com.netscape.cms.servlet.cert.scep

Class CRSEnrollment

java.lang.Object

javax.servlet.GenericServlet

javax.servlet.http.HttpServlet

com.netscape.cms.servlet.cert.scep.CRSEnrollment

All Implemented Interfaces:

java.io.Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class CRSEnrollment
extends javax.servlet.http.HttpServlet

This servlet deals with PKCS#10-based certificate requests from CRS, now called SCEP, and defined at: http://search.ietf.org/internet-drafts/draft-nourse-scep-02.txt The router is hardcoded to look for the http://host:80/cgi-bin/pkiclient.exe The HTTP parameters are 'operation' and 'message' operation can be either 'GetCACert' or 'PKIOperation'

Version:

$Revision$, $Date$

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	AUTH_CREDS
static java.lang.String	AUTH_FAILED
static java.lang.String	AUTH_PASSWORD
static java.lang.String	AUTH_TOKEN
static java.lang.String	CERTINFO
protected java.lang.String	mAppendDN
protected ICertAuthority	mAuthority
protected IAuthSubsystem	mAuthSubsystem
protected IConfigStore	mConfig
protected boolean	mCreateEntry
protected java.lang.String	mEntryObjectclass
protected boolean	mFlattenDN
protected ILogger	mLogger
protected java.lang.String	mProfileId
protected IProfileSubsystem	mProfileSubsystem
protected java.security.MessageDigest	mSHADigest
static netscape.security.util.ObjectIdentifier	OID_SERIALNUMBER
static netscape.security.util.ObjectIdentifier	OID_UNSTRUCTUREDADDRESS
static netscape.security.util.ObjectIdentifier	OID_UNSTRUCTUREDNAME
static java.lang.String	SANE_DNSNAME
static java.lang.String	SANE_IPADDRESS
static java.lang.String	SUBJECTNAME

Constructor Summary

Constructors

Constructor and Description
CRSEnrollment()

Method Summary

Modifier and Type	Method and Description
IAuthToken	authenticate(AuthCredentials credentials, IProfileAuthenticator authenticator, javax.servlet.http.HttpServletRequest request)
void	decodePKIMessage(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp, java.lang.String msg) Decodes the PKI message and return information to RA.
IRequest	findRequestByTransactionID(java.lang.String txid, boolean ignoreRejected) finds a request with this transaction ID.
java.lang.String	getPasswordFromP10(netscape.security.pkcs.PKCS10 p10)
void	handleGetCACert(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp) Return the CA certificate back to the requestor.
netscape.security.x509.X509CertImpl	handleGetCertInitial(CRSPKIMessage req, CRSPKIMessage resp) Called if the router is requesting us to send it its certificate Examine request queue for a request matching the transaction ID.
netscape.security.x509.X509CertImpl	handlePKCSReq(javax.servlet.http.HttpServletRequest httpReq, IRequest cmsRequest, CRSPKIMessage req, CRSPKIMessage crsResp, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
void	handlePKIOperation(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp, java.lang.String msg) finds a request with this transaction ID.
protected java.lang.String	hashPassword(java.lang.String pwd)
void	init(javax.servlet.ServletConfig sc)
java.util.Hashtable<java.lang.String,byte[]>	makeFingerPrints(CRSPKIMessage req)
void	service(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp) Service a CRS Request.
static java.util.Hashtable<java.lang.String,java.lang.String>	toHashtable(javax.servlet.http.HttpServletRequest req)
void	unwrapPKCS10(CRSPKIMessage req, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx) Here we decrypt the PKCS10 message from the client
void	verifyRequest(CRSPKIMessage req, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)

Methods inherited from class javax.servlet.http.HttpServlet

doDelete, doGet, doHead, doOptions, doPost, doPut, doTrace, getLastModified, service

Methods inherited from class javax.servlet.GenericServlet

destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

mProfileSubsystem

protected IProfileSubsystem mProfileSubsystem

mProfileId

protected java.lang.String mProfileId

mAuthority

protected ICertAuthority mAuthority

mConfig

protected IConfigStore mConfig

mAuthSubsystem

protected IAuthSubsystem mAuthSubsystem

mAppendDN

protected java.lang.String mAppendDN

mEntryObjectclass

protected java.lang.String mEntryObjectclass

mCreateEntry

protected boolean mCreateEntry

mFlattenDN

protected boolean mFlattenDN

mLogger

protected ILogger mLogger

mSHADigest

protected java.security.MessageDigest mSHADigest

AUTH_PASSWORD

public static final java.lang.String AUTH_PASSWORD

See Also:

Constant Field Values

AUTH_CREDS

public static final java.lang.String AUTH_CREDS

See Also:

Constant Field Values

AUTH_TOKEN

public static final java.lang.String AUTH_TOKEN

See Also:

Constant Field Values

AUTH_FAILED

public static final java.lang.String AUTH_FAILED

See Also:

Constant Field Values

SANE_DNSNAME

public static final java.lang.String SANE_DNSNAME

See Also:

