summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java705
1 files changed, 329 insertions, 376 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index ad48d18d..0681baca 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
@@ -72,12 +72,10 @@ import com.netscape.certsrv.request.RequestStatus;
import com.netscape.cms.servlet.base.CMSServlet;
import com.netscape.cms.servlet.common.CMSRequest;
-
/**
- * Connector servlet
- * process requests from remote authority -
- * service request or return status.
- *
+ * Connector servlet process requests from remote authority - service request or
+ * return status.
+ *
* @version $Revision$, $Date$
*/
public class ConnectorServlet extends CMSServlet {
@@ -95,14 +93,10 @@ public class ConnectorServlet extends CMSServlet {
protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
- private final static String SIGNED_AUDIT_PROTECTION_METHOD_UNKNOWN =
- "unknown";
- private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS =
- "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
- private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
- "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+ private final static String SIGNED_AUDIT_PROTECTION_METHOD_UNKNOWN = "unknown";
+ private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS = "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
+ private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+ private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
private final static byte EOL[] = { Character.LINE_SEPARATOR };
@@ -115,22 +109,19 @@ public class ConnectorServlet extends CMSServlet {
String authority = sc.getInitParameter(PROP_AUTHORITY);
if (authority != null)
- mAuthority = (IAuthority)
- CMS.getSubsystem(authority);
+ mAuthority = (IAuthority) CMS.getSubsystem(authority);
mReqEncoder = CMS.getHttpRequestEncoder();
-
+
mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
}
- public void service(HttpServletRequest request,
- HttpServletResponse response)
- throws ServletException, IOException {
+ public void service(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
boolean running_state = CMS.isInRunningState();
if (!running_state)
- throw new IOException(
- "CMS server is not ready to serve.");
+ throw new IOException("CMS server is not ready to serve.");
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
@@ -163,14 +154,14 @@ public class ConnectorServlet extends CMSServlet {
IRequest r = null;
IRequest reply = null;
- // NOTE must read all bufer before redoing handshake for
+ // NOTE must read all bufer before redoing handshake for
// ssl client auth for client auth to work.
// get request method
- method = req.getMethod();
+ method = req.getMethod();
// get content length
- len = request.getContentLength();
+ len = request.getContentLength();
// get content, a base 64 encoded serialized request.
if (len > 0) {
@@ -191,16 +182,16 @@ public class ConnectorServlet extends CMSServlet {
}
// force client auth handshake, validate RA and get RA's Id.
- // NOTE must do this after all contents are read for ssl
- // redohandshake to work
+ // NOTE must do this after all contents are read for ssl
+ // redohandshake to work
X509Certificate peerCert;
try {
peerCert = getPeerCert(req);
- }catch (EBaseException e) {
- mAuthority.log(ILogger.LL_SECURITY,
- CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT"));
+ } catch (EBaseException e) {
+ mAuthority.log(ILogger.LL_SECURITY,
+ CMS.getLogMessage("CMSGW_HAS_NO_CLIENT_CERT"));
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
@@ -211,7 +202,7 @@ public class ConnectorServlet extends CMSServlet {
return;
}
- // authenticate RA
+ // authenticate RA
String RA_Id = null;
String raUserId = null;
@@ -231,15 +222,15 @@ public class ConnectorServlet extends CMSServlet {
return;
}
- mAuthority.log(ILogger.LL_INFO,
- "Remote Authority authenticated: " + peerCert.getSubjectDN());
+ mAuthority.log(ILogger.LL_INFO, "Remote Authority authenticated: "
+ + peerCert.getSubjectDN());
// authorize
AuthzToken authzToken = null;
try {
- authzToken = authorize(mAclMethod, token,
- mAuthzResourceName, "submit");
+ authzToken = authorize(mAclMethod, token, mAuthzResourceName,
+ "submit");
} catch (Exception e) {
// do nothing for now
}
@@ -265,20 +256,24 @@ public class ConnectorServlet extends CMSServlet {
try {
// decode request.
