.read() != 'd' || + in.read() != 'n' || + in.read() != '.') throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn")); } catch (IOException e) { throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Invalid $ syntax, expecting $rdn")); @@ -212,7 +213,7 @@ class AVAPattern { String rdnNumber = rdnNumberBuf.toString().trim(); - if (rdnNumber.length() == 0) + if (rdnNumber.length() == 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "$rdn number not set in ava pattern")); try { mElement = Integer.parseInt(rdnNumber) - 1; 
@@ -227,15 +228,15 @@ class AVAPattern { // read name //System.out.println("reading name"); - StringBuffer attrBuf = new StringBuffer(); + StringBuffer attrBuf = new StringBuffer(); try { while (c != '=' && c != -1 && c != ',' && c != '+') { attrBuf.append((char) c); c = in.read(); //System.out.println("name read "+(char)c); - } - if (c == ',' || c == '+') + } + if (c == ',' || c == '+') in.unread(c); } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); @@ -243,11 +244,11 @@ class AVAPattern { if (c != '=') throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "Missing \"=\" in ava pattern")); - // read value - //System.out.println("reading value"); + // read value + //System.out.println("reading value"); - // skip spaces - //System.out.println("skip spaces for value"); + // skip spaces + //System.out.println("skip spaces for value"); try { while ((c = in.read()) == ' ' || c == '\t') {//System.out.println("spaces2 read "+(char)c); ; @@ -255,7 +256,7 @@ class AVAPattern { } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - if (c == -1) + if (c == -1) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "no value after = in ava pattern")); if (c == '$') { 
@@ -266,16 +267,16 @@ class AVAPattern { } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - if (c == -1) - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + if (c == -1) + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "expecting $dn or $attr in ava pattern")); if (c == 'a') { try { - if (in.read() != 't' || - in.read() != 't' || - in.read() != 'r' || - in.read() != '.') - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + if (in.read() != 't' || + in.read() != 't' || + in.read() != 'r' || + in.read() != '.') + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "expecting $attr in ava pattern")); } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); @@ -284,8 +285,8 @@ class AVAPattern { //System.out.println("---- mtype $attr"); } else if (c == 'd') { try { - if (in.read() != 'n' || - in.read() != '.') + if (in.read() != 'n' || + in.read() != '.') throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "expecting $dn in ava pattern")); } catch (IOException e) { 
@@ -294,21 +295,21 @@ class AVAPattern { mType = TYPE_DN; //System.out.println("----- mtype $dn"); } else { - throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", - "unknown keyword. expecting $dn or $attr.")); + throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", + "unknown keyword. expecting $dn or $attr.")); } // get attr name of dn pattern from above. String attrName = attrBuf.toString().trim(); //System.out.println("----- attrName "+attrName); - if (attrName.length() == 0) + if (attrName.length() == 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "attribute name expected")); - try { - ObjectIdentifier attrOid = - mLdapDNStrConverter.parseAVAKeyword(attrName); + try { + ObjectIdentifier attrOid = + mLdapDNStrConverter.parseAVAKeyword(attrName); - mAttr = mLdapDNStrConverter.encodeOID(attrOid); + mAttr = mLdapDNStrConverter.encodeOID(attrOid); //System.out.println("----- mAttr "+mAttr); } catch (IOException e) { throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); @@ -318,8 +319,8 @@ class AVAPattern { StringBuffer valueBuf = new StringBuffer(); try { - while ((c = in.read()) != ',' && - c != -1 && c != '.' && c != '+') { + while ((c = in.read()) != ',' && + c != -1 && c != '.' && c != '+') { //System.out.println("mValue read "+(char)c); valueBuf.append((char) c); } @@ -330,12 +331,12 @@ class AVAPattern { } mValue = valueBuf.toString().trim(); - if (mValue.length() == 0) + if (mValue.length() == 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "$dn or $attr attribute name expected")); - //System.out.println("----- mValue "+mValue); + //System.out.println("----- mValue "+mValue); - // get nth dn or attribute from ldap search. + // get nth dn or attribute from ldap search. if (c == '.') { StringBuffer attrNumberBuf = new StringBuffer(); 
@@ -345,13 +346,13 @@ class AVAPattern { attrNumberBuf.append((char) c); } if (c != -1) // either ',' or '+' - in.unread(c); // pushback last , or + + in.unread(c); // pushback last , or + } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } String attrNumber = attrNumberBuf.toString().trim(); - if (attrNumber.length() == 0) + if (attrNumber.length() == 0) throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", "nth element $dn or $attr expected")); try { @@ -372,7 +373,7 @@ class AVAPattern { valueBuf.append((char) c); try { while ((c = in.read()) != ',' && - c != -1) { + c != -1) { valueBuf.append((char) c); } if (c == '+' || c == ',') { // either ',' or '+' @@ -381,8 +382,8 @@ class AVAPattern { } catch (IOException e) { throw new ECompSyntaxErr(CMS.getUserMessage("CMS_AUTHENTICATION_COMPONENT_SYNTAX", e.getMessage())); } - try { - AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); + try { + AVA ava = mLdapDNStrConverter.parseAVA(attrBuf + "=" + valueBuf); mValue = ava.toLdapDNString(); //System.out.println("----- mValue "+mValue); @@ -393,19 +394,19 @@ class AVAPattern { } public String formAVA(LDAPEntry entry) - throws EAuthException { - if (mType == TYPE_CONSTANT) + throws EAuthException { + if (mType == TYPE_CONSTANT) return mValue; if (mType == TYPE_RDN) { String dn = entry.getDN(); - if (mTestDN != null) + if (mTestDN != null) dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); + //System.out.println("AVAPattern Using dn "+mTestDN); String[] rdns = LDAPDN.explodeDN(dn, false); - if (mElement >= rdns.length) + if (mElement >= rdns.length) return null; return rdns[mElement]; } 
@@ -413,9 +414,9 @@ class AVAPattern { if (mType == TYPE_DN) { String dn = entry.getDN(); - if (mTestDN != null) + if (mTestDN != null) dn = mTestDN; - //System.out.println("AVAPattern Using dn "+mTestDN); + //System.out.println("AVAPattern Using dn "+mTestDN); String[] rdns = LDAPDN.explodeDN(dn, false); String value = null; int nFound = -1; @@ -426,14 +427,14 @@ class AVAPattern { for (int j = 0; j < avas.length; j++) { String[] exploded = explodeAVA(avas[j]); - if (exploded[0].equalsIgnoreCase(mValue) && - ++nFound == mElement) { + if (exploded[0].equalsIgnoreCase(mValue) && + ++nFound == mElement) { value = exploded[1]; break; } } } - if (value == null) + if (value == null) return null; return mAttr + "=" + value; } @@ -441,11 +442,11 @@ class AVAPattern { if (mType == TYPE_ATTR) { LDAPAttribute ldapAttr = entry.getAttribute(mValue); - if (ldapAttr == null) + if (ldapAttr == null) return null; String value = null; @SuppressWarnings("unchecked") - Enumeration<String> ldapValues = ldapAttr.getStringValues(); + Enumeration<String> ldapValues = ldapAttr.getStringValues(); for (int i = 0; ldapValues.hasMoreElements(); i++) { String val = (String) ldapValues.nextElement(); @@ -455,7 +456,7 @@ class AVAPattern { break; } } - if (value == null) + if (value == null) return null; String v = escapeLdapString(value); @@ -486,16 +487,16 @@ class AVAPattern { int k = i + 1; if (i == len - 1 || - (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' || - c[k] == '>' || c[k] == '#' || c[k] == ';')) { + (c[k] == ',' || c[k] == '=' || c[k] == '+' || c[k] == '<' || + c[k] == '>' || c[k] == '#' || c[k] == ';')) { newc[j++] = '\\'; newc[j++] = c[i]; } } // escape QUOTATION else if (c[i] == '"') { - if ((i == 0 && c[len - 1] != '"') || - (i == len - 1 && c[0] != '"') || - (i > 0 && i < len - 1)) { + if ((i == 0 && c[len - 1] != '"') || + (i == len - 1 && c[0] != '"') || + (i > 0 && i < len - 1)) { newc[j++] = '\\'; newc[j++] = c[i]; } 
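Review bot: In the TYPE_DN loop `explodeAVA(avas[j])` can return null (its body returns null when the component has no `=`, visible in the later explodeAVA hunk), so `exploded[0].equalsIgnoreCase(mValue)` throws a NullPointerException on a malformed RDN component in the entry DN rather than skipping it as the class Javadoc describes. The DN is read from the directory entry, so a guard such as `if (exploded == null) continue;` before the comparison keeps formAVA on its documented skip path. formAVA starts and ends outside this hunk.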
@@ -513,20 +514,20 @@ class AVAPattern { } /** - * Explode RDN into AVAs. - * Does not handle escaped '+' + * Explode RDN into AVAs. + * Does not handle escaped '+' * Java ldap library does not yet support multiple avas per rdn. - * If RDN is malformed returns empty array. + * If RDN is malformed returns empty array. */ public static String[] explodeRDN(String rdn) { int plus = rdn.indexOf('+'); - if (plus == -1) + if (plus == -1) return new String[] { rdn }; Vector<String> avas = new Vector<String>(); StringTokenizer token = new StringTokenizer(rdn, "+"); - while (token.hasMoreTokens()) + while (token.hasMoreTokens()) avas.addElement(token.nextToken()); String[] theAvas = new String[avas.size()]; @@ -535,17 +536,16 @@ class AVAPattern { } /** - * Explode AVA into name and value. + * Explode AVA into name and value. * Does not handle escaped '=' * If AVA is malformed empty array is returned. */ public static String[] explodeAVA(String ava) { int equals = ava.indexOf('='); - if (equals == -1) + if (equals == -1) return null; return new String[] { - ava.substring(0, equals).trim(), ava.substring(equals + 1).trim()}; + ava.substring(0, equals).trim(), ava.substring(equals + 1).trim() }; } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java index 270d1fa2..65ef434a 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/AgentCertAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Enumeration; 
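Review bot: The Javadoc on explodeAVA says `If AVA is malformed empty array is returned`, but the body does `return null;` when no `=` is found, and formAVA indexes the result directly. Either the comment should read `If AVA is malformed, null is returned.` so callers know to check, or the method should return `new String[0]` and the caller be adjusted; the current mismatch is what lets the null reach `exploded[0]`. The explodeRDN Javadoc in the same hunk is accurate for its code path and needs no change.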
@@ -48,16 +47,15 @@ import com.netscape.certsrv.usrgrp.ICertUserLocator; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; - /** - * Certificate server agent authentication. - * Maps a SSL client authenticate certificate to a user (agent) entry in the - * internal database. + * Certificate server agent authentication. + * Maps a SSL client authenticate certificate to a user (agent) entry in the + * internal database. * <P> - * + * * @version $Revision$, $Date$ */ -public class AgentCertAuthentication implements IAuthManager, +public class AgentCertAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ @@ -91,14 +89,14 @@ public class AgentCertAuthentication implements IAuthManager, /** * initializes the CertUserDBAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -106,7 +104,7 @@ public class AgentCertAuthentication implements IAuthManager, mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); mCULocator = mUGSub.getCertUserLocator(); } - + /** * Gets the name of this authentication manager. */ @@ -120,7 +118,7 @@ public class AgentCertAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return true; } 
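Review bot: The Javadoc on `init` says it `initializes the CertUserDBAuthentication auth manager`, which looks carried over from another class; in this file the manager is AgentCertAuthentication. Suggest `initializes the AgentCertAuthentication auth manager`. The same stale class name appears in the getConfigParams Javadoc in a later hunk of this file.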
@@ -128,29 +126,29 @@ public class AgentCertAuthentication implements IAuthManager, /** * authenticates user(agent) by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users (agents) + * called by other subsystems or their servlets to authenticate users (agents) + * * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * an usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * + * * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("AgentCertAuthentication: start"); - CMS.debug("authenticator instance name is "+getName()); + CMS.debug("authenticator instance name is " + getName()); // force SSL handshake SessionContext context = SessionContext.getExistingContext(); ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); + context.get("sslClientCertProvider"); if (provider == null) { CMS.debug("AgentCertAuthentication: No SSL Client Cert Provider Found"); 
@@ -185,15 +183,15 @@ public class AgentCertAuthentication implements IAuthManager, // check if certificate(s) is revoked boolean checkRevocation = true; try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); + checkRevocation = mConfig.getBoolean("checkRevocation", true); } catch (EBaseException e) { - // do nothing; default to true + // do nothing; default to true } if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("AgentCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } + if (CMS.isRevoked(ci)) { + CMS.debug("AgentCertAuthentication: certificate revoked"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } } // map cert to user @@ -205,7 +203,7 @@ public class AgentCertAuthentication implements IAuthManager, } catch (EUsrGrpException e) { throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } catch (netscape.ldap.LDAPException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); } 
@@ -219,16 +217,16 @@ public class AgentCertAuthentication implements IAuthManager, IConfigStore sconfig = CMS.getConfigStore(); String groupname = ""; try { - groupname = sconfig.getString("auths.instance."+ getName() +".agentGroup", - ""); + groupname = sconfig.getString("auths.instance." + getName() + ".agentGroup", + ""); } catch (EBaseException ee) { } if (!groupname.equals("")) { - CMS.debug("check if "+user.getUserID()+" is in group "+groupname); - IUGSubsystem uggroup = (IUGSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_UG); + CMS.debug("check if " + user.getUserID() + " is in group " + groupname); + IUGSubsystem uggroup = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); if (!uggroup.isMemberOf(user, groupname)) { - CMS.debug(user.getUserID()+" is not in this group "+groupname); + CMS.debug(user.getUserID() + " is not in this group " + groupname); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); } } @@ -237,7 +235,7 @@ public class AgentCertAuthentication implements IAuthManager, authToken.set(TOKEN_USERID, user.getUserID()); authToken.set(TOKEN_UID, user.getUserID()); authToken.set(TOKEN_GROUP, groupname); - authToken.set(CRED_CERT, certs); + authToken.set(CRED_CERT, certs); CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN()); 
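Review bot: The empty `catch (EBaseException ee) { }` around the `auths.instance.<name>.agentGroup` lookup leaves groupname as `""`, and the following `if (!groupname.equals(""))` then skips the group-membership check entirely, so a failed configuration read arguably fails open. At minimum it should be logged, e.g. `CMS.debug("AgentCertAuthentication: unable to read agentGroup: " + ee);`, so an operator can tell the check was bypassed rather than unconfigured. authenticate starts and ends outside this hunk.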
@@ -246,10 +244,11 @@ public class AgentCertAuthentication implements IAuthManager, /** * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -258,14 +257,15 @@ public class AgentCertAuthentication implements IAuthManager, /** * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); 
@@ -279,7 +279,8 @@ public class AgentCertAuthentication implements IAuthManager, /** * gets the configuretion substore used by this authentication - * manager + * manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -289,7 +290,7 @@ public class AgentCertAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -326,6 +327,6 @@ public class AgentCertAuthentication implements IAuthManager, } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { } } diff --git a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java index fef68c1c..c699be92 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java +++ b/pki/base/common/src/com/netscape/cms/authentication/CMCAuth.java @@ -20,7 +20,6 @@ package com.netscape.cms.authentication; - /////////////////////// // import statements // /////////////////////// @@ -101,7 +100,7 @@ import com.netscape.cmsutil.util.Utils; /** * UID/CMC authentication plug-in * <P> - * + * * @version $Revision$, $Date$ */ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, 
@@ -110,133 +109,126 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, //////////////////////// // default parameters // //////////////////////// - - - + ///////////////////////////// // IAuthManager parameters // ///////////////////////////// - + /* authentication plug-in configuration store */ private IConfigStore mConfig; private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; - public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; public static final String REASON_CODE = "reasonCode"; /* authentication plug-in name */ private String mImplName = null; - + /* authentication plug-in instance name */ private String mName = null; - + /* authentication plug-in fields */ - - - + /* Holds authentication plug-in fields accepted by this implementation. * This list is passed to the configuration console so configuration * for instances of this implementation can be configured through the * console. */ protected static String[] mConfigParams = - new String[] {}; - + new String[] {}; + /* authentication plug-in values */ - + /* authentication plug-in properties */ - - + /* required credentials to authenticate. UID and CMC are strings. */ public static final String CRED_CMC = "cmcRequest"; - + protected static String[] mRequiredCreds = {}; - + //////////////////////////////////// // IExtendedPluginInfo parameters // //////////////////////////////////// - + /* Vector of extendedPluginInfo strings */ protected static Vector mExtendedPluginInfo = null; //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; - - + /* actual help messages */ static { mExtendedPluginInfo = new Vector(); - + mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the CMC request. 
The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); + ";Authenticate the CMC request. The signer must be an agent. The \"Authentication Instance ID\" must be named \"CMCAuth\""); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); + ";configuration-authentication"); } - + /////////////////////// // Logger parameters // /////////////////////// - + /* the system's logger */ private ILogger mLogger = CMS.getLogger(); - + /* signed audit parameters */ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = - "enrollment"; + "enrollment"; private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = - "revocation"; - private final static String - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = - "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; + "revocation"; + private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY = + "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; ///////////////////// // default methods // ///////////////////// - + /** * Default constructor, initialization must follow. */ public CMCAuth() { } - + ////////////////////////// // IAuthManager methods // ////////////////////////// - + /** * Initializes the CMCAuth authentication plug-in. * <p> + * * @param name The name for this authentication plug-in instance. * @param implName The name of the authentication plug-in. * @param config - The configuration store for this instance. * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; - + log(ILogger.LL_INFO, "Initialization complete!"); } - + /** * Authenticates user by their CMC; * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. 
* <P> - * + * * <ul> - * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY - * used when CMC (agent-pre-signed) cert requests or revocation requests - * are submitted and signature is verified + * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY used when CMC (agent-pre-signed) cert requests or revocation requests are submitted and signature is verified * </ul> + * * @param authCred Authentication credentials, CRED_UID and CRED_CMC. * @return an AuthToken * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. + * If a required authentication credential is missing. * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. + * If credentials failed authentication. * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. + * If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken */ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException { @@ -245,13 +237,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String auditReqType = ILogger.UNIDENTIFIED; String auditCertSubject = ILogger.UNIDENTIFIED; String auditSignerInfo = ILogger.UNIDENTIFIED; - + // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { // get the CMC. - Object argblock = (Object)(authCred.getArgBlock()); + Object argblock = (Object) (authCred.getArgBlock()); Object returnVal = null; if (argblock == null) { returnVal = authCred.get("cert_request"); 
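Review bot: `protected static Vector mExtendedPluginInfo = null;` and `mExtendedPluginInfo = new Vector();` in the static initializer use the raw type, while the AVAPattern hunk earlier in this diff already uses `Vector<String>`. Writing `protected static Vector<String> mExtendedPluginInfo = null;` and `mExtendedPluginInfo = new Vector<String>();` keeps the series consistent and removes the unchecked warning; the only values added are string concatenations. The hunk ends at the authenticate signature; its body continues in the following hunks.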
@@ -266,140 +258,139 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, if (cmc == null) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); throw new EMissingCredential(CMS.getUserMessage( - "CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_CMC)); + "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); } if (cmc.equals("")) { log(ILogger.LL_FAILURE, - "cmc : attempted login with empty CMC."); + "cmc : attempted login with empty CMC."); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + // authenticate by checking CMC. - + // everything OK. // now formulate the certificate info. // set the subject name at a minimum. // set anything else like version, extensions, etc. // if nothing except subject name is set the rest of // cert info will be filled in by policies and CA defaults. 
- + AuthToken authToken = new AuthToken(this); - + try { String asciiBASE64Blob; - + int startIndex = cmc.indexOf(HEADER); int endIndex = cmc.indexOf(TRAILER); - if (startIndex!= -1 && endIndex!=-1) { + if (startIndex != -1 && endIndex != -1) { startIndex = startIndex + HEADER.length(); - asciiBASE64Blob=cmc.substring(startIndex, endIndex); - }else + asciiBASE64Blob = cmc.substring(startIndex, endIndex); + } else asciiBASE64Blob = cmc; - byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); - ByteArrayInputStream cmcBlobIn= new + ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob); - + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = - (org.mozilla.jss.pkix.cms.ContentInfo) - org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( - cmcBlobIn); + (org.mozilla.jss.pkix.cms.ContentInfo) + org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( + cmcBlobIn); - if(!cmcReq.getContentType().equals( - org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || - !cmcReq.hasContent()) { + if (!cmcReq.getContentType().equals( + org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || + !cmcReq.hasContent()) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); throw new EBaseException("NO_CMC_CONTENT"); } - + SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); - + IConfigStore cmc_config = CMS.getConfigStore(); boolean checkSignerInfo = - cmc_config.getBoolean("cmc.signerInfo.verify", true); + cmc_config.getBoolean("cmc.signerInfo.verify", true); String userid = "defUser"; String uid = "defUser"; if (checkSignerInfo) { - IAuthToken 
agentToken = verifySignerInfo(authToken,cmcFullReq); + IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); userid = agentToken.getInString("userid"); uid = agentToken.getInString("cn"); } else { CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); } // reset value of auditSignerInfo - if( uid != null ) { + if (uid != null) { auditSignerInfo = uid.trim(); } EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - + OBJECT_IDENTIFIER id = ci.getContentType(); if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || - !ci.hasContent()) { + !ci.hasContent()) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // throw new ECMSGWException( // CMSGWResources.NO_PKIDATA); throw new EBaseException("NO_PKIDATA"); } - + OCTET_STRING content = ci.getContent(); - + ByteArrayInputStream s = new - ByteArrayInputStream(content.toByteArray()); + ByteArrayInputStream(content.toByteArray()); PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - + SEQUENCE reqSequence = pkiData.getReqSequence(); - + int numReqs = reqSequence.size(); if (numReqs == 0) { 
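Review bot: The `checkSignerInfo == false` branch (`cmc.signerInfo.verify`) only emits `CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed")` while `uid` and `userid` stay at the literal `"defUser"`, so a request accepted without any signature check reaches the signed audit log with `auditSignerInfo` = `defUser` and a SUCCESS outcome indistinguishable from a verified one. Since this is the only place that decides whether the "signer must be an agent" rule from the plug-in help text is applied at all, the bypass itself should be recorded at security level, e.g. `log(ILogger.LL_SECURITY, "cmc.signerInfo.verify=false: CMC request accepted without signer verification");` next to the debug line, and the bypass should be reflected in the audit message rather than a default user name. Note also that the content-type test only requires the outer ContentInfo to be SIGNED_DATA with content, so with verification off a SignedData carrying no SignerInfos at all is accepted. The enclosing `authenticate()` method begins before this hunk and continues after it.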
@@ -414,11 +405,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, if (controlSize > 0) { for (int i = 0; i < controlSize; i++) { TaggedAttribute taggedAttribute = - (TaggedAttribute) controlSequence.elementAt(i); + (TaggedAttribute) controlSequence.elementAt(i); OBJECT_IDENTIFIER type = taggedAttribute.getType(); - if( type.equals( - OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { + if (type.equals( + OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { // if( i ==1 ) { // taggedAttribute.getType() == // OBJECT_IDENTIFIER.id_cmc_revokeRequest @@ -431,19 +422,17 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, bigIntArray = new BigInteger[numVals]; for (int j = 0; j < numVals; j++) { // serialNumber INTEGER - + // SEQUENCE RevRequest = (SEQUENCE) // values.elementAt(j); byte[] encoded = ASN1Util.encode( - values.elementAt(j)); - org.mozilla.jss.asn1.ASN1Template - template = new - org.mozilla.jss.pkix.cmmf.RevRequest.Template(); - org.mozilla.jss.pkix.cmmf.RevRequest - revRequest = - (org.mozilla.jss.pkix.cmmf.RevRequest) - ASN1Util.decode(template, encoded); - + values.elementAt(j)); + org.mozilla.jss.asn1.ASN1Template template = new + org.mozilla.jss.pkix.cmmf.RevRequest.Template(); + org.mozilla.jss.pkix.cmmf.RevRequest revRequest = + (org.mozilla.jss.pkix.cmmf.RevRequest) + ASN1Util.decode(template, encoded); + // SEQUENCE RevRequest = (SEQUENCE) // ASN1Util.decode( // SEQUENCE.getTemplate(), 
@@ -460,20 +449,20 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, INTEGER temp = revRequest.getSerialNumber(); int temp2 = temp.intValue(); - + bigIntArray[j] = temp; - authToken.set(TOKEN_CERT_SERIAL,bigIntArray); - + authToken.set(TOKEN_CERT_SERIAL, bigIntArray); + long reasonCode = revRequest.getReason().getValue(); - Integer IntObject = Integer.valueOf((int)reasonCode); - authToken.set(REASON_CODE,IntObject); - - authToken.set("uid",uid); - authToken.set("userid",userid); + Integer IntObject = Integer.valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + + authToken.set("uid", uid); + authToken.set("userid", userid); } } } - + } } else { // enrollment request @@ -487,33 +476,33 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, for (int i = 0; i < numReqs; i++) { // decode message. TaggedRequest taggedRequest = - (TaggedRequest) reqSequence.elementAt(i); + (TaggedRequest) reqSequence.elementAt(i); TaggedRequest.Type type = taggedRequest.getType(); if (type.equals(TaggedRequest.PKCS10)) { CMS.debug("CMCAuth: in PKCS10"); TaggedCertificationRequest tcr = - taggedRequest.getTcr(); + taggedRequest.getTcr(); int p10Id = tcr.getBodyPartID().intValue(); reqIdArray[i] = String.valueOf(p10Id); CertificationRequest p10 = - tcr.getCertificationRequest(); + tcr.getCertificationRequest(); // transfer to sun class ByteArrayOutputStream ostream = - new ByteArrayOutputStream(); + new ByteArrayOutputStream(); p10.encode(ostream); try { PKCS10 pkcs10 = - new PKCS10(ostream.toByteArray()); + new PKCS10(ostream.toByteArray()); // xxx do we need to do anything else? X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); + CMS.getDefaultX509CertInfo(); // fillPKCS10(certInfo,pkcs10,authToken,null); 
@@ -523,12 +512,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, X500Name tempName = pkcs10.getSubjectName(); // reset value of auditCertSubject - if( tempName != null ) { + if (tempName != null) { auditCertSubject = - tempName.toString().trim(); - if( auditCertSubject.equals( "" ) ) { + tempName.toString().trim(); + if (auditCertSubject.equals("")) { auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; + ILogger.SIGNED_AUDIT_EMPTY_VALUE; } authToken.set(AuthToken.TOKEN_CERT_SUBJECT, tempName.toString()); @@ -541,19 +530,19 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } catch (Exception e) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); //throw new ECMSGWException( //CMSGWResources.ERROR_PKCS101, e.toString()); - e.printStackTrace(); + e.printStackTrace(); throw new EBaseException(e.toString()); } } else if (type.equals(TaggedRequest.CRMF)) { @@ -561,7 +550,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, CMS.debug("CMCAuth: in CRMF"); try { CertReqMsg crm = - taggedRequest.getCrm(); + taggedRequest.getCrm(); CertRequest certReq = crm.getCertReq(); INTEGER reqID = certReq.getCertReqId(); reqIdArray[i] = reqID.toString(); 
@@ -570,16 +559,16 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, // xxx do we need to do anything else? X509CertInfo certInfo = - CMS.getDefaultX509CertInfo(); + CMS.getDefaultX509CertInfo(); // reset value of auditCertSubject - if( name != null ) { + if (name != null) { String ss = name.getRFC1485(); auditCertSubject = ss; - if( auditCertSubject.equals( "" ) ) { + if (auditCertSubject.equals("")) { auditCertSubject = - ILogger.SIGNED_AUDIT_EMPTY_VALUE; + ILogger.SIGNED_AUDIT_EMPTY_VALUE; } authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); @@ -590,14 +579,14 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } catch (Exception e) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); //throw new ECMSGWException( //CMSGWResources.ERROR_PKCS101, e.toString()); 
@@ -615,134 +604,138 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } catch (Exception e) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); //Debug.printStackTrace(e); throw new EInvalidCredentials(CMS.getUserMessage( - "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.SUCCESS, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.SUCCESS, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); return authToken; - } catch( EMissingCredential eAudit1 ) { + } catch (EMissingCredential eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit1; - } catch( EInvalidCredentials eAudit2 ) { + } catch (EInvalidCredentials eAudit2) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - 
auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit2; - } catch( EBaseException eAudit3 ) { + } catch (EBaseException eAudit3) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, - auditSignerInfo ); + LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY, + auditSubjectID, + ILogger.FAILURE, + auditReqType, + auditCertSubject, + auditSignerInfo); - audit( auditMessage ); + audit(auditMessage); // rethrow the specific exception to be handled later throw eAudit3; } } - + /** * Returns a list of configuration parameter names. * The list is passed to the configuration console so instances of * this implementation can be configured through the console. * <p> + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { return (mConfigParams); } - + /** * gets the configuration substore used by this authentication - * plug-in + * plug-in * <p> + * * @return configuration store */ public IConfigStore getConfigStore() { return mConfig; } - + /** * gets the plug-in name of this authentication plug-in. */ public String getImplName() { return mImplName; } - + /** * gets the name of this authentication plug-in instance */ public String getName() { return mName; } - + /** * get the list of required credentials. * <p> + * * @return list of required credentials as strings. */ public String[] getRequiredCreds() { return (mRequiredCreds); } - + /** * prepares for shutdown. 
*/ public void shutdown() { } - + ///////////////////////////////// // IExtendedPluginInfo methods // ///////////////////////////////// - + /** * Activate the help system. * <p> + * * @return help messages */ public String[] getExtendedPluginInfo() { @@ -755,14 +748,15 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } return s; } - + //////////////////// // Logger methods // //////////////////// - + /** * Logs a message for this class in the system log file. * <p> + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -771,19 +765,19 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, if (mLogger == null) return; mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, "CMC Authentication: " + msg); + level, "CMC Authentication: " + msg); } - - protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq) throws EInvalidCredentials { - + + protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EInvalidCredentials { + EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); OBJECT_IDENTIFIER id = ci.getContentType(); OCTET_STRING content = ci.getContent(); - + try { ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - + SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); int numDig = dais.size(); Hashtable digs = new Hashtable(); 
@@ -792,24 +786,24 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, //object in the signedData object. for (int i = 0; i < numDig; i++) { AlgorithmIdentifier dai = - (AlgorithmIdentifier) dais.elementAt(i); + (AlgorithmIdentifier) dais.elementAt(i); String name = - DigestAlgorithm.fromOID(dai.getOID()).toString(); - + DigestAlgorithm.fromOID(dai.getOID()).toString(); + MessageDigest md = - MessageDigest.getInstance(name); - + MessageDigest.getInstance(name); + byte[] digest = md.digest(content.toByteArray()); digs.put(name, digest); } - + SET sis = cmcFullReq.getSignerInfos(); int numSis = sis.size(); - + for (int i = 0; i < numSis; i++) { org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); - + String name = si.getDigestAlgorithm().toString(); byte[] digest = (byte[]) digs.get(name); @@ -819,7 +813,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, pkiData.encode((OutputStream) ostream); digest = md.digest(ostream.toByteArray()); - + } // signed by previously certified signature key SignerIdentifier sid = si.getSignerIdentifier(); 
@@ -833,30 +827,29 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, SET certs = cmcFullReq.getCertificates(); int numCerts = certs.size(); java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; - byte[] certByteArray = new byte[0]; - for (int j = 0; j < numCerts; j++) { + byte[] certByteArray = new byte[0]; + for (int j = 0; j < numCerts; j++) { Certificate certJss = (Certificate) certs.elementAt(j); CertificateInfo certI = certJss.getInfo(); Name issuer = certI.getIssuer(); - + byte[] issuerB = ASN1Util.encode(issuer); - INTEGER sn = certI.getSerialNumber(); + INTEGER sn = certI.getSerialNumber(); // if this cert is the signer cert, not a cert in the chain if (new String(issuerB).equals(new String(ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) - && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString()) ) - { + && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { ByteArrayOutputStream os = new - ByteArrayOutputStream(); + ByteArrayOutputStream(); certJss.encode(os); - certByteArray = os.toByteArray(); - + certByteArray = os.toByteArray(); + X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); cert = tempcert; x509Certs[0] = cert; - // xxx validate the cert length - + // xxx validate the cert length + } } CMS.debug("CMCAuth: start checking signature"); 
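Review bot: The signer-certificate match on the new side still compares the DER-encoded issuer names by round-tripping both byte arrays through `new String(byte[])` with the platform default charset; byte sequences that are not valid in that charset decode to U+FFFD, so two distinct issuer encodings can compare equal and the wrong certificate from the `certs` set can be chosen as the signer. Compare the bytes directly instead: `if (Arrays.equals(issuerB, ASN1Util.encode(issuerAndSerialNumber.getIssuer())) && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) {` (java.util.Arrays may need importing; the serial comparison can stay as it is). The loop also never `break`s on a match, so a later duplicate silently overwrites `cert` and `certByteArray`, and when nothing matches `certByteArray` stays empty and `x509Certs[0]` null, which the following hunk hands to `isCertValid` and then dereferences; the `// xxx validate the cert length` TODO is still open. `verifySignerInfo` starts and ends outside this hunk.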
@@ -880,38 +873,38 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, si.verify(digest, id, pubK); } CMS.debug("CMCAuth: finished checking signature"); - // verify signer's certificate using the revocator - CryptoManager cm = CryptoManager.getInstance(); - if( ! cm.isCertValid( certByteArray, true,CryptoManager.CertUsage.SSLClient) ) + // verify signer's certificate using the revocator + CryptoManager cm = CryptoManager.getInstance(); + if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - // authenticate signer's certificate using the userdb + // authenticate signer's certificate using the userdb IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); - + IAuthManager agentAuth = authSS.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);//AGENT_AUTHMGR_ID); - IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); - + IAuthCredentials agentCred = new com.netscape.certsrv.authentication.AuthCredentials(); + agentCred.set(IAuthManager.CRED_SSL_CLIENT_CERT, x509Certs); - + IAuthToken tempToken = agentAuth.authenticate(agentCred); netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); String CN = (String) tempPrincipal.getCommonName();//tempToken.get("userid"); - - BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); - authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT,agentCertSerial.toString()); - tempToken.set("cn",CN); + + BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); + authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); + tempToken.set("cn", CN); return tempToken; - + } // find from internaldb if it's ca. (ra does not have that.) 
// find from internaldb usrgrp info - + // find from certDB - si.verify(digest, id); - + si.verify(digest, id); + } // } - }catch (InvalidBERException e) { + } catch (InvalidBERException e) { CMS.debug("CMCAuth: " + e.toString()); } catch (IOException e) { CMS.debug("CMCAuth: " + e.toString()); @@ -919,7 +912,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } return (IAuthToken) null; - + } public String[] getExtendedPluginInfo(Locale locale) { @@ -929,22 +922,20 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** * Retrieves the localizable name of this policy. */ - public String getName(Locale locale) - { + public String getName(Locale locale) { return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); } /** * Retrieves the localizable description of this policy. */ - public String getText(Locale locale) - { + public String getText(Locale locale) { return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); } @@ -968,13 +959,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, public IDescriptor getValueDescriptor(Locale locale, String name) { if (name.equals(CRED_CMC)) { return new Descriptor(IDescriptor.STRING_LIST, null, null, - "CMC request"); + "CMC request"); } return null; } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); } 
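Review bot: `verifySignerInfo` returns `tempToken` from inside the SignerInfo loop for the first certificate-identified signer and otherwise falls through to `return (IAuthToken) null;` (zero SignerInfos, the `si.verify(digest, id)` path for signers without an embedded certificate, or an InvalidBERException/IOException that is only logged with `CMS.debug`), while the caller in `authenticate()` immediately does `agentToken.getInString("userid")`, so those cases are rejected only through a NullPointerException caught by the generic `catch (Exception e)`. Make the rejection explicit by replacing the null return with `throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));` so that the failure is not dependent on a caller dereferencing the result. Separately, the help text promises that the signer must be an agent, but the manager consulted is `CERTUSERDB_AUTHMGR_ID` (the `AGENT_AUTHMGR_ID` variant is commented out) and the `cn` placed on the token comes from the certificate subject rather than from the user-database result; whether agent-group membership is enforced elsewhere is not visible here and should be confirmed before relying on this path. The method's signature and the remaining catch clauses lie outside this hunk.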
@@ -985,10 +976,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -1000,19 +991,19 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); } /** * Signed Audit Log Subject ID - * + * * This method is called to obtain the "SubjectID" for * a signed audit log message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ private String auditSubjectID() { @@ -1042,4 +1033,3 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, return subjectID; } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java index 95012039..e6dd7087 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/Crypt.java +++ b/pki/base/common/src/com/netscape/cms/authentication/Crypt.java 
@@ -17,149 +17,148 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - public class Crypt { // Static data: static byte[] - IP = // Initial permutation - { - 58, 50, 42, 34, 26, 18, 10, 2, - 60, 52, 44, 36, 28, 20, 12, 4, - 62, 54, 46, 38, 30, 22, 14, 6, - 64, 56, 48, 40, 32, 24, 16, 8, - 57, 49, 41, 33, 25, 17, 9, 1, - 59, 51, 43, 35, 27, 19, 11, 3, - 61, 53, 45, 37, 29, 21, 13, 5, - 63, 55, 47, 39, 31, 23, 15, 7 + IP = // Initial permutation + { + 58, 50, 42, 34, 26, 18, 10, 2, + 60, 52, 44, 36, 28, 20, 12, 4, + 62, 54, 46, 38, 30, 22, 14, 6, + 64, 56, 48, 40, 32, 24, 16, 8, + 57, 49, 41, 33, 25, 17, 9, 1, + 59, 51, 43, 35, 27, 19, 11, 3, + 61, 53, 45, 37, 29, 21, 13, 5, + 63, 55, 47, 39, 31, 23, 15, 7 }, - FP = // Final permutation, FP = IP^(-1) - { - 40, 8, 48, 16, 56, 24, 64, 32, - 39, 7, 47, 15, 55, 23, 63, 31, - 38, 6, 46, 14, 54, 22, 62, 30, - 37, 5, 45, 13, 53, 21, 61, 29, - 36, 4, 44, 12, 52, 20, 60, 28, - 35, 3, 43, 11, 51, 19, 59, 27, - 34, 2, 42, 10, 50, 18, 58, 26, - 33, 1, 41, 9, 49, 17, 57, 25 + FP = // Final permutation, FP = IP^(-1) + { + 40, 8, 48, 16, 56, 24, 64, 32, + 39, 7, 47, 15, 55, 23, 63, 31, + 38, 6, 46, 14, 54, 22, 62, 30, + 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, + 35, 3, 43, 11, 51, 19, 59, 27, + 34, 2, 42, 10, 50, 18, 58, 26, + 33, 1, 41, 9, 49, 17, 57, 25 }, - // Permuted-choice 1 from the key bits to yield C and D. - // Note that bits 8,16... are left out: - // They are intended for a parity check. - PC1_C = + // Permuted-choice 1 from the key bits to yield C and D. + // Note that bits 8,16... are left out: + // They are intended for a parity check. 
+ PC1_C = { - 57, 49, 41, 33, 25, 17, 9, - 1, 58, 50, 42, 34, 26, 18, - 10, 2, 59, 51, 43, 35, 27, - 19, 11, 3, 60, 52, 44, 36 + 57, 49, 41, 33, 25, 17, 9, + 1, 58, 50, 42, 34, 26, 18, + 10, 2, 59, 51, 43, 35, 27, + 19, 11, 3, 60, 52, 44, 36 }, - PC1_D = + PC1_D = { - 63, 55, 47, 39, 31, 23, 15, - 7, 62, 54, 46, 38, 30, 22, - 14, 6, 61, 53, 45, 37, 29, - 21, 13, 5, 28, 20, 12, 4 + 63, 55, 47, 39, 31, 23, 15, + 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, + 21, 13, 5, 28, 20, 12, 4 }, - shifts = // Sequence of shifts used for the key schedule. - { - 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 + shifts = // Sequence of shifts used for the key schedule. + { + 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 }, - // Permuted-choice 2, to pick out the bits from - // the CD array that generate the key schedule. - PC2_C = + // Permuted-choice 2, to pick out the bits from + // the CD array that generate the key schedule. + PC2_C = { - 14, 17, 11, 24, 1, 5, - 3, 28, 15, 6, 21, 10, - 23, 19, 12, 4, 26, 8, - 16, 7, 27, 20, 13, 2 + 14, 17, 11, 24, 1, 5, + 3, 28, 15, 6, 21, 10, + 23, 19, 12, 4, 26, 8, + 16, 7, 27, 20, 13, 2 }, - PC2_D = + PC2_D = { - 41, 52, 31, 37, 47, 55, - 30, 40, 51, 45, 33, 48, - 44, 49, 39, 56, 34, 53, - 46, 42, 50, 36, 29, 32 + 41, 52, 31, 37, 47, 55, + 30, 40, 51, 45, 33, 48, + 44, 49, 39, 56, 34, 53, + 46, 42, 50, 36, 29, 32 }, - e2 = // The E-bit selection table. (see E below) - { - 32, 1, 2, 3, 4, 5, - 4, 5, 6, 7, 8, 9, - 8, 9, 10, 11, 12, 13, - 12, 13, 14, 15, 16, 17, - 16, 17, 18, 19, 20, 21, - 20, 21, 22, 23, 24, 25, - 24, 25, 26, 27, 28, 29, - 28, 29, 30, 31, 32, 1 + e2 = // The E-bit selection table. (see E below) + { + 32, 1, 2, 3, 4, 5, + 4, 5, 6, 7, 8, 9, + 8, 9, 10, 11, 12, 13, + 12, 13, 14, 15, 16, 17, + 16, 17, 18, 19, 20, 21, + 20, 21, 22, 23, 24, 25, + 24, 25, 26, 27, 28, 29, + 28, 29, 30, 31, 32, 1 }, - // P is a permutation on the selected combination of - // the current L and key. 
- P = + // P is a permutation on the selected combination of + // the current L and key. + P = { - 16, 7, 20, 21, - 29, 12, 28, 17, - 1, 15, 23, 26, - 5, 18, 31, 10, - 2, 8, 24, 14, - 32, 27, 3, 9, - 19, 13, 30, 6, - 22, 11, 4, 25 + 16, 7, 20, 21, + 29, 12, 28, 17, + 1, 15, 23, 26, + 5, 18, 31, 10, + 2, 8, 24, 14, + 32, 27, 3, 9, + 19, 13, 30, 6, + 22, 11, 4, 25 }; // The 8 selection functions. For some reason, they gave a 0-origin // index, unlike everything else. static byte[][] S = { - { - 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, - 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, - 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, - 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 - }, { - 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, - 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, - 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, - 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 - }, { - 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, - 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, - 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, - 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 - }, { - 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, - 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, - 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, - 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 - }, { - 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, - 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, - 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, - 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 - }, { - 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, - 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, - 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, - 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 - }, { - 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, - 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, - 1, 4, 11, 
13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, - 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 - }, { - 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, - 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, - 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, - 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 - } + { + 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, + 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, + 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, + 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 + }, { + 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, + 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, + 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, + 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 + }, { + 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, + 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, + 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, + 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 + }, { + 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, + 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, + 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, + 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 + }, { + 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, + 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, + 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, + 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 + }, { + 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, + 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, + 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, + 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 + }, { + 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, + 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, + 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, + 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 + }, { + 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 
7, + 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, + 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, + 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 + } }; // Dynamic data: - byte[] C = new byte[28], // The C and D arrays used to - D = new byte[28], // calculate the key schedule. - E = new byte[48], // The E bit-selection table. - L = new byte[32], // The current block, - R = new byte[32], // divided into two halves. - tempL = new byte[32], - f = new byte[32], - preS = new byte[48]; // The combination of the key and + byte[] C = new byte[28], // The C and D arrays used to + D = new byte[28], // calculate the key schedule. + E = new byte[48], // The E bit-selection table. + L = new byte[32], // The current block, + R = new byte[32], // divided into two halves. + tempL = new byte[32], + f = new byte[32], + preS = new byte[48]; // The combination of the key and // the input, before selection. // The key schedule. Generated from the key. byte[][] KS = new byte[16][48]; @@ -169,7 +168,7 @@ public class Crypt { // Public methods: /** - * Create Crypt object with no passwd or salt set. Must use setPasswd() + * Create Crypt object with no passwd or salt set. Must use setPasswd() * and setSalt() before getEncryptedPasswd(). */ public Crypt() { @@ -177,9 +176,9 @@ public class Crypt { } /** - * Create a Crypt object with specified salt. Use setPasswd() before + * Create a Crypt object with specified salt. Use setPasswd() before * getEncryptedPasswd(). - * + * * @param salt the salt string for encryption */ public Crypt(String salt) { @@ -190,9 +189,9 @@ public class Crypt { /** * Create a Crypt object with specified passwd and salt (often the - * already encypted passwd). Get the encrypted result with + * already encypted passwd). Get the encrypted result with * getEncryptedPasswd(). - * + * * @param passwd the passwd to encrypt * @param salt the salt string for encryption */ 
@@ -204,7 +203,7 @@ public class Crypt { /** * Retrieve the passwd string currently being encrypted. - * + * * @return the current passwd string */ public String getPasswd() { @@ -213,7 +212,7 @@ public class Crypt { /** * Retrieve the salt string currently being used for encryption. - * + * * @return the current salt string */ public String getSalt() { @@ -223,7 +222,7 @@ public class Crypt { /** * Retrieve the resulting encrypted string from the current passwd and * salt settings. - * + * * @return the encrypted passwd */ public String getEncryptedPasswd() { @@ -231,9 +230,9 @@ public class Crypt { } /** - * Set a new passwd string for encryption. Use getEncryptedPasswd() to + * Set a new passwd string for encryption. Use getEncryptedPasswd() to * retrieve the new result. - * + * * @param passwd the new passwd string */ public void setPasswd(String passwd) { @@ -242,9 +241,9 @@ public class Crypt { } /** - * Set a new salt string for encryption. Use getEncryptedPasswd() to + * Set a new salt string for encryption. Use getEncryptedPasswd() to * retrieve the new result. - * + * * @param salt the new salt string */ public void setSalt(String salt) { @@ -254,14 +253,12 @@ public class Crypt { // Internal crypt methods: String crypt() { - if (Salt.length() == 0) return ""; + if (Salt.length() == 0) + return ""; int i, j, pwi; byte c, temp; - byte[] block = new byte[66], - iobuf = new byte[16], - salt = new byte[2], - pw = Passwd.getBytes(), //jdk1.1 - saltbytes = Salt.getBytes(); //jdk1.1 + byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = Passwd.getBytes(), //jdk1.1 + saltbytes = Salt.getBytes(); //jdk1.1 // pw = new byte[Passwd.length()], //jdk1.0.2 // saltbytes = new byte[Salt.length()]; //jdk1.0.2 
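Review bot: `pw = Passwd.getBytes()` and `saltbytes = Salt.getBytes()` in crypt() (hunk -254) encode with the JVM's default charset, so the same non-ASCII password can hash differently on hosts with different default encodings; `new String(iobuf)` in the -320 hunk on the next line decodes the result the same way. Pinning the charset, e.g. `pw = Passwd.getBytes("UTF-8")` (or the `Charset` overload, which avoids the checked UnsupportedEncodingException), makes the output portable. The merged declaration `byte[] block = new byte[66], iobuf = new byte[16], salt = new byte[2], pw = ...` is harder to read than the one-declaration-per-line form the commit replaces. The 2-byte salt and 16-byte output buffer suggest a port of the classic DES-based crypt(3); a comment stating that it exists only for compatibility with that legacy hash format would help the next maintainer. The body of crypt() continues outside the hunk.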
@@ -288,8 +285,10 @@ public class Crypt { for (i = 0; i < 2; i++) { c = salt[i]; iobuf[i] = c; - if (c > 'Z') c -= 6; - if (c > '9') c -= 7; + if (c > 'Z') + c -= 6; + if (c > '9') + c -= 7; c -= '.'; for (j = 0; j < 6; j++) { if (((c >> j) & 1) != 0) { @@ -311,8 +310,10 @@ public class Crypt { c |= block[6 * i + j]; } c += '.'; - if (c > '9') c += 7; - if (c > 'Z') c += 6; + if (c > '9') + c += 7; + if (c > 'Z') + c += 6; iobuf[i + 2] = c; } @@ -320,11 +321,11 @@ public class Crypt { if (iobuf[1] == 0) iobuf[1] = iobuf[0]; - return new String(iobuf); //jdk1.1 + return new String(iobuf); //jdk1.1 //return new String(iobuf,0); //jdk1.0.2 } - void setkey(byte[] key) // Set up the key schedule from the key. + void setkey(byte[] key) // Set up the key schedule from the key. { int i, j, k; byte t; 
@@ -378,32 +379,32 @@ public class Crypt { for (j = 32; j < 64; j++) R[j - 32] = block[IP[j] - 1]; - // Perform an encryption operation 16 times. + // Perform an encryption operation 16 times. for (ii = 0; ii < 16; ii++) { i = ii; // Save the R array, which will be the new L. for (j = 0; j < 32; j++) tempL[j] = R[j]; - // Expand R to 48 bits using the E selector; - // exclusive-or with the current key bits. + // Expand R to 48 bits using the E selector; + // exclusive-or with the current key bits. for (j = 0; j < 48; j++) preS[j] = (byte) (R[E[j] - 1] ^ KS[i][j]); - // The pre-select bits are now considered in 8 groups of - // 6 bits each. The 8 selection functions map these 6-bit - // quantities into 4-bit quantities and the results permuted - // to make an f(R, K). The indexing into the selection functions - // is peculiar; it could be simplified by rewriting the tables. + // The pre-select bits are now considered in 8 groups of + // 6 bits each. The 8 selection functions map these 6-bit + // quantities into 4-bit quantities and the results permuted + // to make an f(R, K). The indexing into the selection functions + // is peculiar; it could be simplified by rewriting the tables. for (j = 0; j < 8; j++) { t = 6 * j; - k = S[j][ (preS[t ] << 5) + + k = S[j][(preS[t] << 5) + (preS[t + 1] << 3) + (preS[t + 2] << 2) + (preS[t + 3] << 1) + (preS[t + 4]) + - (preS[t + 5] << 4) ]; + (preS[t + 5] << 4)]; t = 4 * j; - f[t ] = (byte) ((k >> 3) & 1); + f[t] = (byte) ((k >> 3) & 1); f[t + 1] = (byte) ((k >> 2) & 1); f[t + 2] = (byte) ((k >> 1) & 1); f[t + 3] = (byte) ((k) & 1); diff --git a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java index 1f2eb69a..21280f0f 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java +++ b/pki/base/common/src/com/netscape/cms/authentication/DNPattern.java 
@@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.io.IOException; import java.io.PushbackReader; import java.io.StringReader; @@ -28,24 +27,25 @@ import netscape.ldap.LDAPEntry; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.base.EBaseException; - /** - * class for parsing a DN pattern used to construct a certificate - * subject name from ldap attributes and dn.<p> + * class for parsing a DN pattern used to construct a certificate + * subject name from ldap attributes and dn. + * <p> * - * dnpattern is a string representing a subject name pattern to formulate from - * the directory attributes and entry dn. If empty or not set, the - * ldap entry DN will be used as the certificate subject name. <p> + * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name. + * <p> + * + * The syntax is * - * The syntax is * <pre> - * dnPattern := rdnPattern *[ "," rdnPattern ] - * rdnPattern := avaPattern *[ "+" avaPattern ] + * dnPattern := rdnPattern *[ "," rdnPattern ] + * rdnPattern := avaPattern *[ "+" avaPattern ] * avaPattern := name "=" value | - * name "=" "$attr" "." attrName [ "." attrNumber ] | - * name "=" "$dn" "." attrName [ "." attrNumber ] | - * "$dn" "." "$rdn" "." number + * name "=" "$attr" "." attrName [ "." attrNumber ] | + * name "=" "$dn" "." attrName [ "." attrNumber ] | + * "$dn" "." "$rdn" "." number * </pre> + * * <pre> * Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i> * Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org 
@@ -72,11 +72,12 @@ import com.netscape.certsrv.base.EBaseException; * E = the first 'mail' ldap attribute value in user's entry. <br> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN. note multiple AVAs - * in a RDN in this example. <br> + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> + * * <pre> * Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i> * Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org @@ -101,15 +102,15 @@ import com.netscape.certsrv.base.EBaseException; * <p> * CN = the (first) 'cn' ldap attribute value in the user's entry. <br> * OU = the second 'ou' value in the user's entry DN followed by the - * first 'ou' value in the user's entry. note multiple AVAs - * in a RDN in this example. <br> + * first 'ou' value in the user's entry. note multiple AVAs + * in a RDN in this example. <br> * O = the (first) 'o' value in the user's entry DN. <br> * C = the string "US" * <p> * </pre> - * If an attribute or subject DN component does not exist the attribute - * is skipped. - * + * + * If an attribute or subject DN component does not exist the attribute is skipped. + * * @version $Revision$, $Date$ */ public class DNPattern { @@ -125,13 +126,14 @@ public class DNPattern { protected String mTestDN = null; - /** + /** * Construct a DN pattern by parsing a pattern string. + * * @param pattern the DN pattern - * @exception EBaseException If parsing error occurs. + * @exception EBaseException If parsing error occurs. */ public DNPattern(String pattern) - throws EAuthException { + throws EAuthException { if (pattern == null || pattern.equals("")) { // create an attribute list that is the dn. mLdapAttrs = new String[] { "dn" }; 
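Review bot: The constructor Javadoc in hunk -125 declares `@exception EBaseException If parsing error occurs.` while the signature throws `EAuthException`; the tag should name the type actually thrown, `* @exception EAuthException If a parsing error occurs.`. As written, the tag documents a broader contract than the code has, which is harmless for catching but misleading for anyone deciding what to handle.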
@@ -143,13 +145,13 @@ public class DNPattern { } } - public DNPattern(PushbackReader in) - throws EAuthException { + public DNPattern(PushbackReader in) + throws EAuthException { parse(in); } private void parse(PushbackReader in) - throws EAuthException { + throws EAuthException { Vector rdnPatterns = new Vector(); RDNPattern rdnPattern = null; int lastChar = -1; @@ -162,8 +164,7 @@ public class DNPattern { } catch (IOException e) { throw new EAuthException("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString()); } - } - while (lastChar == ','); + } while (lastChar == ','); mRDNPatterns = new RDNPattern[rdnPatterns.size()]; rdnPatterns.copyInto(mRDNPatterns); @@ -173,8 +174,8 @@ public class DNPattern { for (int i = 0; i < mRDNPatterns.length; i++) { String[] rdnAttrs = mRDNPatterns[i].getLdapAttrs(); - if (rdnAttrs != null && rdnAttrs.length > 0) - for (int j = 0; j < rdnAttrs.length; j++) + if (rdnAttrs != null && rdnAttrs.length > 0) + for (int j = 0; j < rdnAttrs.length; j++) ldapAttrs.addElement(rdnAttrs[j]); } mLdapAttrs = new String[ldapAttrs.size()]; @@ -183,11 +184,12 @@ public class DNPattern { /** * Form a Ldap v3 DN string from results of a ldap search. + * * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. + * @return Ldap v3 DN string to use for a subject name. */ public String formDN(LDAPEntry entry) - throws EAuthException { + throws EAuthException { StringBuffer formedDN = new StringBuffer(); for (int i = 0; i < mRDNPatterns.length; i++) { @@ -197,7 +199,7 @@ public class DNPattern { if (rdn != null) { if (rdn != null && rdn.length() != 0) { - if (formedDN.length() != 0) + if (formedDN.length() != 0) formedDN.append(","); formedDN.append(rdn); } diff --git a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java index c9b64fca..4b6e4aa3 100644 
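Review bot: `Vector rdnPatterns = new Vector();` in parse() (hunk -143) is a raw type, while the same commit keeps `Vector<String>` elsewhere (setAuthTokenStringValue in DirBasedAuthentication); `Vector<RDNPattern> rdnPatterns = new Vector<RDNPattern>();` would match and drop the unchecked warning on `copyInto`. In the -162 hunk the caught IOException is reduced to `e.toString()` inside the EAuthException message, so the stack trace is lost; if EAuthException accepts a cause (its constructors are not visible here), chaining it would make pattern-parse failures easier to diagnose. The loop that reads RDN patterns starts outside the hunk.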
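Review bot: In formDN() (hunk -197) the inner test `if (rdn != null && rdn.length() != 0)` repeats the `rdn != null` check of the enclosing `if (rdn != null)`; a single condition, `if (rdn != null && rdn.length() != 0) {`, is enough. The loop body and the method's return are outside the hunk.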
--- a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.io.IOException; import java.security.cert.CertificateException; @@ -57,25 +56,25 @@ import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.util.Utils; - /** * Abstract class for directory based authentication managers - * Uses a pattern for formulating subject names. - * The pattern is read from configuration file. + * Uses a pattern for formulating subject names. + * The pattern is read from configuration file. * Syntax of the pattern is described in the init() method. * * <P> + * * @version $Revision$, $Date$ */ -public abstract class DirBasedAuthentication - implements IAuthManager, IExtendedPluginInfo { +public abstract class DirBasedAuthentication + implements IAuthManager, IExtendedPluginInfo { - protected static final String USER_DN = "userDN"; + protected static final String USER_DN = "userDN"; /* configuration parameter keys */ - protected static final String PROP_LDAP = "ldap"; - protected static final String PROP_BASEDN = "basedn"; - protected static final String PROP_DNPATTERN = "dnpattern"; + protected static final String PROP_LDAP = "ldap"; + protected static final String PROP_BASEDN = "basedn"; + protected static final String PROP_DNPATTERN = "dnpattern"; protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes"; protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes"; 
@@ -117,8 +116,8 @@ public abstract class DirBasedAuthentication protected String[] mLdapAttrs = null; /* default dn pattern if left blank or not set in the config */ - protected static String DEFAULT_DNPATTERN = - "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; + protected static String DEFAULT_DNPATTERN = + "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; /* Vector of extendedPluginInfo strings */ protected static Vector<String> mExtendedPluginInfo = null; 
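Review bot: `protected static String DEFAULT_DNPATTERN` (hunk -117) is a mutable static that any subclass or same-package code can reassign, changing the fallback subject-name pattern for every instance; as far as this diff shows it is only read in the static block and in init(), so `protected static final String DEFAULT_DNPATTERN =` fits. The other configuration keys in this class are already `static final`.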
@@ -126,31 +125,31 @@ public abstract class DirBasedAuthentication static { mExtendedPluginInfo = new Vector<String>(); mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" + - " Subject Name. ($dn.xxx - get value from user's LDAP " + - "DN. $attr.yyy - get value from LDAP attributes in " + - "user's entry.) Default: " + DEFAULT_DNPATTERN); + " Subject Name. ($dn.xxx - get value from user's LDAP " + + "DN. $attr.yyy - get value from LDAP attributes in " + + "user's entry.) Default: " + DEFAULT_DNPATTERN); mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" + - "Comma-separated list of LDAP attributes to copy from " + - "the user's LDAP entry into the AuthToken. e.g use " + - "'mail' to copy user's email address for subjectAltName"); + "Comma-separated list of LDAP attributes to copy from " + + "the user's LDAP entry into the AuthToken. e.g use " + + "'mail' to copy user's email address for subjectAltName"); mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" + - "Comma-separated list of binary LDAP attributes to copy" + - " from the user's LDAP entry into the AuthToken"); + "Comma-separated list of binary LDAP attributes to copy" + + " from the user's LDAP entry into the AuthToken"); mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + - "LDAP host to connect to"); + "LDAP host to connect to"); mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + - "LDAP port number (use 389, or 636 if SSL)"); + "LDAP port number (use 389, or 636 if SSL)"); mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + - "Use SSL to connect to directory?"); + "Use SSL to connect to directory?"); mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + - "LDAP protocol version"); + "LDAP protocol version"); mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here"); + "under. 
If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here"); mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + - "to keep open to directory server. Default 5."); + "to keep open to directory server. Default 5."); mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " + - "pool can grow to this many (multiplexed) connections. Default 1000."); + "pool can grow to this many (multiplexed) connections. Default 1000."); } /** @@ -163,24 +162,24 @@ public abstract class DirBasedAuthentication * Initializes the UidPwdDirBasedAuthentication auth manager. * * Takes the following configuration parameters: <br> + * * <pre> - * ldap.basedn - the ldap base dn. - * ldap.ldapconn.host - the ldap host. - * ldap.ldapconn.port - the ldap port - * ldap.ldapconn.secureConn - whether port should be secure - * ldap.minConns - minimum connections - * ldap.maxConns - max connections - * dnpattern - dn pattern. + * ldap.basedn - the ldap base dn. + * ldap.ldapconn.host - the ldap host. + * ldap.ldapconn.port - the ldap port + * ldap.ldapconn.secureConn - whether port should be secure + * ldap.minConns - minimum connections + * ldap.maxConns - max connections + * dnpattern - dn pattern. * </pre> * <p> - * <i><b>dnpattern</b></i> is a string representing a subject name pattern - * to formulate from the directory attributes and entry dn. If empty or - * not set, the ldap entry DN will be used as the certificate subject name. + * <i><b>dnpattern</b></i> is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name. * <p> - * The syntax is + * The syntax is + * * <pre> * dnpattern = SubjectNameComp *[ "," SubjectNameComp ] - * + * * SubjectNameComponent = DnComp | EntryComp | ConstantComp * DnComp = CertAttr "=" "$dn" "." DnAttr "." Num * EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num 
@@ -190,11 +189,12 @@ public abstract class DirBasedAuthentication * CertAttr = a Component in the Certificate Subject Name * (multiple AVA in one RDN not supported) * Num = the nth value of tha attribute in the dn or entry. - * Constant = Constant String, with any accepted ldap string value. + * Constant = Constant String, with any accepted ldap string value. * * </pre> * <p> * <b>Example:</b> + * * <pre> * dnpattern: * E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US @@ -213,6 +213,7 @@ public abstract class DirBasedAuthentication * </pre> * <p> * The subject name formulated in the cert will be : <br> + * * <pre> * E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US * @@ -229,19 +230,20 @@ public abstract class DirBasedAuthentication * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { init(name, implName, config, true); } public void init(String name, String implName, IConfigStore config, boolean needBaseDN) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; /* initialize ldap server configuration */ mLdapConfig = mConfig.getSubStore(PROP_LDAP); - if (needBaseDN) mBaseDN = mLdapConfig.getString(PROP_BASEDN); + if (needBaseDN) + mBaseDN = mLdapConfig.getString(PROP_BASEDN); if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals("")))) throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); mConnFactory = CMS.getLdapAnonConnFactory(); 
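Review bot: The init() Javadoc in hunk -190 keeps the line `(multiple AVA in one RDN not supported)`, but DNPattern's class comment in the same commit documents `rdnPattern := avaPattern *[ "+" avaPattern ]` and gives Example2/Example3 with multiple AVAs in one RDN. One of the two is stale; since init() instantiates DNPattern (`mPattern = new DNPattern(pattern)` in the -250 hunk on the next line), the init() grammar should be brought in line with DNPattern's or the parenthetical dropped. This is documentation only; the Javadoc block continues outside the hunk.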
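Review bot: In init() (hunk -229) the base-DN guard `(mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals(""))` tests the same emptiness three ways; `if (needBaseDN && (mBaseDN == null || mBaseDN.trim().length() == 0))` reads the same. This guard appears to be what stops a blank `ldap.basedn` from reaching the LDAP searches later, so a one-line comment such as `// refuse to start with an empty base DN instead of searching from the directory root` would record why it is a hard error. The rest of init() is in the following hunks.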
@@ -250,7 +252,7 @@ public abstract class DirBasedAuthentication /* initialize dn pattern */ String pattern = mConfig.getString(PROP_DNPATTERN, null); - if (pattern == null || pattern.length() == 0) + if (pattern == null || pattern.length() == 0) pattern = DEFAULT_DNPATTERN; mPattern = new DNPattern(pattern); String[] patternLdapAttrs = mPattern.getLdapAttrs(); @@ -261,15 +263,15 @@ public abstract class DirBasedAuthentication if (ldapStringAttrs == null) { mLdapStringAttrs = patternLdapAttrs; } else { - StringTokenizer pAttrs = - new StringTokenizer(ldapStringAttrs, ",", false); + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); int begin = 0; if (patternLdapAttrs != null && patternLdapAttrs.length > 0) { - mLdapStringAttrs = new String[ + mLdapStringAttrs = new String[ patternLdapAttrs.length + pAttrs.countTokens()]; - System.arraycopy(patternLdapAttrs, 0, - mLdapStringAttrs, 0, patternLdapAttrs.length); + System.arraycopy(patternLdapAttrs, 0, + mLdapStringAttrs, 0, patternLdapAttrs.length); begin = patternLdapAttrs.length; } else { mLdapStringAttrs = new String[pAttrs.countTokens()]; @@ -285,11 +287,11 @@ public abstract class DirBasedAuthentication if (ldapByteAttrs == null) { mLdapByteAttrs = new String[0]; } else { - StringTokenizer byteAttrs = - new StringTokenizer(ldapByteAttrs, ",", false); + StringTokenizer byteAttrs = + new StringTokenizer(ldapByteAttrs, ",", false); mLdapByteAttrs = new String[byteAttrs.countTokens()]; - for (int j = 0; j < mLdapByteAttrs.length; j++) { + for (int j = 0; j < mLdapByteAttrs.length; j++) { mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim(); } } 
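Review bot: `mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim();` (hunk -285) goes through StringTokenizer's raw Enumeration view and needs a cast; `mLdapByteAttrs[j] = byteAttrs.nextToken().trim();` is the typed equivalent. The string-attribute loop that follows the -261 hunk is outside this view, so whether it trims its tokens the same way cannot be checked here.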
@@ -297,10 +299,10 @@ public abstract class DirBasedAuthentication /* make the combined list */ mLdapAttrs = new String[mLdapStringAttrs.length + mLdapByteAttrs.length]; - System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, - 0, mLdapStringAttrs.length); - System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, - mLdapStringAttrs.length, mLdapByteAttrs.length); + System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs, + 0, mLdapStringAttrs.length); + System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs, + mLdapStringAttrs.length, mLdapByteAttrs.length); log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE")); } @@ -320,21 +322,22 @@ public abstract class DirBasedAuthentication } /** - * Authenticates user through LDAP by a set of credentials. + * Authenticates user through LDAP by a set of credentials. * Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo * <p> + * * @param authCred Authentication credentials, CRED_UID and CRED_PWD. * @return A AuthToken with a TOKEN_SUBJECT of X500name type. * @exception com.netscape.certsrv.authentication.EMissingCredential - * If a required authentication credential is missing. + * If a required authentication credential is missing. * @exception com.netscape.certsrv.authentication.EInvalidCredentials - * If credentials failed authentication. - * @exception com.netscape.certsrv.base.EBaseException - * If an internal error occurred. + * If credentials failed authentication. + * @exception com.netscape.certsrv.base.EBaseException + * If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { + throws EMissingCredential, EInvalidCredentials, EBaseException { String userdn = null; LDAPConnection conn = null; AuthToken authToken = new AuthToken(this); 
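Review bot: The authenticate() Javadoc (hunk -320) has a garbled sentence, `Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo`; something like `* The resulting AuthToken carries a TOKEN_CERTINFO field holding an X509CertInfo.` states it readably, assuming that is what the body sets (the body is outside this hunk). The `@return` line names TOKEN_SUBJECT while the visible body in the -360 hunk on the next line sets `AuthToken.TOKEN_CERT_SUBJECT`, so one of the two names looks stale.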
@@ -360,11 +363,11 @@ public abstract class DirBasedAuthentication // set subject name. try { CertificateSubjectName subjectname = (CertificateSubjectName) - certInfo.get(X509CertInfo.SUBJECT); + certInfo.get(X509CertInfo.SUBJECT); if (subjectname != null) - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, - subjectname.toString()); + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, + subjectname.toString()); } // error means it's not set. catch (CertificateException e) { } catch (IOException e) { @@ -373,15 +376,15 @@ public abstract class DirBasedAuthentication // set validity if any try { CertificateValidity validity = (CertificateValidity) - certInfo.get(X509CertInfo.VALIDITY); + certInfo.get(X509CertInfo.VALIDITY); if (validity != null) { // the gets throws IOException but only if attribute // not recognized. In these cases they are always. - authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE, - (Date)validity.get(CertificateValidity.NOT_BEFORE)); - authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, - (Date)validity.get(CertificateValidity.NOT_AFTER)); + authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE, + (Date) validity.get(CertificateValidity.NOT_BEFORE)); + authToken.set(AuthToken.TOKEN_CERT_NOTAFTER, + (Date) validity.get(CertificateValidity.NOT_AFTER)); } } // error means it's not set. catch (CertificateException e) { @@ -391,7 +394,7 @@ public abstract class DirBasedAuthentication // set extensions if any. try { CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions != null) authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions); @@ -401,7 +404,7 @@ public abstract class DirBasedAuthentication } } finally { - if (conn != null) + if (conn != null) mConnFactory.returnConn(conn); } 
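Review bot: `catch (CertificateException e) { }` in authenticate() (hunk -360) is an empty catch, and the same pattern recurs in the -373 and -391 hunks; the comment "error means it's not set" explains the intent, but a silently missing subject, validity or extensions in the AuthToken is hard to diagnose afterwards. Logging at debug level inside each catch, e.g. `CMS.debug("DirBasedAuthentication: no subject in certInfo: " + e);`, keeps the best-effort behaviour while leaving a trace. The IOException catches that follow are cut off at the hunk edges, so whether they log is not visible here.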
@@ -410,15 +413,16 @@ public abstract class DirBasedAuthentication /** * get the list of required credentials. + * * @return list of required credentials as strings. */ public abstract String[] getRequiredCreds(); /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of * this implementation can be configured through the console. - * + * * @return String array of configuration parameter names. */ public abstract String[] getConfigParams(); @@ -440,6 +444,7 @@ public abstract class DirBasedAuthentication /** * Gets the configuration substore used by this authentication manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -452,11 +457,11 @@ public abstract class DirBasedAuthentication * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ protected abstract String authenticate( - LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) - throws EBaseException; + LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) + throws EBaseException; /** * Formulate the cert info. 
@@ -465,13 +470,13 @@ public abstract class DirBasedAuthentication * @param userdn The user's dn. * @param certinfo A certinfo object to fill. * @param token A authentication token to fill. - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected void formCertInfo(LDAPConnection conn, - String userdn, - X509CertInfo certinfo, - AuthToken token) - throws EBaseException { + protected void formCertInfo(LDAPConnection conn, + String userdn, + X509CertInfo certinfo, + AuthToken token) + throws EBaseException { String dn = null; // get ldap attributes to retrieve. String[] attrs = getLdapAttrs(); @@ -480,9 +485,9 @@ public abstract class DirBasedAuthentication try { if (conn != null) { LDAPEntry entry = null; - LDAPSearchResults results = - conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", - attrs, false); + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + attrs, false); if (!results.hasMoreElements()) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR")); 
@@ -508,19 +513,19 @@ public abstract class DirBasedAuthentication // pack the dn into X500name and set subject name. if (dn.length() == 0) { - EBaseException ex = - new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); + EBaseException ex = + new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName)); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString())); throw ex; } X500Name subjectdn = new X500Name(dn); - certinfo.set(X509CertInfo.SUBJECT, - new CertificateSubjectName(subjectdn)); + certinfo.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(subjectdn)); } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.SERVER_DOWN: + case LDAPException.SERVER_DOWN: log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR")); throw new ELdapException( CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); @@ -534,7 +539,7 @@ public abstract class DirBasedAuthentication log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString())); throw new ELdapException( CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + e.errorCodeToString())); } } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage())); 
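Review bot: `X500Name subjectdn = new X500Name(dn);` (hunk -508) parses a DN string that formSubjectName() builds from LDAP attribute values via `mPattern.formDN(entry)`; if those values are not escaped per RFC 2253 before concatenation (the escaping, if any, lives in DNPattern/AVAPattern outside this view), an attribute value containing `,`, `+` or `=` that a user can influence would be parsed as additional RDNs in the issued certificate's subject. Confirming that formDN escapes values, and adding a comment here such as `// dn is assembled from directory attribute values; DNPattern must escape DN metacharacters`, would make that trust boundary explicit. The IOException catch in the -534 hunk reports X500Name parse failures, which does not cover a syntactically valid but reshaped DN.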
@@ -553,19 +558,20 @@ public abstract class DirBasedAuthentication protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) { for (int i = 0; i < mLdapStringAttrs.length; i++) setAuthTokenStringValue(mLdapStringAttrs[i], e, tok); - for (int j = 0; j < mLdapByteAttrs.length; j++) + for (int j = 0; j < mLdapByteAttrs.length; j++) setAuthTokenByteValue(mLdapByteAttrs[j], e, tok); } protected void setAuthTokenStringValue( - String name, LDAPEntry entry, AuthToken tok) { + String name, LDAPEntry entry, AuthToken tok) { LDAPAttribute values = entry.getAttribute(name); - if (values == null) return; + if (values == null) + return; Vector<String> v = new Vector<String>(); @SuppressWarnings("unchecked") - Enumeration<String> e = values.getStringValues(); + Enumeration<String> e = values.getStringValues(); while (e.hasMoreElements()) { v.addElement(e.nextElement()); @@ -579,14 +585,15 @@ public abstract class DirBasedAuthentication } protected void setAuthTokenByteValue( - String name, LDAPEntry entry, AuthToken tok) { + String name, LDAPEntry entry, AuthToken tok) { LDAPAttribute values = entry.getAttribute(name); - if (values == null) return; + if (values == null) + return; Vector<byte[]> v = new Vector<byte[]>(); @SuppressWarnings("unchecked") - Enumeration<byte[]> e = values.getByteValues(); + Enumeration<byte[]> e = values.getByteValues(); while (e.hasMoreElements()) { v.addElement(e.nextElement()); @@ -602,6 +609,7 @@ public abstract class DirBasedAuthentication /** * Return a list of LDAP attributes with String values to retrieve. * Subclasses can override to return any set of attributes. + * * @return Array of LDAP attributes to retrieve from the directory. */ protected String[] getLdapAttrs() { 
@@ -611,6 +619,7 @@ public abstract class DirBasedAuthentication /** * Return a list of LDAP attributes with byte[] values to retrieve. * Subclasses can override to return any set of attributes. + * * @return Array of LDAP attributes to retrieve from the directory. */ protected String[] getLdapByteAttrs() { @@ -618,22 +627,23 @@ public abstract class DirBasedAuthentication } /** - * Formulate the subject name + * Formulate the subject name + * * @param entry The LDAP entry * @return The subject name string. * @exception EBaseException If an internal error occurs. */ protected String formSubjectName(LDAPEntry entry) - throws EAuthException { - if (mPattern.mPatternString == null) + throws EAuthException { + if (mPattern.mPatternString == null) return entry.getDN(); - - /* - if (mTestDNString != null) { - mPattern.mTestDN = mTestDNString; - //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); - } - */ + + /* + if (mTestDNString != null) { + mPattern.mTestDN = mTestDNString; + //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN); + } + */ String dn = mPattern.formDN(entry); @@ -643,6 +653,7 @@ public abstract class DirBasedAuthentication /** * Logs a message for this class in the system log file. + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -651,15 +662,14 @@ public abstract class DirBasedAuthentication if (mLogger == null) return; mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, - level, msg); + level, msg); } public String[] getExtendedPluginInfo(Locale locale) { String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); return s; - + } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java index ab59c499..d2142ea3 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java 
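Review bot: formSubjectName() (hunk -618) carries a commented-out block (`if (mTestDNString != null) { ... }`) that the commit re-indents rather than deletes; dead code in comments tends to rot, and version control keeps the history if it is ever needed. It also reads `mPattern.mPatternString` directly, so DNPattern cannot make that field private; an accessor on DNPattern (none is visible in this diff) would let it. The method body continues outside the hunk.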
+++ b/pki/base/common/src/com/netscape/cms/authentication/FlatFileAuth.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.io.BufferedReader; import java.io.BufferedWriter; @@ -49,15 +48,14 @@ import com.netscape.certsrv.profile.IProfileAuthenticator; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * This represents the authentication manager that authenticates * user against a file where id, and password are stored. * * @version $Revision$, $Date$ */ -public class FlatFileAuth - implements IProfileAuthenticator, IExtendedPluginInfo { +public class FlatFileAuth + implements IProfileAuthenticator, IExtendedPluginInfo { /* configuration parameter keys */ protected static final String PROP_FILENAME = "fileName"; 
@@ -66,39 +64,39 @@ public class FlatFileAuth protected static final String PROP_DEFERONFAILURE = "deferOnFailure"; protected String mFilename = "config/pwfile"; - protected long mFileLastRead = 0; + protected long mFileLastRead = 0; protected String mKeyAttributes = "UID"; protected String mAuthAttrs = "PWD"; protected boolean mDeferOnFailure = true; private static final String DATE_PATTERN = "yyyy-MM-dd-HH-mm-ss"; private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN); - protected static String[] mConfigParams = - new String[] { - PROP_FILENAME, - PROP_KEYATTRIBUTES, - PROP_AUTHATTRS, - PROP_DEFERONFAILURE + protected static String[] mConfigParams = + new String[] { + PROP_FILENAME, + PROP_KEYATTRIBUTES, + PROP_AUTHATTRS, + PROP_DEFERONFAILURE }; public String[] getExtendedPluginInfo(Locale locale) { String s[] = { PROP_FILENAME + ";string;Pathname of password file", PROP_KEYATTRIBUTES + ";string;Comma-separated list of attributes" + - " which together form a unique identifier for the user", + " which together form a unique identifier for the user", PROP_AUTHATTRS + ";string;Comma-separated list of attributes" + - " which are used for further authentication", + " which are used for further authentication", PROP_DEFERONFAILURE + ";boolean;if user is not found, defer the " + - "request to the queue for manual-authentication (true), or " + - "simply rejected the request (false)" + "request to the queue for manual-authentication (true), or " + + "simply rejected the request (false)" }; return s; } - + /** name of this authentication manager instance */ protected String mName = null; - + protected String FFAUTH = "FlatFileAuth"; /** name of the authentication manager plugin */ 
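Review bot: `private static SimpleDateFormat mDateFormat = new SimpleDateFormat(DATE_PATTERN);` (hunk -66) is a shared, non-thread-safe formatter; the only use visible here is in writeFile(), called from `synchronized updateFile()` on the next lines, which serialises access, but nothing documents that this is what makes the static safe. A comment, `// not thread-safe: only used from the synchronized updateFile()`, or creating the formatter locally in writeFile() would remove the trap. The default `mFilename = "config/pwfile"` is a relative path whose location depends on the process working directory; whether init() overrides it from PROP_FILENAME is outside this view.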
@@ -109,17 +107,19 @@ public class FlatFileAuth
/** system logger */
protected ILogger mLogger = CMS.getLogger();
-
- /** This array is created as to include all the requested attributes
- *
+
+ /**
+ * This array is created as to include all the requested attributes
+ *
*/
String[] reqCreds = null;
String[] authAttrs = null;
String[] keyAttrs = null;
- /** Hashtable of entries from Auth File. Hash index is the
- * concatenation of the attributes from matchAttributes property
+ /**
+ * Hashtable of entries from Auth File. Hash index is the
+ * concatenation of the attributes from matchAttributes property
*/
protected Hashtable entries = null;
@@ -132,7 +132,7 @@ public class FlatFileAuth
* @param s The default value of the property
*/
protected String getPropertyS(String propertyName, String s)
- throws EBaseException {
+ throws EBaseException {
String p;
try {
@@ -157,7 +157,7 @@ public class FlatFileAuth
* @param b The default value of the property
*/
protected boolean getPropertyB(String propertyName, boolean b)
- throws EBaseException {
+ throws EBaseException {
boolean p;
try {
@@ -170,7 +170,7 @@ public class FlatFileAuth
}
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
@@ -219,6 +219,7 @@ public class FlatFileAuth
/**
* Log a message.
+ *
* @param level The logging level.
* @param msg The message to log.
*/
@@ -226,9 +227,9 @@ public class FlatFileAuth
if (mLogger == null)
return;
mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
- level, msg);
+ level, msg);
}
-
+
void print(String s) {
CMS.debug("FlatFileAuth: " + s);
}
@@ -257,9 +258,9 @@ public class FlatFileAuth
s[i] = (String) e.nextElement();
}
return s;
-
+
}
-
+
/**
* Split a comma-delimited String into an array of individual
* Strings.
@@ -298,9 +299,9 @@ public class FlatFileAuth
return sb.toString();
}
- private synchronized void updateFile (String key) {
+ private synchronized void updateFile(String key) {
try {
- String name = writeFile (key);
+ String name = writeFile(key);
if (name != null) {
File orgFile = new File(mFilename);
long lastModified = orgFile.lastModified();
@@ -310,15 +311,15 @@ public class FlatFileAuth
} else {
mFileLastRead = newFile.lastModified();
}
- if (orgFile.renameTo(new File(name.substring(0, name.length()-1)))) {
+ if (orgFile.renameTo(new File(name.substring(0, name.length() - 1)))) {
if (!newFile.renameTo(new File(mFilename))) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", name, mFilename));
- File file = new File(name.substring(0, name.length()-1));
+ File file = new File(name.substring(0, name.length() - 1));
file.renameTo(new File(mFilename));
}
} else {
log(ILogger.LL_FAILURE, CMS.getLogMessage("RENAME_FILE_ERROR", mFilename,
- name.substring(0, name.length()-1)));
+ name.substring(0, name.length() - 1)));
}
}
} catch (Exception e) {
@@ -326,7 +327,7 @@ public class FlatFileAuth
}
}
- private String writeFile (String key) {
+ private String writeFile(String key) {
BufferedReader reader = null;
BufferedWriter writer = null;
String name = null;
@@ -334,9 +335,9 @@ public class FlatFileAuth
boolean done = false;
String line = null;
try {
- reader = new BufferedReader (new FileReader (mFilename));
- name = mFilename+"."+mDateFormat.format(new Date())+"~";
- writer = new BufferedWriter (new FileWriter(name));
+ reader = new BufferedReader(new FileReader(mFilename));
+ name = mFilename + "." + mDateFormat.format(new Date()) + "~";
+ writer = new BufferedWriter(new FileWriter(name));
if (reader != null && writer != null) {
while ((line = reader.readLine()) != null) {
if (commentOutNextLine) {
@@ -374,12 +375,15 @@ public class FlatFileAuth
long s2 = 0;
File f1 = new File(mFilename);
File f2 = new File(name);
- if (f1.exists()) s1 = f1.length();
- if (f2.exists()) s2 = f2.length();
+ if (f1.exists())
+ s1 = f1.length();
+ if (f2.exists())
+ s2 = f2.length();
if (s1 > 0 && s2 > 0 && s2 > s1) {
done = true;
} else {
- if (f2.exists()) f2.delete();
+ if (f2.exists())
+ f2.delete();
name = null;
}
}
@@ -390,27 +394,29 @@ public class FlatFileAuth
return name;
}
-
/**
- * Read a file with the following format: <p><pre>
+ * Read a file with the following format:
+ * <p>
+ *
+ * <pre>
* param1: valuea
* param2: valueb
* -blank-line-
* param1: valuec
* param2: valued
* </pre>
- *
+ *
* @param f The file to read
* @param keys The parameters to concat together to form the hash
- * key
+ * key
* @return a hashtable of hashtables.
*/
protected Hashtable readFile(File f, String[] keys)
- throws IOException {
+ throws IOException {
log(ILogger.LL_INFO, "Reading file: " + f.getName());
BufferedReader file = new BufferedReader(
new FileReader(f)
- );
+ );
String line;
Hashtable allusers = new Hashtable();
@@ -429,7 +435,7 @@ public class FlatFileAuth
entry = new Hashtable();
}
- if (colon == -1) { // no colon -> empty line signifies end of record
+ if (colon == -1) { // no colon -> empty line signifies end of record
if (!line.trim().equals("")) {
if (file != null) {
file.close();
@@ -458,8 +464,8 @@ public class FlatFileAuth
}
private void putEntry(Hashtable allUsers,
- Hashtable entry,
- String[] keys) {
+ Hashtable entry,
+ String[] keys) {
if (entry == null) {
return;
}
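Review bot: The reformatted `if (f1.exists())` / `s1 = f1.length();` pairs, and `if (f2.exists())` / `f2.delete();` in the else branch, now place an unbraced body on its own line, which is the shape where a later statement indented to the same level silently falls outside the condition. Bracing them keeps the new layout unambiguous: `if (f1.exists()) { s1 = f1.length(); }`, the same for `s2`, and `if (f2.exists()) { f2.delete(); }`. The enclosing writeFile body starts before this hunk.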
@@ -499,11 +505,11 @@ public class FlatFileAuth
/**
* Compare attributes provided by the user with those in
* in flat file.
- *
+ *
*/
private IAuthToken doAuthentication(Hashtable user, IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
AuthToken authToken = new AuthToken(this);
for (int i = 0; i < authAttrs.length; i++) {
@@ -536,10 +542,10 @@ public class FlatFileAuth
/**
* Authenticate the request
- *
+ *
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
IAuthToken authToken = null;
String keyForUser = "";
@@ -603,14 +609,14 @@ public class FlatFileAuth
/**
* Return a list of HTTP parameters which will be taken from the
* request posting and placed into the AuthCredentials block
- *
+ *
* Note that this method will not be called until after the
* init() method is called
*/
public String[] getRequiredCreds() {
print("getRequiredCreds returning: " + joinStringArray(reqCreds, ","));
return reqCreds;
-
+
}
/**
@@ -640,7 +646,7 @@ public class FlatFileAuth
}
public void init(IProfile profile, IConfigStore config)
- throws EProfileException {
+ throws EProfileException {
}
/**
@@ -666,7 +672,7 @@ public class FlatFileAuth
}
public void populate(IAuthToken token, IRequest request)
- throws EProfileException {
+ throws EProfileException {
}
/**
diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
index 19bfab69..a2d3bc72 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthData.java
@@ -17,17 +17,16 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
-
// java sdk imports.
import java.util.Hashtable;
import java.util.Vector;
-
/**
* The structure stores the information of which machine is enabled for
* the agent-initiated user enrollment, and whom agents enable this feature,
* and the value of the timeout.
* <P>
+ *
* @version $Revision$, $Date$
*/
public class HashAuthData extends Hashtable {
@@ -54,7 +53,7 @@ public class HashAuthData extends Hashtable {
Vector val = (Vector) get(hostname);
if (val == null) {
- val = new Vector();
+ val = new Vector();
put(hostname, val);
}
val.setElementAt(agentName, 0);
@@ -117,4 +116,3 @@ public class HashAuthData extends Hashtable {
val.setElementAt(Long.valueOf(lastLogin), 3);
}
}
-
diff --git a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
index 24a10e0a..a0199a9b 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/HashAuthentication.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
-
// ldap java sdk
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -40,11 +39,10 @@ import com.netscape.certsrv.base.IExtendedPluginInfo;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.cmsutil.util.Utils;
-
/**
* Hash uid/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
@@ -71,18 +69,18 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
private ILogger mLogger = CMS.getLogger();
private static Vector mExtendedPluginInfo = null;
private HashAuthData mHosts = null;
-
+
static String[] mConfigParams =
- new String[] {};
+ new String[] {};
static {
mExtendedPluginInfo = new Vector();
mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
- ";Authenticate the username and password provided " +
- "by the user against an LDAP directory. Works with the " +
- "Dir Based Enrollment HTML form");
+ ";Authenticate the username and password provided " +
+ "by the user against an LDAP directory. Works with the " +
+ "Dir Based Enrollment HTML form");
mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-authrules-uidpwddirauth");
+ ";configuration-authrules-uidpwddirauth");
};
/**
@@ -91,8 +89,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public HashAuthentication() {
}
- public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ public void init(String name, String implName, IConfigStore config)
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
@@ -124,7 +122,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
public void createEntry(String host, String dn, long timeout,
- String secret, long lastLogin) {
+ String secret, long lastLogin) {
Vector v = new Vector();
v.addElement(dn);
@@ -141,7 +139,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
public String getAgentName(String hostname) {
return mHosts.getAgentName(hostname);
}
-
+
public void setAgentName(String hostname, String agentName) {
mHosts.setAgentName(hostname, agentName);
}
@@ -184,7 +182,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
if (mLogger == null) return;
mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
- level, msg);
+ level, msg);
}
public boolean validFingerprint(String host, String pageID, String uid, String fingerprint) {
@@ -192,7 +190,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
if (val.equals(fingerprint)) return true;
- return false;
+ return false;
}
public Enumeration getHosts() {
@@ -200,8 +198,8 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
public String hashFingerprint(String host, String pageID, String uid) {
- byte[] hash =
- mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes());
+ byte[] hash =
+ mSHADigest.digest((SALT + pageID + getSecret(host) + uid).getBytes());
String b64E = com.netscape.osutil.OSUtil.BtoA(hash);
return "{SHA}" + b64E;
@@ -216,18 +214,18 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
public IAuthToken authenticate(IAuthCredentials authCreds)
- throws EBaseException {
+ throws EBaseException {
AuthToken token = new AuthToken(this);
String fingerprint = (String) authCreds.get(CRED_FINGERPRINT);
String pageID = (String) authCreds.get(CRED_PAGEID);
String uid = (String) authCreds.get(CRED_UID);
String host = (String) authCreds.get(CRED_HOST);
- if (fingerprint.equals("") ||
- !validFingerprint(host, pageID, uid, fingerprint)) {
+ if (fingerprint.equals("") ||
+ !validFingerprint(host, pageID, uid, fingerprint)) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_INVALID_FINGER_PRINT"));
throw new EAuthException("Invalid Fingerprint");
}
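Review bot: `fingerprint.equals("")` in the authenticate hunk dereferences the credential before it is checked for null, so a request that omits the fingerprint ends in a NullPointerException instead of the logged `EAuthException` on the next lines; the PortalEnroll hunks in this same commit null-check `uid` and `pwd` taken from `authCreds.get`, and the same guard belongs here: `if (fingerprint == null || fingerprint.equals("") ||`. In the validFingerprint hunk above, `val.equals(fingerprint)` compares a secret-derived digest with an early-exit string compare; `MessageDigest.isEqual(val.getBytes(StandardCharsets.UTF_8), fingerprint.getBytes(StandardCharsets.UTF_8))` keeps the comparison constant-time. In the hashFingerprint hunk, `.getBytes()` with no charset hashes the secret string under the platform default encoding, so the same inputs can produce different fingerprints on differently configured hosts; pass an explicit charset there as well.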
@@ -240,6 +238,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
/**
* Returns array of required credentials for this authentication manager.
+ *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -248,6 +247,7 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
/**
* Gets the configuration substore used by this authentication manager
+ *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -276,14 +276,13 @@ public class HashAuthentication implements IAuthManager, IExtendedPluginInfo {
}
/**
- * Returns a list of configuration parameter names.
- * The list is passed to the configuration console so instances of
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
* this implementation can be configured through the console.
- *
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
return (mConfigParams);
}
}
-
diff --git a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
index 56c8739a..ac13a02f 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/PortalEnroll.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
-
// ldap java sdk
import java.util.Enumeration;
import java.util.Locale;
@@ -49,26 +48,25 @@ import com.netscape.certsrv.ldap.ELdapException;
import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.logging.ILogger;
-
/**
* uid/pwd directory based authentication manager
* <P>
- *
+ *
* @version $Revision$, $Date$
*/
public class PortalEnroll extends DirBasedAuthentication {
/* configuration parameter keys */
- protected static final String PROP_LDAPAUTH = "ldapauth";
- protected static final String PROP_AUTHTYPE = "authtype";
- protected static final String PROP_BINDDN = "bindDN";
- protected static final String PROP_BINDPW = "bindPW";
- protected static final String PROP_LDAPCONN = "ldapconn";
- protected static final String PROP_HOST = "host";
- protected static final String PROP_PORT = "port";
- protected static final String PROP_SECURECONN = "secureConn";
- protected static final String PROP_VERSION = "version";
- protected static final String PROP_OBJECTCLASS = "objectclass";
+ protected static final String PROP_LDAPAUTH = "ldapauth";
+ protected static final String PROP_AUTHTYPE = "authtype";
+ protected static final String PROP_BINDDN = "bindDN";
+ protected static final String PROP_BINDPW = "bindPW";
+ protected static final String PROP_LDAPCONN = "ldapconn";
+ protected static final String PROP_HOST = "host";
+ protected static final String PROP_PORT = "port";
+ protected static final String PROP_SECURECONN = "secureConn";
+ protected static final String PROP_VERSION = "version";
+ protected static final String PROP_OBJECTCLASS = "objectclass";
/* required credentials to authenticate. uid and pwd are strings. */
public static final String CRED_UID = "uid";
@@ -80,83 +78,84 @@ public class PortalEnroll extends DirBasedAuthentication {
private String mObjectClass = null;
private String mBindDN = null;
private String mBaseDN = null;
- private ILdapConnFactory mLdapFactory = null;
- private LDAPConnection mLdapConn = null;
+ private ILdapConnFactory mLdapFactory = null;
+ private LDAPConnection mLdapConn = null;
// contains all nested superiors' required attrs in the form of a
// vector of "required" attributes in Enumeration
Vector mRequiredAttrs = null;
-
+
// contains all nested superiors' optional attrs in the form of a
// vector of "optional" attributes in Enumeration
Vector mOptionalAttrs = null;
// contains all the objclasses, including superiors and itself
Vector mObjClasses = null;
-
+
/* Holds configuration parameters accepted by this implementation.
* This list is passed to the configuration console so configuration
* for instances of this implementation can be configured through the
* console. */
- protected static String[] mConfigParams =
- new String[] {
- PROP_DNPATTERN,
- "ldap.ldapconn.host",
- "ldap.ldapconn.port",
- "ldap.ldapconn.secureConn",
- "ldap.ldapconn.version",
- "ldap.ldapauth.bindDN",
- "ldap.ldapauth.bindPWPrompt",
- "ldap.ldapauth.clientCertNickname",
- "ldap.ldapauth.authtype",
- "ldap.basedn",
- "ldap.objectclass",
- "ldap.minConns",
- "ldap.maxConns",
+ protected static String[] mConfigParams =
+ new String[] {
+ PROP_DNPATTERN,
+ "ldap.ldapconn.host",
+ "ldap.ldapconn.port",
+ "ldap.ldapconn.secureConn",
+ "ldap.ldapconn.version",
+ "ldap.ldapauth.bindDN",
+ "ldap.ldapauth.bindPWPrompt",
+ "ldap.ldapauth.clientCertNickname",
+ "ldap.ldapauth.authtype",
+ "ldap.basedn",
+ "ldap.objectclass",
+ "ldap.minConns",
+ "ldap.maxConns",
};
-
+
/**
* Default constructor, initialization must follow.
*/
- public PortalEnroll()
- throws EBaseException {
+ public PortalEnroll()
+ throws EBaseException {
super();
}
/**
* Initializes the PortalEnrollment auth manager.
* <p>
+ *
* @param name - The name for this authentication manager instance.
* @param implName - The name of the authentication manager plugin.
* @param config - The configuration store for this instance.
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
super.init(name, implName, config);
-
+
/* Get Bind DN for directory server */
mConfig = mLdapConfig.getSubStore(PROP_LDAPAUTH);
mBindDN = mConfig.getString(PROP_BINDDN);
- if ( (mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == ""))
+ if ((mBindDN == null) || (mBindDN.length() == 0) || (mBindDN == ""))
throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "binddn"));
-
- /* Get Bind DN for directory server */
+
+ /* Get Bind DN for directory server */
mBaseDN = mLdapConfig.getString(PROP_BASEDN);
if ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN == "")) throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
-
- /* Get Object clase name for enrollment */
+
+ /* Get Object clase name for enrollment */
mObjectClass = mLdapConfig.getString(PROP_OBJECTCLASS);
- if (mObjectClass == null || mObjectClass.length() == 0)
+ if (mObjectClass == null || mObjectClass.length() == 0)
throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "objectclass"));
- /* Get connect parameter */
+ /* Get connect parameter */
mLdapFactory = CMS.getLdapBoundConnFactory();
mLdapFactory.init(mLdapConfig);
mLdapConn = mLdapFactory.getConn();
-
+
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_PORTAL_INIT"));
}
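Review bot: `(mBindDN == "")` in the new `if ((mBindDN == null) || ...)` line, and the matching `(mBaseDN == "")` beside it, compare String references with `==`, which is never true for a value read from the config store and is already covered by the `length() == 0` test on the same line; drop the `== ""` term or reduce each pair to `mBindDN == null || mBindDN.isEmpty()`. The comment re-added above the base-DN lookup, `/* Get Bind DN for directory server */`, is a copy of the bind-DN comment and should read `/* Get Base DN for directory server */`; `clase` in the next comment is a typo for `class`. `mLdapConn = mLdapFactory.getConn()` takes a connection from the pool at init time and nothing in this hunk returns it, which is worth confirming against the rest of the class.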
@@ -166,18 +165,18 @@ public class PortalEnroll extends DirBasedAuthentication {
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected String authenticate(LDAPConnection conn,
- IAuthCredentials authCreds,
- AuthToken token)
- throws EBaseException {
+ protected String authenticate(LDAPConnection conn,
+ IAuthCredentials authCreds,
+ AuthToken token)
+ throws EBaseException {
String uid = null;
String pwd = null;
String dn = null;
argblk = authCreds.getArgBlock();
-
+
// authenticate by binding to ldap server with password.
try { // get the uid.
@@ -185,7 +184,7 @@ public class PortalEnroll extends DirBasedAuthentication {
if (uid == null) {
throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
}
-
+
// get the password.
pwd = (String) authCreds.get(CRED_PWD);
if (pwd == null) {
@@ -206,8 +205,8 @@ public class PortalEnroll extends DirBasedAuthentication {
throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "UID already exists."));
} else {
dn = regist(token, uid);
- if (dn == null)
- throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE","Could not add user " + uid + "."));
+ if (dn == null)
+ throw new EAuthUserError(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_ATTRIBUTE_VALUE", "Could not add user " + uid + "."));
} // bind as user dn and pwd - authenticates user with pwd.
@@ -217,22 +216,21 @@ public class PortalEnroll extends DirBasedAuthentication {
token.set(CRED_UID, uid);
log(ILogger.LL_INFO, "portal authentication is done");
-
+
return dn;
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString()));
throw e;
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.NO_SUCH_OBJECT:
- case LDAPException.LDAP_PARTIAL_RESULTS:
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_ADD_USER_ERROR", conn.getHost(), Integer.toString(conn.getPort())));
- throw new
- EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", "Check Configuration detail."));
+ throw new EAuthInternalError(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", "Check Configuration detail."));
case LDAPException.INVALID_CREDENTIALS:
- log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
+ log(ILogger.LL_SECURITY,
+ CMS.getLogMessage("CMS_AUTH_BAD_PASSWORD", uid));
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
case LDAPException.SERVER_DOWN:
@@ -240,24 +238,24 @@ public class PortalEnroll extends DirBasedAuthentication {
throw new ELdapException( CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
- default:
+ default:
log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.getMessage()));
throw new ELdapException(
- CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
- e.errorCodeToString()));
+ CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
+ e.errorCodeToString()));
}
} catch (EBaseException e) {
if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_MAKE_DN_ERROR", e.toString()));
throw e;
- }
+ }
}
/**
- * Returns a list of configuration parameter names.
- * The list is passed to the configuration console so instances of
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
* this implementation can be configured through the console.
- *
+ *
* @return String array of configuration parameter names.
*/
public String[] getConfigParams() {
@@ -267,43 +265,44 @@ public class PortalEnroll extends DirBasedAuthentication {
public String[] getExtendedPluginInfo(Locale locale) {
String[] s = { PROP_DNPATTERN + ";string;Template for cert" +
- " Subject Name. ($dn.xxx - get value from user's LDAP " +
- "DN. $attr.yyy - get value from LDAP attributes in " +
- "user's entry.) Default: " + DEFAULT_DNPATTERN,
+ " Subject Name. ($dn.xxx - get value from user's LDAP " +
+ "DN. $attr.yyy - get value from LDAP attributes in " +
+ "user's entry.) Default: " + DEFAULT_DNPATTERN,
"ldap.ldapconn.host;string,required;" + "LDAP host to connect to",
"ldap.ldapconn.port;number,required;" + "LDAP port number (default 389, or 636 if SSL)",
"ldap.objectclass;string,required;SEE DOCUMENTATION for Object Class. "
- + "Default is inetOrgPerson.",
+ + "Default is inetOrgPerson.",
"ldap.ldapconn.secureConn;boolean;" + "Use SSL to connect to directory?",
"ldap.ldapconn.version;choice(3,2);" + "LDAP protocol version",
"ldap.ldapauth.bindDN;string,required;DN to bind as for Directory Manager. "
- + "For example 'CN=Directory Manager'",
+ + "For example 'CN=Directory Manager'",
"ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " +
- "the above user",
+ "the above user",
"ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth);"
- + "How to bind to the directory (for pin removal only)",
+ + "How to bind to the directory (for pin removal only)",
"ldap.ldapauth.clientCertNickname;string;If you want to use "
- + "SSL client auth to the directory, set the client "
- + "cert nickname here",
+ + "SSL client auth to the directory, set the client "
+ + "cert nickname here",
"ldap.basedn;string,required;Base DN to start searching " +
- "under. If your user's DN is 'uid=jsmith, o=company', you " +
- "might want to use 'o=company' here",
+ "under. If your user's DN is 'uid=jsmith, o=company', you " +
+ "might want to use 'o=company' here",
"ldap.minConns;number;number of connections " +
- "to keep open to directory server",
+ "to keep open to directory server",
"ldap.maxConns;number;when needed, connection " +
- "pool can grow to this many connections",
+ "pool can grow to this many connections",
IExtendedPluginInfo.HELP_TEXT +
- ";This authentication plugin checks to see if a user " +
- "exists in the directory. If not, then the user is created " +
- "with the requested password.",
+ ";This authentication plugin checks to see if a user " +
+ "exists in the directory. If not, then the user is created " +
+ "with the requested password.",
IExtendedPluginInfo.HELP_TOKEN + ";configuration-authrules-portalauth"
};
-
+
return s;
}
/**
* Returns array of required credentials for this authentication manager.
+ *
* @return Array of required credentials.
*/
public String[] getRequiredCreds() {
@@ -312,6 +311,7 @@ public class PortalEnroll extends DirBasedAuthentication {
/**
* adds a user to the directory.
+ *
* @return dn upon success and null upon failure.
* @param token authentication token
* @param uid the user's id.
@@ -321,7 +321,7 @@ public class PortalEnroll extends DirBasedAuthentication {
/* Specify the attributes of the entry */
Vector objectclass_values = null;
-
+
LDAPAttributeSet attrs = new LDAPAttributeSet();
LDAPAttribute attr = new LDAPAttribute("objectclass");
@@ -369,7 +369,7 @@ public class PortalEnroll extends DirBasedAuthentication {
} catch (EBaseException e) {
if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) continue;
- }
+ }
CMS.debug("PortalEnroll: " + attrname + " = " + attrval);
attrs.add(new LDAPAttribute(attrname, attrval));
@@ -386,17 +386,17 @@ public class PortalEnroll extends DirBasedAuthentication {
while (attrnames.hasMoreElements()) {
String attrname = (String) attrnames.nextElement();
String attrval = null;
-
+
CMS.debug("PortalEnroll: attrname is: " + attrname);
try {
attrval = (String) argblk.getValueAsString(attrname);
} catch (EBaseException e) {
if (e.getMessage().equalsIgnoreCase(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NOT_FOUND")) == true) continue;
- }
+ }
CMS.debug("PortalEnroll: " + attrname + " = " + attrval);
if (attrval != null) {
- attrs.add(new LDAPAttribute(attrname, attrval));
+ attrs.add(new LDAPAttribute(attrname, attrval));
}
}
}
@@ -417,7 +417,7 @@ public class PortalEnroll extends DirBasedAuthentication {
}
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_REGISTRATION_DONE"));
-
+
return dn;
}
@@ -461,4 +461,3 @@ public class PortalEnroll extends DirBasedAuthentication {
}
}
}
-
diff --git a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
index 1f21bc1d..3542570a 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/RDNPattern.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
-
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;
@@ -29,24 +28,25 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.base.EBaseException;
-
/**
- * class for parsing a DN pattern used to construct a certificate
- * subject name from ldap attributes and dn.<p>
+ * class for parsing a DN pattern used to construct a certificate
+ * subject name from ldap attributes and dn.
+ * <p>
*
- * dnpattern is a string representing a subject name pattern to formulate from
- * the directory attributes and entry dn. If empty or not set, the
- * ldap entry DN will be used as the certificate subject name. <p>
+ * dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.
+ * <p>
+ *
+ * The syntax is
*
- * The syntax is
* <pre>
- * dnPattern := rdnPattern *[ "," rdnPattern ]
- * rdnPattern := avaPattern *[ "+" avaPattern ]
+ * dnPattern := rdnPattern *[ "," rdnPattern ]
+ * rdnPattern := avaPattern *[ "+" avaPattern ]
* avaPattern := name "=" value |
- * name "=" "$attr" "." attrName [ "." attrNumber ] |
- * name "=" "$dn" "." attrName [ "." attrNumber ] |
- * "$dn" "." "$rdn" "." number
+ * name "=" "$attr" "." attrName [ "." attrNumber ] |
+ * name "=" "$dn" "." attrName [ "." attrNumber ] |
+ * "$dn" "." "$rdn" "." number
* </pre>
+ *
* <pre>
* Example1: <i>E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US </i>
* Ldap entry: dn: UID=jjames, OU=IS, OU=people, O=acme.org
@@ -73,11 +73,12 @@ import com.netscape.certsrv.base.EBaseException;
* E = the first 'mail' ldap attribute value in user's entry. <br>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN. note multiple AVAs
- * in a RDN in this example. <br>
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
+ *
* <pre>
* Example3: <i>CN=$attr.cn, $rdn.2, O=$dn.o, C=US</i>
* Ldap entry: dn: UID=jjames, OU=IS+OU=people, O=acme.org
@@ -102,15 +103,15 @@ import com.netscape.certsrv.base.EBaseException;
* <p>
* CN = the (first) 'cn' ldap attribute value in the user's entry. <br>
* OU = the second 'ou' value in the user's entry DN followed by the
- * first 'ou' value in the user's entry. note multiple AVAs
- * in a RDN in this example. <br>
+ * first 'ou' value in the user's entry. note multiple AVAs
+ * in a RDN in this example. <br>
* O = the (first) 'o' value in the user's entry DN. <br>
* C = the string "US"
* <p>
* </pre>
- * If an attribute or subject DN component does not exist the attribute
- * is skipped.
- *
+ *
+ * If an attribute or subject DN component does not exist the attribute is skipped.
+ *
* @version $Revision$, $Date$
*/
class RDNPattern {
@@ -126,13 +127,14 @@ class RDNPattern {
protected String mTestDN = null;
- /**
+ /**
* Construct a DN pattern by parsing a pattern string.
+ *
* @param pattenr the DN pattern
- * @exception EBaseException If parsing error occurs.
+ * @exception EBaseException If parsing error occurs.
*/
public RDNPattern(String pattern)
- throws EAuthException {
+ throws EAuthException {
if (pattern == null || pattern.equals("")) {
// create an attribute list that is the dn.
mLdapAttrs = new String[] { "dn" };
@@ -145,15 +147,15 @@ class RDNPattern { } /** - * Construct a DN pattern from a input stream of pattern + * Construct a DN pattern from a input stream of pattern */ - public RDNPattern(PushbackReader in) - throws EAuthException { + public RDNPattern(PushbackReader in) + throws EAuthException { parse(in); } private void parse(PushbackReader in) - throws EAuthException { + throws EAuthException { //System.out.println("_________ begin rdn _________"); Vector avaPatterns = new Vector(); AVAPattern avaPattern = null; @@ -167,17 +169,16 @@ class RDNPattern { //" mAttr "+avaPattern.mAttr+ //" mValue "+avaPattern.mValue+ //" mElement "+avaPattern.mElement); - try { - lastChar = in.read(); + try { + lastChar = in.read(); } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } - } - while (lastChar == '+'); + } while (lastChar == '+'); if (lastChar != -1) { try { - in.unread(lastChar); // pushback last , + in.unread(lastChar); // pushback last , } catch (IOException e) { throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.toString())); } @@ -191,7 +192,7 @@ class RDNPattern { for (int i = 0; i < mAVAPatterns.length; i++) { String avaAttr = mAVAPatterns[i].getLdapAttr(); - if (avaAttr == null || avaAttr.length() == 0) + if (avaAttr == null || avaAttr.length() == 0) continue; ldapAttrs.addElement(avaAttr); } @@ -201,15 +202,16 @@ class RDNPattern { /** * Form a Ldap v3 DN string from results of a ldap search. + * * @param entry LDAPentry from a ldap search - * @return Ldap v3 DN string to use for a subject name. + * @return Ldap v3 DN string to use for a subject name. */ public String formRDN(LDAPEntry entry) - throws EAuthException { + throws EAuthException { StringBuffer formedRDN = new StringBuffer(); for (int i = 0; i < mAVAPatterns.length; i++) { - if (mTestDN != null) + if (mTestDN != null) mAVAPatterns[i].mTestDN = mTestDN; String ava = mAVAPatterns[i].formAVA(entry); 
diff --git a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java index e73a112c..35c23bd0 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - import java.security.Principal; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -47,15 +46,14 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.usrgrp.Certificates; - /** - * Certificate server SSL client authentication. - * + * Certificate server SSL client authentication. + * * @author Christina Fu - * <P> - * + * <P> + * */ -public class SSLclientCertAuthentication implements IAuthManager, +public class SSLclientCertAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ @@ -86,19 +84,19 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * initializes the SSLClientCertAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; } - + /** * Gets the name of this authentication manager. */ 
@@ -112,7 +110,7 @@ public class SSLclientCertAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return true; } @@ -120,29 +118,29 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * authenticates user by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users + * called by other subsystems or their servlets to authenticate users + * * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * an usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * + * * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("SSLclientCertAuthentication: start"); - CMS.debug("authenticator instance name is "+getName()); + CMS.debug("authenticator instance name is " + getName()); // force SSL handshake SessionContext context = SessionContext.getExistingContext(); ISSLClientCertProvider provider = (ISSLClientCertProvider) - context.get("sslClientCertProvider"); + context.get("sslClientCertProvider"); if (provider == null) { CMS.debug("SSLclientCertAuthentication: No SSL Client Cert Provider Found"); 
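Review bot: `context.get("sslClientCertProvider")` in authenticate() dereferences the result of `SessionContext.getExistingContext()` without a null check, so a thread with no established session context would fail with a NullPointerException rather than the EInvalidCredentials the Javadoc promises. A guard before the lookup, `if (context == null) throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));`, keeps that failure on the documented, fail-closed path. Whether getExistingContext() can actually return null is not visible here; the name suggests it does not create one, so please confirm against SessionContext. The method body continues past the end of the hunk.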
@@ -173,7 +171,7 @@ public class SSLclientCertAuthentication implements IAuthManager, // find out which one is the leaf cert clientCert = ci[i]; - byte [] extBytes = clientCert.getExtensionValue("2.5.29.19"); + byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); // try to see if this is a leaf cert // look for BasicConstraint extension if (extBytes == null) { @@ -186,24 +184,24 @@ public class SSLclientCertAuthentication implements IAuthManager, // so it's not likely to be a leaf cert, // however, check the isCA field regardless try { - BasicConstraintsExtension bce = - new BasicConstraintsExtension(true, extBytes); - if (bce != null) { - if (!(Boolean)bce.get("is_ca")) { - CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); - break; - } // else found a ca cert, continue - } - } catch (Exception e) { - CMS.debug("SSLclientCertAuthentication: authenticate: exception:"+ + BasicConstraintsExtension bce = + new BasicConstraintsExtension(true, extBytes); + if (bce != null) { + if (!(Boolean) bce.get("is_ca")) { + CMS.debug("SSLclientCertAuthentication: authenticate: found CA cert in chain"); + break; + } // else found a ca cert, continue + } + } catch (Exception e) { + CMS.debug("SSLclientCertAuthentication: authenticate: exception:" + e.toString()); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - } + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } } if (clientCert == null) { - CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + CMS.debug("SSLclientCertAuthentication: authenticate: client cert not found"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } } catch (CertificateException e) { CMS.debug(e.toString()); 
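Review bot: The debug message in the BasicConstraints loop states the opposite of what the branch detects: the `break` runs when `is_ca` is false, i.e. when the end-entity certificate has been found, yet it logs `found CA cert in chain`, while the trailing `// else found a ca cert, continue` comment describes the intended logic correctly. Changing it to `CMS.debug("SSLclientCertAuthentication: authenticate: found leaf cert in chain");` makes the trace usable when diagnosing client-auth failures. The `if (bce != null)` test is always true, since `new BasicConstraintsExtension(true, extBytes)` either returns an object or throws, so it can be dropped; the broad `catch (Exception e)` then maps any decode failure to EInvalidCredentials, which is the right fail-closed outcome. authenticate() starts and ends outside this hunk.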
@@ -213,15 +211,15 @@ public class SSLclientCertAuthentication implements IAuthManager, // check if certificate(s) is revoked boolean checkRevocation = true; try { - checkRevocation = mConfig.getBoolean("checkRevocation", true); + checkRevocation = mConfig.getBoolean("checkRevocation", true); } catch (EBaseException e) { - // do nothing; default to true + // do nothing; default to true } if (checkRevocation) { - if (CMS.isRevoked(ci)) { - CMS.debug("SSLclientCertAuthentication: certificate revoked"); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } + if (CMS.isRevoked(ci)) { + CMS.debug("SSLclientCertAuthentication: certificate revoked"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } } Certificates certs = new Certificates(ci); Principal p_dn = clientCert.getSubjectDN(); @@ -232,13 +230,13 @@ public class SSLclientCertAuthentication implements IAuthManager, authToken.set(TOKEN_UID, uid); authToken.set(TOKEN_USERID, uid); } -/* - authToken.set(TOKEN_USER_DN, user.getUserDN()); - authToken.set(TOKEN_USERID, user.getUserID()); - authToken.set(TOKEN_UID, user.getUserID()); - authToken.set(TOKEN_GROUP, groupname); -*/ - authToken.set(CRED_CERT, certs); + /* + authToken.set(TOKEN_USER_DN, user.getUserDN()); + authToken.set(TOKEN_USERID, user.getUserID()); + authToken.set(TOKEN_UID, user.getUserID()); + authToken.set(TOKEN_GROUP, groupname); + */ + authToken.set(CRED_CERT, certs); CMS.debug("SSLclientCertAuthentication: authenticated "); @@ -257,7 +255,7 @@ public class SSLclientCertAuthentication implements IAuthManager, String n = t.substring(0, i); if (n.equalsIgnoreCase("uid")) { String v = t.substring(i + 1); - CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:"+v); + CMS.debug("SSLclientCertAuthentication: getUidFromDN(): uid found:" + v); return v; } else { continue; 
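Review bot: The commented-out `authToken.set(TOKEN_USER_DN, user.getUserDN()); ... authToken.set(TOKEN_GROUP, groupname);` block in the second hunk is dead code under version control: the names `user` and `groupname` it references do not appear in the visible lines, so it cannot simply be re-enabled, and leaving it suggests the token carries a user DN and group that this path does not actually set. Deleting the four lines and keeping only `authToken.set(CRED_CERT, certs);` removes that ambiguity. In the first hunk the `catch (EBaseException e)` that defaults `checkRevocation` to true is fail-closed, which is correct, but a `CMS.debug` line in that branch would make a misconfigured store visible. authenticate() starts and ends outside these hunks.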
@@ -268,10 +266,11 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -280,14 +279,15 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); 
@@ -301,7 +301,8 @@ public class SSLclientCertAuthentication implements IAuthManager, /** * gets the configuretion substore used by this authentication - * manager + * manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -311,7 +312,7 @@ public class SSLclientCertAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -348,7 +349,7 @@ public class SSLclientCertAuthentication implements IAuthManager, } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(TOKEN_USERDN)); request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, diff --git a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java index 8b0a7b9b..7a0784c5 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java +++ b/pki/base/common/src/com/netscape/cms/authentication/SharedSecret.java @@ -26,7 +26,7 @@ import com.netscape.certsrv.authentication.ISharedToken; public class SharedSecret implements ISharedToken { public SharedSecret() { - } + } public String getSharedToken(PKIData cmcdata) { return "testing"; diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java index bb393767..5dcb80a6 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java 
@@ -46,13 +46,13 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.xml.XMLObject; /** - * Token authentication. + * Token authentication. * Checked if the given token is valid. * <P> - * + * * @version $Revision$, $Date$ */ -public class TokenAuthentication implements IAuthManager, +public class TokenAuthentication implements IAuthManager, IProfileAuthenticator { /* result auth token attributes */ @@ -79,21 +79,21 @@ public class TokenAuthentication implements IAuthManager, /** * initializes the TokenAuthentication auth manager * <p> - * called by AuthSubsystem init() method, when initializing - * all available authentication managers. + * called by AuthSubsystem init() method, when initializing all available authentication managers. + * * @param name The name of this authentication manager instance. * @param implName The name of the authentication manager plugin. * @param config The configuration store for this authentication manager. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; mUGSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); } - + /** * Gets the name of this authentication manager. */ @@ -107,7 +107,7 @@ public class TokenAuthentication implements IAuthManager, public String getImplName() { return mImplName; } - + public boolean isSSLClientRequired() { return false; } 
@@ -115,21 +115,21 @@ public class TokenAuthentication implements IAuthManager, /** * authenticates user(agent) by certificate * <p> - * called by other subsystems or their servlets to authenticate - * users (agents) + * called by other subsystems or their servlets to authenticate users (agents) + * * @param authCred - authentication credential that contains - * an usrgrp.Certificates of the user (agent) + * an usrgrp.Certificates of the user (agent) * @return the authentication token that contains the following - * @exception EMissingCredential If a required credential for this - * authentication manager is missing. + * @exception EMissingCredential If a required credential for this + * authentication manager is missing. * @exception EInvalidCredentials If credentials cannot be authenticated. * @exception EBaseException If an internal error occurred. * @see com.netscape.certsrv.authentication.AuthToken * @see com.netscape.certsrv.usrgrp.Certificates */ public IAuthToken authenticate(IAuthCredentials authCred) - throws EMissingCredential, EInvalidCredentials, EBaseException { - + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("TokenAuthentication: start"); // force SSL handshake @@ -141,8 +141,8 @@ public class TokenAuthentication implements IAuthManager, // get group name from configuration file IConfigStore sconfig = CMS.getConfigStore(); - String sessionId = (String)authCred.get(CRED_SESSION_ID); - String givenHost = (String)authCred.get("clientHost"); + String sessionId = (String) authCred.get(CRED_SESSION_ID); + String givenHost = (String) authCred.get("clientHost"); String auth_host = sconfig.getString("securitydomain.host"); int auth_port = sconfig.getInteger("securitydomain.httpseeport"); 
@@ -151,7 +151,7 @@ public class TokenAuthentication implements IAuthManager, try { JssSSLSocketFactory factory = new JssSSLSocketFactory(); httpclient = new HttpClient(factory); - String content = CRED_SESSION_ID+"="+sessionId+"&hostname="+givenHost; + String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost; CMS.debug("TokenAuthentication: content=" + content); httpclient.connect(auth_host, auth_port); HttpRequest httprequest = new HttpRequest(); @@ -165,8 +165,8 @@ public class TokenAuthentication implements IAuthManager, HttpResponse httpresponse = httpclient.send(httprequest); c = httpresponse.getContent(); - } catch (Exception e) { - CMS.debug("TokenAuthentication authenticate Exception="+e.toString()); + } catch (Exception e) { + CMS.debug("TokenAuthentication authenticate Exception=" + e.toString()); } if (c != null) { @@ -177,9 +177,9 @@ public class TokenAuthentication implements IAuthManager, try { parser = new XMLObject(bis); } catch (Exception e) { - CMS.debug( "TokenAuthentication::authenticate() - " - + "Exception="+e.toString() ); - throw new EBaseException( e.toString() ); + CMS.debug("TokenAuthentication::authenticate() - " + + "Exception=" + e.toString()); + throw new EBaseException(e.toString()); } String status = parser.getValue("Status"); @@ -195,13 +195,13 @@ public class TokenAuthentication implements IAuthManager, authToken.set(TOKEN_UID, uid); authToken.set(TOKEN_GID, gid); - if(context != null) { + if (context != null) { CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid); - context.put(SessionContext.USER_ID, uid ); - context.put(SessionContext.GROUP_ID, gid ); + context.put(SessionContext.USER_ID, uid); + context.put(SessionContext.GROUP_ID, gid); } - CMS.debug("TokenAuthentication: authenticated uid="+uid+", gid="+gid); + CMS.debug("TokenAuthentication: authenticated uid=" + uid + ", gid=" + gid); } catch (EBaseException e) { throw e; } catch (Exception e) { 
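Review bot: `String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost;` builds a form body from two credential-supplied values without encoding them, so an `&`, `=` or `%` inside sessionId or givenHost changes which parameters the security domain endpoint parses. Encoding each value, e.g. `URLEncoder.encode(sessionId, "UTF-8")` and `URLEncoder.encode(givenHost, "UTF-8")`, keeps the request unambiguous. In the next hunk the `catch (Exception e)` only writes a debug line and leaves `c` null, so a transport failure later looks like a missing response rather than an error, and in the XMLObject hunk `throw new EBaseException(e.toString())` discards the original stack trace; if EBaseException offers a cause-taking constructor it should be used there. authenticate() starts and ends outside these hunks.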
@@ -213,10 +213,11 @@ public class TokenAuthentication implements IAuthManager, /** * get the list of authentication credential attribute names - * required by this authentication manager. Generally used by - * the servlets that handle agent operations to authenticate its - * users. It calls this method to know which are the - * required credentials from the user (e.g. Javascript form data) + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * * @return attribute names in Vector */ public String[] getRequiredCreds() { @@ -225,14 +226,15 @@ public class TokenAuthentication implements IAuthManager, /** * get the list of configuration parameter names - * required by this authentication manager. Generally used by - * the Certificate Server Console to display the table for - * configuration purposes. CertUserDBAuthentication is currently not - * exposed in this case, so this method is not to be used. + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * * @return configuration parameter names in Hashtable of Vectors - * where each hashtable entry's key is the substore name, value is a - * Vector of parameter names. If no substore, the parameter name - * is the Hashtable key itself, with value same as key. + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. */ public String[] getConfigParams() { return (mConfigParams); 
@@ -246,7 +248,8 @@ public class TokenAuthentication implements IAuthManager, /** * gets the configuretion substore used by this authentication - * manager + * manager + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -256,7 +259,7 @@ public class TokenAuthentication implements IAuthManager, // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -296,6 +299,6 @@ public class TokenAuthentication implements IAuthManager, } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { } } diff --git a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java index 565bca1a..c9fbbf9a 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import netscape.ldap.LDAPConnection; import netscape.ldap.LDAPException; @@ -33,11 +32,10 @@ import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.ldap.ELdapException; import com.netscape.certsrv.logging.ILogger; - /** * udn/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class UdnPwdDirAuthentication extends DirBasedAuthentication { 
@@ -52,25 +50,25 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { * for instances of this implementation can be configured through the * console. */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.minConns", - "ldap.maxConns", + protected static String[] mConfigParams = + new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.minConns", + "ldap.maxConns", }; static { mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the user distinguished name and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); + ";Authenticate the user distinguished name and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); + ";configuration-authentication"); }; /** @@ -83,13 +81,14 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { /** * Initializes the UdnPwdDirAuthentication auth manager. * <p> + * * @param name - The name for this authentication manager instance. * @param implName - The name of the authentication manager plugin. * @param config - The configuration store for this instance. * @exception EBaseException If an error occurs during initialization. */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { super.init(name, implName, config, false); } 
@@ -99,12 +98,12 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the udn and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { String userdn = null; // authenticate by binding to ldap server with password. @@ -114,7 +113,7 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { if (userdn == null) { throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN)); } - + // get the password. String pwd = (String) authCreds.get(CRED_PWD); @@ -123,8 +122,8 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { } if (pwd.equals("")) { // anonymous binding not allowed - log(ILogger.LL_FAILURE, - "user " + userdn + " attempted login with empty password."); + log(ILogger.LL_FAILURE, + "user " + userdn + " attempted login with empty password."); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } 
@@ -135,21 +134,21 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { return userdn; } catch (ELdapException e) { - log(ILogger.LL_FAILURE, - "Couldn't get ldap connection. Error: " + e.toString()); + log(ILogger.LL_FAILURE, + "Couldn't get ldap connection. Error: " + e.toString()); throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: - log(ILogger.LL_SECURITY, - "user " + userdn + " does not exist in ldap server host " + - conn.getHost() + ", port " + conn.getPort() + "."); + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: + log(ILogger.LL_SECURITY, + "user " + userdn + " does not exist in ldap server host " + + conn.getHost() + ", port " + conn.getPort() + "."); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.INVALID_CREDENTIALS: - log(ILogger.LL_SECURITY, - "authenticate user " + userdn + " with bad password."); + log(ILogger.LL_SECURITY, + "authenticate user " + userdn + " with bad password."); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); case LDAPException.SERVER_DOWN: 
@@ -157,21 +156,21 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { throw new ELdapException( CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - default: - log(ILogger.LL_FAILURE, - "Ldap error encountered. " + e.getMessage()); + default: + log(ILogger.LL_FAILURE, + "Ldap error encountered. " + e.getMessage()); throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); } - } + } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of * this implementation can be configured through the console. - * + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -180,6 +179,7 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -187,4 +187,3 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { } } - diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java index e97fee8b..dd750614 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.util.Enumeration; import java.util.Locale; 
@@ -47,15 +46,14 @@ import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * uid/pwd directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ -public class UidPwdDirAuthentication extends DirBasedAuthentication - implements IProfileAuthenticator { +public class UidPwdDirAuthentication extends DirBasedAuthentication + implements IProfileAuthenticator { /* required credentials to authenticate. uid and pwd are strings. */ public static final String CRED_UID = "uid"; @@ -67,26 +65,26 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication * for instances of this implementation can be configured through the * console. */ - protected static String[] mConfigParams = - new String[] { PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", + protected static String[] mConfigParams = + new String[] { PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.basedn", + "ldap.minConns", + "ldap.maxConns", }; static { mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT + - ";Authenticate the username and password provided " + - "by the user against an LDAP directory. Works with the " + - "Dir Based Enrollment HTML form"); + ";Authenticate the username and password provided " + + "by the user against an LDAP directory. Works with the " + + "Dir Based Enrollment HTML form"); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwddirauth"); + ";configuration-authrules-uidpwddirauth"); }; /** 
@@ -102,12 +100,12 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication * @param authCreds The authentication credentials. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { String userdn = null; String uid = null; @@ -119,12 +117,12 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication if (uid == null) { throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); } - + // get the password. String pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { - throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL",CRED_PWD)); + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD)); } if (pwd.equals("")) { // anonymous binding not allowed @@ -133,7 +131,7 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication } // get user dn. - CMS.debug("Authenticating: Searching for UID=" + uid + + CMS.debug("Authenticating: Searching for UID=" + uid + " base DN=" + mBaseDN); LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false); 
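Review bot: `conn.search(mBaseDN, LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false)` interpolates the credential-supplied uid directly into the LDAP search filter, so a value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) is interpreted as filter syntax instead of being matched literally, and the entry the lookup resolves to may not be the one the caller named. Escaping those characters per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`, `\00`) before building the filter, or rejecting a uid that is not a plain identifier, closes this; the earlier null and empty-password checks in this method do not cover it. How the resulting DN is bound afterwards is outside the hunk, so the impact of a wildcard match should be confirmed there. authenticate() starts and ends outside this hunk.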
@@ -160,8 +158,8 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: log(ILogger.LL_SECURITY, CMS.getLogMessage("USER_NOT_EXIST", uid)); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); @@ -174,20 +172,20 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication throw new ELdapException( CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - default: + default: log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); } - } + } } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of * this implementation can be configured through the console. - * + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -196,6 +194,7 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { @@ -203,9 +202,9 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication } // Profile-related methods - + public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** 
@@ -247,19 +246,19 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication * parameter by name. */ public IDescriptor getValueDescriptor(Locale locale, String name) { - if (name.equals(CRED_UID)) { + if (name.equals(CRED_UID)) { return new Descriptor(IDescriptor.STRING, null, null, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_UID")); } else if (name.equals(CRED_PWD)) { return new Descriptor(IDescriptor.PASSWORD, null, null, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_LDAP_PWD")); - + } return null; } - public void populate(IAuthToken token, IRequest request) - throws EProfileException { + public void populate(IAuthToken token, IRequest request) + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(USER_DN)); } diff --git a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java index ce60bf8d..2908d532 100644 --- a/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authentication; - // ldap java sdk import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -53,15 +52,14 @@ import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * uid/pwd/pin directory based authentication manager * <P> - * + * * @version $Revision$, $Date$ */ public class UidPwdPinDirAuthentication extends DirBasedAuthentication - implements IExtendedPluginInfo, IProfileAuthenticator { + implements IExtendedPluginInfo, IProfileAuthenticator { /* required credentials to authenticate. uid and pwd are strings. */ public static final String CRED_UID = "uid"; 
@@ -84,49 +82,49 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication * for instances of this implementation can be configured through the * console. */ - protected static String[] mConfigParams = - new String[] { PROP_REMOVE_PIN, - PROP_PIN_ATTR, - PROP_DNPATTERN, - PROP_LDAPSTRINGATTRS, - PROP_LDAPBYTEATTRS, - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.ldapauth.bindDN", - "ldap.ldapauth.bindPWPrompt", - "ldap.ldapauth.clientCertNickname", - "ldap.ldapauth.authtype", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", + protected static String[] mConfigParams = + new String[] { PROP_REMOVE_PIN, + PROP_PIN_ATTR, + PROP_DNPATTERN, + PROP_LDAPSTRINGATTRS, + PROP_LDAPBYTEATTRS, + "ldap.ldapconn.host", + "ldap.ldapconn.port", + "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", + "ldap.ldapauth.bindDN", + "ldap.ldapauth.bindPWPrompt", + "ldap.ldapauth.clientCertNickname", + "ldap.ldapauth.authtype", + "ldap.basedn", + "ldap.minConns", + "ldap.maxConns", }; static { mExtendedPluginInfo.add( - PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal"); + PROP_REMOVE_PIN + ";boolean;SEE DOCUMENTATION for pin removal"); mExtendedPluginInfo.add( - PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')"); + PROP_PIN_ATTR + ";string;directory attribute to use for pin (default 'pin')"); mExtendedPluginInfo.add( - "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. " - + "For example 'CN=PinRemoval User'"); + "ldap.ldapauth.bindDN;string;DN to bind as for pin removal. 
" + + "For example 'CN=PinRemoval User'"); mExtendedPluginInfo.add( - "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + - "the above user"); + "ldap.ldapauth.bindPWPrompt;password;Enter password used to bind as " + + "the above user"); mExtendedPluginInfo.add( - "ldap.ldapauth.clientCertNickname;string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here"); + "ldap.ldapauth.clientCertNickname;string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here"); mExtendedPluginInfo.add( - "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" - + "How to bind to the directory (for pin removal only)"); + "ldap.ldapauth.authtype;choice(BasicAuth,SslClientAuth),required;" + + "How to bind to the directory (for pin removal only)"); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT - + ";Authenticate the username, password and pin provided " - + "by the user against an LDAP directory. Works with the " - + "Dir/Pin Based Enrollment HTML form"); + + ";Authenticate the username, password and pin provided " + + "by the user against an LDAP directory. Works with the " + + "Dir/Pin Based Enrollment HTML form"); mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authrules-uidpwdpindirauth"); + ";configuration-authrules-uidpwdpindirauth"); } 
@@ -135,12 +133,12 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication protected MessageDigest mSHADigest = null; protected MessageDigest mMD5Digest = null; - private String mBindDN = null; - private String mBindPassword = null; + private String mBindDN = null; + private String mBindPassword = null; - private ILdapConnFactory removePinLdapFactory = null; - private LDAPConnection removePinLdapConnection = null; - private IConfigStore removePinLdapConfigStore = null; + private ILdapConnFactory removePinLdapFactory = null; + private LDAPConnection removePinLdapConnection = null; + private IConfigStore removePinLdapConfigStore = null; /** * Default constructor, initialization must follow. @@ -149,12 +147,12 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication super(); } - public void init(String name, String implName, IConfigStore config) - throws EBaseException { + public void init(String name, String implName, IConfigStore config) + throws EBaseException { super.init(name, implName, config); - mRemovePin = + mRemovePin = config.getBoolean(PROP_REMOVE_PIN, DEF_REMOVE_PIN); - mPinAttr = + mPinAttr = config.getString(PROP_PIN_ATTR, DEF_PIN_ATTR); if (mPinAttr.equals("")) { mPinAttr = DEF_PIN_ATTR; @@ -166,7 +164,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication removePinLdapFactory.init(removePinLdapConfigStore); removePinLdapConnection = removePinLdapFactory.getConn(); } - + try { mSHADigest = MessageDigest.getInstance("SHA1"); mMD5Digest = MessageDigest.getInstance("MD5"); @@ -177,7 +175,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication } protected void verifyPassword(String Password) { - } + } /** * Authenticates a user based on its uid, pwd, pin in the directory. 
@@ -185,16 +183,16 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication * @param authCreds The authentication credentials with uid, pwd, pin. * @return The user's ldap entry dn. * @exception EInvalidCredentials If the uid and password are not valid - * @exception EBaseException If an internal error occurs. + * @exception EBaseException If an internal error occurs. */ - protected String authenticate(LDAPConnection conn, - IAuthCredentials authCreds, - AuthToken token) - throws EBaseException { + protected String authenticate(LDAPConnection conn, + IAuthCredentials authCreds, + AuthToken token) + throws EBaseException { String userdn = null; - String uid = null; - String pwd = null; - String pin = null; + String uid = null; + String pwd = null; + String pin = null; try { // get the uid. @@ -202,7 +200,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication if (uid == null) { throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID)); } - + // get the password. pwd = (String) authCreds.get(CRED_PWD); if (pwd == null) { @@ -256,8 +254,8 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication throw e; } catch (LDAPException e) { switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: - case LDAPException.LDAP_PARTIAL_RESULTS: + case LDAPException.NO_SUCH_OBJECT: + case LDAPException.LDAP_PARTIAL_RESULTS: log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_USER_NOT_EXIST", uid)); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); 
@@ -270,24 +268,24 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication throw new ELdapException( CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); - default: + default: log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.getMessage())); throw new ELdapException( - CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", - e.errorCodeToString())); + CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", + e.errorCodeToString())); } - } + } } - protected void checkpin(LDAPConnection conn, String userdn, - String uid, String pin) - throws EBaseException, LDAPException { + protected void checkpin(LDAPConnection conn, String userdn, + String uid, String pin) + throws EBaseException, LDAPException { LDAPSearchResults res = null; LDAPEntry entry = null; // get pin. - res = conn.search(userdn, LDAPv2.SCOPE_BASE, + res = conn.search(userdn, LDAPv2.SCOPE_BASE, "(objectclass=*)", new String[] { mPinAttr }, false); if (res.hasMoreElements()) { entry = (LDAPEntry) res.nextElement(); @@ -309,7 +307,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - byte[] entrypin = (byte[]) pinValues.nextElement(); + byte[] entrypin = (byte[]) pinValues.nextElement(); // compare value digest. @@ -317,14 +315,14 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } - + byte hashtype = entrypin[0]; byte[] pinDigest = null; String toBeDigested = userdn + pin; if (hashtype == SENTINEL_SHA) { - + pinDigest = mSHADigest.digest(toBeDigested.getBytes()); } else if (hashtype == SENTINEL_MD5) { pinDigest = mMD5Digest.digest(toBeDigested.getBytes()); 
@@ -343,7 +341,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication int i; for (i = 0; i < (entrypin.length - 1); i++) { - if (pinDigest[i] != entrypin[i + 1]) + if (pinDigest[i] != entrypin[i + 1]) break; } if (i != (entrypin.length - 1)) { @@ -354,17 +352,17 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication // pin ok. remove pin if so configured // Note that this means that a policy may reject this request later, // but the user will not be able to enroll again as his pin is gone. - + // We remove the pin using a different connection which is bound as // a more privileged user. if (mRemovePin) { try { - removePinLdapConnection.modify(userdn, - new LDAPModification( - LDAPModification.DELETE, - new LDAPAttribute(mPinAttr, entrypin))); + removePinLdapConnection.modify(userdn, + new LDAPModification( + LDAPModification.DELETE, + new LDAPAttribute(mPinAttr, entrypin))); } catch (LDAPException e) { log(ILogger.LL_SECURITY, CMS.getLogMessage("CMS_AUTH_CANT_REMOVE_PIN", userdn)); @@ -374,10 +372,10 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of + * Returns a list of configuration parameter names. + * The list is passed to the configuration console so instances of * this implementation can be configured through the console. - * + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -386,6 +384,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication /** * Returns array of required credentials for this authentication manager. + * * @return Array of required credentials. */ public String[] getRequiredCreds() { 
@@ -395,7 +394,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication // Profile-related methods public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { } /** @@ -453,7 +452,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication } public void populate(IAuthToken token, IRequest request) - throws EProfileException { + throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, token.getInString(USER_DN)); } @@ -462,4 +461,3 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication return false; } } - |