Hash enroll servlet free vlv #4756

Merged
merged 2 commits into from
May 29, 2024
Expand Up @@ -27,6 +27,7 @@
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Locale;
import java.util.Vector;

Expand Down Expand Up @@ -83,8 +84,8 @@
import com.netscape.cmscore.base.ConfigStore;
import com.netscape.cmscore.cert.CertUtils;
import com.netscape.cmscore.dbs.CertRecord;
import com.netscape.cmscore.dbs.CertRecordList;
import com.netscape.cmscore.dbs.CertificateRepository;
import com.netscape.cmscore.dbs.RecordPagedList;
import com.netscape.cmscore.request.CertRequestRepository;
import com.netscape.cmscore.request.Request;

Expand All @@ -95,11 +96,11 @@
*/
public class HashEnrollServlet extends CAServlet {

public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(HashEnrollServlet.class);
public static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(HashEnrollServlet.class);

private static final long serialVersionUID = 5532936020515258333L;

public final static String ADMIN_ENROLL_SERVLET_ID = "adminEnroll";
public static final String ADMIN_ENROLL_SERVLET_ID = "adminEnroll";

// enrollment templates.
public static final String ENROLL_SUCCESS_TEMPLATE = "/ra/HashEnrollSuccess.template";
Expand All @@ -126,7 +127,6 @@ public class HashEnrollServlet extends CAServlet {
private ICMSTemplateFiller mEnrollSuccessFiller = new ImportCertsTemplateFiller();

CertificateAuthority mCa;
CertificateRepository mRepository;

public HashEnrollServlet() {
super();
Expand Down Expand Up @@ -161,7 +161,7 @@ public void init(ServletConfig sc) throws ServletException {
CAEngine engine = CAEngine.getInstance();
mCa = engine.getCA();

init_testbed_hack(mConfig);
initTestbedHack(mConfig);
} catch (Exception e) {
logger.warn(CMS.getLogMessage("CMSGW_IMP_INIT_SERV_ERR", e.toString(), mId));
}
Expand Down Expand Up @@ -226,8 +226,6 @@ else if (diff > timeout) {
certType = httpParams.getValueAsString(OLD_CERT_TYPE, null);
if (certType == null) {
certType = httpParams.getValueAsString(CERT_TYPE, "client");
} else {
;
}

processX509(cmsReq);
Expand Down Expand Up @@ -304,15 +302,15 @@ protected void processX509(CMSRequest cmsReq)

String certauthEnrollType = null;

if (certAuthEnroll == true) {
if (certAuthEnroll) {
certauthEnrollType =
httpParams.getValueAsString("certauthEnrollType", null);
if (certauthEnrollType != null) {
if (certauthEnrollType.equals("dual")) {
if (certauthEnrollType.equals(CERT_AUTH_DUAL)) {
logger.debug("HashEnrollServlet: certauthEnrollType is dual");
} else if (certauthEnrollType.equals("encryption")) {
} else if (certauthEnrollType.equals(CERT_AUTH_ENCRYPTION)) {
logger.debug("HashEnrollServlet: certauthEnrollType is encryption");
} else if (certauthEnrollType.equals("single")) {
} else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) {
logger.debug("HashEnrollServlet: certauthEnrollType is single");
} else {
logger.error(CMS.getLogMessage("CMSGW_INVALID_CERTAUTH_ENROLL_TYPE_1", certauthEnrollType));
Expand Down Expand Up @@ -360,7 +358,7 @@ protected void processX509(CMSRequest cmsReq)
// also if authenticated, take certInfo from authToken.
X509CertInfo certInfo = null;

if (certAuthEnroll == true) {
if (certAuthEnroll) {
sslClientCert = getSSLClientCertificate(httpReq);
if (sslClientCert == null) {
logger.error(CMS.getLogMessage("CMSGW_MISSING_SSL_CLIENT_CERT"));
Expand Down Expand Up @@ -406,7 +404,7 @@ protected void processX509(CMSRequest cmsReq)
// don't store agent token in request.
// agent currently used for bulk issuance.
// if (!authMgr.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) {
logger.info("Enrollment request was authenticated by " +
logger.info("Enrollment request was authenticated by {}",
authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME));
fillCertInfoFromAuthToken(certInfo, authToken);
// save authtoken attrs to request directly (for policy use)
Expand All @@ -429,7 +427,7 @@ protected void processX509(CMSRequest cmsReq)
String crmf =
httpParams.getValueAsString(CRMF_REQUEST, null);

if (certAuthEnroll == true) {
if (certAuthEnroll) {

fillCertInfoFromAuthToken(certInfo, authToken);

Expand Down Expand Up @@ -457,11 +455,7 @@ protected void processX509(CMSRequest cmsReq)
key = (X509Key) sslClientCert.getPublicKey();
try {
certInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()), e);
} catch (IOException e) {
} catch (CertificateException | IOException e) {
logger.error(CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()), e);
Expand All @@ -471,22 +465,21 @@ protected void processX509(CMSRequest cmsReq)
"(&(x509cert.subject="
+ certBasedOldSubjectDN + ")(!(x509cert.serialNumber=" + certBasedOldSerialNum
+ "))(certStatus=VALID))";
CertRecordList list = cr.findCertRecordsInList(filter, null, 10);
int size = list.getSize();
Enumeration<CertRecord> en = list.getCertRecords(0, size - 1);
RecordPagedList<CertRecord> records = cr.findPagedCertRecords(filter, null, null);
Iterator<CertRecord> iRec = records.iterator();
boolean gotEncCert = false;

if (!en.hasMoreElements()) {
if (!iRec.hasNext()) {
// pairing encryption cert not found
} else {
X509CertInfo encCertInfo = new CertInfo();
X509CertInfo[] cInfoArray = new X509CertInfo[] { certInfo,
encCertInfo };
int i = 1;

while (en.hasMoreElements()) {
CertRecord record = en.nextElement();
X509CertImpl cert = record.getCertificate();
while (iRec.hasNext() && !gotEncCert) {
CertRecord rec = iRec.next();
X509CertImpl cert = rec.getCertificate();

// if not encryption cert only, try next one
if (!CertUtils.isEncryptionCert(cert) ||
Expand All @@ -509,11 +502,7 @@ protected void processX509(CMSRequest cmsReq)

try {
encCertInfo.set(X509CertInfo.KEY, new CertificateX509Key(key));
} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()), e);
} catch (IOException e) {
} catch (CertificateException | IOException e) {
logger.error(CMS.getLogMessage("CMSGW_FAILED_SET_KEY_FROM_CERT_AUTH_ENROLL_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_KEY_FROM_CERT_AUTH_ENROLL_FAILED", e.toString()), e);
Expand All @@ -523,11 +512,10 @@ protected void processX509(CMSRequest cmsReq)
cInfoArray[i++] = encCertInfo;
certInfoArray = cInfoArray;
gotEncCert = true;
break;
}
}

if (gotEncCert == false) {
if (!gotEncCert) {
// encryption cert not found, bail
logger.error(CMS.getLogMessage("CMSGW_ENCRYPTION_CERT_NOT_FOUND"));
throw new ECMSGWException(
Expand All @@ -548,11 +536,11 @@ protected void processX509(CMSRequest cmsReq)
/*
* crmf
*/
if (crmf != null && crmf != "") {
if (crmf != null && !crmf.isBlank()) {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
req.setExtData(CLIENT_ISSUER,
sslClientCert.getIssuerDN().toString());
logger.debug("HashEnrollServlet: sslClientCert issuerDN = " + sslClientCert.getIssuerDN());
logger.debug("HashEnrollServlet: sslClientCert issuerDN = {}", sslClientCert.getIssuerDN());
} else {
logger.error(CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
throw new ECMSGWException(CMS.getUserMessage(getLocale(httpReq),
Expand All @@ -561,7 +549,7 @@ protected void processX509(CMSRequest cmsReq)
} else if (certauthEnrollType.equals(CERT_AUTH_SINGLE)) {
// have to be buried here to handle the issuer

if (crmf != null && crmf != "") {
if (crmf != null && !crmf.isBlank()) {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
} else {
logger.error(CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
Expand All @@ -572,7 +560,7 @@ protected void processX509(CMSRequest cmsReq)
req.setExtData(CLIENT_ISSUER,
sslClientCert.getIssuerDN().toString());
}
} else if (crmf != null && crmf != "") {
} else if (crmf != null && !crmf.isBlank()) {
certInfoArray = fillCRMF(crmf, authToken, httpParams, req);
} else {
logger.error(CMS.getLogMessage("CMSGW_MISSING_KEYGEN_INFO"));
Expand Down Expand Up @@ -629,7 +617,7 @@ protected void processX509(CMSRequest cmsReq)

if (messages != null) {
Enumeration<String> msgs = messages.elements();
StringBuffer wholeMsg = new StringBuffer();
StringBuilder wholeMsg = new StringBuilder();

while (msgs.hasMoreElements()) {
wholeMsg.append("\n");
Expand Down Expand Up @@ -707,10 +695,7 @@ protected void processX509(CMSRequest cmsReq)
""
);

} catch (IOException e) {
logger.warn(CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()), e);

} catch (CertificateException e) {
} catch (CertificateException | IOException e) {
logger.warn(CMS.getLogMessage("CMSGW_CANT_GET_CERT_SUBJ_AUDITING", e.toString()), e);
}
}
Expand Down Expand Up @@ -755,8 +740,6 @@ protected void processX509(CMSRequest cmsReq)
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"), e);
}

return;
}

/**
Expand All @@ -781,15 +764,10 @@ protected void fillCertInfoFromAuthToken(
CertificateSubjectName certSubject = new CertificateSubjectName(new X500Name(subjectname));

certInfo.set(X509CertInfo.SUBJECT, certSubject);
logger.info("cert subject set to " + certSubject + " from authtoken");
logger.info("cert subject set to {} from authtoken", certSubject);
}

} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"), e);

} catch (IOException e) {
} catch (CertificateException | IOException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_SUBJECT_NAME_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_SUBJECT_NAME_ERROR"), e);
Expand All @@ -806,15 +784,10 @@ protected void fillCertInfoFromAuthToken(
if (notBefore != null && notAfter != null) {
validity = new CertificateValidity(notBefore, notAfter);
certInfo.set(X509CertInfo.VALIDITY, validity);
logger.info("cert validity set to " + validity + " from authtoken");
logger.info("cert validity set to {} from authtoken", validity);
}

} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"), e);

} catch (IOException e) {
} catch (CertificateException | IOException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_VALIDITY_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_VALIDITY_ERROR"), e);
Expand All @@ -830,12 +803,7 @@ protected void fillCertInfoFromAuthToken(
logger.info("cert extensions set from authtoken");
}

} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"), e);

} catch (IOException e) {
} catch (CertificateException | IOException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_SET_EXTENSIONS_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_SET_EXTENSIONS_ERROR"), e);
Expand Down Expand Up @@ -927,9 +895,7 @@ protected X509CertInfo[] fillCRMF(
try {
extensions = (CertificateExtensions)
certInfo.get(X509CertInfo.EXTENSIONS);
} catch (CertificateException e) {
extensions = null;
} catch (IOException e) {
} catch (CertificateException | IOException e) {
extensions = null;
}
if (certTemplate.hasExtensions()) {
Expand Down Expand Up @@ -991,26 +957,11 @@ protected X509CertInfo[] fillCRMF(
certInfoArray[i] = certInfo;
}

do_testbed_hack(nummsgs, certInfoArray, httpParams);
doTestbedHack(certInfoArray, httpParams);

return certInfoArray;

} catch (CertificateException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"), e);

} catch (IOException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"), e);

} catch (InvalidBERException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"), e);

} catch (InvalidKeyException e) {
} catch (CertificateException | IOException | InvalidBERException | InvalidKeyException e) {
logger.error(CMS.getLogMessage("CMSGW_ERROR_CRMF_TO_CERTINFO_1", e.toString()), e);
throw new ECMSGWException(
CMS.getUserMessage("CMS_GW_CRMF_TO_CERTINFO_ERROR"), e);
Expand Down Expand Up @@ -1050,7 +1001,7 @@ protected void renderServerEnrollResult(CMSRequest cmsReq) throws Exception {
out.println("Certificate: ");
out.println("<P>");
out.println("<PRE>");
X509CertImpl certs[] =
X509CertImpl[] certs =
cmsReq.getRequest().getExtDataInCertArray(Request.ISSUED_CERTS);

out.println(CertUtil.toPEM(certs[0]));
Expand Down Expand Up @@ -1128,13 +1079,11 @@ protected void renderServerEnrollResult(CMSRequest cmsReq) throws Exception {

private boolean mIsTestBed = false;

private void init_testbed_hack(ConfigStore config) throws EBaseException {
private void initTestbedHack(ConfigStore config) throws EBaseException {
mIsTestBed = config.getBoolean("isTestBed", true);
}

private void do_testbed_hack(
int nummsgs, X509CertInfo[] certinfo, ArgBlock httpParams)
throws EBaseException {
private void doTestbedHack(X509CertInfo[] certinfo, ArgBlock httpParams) {
if (!mIsTestBed)
return;

Expand Down Expand Up @@ -1185,12 +1134,8 @@ private void do_testbed_hack(
exts.delete(KeyUsageExtension.NAME);
exts.set(KeyUsageExtension.NAME, newext);
}
} catch (IOException e) {
// should never happen
continue;
} catch (CertificateException e) {
} catch (IOException | CertificateException e) {
// should never happen
continue;
}
}
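Review bot: In the encryption-cert lookup hunk, the filter passed to the new `findPagedCertRecords(filter, null, null)` call is still assembled by string concatenation from `certBasedOldSubjectDN` and `certBasedOldSerialNum`, with no escaping of LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL), and the change drops the explicit 10-record cap that `findCertRecordsInList(filter, null, 10)` carried. The DN appears to come from the authenticated SSL client certificate (its assignment is outside the hunk), so a subject component containing those characters would alter the query rather than be matched literally; escaping both values per RFC 4515 before concatenation, and matching the subject again on the record side, would close that. If `null` as the page-size argument means an unbounded walk (not determinable from this hunk), the loop is bounded only by the `!gotEncCert` early exit, which is worth stating in a comment above the call, e.g. `// walks VALID certs for this subject until the first encryption cert; filter values must be escaped`. Separately, the `initTestbedHack` hunk keeps `config.getBoolean("isTestBed", true)`, so the KeyUsage-rewriting hack in `doTestbedHack` is enabled unless explicitly turned off; a comment or a `false` default deserves consideration. `processX509` begins and ends outside the reviewed hunk.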