msg = (IPKIMessage) mReqEncoder.decode(encodedreq);
- // process request
+ // process request
replymsg = processRequest(RA_Id, raUserId, msg, token);
} catch (IOException e) {
CMS.debug("ConnectorServlet: service " + e.toString());
CMS.debug(e);
- mAuthority.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+ mAuthority.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST",
+ e.toString()));
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
} catch (EBaseException e) {
CMS.debug("ConnectorServlet: service " + e.toString());
CMS.debug(e);
- mAuthority.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST", e.toString()));
+ mAuthority.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSGW_IO_ERROR_REMOTE_REQUEST",
+ e.toString()));
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return;
} catch (Exception e) {
@@ -288,7 +283,7 @@ public class ConnectorServlet extends CMSServlet {
CMS.debug("ConnectorServlet: done processRequest");
- // encode reply
+ // encode reply
try {
String encodedrep = mReqEncoder.encode(replymsg);
@@ -326,10 +321,12 @@ public class ConnectorServlet extends CMSServlet {
ByteArrayOutputStream byteStream;
try {
- info = request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+ info = request
+ .getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
- // request.set(IEnrollProfile.REQUEST_SEQ_NUM, new Integer("0"));
- CertificateX509Key certKey = (CertificateX509Key)info.get(X509CertInfo.KEY);
+ // request.set(IEnrollProfile.REQUEST_SEQ_NUM, new Integer("0"));
+ CertificateX509Key certKey = (CertificateX509Key) info
+ .get(X509CertInfo.KEY);
if (certKey != null) {
byteStream = new ByteArrayOutputStream();
certKey.encode(byteStream);
@@ -337,15 +334,15 @@ public class ConnectorServlet extends CMSServlet {
byteStream.toByteArray());
}
- CertificateSubjectName certSubject = (CertificateSubjectName)
- info.get(X509CertInfo.SUBJECT);
+ CertificateSubjectName certSubject = (CertificateSubjectName) info
+ .get(X509CertInfo.SUBJECT);
if (certSubject != null) {
request.setExtData(IEnrollProfile.REQUEST_SUBJECT_NAME,
certSubject);
}
- CertificateValidity certValidity = (CertificateValidity)
- info.get(X509CertInfo.VALIDITY);
+ CertificateValidity certValidity = (CertificateValidity) info
+ .get(X509CertInfo.VALIDITY);
if (certValidity != null) {
byteStream = new ByteArrayOutputStream();
certValidity.encode(byteStream);
@@ -353,15 +350,15 @@ public class ConnectorServlet extends CMSServlet {
byteStream.toByteArray());
}
- CertificateExtensions extensions = (CertificateExtensions)
- info.get(X509CertInfo.EXTENSIONS);
+ CertificateExtensions extensions = (CertificateExtensions) info
+ .get(X509CertInfo.EXTENSIONS);
if (extensions != null) {
request.setExtData(IEnrollProfile.REQUEST_EXTENSIONS,
extensions);
}
- CertificateAlgorithmId certAlg = (CertificateAlgorithmId)
- info.get(X509CertInfo.ALGORITHM_ID);
+ CertificateAlgorithmId certAlg = (CertificateAlgorithmId) info
+ .get(X509CertInfo.ALGORITHM_ID);
if (certAlg != null) {
ByteArrayOutputStream certAlgOut = new ByteArrayOutputStream();
certAlg.encode(certAlgOut);
@@ -369,16 +366,14 @@ public class ConnectorServlet extends CMSServlet {
certAlgOut.toByteArray());
}
} catch (Exception e) {
- CMS.debug("ConnectorServlet: profile normalization " +
- e.toString());
+ CMS.debug("ConnectorServlet: profile normalization " + e.toString());
}
String profileId = request.getExtDataInString("profileId");
- IProfileSubsystem ps = (IProfileSubsystem)
- CMS.getSubsystem("profile");
+ IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem("profile");
IEnrollProfile profile = null;
- // profile subsystem may not be available. In case of KRA for
