[Pki-devel] [PATCH] 644 Added support for directory-authenticated profiles in CLI.

Endi Sukma Dewata edewata at redhat.com
Tue Sep 29 19:13:30 UTC 2015


On 9/22/2015 12:55 PM, Endi Sukma Dewata wrote:
> The pki client-cert-request CLI has been modified to support
> directory-authenticated profiles by sending the username and
> password as XML/JSON request attributes. The CertRequestService
> will then put the credentials into an AuthCredentials object.
>
> The ProfileSubmitServlet has also been modified to create an
> AuthCredentials object from the HTTP request object.
>
> The certificate processor classes have been modified to accept
> an AuthCredentials object instead of retrieving it from HTTP
> request object.
>
> https://fedorahosted.org/pki/ticket/1463

The patch has been revised and split into 3 patches. Please apply in the 
following order: #645, #646, #644-1.

-- 
Endi S. Dewata
-------------- next part --------------
>From b936584aa94affa4d477b0265caa79a7059ad4a7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 28 Sep 2015 10:40:32 +0200
Subject: [PATCH] Relocated legacy cert enrollment methods.

The EnrollmentProcessor.processEnrollment() and RenewalProcessor.
processRenewal() methods that take a CMSRequest object have been
moved into ProfileSubmitServlet because they are only used by
the legacy servlet.

https://fedorahosted.org/pki/ticket/1463
---
 .../cms/servlet/cert/EnrollmentProcessor.java      | 23 +-------
 .../cms/servlet/cert/RenewalProcessor.java         | 24 +-------
 .../cms/servlet/processors/CAProcessor.java        | 12 +++-
 .../cms/servlet/profile/ProfileSubmitServlet.java  | 66 +++++++++++++++++++---
 4 files changed, 73 insertions(+), 52 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index e5b9a14df99f29da8ad5c4f76c088c98ff766540..c1faabf399043593425f3294de606674d2ecf422 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -29,8 +29,8 @@ import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.SessionContext;
-import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.profile.IProfileAuthenticator;
@@ -39,7 +39,6 @@ import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 import com.netscape.cmsutil.ldap.LDAPUtil;
@@ -84,26 +83,6 @@ public class EnrollmentProcessor extends CertProcessor {
     }
 
     /**
-     * Called by the legacy servlets to access the Processor function
-     * @param request
-     * @return
-     * @throws EBaseException
-     */
-    public HashMap<String, Object> processEnrollment(CMSRequest cmsReq) throws EBaseException {
-        HttpServletRequest req = cmsReq.getHttpReq();
-        String profileId = (this.profileID == null) ? req.getParameter("profileId") : this.profileID;
-        IProfile profile = ps.getProfile(profileId);
-
-        if (profile == null) {
-            CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-        }
-
-        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-        return processEnrollment(data, cmsReq.getHttpReq(), null);
-    }
-
-    /**
      * Process the HTTP request
      * <P>
      *
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index efd1d7b0cf799dc399257502cb3f4e3196174b50..5ebbbff8fb3fd70fe4e1ebecbdce7c978d37a7a4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -26,9 +26,6 @@ import java.util.Locale;
 
 import javax.servlet.http.HttpServletRequest;
 
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.apps.CMS;
@@ -45,33 +42,18 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
 import com.netscape.certsrv.profile.IProfileContext;
 import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.X509CertImpl;
+
 public class RenewalProcessor extends CertProcessor {
 
     public RenewalProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException {
         super(id, locale);
     }
 
-    public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException {
-        HttpServletRequest req = cmsReq.getHttpReq();
-        String profileId = (this.profileID == null) ? req.getParameter("profileId") : this.profileID;
-        IProfile profile = ps.getProfile(profileId);
-        if (profile == null) {
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
-                    CMSTemplate.escapeJavaScriptStringHTML(profileId)));
-        }
-
-        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-
-        //only used in renewal
-        data.setSerialNum(req.getParameter("serial_num"));
-
-        return processRenewal(data, req);
-    }
-
     /*
      * Renewal - Renewal is retrofitted into the Profile Enrollment
      * Framework.  The authentication and authorization are taken from
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index b9af84bc9b5b878f895707c266b1df1fa5b1e26f..5f6f45cb8a2dc4ada2f61fdd808a30fad9358cc2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -34,8 +34,6 @@ import java.util.StringTokenizer;
 
 import javax.servlet.http.HttpServletRequest;
 
-import netscape.security.x509.X509CertImpl;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -69,6 +67,8 @@ import com.netscape.cms.servlet.common.CMSGateway;
 import com.netscape.cms.servlet.common.ServletUtils;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.x509.X509CertImpl;
+
 public class CAProcessor extends Processor {
 
     public final static String ARG_AUTH_TOKEN = "auth_token";
@@ -196,6 +196,14 @@ public class CAProcessor extends Processor {
         }
     }
 
+    public String getProfileID() {
+        return profileID;
+    }
+
+    public IProfileSubsystem getProfileSubsystem() {
+        return ps;
+    }
+
     /******************************************
      * Stats - to be moved to Stats module
      ******************************************/
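Review bot: getProfileID() and getProfileSubsystem() are added without Javadoc, and they turn two fields the processors previously kept to themselves into state any caller can read. A one-line doc on each would pin the intended use, which is letting ProfileSubmitServlet resolve the profile the same way the processors do: `/** Profile ID this processor is bound to, or null when the caller takes it from the request. */` and `/** Profile subsystem used to look up profiles by ID. */`. Whether profileID and ps are protected or package-private is not visible in the hunk.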
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 3f8d4c4791ed3fa49b1e0f3af68b62eba207de0c..c26853db5a40b6c69bc0ede23d8b6b848fd019cf 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -26,9 +26,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import org.w3c.dom.Node;
 
 import com.netscape.certsrv.apps.CMS;
@@ -36,21 +33,28 @@ import com.netscape.certsrv.authentication.EAuthException;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.profile.IProfileOutput;
+import com.netscape.certsrv.profile.IProfileSubsystem;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.template.ArgList;
 import com.netscape.certsrv.template.ArgSet;
+import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
 import com.netscape.cms.servlet.cert.RenewalProcessor;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.xml.XMLObject;
 
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * This servlet submits end-user request into the profile framework.
  *
@@ -114,12 +118,10 @@ public class ProfileSubmitServlet extends ProfileServlet {
         try {
             if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) {
                 CMS.debug("ProfileSubmitServlet: isRenewal true");
-                RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
-                results = processor.processRenewal(cmsReq);
+                results = processRenewal(cmsReq);
             } else {
                 CMS.debug("ProfileSubmitServlet: isRenewal false");
-                EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
-                results = processor.processEnrollment(cmsReq);
+                results = processEnrollment(cmsReq);
             }
         } catch (BadRequestDataException e) {
             CMS.debug("ProfileSubmitServlet: bad data provided in processing request: " + e.toString());
@@ -199,6 +201,56 @@ public class ProfileSubmitServlet extends ProfileServlet {
         }
     }
 
+    public HashMap<String, Object> processEnrollment(CMSRequest cmsReq) throws EBaseException {
+
+        HttpServletRequest request = cmsReq.getHttpReq();
+        Locale locale = getLocale(request);
+
+        EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
+
+        String profileId = processor.getProfileID() == null ? request.getParameter("profileId") : processor.getProfileID();
+        CMS.debug("ProfileSubmitServlet: profile: " + profileId);
+
+        IProfileSubsystem ps = processor.getProfileSubsystem();
+        IProfile profile = ps.getProfile(profileId);
+
+        if (profile == null) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not found");
+            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
+                    CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+        }
+
+        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
+        return processor.processEnrollment(data, request, null);
+    }
+
+    public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException {
+
+        HttpServletRequest request = cmsReq.getHttpReq();
+        Locale locale = getLocale(request);
+
+        RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
+
+        String profileId = processor.getProfileID() == null ? request.getParameter("profileId") : processor.getProfileID();
+        CMS.debug("ProfileSubmitServlet: profile: " + profileId);
+
+        IProfileSubsystem ps = processor.getProfileSubsystem();
+        IProfile profile = ps.getProfile(profileId);
+
+        if (profile == null) {
+            CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not found");
+            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
+                    CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+        }
+
+        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
+
+        //only used in renewal
+        data.setSerialNum(request.getParameter("serial_num"));
+
+        return processor.processRenewal(data, request);
+    }
+
     private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
         Enumeration<String> outputIds = profile.getProfileOutputIds();
 
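Review bot: The profile lookup in processEnrollment and processRenewal, from the profileId resolution through the `CMS_PROFILE_NOT_FOUND` throw, is copied verbatim, and both copies write the request-supplied profileId to the debug log unescaped, whereas the removed processor versions passed it through CMSTemplate.escapeJavaScriptStringHTML before logging. A private helper shared by both methods removes the duplication and keeps the escaping on the log lines as well as on the user message. processEnrollment then reduces to the helper call, CertEnrollmentRequestFactory.create and processor.processEnrollment; processRenewal is the same plus the serial_num line.
```java
    public HashMap<String, Object> processEnrollment(CMSRequest cmsReq) throws EBaseException {
        HttpServletRequest request = cmsReq.getHttpReq();
        Locale locale = getLocale(request);
        EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
        IProfile profile = getProfile(processor, request, locale);
        CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
        return processor.processEnrollment(data, request, null);
    }

    // … processRenewal: same shape, plus data.setSerialNum(request.getParameter("serial_num")) …

    /**
     * Resolves the profile for this request: the processor's configured profile ID,
     * or the request's profileId parameter when the processor has none.
     *
     * @throws BadRequestDataException if no such profile is configured
     */
    private IProfile getProfile(CAProcessor processor, HttpServletRequest request, Locale locale)
            throws EBaseException {
        String profileId = processor.getProfileID() == null
                ? request.getParameter("profileId")
                : processor.getProfileID();
        // profileId may come straight from the client; escape it before it reaches the log
        String safeId = CMSTemplate.escapeJavaScriptStringHTML(profileId);
        CMS.debug("ProfileSubmitServlet: profile: " + safeId);

        IProfile profile = processor.getProfileSubsystem().getProfile(profileId);
        if (profile == null) {
            CMS.debug("ProfileSubmitServlet: Profile " + safeId + " not found");
            throw new BadRequestDataException(
                    CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", safeId));
        }
        return profile;
    }
```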
-- 
2.4.3

-------------- next part --------------
>From f560636a1ff8c26acaa725a5d62be31410257d8c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 28 Sep 2015 22:37:02 +0200
Subject: [PATCH] Refactored certificate processors.

The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).

The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.

https://fedorahosted.org/pki/ticket/1463
---
 .../server/ca/rest/CertRequestService.java         |  2 +
 .../certsrv/cert/CertEnrollmentRequest.java        | 12 ++--
 .../netscape/cms/servlet/cert/CertProcessor.java   | 38 +++++++------
 .../netscape/cms/servlet/cert/CertRequestDAO.java  | 15 ++++-
 .../cms/servlet/cert/EnrollmentProcessor.java      |  8 ++-
 .../cms/servlet/cert/RenewalProcessor.java         | 12 ++--
 .../cms/servlet/common/AuthCredentials.java        |  2 +-
 .../cms/servlet/processors/CAProcessor.java        | 64 ++++++++++++++++------
 .../cms/servlet/profile/ProfileSubmitServlet.java  |  4 +-
 .../cmscore/authentication/AuthSubsystem.java      |  4 ++
 10 files changed, 111 insertions(+), 50 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index 7cb4ff71e18b6e29bf55c11dc99bbfb9b83dd60f..cddbeb1ba47741673ab5eb3d22e2bf7c53c4c33d 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -67,6 +67,7 @@ import com.netscape.certsrv.request.RequestNotFoundException;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.cert.CertRequestDAO;
 import com.netscape.cmsutil.ldap.LDAPUtil;
+
 import netscape.security.x509.X500Name;
 
 /**
@@ -175,6 +176,7 @@ public class CertRequestService extends PKIService implements CertRequestResourc
             CMS.debug("enrollCert: bad request data: " + e);
             throw new BadRequestException(e.toString());
         } catch (EBaseException e) {
+            CMS.debug(e);
             throw new PKIException(e);
         } catch (Exception e) {
             CMS.debug(e);
diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
index d55b5b4e1007516fef8fa6f9820c44d522f4bde4..2b914e85667dc525947f7357ceaf6bbe464a2480 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
@@ -37,6 +37,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 
+import com.netscape.certsrv.base.ResourceMessage;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.profile.ProfileOutput;
@@ -48,7 +49,7 @@ import com.netscape.certsrv.profile.ProfileOutput;
 
 @XmlRootElement(name = "CertEnrollmentRequest")
 @XmlAccessorType(XmlAccessType.FIELD)
-public class CertEnrollmentRequest {
+public class CertEnrollmentRequest extends ResourceMessage {
 
     private static final String PROFILE_ID = "profileId";
     private static final String RENEWAL = "renewal";
@@ -286,7 +287,7 @@ public class CertEnrollmentRequest {
     @Override
     public int hashCode() {
         final int prime = 31;
-        int result = 1;
+        int result = super.hashCode();
         result = prime * result + ((inputs == null) ? 0 : inputs.hashCode());
         result = prime * result + ((outputs == null) ? 0 : outputs.hashCode());
         result = prime * result + ((profileId == null) ? 0 : profileId.hashCode());
@@ -301,7 +302,7 @@ public class CertEnrollmentRequest {
     public boolean equals(Object obj) {
         if (this == obj)
             return true;
-        if (obj == null)
+        if (!super.equals(obj))
             return false;
         if (getClass() != obj.getClass())
             return false;
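Review bot: `if (!super.equals(obj)) return false;` makes value equality of CertEnrollmentRequest depend on ResourceMessage overriding equals; if it does not, this reduces to identity comparison, and `super.hashCode()` in the previous hunk would likewise be the identity hash. Worth confirming that ResourceMessage implements equals and hashCode over its attributes, and adding a comment such as `// null and attribute comparison are delegated to ResourceMessage.equals` so the dropped null check does not look accidental.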
@@ -346,8 +347,6 @@ public class CertEnrollmentRequest {
         before.setProfileId("caUserCert");
         before.setRenewal(false);
 
-        //Simulate a "caUserCert" Profile enrollment
-
         ProfileInput certReq = before.createInput("KeyGenInput");
         certReq.addAttribute(new ProfileAttribute("cert_request_type", "crmf", null));
         certReq.addAttribute(new ProfileAttribute(
@@ -371,6 +370,9 @@ public class CertEnrollmentRequest {
         submitter.addAttribute(new ProfileAttribute("requestor_email", "admin at redhat.com", null));
         submitter.addAttribute(new ProfileAttribute("requestor_phone", "650-555-5555", null));
 
+        before.setAttribute("uid", "testuser");
+        before.setAttribute("pwd", "password");
+
         String xml = before.toXML();
         System.out.println(xml);
 
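Review bot: With `pwd` now carried as a plain ResourceMessage attribute, the password is part of whatever toXML() produces (the following lines print it) and presumably of any other serialised or toString form of the message, so any server- or client-side debug output of a CertEnrollmentRequest would record it. Consider a class-level Javadoc note that attribute values may hold credentials and must not be logged, or masking the `pwd` attribute in the debug representations. The main() method this hunk belongs to starts outside the hunk.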
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index f1a147eb475a8a1378cac829dcaee765ab2c3e70..e5daf78fd6e006c6f559a6fc3bf9cad6485b64e9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.INotify;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 
@@ -51,26 +52,31 @@ public class CertProcessor extends CAProcessor {
         super(id, locale);
     }
 
-    protected void setCredentialsIntoContext(HttpServletRequest request, IProfileAuthenticator authenticator,
+    protected void setCredentialsIntoContext(
+            HttpServletRequest request,
+            AuthCredentials creds,
+            IProfileAuthenticator authenticator,
             IProfileContext ctx) {
-        Enumeration<String> authIds = authenticator.getValueNames();
 
-        if (authIds != null) {
-            CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authNames not null");
-            while (authIds.hasMoreElements()) {
-                String authName = authIds.nextElement();
+        Enumeration<String> names = authenticator.getValueNames();
+        if (names == null) {
+            CMS.debug("CertProcessor: No authenticator credentials required");
+            return;
+        }
 
-                CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName:" +
-                        authName);
-                if (request.getParameter(authName) != null) {
-                    CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName found in request");
-                    ctx.set(authName, request.getParameter(authName));
-                } else {
-                    CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName not found in request");
-                }
+        CMS.debug("CertProcessor: Authentication credentials:");
+        while (names.hasMoreElements()) {
+            String name = names.nextElement();
+
+            Object value;
+            if (creds == null) {
+                value = request.getParameter(name);
+            } else {
+                value = creds.get(name);
             }
-        } else {
-            CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authIds` null");
+
+            if (value == null) continue;
+            ctx.set(name, value.toString());
         }
     }
 
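Review bot: The debug line `CMS.debug("CertProcessor: Authentication credentials:");` announces a listing, but the loop below never logs anything, so the log only ever shows the header; either drop it or log `name` inside the loop (the name only, never `value`) as the removed code did. The new `creds` parameter also deserves a Javadoc sentence: when it is non-null the HttpServletRequest parameters are ignored entirely, even for value names the AuthCredentials does not contain, so a caller passing a partially filled AuthCredentials gets no values for the rest, e.g. `@param creds caller-supplied credentials used instead of the request parameters, or null to read every value name from the request`.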
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
index a2e4b583d318ac8412361850d91233b77a447e13..6fbcd3c37ae46dd8ea71673d3c862890cbc9f3e4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
@@ -44,6 +44,7 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestNotFoundException;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cms.servlet.request.CMSRequestDAO;
 
@@ -175,13 +176,23 @@ public class CertRequestDAO extends CMSRequestDAO {
 
         CertRequestInfos ret = new CertRequestInfos();
 
+        AuthCredentials credentials = new AuthCredentials();
+        String uid = data.getAttribute("uid");
+        if (uid != null) {
+            credentials.set("uid", uid);
+        }
+        String password = data.getAttribute("pwd");
+        if (password != null) {
+            credentials.set("pwd", password);
+        }
+
         HashMap<String, Object> results = null;
         if (data.isRenewal()) {
             RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
-            results = processor.processRenewal(data, request);
+            results = processor.processRenewal(data, request, credentials);
         } else {
             EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
-            results = processor.processEnrollment(data, request, aid);
+            results = processor.processEnrollment(data, request, aid, credentials);
         }
 
         IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
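Review bot: `credentials` is always non-null here, even when the message carries neither `uid` nor `pwd`, so the request-parameter fallback that CAProcessor.authenticate and CertProcessor.setCredentialsIntoContext keep for a null AuthCredentials is never reached on the REST path, and any authenticator whose value names are not exactly uid/pwd now receives an empty credential set where it previously read them from the HTTP parameters. Passing null when no credential attribute was supplied preserves the earlier behaviour for those cases. The enclosing method starts and ends outside the hunk.
```java
        // Only build an AuthCredentials when the client supplied credentials as
        // message attributes; null keeps the processors' request-parameter fallback.
        AuthCredentials credentials = null;
        String uid = data.getAttribute("uid");
        String password = data.getAttribute("pwd");
        if (uid != null || password != null) {
            credentials = new AuthCredentials();
            if (uid != null) {
                credentials.set("uid", uid);
            }
            if (password != null) {
                credentials.set("pwd", password);
            }
        }
        // … unchanged: processor dispatch on data.isRenewal() …
```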
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index c1faabf399043593425f3294de606674d2ecf422..dadd34cfe8b74ebbefa1af2d2141d5baee04755e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 import com.netscape.cmsutil.ldap.LDAPUtil;
@@ -102,7 +103,8 @@ public class EnrollmentProcessor extends CertProcessor {
     public HashMap<String, Object> processEnrollment(
             CertEnrollmentRequest data,
             HttpServletRequest request,
-            AuthorityID aid)
+            AuthorityID aid,
+            AuthCredentials credentials)
         throws EBaseException {
 
         try {
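Review bot: The new `credentials` parameter on processEnrollment has no Javadoc, and its contract is not obvious from the signature: a null value means the credentials are read from the HttpServletRequest parameters (CertProcessor.setCredentialsIntoContext and CAProcessor.authenticate both branch on null), while a non-null AuthCredentials is used exclusively. Suggest `@param credentials credentials supplied by the caller (REST), or null to read the authenticator's value names from the HTTP request parameters` here, and the same wording on RenewalProcessor.processRenewal and the three CAProcessor.authenticate overloads. The method body continues outside the hunk.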
@@ -140,7 +142,7 @@ public class EnrollmentProcessor extends CertProcessor {
             IProfileAuthenticator authenticator = profile.getAuthenticator();
             if (authenticator != null) {
                 CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found");
-                setCredentialsIntoContext(request, authenticator, ctx);
+                setCredentialsIntoContext(request, credentials, authenticator, ctx);
             }
 
             // for ssl authentication; pass in servlet for retrieving ssl client certificates
@@ -151,7 +153,7 @@ public class EnrollmentProcessor extends CertProcessor {
             CMS.debug("EnrollmentProcessor: set sslClientCertProvider");
 
             // before creating the request, authenticate the request
-            IAuthToken authToken = authenticate(request, null, authenticator, context, false);
+            IAuthToken authToken = authenticate(request, null, authenticator, context, false, credentials);
 
             // authentication success, now authorize
             authorize(profileId, profile, authToken);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 5ebbbff8fb3fd70fe4e1ebecbdce7c978d37a7a4..7e34e4d5eb89b1287bf27ff410eb02bed4afdc1a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
 import com.netscape.certsrv.profile.IProfileContext;
 import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 
@@ -63,7 +64,10 @@ public class RenewalProcessor extends CertProcessor {
      * Things to note:
      * * the renew request will contain the original profile instead of the new
      */
-    public HashMap<String, Object> processRenewal(CertEnrollmentRequest data, HttpServletRequest request)
+    public HashMap<String, Object> processRenewal(
+            CertEnrollmentRequest data,
+            HttpServletRequest request,
+            AuthCredentials credentials)
             throws EBaseException {
         try {
             if (CMS.debugOn()) {
@@ -170,14 +174,14 @@ public class RenewalProcessor extends CertProcessor {
 
             if (authenticator != null) {
                 CMS.debug("RenewalSubmitter: authenticator " + authenticator.getName() + " found");
-                setCredentialsIntoContext(request, authenticator, ctx);
+                setCredentialsIntoContext(request, credentials, authenticator, ctx);
             }
 
             // for renewal, this will override or add auth info to the profile context
             if (origAuthenticator != null) {
                 CMS.debug("RenewalSubmitter: for renewal, original authenticator " +
                         origAuthenticator.getName() + " found");
-                setCredentialsIntoContext(request, origAuthenticator, ctx);
+                setCredentialsIntoContext(request, credentials, origAuthenticator, ctx);
             }
 
             // for renewal, input needs to be retrieved from the orig req record
@@ -197,7 +201,7 @@ public class RenewalProcessor extends CertProcessor {
                 context.put("origSubjectDN", origSubjectDN);
 
             // before creating the request, authenticate the request
-            IAuthToken authToken = authenticate(request, origReq, authenticator, context, true);
+            IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials);
 
             // authentication success, now authorize
             authorize(profileId, renewProfile, authToken);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
index 32ae0fcc815bb2afc304726266bccc4c9fef6a6a..b4d5fa9c858a8326a55365395cca5384f69499df 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
@@ -54,7 +54,7 @@ public class AuthCredentials implements IAuthCredentials {
      */
     public void set(String name, Object cred) throws EAuthException {
         if (cred == null) {
-            throw new EAuthException("AuthCredentials.set()");
+            throw new EAuthException("Missing credential: " + name);
         }
 
         authCreds.put(name, cred);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 5f6f45cb8a2dc4ada2f61fdd808a30fad9358cc2..e3b3d3497fa63c3986fbb33af77f30aad1e7146d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EAuthException;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
@@ -358,10 +359,14 @@ public class CAProcessor extends Processor {
      *   authenticate for renewal - more to add necessary params/values
      *   to the session context
      */
-    public IAuthToken authenticate(IProfileAuthenticator authenticator,
-            HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException
+    public IAuthToken authenticate(
+            IProfileAuthenticator authenticator,
+            HttpServletRequest request,
+            IRequest origReq,
+            SessionContext context,
+            AuthCredentials credentials) throws EBaseException
     {
-        IAuthToken authToken = authenticate(authenticator, request);
+        IAuthToken authToken = authenticate(authenticator, request, credentials);
         // For renewal, fill in necessary params
         if (authToken != null) {
             String ouid = origReq.getExtDataInString("auth_token.uid");
@@ -417,18 +422,23 @@ public class CAProcessor extends Processor {
         return authToken;
     }
 
-    public IAuthToken authenticate(IProfileAuthenticator authenticator,
-            HttpServletRequest request) throws EBaseException {
-        AuthCredentials credentials = new AuthCredentials();
+    public IAuthToken authenticate(
+            IProfileAuthenticator authenticator,
+            HttpServletRequest request,
+            AuthCredentials credentials) throws EBaseException {
 
-        // build credential
-        Enumeration<String> authNames = authenticator.getValueNames();
+        if (credentials == null) {
+            credentials = new AuthCredentials();
 
-        if (authNames != null) {
-            while (authNames.hasMoreElements()) {
-                String authName = authNames.nextElement();
+            // build credential
+            Enumeration<String> authNames = authenticator.getValueNames();
 
-                credentials.set(authName, request.getParameter(authName));
+            if (authNames != null) {
+                while (authNames.hasMoreElements()) {
+                    String authName = authNames.nextElement();
+
+                    credentials.set(authName, request.getParameter(authName));
+                }
             }
         }
 
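Review bot: A caller-supplied AuthCredentials is passed on without checking it against authenticator.getValueNames(), so a REST client that omits a required credential no longer hits the "Missing credential" rejection that the parameter path still gets from credentials.set(); the authenticator then sees an incomplete credential set and its behaviour decides the outcome. Enforcing the same completeness for the non-null branch keeps both paths consistent and surfaces the omission as an EAuthException, which the caller already audits. If any authenticator treats one of its value names as optional, that name would need to be exempted. The method continues outside the hunk.
```java
        Enumeration<String> authNames = authenticator.getValueNames();

        if (credentials == null) {
            credentials = new AuthCredentials();

            // build credential from the servlet parameters; set() rejects a null value
            if (authNames != null) {
                while (authNames.hasMoreElements()) {
                    String authName = authNames.nextElement();
                    credentials.set(authName, request.getParameter(authName));
                }
            }

        } else if (authNames != null) {
            // caller-supplied credentials: require the same names the parameter path requires
            while (authNames.hasMoreElements()) {
                String authName = authNames.nextElement();
                if (credentials.get(authName) == null) {
                    throw new EAuthException("Missing credential: " + authName);
                }
            }
        }
        // … unchanged: remainder of the method …
```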
@@ -447,8 +457,13 @@ public class CAProcessor extends Processor {
         return authToken;
     }
 
-    public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator,
-            SessionContext context, boolean isRenewal) throws EBaseException {
+    public IAuthToken authenticate(
+            HttpServletRequest request,
+            IRequest origReq,
+            IProfileAuthenticator authenticator,
+            SessionContext context,
+            boolean isRenewal,
+            AuthCredentials credentials) throws EBaseException {
         startTiming("profile_authentication");
 
         IAuthToken authToken = null;
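Review bot: The three `authenticate` overloads touched by this commit now differ in parameter order (`authenticator, request, ...` in the first two, `request, origReq, authenticator, ...` here), and none of them has a Javadoc explaining when `credentials` may be null. Since every signature is being rewritten anyway, a one-line summary per overload plus a `@param credentials` entry would make the entry point for the REST path versus the legacy servlet path clear. This method continues beyond the hunk.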
@@ -475,12 +490,27 @@ public class CAProcessor extends Processor {
             String auditMessage = null;
             try {
                 if (isRenewal) {
-                    authToken = authenticate(authenticator, request, origReq, context);
+                    authToken = authenticate(authenticator, request, origReq, context, credentials);
                 } else {
-                    authToken = authenticate(authenticator, request);
+                    authToken = authenticate(authenticator, request, credentials);
                 }
+
+            } catch (EAuthException e) {
+                CMS.debug("CAProcessor: authentication error: " + e);
+
+                authSubjectID += " : " + uid_cred;
+                auditMessage = CMS.getLogMessage(
+                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        authSubjectID,
+                        ILogger.FAILURE,
+                        authMgrID,
+                        uid_attempted_cred);
+                audit(auditMessage);
+
+                throw e;
+
             } catch (EBaseException e) {
-                CMS.debug("CertProcessor: authentication error " + e.toString());
+                CMS.debug(e);
 
                 authSubjectID += " : " + uid_cred;
                 auditMessage = CMS.getLogMessage(
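Review bot: The new `catch (EAuthException e)` block emits the same LOGGING_SIGNED_AUDIT_AUTH_FAIL audit record, built from the same `authSubjectID`, `authMgrID` and `uid_attempted_cred`, as the `catch (EBaseException e)` block that follows, so the failure-audit code is now duplicated; if EAuthException is a subclass of EBaseException (not visible here), the only real differences are the debug line and the explicit rethrow. Consider a small helper such as `auditAuthFailure(authSubjectID, authMgrID, uid_attempted_cred)` called from both branches, with a comment stating why EAuthException must be rethrown while the EBaseException path is handled differently. The second catch block and the enclosing method continue outside the hunk, so how that path ends is not visible.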
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index c26853db5a40b6c69bc0ede23d8b6b848fd019cf..f7b08ece99e11f1e1633e0d67fb4646a27417d80 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -221,7 +221,7 @@ public class ProfileSubmitServlet extends ProfileServlet {
         }
 
         CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-        return processor.processEnrollment(data, request, null);
+        return processor.processEnrollment(data, request, null, null);
     }
 
     public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException {
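Review bot: A bare `null` for the new credentials argument is opaque at the call site; the CAProcessor change in this series builds credentials from the request parameters when the argument is null, and a comment here would save the reader that lookup, e.g. `// no pre-built credentials: CAProcessor.authenticate() derives them from the request parameters`. The same applies to the `processRenewal(data, request, null)` call in the next hunk of this file.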
@@ -248,7 +248,7 @@ public class ProfileSubmitServlet extends ProfileServlet {
         //only used in renewal
         data.setSerialNum(request.getParameter("serial_num"));
 
-        return processor.processRenewal(data, request);
+        return processor.processRenewal(data, request, null);
     }
 
     private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
index 137edb5c5a75916fb8a2b2fdf07ab0a6aa56f0fe..8e2c59c26a6b142c8d600c28e3facd6eef4e1913 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
@@ -195,6 +195,8 @@ public class AuthSubsystem implements IAuthSubsystem {
 
             while (instances.hasMoreElements()) {
                 String insName = instances.nextElement();
+                CMS.debug("AuthSubsystem: initializing authentication manager " + insName);
+
                 String implName = c.getString(insName + "." + PROP_PLUGIN);
                 AuthMgrPlugin plugin =
                         mAuthMgrPlugins.get(implName);
@@ -233,6 +235,7 @@ public class AuthSubsystem implements IAuthSubsystem {
                     throw new EAuthException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", className), e);
 
                 } catch (EBaseException e) {
+                    CMS.debug(e);
                     log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
                     // Skip the authenticaiton instance if
                     // it is mis-configurated. This give
@@ -240,6 +243,7 @@ public class AuthSubsystem implements IAuthSubsystem {
                     // fix the problem via console
 
                 } catch (Throwable e) {
+                    CMS.debug(e);
                     log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
                     // Skip the authenticaiton instance if
                     // it is mis-configurated. This give
-- 
2.4.3

-------------- next part --------------
>From 5fc1eccd1e9b8c9503bbfe01bb7b6ef370d3474b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Sun, 27 Sep 2015 17:23:48 +0200
Subject: [PATCH] Added support for directory-authenticated profiles in CLI.

The pki cert-request-submit and client-cert-request CLIs have been
modified to provide options to specify the username and password
for directory-authenticated certificate enrollments.

https://fedorahosted.org/pki/ticket/1463
---
 .../cmstools/cert/CertRequestSubmitCLI.java        | 47 ++++++++------
 .../cmstools/client/ClientCertRequestCLI.java      | 72 ++++++++++++++++++----
 2 files changed, 89 insertions(+), 30 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
index 9611159681b65844c1fc32937ca0a65c2c31980d..cec1cff4f2c8167c7c16a3d095963039840b1486 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
@@ -1,5 +1,6 @@
 package com.netscape.cmstools.cert;
 
+import java.io.Console;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -17,6 +18,7 @@ import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfos;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+
 import netscape.security.x509.X500Name;
 
 public class CertRequestSubmitCLI extends CLI {
@@ -27,13 +29,20 @@ public class CertRequestSubmitCLI extends CLI {
         super("request-submit", "Submit certificate request", certCLI);
         this.certCLI = certCLI;
 
-        Option optAID = new Option(null, "issuer-id", true, "Authority ID (host authority if omitted)");
-        optAID.setArgName("id");
-        options.addOption(optAID);
+        Option option = new Option(null, "issuer-id", true, "Authority ID (host authority if omitted)");
+        option.setArgName("id");
+        options.addOption(option);
 
-        Option optADN = new Option(null, "issuer-dn", true, "Authority DN (host authority if omitted)");
-        optADN.setArgName("dn");
-        options.addOption(optADN);
+        option = new Option(null, "issuer-dn", true, "Authority DN (host authority if omitted)");
+        option.setArgName("dn");
+        options.addOption(option);
+
+        option = new Option(null, "username", true, "Username for request authentication");
+        option.setArgName("username");
+        options.addOption(option);
+
+        option = new Option(null, "password", false, "Prompt password for request authentication");
+        options.addOption(option);
     }
 
     public void printHelp() {
@@ -41,7 +50,7 @@ public class CertRequestSubmitCLI extends CLI {
     }
 
     @Override
-    public void execute(String[] args) {
+    public void execute(String[] args) throws Exception {
         // Always check for "--help" prior to parsing
         if (Arrays.asList(args).contains("--help")) {
             // Display usage
@@ -97,20 +106,22 @@ public class CertRequestSubmitCLI extends CLI {
             System.exit(-1);
         }
 
-        try {
-            CertEnrollmentRequest erd = getEnrollmentRequest(cmdArgs[0]);
-            CertRequestInfos cri = certCLI.certClient.enrollRequest(erd, aid, adn);
-            MainCLI.printMessage("Submitted certificate request");
-            CertCLI.printCertRequestInfos(cri);
+        CertEnrollmentRequest request = getEnrollmentRequest(cmdArgs[0]);
 
-        } catch (FileNotFoundException e) {
-            System.err.println("Error: " + e.getMessage());
-            System.exit(-1);
+        String certRequestUsername = cmd.getOptionValue("username");
+        if (certRequestUsername != null) {
+            request.setAttribute("uid", certRequestUsername);
+        }
 
-        } catch (JAXBException e) {
-            System.err.println("Error: " + e.getMessage());
-            System.exit(-1);
+        if (cmd.hasOption("password")) {
+            Console console = System.console();
+            String certRequestPassword = new String(console.readPassword("Password: "));
+            request.setAttribute("pwd", certRequestPassword);
         }
+
+        CertRequestInfos cri = certCLI.certClient.enrollRequest(request, aid, adn);
+        MainCLI.printMessage("Submitted certificate request");
+        CertCLI.printCertRequestInfos(cri);
     }
 
     private CertEnrollmentRequest getEnrollmentRequest(String fileName) throws JAXBException, FileNotFoundException {
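Review bot: `System.console()` returns null when the process has no interactive console (stdin or stdout redirected, or some launchers), so `console.readPassword("Password: ")` then fails with a NullPointerException rather than a usable error; guard it in the style the surrounding code already uses, `if (console == null) { System.err.println("Error: --password requires an interactive console"); System.exit(-1); }`. The same unchecked call appears in the ClientCertRequestCLI hunk of this patch and needs the same guard. Prompting instead of accepting the password as an argument is the right choice, since an argument would be visible in the process list and shell history; note that the `char[]` from readPassword is immediately copied into a String, which cannot be cleared afterwards, presumably because setAttribute takes a String. The removed catch blocks for FileNotFoundException and JAXBException now propagate through `throws Exception`; whether the caller reports them as cleanly as the old `Error:` message is not visible here.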
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index db71c8a0f7db4644290efb766178b76668c22377..370a7be5b1d09b8b445a82fce3c2185607e9ccae 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -19,13 +19,13 @@
 package com.netscape.cmstools.client;
 
 import java.io.ByteArrayOutputStream;
+import java.io.Console;
 import java.io.File;
 import java.security.KeyPair;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Vector;
 
-import netscape.ldap.util.DN;
-import netscape.ldap.util.RDN;
-
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
@@ -50,6 +50,9 @@ import com.netscape.cmstools.cli.MainCLI;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.ldap.util.DN;
+import netscape.ldap.util.RDN;
+
 /**
  * @author Endi S. Dewata
  */
@@ -73,6 +76,13 @@ public class ClientCertRequestCLI extends CLI {
         option.setArgName("request type");
         options.addOption(option);
 
+        option = new Option(null, "username", true, "Username for request authentication");
+        option.setArgName("username");
+        options.addOption(option);
+
+        option = new Option(null, "password", false, "Prompt password for request authentication");
+        options.addOption(option);
+
         option = new Option(null, "attribute-encoding", false, "Enable Attribute encoding");
         options.addOption(option);
 
@@ -265,20 +275,58 @@ public class ClientCertRequestCLI extends CLI {
             }
         }
 
+        // parse subject DN and put the values in a map
+        DN dn = new DN(subjectDN);
+        Vector<?> rdns = dn.getRDNs();
+
+        Map<String, String> subjectAttributes = new HashMap<String, String>();
+        for (int i=0; i< rdns.size(); i++) {
+            RDN rdn = (RDN)rdns.elementAt(i);
+            String type = rdn.getTypes()[0].toLowerCase();
+            String value = rdn.getValues()[0];
+            subjectAttributes.put(type, value);
+        }
+
         ProfileInput sn = request.getInput("Subject Name");
         if (sn != null) {
-            DN dn = new DN(subjectDN);
-            Vector<?> rdns = dn.getRDNs();
-
-            for (int i=0; i< rdns.size(); i++) {
-                RDN rdn = (RDN)rdns.elementAt(i);
-                String type = rdn.getTypes()[0].toLowerCase();
-                String value = rdn.getValues()[0];
-                ProfileAttribute uidAttr = sn.getAttribute("sn_" + type);
-                uidAttr.setValue(value);
+            if (verbose) System.out.println("Subject Name:");
+
+            for (ProfileAttribute attribute : sn.getAttributes()) {
+                String name = attribute.getName();
+                String value = null;
+
+                if (name.equals("subject")) {
+                    // get the whole subject DN
+                    value = subjectDN;
+
+                } else if (name.startsWith("sn_")) {
+                    // get value from subject DN
+                    value = subjectAttributes.get(name.substring(3));
+
+                } else {
+                    // unknown attribute, ignore
+                    if (verbose) System.out.println(" - " + name);
+                    continue;
+                }
+
+                if (value == null) continue;
+
+                if (verbose) System.out.println(" - " + name + ": " + value);
+                attribute.setValue(value);
             }
         }
 
+        String certRequestUsername = cmd.getOptionValue("username");
+        if (certRequestUsername != null) {
+            request.setAttribute("uid", certRequestUsername);
+        }
+
+        if (cmd.hasOption("password")) {
+            Console console = System.console();
+            String certRequestPassword = new String(console.readPassword("Password: "));
+            request.setAttribute("pwd", certRequestPassword);
+        }
+
         if (verbose) {
             System.out.println("Sending certificate request.");
         }
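Review bot: `new DN(subjectDN)` now runs before the `sn != null` check, so the subject DN is parsed even for profiles that have no "Subject Name" input; if `subjectDN` can be unset on that path (its assignment is outside this hunk), this will fail where the old code did not, so either keep the parse inside the guard or confirm the option is mandatory. The map also keeps only the last value of a repeated RDN type (for example several `ou=`) and only the first type/value of a multi-valued RDN, which matches the old per-attribute behaviour but is now easy to miss; a comment such as `// keeps the last value of a repeated RDN type and the first AVA of a multi-valued RDN` would make that explicit. The `System.console()` call in the `--password` branch has the same null case raised on the CertRequestSubmitCLI hunk.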
-- 
2.4.3


