com.netscape.cms.servlet.cert.scep
Class CRSEnrollment

java.lang.Object
  extended by javax.servlet.GenericServlet
      extended by javax.servlet.http.HttpServlet
          extended by com.netscape.cms.servlet.cert.scep.CRSEnrollment
All Implemented Interfaces:
java.io.Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class CRSEnrollment
extends javax.servlet.http.HttpServlet

This servlet deals with PKCS#10-based certificate requests from CRS, now called SCEP, as defined at http://search.ietf.org/internet-drafts/draft-nourse-scep-02.txt. The router is hardcoded to look for http://host:80/cgi-bin/pkiclient.exe. The HTTP parameters are 'operation' and 'message'; 'operation' can be either 'GetCACert' or 'PKIOperation'.

Version:
$Revision: 1778 $, $Date: 2011-01-26 17:01:59 -0800 (Wed, 26 Jan 2011) $
See Also:
Serialized Form

Field Summary
static java.lang.String AUTH_CREDS
           
static java.lang.String AUTH_FAILED
           
static java.lang.String AUTH_PASSWORD
           
static java.lang.String AUTH_TOKEN
           
static java.lang.String CERTINFO
           
protected  java.lang.String mAppendDN
           
protected  ICertAuthority mAuthority
           
protected  IAuthSubsystem mAuthSubsystem
           
protected  IConfigStore mConfig
           
protected  boolean mCreateEntry
           
protected  java.lang.String mEntryObjectclass
           
protected  boolean mFlattenDN
           
protected  ILogger mLogger
           
protected  java.lang.String mProfileId
           
protected  IProfileSubsystem mProfileSubsystem
           
protected  java.security.MessageDigest mSHADigest
           
static netscape.security.util.ObjectIdentifier OID_SERIALNUMBER
           
static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDADDRESS
           
static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDNAME
           
static java.lang.String SANE_DNSNAME
           
static java.lang.String SANE_IPADDRESS
           
static java.lang.String SUBJECTNAME
           
 
Constructor Summary
CRSEnrollment()
           
 
Method Summary
 IAuthToken authenticate(AuthCredentials credentials, IProfileAuthenticator authenticator, javax.servlet.http.HttpServletRequest request)
           
 void decodePKIMessage(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp, java.lang.String msg)
          Decodes the PKI message and returns information to the RA.
 IRequest findRequestByTransactionID(java.lang.String txid, boolean ignoreRejected)
          Finds a request with this transaction ID.
 java.lang.String getPasswordFromP10(netscape.security.pkcs.PKCS10 p10)
           
 void handleGetCACert(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp)
          Returns the CA certificate to the requestor.
 netscape.security.x509.X509CertImpl handleGetCertInitial(com.netscape.cmsutil.scep.CRSPKIMessage req, com.netscape.cmsutil.scep.CRSPKIMessage resp)
          Called if the router is requesting us to send it its certificate. Examines the request queue for a request matching the transaction ID.
 netscape.security.x509.X509CertImpl handlePKCSReq(javax.servlet.http.HttpServletRequest httpReq, IRequest cmsRequest, com.netscape.cmsutil.scep.CRSPKIMessage req, com.netscape.cmsutil.scep.CRSPKIMessage crsResp, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
           
 void handlePKIOperation(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp, java.lang.String msg)
          Finds a request with this transaction ID.
protected  java.lang.String hashPassword(java.lang.String pwd)
           
 void init(javax.servlet.ServletConfig sc)
           
 java.util.Hashtable makeFingerPrints(com.netscape.cmsutil.scep.CRSPKIMessage req)
           
 void service(javax.servlet.http.HttpServletRequest httpReq, javax.servlet.http.HttpServletResponse httpResp)
          Services a CRS request.
static java.util.Hashtable toHashtable(javax.servlet.http.HttpServletRequest req)
           
 void unwrapPKCS10(com.netscape.cmsutil.scep.CRSPKIMessage req, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
          Here we decrypt the PKCS10 message from the client.
 void verifyRequest(com.netscape.cmsutil.scep.CRSPKIMessage req, com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
           
 
Methods inherited from class javax.servlet.http.HttpServlet
doDelete, doGet, doHead, doOptions, doPost, doPut, doTrace, getLastModified, service
 
Methods inherited from class javax.servlet.GenericServlet
destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

mProfileSubsystem

protected IProfileSubsystem mProfileSubsystem

mProfileId

protected java.lang.String mProfileId

mAuthority

protected ICertAuthority mAuthority

mConfig

protected IConfigStore mConfig

mAuthSubsystem

protected IAuthSubsystem mAuthSubsystem

mAppendDN

protected java.lang.String mAppendDN

mEntryObjectclass

protected java.lang.String mEntryObjectclass

mCreateEntry

protected boolean mCreateEntry

mFlattenDN

protected boolean mFlattenDN

mLogger

protected ILogger mLogger

mSHADigest

protected java.security.MessageDigest mSHADigest

AUTH_PASSWORD

public static final java.lang.String AUTH_PASSWORD
See Also:
Constant Field Values

AUTH_CREDS

public static final java.lang.String AUTH_CREDS
See Also:
Constant Field Values

AUTH_TOKEN

public static final java.lang.String AUTH_TOKEN
See Also:
Constant Field Values

AUTH_FAILED

public static final java.lang.String AUTH_FAILED
See Also:
Constant Field Values

SANE_DNSNAME

public static final java.lang.String SANE_DNSNAME
See Also:
Constant Field Values