+ // profile subsystem may not be available. In case of KRA for
// example
if (ps == null) {
CMS.debug("ConnectorServlet: Profile Subsystem not found ");
@@ -388,7 +383,8 @@ public class ConnectorServlet extends CMSServlet {
profile = (IEnrollProfile) (ps.getProfile(profileId));
profile.setDefaultCertInfo(request);
} catch (EProfileException e) {
- CMS.debug("ConnectorServlet: normalizeProfileRequest Exception: " + e.toString());
+ CMS.debug("ConnectorServlet: normalizeProfileRequest Exception: "
+ + e.toString());
}
if (profile == null) {
CMS.debug("ConnectorServlet: Profile not found " + profileId);
@@ -399,15 +395,15 @@ public class ConnectorServlet extends CMSServlet {
/**
* Process request
* <P>
- *
+ *
* (Certificate Request - all "agent" profile cert requests made through a
- * connector)
+ * connector)
* <P>
- *
- * (Certificate Request Processed - all automated "agent" profile based
- * cert acceptance made through a connector)
+ *
+ * (Certificate Request Processed - all automated "agent" profile based cert
+ * acceptance made through a connector)
* <P>
- *
+ *
* <ul>
* <li>signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST used when a
* profile cert request is made (before approval process)
@@ -417,6 +413,7 @@ public class ConnectorServlet extends CMSServlet {
* inter-CIMC_Boundary data transfer is successful (this is used when data
* does not need to be captured)
* </ul>
+ *
* @param source string containing source
* @param sourceUserId string containing source user ID
* @param msg PKI message
@@ -424,9 +421,8 @@ public class ConnectorServlet extends CMSServlet {
* @exception EBaseException an error has occurred
* @return PKI message
*/
- protected IPKIMessage processRequest(
- String source, String sourceUserId, IPKIMessage msg, IAuthToken token)
- throws EBaseException {
+ protected IPKIMessage processRequest(String source, String sourceUserId,
+ IPKIMessage msg, IAuthToken token) throws EBaseException {
String auditMessage = null;
String auditSubjectID = sourceUserId;
String auditProtectionMethod = SIGNED_AUDIT_PROTECTION_METHOD_SSL;
@@ -476,50 +472,45 @@ public class ConnectorServlet extends CMSServlet {
thisreq = queue.findRequest(thisreqid);
if (thisreq == null) {
// strange case.
- String errormsg = "Cannot find request in request queue " +
- thisreqid;
+ String errormsg = "Cannot find request in request queue "
+ + thisreqid;
- mAuthority.log(ILogger.LL_FAILURE,
- CMS.getLogMessage(
+ mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage(
"CMSGW_REQUEST_ID_NOT_FOUND_1",
thisreqid.toString()));
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.FAILURE,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.FAILURE,
+ auditProtectionMethod, auditRequestType,
+ auditRequesterID);
audit(auditMessage);
- // NOTE: The signed audit event
- // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
- // does not yet matter at this point!
+ // NOTE: The signed audit event
+ // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+ // does not yet matter at this point!
throw new EBaseException(errormsg);
} else {
- mAuthority.log(ILogger.LL_INFO,
- "Found request " + thisreqid + " for " + srcid);
+ mAuthority.log(ILogger.LL_INFO, "Found request "
+ + thisreqid + " for " + srcid);
replymsg = CMS.getHttpPKIMessage();
replymsg.fromRequest(thisreq);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.SUCCESS,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.SUCCESS,
+ auditProtectionMethod, auditRequestType,
+ auditRequesterID);
audit(auditMessage);
- // NOTE: The signed audit event
- // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
- // does not yet matter at this point!
