[Pki-devel] [PATCH] 644 Added support for directory-authenticated profiles in CLI.

Endi Sukma Dewata edewata at redhat.com
Tue Sep 22 17:55:26 UTC 2015


The pki client-cert-request CLI has been modified to support
directory-authenticated profiles by sending the username and
password as XML/JSON request attributes. The CertRequestService
will then put the credentials into an AuthCredentials object.

The ProfileSubmitServlet has also been modified to create an
AuthCredentials object from the HTTP request object.

The certificate processor classes have been modified to accept
an AuthCredentials object instead of retrieving it from HTTP
request object.

https://fedorahosted.org/pki/ticket/1463

-- 
Endi S. Dewata
From 899a87d956cdfc9be24fb9bf3111bd3e1e5d36bb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 17 Sep 2015 00:33:32 +0200
Subject: [PATCH] Added support for directory-authenticated profiles in CLI.

The pki client-cert-request CLI has been modified to support
directory-authenticated profiles by sending the username and
password as XML/JSON request attributes. The CertRequestService
will then put the credentials into an AuthCredentials object.

The ProfileSubmitServlet has also been modified to create an
AuthCredentials object from the HTTP request object.

The certificate processor classes have been modified to accept
an AuthCredentials object instead of retrieving it from HTTP
request object.

https://fedorahosted.org/pki/ticket/1463
---
 .../server/ca/rest/CertRequestService.java         |   6 +-
 .../certsrv/cert/CertEnrollmentRequest.java        |  12 +-
 .../cmstools/client/ClientCertRequestCLI.java      |  83 ++++++++--
 .../cms/authentication/DirBasedAuthentication.java |  49 +++---
 .../netscape/cms/servlet/cert/CertProcessor.java   |  38 ++---
 .../netscape/cms/servlet/cert/CertRequestDAO.java  | 179 ++++++++++++++++++++-
 .../cms/servlet/cert/EnrollmentProcessor.java      |  61 ++-----
 .../cms/servlet/cert/RenewalProcessor.java         | 128 +++++----------
 .../cms/servlet/processors/CAProcessor.java        |  56 ++++---
 .../cms/servlet/profile/ProfileSubmitServlet.java  | 178 +++++++++++++++++++-
 .../cmscore/authentication/AuthSubsystem.java      |   4 +
 11 files changed, 560 insertions(+), 234 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index a11cb470b21240127b405a694c92fc665dd9ed69..1974b9279f685f0ef07995eca7a1010505ce729e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -132,7 +132,11 @@ public class CertRequestService extends PKIService implements CertRequestResourc
 
         CertRequestInfos infos;
         try {
-            infos = dao.submitRequest(data, servletRequest, uriInfo, getLocale(headers));
+            if (data.isRenewal()) {
+                infos = dao.submitRenewalRequest(data, servletRequest, uriInfo, getLocale(headers));
+            } else {
+                infos = dao.submitEnrollmentRequest(data, servletRequest, uriInfo, getLocale(headers));
+            }
         } catch (EAuthException e) {
             CMS.debug("enrollCert: authentication failed: " + e);
             throw new UnauthorizedException(e.toString());
diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
index 72aad330fecc63290c9e6d82e576971df499028e..ba43e884df944af857fa69e6bf663a7dead6e601 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
@@ -37,6 +37,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 
+import com.netscape.certsrv.base.ResourceMessage;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.profile.ProfileOutput;
@@ -48,7 +49,7 @@ import com.netscape.certsrv.profile.ProfileOutput;
 
 @XmlRootElement(name = "CertEnrollmentRequest")
 @XmlAccessorType(XmlAccessType.FIELD)
-public class CertEnrollmentRequest {
+public class CertEnrollmentRequest extends ResourceMessage {
 
     private static final String PROFILE_ID = "profileId";
     private static final String RENEWAL = "renewal";
@@ -278,7 +279,7 @@ public class CertEnrollmentRequest {
     @Override
     public int hashCode() {
         final int prime = 31;
-        int result = 1;
+        int result = super.hashCode();
         result = prime * result + ((inputs == null) ? 0 : inputs.hashCode());
         result = prime * result + ((outputs == null) ? 0 : outputs.hashCode());
         result = prime * result + ((profileId == null) ? 0 : profileId.hashCode());
@@ -293,7 +294,7 @@ public class CertEnrollmentRequest {
     public boolean equals(Object obj) {
         if (this == obj)
             return true;
-        if (obj == null)
+        if (!super.equals(obj))
             return false;
         if (getClass() != obj.getClass())
             return false;
@@ -338,8 +339,6 @@ public class CertEnrollmentRequest {
         before.setProfileId("caUserCert");
         before.setRenewal(false);
 
-        //Simulate a "caUserCert" Profile enrollment
-
         ProfileInput certReq = before.createInput("KeyGenInput");
         certReq.addAttribute(new ProfileAttribute("cert_request_type", "crmf", null));
         certReq.addAttribute(new ProfileAttribute(
@@ -363,6 +362,9 @@ public class CertEnrollmentRequest {
         submitter.addAttribute(new ProfileAttribute("requestor_email", "admin at redhat.com", null));
         submitter.addAttribute(new ProfileAttribute("requestor_phone", "650-555-5555", null));
 
+        before.setAttribute("uid", "testuser");
+        before.setAttribute("pwd", "password");
+
         String xml = before.toXML();
         System.out.println(xml);
 
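Review bot: The `before.setAttribute("pwd", "password");` line stores the password as an ordinary request attribute, so the `before.toXML()` printed two lines below now contains the cleartext credential, and the same applies to any server-side `CMS.debug` or `toString` of a CertEnrollmentRequest once real requests carry a `pwd`. ResourceMessage is not visible in this patch, so I cannot tell whether it has any notion of a sensitive attribute; if it does not, the safest course is to never log a whole CertEnrollmentRequest on the server and to mask `pwd` in `toString`/`toXML` output used for diagnostics. A comment on the test line such as `// NOTE: pwd is serialized in cleartext; do not log request objects that carry it` would at least warn the next maintainer.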
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index e6bd0d98120295ef8e798925f4e9aceb3a0d43f6..813140745b5f1f526e859011de4080f36e7a9994 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -19,13 +19,13 @@
 package com.netscape.cmstools.client;
 
 import java.io.ByteArrayOutputStream;
+import java.io.Console;
 import java.io.File;
 import java.security.KeyPair;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Vector;
 
-import netscape.ldap.util.DN;
-import netscape.ldap.util.RDN;
-
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
@@ -50,6 +50,9 @@ import com.netscape.cmstools.cli.MainCLI;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.ldap.util.DN;
+import netscape.ldap.util.RDN;
+
 /**
  * @author Endi S. Dewata
  */
@@ -73,6 +76,10 @@ public class ClientCertRequestCLI extends CLI {
         option.setArgName("request type");
         options.addOption(option);
 
+        option = new Option(null, "password", true, "Request password");
+        option.setArgName("password");
+        options.addOption(option);
+
         option = new Option(null, "attribute-encoding", false, "Enable Attribute encoding");
         options.addOption(option);
 
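Review bot: The new `option = new Option(null, "password", true, "Request password");` takes the secret on the command line, where it is visible to other local users through process listings and is kept in shell history; the interactive console prompt added later in this file avoids that. Consider saying so in the option help, e.g. `"Request password (prompted for if omitted; passing it here exposes it in process listings and shell history)"`, so the prompt is the documented default path.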
@@ -265,20 +272,72 @@ public class ClientCertRequestCLI extends CLI {
             }
         }
 
+        // parse subject DN and put the values in a map
+        DN dn = new DN(subjectDN);
+        Vector<?> rdns = dn.getRDNs();
+
+        Map<String, String> subjectAttributes = new HashMap<String, String>();
+        for (int i=0; i< rdns.size(); i++) {
+            RDN rdn = (RDN)rdns.elementAt(i);
+            String type = rdn.getTypes()[0].toLowerCase();
+            String value = rdn.getValues()[0];
+            subjectAttributes.put(type, value);
+        }
+
         ProfileInput sn = request.getInput("Subject Name");
         if (sn != null) {
-            DN dn = new DN(subjectDN);
-            Vector<?> rdns = dn.getRDNs();
-
-            for (int i=0; i< rdns.size(); i++) {
-                RDN rdn = (RDN)rdns.elementAt(i);
-                String type = rdn.getTypes()[0].toLowerCase();
-                String value = rdn.getValues()[0];
-                ProfileAttribute uidAttr = sn.getAttribute("sn_" + type);
-                uidAttr.setValue(value);
+            if (verbose) System.out.println("Subject Name:");
+
+            for (ProfileAttribute attribute : sn.getAttributes()) {
+                String name = attribute.getName();
+                String value = null;
+
+                if (name.equals("subject")) {
+                    // get the whole subject DN
+                    value = subjectDN;
+
+                } else if (name.startsWith("sn_")) {
+                    // get value from subject DN
+                    value = subjectAttributes.get(name.substring(3));
+
+                } else {
+                    // unknown attribute, ignore
+                    if (verbose) System.out.println(" - " + name);
+                    continue;
+                }
+
+                if (value == null) continue;
+
+                if (verbose) System.out.println(" - " + name + ": " + value);
+                attribute.setValue(value);
             }
         }
 
+        // get password from CLI option
+        String requestPassword = cmd.getOptionValue("password");
+
+        // get credentials for LDAP-authenticated profiles
+        // TODO: remove hard-coded profile names
+        if (profileID.equals("caDirUserCert")
+                || profileID.equals("caECDirUserCert")
+                || profileID.equals("caDirUserRenewal")) {
+
+            // get UID from subject DN
+            String value = subjectAttributes.get("uid");
+            request.setAttribute("uid", value);
+
+            // if not specified, get from console
+            if (requestPassword == null) {
+                Console console = System.console();
+                requestPassword = new String(console.readPassword("Password: "));
+            }
+        }
+
+        // store password if specified
+        if (requestPassword != null) {
+            request.setAttribute("pwd", requestPassword);
+        }
+
         if (verbose) {
             System.out.println("Sending certificate request.");
         }
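Review bot: `Console console = System.console();` returns null when the tool runs without a terminal (piped input, a wrapper script, an IDE), so `console.readPassword("Password: ")` then fails with a NullPointerException instead of a usable error; guard it with `if (console == null) throw new IllegalStateException("No console available to prompt for the password; use --password");` before the readPassword call. `subjectAttributes.get("uid")` can be null when the subject DN has no uid component (and `rdn.getTypes()[0]` only looks at the first component of a multi-valued RDN); what `request.setAttribute("uid", null)` does depends on ResourceMessage, which is not in this patch, so a clear error that these profiles need a uid in the subject DN would be friendlier than whatever the server reports. `new String(console.readPassword(...))` also copies the password into an immutable String that cannot be cleared afterwards, though the attribute API used here appears to require a String anyway. The enclosing method starts above this hunk.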
diff --git a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
index a8a95284df14bd287f7a9a0f5ccba43bf174c4a8..efbfb8053828c741d11b2a6ee574fda660a0f767 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
@@ -26,18 +26,6 @@ import java.util.Locale;
 import java.util.StringTokenizer;
 import java.util.Vector;
 
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.EAuthException;
@@ -56,6 +44,18 @@ import com.netscape.certsrv.ldap.ILdapConnFactory;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * Abstract class for directory based authentication managers
  * Uses a pattern for formulating subject names.
@@ -256,26 +256,35 @@ public abstract class DirBasedAuthentication
         mImplName = implName;
         mConfig = config;
 
+        CMS.debug(name + ": initialization");
+
         /* initialize ldap server configuration */
         mLdapConfig = mConfig.getSubStore(PROP_LDAP);
+
+        CMS.debug(name + ": needBaseDN: " + needBaseDN);
         if (needBaseDN) {
+
             mBaseDN = mLdapConfig.getString(PROP_BASEDN);
-            if (mBaseDN == null || mBaseDN.trim().equals(""))
+            if (mBaseDN == null || mBaseDN.trim().equals("")) {
+                CMS.debug(name + ": missing basedn");
                 throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
+            }
+            CMS.debug(name + ": basedn: " + mBaseDN);
+
             mGroupsEnable = mLdapConfig.getBoolean(PROP_GROUPS_ENABLE, false);
-            CMS.debug("DirBasedAuthentication: mGroupsEnable=" + (mGroupsEnable ? "true" : "false"));
+            CMS.debug(name + ": groupsEnable: " + mGroupsEnable);
             mGroupsBaseDN = mLdapConfig.getString(PROP_GROUPS_BASEDN, mBaseDN);
-            CMS.debug("DirBasedAuthentication: mGroupsBaseDN="+ mGroupsBaseDN);
+            CMS.debug(name + ": groupsBaseDN: " + mGroupsBaseDN);
             mGroups= mLdapConfig.getString(PROP_GROUPS, "ou=groups");
-            CMS.debug("DirBasedAuthentication: mGroups="+ mGroups);
+            CMS.debug(name + ": groups: " + mGroups);
             mGroupObjectClass = mLdapConfig.getString(PROP_GROUP_OBJECT_CLASS, "groupofuniquenames");
-            CMS.debug("DirBasedAuthentication: mGroupObjectClass="+ mGroupObjectClass);
+            CMS.debug(name + ": groupObjectClass: " + mGroupObjectClass);
             mUserIDName = mLdapConfig.getString(PROP_USERID_NAME, "uid");
-            CMS.debug("DirBasedAuthentication: mUserIDName="+ mUserIDName);
+            CMS.debug(name + ": userIDName: " + mUserIDName);
             mSearchGroupUserByUserdn = mLdapConfig.getBoolean(PROP_SEARCH_GROUP_USER_BY_USERDN, true);
-            CMS.debug("DirBasedAuthentication: mSearchGroupUserByUserdn="+ mSearchGroupUserByUserdn);
+            CMS.debug(name + ": searchGroupUserByUserdn: " + mSearchGroupUserByUserdn);
             mGroupUserIDName = mLdapConfig.getString(PROP_GROUP_USERID_NAME, "cn");
-            CMS.debug("DirBasedAuthentication: mGroupUserIDName="+ mGroupUserIDName);
+            CMS.debug(name + ": groupUserIDName: " + mGroupUserIDName);
         }
         mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication");
         mConnFactory.init(mLdapConfig);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 4cd54a25719bcd82728ef803f225bac481211584..d235b247bf132a6b3038ac592b3a677b66158ab2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -23,8 +23,6 @@ import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Locale;
 
-import javax.servlet.http.HttpServletRequest;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.EBaseException;
@@ -42,6 +40,7 @@ import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.INotify;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 
@@ -51,26 +50,27 @@ public class CertProcessor extends CAProcessor {
         super(id, locale);
     }
 
-    protected void setCredentialsIntoContext(HttpServletRequest request, IProfileAuthenticator authenticator,
-            IProfileContext ctx) {
-        Enumeration<String> authIds = authenticator.getValueNames();
+    /**
+     * Copy credentials required by profile authenticator into profile context.
+     */
+    protected void setCredentialsIntoContext(
+            IProfileAuthenticator authenticator,
+            IProfileContext ctx,
+            AuthCredentials credentials) {
 
-        if (authIds != null) {
-            CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authNames not null");
-            while (authIds.hasMoreElements()) {
-                String authName = authIds.nextElement();
+        if (authenticator != null) {
 
-                CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName:" +
-                        authName);
-                if (request.getParameter(authName) != null) {
-                    CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName found in request");
-                    ctx.set(authName, request.getParameter(authName));
-                } else {
-                    CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName not found in request");
-                }
+            CMS.debug("CertProcessor: getting credentials for " + authenticator.getName());
+            Enumeration<String> names = authenticator.getValueNames();
+            if (names == null) return;
+
+            while (names.hasMoreElements()) {
+                String name = names.nextElement();
+                Object value = credentials.get(name);
+                if (value == null) continue;
+
+                ctx.set(name, value.toString());
             }
-        } else {
-            CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authIds` null");
         }
     }
 
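Review bot: `Object value = credentials.get(name);` dereferences `credentials` without a null check, so a caller passing null for a profile that has an authenticator gets a NullPointerException rather than the "not provided" outcome the loop otherwise produces; both callers in this patch construct an AuthCredentials, so either document that contract in the new Javadoc or add `if (credentials == null) return;` before the loop. The rewrite also drops the per-credential trace the old loop wrote; a line that names which credential was or was not supplied — never its value — keeps authentication failures diagnosable: `CMS.debug("CertProcessor: credential " + name + (value == null ? " not provided" : " provided"));`.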
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
index c94ee14961ef39681a53f506b24e4ca5ab06a27e..5fc89b3e936fb05adc6c72cdf72aa0a1aaaaee23 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
@@ -17,7 +17,9 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.servlet.cert;
 
+import java.math.BigInteger;
 import java.util.Collection;
+import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -28,14 +30,20 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.commons.lang.StringUtils;
+
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfo;
 import com.netscape.certsrv.cert.CertRequestInfos;
 import com.netscape.certsrv.cert.CertReviewResponse;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
 import com.netscape.certsrv.profile.IProfileSubsystem;
 import com.netscape.certsrv.request.CMSRequestInfo;
 import com.netscape.certsrv.request.CMSRequestInfos;
@@ -43,6 +51,7 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestNotFoundException;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cms.servlet.request.CMSRequestDAO;
 
@@ -164,20 +173,176 @@ public class CertRequestDAO extends CMSRequestDAO {
      * @throws EBaseException
      * @throws ServletException
      */
-    public CertRequestInfos submitRequest(CertEnrollmentRequest data, HttpServletRequest request, UriInfo uriInfo,
+    public CertRequestInfos submitEnrollmentRequest(
+            CertEnrollmentRequest data,
+            HttpServletRequest request,
+            UriInfo uriInfo,
             Locale locale) throws EBaseException {
 
         CertRequestInfos ret = new CertRequestInfos();
 
-        HashMap<String, Object> results = null;
-        if (data.isRenewal()) {
-            RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
-            results = processor.processRenewal(data, request);
+        EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
+        String profileId = processor.getProfileID() == null ? data.getProfileId() : processor.getProfileID();
+        CMS.debug("CertRequestDAO: profile: " + profileId);
+
+        IProfile profile = ps.getProfile(profileId);
+        if (profile == null) {
+            CMS.debug("CertRequestDAO: Profile " + profileId + " not found");
+            throw new BadRequestDataException("Profile " + profileId + " not found");
+        }
+
+        if (!ps.isProfileEnable(profileId)) {
+            CMS.debug("CertRequestDAO: Profile " + profileId + " not enabled");
+            throw new BadRequestDataException("Profile " + profileId + " not enabled");
+        }
+
+        AuthCredentials credentials = new AuthCredentials();
+
+        // get credentials from request attributes
+        IProfileAuthenticator authenticator = profile.getAuthenticator();
+        if (authenticator != null) {
+
+            Enumeration<String> names = authenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = data.getAttribute(name);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        HashMap<String, Object> results = processor.processEnrollment(profile, data, request, credentials);
+
+        IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
+        for (IRequest req : reqs) {
+            CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
+            ret.addEntry(info);
+        }
+
+        ret.setTotal(ret.getEntries().size());
+
+        // TODO - what happens if the errorCode is internal error ?
+
+        return ret;
+    }
+
+    /**
+     * Submits a renewal request and processes it.
+     *
+     * @param data
+     * @return info for the request submitted.
+     * @throws EBaseException
+     * @throws ServletException
+     */
+    public CertRequestInfos submitRenewalRequest(
+            CertEnrollmentRequest data,
+            HttpServletRequest request,
+            UriInfo uriInfo,
+            Locale locale) throws EBaseException {
+
+        CertRequestInfos ret = new CertRequestInfos();
+
+        RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
+        String profileId = processor.getProfileID() == null ? data.getProfileId() : processor.getProfileID();
+        CMS.debug("CertRequestDAO: profile: " + profileId);
+
+        IProfile profile = ps.getProfile(profileId);
+        if (profile == null) {
+            CMS.debug("CertRequestDAO: Profile " + profileId + " not found");
+            throw new BadRequestDataException("Profile " + profileId + " not found");
+        }
+
+        if (!ps.isProfileEnable(profileId)) {
+            CMS.debug("CertRequestDAO: Profile " + profileId + " not enabled");
+            throw new BadRequestDataException("Profile " + profileId + " not enabled");
+        }
+
+        String serial = request.getParameter("serial_num");
+        BigInteger certSerial = null;
+
+        if (StringUtils.isNotEmpty(serial)) {
+            // if serial number is sent with request, then the authentication
+            // method is not ssl client auth.  In this case, an alternative
+            // authentication method is used (default: ldap based)
+            // usr_origreq evaluator should be used to authorize ownership
+            // of the cert
+            CMS.debug("CertRequestDAO: renewal: serial number: " + serial);
+            certSerial = new BigInteger(serial);
+
         } else {
-            EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
-            results = processor.processEnrollment(data, request);
+            // ssl client auth is to be used
+            // this is not authentication. Just use the cert to search
+            // for orig request and find the right profile
+            CMS.debug("CertRequestDAO: renewal: serial_num not found, must do ssl client auth");
+            certSerial = processor.getSerialNumberFromCert(request);
+
+            if (certSerial == null) {
+                CMS.debug(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
+                throw new EBaseException(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
+            }
         }
 
+        ICertificateAuthority authority = (ICertificateAuthority) CMS.getSubsystem("ca");
+        ICertificateRepository certdb = authority.getCertificateRepository();
+
+        CMS.debug("CertRequestDAO: serial number of cert to renew: " + certSerial);
+        ICertRecord record = certdb.readCertificateRecord(certSerial);
+        if (record == null) {
+            CMS.debug("CertRequestDAO: cert record not found for serial number " + certSerial);
+            throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
+        }
+
+        IRequest origReq = processor.getOriginalRequest(certSerial, record);
+        if (origReq == null) {
+            CMS.debug("CertRequestDAO: original request not found");
+            throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
+        }
+
+        String origProfileId = origReq.getExtDataInString("profileId");
+        IProfile origProfile = ps.getProfile(origProfileId);
+
+        AuthCredentials credentials = new AuthCredentials();
+
+        // get credentials from request attributes
+        IProfileAuthenticator authenticator = profile.getAuthenticator();
+        if (authenticator != null) {
+            CMS.debug("CertRequestDAO: authenticator " + authenticator.getName() + " found");
+
+            Enumeration<String> names = authenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = data.getAttribute(name);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        // for renewal, this will override or add auth info to the profile context
+        IProfileAuthenticator origAuthenticator = origProfile.getAuthenticator();
+        if (origAuthenticator != null) {
+            CMS.debug("RenewalProcessor: for renewal, original authenticator " +
+                origAuthenticator.getName() + " found");
+
+            Enumeration<String> names = origAuthenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = data.getAttribute(name);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        HashMap<String, Object> results = processor.processRenewal(profile, origProfile, record, data, request, credentials);
+
         IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
         for (IRequest req : reqs) {
             CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
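Review bot: `certSerial = new BigInteger(serial);` parses the client-supplied `serial_num` parameter with no handling of NumberFormatException, so a malformed value surfaces as an unhandled runtime exception rather than the BadRequestDataException the other input checks in this method throw; likewise `IProfile origProfile = ps.getProfile(origProfileId);` is dereferenced at `origProfile.getAuthenticator()` without a null check, so renewing a certificate whose original profile has since been removed fails with a NullPointerException. The three identical loops that copy `authenticator.getValueNames()` from `data.getAttribute(name)` into `credentials` (once in submitEnrollmentRequest, twice in submitRenewalRequest) would read better as one private helper, e.g. `copyCredentials(IProfileAuthenticator authenticator, CertEnrollmentRequest data, AuthCredentials credentials)`. The debug prefix in `"RenewalProcessor: for renewal, original authenticator "` is a leftover from the class this code was moved out of. The Javadoc of submitEnrollmentRequest starts above this hunk and still lists `@throws ServletException`, which neither new method declares.
```java
        // … unchanged: profile lookup and enablement checks …
        String serial = request.getParameter("serial_num");
        BigInteger certSerial = null;

        if (StringUtils.isNotEmpty(serial)) {
            // … unchanged: comment on the non-SSL-client-auth renewal path …
            CMS.debug("CertRequestDAO: renewal: serial number: " + serial);
            try {
                certSerial = new BigInteger(serial);
            } catch (NumberFormatException e) {
                // client-supplied value: reject as a bad request, not an internal error
                CMS.debug("CertRequestDAO: invalid serial number: " + serial);
                throw new BadRequestDataException("Invalid serial number: " + serial);
            }
        } else {
            // … unchanged: serial number taken from the SSL client certificate …
        }

        // … unchanged: certificate record and original request lookup …

        String origProfileId = origReq.getExtDataInString("profileId");
        IProfile origProfile = ps.getProfile(origProfileId);
        if (origProfile == null) {
            CMS.debug("CertRequestDAO: original profile " + origProfileId + " not found");
            throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
        }
        // … unchanged: credential collection and processRenewal call …
```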
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index 8d9d05cb7676f012eed8ef199f4e65f34d5e6ebe..d9d0ef725fc97fcd4d3b9459e41295f317902ec2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -25,7 +25,6 @@ import javax.servlet.http.HttpServletRequest;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
-import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.SessionContext;
@@ -37,8 +36,7 @@ import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.servlet.common.CMSRequest;
-import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 
@@ -82,26 +80,6 @@ public class EnrollmentProcessor extends CertProcessor {
     }
 
     /**
-     * Called by the legacy servlets to access the Processor function
-     * @param request
-     * @return
-     * @throws EBaseException
-     */
-    public HashMap<String, Object> processEnrollment(CMSRequest cmsReq) throws EBaseException {
-        HttpServletRequest req = cmsReq.getHttpReq();
-        String profileId = (this.profileID == null) ? req.getParameter("profileId") : this.profileID;
-        IProfile profile = ps.getProfile(profileId);
-
-        if (profile == null) {
-            CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-        }
-
-        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-        return processEnrollment(data, cmsReq.getHttpReq());
-    }
-
-    /**
      * Process the HTTP request
      * <P>
      *
@@ -118,7 +96,11 @@ public class EnrollmentProcessor extends CertProcessor {
      * @param cmsReq the object holding the request and response information
      * @exception EBaseException an error has occurred
      */
-    public HashMap<String, Object> processEnrollment(CertEnrollmentRequest data, HttpServletRequest request)
+    public HashMap<String, Object> processEnrollment(
+            IProfile profile,
+            CertEnrollmentRequest data,
+            HttpServletRequest request,
+            AuthCredentials credentials)
             throws EBaseException {
 
         try {
@@ -127,23 +109,10 @@ public class EnrollmentProcessor extends CertProcessor {
                 printParameterValues(params);
             }
 
-            CMS.debug("EnrollmentSubmitter: isRenewal false");
             startTiming("enrollment");
 
-            // if we did not configure profileId in xml file,
-            // then accept the user-provided one
-            String profileId = (this.profileID == null) ? data.getProfileId() : this.profileID;
-            CMS.debug("EnrollmentSubmitter: profileId " + profileId);
-
-            IProfile profile = ps.getProfile(profileId);
-            if (profile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-            }
-            if (!ps.isProfileEnable(profileId)) {
-                CMS.debug("EnrollmentSubmitter: Profile " + profileId + " not enabled");
-                throw new BadRequestDataException("Profile " + profileId + " not enabled");
-            }
+            String profileId = profile.getId();
+            CMS.debug("EnrollmentProcessor: profile: " + profileId);
 
             IProfileContext ctx = profile.createContext();
             CMS.debug("EnrollmentSubmitter: set Inputs into profile Context");
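Review bot: `String profileId = profile.getId();` dereferences the new `profile` parameter with no guard, and the `ps.isProfileEnable(profileId)` check that used to run here has been dropped, so the processor now depends entirely on every caller having validated and enabled the profile. ProfileSubmitServlet in this patch does both, but the REST path through CertRequestDAO/CertRequestService is not in this chunk, so I cannot confirm it does the same. A cheap safety net that keeps the old failure mode is `if (profile == null) throw new BadRequestDataException("Profile not specified");` at the top of the try block, assuming that import is still present. processEnrollment starts before and ends after this hunk.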
@@ -151,8 +120,8 @@ public class EnrollmentProcessor extends CertProcessor {
 
             IProfileAuthenticator authenticator = profile.getAuthenticator();
             if (authenticator != null) {
-                CMS.debug("EnrollmentSubmitter: authenticator " + authenticator.getName() + " found");
-                setCredentialsIntoContext(request, authenticator, ctx);
+                CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found");
+                setCredentialsIntoContext(authenticator, ctx, credentials);
             }
 
             // for ssl authentication; pass in servlet for retrieving ssl client certificates
@@ -163,14 +132,17 @@ public class EnrollmentProcessor extends CertProcessor {
             CMS.debug("EnrollmentSubmitter: set sslClientCertProvider");
 
             // before creating the request, authenticate the request
-            IAuthToken authToken = authenticate(request, null, authenticator, context, false);
+            CMS.debug("EnrollmentProcessor: authenticating request");
+            IAuthToken authToken = authenticate(request, null, authenticator, context, false, credentials);
 
             // authentication success, now authorize
+            CMS.debug("EnrollmentProcessor: authorizing request");
             authorize(profileId, profile, authToken);
 
             ///////////////////////////////////////////////
             // create and populate request
             ///////////////////////////////////////////////
+            CMS.debug("EnrollmentProcessor: create and populate request");
             startTiming("request_population");
             IRequest[] reqs = profile.createRequests(ctx, locale);
             populateRequests(data, false, locale, null, null, null, profileId, profile,
@@ -193,13 +165,10 @@ public class EnrollmentProcessor extends CertProcessor {
             endTiming("enrollment");
 
             return ret;
+
         } finally {
             SessionContext.releaseContext();
             endAllEvents();
         }
     }
-
-
-
-
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index efd1d7b0cf799dc399257502cb3f4e3196174b50..d0e20172774be591ce77d4b26cec6df9cfa44b5b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -26,11 +26,6 @@ import java.util.Locale;
 
 import javax.servlet.http.HttpServletRequest;
 
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.X509CertImpl;
-
-import org.apache.commons.lang.StringUtils;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.BadRequestDataException;
@@ -45,33 +40,18 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
 import com.netscape.certsrv.profile.IProfileContext;
 import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.servlet.common.CMSRequest;
-import com.netscape.cms.servlet.common.CMSTemplate;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.X509CertImpl;
+
 public class RenewalProcessor extends CertProcessor {
 
     public RenewalProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException {
         super(id, locale);
     }
 
-    public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException {
-        HttpServletRequest req = cmsReq.getHttpReq();
-        String profileId = (this.profileID == null) ? req.getParameter("profileId") : this.profileID;
-        IProfile profile = ps.getProfile(profileId);
-        if (profile == null) {
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
-                    CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-        }
-
-        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-
-        //only used in renewal
-        data.setSerialNum(req.getParameter("serial_num"));
-
-        return processRenewal(data, req);
-    }
-
     /*
      * Renewal - Renewal is retrofitted into the Profile Enrollment
      * Framework.  The authentication and authorization are taken from
@@ -81,8 +61,15 @@ public class RenewalProcessor extends CertProcessor {
      * Things to note:
      * * the renew request will contain the original profile instead of the new
      */
-    public HashMap<String, Object> processRenewal(CertEnrollmentRequest data, HttpServletRequest request)
+    public HashMap<String, Object> processRenewal(
+            IProfile renewProfile,
+            IProfile origProfile,
+            ICertRecord record,
+            CertEnrollmentRequest data,
+            HttpServletRequest request,
+            AuthCredentials credentials)
             throws EBaseException {
+
         try {
             if (CMS.debugOn()) {
                 HashMap<String, String> params = data.toParams();
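Review bot: The block comment above the new six-parameter `processRenewal` signature still only describes the renewal retrofit and says nothing about the parameters, several of which carry caller-established preconditions. It should state that `renewProfile` and `origProfile` are expected to be resolved, non-null profiles, that `record` is the already-looked-up certificate record whose serial drives the renewal, and that `credentials` holds the authenticator inputs for both the renewal and the original profile's authenticator. Without that, the next caller has no way to know which checks were moved out of this method. The method body continues past this hunk.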
@@ -98,58 +85,19 @@ public class RenewalProcessor extends CertProcessor {
             String renewProfileId = (this.profileID == null) ? data.getProfileId() : this.profileID;
             CMS.debug("processRenewal: renewProfileId " + renewProfileId);
 
-            IProfile renewProfile = ps.getProfile(renewProfileId);
-            if (renewProfile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
-                        CMSTemplate.escapeJavaScriptStringHTML(renewProfileId)));
-                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(renewProfileId)));
-            }
-            if (!ps.isProfileEnable(renewProfileId)) {
-                CMS.debug("RenewalSubmitter: Profile " + renewProfileId + " not enabled");
-                throw new BadRequestDataException("Profile " + renewProfileId + " not enabled");
-            }
-
-            String serial = data.getSerialNum();
-            BigInteger certSerial = null;
-
-            if (StringUtils.isNotEmpty(serial)) {
-                // if serial number is sent with request, then the authentication
-                // method is not ssl client auth.  In this case, an alternative
-                // authentication method is used (default: ldap based)
-                // usr_origreq evaluator should be used to authorize ownership
-                // of the cert
-                CMS.debug("RenewalSubmitter: renewal: serial number: " + serial);
-                certSerial = new BigInteger(serial);
-
-            } else {
-                // ssl client auth is to be used
-                // this is not authentication. Just use the cert to search
-                // for orig request and find the right profile
-                CMS.debug("RenewalSubmitter: renewal: serial_num not found, must do ssl client auth");
-                certSerial = getSerialNumberFromCert(request);
-
-                if (certSerial == null) {
-                    CMS.debug(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
-                    throw new EBaseException(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
-                }
-            }
+            BigInteger certSerial = record.getSerialNumber();
 
             CMS.debug("processRenewal: serial number of cert to renew:" + certSerial.toString());
-            ICertRecord rec = certdb.readCertificateRecord(certSerial);
-            if (rec == null) {
-                CMS.debug("processRenewal: cert record not found for serial number " + certSerial.toString());
-                throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
-            }
 
             // check to see if the cert is revoked or revoked_expired
-            if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED))
-                    || (rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED))) {
+            if ((record.getStatus().equals(ICertRecord.STATUS_REVOKED))
+                    || (record.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED))) {
                 CMS.debug("processRenewal: cert found to be revoked. Serial number = "
                         + certSerial.toString());
                 throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_CA_CANNOT_RENEW_REVOKED_CERT"));
             }
 
-            X509CertImpl origCert = rec.getCertificate();
+            X509CertImpl origCert = record.getCertificate();
             if (origCert == null) {
                 CMS.debug("processRenewal: original cert not found in cert record for serial number "
                         + certSerial.toString());
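Review bot: `renewProfileId` on the first context line is still derived from `data.getProfileId()` / `this.profileID`, while the profile actually used for authentication and authorization is the new `renewProfile` parameter; nothing ties the two together, so a caller that passes a profile not resolved from that same id would authenticate against one profile and record another in `ctx.set("renewProfileId", ...)` further down. Deriving it from the parameter, `String renewProfileId = renewProfile.getId();`, mirrors what EnrollmentProcessor now does and removes the second source of truth. `record.getSerialNumber()` likewise assumes the caller has already null-checked the record, which the visible servlet caller does. processRenewal begins and ends outside this hunk.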
@@ -162,45 +110,41 @@ public class RenewalProcessor extends CertProcessor {
             String origSubjectDN = origCert.getSubjectDN().getName();
             CMS.debug("processRenewal: orig subj dn =" + origSubjectDN);
 
-            IRequest origReq = getOriginalRequest(certSerial, rec);
+            IRequest origReq = getOriginalRequest(certSerial, record);
             if (origReq == null) {
                 CMS.debug("processRenewal: original request not found");
                 throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
             }
 
-            String profileId = origReq.getExtDataInString("profileId");
-            CMS.debug("RenewalSubmitter: renewal original profileId=" + profileId);
+            String origProfileId = origReq.getExtDataInString("profileId");
+            CMS.debug("RenewalSubmitter: renewal original profileId=" + origProfileId);
 
             Integer origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM);
-            IProfile profile = ps.getProfile(profileId);
-            if (profile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-                throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-            }
-            if (!ps.isProfileEnable(profileId)) {
-                CMS.debug("RenewalSubmitter: Profile " + profileId + " not enabled");
-                throw new BadRequestDataException("Profile " + profileId + " not enabled");
+
+            if (!ps.isProfileEnable(origProfileId)) {
+                CMS.debug("RenewalSubmitter: Profile " + origProfileId + " not enabled");
+                throw new BadRequestDataException("Profile " + origProfileId + " not enabled");
             }
 
-            IProfileContext ctx = profile.createContext();
+            IProfileContext ctx = origProfile.createContext();
             IProfileAuthenticator authenticator = renewProfile.getAuthenticator();
-            IProfileAuthenticator origAuthenticator = profile.getAuthenticator();
+            IProfileAuthenticator origAuthenticator = origProfile.getAuthenticator();
 
             if (authenticator != null) {
                 CMS.debug("RenewalSubmitter: authenticator " + authenticator.getName() + " found");
-                setCredentialsIntoContext(request, authenticator, ctx);
+                setCredentialsIntoContext(authenticator, ctx, credentials);
             }
 
             // for renewal, this will override or add auth info to the profile context
             if (origAuthenticator != null) {
                 CMS.debug("RenewalSubmitter: for renewal, original authenticator " +
                         origAuthenticator.getName() + " found");
-                setCredentialsIntoContext(request, origAuthenticator, ctx);
+                setCredentialsIntoContext(origAuthenticator, ctx, credentials);
             }
 
             // for renewal, input needs to be retrieved from the orig req record
             CMS.debug("processRenewal: set original Inputs into profile Context");
-            setInputsIntoContext(origReq, profile, ctx, locale);
+            setInputsIntoContext(origReq, origProfile, ctx, locale);
             ctx.set(IEnrollProfile.CTX_RENEWAL, "true");
             ctx.set("renewProfileId", renewProfileId);
             ctx.set(IEnrollProfile.CTX_RENEWAL_SEQ_NUM, origSeqNum.toString());
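Review bot: The removed null check for the original profile (the `CMS_PROFILE_NOT_FOUND` branch) has not been re-established on the new side: `origProfile.createContext()` a few lines below will throw a NullPointerException instead of a clean error if the profile recorded in the original request no longer exists, and the visible caller in ProfileSubmitServlet looks it up with `ps.getProfile(origProfileId)` and never tests the result. The enabled check also still keys off `origProfileId` re-read from `origReq` while the profile object comes from the caller, so the two can diverge. Adding `if (origProfile == null) throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", origProfileId));` before the `isProfileEnable` check restores the old behaviour. processRenewal begins and ends outside this hunk.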
@@ -215,31 +159,31 @@ public class RenewalProcessor extends CertProcessor {
                 context.put("origSubjectDN", origSubjectDN);
 
             // before creating the request, authenticate the request
-            IAuthToken authToken = authenticate(request, origReq, authenticator, context, true);
+            IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials);
 
             // authentication success, now authorize
-            authorize(profileId, renewProfile, authToken);
+            authorize(origProfileId, renewProfile, authToken);
 
             ///////////////////////////////////////////////
             // create and populate requests
             ///////////////////////////////////////////////
             startTiming("request_population");
-            IRequest[] reqs = profile.createRequests(ctx, locale);
-            populateRequests(data, true, locale, origNotAfter, origSubjectDN, origReq, profileId,
-                    profile, ctx, authenticator, authToken, reqs);
+            IRequest[] reqs = origProfile.createRequests(ctx, locale);
+            populateRequests(data, true, locale, origNotAfter, origSubjectDN, origReq, origProfileId,
+                    origProfile, ctx, authenticator, authToken, reqs);
             endTiming("request_population");
 
             ///////////////////////////////////////////////
             // submit request
             ///////////////////////////////////////////////
-            String errorCode = submitRequests(locale, profile, authToken, reqs);
+            String errorCode = submitRequests(locale, origProfile, authToken, reqs);
             String errorReason = codeToReason(locale, errorCode);
 
             HashMap<String, Object> ret = new HashMap<String, Object>();
             ret.put(ARG_REQUESTS, reqs);
             ret.put(ARG_ERROR_CODE, errorCode);
             ret.put(ARG_ERROR_REASON, errorReason);
-            ret.put(ARG_PROFILE, profile);
+            ret.put(ARG_PROFILE, origProfile);
 
             CMS.debug("RenewalSubmitter: done serving");
             endTiming("enrollment");
@@ -251,7 +195,7 @@ public class RenewalProcessor extends CertProcessor {
         }
     }
 
-    private BigInteger getSerialNumberFromCert(HttpServletRequest request) throws EBaseException {
+    public BigInteger getSerialNumberFromCert(HttpServletRequest request) throws EBaseException {
         BigInteger certSerial;
         SSLClientCertProvider sslCCP = new SSLClientCertProvider(request);
         X509Certificate[] certs = sslCCP.getClientCertificateChain();
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 28b1b5130901297ad6eac199f32f5de588bee94d..e5b63f8cc25e60a7dd3a7dbab86dd653e88c7ad8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -34,8 +34,6 @@ import java.util.StringTokenizer;
 
 import javax.servlet.http.HttpServletRequest;
 
-import netscape.security.x509.X509CertImpl;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -69,6 +67,8 @@ import com.netscape.cms.servlet.common.CMSGateway;
 import com.netscape.cms.servlet.common.ServletUtils;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.x509.X509CertImpl;
+
 public class CAProcessor extends Processor {
 
     public final static String ARG_AUTH_TOKEN = "auth_token";
@@ -196,6 +196,10 @@ public class CAProcessor extends Processor {
         }
     }
 
+    public String getProfileID() {
+        return profileID;
+    }
+
     /******************************************
      * Stats - to be moved to Stats module
      ******************************************/
@@ -237,7 +241,7 @@ public class CAProcessor extends Processor {
         return request;
     }
 
-    protected IRequest getOriginalRequest(BigInteger certSerial, ICertRecord rec) throws EBaseException {
+    public IRequest getOriginalRequest(BigInteger certSerial, ICertRecord rec) throws EBaseException {
         MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO);
         if (metaInfo == null) {
             CMS.debug("getOriginalRequest: cert record locating MetaInfo failed for serial number "
@@ -351,10 +355,14 @@ public class CAProcessor extends Processor {
      *   authenticate for renewal - more to add necessary params/values
      *   to the session context
      */
-    public IAuthToken authenticate(IProfileAuthenticator authenticator,
-            HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException
+    public IAuthToken authenticate(
+            IProfileAuthenticator authenticator,
+            HttpServletRequest request,
+            IRequest origReq,
+            SessionContext context,
+            AuthCredentials credentials) throws EBaseException
     {
-        IAuthToken authToken = authenticate(authenticator, request);
+        IAuthToken authToken = authenticate(authenticator, request, credentials);
         // For renewal, fill in necessary params
         if (authToken != null) {
             String ouid = origReq.getExtDataInString("auth_token.uid");
@@ -410,20 +418,10 @@ public class CAProcessor extends Processor {
         return authToken;
     }
 
-    public IAuthToken authenticate(IProfileAuthenticator authenticator,
-            HttpServletRequest request) throws EBaseException {
-        AuthCredentials credentials = new AuthCredentials();
-
-        // build credential
-        Enumeration<String> authNames = authenticator.getValueNames();
-
-        if (authNames != null) {
-            while (authNames.hasMoreElements()) {
-                String authName = authNames.nextElement();
-
-                credentials.set(authName, request.getParameter(authName));
-            }
-        }
+    public IAuthToken authenticate(
+            IProfileAuthenticator authenticator,
+            HttpServletRequest request,
+            AuthCredentials credentials) throws EBaseException {
 
         credentials.set("clientHost", request.getRemoteHost());
         IAuthToken authToken = authenticator.authenticate(credentials);
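Review bot: `credentials.set("clientHost", request.getRemoteHost());` now mutates the caller-supplied `AuthCredentials` and dereferences it without a null check, where the old code built its own object. The two callers visible in this patch pass a fresh `new AuthCredentials()`, but CertRequestDAO is not in this chunk, so whether every REST caller does is unverified here. Either document the mutation in the javadoc or guard it, e.g. `if (credentials == null) credentials = new AuthCredentials();` before the `set`. Note also a subtle behaviour change: the old loop stored every authenticator value name even when the parameter was absent (null), whereas the servlet now skips missing values, which may matter to an authenticator that distinguishes an absent key from a null one.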
@@ -440,8 +438,14 @@ public class CAProcessor extends Processor {
         return authToken;
     }
 
-    public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator,
-            SessionContext context, boolean isRenewal) throws EBaseException {
+    public IAuthToken authenticate(
+            HttpServletRequest request,
+            IRequest origReq,
+            IProfileAuthenticator authenticator,
+            SessionContext context,
+            boolean isRenewal,
+            AuthCredentials credentials) throws EBaseException {
+
         startTiming("profile_authentication");
 
         IAuthToken authToken = null;
@@ -468,12 +472,14 @@ public class CAProcessor extends Processor {
             String auditMessage = null;
             try {
                 if (isRenewal) {
-                    authToken = authenticate(authenticator, request, origReq, context);
+                    CMS.debug("CAProcessor: authenticating for renewal");
+                    authToken = authenticate(authenticator, request, origReq, context, credentials);
                 } else {
-                    authToken = authenticate(authenticator, request);
+                    CMS.debug("CAProcessor: authenticating for enrollment");
+                    authToken = authenticate(authenticator, request, credentials);
                 }
             } catch (EBaseException e) {
-                CMS.debug("CertProcessor: authentication error " + e.toString());
+                CMS.debug("CAProcessor: authentication error " + e);
 
                 authSubjectID += " : " + uid_cred;
                 auditMessage = CMS.getLogMessage(
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 3f8d4c4791ed3fa49b1e0f3af68b62eba207de0c..c6ceb513c0c593da2b613c2aac5cd2f20886fd98 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -17,6 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.servlet.profile;
 
+import java.math.BigInteger;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Locale;
@@ -26,9 +27,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
+import org.apache.commons.lang.StringUtils;
 import org.w3c.dom.Node;
 
 import com.netscape.certsrv.apps.CMS;
@@ -36,21 +35,32 @@ import com.netscape.certsrv.authentication.EAuthException;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.dbs.certdb.ICertRecord;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
 import com.netscape.certsrv.profile.IProfileOutput;
+import com.netscape.certsrv.profile.IProfileSubsystem;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.template.ArgList;
 import com.netscape.certsrv.template.ArgSet;
+import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
 import com.netscape.cms.servlet.cert.RenewalProcessor;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.xml.XMLObject;
 
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * This servlet submits end-user request into the profile framework.
  *
@@ -114,12 +124,10 @@ public class ProfileSubmitServlet extends ProfileServlet {
         try {
             if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) {
                 CMS.debug("ProfileSubmitServlet: isRenewal true");
-                RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
-                results = processor.processRenewal(cmsReq);
+                results = processRenewal(cmsReq, locale);
             } else {
                 CMS.debug("ProfileSubmitServlet: isRenewal false");
-                EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
-                results = processor.processEnrollment(cmsReq);
+                results = processEnrollment(cmsReq, locale);
             }
         } catch (BadRequestDataException e) {
             CMS.debug("ProfileSubmitServlet: bad data provided in processing request: " + e.toString());
@@ -199,6 +207,162 @@ public class ProfileSubmitServlet extends ProfileServlet {
         }
     }
 
+    public HashMap<String, Object> processEnrollment(CMSRequest cmsReq, Locale locale) throws EBaseException {
+
+        IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+
+        EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
+        HttpServletRequest req = cmsReq.getHttpReq();
+
+        // if we did not configure profileId in xml file,
+        // then accept the user-provided one
+        String profileId = processor.getProfileID() == null ? req.getParameter("profileId") : processor.getProfileID();
+        IProfile profile = ps.getProfile(profileId);
+
+        if (profile == null) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not found");
+            throw new BadRequestDataException("Profile " + profileId + " not found");
+        }
+
+        if (!ps.isProfileEnable(profileId)) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not enabled");
+            throw new BadRequestDataException("Profile " + profileId + " not enabled");
+        }
+
+        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
+
+        IProfileAuthenticator authenticator = profile.getAuthenticator();
+        AuthCredentials credentials = new AuthCredentials();
+
+        if (authenticator != null) {
+            CMS.debug("ProfileSubmitServlet: getting credentials from request parameters");
+
+            Enumeration<String> names = authenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = req.getParameter(name);
+
+                    CMS.debug("ProfileSubmitServlet: - " + name + ": " + value);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        return processor.processEnrollment(profile, data, req, credentials);
+    }
+
+    public HashMap<String, Object> processRenewal(CMSRequest cmsReq, Locale locale) throws EBaseException {
+
+        IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+
+        RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
+        HttpServletRequest req = cmsReq.getHttpReq();
+
+        String profileId = processor.getProfileID() == null ? req.getParameter("profileId") : processor.getProfileID();
+
+        IProfile renewProfile = ps.getProfile(profileId);
+        if (renewProfile == null) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not found");
+            throw new BadRequestDataException("Profile " + profileId + " not found");
+        }
+
+        if (!ps.isProfileEnable(profileId)) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not enabled");
+            throw new BadRequestDataException("Profile " + profileId + " not enabled");
+        }
+
+        String serial = req.getParameter("serial_num");
+        BigInteger certSerial = null;
+
+        if (StringUtils.isNotEmpty(serial)) {
+            // if serial number is sent with request, then the authentication
+            // method is not ssl client auth.  In this case, an alternative
+            // authentication method is used (default: ldap based)
+            // usr_origreq evaluator should be used to authorize ownership
+            // of the cert
+            CMS.debug("ProfileSubmitServlet: renewal: serial number: " + serial);
+            certSerial = new BigInteger(serial);
+
+        } else {
+            // ssl client auth is to be used
+            // this is not authentication. Just use the cert to search
+            // for orig request and find the right profile
+            CMS.debug("ProfileSubmitServlet: renewal: serial_num not found, must do ssl client auth");
+            certSerial = processor.getSerialNumberFromCert(req);
+
+            if (certSerial == null) {
+                CMS.debug(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
+                throw new EBaseException(CMS.getUserMessage(locale, "CMS_GW_MISSING_CERTS_RENEW_FROM_AUTHMGR"));
+            }
+        }
+
+        ICertificateAuthority authority = (ICertificateAuthority) CMS.getSubsystem("ca");
+        ICertificateRepository certdb = authority.getCertificateRepository();
+
+        CMS.debug("ProfileSubmitServlet: serial number of cert to renew: " + certSerial);
+        ICertRecord record = certdb.readCertificateRecord(certSerial);
+        if (record == null) {
+            CMS.debug("ProfileSubmitServlet: cert record not found for serial number " + certSerial);
+            throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
+        }
+
+        IRequest origReq = processor.getOriginalRequest(certSerial, record);
+        if (origReq == null) {
+            CMS.debug("ProfileSubmitServlet: original request not found");
+            throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"));
+        }
+
+        String origProfileId = origReq.getExtDataInString("profileId");
+        IProfile origProfile = ps.getProfile(origProfileId);
+
+        AuthCredentials credentials = new AuthCredentials();
+
+        // get credentials from request parameters
+        IProfileAuthenticator authenticator = renewProfile.getAuthenticator();
+        if (authenticator != null) {
+            CMS.debug("ProfileSubmitServlet: authenticator " + authenticator.getName() + " found");
+
+            Enumeration<String> names = authenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = req.getParameter(name);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        // for renewal, this will override or add auth info to the profile context
+        IProfileAuthenticator origAuthenticator = origProfile.getAuthenticator();
+        if (origAuthenticator != null) {
+            CMS.debug("ProfileSubmitServlet: for renewal, original authenticator " +
+                    origAuthenticator.getName() + " found");
+
+            Enumeration<String> names = origAuthenticator.getValueNames();
+            if (names != null) {
+                while (names.hasMoreElements()) {
+                    String name = names.nextElement();
+                    String value = req.getParameter(name);
+                    if (value == null) continue;
+
+                    credentials.set(name, value);
+                }
+            }
+        }
+
+        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, renewProfile, locale);
+
+        //only used in renewal
+        data.setSerialNum(serial);
+
+        return processor.processRenewal(renewProfile, origProfile, record, data, req, credentials);
+    }
+
     private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
         Enumeration<String> outputIds = profile.getProfileOutputIds();
 
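Review bot: `CMS.debug("ProfileSubmitServlet: - " + name + ": " + value);` in `processEnrollment` writes every authenticator credential value to the debug log, and for the directory-authenticated profiles this patch is enabling the value names include the user's password, so it lands in plaintext in the CA debug log. Log only the name, `CMS.debug("ProfileSubmitServlet: - " + name);`, or at most whether a value was supplied; the parallel loops in `processRenewal` already log nothing about values, so this also makes the three copies consistent. Separately, `IProfile origProfile = ps.getProfile(origProfileId);` in `processRenewal` is dereferenced at `origProfile.getAuthenticator()` without a null check, replacing the old `CMS_PROFILE_NOT_FOUND` error with a NullPointerException when the original profile has been removed; `if (origProfile == null) throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", origProfileId));` right after the lookup would restore it. Both credential-collection loops are also near-identical and could be one private helper taking the authenticator.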
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
index 137edb5c5a75916fb8a2b2fdf07ab0a6aa56f0fe..8e2c59c26a6b142c8d600c28e3facd6eef4e1913 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
@@ -195,6 +195,8 @@ public class AuthSubsystem implements IAuthSubsystem {
 
             while (instances.hasMoreElements()) {
                 String insName = instances.nextElement();
+                CMS.debug("AuthSubsystem: initializing authentication manager " + insName);
+
                 String implName = c.getString(insName + "." + PROP_PLUGIN);
                 AuthMgrPlugin plugin =
                         mAuthMgrPlugins.get(implName);
@@ -233,6 +235,7 @@ public class AuthSubsystem implements IAuthSubsystem {
                     throw new EAuthException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", className), e);
 
                 } catch (EBaseException e) {
+                    CMS.debug(e);
                     log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
                     // Skip the authenticaiton instance if
                     // it is mis-configurated. This give
@@ -240,6 +243,7 @@ public class AuthSubsystem implements IAuthSubsystem {
                     // fix the problem via console
 
                 } catch (Throwable e) {
+                    CMS.debug(e);
                     log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
                     // Skip the authenticaiton instance if
                     // it is mis-configurated. This give
-- 
2.4.3


