Diffstat (limited to 'pki/base/common')
-rw-r--r--pki/base/common/src/LogMessages.properties72
-rw-r--r--pki/base/common/src/com/netscape/certsrv/base/SessionContext.java5
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java6
-rw-r--r--pki/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java62
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java68
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java3
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java4
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java68
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java99
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java3
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java70
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java20
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java28
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java322
14 files changed, 688 insertions, 142 deletions
diff --git a/pki/base/common/src/LogMessages.properties b/pki/base/common/src/LogMessages.properties
index 9866175b..fa93e832 100644
--- a/pki/base/common/src/LogMessages.properties
+++ b/pki/base/common/src/LogMessages.properties
@@ -2198,19 +2198,38 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SI
# - used for TPS to TKS to get a sessoin key for secure channel setup
# SubjectID must be the CUID of the token establishing the secure channel
# AgentID must be the trusted agent id used to make the request
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}] TKS Compute session key request
+#
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
+# - request for TPS to TKS to get a sessoin key for secure channel processed
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# Status is 0 for no error.
# IsCryptoValidate tells if the card cryptogram is to be validated
# IsServerSideKeygen tells if the keys are to be generated on server
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the number keyset ex: #01#01
+#
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={6}][KeyNickName={7}] TKS Compute session key request processed successfully
+#
#
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
# - request for TPS to TKS to get a sessoin key for secure channel processed
# SubjectID must be the CUID of the token establishing the secure channel
+# Outcome is SUCCESS or FAILURE
+# Status is error code or 0 for no error.
# AgentID must be the trusted agent id used to make the request
# status is 0 for success, non-zero for various errors
# IsCryptoValidate tells if the card cryptogram is to be validated
# IsServerSideKeygen tells if the keys are to be generated on server
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request processed
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+# Error gives the error message
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={7}][KeyNickName={7}][Error={8}] TKS Compute session key request failed
#
+
# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
# - request for TPS to TKS to do key change over
# SubjectID must be the CUID of the token requesting key change over
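Review bot: The `LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9` template uses `{7}` for both SelectedToken and KeyNickName, so the SelectedToken field will carry the key nickname and argument 6 is never emitted; it should read `[SelectedToken={6}][KeyNickName={7}]`. These are signed audit records, so a mislabeled field cannot be corrected afterwards and will confuse anyone reviewing the log. The comment typo `sessoin` (repeated in the description blocks here) and `Outocme` in the ENCRYPT_DATA failure block of the third hunk are worth fixing in the same pass.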
@@ -2218,18 +2237,33 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5=<type=COMPUTE_SESSI
# status is 0 for success, non-zero for various errors
# oldMasterKeyName is the old master key name
# newMasterKeyName is the new master key name
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][oldMasterKeyName={3}][newMasterKeyName={4}] TKS Key Change Over request
#
###########################
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
# - request for TPS to TKS to do key change over request processed
# SubjectID must be the CUID of the token requesting key change over
# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
# status is 0 for success, non-zero for various errors
# oldMasterKeyName is the old master key name
# newMasterKeyName is the new master key name
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_5=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request processed
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request processed successfully
#
+#
+###########################
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
+# - request for TPS to TKS to do key change over request processed
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+# Error gives the error message
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}][Error={6}] TKS Key Change Over request failed
+#
+
# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
# - request from TPS to TKS to encrypt data
# (or generate random data and encrypt)
@@ -2237,19 +2271,39 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_5=<type=DIVERSIFY_KEY_REQUE
# AgentID must be the trusted agent id used to make the request
# status is 0 for success, non-zero for various errors
# isRandom tells if the data is randomly generated on TKS
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
+#
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
+# - request from TPS to TKS to encrypt data
+# (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7=<type=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}] TKS encrypt data request processed successfully
+#
#
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
# - request from TPS to TKS to encrypt data
# (or generate random data and encrypt)
# SubjectID must be the CUID of the token requesting encrypt data
# AgentID must be the trusted agent id used to make the request
+# Outocme is SUCCESS or FAILURE
# status is 0 for success, non-zero for various errors
# isRandom tells if the data is randomly generated on TKS
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_4=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request processed
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+# Error gives the error message
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8=<type=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}][Error={7}] TKS encrypt data request failed
#
#
#
+
+
###########################
#Unselectable signedAudit Events
#
diff --git a/pki/base/common/src/com/netscape/certsrv/base/SessionContext.java b/pki/base/common/src/com/netscape/certsrv/base/SessionContext.java
index ddd085f2..c5494c3c 100644
--- a/pki/base/common/src/com/netscape/certsrv/base/SessionContext.java
+++ b/pki/base/common/src/com/netscape/certsrv/base/SessionContext.java
@@ -60,6 +60,11 @@ public class SessionContext extends Hashtable implements IAuthInfo {
public static final String USER_ID = "userid"; // String
/**
+ * Group ID of the authenticated user in the current thread.
+ */
+ public static final String GROUP_ID = "groupid"; //String
+
+ /**
* ID of the processing request in the current thread.
*/
public static final String REQUESTER_ID = "requesterID"; // String
diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
index 298fd43c..c807d5f8 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
@@ -192,6 +192,12 @@ public class TokenAuthentication implements IAuthManager,
authToken.set(TOKEN_UID, uid);
authToken.set(TOKEN_GID, gid);
+ if(context != null) {
+ CMS.debug("SessionContext.USER_ID " + uid + " SessionContext.GROUP_ID " + gid);
+ context.put(SessionContext.USER_ID, uid );
+ context.put(SessionContext.GROUP_ID, gid );
+ }
+
CMS.debug("TokenAuthentication: authenticated uid="+uid+", gid="+gid);
} catch (EBaseException e) {
throw e;
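Review bot: `context.put(SessionContext.GROUP_ID, gid)` throws a NullPointerException if `gid` is null, because SessionContext extends Hashtable and Hashtable rejects null keys and values; the same applies to `uid` on the line above. Whether `uid` and `gid` can be null at this point is not visible in the hunk (the enclosing try block starts outside it), so either guard both puts with null checks or make the invariant explicit with a comment such as `// uid and gid are non-null here (validated above); Hashtable.put would NPE otherwise`.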
diff --git a/pki/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/pki/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
index 4ae744e4..6a4a2b9a 100644
--- a/pki/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
+++ b/pki/base/common/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
@@ -44,11 +44,15 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
private static final String PROP_HOST = "host";
private static final String PROP_PORT = "port";
private static final String PROP_PATH = "path";
+ private static final String PROP_NICK = "nickName";
+ private static final String PROP_CLIENT_AUTH_ENABLE = "enableClientAuth";
private IConfigStore mConfig = null;
private String mHost = null;
private String mPort = null;
private String mPath = null;
+ private String mNickname = null;
+ private boolean mClientAuthEnabled = true;
private ILogger mLogger = CMS.getLogger();
/**
@@ -67,9 +71,11 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
public String[] getExtendedPluginInfo(Locale locale) {
String[] params = {
- PROP_HOST + ";string;Host of CMS's OCSP Secure EE service",
- PROP_PORT + ";string;Port of CMS's OCSP Secure EE service",
- PROP_PATH + ";string;URI of CMS's OCSP Secure EE service",
+ PROP_HOST + ";string;Host of CMS's OCSP Secure agent service",
+ PROP_PORT + ";string;Port of CMS's OCSP Secure agent service",
+ PROP_PATH + ";string;URI of CMS's OCSP Secure agent service",
+ PROP_NICK + ";string;Nickname of cert used for client authentication",
+ PROP_CLIENT_AUTH_ENABLE + ";boolean;Client Authentication enabled",
IExtendedPluginInfo.HELP_TOKEN +
";configuration-ldappublish-publisher-ocsppublisher",
IExtendedPluginInfo.HELP_TEXT +
@@ -87,6 +93,8 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
String host = "";
String port = "";
String path = "";
+ String nickname = "";
+ String clientAuthEnabled = "";
try {
host = mConfig.getString(PROP_HOST);
@@ -103,6 +111,16 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
} catch (EBaseException e) {
}
v.addElement(PROP_PATH + "=" + path);
+ try {
+ nickname = mConfig.getString(PROP_NICK);
+ } catch (EBaseException e) {
+ }
+ v.addElement(PROP_NICK + "=" + nickname);
+ try {
+ clientAuthEnabled = mConfig.getString(PROP_CLIENT_AUTH_ENABLE);
+ } catch (EBaseException e) {
+ }
+ v.addElement(PROP_CLIENT_AUTH_ENABLE + "=" + clientAuthEnabled);
return v;
}
@@ -112,9 +130,23 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
public Vector getDefaultParams() {
Vector v = new Vector();
+ IConfigStore config = CMS.getConfigStore();
+ String nickname = "";
+ // get subsystem cert nickname as default for client auth
+ try {
+ nickname = config.getString("ca.subsystem.nickname", "");
+ String tokenname = config.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ } catch (Exception e) {
+ }
+
+
v.addElement(PROP_HOST + "=");
v.addElement(PROP_PORT + "=");
- v.addElement(PROP_PATH + "=/ocsp/ee/ocsp/addCRL");
+ v.addElement(PROP_PATH + "=/ocsp/agent/ocsp/addCRL");
+ v.addElement(PROP_CLIENT_AUTH_ENABLE + "=true");
+ v.addElement(PROP_NICK + "=" + nickname);
return v;
}
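Review bot: The `catch (Exception e) { }` in getDefaultParams silently drops any failure while reading `ca.subsystem.nickname`/`ca.subsystem.tokenname`, leaving an empty default nickname whose cause is likely to surface only later as a client-authentication failure in the publisher; narrow it to the exception `getString` actually throws (the other catches in this file use `EBaseException`) and add a `CMS.debug(...)` so the cause is visible. The `ca.` prefix also hard-codes the assumption that this publisher runs inside a CA; if that is intended, extend the comment above to `// default client-auth cert: the CA's subsystem cert (this publisher only runs in a CA)`. The two string literals for the internal token name are duplicated elsewhere in this codebase, so a shared constant would be preferable.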
@@ -127,6 +159,8 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
mHost = mConfig.getString(PROP_HOST, "");
mPort = mConfig.getString(PROP_PORT, "");
mPath = mConfig.getString(PROP_PATH, "");
+ mNickname = mConfig.getString(PROP_NICK, "");
+ mClientAuthEnabled = mConfig.getBoolean(PROP_CLIENT_AUTH_ENABLE, true);
} catch (EBaseException e) {
}
}
@@ -135,7 +169,7 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
return mConfig;
}
- protected Socket Connect(String host, boolean secure)
+ protected Socket Connect(String host, boolean secure, JssSSLSocketFactory factory)
{
Socket socket = null;
StringTokenizer st = new StringTokenizer(host, " ");
@@ -146,9 +180,7 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
int p = Integer.parseInt(st1.nextToken());
try {
if (secure) {
- SSLSocket sec_socket = new SSLSocket(h, p);
- sec_socket.setUseClientMode(true);
- socket = sec_socket;
+ socket = factory.makeSocket(h, p);
} else {
socket = new Socket(h, p);
}
@@ -206,20 +238,24 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
query.append("&noui=true");
Socket socket = null;
+ JssSSLSocketFactory factory;
+
+ if (mClientAuthEnabled) {
+ factory = new JssSSLSocketFactory(mNickname);
+ } else {
+ factory = new JssSSLSocketFactory();
+ }
if (mHost != null && mHost.indexOf(' ') != -1) {
// support failover hosts configuration
// host parameter can be
// "directory.knowledge.com:1050 people.catalog.com 199.254.1.2"
do {
- socket = Connect(mHost, secure);
+ socket = Connect(mHost, secure, factory);
} while (socket == null);
} else {
if (secure) {
- SSLSocket sec_socket = new SSLSocket(host, port);
-
- sec_socket.setUseClientMode(true);
- socket = sec_socket;
+ socket = factory.makeSocket(host, port);
} else {
socket = new Socket(host, port);
}
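Review bot: The factory is built from `mNickname` without checking that it is set: `mClientAuthEnabled` defaults to true and `mNickname` to `""` in init(), so a configuration that lacks `nickName` reaches `new JssSSLSocketFactory("")`, and what that constructor does with an empty nickname is not visible here. Consider reporting the misconfiguration in init() (fail or at least log) when client auth is enabled but no nickname is configured, rather than letting it surface as an opaque TLS handshake failure. The removed code called `setUseClientMode(true)` explicitly; confirm that `JssSSLSocketFactory.makeSocket` does the same, since nothing in this hunk does. The factory is also constructed when `secure` is false, which is harmless but could move under the `if (secure)` branches.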
diff --git a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
index 0d41c40d..8c795cb5 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -1782,6 +1782,8 @@ public abstract class CMSServlet extends HttpServlet {
}
String userid = authToken.getInString(IAuthToken.USER_ID);
+ CMS.debug("CMSServlet: userid=" + userid);
+
if (userid != null) {
ctx.put(SessionContext.USER_ID, userid);
}
@@ -1806,8 +1808,7 @@ public abstract class CMSServlet extends HttpServlet {
auditSubjectID,
ILogger.FAILURE,
auditAuthMgrID,
- auditUID);
-
+ auditUID);
audit(auditMessage);
// rethrow the specific exception to be handled later
@@ -1850,9 +1851,23 @@ public abstract class CMSServlet extends HttpServlet {
throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
+ String auditGroupID = auditGroupID();
+ String auditID = auditSubjectID;
String auditACLResource = resource;
String auditOperation = operation;
+
+ SessionContext auditContext = SessionContext.getExistingContext();
+ String authManagerId = null;
+
+ if(auditContext != null) {
+ authManagerId = (String) auditContext.get(SessionContext.AUTH_MANAGER_ID);
+
+ if(authManagerId != null && authManagerId.equals("TokenAuth")) {
+ auditID = auditGroupID;
+ }
+ }
+
// "normalize" the "auditACLResource" value
if (auditACLResource != null) {
auditACLResource = auditACLResource.trim();
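Review bot: The branch `if(authManagerId != null && authManagerId.equals("TokenAuth")) { auditID = auditGroupID; }` makes the ROLE_ASSUME audit records further down report the group id instead of the user id as SubjectID for token-authenticated requests, and the hunk gives no reason; since SubjectID is the field audit reviewers use to identify the principal, add a comment stating why the group is the intended subject for TokenAuth and that `auditGroups(auditSubjectID)` deliberately still uses the uid. The literal `"TokenAuth"` should come from a constant shared with the authentication manager rather than being duplicated here. The enclosing method starts outside the hunk.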
@@ -1895,7 +1910,7 @@ public abstract class CMSServlet extends HttpServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
- auditSubjectID,
+ auditID,
ILogger.SUCCESS,
auditGroups(auditSubjectID));
@@ -1914,7 +1929,7 @@ public abstract class CMSServlet extends HttpServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
- auditSubjectID,
+ auditID,
ILogger.FAILURE,
auditGroups(auditSubjectID));
@@ -1936,7 +1951,7 @@ public abstract class CMSServlet extends HttpServlet {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
- auditSubjectID,
+ auditID,
ILogger.FAILURE,
auditGroups(auditSubjectID));
@@ -2007,15 +2022,18 @@ public abstract class CMSServlet extends HttpServlet {
return null;
}
+ CMS.debug("CMSServlet: in auditSubjectID");
String subjectID = null;
// Initialize subjectID
SessionContext auditContext = SessionContext.getExistingContext();
+ CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext);
if (auditContext != null) {
subjectID = (String)
auditContext.get(SessionContext.USER_ID);
+ CMS.debug("CMSServlet auditSubjectID: subjectID: " + subjectID);
if (subjectID != null) {
subjectID = subjectID.trim();
} else {
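Review bot: `CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext)` stringifies the whole SessionContext, which extends Hashtable, so every entry it holds is written to the debug log; the same pattern is added in auditGroupID in the next hunk. Whether the context carries anything sensitive is not visible here, but a presence flag serves the stated purpose without that risk: `CMS.debug("CMSServlet: auditSubjectID auditContext present=" + (auditContext != null));`. The enclosing method starts outside the hunk.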
@@ -2029,6 +2047,46 @@ public abstract class CMSServlet extends HttpServlet {
}
/**
+ * Signed Audit Log Group ID
+ *
+ * This method is inherited by all extended "CMSServlet"s,
+ * and is called to obtain the "gid" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ protected String auditGroupID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ CMS.debug("CMSServlet: in auditGroupID");
+ String groupID = null;
+
+ // Initialize groupID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ CMS.debug("CMSServlet: auditGroupID auditContext " + auditContext);
+ if (auditContext != null) {
+ groupID = (String)
+ auditContext.get(SessionContext.GROUP_ID);
+
+ CMS.debug("CMSServlet auditGroupID: groupID: " + groupID);
+ if (groupID != null) {
+ groupID = groupID.trim();
+ } else {
+ groupID = ILogger.NONROLEUSER;
+ }
+ } else {
+ groupID = ILogger.UNIDENTIFIED;
+ }
+
+ return groupID;
+ }
+
+ /**
* Signed Audit Groups
*
* This method is called to extract all "groups" associated
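Review bot: The Javadoc of the new auditGroupID() says `@return id string containing the signed audit log message SubjectID`, copied from auditSubjectID; it should read `@return id string containing the signed audit log message GroupID: ILogger.NONROLEUSER when the context has no group id, ILogger.UNIDENTIFIED when there is no context`, which is what the code returns. Since the fallbacks mirror auditSubjectID's, an `@see #auditSubjectID()` tag would help keep the two in sync.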
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
index d94bb4c1..129bc0bf 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
@@ -221,6 +221,9 @@ public class AdminAuthenticatePanel extends WizardPanelBase {
c1.append(".keytype,");
c1.append("cloning.");
c1.append(t1);
+ c1.append(".keyalgorithm,");
+ c1.append("cloning.");
+ c1.append(t1);
c1.append(".privkey.id,");
c1.append("cloning.");
c1.append(t1);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 8cedeb24..0e1c20d2 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
@@ -312,6 +312,8 @@ public class CertRequestPanel extends WizardPanelBase {
// get public key
String pubKeyType = config.getString(
PCERT_PREFIX + certTag + ".keytype");
+ String algorithm = config.getString(
+ PCERT_PREFIX + certTag + ".keyalgorithm");
X509Key pubk = null;
if (pubKeyType.equals("rsa")) {
pubk = getRSAX509Key(config, certTag);
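Review bot: `config.getString(PCERT_PREFIX + certTag + ".keyalgorithm")` has no default, unlike the two-argument `getString(key, default)` reads used elsewhere in this commit, so if the one-argument overload throws on a missing key (its placement inside try blocks here suggests it does) a configuration that predates `.keyalgorithm` fails at this line; the same one-argument read is added in CertUtil for `prefix + certTag + ".keyalgorithm"` in two places. Either supply a default or make sure the panel that collects the algorithm always writes the key before these readers run. The enclosing method starts outside the hunk.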
@@ -350,7 +352,7 @@ public class CertRequestPanel extends WizardPanelBase {
cert.setDN(caDN);
PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk,
- privk);
+ privk, algorithm);
CMS.debug("CertRequestPanel: created cert request");
byte[] certReqb = certReq.toByteArray();
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 258c36b6..59231208 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -128,6 +128,8 @@ public class CertUtil {
try {
String pubKeyType = config.getString(
prefix + certTag + ".keytype");
+ String algorithm = config.getString(
+ prefix + certTag + ".keyalgorithm");
if (pubKeyType.equals("rsa")) {
String pubKeyModulus = config.getString(
prefix + certTag + ".pubkey.modulus");
@@ -170,7 +172,7 @@ public class CertUtil {
PKCS10 certReq = null;
certReq = CryptoUtil.createCertificationRequest(dn, pubk,
- privk);
+ privk, algorithm);
byte[] certReqb = certReq.toByteArray();
String certReqs = CryptoUtil.base64Encode(certReqb);
@@ -250,7 +252,53 @@ public class CertUtil {
CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString());
}
}
-
+
+/**
+ * reads from the admin cert profile caAdminCert.profile and takes the first
+ * entry in the list of allowed algorithms. Users that wish a different algorithm
+ * can specify it in the profile using default.params.signingAlg
+ */
+
+ public static String getAdminProfileAlgorithm(IConfigStore config) {
+ String algorithm = "SHA1withRSA";
+ try {
+ String caSigningKeyType = config.getString("preop.cert.signing.keytype","rsa");
+ String pfile = config.getString("profile.caAdminCert.config");
+ FileInputStream fis = new FileInputStream(pfile);
+ DataInputStream in = new DataInputStream(fis);
+ BufferedReader br = new BufferedReader(new InputStreamReader(in));
+
+ String strLine;
+ while ((strLine = br.readLine()) != null) {
+ String marker2 = "default.params.signingAlg=";
+ int indx = strLine.indexOf(marker2);
+ if (indx != -1) {
+ String alg = strLine.substring(indx + marker2.length());
+ if ((alg.length() > 0) && (!alg.equals("-"))) {
+ algorithm = alg;
+ break;
+ };
+ };
+
+ String marker = "signingAlgsAllowed=";
+ indx = strLine.indexOf(marker);
+ if (indx != -1) {
+ String[] algs = strLine.substring(indx + marker.length()).split(",");
+ for (int i=0; i<algs.length; i++) {
+ if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) ||
+ (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC" ) != -1)) ) {
+ algorithm = algs[i];
+ break;
+ }
+ }
+ }
+ }
+ in.close();
+ } catch (Exception e) {
+ CMS.debug("getAdminProfleAlgorithm: exception: " + e);
+ }
+ return algorithm;
+ }
public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key,
String prefix, String certTag, String type, Context context) throws IOException {
@@ -272,10 +320,16 @@ public class CertUtil {
try {
String dn = config.getString(prefix + certTag + ".dn");
+ String keyAlgorithm = null;
Date date = new Date();
X509CertInfo info = null;
+ if (certTag.equals("admin")) {
+ keyAlgorithm = getAdminProfileAlgorithm(config);
+ } else {
+ keyAlgorithm = config.getString(prefix + certTag + ".keyalgorithm");
+ }
ca = (ICertificateAuthority) CMS.getSubsystem(
ICertificateAuthority.ID);
cr = (ICertificateRepository) ca.getCertificateRepository();
@@ -284,14 +338,14 @@ public class CertUtil {
CMS.debug("Creating local certificate... issuerdn=" + dn);
CMS.debug("Creating local certificate... dn=" + dn);
info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), dn, dn, date,
- date);
+ date, keyAlgorithm);
} else {
String issuerdn = config.getString("preop.cert.signing.dn", "");
CMS.debug("Creating local certificate... issuerdn=" + issuerdn);
CMS.debug("Creating local certificate... dn=" + dn);
info = CryptoUtil.createX509CertInfo(x509key,
- serialNo.intValue(), issuerdn, dn, date, date);
+ serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm);
}
CMS.debug("Cert Template: " + info.toString());
@@ -352,13 +406,13 @@ public class CertUtil {
String caSigningKeyType =
config.getString("preop.cert.signing.keytype","rsa");
CMS.debug("CA Signing Key type " + caSigningKeyType);
+
if (caSigningKeyType.equals("ecc")) {
CMS.debug("Signing ECC certificate");
- cert = CryptoUtil.signECCCert(caPrik, info);
+ cert = CryptoUtil.signECCCert(caPrik, info, keyAlgorithm);
} else {
CMS.debug("Signing RSA certificate");
- cert = CryptoUtil.signCert(caPrik, info,
- SignatureAlgorithm.RSASignatureWithSHA1Digest);
+ cert = CryptoUtil.signCert(caPrik, info, keyAlgorithm);
}
if (cert != null) {
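Review bot: `CryptoUtil.signCert(caPrik, info, keyAlgorithm)` now signs with the value read from `prefix + certTag + ".keyalgorithm"` (assigned in an earlier hunk of this file), a setting attached to the certificate being issued, while the key doing the signing is the CA's (`caPrik`, chosen by `preop.cert.signing.keytype`); if that config key describes the subject certificate's own key, an ECC CA issuing an RSA-keyed subsystem certificate would be handed an RSA algorithm name here. Confirm that `.keyalgorithm` is defined as the signature algorithm the CA should apply and say so in a comment at the `keyAlgorithm` assignment, or derive the signing algorithm from `caSigningKeyType` instead. The enclosing method starts outside the hunk.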
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index ae9acf9f..84361682 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -435,48 +435,7 @@ public class DonePanel extends WizardPanelBase {
context.put("errorString", "Failed to update connector information.");
return;
}
-
- // retrieve CA subsystem certificate from the CA
- IUGSubsystem system =
- (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- String id = "";
- try {
- String b64 = getCASubsystemCert();
- if (b64 != null) {
- int num = cs.getInteger("preop.subsystem.count", 0);
- id = getCAUserId();
- num++;
- cs.putInteger("preop.subsystem.count", num);
- cs.putInteger("subsystem.count", num);
- IUser user = system.createUser(id);
- user.setFullName(id);
- user.setEmail("");
- user.setPassword("");
- user.setUserType("agentType");
- user.setState("1");
- user.setPhone("");
- X509CertImpl[] certs = new X509CertImpl[1];
- certs[0] = new X509CertImpl(CMS.AtoB(b64));
- user.setX509Certificates(certs);
- system.addUser(user);
- CMS.debug("DonePanel display: successfully add the user");
- system.addUserCert(user);
- CMS.debug("DonePanel display: successfully add the user certificate");
- cs.commit(false);
- }
- } catch (Exception e) {
- }
-
- try {
- String groupName = "Trusted Managers";
- IGroup group = system.getGroupFromName(groupName);
- if (!group.isMember(id)) {
- group.addMemberName(id);
- system.modifyGroup(group);
- CMS.debug("DonePanel display: successfully added the user to the group.");
- }
- } catch (Exception e) {
- }
+ setupClientAuthUser();
} // if KRA
// import the CA certificate into the OCSP
@@ -494,6 +453,8 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
CMS.debug("DonePanel display: Failed to update OCSP information in CA.");
}
+
+ setupClientAuthUser();
}
if (!select.equals("clone")) {
@@ -565,6 +526,7 @@ public class DonePanel extends WizardPanelBase {
cs.putString("cloning." + ss + ".nickname", cs.getString("preop.cert." + ss + ".nickname", ""));
cs.putString("cloning." + ss + ".dn", cs.getString("preop.cert." + ss + ".dn", ""));
cs.putString("cloning." + ss + ".keytype", cs.getString("preop.cert." + ss + ".keytype", ""));
+ cs.putString("cloning." + ss + ".keyalgorithm", cs.getString("preop.cert." + ss + ".keyalgorithm", ""));
cs.putString("cloning." + ss + ".privkey.id", cs.getString("preop.cert." + ss + ".privkey.id", ""));
cs.putString("cloning." + ss + ".pubkey.exponent", cs.getString("preop.cert." + ss + ".pubkey.exponent", ""));
cs.putString("cloning." + ss + ".pubkey.modulus", cs.getString("preop.cert." + ss + ".pubkey.modulus", ""));
@@ -613,6 +575,54 @@ public class DonePanel extends WizardPanelBase {
context.put("csstate", "1");
}
+ private void setupClientAuthUser()
+ {
+ IConfigStore cs = CMS.getConfigStore();
+
+ // retrieve CA subsystem certificate from the CA
+ IUGSubsystem system =
+ (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ String id = "";
+ try {
+ String b64 = getCASubsystemCert();
+ if (b64 != null) {
+ int num = cs.getInteger("preop.subsystem.count", 0);
+ id = getCAUserId();
+ num++;
+ cs.putInteger("preop.subsystem.count", num);
+ cs.putInteger("subsystem.count", num);
+ IUser user = system.createUser(id);
+ user.setFullName(id);
+ user.setEmail("");
+ user.setPassword("");
+ user.setUserType("agentType");
+ user.setState("1");
+ user.setPhone("");
+ X509CertImpl[] certs = new X509CertImpl[1];
+ certs[0] = new X509CertImpl(CMS.AtoB(b64));
+ user.setX509Certificates(certs);
+ system.addUser(user);
+ CMS.debug("DonePanel display: successfully add the user");
+ system.addUserCert(user);
+ CMS.debug("DonePanel display: successfully add the user certificate");
+ cs.commit(false);
+ }
+ } catch (Exception e) {
+ }
+
+ try {
+ String groupName = "Trusted Managers";
+ IGroup group = system.getGroupFromName(groupName);
+ if (!group.isMember(id)) {
+ group.addMemberName(id);
+ system.modifyGroup(group);
+ CMS.debug("DonePanel display: successfully added the user to the group.");
+ }
+ } catch (Exception e) {
+ }
+ }
+
+
private void updateOCSPConfig(HttpServletResponse response)
throws IOException {
IConfigStore config = CMS.getConfigStore();
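Review bot: In setupClientAuthUser the second try block runs regardless of how the first ended: if `getCASubsystemCert()` returns null, `id` stays `""` and `group.addMemberName("")` may be attempted on "Trusted Managers"; if `addUser` throws after `id = getCAUserId()`, the id is added to that privileged group although no user and no certificate were created. Gate the group update on the user having been created, e.g. a `boolean userAdded` set after `system.addUserCert(user)` with `if (!userAdded) return;` before the second try, and log the swallowed exceptions with `CMS.debug` instead of `catch (Exception e) { }`. The method is now reached from both the KRA and OCSP branches of display(), so a short Javadoc should state that it creates the CA's subsystem-cert user for client-authenticated calls, and that the user-creation half is not idempotent (the count is incremented and createUser is called unconditionally) while the group half is guarded by `isMember`.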
@@ -629,8 +639,9 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
}
- String ocsphost = CMS.getEESSLHost();
- int ocspport = Integer.parseInt(CMS.getEESSLPort());
+ String ocsphost = CMS.getAgentHost();
+ int ocspport = Integer.parseInt(CMS.getAgentPort());
+ int ocspagentport = Integer.parseInt(CMS.getAgentPort());
String session_id = CMS.getConfigSDSessionId();
String content = "xmlOutput=true&sessionID="+session_id+"&ocsp_host="+ocsphost+"&ocsp_port="+ocspport;
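Review bot: `ocspagentport` on the new line is assigned from the same `CMS.getAgentPort()` as `ocspport` one line above and is not used anywhere in the hunk, so it is either dead or a sign that `ocsp_port` was meant to carry a different value than the one now sent. Either drop the line or send it explicitly, e.g. `"&ocsp_port=" + ocspagentport`, so the intent is clear. updateOCSPConfig continues past the end of the hunk, so a later use is possible but not visible here.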
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 167d9b81..475ac46d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -391,6 +391,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
c1.append(".keytype,");
c1.append("cloning.");
c1.append(t1);
+ c1.append(".keyalgorithm,");
+ c1.append("cloning.");
+ c1.append(t1);
c1.append(".privkey.id,");
c1.append("cloning.");
c1.append(t1);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 032724eb..39cc2c21 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -130,6 +130,29 @@ public class SizePanel extends WizardPanelBase {
}
context.put("select", select);
+
+ String ecclist = "";
+ try {
+ ecclist = config.getString("preop.ecc.algorithm.list", "SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC");
+ } catch (Exception e) {
+ }
+ context.put("ecclist", ecclist);
+
+ String rsalist = "";
+ try {
+ rsalist = config.getString("preop.rsa.algorithm.list", "SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA");
+ } catch (Exception e) {
+ }
+
+ context.put("rsalist", rsalist);
+
+ String subsystemType = "";
+ try {
+ subsystemType = config.getString("pkicreate.subsystem_type");
+ } catch (Exception e) {
+ }
+ context.put("subsystemtype", subsystemType);
+
try {
// same token for now
String token = config.getString(PRE_CONF_CA_TOKEN);
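Review bot: The built-in default for `preop.rsa.algorithm.list` offers `MD5withRSA` and `MD2withRSA` as selectable signing algorithms for the CA/OCSP signing certificates, and both lists lead with or include `SHA1with*`; MD2 and MD5 signatures are practically forgeable and should not be presented as choices in an installer, and the selection is later written straight into `ca.signing.defaultSigningAlgorithm`. Trim the defaults to `"SHA256withRSA,SHA384withRSA,SHA512withRSA"` and `"SHA256withEC,SHA384withEC,SHA512withEC"`; an operator who genuinely needs a legacy algorithm can still set the config key. The three empty catch blocks should at least `CMS.debug(e.toString())` so a misconfigured list is not silently replaced by an empty string.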
@@ -229,6 +252,15 @@ public class SizePanel extends WizardPanelBase {
continue;
String keytype = HttpInput.getKeyType(request, ct + "_keytype"); // rsa or ecc
+ String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm");
+
+ if (keyalgorithm == null) {
+ if (keytype != null && keytype.equals("ecc")) {
+ keyalgorithm = "SHA256withEC";
+ } else {
+ keyalgorithm = "SHA256withRSA";
+ }
+ }
String select = HttpInput.getID(request, ct + "_choice");
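Review bot: `keyalgorithm` is taken from the request with HttpInput.getString and only substituted when null; it is never checked against the list the page offered or against `keytype`, yet later hunks store it as `ca.signing.defaultSigningAlgorithm` and `ca.crl.MasterCRL.signingAlgorithm`, so a stray or mismatched value (an RSA algorithm name for an ecc key, or an empty string if getString returns "" rather than null — I cannot tell from here) becomes the CA's signing algorithm. Validate it against the configured list for the selected key type and reject anything else the same way the panel rejects other bad input. The rewritten prefix of the loop body would be:
```java
String keyalgorithm = HttpInput.getString(request, ct + "_keyalgorithm");
boolean isEcc = keytype != null && keytype.equals("ecc");
if (keyalgorithm == null || keyalgorithm.equals("")) {
    keyalgorithm = isEcc ? "SHA256withEC" : "SHA256withRSA";
}
// Only accept a value from the list the page offered for this key type.
String allowed = config.getString(
        isEcc ? "preop.ecc.algorithm.list" : "preop.rsa.algorithm.list",
        isEcc ? "SHA256withEC" : "SHA256withRSA");
if (!java.util.Arrays.asList(allowed.split(",")).contains(keyalgorithm)) {
    // ... reject the request here the way the panel handles other invalid input ...
}
// ... unchanged: select / keysize handling ...
```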
@@ -243,6 +275,8 @@ public class SizePanel extends WizardPanelBase {
config.getString(PCERT_PREFIX+ct+".keysize.size", "");
String oldkeytype =
config.getString(PCERT_PREFIX + ct + ".keytype", "");
+ String oldkeyalgorithm =
+ config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "");
if (select.equals("default")) {
// XXXrenaming these...keep for now just in case
@@ -258,6 +292,7 @@ public class SizePanel extends WizardPanelBase {
}
config.putString(PCERT_PREFIX + ct + ".keytype", keytype);
+ config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm);
config.putString(PCERT_PREFIX + ct + ".keysize.select",
"default");
if (keytype != null && keytype.equals("ecc")) {
@@ -282,6 +317,7 @@ public class SizePanel extends WizardPanelBase {
HttpInput.getKeySize(request, ct + "_custom_size", keytype));
config.putString(PCERT_PREFIX + ct + ".keytype", keytype);
+ config.putString(PCERT_PREFIX + ct + ".keyalgorithm", keyalgorithm);
config.putString(PCERT_PREFIX + ct + ".keysize.select",
"custom");
config.putString(PCERT_PREFIX + ct + ".keysize.custom_size",
@@ -297,8 +333,11 @@ public class SizePanel extends WizardPanelBase {
config.getString(PCERT_PREFIX+ct+".keysize.size", "");
String newkeytype =
config.getString(PCERT_PREFIX + ct + ".keytype", "");
+ String newkeyalgorithm =
+ config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "");
if (!oldkeysize.equals(newkeysize) ||
- !oldkeytype.equals(newkeytype))
+ !oldkeytype.equals(newkeytype) ||
+ !oldkeyalgorithm.equals(newkeyalgorithm))
hasChanged = true;
}// while
@@ -342,9 +381,10 @@ public class SizePanel extends WizardPanelBase {
try {
String keytype = config.getString(PCERT_PREFIX + ct + ".keytype");
+ String keyalgorithm = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
int keysize = config.getInteger(
PCERT_PREFIX + ct + ".keysize.size");
-
+
if (keytype.equals("rsa")) {
createRSAKeyPair(token, keysize, config, ct);
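Review bot: The new local `keyalgorithm` read at the top of this try block is not used by anything visible in the hunk — `createRSAKeyPair` still takes only token, keysize, config and ct, and the later hunks re-read `.keyalgorithm` from the config store inside the key-pair helpers. Unless it is consumed further down in the same method (not visible here), drop the line; a one-argument `config.getString` presumably throws when the key is absent, which would turn a missing algorithm into a failure of the whole key-generation loop for no benefit.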
@@ -442,6 +482,12 @@ public class SizePanel extends WizardPanelBase {
config.putString(PCERT_PREFIX + ct + ".pubkey.encoded",
CryptoUtil.byte2string(encoded));
+ String keyAlgo = "";
+ try {
+ keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
+ } catch (Exception e1) {
+ }
+
// set default signing algorithm for CA
String systemType = "";
try {
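Review bot: `keyAlgo` is initialised to `""` and the catch block is empty, so if `preop.cert.<ct>.keyalgorithm` is missing the later hunk writes an empty string into `ocsp.signing.defaultSigningAlgorithm`, `ca.signing.defaultSigningAlgorithm` and `ca.crl.MasterCRL.signingAlgorithm`, where the old code at least wrote a usable literal. Judging by the replaced `"SHA1withEC"` values this is the ECC branch, so read it with a real fallback: `keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "SHA256withEC");` and log the exception in the catch instead of ignoring it. The method continues outside the hunk.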
@@ -452,20 +498,20 @@ public class SizePanel extends WizardPanelBase {
if (systemType.equals("OCSP")) {
if (ct.equals("signing")) {
config.putString("ocsp.signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
}
if (systemType.equals("CA")) {
if (ct.equals("signing")) {
config.putString("ca.signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
config.putString("ca.crl.MasterCRL.signingAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
if (ct.equals("ocsp_signing")) {
config.putString("ca.ocsp_signing.defaultSigningAlgorithm",
- "SHA1withEC");
+ keyAlgo);
}
}
@@ -498,15 +544,21 @@ public class SizePanel extends WizardPanelBase {
config.putString(PCERT_PREFIX + ct + ".pubkey.exponent",
CryptoUtil.byte2string(exponent));
+ String keyAlgo = "";
+ try {
+ keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm");
+ } catch (Exception e1) {
+ }
+
if (ct.equals("signing")) {
config.putString("ca.signing.defaultSigningAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
config.putString("ca.crl.MasterCRL.signingAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
}
if (ct.equals("ocsp_signing")) {
config.putString("ca.ocsp_signing.defaultSigningAlgorithm",
- "SHA1withRSA");
+ keyAlgo);
}
}
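Review bot: Same issue as the ECC branch: `keyAlgo` defaults to `""` with a silent catch, and that empty value is then stored as the CA, CRL and OCSP signing algorithm in place of the former `"SHA1withRSA"` literals. Use `keyAlgo = config.getString(PCERT_PREFIX + ct + ".keyalgorithm", "SHA256withRSA");` and `CMS.debug("SizePanel: keyalgorithm missing: " + e1.toString());` in the catch so a broken configuration is visible rather than producing an unsignable CA.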
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
index f105ea95..b2b8b5d2 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateOCSPConfig.java
@@ -99,18 +99,34 @@ public class UpdateOCSPConfig extends CMSServlet {
return;
}
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = "";
+
+ // get nickname
+ try {
+ nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ } catch (Exception e) {
+ }
+
+ CMS.debug("UpdateOCSPConfig process: nickname="+nickname);
+
String ocsphost = httpReq.getParameter("ocsp_host");
String ocspport = httpReq.getParameter("ocsp_port");
try {
- IConfigStore cs = CMS.getConfigStore();
cs.putString("ca.publish.enable", "true");
cs.putString("ca.publish.publisher.instance.OCSPPublisher.host",
ocsphost);
cs.putString("ca.publish.publisher.instance.OCSPPublisher.port",
ocspport);
+ cs.putString("ca.publish.publisher.instance.OCSPPublisher.nickName",
+ nickname);
cs.putString("ca.publish.publisher.instance.OCSPPublisher.path",
- "/ocsp/ee/ocsp/addCRL");
+ "/ocsp/agent/ocsp/addCRL");
cs.putString("ca.publish.publisher.instance.OCSPPublisher.pluginName", "OCSPPublisher");
+ cs.putString("ca.publish.publisher.instance.OCSPPublisher.enableClientAuth", "true");
cs.putString("ca.publish.rule.instance.ocsprule.enable", "true");
cs.putString("ca.publish.rule.instance.ocsprule.mapper", "NoMap");
cs.putString("ca.publish.rule.instance.ocsprule.pluginName", "Rule");
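Review bot: `nickname` stays `""` when `ca.subsystem.nickname` is unset or the lookup throws (the catch is empty), yet the code still writes `enableClientAuth=true` and the agent-side `/ocsp/agent/ocsp/addCRL` path, so the publisher is configured to do client-auth TLS with no certificate and every CRL publish will fail later with no hint here. Check the value before committing the publisher config, e.g. `if (nickname.equals("")) { CMS.debug("UpdateOCSPConfig: ca.subsystem.nickname not set"); }` and either return an error to the caller or skip enabling client auth. The token-name comparison also treats only `"internal"` and `"Internal Key Storage Token"` as the software token, which is presumably the project convention but worth a comment. `ocsp_host`/`ocsp_port` are unchanged lines, but they are still stored unvalidated.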
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 6e99f0ba..533667ef 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -30,6 +30,7 @@ import com.netscape.certsrv.template.*;
import com.netscape.certsrv.profile.*;
import com.netscape.certsrv.request.*;
import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.authorization.*;
import com.netscape.certsrv.logging.*;
import com.netscape.cms.servlet.common.*;
import com.netscape.cms.servlet.common.AuthCredentials;
@@ -395,6 +396,33 @@ profile, IRequest req) {
e.toString());
return;
}
+
+ //authorization only makes sense when request is authenticated
+ AuthzToken authzToken = null;
+ if (authToken != null) {
+ CMS.debug("ProfileSubmitCMCServlet authToken not null");
+ try {
+ authzToken = authorize(mAclMethod, authToken,
+ mAuthzResourceName, "submit");
+ } catch (Exception e) {
+ CMS.debug("ProfileSubmitCMCServlet authorization failure: "+e.toString());
+ }
+ }
+
+ if (authzToken == null) {
+ CMS.debug("ProfileSubmitCMCServlet authorization failure: authzToken is null");
+ CMCOutputTemplate template = new CMCOutputTemplate();
+ SEQUENCE seq = new SEQUENCE();
+ seq.addElement(new INTEGER(0));
+ UTF8String s = null;
+ try {
+ s = new UTF8String("ProfileSubmitCMCServlet authorization failure");
+ } catch (Exception ee) {
+ }
+ template.createFullResponseWithFailedStatus(response, seq,
+ OtherInfo.BAD_REQUEST, s);
+ return;
+ }
}
IRequest reqs[] = null;
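Review bot: The comment says authorization only applies when the request is authenticated, but the `if (authzToken == null)` check that follows rejects the request whenever `authToken` is null as well, so within this block an unauthenticated submission is now refused; either that is intended and the comment should say so (`// unauthenticated requests cannot be authorized and are rejected below`) or the null-token case needs its own branch. The failure is reported only through CMS.debug and as `OtherInfo.BAD_REQUEST`; if the servlet base class has a signed-audit event for authorization failures (not visible here), it should be emitted in this path too, since a denied CMC submit is exactly what auditors look for. The enclosing method starts and ends outside the hunk.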
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index d4f3d1de..25059cac 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -75,13 +75,41 @@ public class TokenServlet extends CMSServlet {
private final static String
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5";
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3";
- private final static String
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5";
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7";
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8";
+
/**
* Constructs tks servlet.
*/
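Review bot: The numeric suffix on each of these constants has to agree with the number of `{n}` placeholders in the matching LogMessages.properties entry, and every CMS.getLogMessage call in the later hunks does pass the matching count (3, 8, 9, 5, 6, 7, 4, 7, 8), but nothing says so at the declaration. A one-line comment above the group, such as `// the _N suffix is the placeholder count of the LogMessages.properties entry; keep in sync with the audit() calls below`, would stop the next edit from silently producing malformed audit records.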
@@ -209,7 +237,10 @@ public class TokenServlet extends CMSServlet {
byte[] xcard_challenge, xhost_challenge;
byte[] enc_session_key, xkeyInfo;
String auditMessage = null;
-
+ String errorMsg = "";
+ String badParams = "";
+
+ String rCUID = req.getParameter("CUID");
String keySet = req.getParameter("keySet");
if (keySet == null || keySet.equals("")) {
keySet = "defKeySet";
@@ -231,6 +262,22 @@ public class TokenServlet extends CMSServlet {
enc_session_key = null;
// kek_session_key = null;
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId);
+
+ audit(auditMessage);
+
String kek_wrapped_desKeyString = null;
String keycheck_s = null;
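Review bot: The COMPUTE_SESSION_KEY_REQUEST audit record is written with the raw `rCUID` request parameter before it has been SpecialDecode'd or length-checked, and with `Outcome=SUCCESS` fixed, so an absent CUID is audited as "null" and an arbitrary-length string from the (authenticated) TPS goes straight into the signed audit log's SubjectID field. Since the header comment for this event requires SubjectID to be the token's CUID, either emit this record after the `xCUID.length != 10` validation or log a sanitized/bounded form, and consider `missingParam ? ILogger.FAILURE : ILogger.SUCCESS` rather than an unconditional SUCCESS. The method continues outside the hunk.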
@@ -255,32 +302,27 @@ public class TokenServlet extends CMSServlet {
String rcard_challenge = req.getParameter("card_challenge");
String rhost_challenge = req.getParameter("host_challenge");
String rKeyInfo = req.getParameter("KeyInfo");
- String rCUID = req.getParameter("CUID");
String rcard_cryptogram = req.getParameter("card_cryptogram");
if ((rCUID == null) || (rCUID.equals(""))) {
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
+ badParams += " CUID,";
missingParam = true;
}
- SessionContext sContext = SessionContext.getContext();
-
- String agentId="";
- if (sContext != null) {
- agentId =
- (String) sContext.get(SessionContext.USER_ID);
- }
-
if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+ badParams += " card_challenge,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
missingParam = true;
}
if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+ badParams += " host_challenge,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge");
missingParam = true;
}
if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
missingParam = true;
}
@@ -291,38 +333,34 @@ public class TokenServlet extends CMSServlet {
boolean sameCardCrypto = true;
if (!missingParam) {
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
- rCUID,
- ILogger.SUCCESS,
- agentId,
- isCryptoValidate? "true":"false",
- serversideKeygen? "true":"false");
-
- audit(auditMessage);
- xCUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
missingParam = true;
}
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
if (xkeyInfo == null || xkeyInfo.length != 2) {
- CMS.debug("TokenServlet: Invalid key info length");
+ badParams += " KeyInfo length,";
+ CMS.debug("TokenServlet: Invalid key info length.");
missingParam = true;
}
xcard_challenge =
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
if (xcard_challenge == null || xcard_challenge.length != 8) {
- CMS.debug("TokenServlet: Invalid card challenge length");
+ badParams += " card_challenge length,";
+ CMS.debug("TokenServlet: Invalid card challenge length.");
missingParam = true;
}
xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
if (xhost_challenge == null || xhost_challenge.length != 8) {
+ badParams += " host_challenge length,";
CMS.debug("TokenServlet: Invalid host challenge length");
missingParam = true;
}
+
}
CUID = null;
@@ -565,42 +603,73 @@ public class TokenServlet extends CMSServlet {
if (session_key != null && session_key.length > 0) {
outputString =
com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
- } else
+ } else {
+
status = "1";
+ }
if (enc_session_key != null && enc_session_key.length > 0) {
encSessionKeyString =
com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
- } else
+ } else {
status = "1";
+ }
+
if (serversideKeygen == true) {
if ( drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
drm_trans_wrapped_desKeyString =
com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
- else
+ else {
status = "1";
+ }
}
+
if (host_cryptogram != null && host_cryptogram.length > 0) {
cryptogram =
com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
- } else
+ } else {
status = "2";
+ }
- if (selectedToken == null || keyNickName == null)
+ if (selectedToken == null || keyNickName == null) {
status = "4";
+ }
- if (!sameCardCrypto)
+ if (!sameCardCrypto) {
status = "3";
+ }
- if (missingParam)
+ if (missingParam) {
status = "3";
-
- if (!status.equals("0"))
+ }
+
+ if (!status.equals("0")) {
+
+
+ if(status.equals("1")) {
+ errorMsg = "Problem generating session key info.";
+ }
+
+ if(status.equals("2")) {
+ errorMsg = "Problem creating host_cryptogram.";
+ }
+
+ if(status.equals("4")) {
+ errorMsg = "Problem obtaining token information.";
+ }
+
+ if(status.equals("3")) {
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters :" + badParams;
+ }
+
value = "status="+status;
+ }
else {
-
if (serversideKeygen == true) {
StringBuffer sb = new StringBuffer();
sb.append("status=0&");
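Review bot: Status "3" is set both for `missingParam` and for `!sameCardCrypto`, but the new `errorMsg` for "3" is always "Missing input parameters :" + badParams, so a card-cryptogram mismatch — an authentication failure of the token, the one case worth seeing in the audit trail — is recorded as a missing-parameter error with an empty list. Distinguish them in the message while keeping the wire status unchanged: `errorMsg = missingParam ? "Missing input parameters :" + badParams : "Card cryptogram verification failed.";`. The same ordering issue applies to the status assignments themselves, where a later `missingParam` overwrites `!sameCardCrypto`, though both yield "3" today.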
@@ -642,14 +711,35 @@ public class TokenServlet extends CMSServlet {
} catch (IOException e) {
CMS.debug("TokenServlet: " + e.toString());
}
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED,
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
rCUID,
+ ILogger.SUCCESS,
status,
agentId,
isCryptoValidate? "true":"false",
- serversideKeygen? "true":"false");
+ serversideKeygen? "true":"false",
+ selectedToken,
+ keyNickName);
+
+ } else {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ isCryptoValidate? "true":"false",
+ serversideKeygen? "true":"false",
+ selectedToken,
+ keyNickName,
+ errorMsg);
+ }
+
audit(auditMessage);
}
@@ -658,12 +748,15 @@ public class TokenServlet extends CMSServlet {
byte[] KeySetData,KeysValues,CUID,xCUID;
byte[] xkeyInfo,xnewkeyInfo;
boolean missingParam = false;
+ String errorMsg = "";
+ String badParams = "";
IConfigStore sconfig = CMS.getConfigStore();
String rnewKeyInfo = req.getParameter("newKeyInfo");
String newMasterKeyName = req.getParameter("newKeyInfo");
String oldMasterKeyName = req.getParameter("KeyInfo");
String rCUID =req.getParameter("CUID");
+ String auditMessage="";
String keySet = req.getParameter("keySet");
if (keySet == null || keySet.equals("")) {
@@ -671,15 +764,37 @@ public class TokenServlet extends CMSServlet {
}
CMS.debug("keySet selected: " + keySet);
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName);
+
+ audit(auditMessage);
+
+
if ((rCUID == null) || (rCUID.equals(""))) {
+ badParams += " CUID,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
missingParam = true;
}
if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
+ badParams += " newKeyInfo,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
missingParam = true;
}
if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))){
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
missingParam = true;
}
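Review bot: The DIVERSIFY_KEY_REQUEST audit record logs `rCUID`, `oldMasterKeyName` and `newMasterKeyName` exactly as received, before the null/empty and decoded-length checks that follow, so unvalidated request data (including "null") lands in the signed audit log, and the record always says SUCCESS even when the request is then rejected. Move the audit below the parameter checks or pass `missingParam ? ILogger.FAILURE : ILogger.SUCCESS`, and bound or sanitize the logged values. Note also that `rnewKeyInfo` and `newMasterKeyName` both read the same `newKeyInfo` parameter, which is pre-existing but worth a comment if it is intentional.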
@@ -687,11 +802,13 @@ public class TokenServlet extends CMSServlet {
if (!missingParam) {
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
if (xkeyInfo == null || xkeyInfo.length != 2) {
+ badParams += " KeyInfo length,";
CMS.debug("TokenServlet: Invalid key info length");
missingParam = true;
}
xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
if (xnewkeyInfo == null || xnewkeyInfo.length != 2) {
+ badParams += " NewKeyInfo length,";
CMS.debug("TokenServlet: Invalid new key info length");
missingParam = true;
}
@@ -705,6 +822,7 @@ public class TokenServlet extends CMSServlet {
if (!missingParam) {
xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
missingParam = true;
}
@@ -776,14 +894,24 @@ public class TokenServlet extends CMSServlet {
//String value="keySetData=%00" if the KeySetData=byte[0]=0;
String value = "";
+ String status = "0";
+
if (KeySetData != null && KeySetData.length > 1) {
value = "status=0&"+"keySetData=" +
com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
CMS.debug("TokenServlet:process DiversifyKey.encode " +value);
} else if (missingParam) {
- value = "status=3";
- } else
- value = "status=1";
+ status = "3";
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters: " + badParams;
+ value = "status=" + status;
+ } else {
+ errorMsg = "Problem diversifying key data.";
+ status = "1";
+ value = "status=" + status;
+ }
resp.setContentLength(value.length());
CMS.debug("TokenServlet:outputString.length " +value.length());
@@ -796,6 +924,32 @@ public class TokenServlet extends CMSServlet {
} catch (Exception e) {
CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
}
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,
+ rCUID,
+ ILogger.SUCCESS,
+ status,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName);
+
+ } else {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName,
+ errorMsg);
+ }
+
+ audit(auditMessage);
}
private void processEncryptData(HttpServletRequest req,
@@ -805,6 +959,8 @@ public class TokenServlet extends CMSServlet {
byte[] data = null;
boolean isRandom = true; // randomly generate the data to be encrypted
+ String errorMsg = "";
+ String badParams = "";
IConfigStore sconfig = CMS.getConfigStore();
encryptedData = null;
String rdata = req.getParameter("data");
@@ -814,6 +970,15 @@ public class TokenServlet extends CMSServlet {
if (keySet == null || keySet.equals("")) {
keySet = "defKeySet";
}
+
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
CMS.debug("keySet selected: " + keySet);
String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
@@ -825,6 +990,15 @@ public class TokenServlet extends CMSServlet {
isRandom = true;
}
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId,
+ s_isRandom);
+
+ audit(auditMessage);
+
if (isRandom) {
if ((rdata == null) || (rdata.equals(""))) {
CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data");
@@ -837,33 +1011,40 @@ public class TokenServlet extends CMSServlet {
random.nextBytes(data);
} catch (Exception e) {
CMS.debug("TokenServlet: processEncryptData():"+ e.toString());
- throw new EBaseException("processEncryptData:"+ e.toString());
+ badParams += " Random Number,";
+ missingParam = true;
}
} else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
+ badParams += " data,";
missingParam = true;
}
if ((rCUID == null) || (rCUID.equals(""))) {
-
+ badParams += " CUID,";
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
missingParam = true;
}
+
if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+ badParams += " KeyInfo,";
CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
missingParam = true;
}
+
if (!missingParam) {
xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
CMS.debug("TokenServlet: Invalid CUID length");
- throw new EBaseException("Invalid CUID length");
+ missingParam = true;
}
xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
if (xkeyInfo == null || xkeyInfo.length != 2) {
+ badParams += " KeyInfo length,";
CMS.debug("TokenServlet: Invalid key info length");
- throw new EBaseException("Invalid key info length");
+ missingParam = true;
}
}
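Review bot: Replacing the `throw new EBaseException` on `random.nextBytes` failure with `badParams += " Random Number,"` classifies a server-side RNG error as a missing client parameter, so the later failure audit and the status=3 response will say "Missing input parameters: Random Number" for a fault the caller did not cause. Keep a separate flag, e.g. `boolean rngFailed = true;` here, and map it to the internal-error path (status "1", `errorMsg = "Unable to generate random data."`) where the status is computed in the later hunk, so TPS operators are not sent looking for a request bug. The two other conversions (CUID and KeyInfo length) are fine as missing-parameter cases, and the method continues outside the hunk.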
@@ -871,6 +1052,8 @@ public class TokenServlet extends CMSServlet {
if (!useSoftToken_s.equalsIgnoreCase("true"))
useSoftToken_s = "false";
+ String selectedToken = null;
+ String keyNickName = null;
if (!missingParam) {
if (!isRandom)
data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
@@ -879,8 +1062,6 @@ public class TokenServlet extends CMSServlet {
String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo;
String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
- String selectedToken = null;
- String keyNickName = null;
if (mappingValue == null) {
selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal");
keyNickName = rKeyInfo;
@@ -902,6 +1083,7 @@ public class TokenServlet extends CMSServlet {
resp.setContentType("text/html");
String value = "";
+ String status = "0";
if (encryptedData != null && encryptedData.length > 0) {
String outputString = new String(encryptedData);
// sending both the pre-encrypted and encrypted data back
@@ -910,9 +1092,17 @@ public class TokenServlet extends CMSServlet {
"&encryptedData=" +
com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
} else if (missingParam) {
- value = "status=3";
- } else
- value = "status=1";
+ if(badParams.endsWith(",")) {
+ badParams = badParams.substring(0,badParams.length() -1);
+ }
+ errorMsg = "Missing input parameters: " + badParams;
+ status = "3";
+ value = "status=" + status;
+ } else {
+ errorMsg = "Problem encrypting data.";
+ status = "1";
+ value = "status=" + status;
+ }
CMS.debug("TokenServlet:process EncryptData.encode " +value);
@@ -927,6 +1117,34 @@ public class TokenServlet extends CMSServlet {
} catch (Exception e) {
CMS.debug("TokenServlet: " + e.toString());
}
+
+ if(status.equals("0")) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,
+ rCUID,
+ ILogger.SUCCESS,
+ status,
+ agentId,
+ s_isRandom,
+ selectedToken,
+ keyNickName);
+
+ } else {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,
+ rCUID,
+ ILogger.FAILURE,
+ status,
+ agentId,
+ s_isRandom,
+ selectedToken,
+ keyNickName,
+ errorMsg);
+ }
+
+ audit(auditMessage);
}
/*
@@ -953,7 +1171,7 @@ public class TokenServlet extends CMSServlet {
try {
authzToken = authorize(mAclMethod, authToken,
- mAuthzResourceName, "read");
+ mAuthzResourceName, "execute");
} catch (Exception e) {
}