+ // NOTE: The signed audit event
+ // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+ // does not yet matter at this point!
return replymsg;
}
@@ -527,77 +518,67 @@ public class ConnectorServlet extends CMSServlet {
// if not found process request.
thisreq = queue.newRequest(msg.getReqType());
- CMS.debug("ConnectorServlet: created requestId=" +
- thisreq.getRequestId().toString());
+ CMS.debug("ConnectorServlet: created requestId="
+ + thisreq.getRequestId().toString());
thisreq.setSourceId(srcid);
- // NOTE: For the following signed audit message, since we only
- // care about the "msg.toRequest( thisreq );" command, and
- // since this command does not throw an EBaseException
- // (which is the only exception designated by this method),
- // then this code does NOT need to be contained within its
- // own special try/catch block.
- msg.toRequest( thisreq );
+ // NOTE: For the following signed audit message, since we only
+ // care about the "msg.toRequest( thisreq );" command, and
+ // since this command does not throw an EBaseException
+ // (which is the only exception designated by this method),
+ // then this code does NOT need to be contained within its
+ // own special try/catch block.
+ msg.toRequest(thisreq);
- if( isProfileRequest( thisreq ) ) {
- X509CertInfo info =
- thisreq.getExtDataInCertInfo(
- IEnrollProfile.REQUEST_CERTINFO );
+ if (isProfileRequest(thisreq)) {
+ X509CertInfo info = thisreq
+ .getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
try {
- CertificateSubjectName sn = ( CertificateSubjectName )
- info.get( X509CertInfo.SUBJECT );
+ CertificateSubjectName sn = (CertificateSubjectName) info
+ .get(X509CertInfo.SUBJECT);
// if the cert subject name is NOT MISSING, retrieve the
// actual "auditCertificateSubjectName" and "normalize"
// it
- if( sn != null ) {
+ if (sn != null) {
subject = sn.toString();
- if( subject != null ) {
- // NOTE: This is ok even if the cert subject
- // name is "" (empty)!
+ if (subject != null) {
+ // NOTE: This is ok even if the cert subject
+ // name is "" (empty)!
auditCertificateSubjectName = subject.trim();
}
}
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRequesterID,
- auditProfileID(),
- auditCertificateSubjectName );
-
- audit( auditMessage );
- } catch( CertificateException e ) {
- CMS.debug( "ConnectorServlet: processRequest "
- + e.toString() );
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID, ILogger.SUCCESS, auditRequesterID,
+ auditProfileID(), auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } catch (CertificateException e) {
+ CMS.debug("ConnectorServlet: processRequest "
+ + e.toString());
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
- auditProfileID(),
- auditCertificateSubjectName );
-
- audit( auditMessage );
- } catch( IOException e ) {
- CMS.debug( "ConnectorServlet: processRequest "
- + e.toString() );
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
+ auditProfileID(), auditCertificateSubjectName);
+
+ audit(auditMessage);
+ } catch (IOException e) {
+ CMS.debug("ConnectorServlet: processRequest "
+ + e.toString());
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
- auditProfileID(),
- auditCertificateSubjectName );
-
- audit( auditMessage );
+ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
+ auditProfileID(), auditCertificateSubjectName);
+
+ audit(auditMessage);
}
}
@@ -605,10 +586,9 @@ public class ConnectorServlet extends CMSServlet {
// setting requestor type must come after copy contents. because
// requestor is a regular attribute.