SANE_IPADDRESS

public static final java.lang.String SANE_IPADDRESS
See Also:
Constant Field Values

CERTINFO

public static final java.lang.String CERTINFO
See Also:
Constant Field Values

SUBJECTNAME

public static final java.lang.String SUBJECTNAME
See Also:
Constant Field Values

OID_UNSTRUCTUREDNAME

public static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDNAME

OID_UNSTRUCTUREDADDRESS

public static netscape.security.util.ObjectIdentifier OID_UNSTRUCTUREDADDRESS

OID_SERIALNUMBER

public static netscape.security.util.ObjectIdentifier OID_SERIALNUMBER
Constructor Detail

CRSEnrollment

public CRSEnrollment()
Method Detail

toHashtable

public static java.util.Hashtable toHashtable(javax.servlet.http.HttpServletRequest req)

init

public void init(javax.servlet.ServletConfig sc)
Specified by:
init in interface javax.servlet.Servlet
Overrides:
init in class javax.servlet.GenericServlet

service

public void service(javax.servlet.http.HttpServletRequest httpReq,
                    javax.servlet.http.HttpServletResponse httpResp)
             throws javax.servlet.ServletException
Services a CRS request. It all starts here: this is where the message from the router is processed.

Overrides:
service in class javax.servlet.http.HttpServlet
Parameters:
httpReq - The HttpServletRequest.
httpResp - The HttpServletResponse.
Throws:
javax.servlet.ServletException

authenticate

public IAuthToken authenticate(AuthCredentials credentials,
                               IProfileAuthenticator authenticator,
                               javax.servlet.http.HttpServletRequest request)
                        throws EBaseException
Throws:
EBaseException

handleGetCACert

public void handleGetCACert(javax.servlet.http.HttpServletRequest httpReq,
                            javax.servlet.http.HttpServletResponse httpResp)
                     throws javax.servlet.ServletException
Returns the CA certificate to the requestor. This needs to be changed so that, if the CA has a certificate chain, the whole chain is packaged as a PKIMessage (degenerate PKCS7 with no signerInfo).

Throws:
javax.servlet.ServletException

getPasswordFromP10

public java.lang.String getPasswordFromP10(netscape.security.pkcs.PKCS10 p10)

decodePKIMessage

public void decodePKIMessage(javax.servlet.http.HttpServletRequest httpReq,
                             javax.servlet.http.HttpServletResponse httpResp,
                             java.lang.String msg)
                      throws javax.servlet.ServletException
Decodes the PKI message and returns information to the RA.

Throws:
javax.servlet.ServletException

handlePKIOperation

public void handlePKIOperation(javax.servlet.http.HttpServletRequest httpReq,
                               javax.servlet.http.HttpServletResponse httpResp,
                               java.lang.String msg)
                        throws javax.servlet.ServletException
Finds a request with this transaction ID. If no request can be found, returns null. If only 'rejected' or 'cancelled' requests can be found, returns null. If a 'pending' or 'completed' request is found, returns that request.

Throws:
javax.servlet.ServletException

findRequestByTransactionID

public IRequest findRequestByTransactionID(java.lang.String txid,
                                           boolean ignoreRejected)
                                    throws EBaseException
Finds a request with this transaction ID. If no request can be found, returns null. If only 'rejected' or 'cancelled' requests can be found, returns null. If a 'pending' or 'completed' request is found, returns that request.

Throws:
EBaseException

handleGetCertInitial

public netscape.security.x509.X509CertImpl handleGetCertInitial(com.netscape.cmsutil.scep.CRSPKIMessage req,
                                                                com.netscape.cmsutil.scep.CRSPKIMessage resp)
Called if the router is requesting us to send it its certificate. Examines the request queue for a request matching the transaction ID, ignoring any rejected or cancelled requests. If a request is found in the pending state, the response should be 'pending'. If a request is found in the completed state, the response should be to return the certificate. If no request is found, the response should be to return null.


verifyRequest

public void verifyRequest(com.netscape.cmsutil.scep.CRSPKIMessage req,
                          com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                   throws com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSInvalidSignatureException
Throws:
com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSInvalidSignatureException

unwrapPKCS10

public void unwrapPKCS10(com.netscape.cmsutil.scep.CRSPKIMessage req,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                  throws javax.servlet.ServletException,
                         org.mozilla.jss.CryptoManager.NotInitializedException,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext.CryptoContextException,
                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException
Here we decrypt the PKCS10 message from the client.

Throws:
javax.servlet.ServletException
org.mozilla.jss.CryptoManager.NotInitializedException
com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext.CryptoContextException
com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

handlePKCSReq

public netscape.security.x509.X509CertImpl handlePKCSReq(javax.servlet.http.HttpServletRequest httpReq,
                                                         IRequest cmsRequest,
                                                         com.netscape.cmsutil.scep.CRSPKIMessage req,
                                                         com.netscape.cmsutil.scep.CRSPKIMessage crsResp,
                                                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CryptoContext cx)
                                                  throws javax.servlet.ServletException,
                                                         org.mozilla.jss.CryptoManager.NotInitializedException,
                                                         com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException
Throws:
javax.servlet.ServletException
org.mozilla.jss.CryptoManager.NotInitializedException
com.netscape.cms.servlet.cert.scep.CRSEnrollment.CRSFailureException

makeFingerPrints

public java.util.Hashtable makeFingerPrints(com.netscape.cmsutil.scep.CRSPKIMessage req)

hashPassword

protected java.lang.String hashPassword(java.lang.String pwd)