diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java | 202 |
1 files changed, 100 insertions, 102 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java index 6142d685..9b39acc7 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/RevocationServlet.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateEncodingException; @@ -56,9 +57,10 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; + /** * Perform the first step in revoking a certificate - * + * * @version $Revision$, $Date$ */ public class RevocationServlet extends CMSServlet { @@ -70,11 +72,11 @@ public class RevocationServlet extends CMSServlet { // revocation templates. private final static String TPL_FILE = "reasonToRevoke.template"; - // http params + // http params public static final String SERIAL_NO = "serialNo"; - // XXX can't do pkcs10 cause it's got no serial no. + // XXX can't do pkcs10 cause it's got no serial no. // (unless put serial no in pki attributes) - // public static final String PKCS10 = "pkcs10"; + // public static final String PKCS10 = "pkcs10"; public static final String REASON_CODE = "reasonCode"; private String mFormPath = null; @@ -83,14 +85,15 @@ public class RevocationServlet extends CMSServlet { private Random mRandom = null; private Nonces mNonces = null; + public RevocationServlet() { super(); } /** - * initialize the servlet. This servlet uses the template file - * "reasonToRevoke.template" to render the result. - * + * initialize the servlet. This servlet uses + * the template file "reasonToRevoke.template" to render the + * result. * @param sc servlet configuration, read from the web.xml file */ public void init(ServletConfig sc) throws ServletException { @@ -100,7 +103,8 @@ public class RevocationServlet extends CMSServlet { mFormPath = "/" + TPL_FILE; try { - mFormPath = sc.getInitParameter(PROP_SUCCESS_TEMPLATE); + mFormPath = sc.getInitParameter( + PROP_SUCCESS_TEMPLATE); if (mFormPath == null) mFormPath = "/" + TPL_FILE; @@ -111,7 +115,7 @@ public class RevocationServlet extends CMSServlet { } } - // set to false by revokeByDN=false in web.xml + // set to false by revokeByDN=false in web.xml mRevokeByDN = false; String tmp = sc.getInitParameter(PROP_REVOKEBYDN); @@ -123,26 +127,28 @@ public class RevocationServlet extends CMSServlet { } } + /** - * Process the HTTP request. Note that this servlet does not actually - * perform the certificate revocation. This is the first step in the - * multi-step revocation process. (the next step is in the ReasonToRevoke - * servlet. - * + * Process the HTTP request. Note that this servlet does not + * actually perform the certificate revocation. This is the first + * step in the multi-step revocation process. (the next step is + * in the ReasonToRevoke servlet. + * * @param cmsReq the object holding the request and response information */ - protected void process(CMSRequest cmsReq) throws EBaseException { + protected void process(CMSRequest cmsReq) + throws EBaseException { IArgBlock httpParams = cmsReq.getHttpParams(); HttpServletRequest httpReq = cmsReq.getHttpReq(); HttpServletResponse httpResp = cmsReq.getHttpResp(); - // revocation requires either: - // - coming from ee: - // - old cert from ssl client auth - // - old certs from auth manager - // - coming from agent or trusted RA: - // - serial no of cert to be revoked. - + // revocation requires either: + // - coming from ee: + // - old cert from ssl client auth + // - old certs from auth manager + // - coming from agent or trusted RA: + // - serial no of cert to be revoked. + BigInteger old_serial_no = null; X509CertImpl old_cert = null; String revokeAll = null; @@ -153,11 +159,10 @@ public class RevocationServlet extends CMSServlet { try { form = getTemplate(mFormPath, httpReq, locale); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } IArgBlock header = CMS.createArgBlock(); @@ -169,50 +174,45 @@ public class RevocationServlet extends CMSServlet { AuthzToken authzToken = null; try { - authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, - "submit"); + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "submit"); } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); } if (authzToken == null) { cmsReq.setStatus(CMSRequest.UNAUTHORIZED); return; } - - // coming from agent - if (mAuthMgr != null - && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + + // coming from agent + if (mAuthMgr != null && mAuthMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { X509Certificate[] cert = new X509Certificate[1]; old_serial_no = getCertFromAgent(httpParams, cert); old_cert = (X509CertImpl) cert[0]; } // coming from client else { - // from auth manager + // from auth manager X509CertImpl[] cert = new X509CertImpl[1]; - + old_serial_no = getCertFromAuthMgr(authToken, cert); old_cert = cert[0]; } - header.addStringValue("serialNumber", old_cert.getSerialNumber() - .toString(16)); - header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber() - .toString()); - // header.addStringValue("subject", old_cert.getSubjectDN().toString()); - // header.addLongValue("validNotBefore", - // old_cert.getNotBefore().getTime()/1000); - // header.addLongValue("validNotAfter", - // old_cert.getNotAfter().getTime()/1000); + header.addStringValue("serialNumber", old_cert.getSerialNumber().toString(16)); + header.addStringValue("serialNumberDecimal", old_cert.getSerialNumber().toString()); + // header.addStringValue("subject", old_cert.getSubjectDN().toString()); + // header.addLongValue("validNotBefore", old_cert.getNotBefore().getTime()/1000); + // header.addLongValue("validNotAfter", old_cert.getNotAfter().getTime()/1000); if (mNonces != null) { long n = mRandom.nextLong(); - long m = mNonces.addNonce(n, (X509Certificate) old_cert); + long m = mNonces.addNonce(n, (X509Certificate)old_cert); if ((n + m) != 0) { header.addStringValue("nonce", Long.toString(m)); } @@ -222,20 +222,19 @@ public class RevocationServlet extends CMSServlet { X509CertImpl[] certsToRevoke = null; if (mAuthority instanceof ICertificateAuthority) { - certsToRevoke = ((ICertificateAuthority) mAuthority) - .getCertificateRepository().getX509Certificates( - old_cert.getSubjectDN().toString(), - ICertificateRepository.ALL_UNREVOKED_CERTS); + certsToRevoke = ((ICertificateAuthority) mAuthority).getCertificateRepository().getX509Certificates( + old_cert.getSubjectDN().toString(), + ICertificateRepository.ALL_UNREVOKED_CERTS); } else if (mAuthority instanceof IRegistrationAuthority) { IRequest req = mRequestQueue.newRequest(IRequest.GETCERTS_REQUEST); - String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." - + X509CertInfo.SUBJECT + "=" - + old_cert.getSubjectDN().toString() + ")(|(" - + ICertRecord.ATTR_CERT_STATUS + "=" - + ICertRecord.STATUS_VALID + ")(" - + ICertRecord.ATTR_CERT_STATUS + "=" - + ICertRecord.STATUS_EXPIRED + ")))"; + String filter = "(&(" + ICertRecord.ATTR_X509CERT + "." + + X509CertInfo.SUBJECT + "=" + + old_cert.getSubjectDN().toString() + ")(|(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_VALID + ")(" + + ICertRecord.ATTR_CERT_STATUS + "=" + + ICertRecord.STATUS_EXPIRED + ")))"; req.setExtData(IRequest.CERT_FILTER, filter); mRequestQueue.processRequest(req); @@ -249,8 +248,7 @@ public class RevocationServlet extends CMSServlet { String name = (String) enum1.nextElement(); if (name.equals(IRequest.OLD_CERTS)) { - X509CertImpl[] certs = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] certs = req.getExtDataInCertArray(IRequest.OLD_CERTS); certsToRevoke = certs; } @@ -264,20 +262,18 @@ public class RevocationServlet extends CMSServlet { if (certsToRevoke != null && certsToRevoke.length > 0) { for (int i = 0; i < certsToRevoke.length; i++) { - if (old_cert.getSerialNumber().equals( - certsToRevoke[i].getSerialNumber())) { + if (old_cert.getSerialNumber().equals(certsToRevoke[i].getSerialNumber())) { authorized = true; break; } } } - if (!noInfo - && (certsToRevoke == null || certsToRevoke.length == 0 || (!authorized))) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); - throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); + if (!noInfo && (certsToRevoke == null || certsToRevoke.length == 0 || + (!authorized))) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_ALREADY_REVOKED_1", old_serial_no.toString(16))); + throw new ECMSGWException(CMS.getUserMessage("CMS_GW_CERT_ALREADY_REVOKED")); } if (!mRevokeByDN || noInfo) { @@ -287,8 +283,7 @@ public class RevocationServlet extends CMSServlet { byte[] ba = old_cert.getEncoded(); // Do base 64 encoding - header.addStringValue("b64eCertificate", - com.netscape.osutil.OSUtil.BtoA(ba)); + header.addStringValue("b64eCertificate", com.netscape.osutil.OSUtil.BtoA(ba)); } catch (CertificateEncodingException e) { } } @@ -300,16 +295,16 @@ public class RevocationServlet extends CMSServlet { for (int i = 0; i < certsToRevoke.length; i++) { IArgBlock rarg = CMS.createArgBlock(); - rarg.addStringValue("serialNumber", certsToRevoke[i] - .getSerialNumber().toString(16)); - rarg.addStringValue("serialNumberDecimal", certsToRevoke[i] - .getSerialNumber().toString()); - rarg.addStringValue("subject", certsToRevoke[i].getSubjectDN() - .toString()); - rarg.addLongValue("validNotBefore", certsToRevoke[i] - .getNotBefore().getTime() / 1000); - rarg.addLongValue("validNotAfter", certsToRevoke[i] - .getNotAfter().getTime() / 1000); + rarg.addStringValue("serialNumber", + certsToRevoke[i].getSerialNumber().toString(16)); + rarg.addStringValue("serialNumberDecimal", + certsToRevoke[i].getSerialNumber().toString()); + rarg.addStringValue("subject", + certsToRevoke[i].getSubjectDN().toString()); + rarg.addLongValue("validNotBefore", + certsToRevoke[i].getNotBefore().getTime() / 1000); + rarg.addLongValue("validNotAfter", + certsToRevoke[i].getNotAfter().getTime() / 1000); argSet.addRepeatRecord(rarg); } } else { @@ -318,7 +313,7 @@ public class RevocationServlet extends CMSServlet { } // set revocation reason, default to unspecified if not set. - int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); + int reasonCode = httpParams.getValueAsInt(REASON_CODE, 0); header.addIntegerValue("reason", reasonCode); @@ -329,11 +324,10 @@ public class RevocationServlet extends CMSServlet { form.renderOutput(out, argSet); cmsReq.setStatus(CMSRequest.SUCCESS); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", - e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); } return; @@ -342,28 +336,29 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from agent. */ - private BigInteger getCertFromAgent(IArgBlock httpParams, - X509Certificate[] certContainer) throws EBaseException { + private BigInteger getCertFromAgent( + IArgBlock httpParams, X509Certificate[] certContainer) + throws EBaseException { BigInteger serialno = null; X509Certificate cert = null; // get serial no serialno = httpParams.getValueAsBigInteger(SERIAL_NO, null); if (serialno == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_SERIALNO_FOR_REVOKE")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); + CMS.getUserMessage("CMS_GW_MISSING_SERIALNO_FOR_REVOKE")); } // get cert from db if we're cert authority. if (mAuthority instanceof ICertificateAuthority) { cert = getX509Certificate(serialno); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } } certContainer[0] = cert; @@ -373,21 +368,23 @@ public class RevocationServlet extends CMSServlet { /** * get cert to revoke from auth manager */ - private BigInteger getCertFromAuthMgr(IAuthToken authToken, - X509Certificate[] certContainer) throws EBaseException { - X509CertImpl cert = authToken.getInCert(AuthToken.TOKEN_CERT); + private BigInteger getCertFromAuthMgr( + IAuthToken authToken, X509Certificate[] certContainer) + throws EBaseException { + X509CertImpl cert = + authToken.getInCert(AuthToken.TOKEN_CERT); if (cert == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSGW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); + CMS.getUserMessage("CMS_GW_MISSING_CERTS_REVOKE_FROM_AUTHMGR")); } - if (mAuthority instanceof ICertificateAuthority && !isCertFromCA(cert)) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); + if (mAuthority instanceof ICertificateAuthority && + !isCertFromCA(cert)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_CERT_FOR_REVOCATION")); throw new ECMSGWException( - CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); + CMS.getUserMessage("CMS_GW_INVALID_CERT_FOR_REVOCATION")); } certContainer[0] = cert; BigInteger serialno = ((X509Certificate) cert).getSerialNumber(); @@ -396,3 +393,4 @@ public class RevocationServlet extends CMSServlet { } } + |