- thisreq.setExtData(IRequest.REQUESTOR_TYPE,
- IRequest.REQUESTOR_RA);
- mAuthority.log(ILogger.LL_INFO, "Processing remote request " +
- srcid);
+ thisreq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_RA);
+ mAuthority.log(ILogger.LL_INFO, "Processing remote request "
+ + srcid);
// Set this so that request's updateBy is recorded
SessionContext s = SessionContext.getContext();
@@ -621,53 +601,53 @@ public class ConnectorServlet extends CMSServlet {
s.put(SessionContext.REQUESTER_ID, msg.getReqId());
}
- CMS.debug("ConnectorServlet: calling processRequest instance=" +
- thisreq);
+ CMS.debug("ConnectorServlet: calling processRequest instance="
+ + thisreq);
if (isProfileRequest(thisreq)) {
normalizeProfileRequest(thisreq);
}
try {
- queue.processRequest( thisreq );
+ queue.processRequest(thisreq);
- if( isProfileRequest( thisreq ) ) {
+ if (isProfileRequest(thisreq)) {
// reset the "auditInfoCertValue"
- auditInfoCertValue = auditInfoCertValue( thisreq );
+ auditInfoCertValue = auditInfoCertValue(thisreq);
- if( auditInfoCertValue != null ) {
- if( !( auditInfoCertValue.equals(
- ILogger.SIGNED_AUDIT_EMPTY_VALUE ) ) ) {
+ if (auditInfoCertValue != null) {
+ if (!(auditInfoCertValue
+ .equals(ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRequesterID,
- ILogger.SIGNED_AUDIT_ACCEPTANCE,
- auditInfoCertValue );
-
- audit( auditMessage );
+ auditMessage = CMS
+ .getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.SUCCESS,
+ auditRequesterID,
+ ILogger.SIGNED_AUDIT_ACCEPTANCE,
+ auditInfoCertValue);
+
+ audit(auditMessage);
}
}
}
- } catch( EBaseException eAudit1 ) {
- if( isProfileRequest( thisreq ) ) {
+ } catch (EBaseException eAudit1) {
+ if (isProfileRequest(thisreq)) {
// reset the "auditInfoCertValue"
- auditInfoCertValue = auditInfoCertValue( thisreq );
+ auditInfoCertValue = auditInfoCertValue(thisreq);
- if( auditInfoCertValue != null ) {
- if( !( auditInfoCertValue.equals(
- ILogger.SIGNED_AUDIT_EMPTY_VALUE ) ) ) {
+ if (auditInfoCertValue != null) {
+ if (!(auditInfoCertValue
+ .equals(ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
- ILogger.SIGNED_AUDIT_ACCEPTANCE,
- auditInfoCertValue );
-
- audit( auditMessage );
+ auditMessage = CMS
+ .getLogMessage(
+ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE,
+ auditRequesterID,
+ ILogger.SIGNED_AUDIT_ACCEPTANCE,
+ auditInfoCertValue);
+
+ audit(auditMessage);
}
}
}
@@ -680,158 +660,146 @@ public class ConnectorServlet extends CMSServlet {
replymsg = CMS.getHttpPKIMessage();
replymsg.fromRequest(thisreq);
- CMS.debug("ConnectorServlet: replymsg.reqStatus=" +
- replymsg.getReqStatus());
+ CMS.debug("ConnectorServlet: replymsg.reqStatus="
+ + replymsg.getReqStatus());
- //for audit log
+ // for audit log
String agentID = sourceUserId;
- String initiative = AuditFormat.FROMRA + " trustedManagerID: " +
- agentID + " remote reqID " + msg.getReqId();
+ String initiative = AuditFormat.FROMRA + " trustedManagerID: "
+ + agentID + " remote reqID " + msg.getReqId();
String authMgr = AuditFormat.NOAUTH;
if (token != null) {
- authMgr =
- token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ authMgr = token.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
}
if (isProfileRequest(thisreq)) {
// XXX audit log
- CMS.debug("ConnectorServlet: done requestId=" +
- thisreq.getRequestId().toString());
+ CMS.debug("ConnectorServlet: done requestId="
+ + thisreq.getRequestId().toString());
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.SUCCESS,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.SUCCESS, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
- // NOTE: The signed audit event
- // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
- // has already been logged at this point!