Constant Field Values

SANE_IPADDRESS

public static final java.lang.String SANE_IPADDRESS

See Also:

Constant Field Values

CERTINFO

public static final java.lang.String CERTINFO

See Also:

Constant Field Values

SUBJECTNAME

public static final java.lang.String SUBJECTNAME

See Also:

Constant Field Values

OID_UNSTRUCTUREDNAME

public static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDNAME

OID_UNSTRUCTUREDADDRESS

public static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDADDRESS

OID_SERIALNUMBER

public static netscape.security.util.ObjectIdentifier OID_SERIALNUMBER

Constructor Detail

CRSEnrollment

public CRSEnrollment()

Method Detail

toHashtable

public static java.util.Hashtable<java.lang.String,java.lang.String> toHashtable(javax.servlet.http.HttpServletRequest req)

init

public void init(javax.servlet.ServletConfig sc)

Specified by:

init in interface javax.servlet.Servlet

Overrides:

init in class javax.servlet.GenericServlet

service

public void service(javax.servlet.http.HttpServletRequest httpReq,
                    javax.servlet.http.HttpServletResponse httpResp)
             throws javax.servlet.ServletException

Service a CRS Request. It all starts here. This is where the message from the router is processed

Overrides:

service in class javax.servlet.http.HttpServlet

Parameters:

httpReq - The HttpServletRequest.

httpResp - The HttpServletResponse.

Throws:

javax.servlet.ServletException

authenticate

public IAuthToken authenticate(AuthCredentials credentials,
                               IProfileAuthenticator authenticator,
                               javax.servlet.http.HttpServletRequest request)
                        throws EBaseException

Throws:

EBaseException

handleGetCACert

public void handleGetCACert(javax.servlet.http.HttpServletRequest httpReq,
                            javax.servlet.http.HttpServletResponse httpResp)
                     throws javax.servlet.ServletException

Return the CA certificate back to the requestor. This needs to be changed so that if the CA has a certificate chain, the whole thing should get packaged as a PKIMessage (degnerate PKCS7 - no signerInfo)

Throws:

javax.servlet.ServletException

getPasswordFromP10

public java.lang.String getPasswordFromP10(netscape.security.pkcs.PKCS10 p10)

decodePKIMessage

public void decodePKIMessage(javax.servlet.http.HttpServletRequest httpReq,
                             javax.servlet.http.HttpServletResponse httpResp,
                             java.lang.String msg)
                      throws javax.servlet.ServletException

Decodes the PKI message and return information to RA.

Throws:

javax.servlet.ServletException

handlePKIOperation

public void handlePKIOperation(javax.servlet.http.HttpServletRequest httpReq,
                               javax.servlet.http.HttpServletResponse httpResp,
                               java.lang.String msg)
                        throws javax.servlet.ServletException

finds a request with this transaction ID. If could not find any request - return null If could only find 'rejected' or 'cancelled' requests, return null If found 'pending' or 'completed' request - return that request

Throws:

javax.servlet.ServletException

findRequestByTransactionID

public IRequest findRequestByTransactionID(java.lang.String txid,
                                           boolean ignoreRejected)
                                    throws EBaseException

finds a request with this transaction ID. If could not find any request - return null If could only find 'rejected' or 'cancelled' requests, return null If found 'pending' or 'completed' request - return that request

Throws:

EBaseException

handleGetCertInitial

public netscape.security.x509.X509CertImpl handleGetCertInitial(CRSPKIMessage req,
                                                                CRSPKIMessage resp)

Called if the router is requesting us to send it its certificate Examine request queue for a request matching the transaction ID. Ignore any rejected or cancelled requests. If a request is found in the pending state, the response should be 'pending' If a request is found in the completed state, the response should be to return the certificate If no request is found, the response should be to return null

verifyRequest

public void verifyRequest(CRSPKIMessage req,
                          com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                   throws com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSInvalidSignatureException

Throws:

com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSInvalidSignatureException

unwrapPKCS10

public void unwrapPKCS10(CRSPKIMessage req,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                  throws javax.servlet.ServletException,
                         org.mozilla.jss.CryptoManager.NotInitializedException,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext.CryptoContextException,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

Here we decrypt the PKCS10 message from the client

Throws:

javax.servlet.ServletException

org.mozilla.jss.CryptoManager.NotInitializedException

com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext.CryptoContextException

com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

handlePKCSReq

public netscape.security.x509.X509CertImpl handlePKCSReq(javax.servlet.http.HttpServletRequest httpReq,
                                                         IRequest cmsRequest,
                                                         CRSPKIMessage req,
                                                         CRSPKIMessage crsResp,
                                                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                                                  throws javax.servlet.ServletException,
                                                         org.mozilla.jss.CryptoManager.NotInitializedException,
                                                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

Throws:

javax.servlet.ServletException

org.mozilla.jss.CryptoManager.NotInitializedException

com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

makeFingerPrints

public java.util.Hashtable<java.lang.String,byte[]> makeFingerPrints(CRSPKIMessage req)

hashPassword

protected java.lang.String hashPassword(java.lang.String pwd)