+ // NOTE: The signed audit event
+ // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+ // has already been logged at this point!
return replymsg;
}
// Get the certificate info from the request
- X509CertInfo x509Info[] = thisreq.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo x509Info[] = thisreq
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
try {
if (!thisreq.getRequestStatus().equals(RequestStatus.COMPLETE)) {
if (x509Info != null) {
for (int i = 0; i < x509Info.length; i++) {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.FORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- thisreq.getRequestStatus(),
- x509Info[i].get(X509CertInfo.SUBJECT),
- ""}
- );
+ mLogger.log(
+ ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ thisreq.getRequestType(),
+ thisreq.getRequestId(),
+ initiative,
+ authMgr,
+ thisreq.getRequestStatus(),
+ x509Info[i]
+ .get(X509CertInfo.SUBJECT),
+ "" });
}
} else {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.NODNFORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- thisreq.getRequestStatus()}
- );
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL, AuditFormat.NODNFORMAT,
+ new Object[] { thisreq.getRequestType(),
+ thisreq.getRequestId(), initiative,
+ authMgr, thisreq.getRequestStatus() });
}
} else {
- if (thisreq.getRequestType().equals(IRequest.ENROLLMENT_REQUEST)) {
+ if (thisreq.getRequestType().equals(
+ IRequest.ENROLLMENT_REQUEST)) {
// XXX make the repeat record.
// Get the certificate(s) from the request
X509CertImpl x509Certs[] = null;
if (x509Info != null)
- x509Certs =
- thisreq.getExtDataInCertArray(IRequest.ISSUED_CERTS);
+ x509Certs = thisreq
+ .getExtDataInCertArray(IRequest.ISSUED_CERTS);
- // return potentially more than one certificates.
+ // return potentially more than one certificates.
if (x509Certs != null) {
for (int i = 0; i < x509Certs.length; i++) {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.FORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- "completed",
- x509Certs[i].getSubjectDN(),
- "cert issued serial number: 0x" +
- x509Certs[i].getSerialNumber().toString(16)}
- );
+ mLogger.log(
+ ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ thisreq.getRequestType(),
+ thisreq.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ x509Certs[i].getSubjectDN(),
+ "cert issued serial number: 0x"
+ + x509Certs[i]
+ .getSerialNumber()
+ .toString(16) });
}
} else {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.NODNFORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- "completed"}
- );
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL, AuditFormat.NODNFORMAT,
+ new Object[] { thisreq.getRequestType(),
+ thisreq.getRequestId(), initiative,
+ authMgr, "completed" });
}
- } else if (thisreq.getRequestType().equals(IRequest.RENEWAL_REQUEST)) {
- X509CertImpl[] certs =
- thisreq.getExtDataInCertArray(IRequest.OLD_CERTS);
+ } else if (thisreq.getRequestType().equals(
+ IRequest.RENEWAL_REQUEST)) {
+ X509CertImpl[] certs = thisreq
+ .getExtDataInCertArray(IRequest.OLD_CERTS);
X509CertImpl old_cert = certs[0];
- certs = thisreq.getExtDataInCertArray(IRequest.ISSUED_CERTS);
+ certs = thisreq
+ .getExtDataInCertArray(IRequest.ISSUED_CERTS);
X509CertImpl renewed_cert = certs[0];
if (old_cert != null && renewed_cert != null) {
mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.RENEWALFORMAT,
- new Object[] {
- thisreq.getRequestId(),
- initiative,
- authMgr,
- "completed",
- old_cert.getSubjectDN(),
- old_cert.getSerialNumber().toString(16),
- "new serial number: 0x" +
- renewed_cert.getSerialNumber().toString(16)}
- );
+ AuditFormat.LEVEL,
+ AuditFormat.RENEWALFORMAT,
+ new Object[] {
+ thisreq.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ old_cert.getSubjectDN(),
+ old_cert.getSerialNumber()
+ .toString(16),
+ "new serial number: 0x"
+ + renewed_cert
+ .getSerialNumber()
+ .toString(16) });
} else {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.NODNFORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- "completed with error"}
- );
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL, AuditFormat.NODNFORMAT,
+ new Object[] { thisreq.getRequestType(),
+ thisreq.getRequestId(), initiative,
+ authMgr, "completed with error" });
}
- } else if (thisreq.getRequestType().equals(IRequest.REVOCATION_REQUEST)) {
- Certificate[] oldCerts =
- thisreq.getExtDataInCertArray(IRequest.OLD_CERTS);
- RevokedCertImpl crlentries[] =
- thisreq.getExtDataInRevokedCertArray(IRequest.REVOKED_CERTS);
+ } else if (thisreq.getRequestType().equals(
+ IRequest.REVOCATION_REQUEST)) {
+ Certificate[] oldCerts = thisreq
+ .getExtDataInCertArray(IRequest.OLD_CERTS);
+ RevokedCertImpl crlentries[] = thisreq
+ .getExtDataInRevokedCertArray(IRequest.REVOKED_CERTS);
CRLExtensions crlExts = crlentries[0].getExtensions();
int reason = 0;
@@ -842,18 +810,20 @@ public class ConnectorServlet extends CMSServlet {
Extension ext = (Extension) enum1.nextElement();
if (ext instanceof CRLReasonExtension) {
- reason = ((CRLReasonExtension) ext).getReason().toInt();
+ reason = ((CRLReasonExtension) ext)
+ .getReason().toInt();
break;
}
}
}
int count = oldCerts.length;
- Integer result = thisreq.getExtDataInInteger(IRequest.RESULT);
+ Integer result = thisreq
+ .getExtDataInInteger(IRequest.RESULT);
if (result.equals(IRequest.RES_ERROR)) {
- String[] svcErrors =
- thisreq.getExtDataInStringArray(IRequest.SVCERRORS);
+ String[] svcErrors = thisreq
+ .getExtDataInStringArray(IRequest.SVCERRORS);
if (svcErrors != null && svcErrors.length > 0) {
for (int i = 0; i < svcErrors.length; i++) {
@@ -865,19 +835,24 @@ public class ConnectorServlet extends CMSServlet {
if (oldCerts[j] instanceof X509CertImpl) {
X509CertImpl cert = (X509CertImpl) oldCerts[j];
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.DOREVOKEFORMAT,
- new Object[] {
- thisreq.getRequestId(),
- initiative,
- "completed with error: " +
- err,
- cert.getSubjectDN(),
- cert.getSerialNumber().toString(16),
- RevocationReason.fromInt(reason).toString()}
- );
+ mLogger.log(
+ ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.DOREVOKEFORMAT,
+ new Object[] {
+ thisreq.getRequestId(),
+ initiative,
+ "completed with error: "
+ + err,
+ cert.getSubjectDN(),
+ cert.getSerialNumber()
+ .toString(
+ 16),
+ RevocationReason
+ .fromInt(
+ reason)
+ .toString() });
}
}
}
@@ -891,44 +866,39 @@ public class ConnectorServlet extends CMSServlet {
if (oldCerts[j] instanceof X509CertImpl) {
X509CertImpl cert = (X509CertImpl) oldCerts[j];
- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.DOREVOKEFORMAT,
- new Object[] {
- thisreq.getRequestId(),
- initiative,
- "completed",
- cert.getSubjectDN(),
- cert.getSerialNumber().toString(16),
- RevocationReason.fromInt(reason).toString()}
- );
+ mLogger.log(
+ ILogger.EV_AUDIT,
+ ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ AuditFormat.DOREVOKEFORMAT,
+ new Object[] {
+ thisreq.getRequestId(),
+ initiative,
+ "completed",
+ cert.getSubjectDN(),
+ cert.getSerialNumber()
+ .toString(16),
+ RevocationReason
+ .fromInt(reason)
+ .toString() });
}
}
}
}
} else {
- mLogger.log(ILogger.EV_AUDIT,
- ILogger.S_OTHER,
- AuditFormat.LEVEL,
- AuditFormat.NODNFORMAT,
- new Object[] {
- thisreq.getRequestType(),
- thisreq.getRequestId(),
- initiative,
- authMgr,
- "completed"}
- );
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL, AuditFormat.NODNFORMAT,
+ new Object[] { thisreq.getRequestType(),
+ thisreq.getRequestId(), initiative,
+ authMgr, "completed" });
}
}
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.SUCCESS,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.SUCCESS, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
} catch (IOException e) {
@@ -936,12 +906,9 @@ public class ConnectorServlet extends CMSServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.FAILURE,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.FAILURE, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
} catch (CertificateException e) {
@@ -949,12 +916,9 @@ public class ConnectorServlet extends CMSServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.FAILURE,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.FAILURE, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
} catch (Exception e) {
@@ -962,46 +926,40 @@ public class ConnectorServlet extends CMSServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.FAILURE,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.FAILURE, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
} finally {
SessionContext.releaseContext();
}
- // NOTE: The signed audit event
- // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
- // has already been logged at this point!
+ // NOTE: The signed audit event
+ // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+ // has already been logged at this point!
return replymsg;
} catch (EBaseException e) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
- auditSubjectID,
- ILogger.FAILURE,
- auditProtectionMethod,
- auditRequestType,
- auditRequesterID);
+ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+ auditSubjectID, ILogger.FAILURE, auditProtectionMethod,
+ auditRequestType, auditRequesterID);
audit(auditMessage);
- // NOTE: The signed audit event
- // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
- // has either already been logged, or
- // does not yet matter at this point!
+ // NOTE: The signed audit event
+ // LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+ // has either already been logged, or
+ // does not yet matter at this point!
return replymsg;
}
}
- protected X509Certificate
- getPeerCert(HttpServletRequest req) throws EBaseException {
+ protected X509Certificate getPeerCert(HttpServletRequest req)
+ throws EBaseException {
return getSSLClientCertificate(req);
}
@@ -1011,11 +969,11 @@ public class ConnectorServlet extends CMSServlet {
/**
* Signed Audit Log
- *
- * This method is inherited by all extended "CMSServlet"s,
- * and is called to store messages to the signed audit log.
+ *
+ * This method is inherited by all extended "CMSServlet"s, and is called to
+ * store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
protected void audit(String msg) {
@@ -1026,21 +984,17 @@ public class ConnectorServlet extends CMSServlet {
return;
}
- mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null,
+ ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg);
}
/**
* Signed Audit Log Profile ID
- *
- * This method is inherited by all extended "EnrollProfile"s,
- * and is called to obtain the "ProfileID" for
- * a signed audit log message.
+ *
+ * This method is inherited by all extended "EnrollProfile"s, and is called
+ * to obtain the "ProfileID" for a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message ProfileID
*/
protected String auditProfileID() {
@@ -1062,11 +1016,11 @@ public class ConnectorServlet extends CMSServlet {
/**
* Signed Audit Log Info Certificate Value
- *
+ *
* This method is called to obtain the certificate from the passed in
* "X509CertImpl" for a signed audit log message.
* <P>
- *
+ *
* @param request a Request containing an X509CertImpl
* @return cert string containing the certificate
*/
@@ -1076,8 +1030,8 @@ public class ConnectorServlet extends CMSServlet {
return null;
}
- X509CertImpl x509cert = request.getExtDataInCert(
- IEnrollProfile.REQUEST_ISSUED_CERT);
+ X509CertImpl x509cert = request
+ .getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
if (x509cert == null) {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
@@ -1122,4 +1076,3 @@ public class ConnectorServlet extends CMSServlet {
}
}
}
-
generated by cgit (git 2.34.1) at 2024-05-05 20:01:56 +0000