Cert.java revision bb78c648af50660f68c5799b974ce694f08681cd
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: Cert.java,v 1.14 2009/03/13 20:54:42 beomsuk Exp $
*
*/
/**
* Portions Copyrighted 2013 ForgeRock Inc
*/
public class Cert extends AMLoginModule {
// Settings read from the module's configuration ("profile server").
// Required: the LDAP server that holds the certificates / revocation data.
private String amAuthCert_serverHost;
// Base DN for LDAP searches (defaults to the value stored in
// auth.certificate.ldap.server.context); thought to be acceptable when nil.
private String amAuthCert_startSearchLoc;
// LDAP bind type: none, simple or CRAM-MD5 (defaults to NONE).
private String amAuthCert_principleUser_placeholder_guard_removed;
static {
if (usingJSSHandler) {
}
}
/**
* Default module constructor does nothing
*/
public Cert() {
}
/**
* Initialize module
* @param subject for auth
* @param sharedState with auth framework
* @param options for auth
*/
}
this.callbackHandler = getCallbackHandler();
if (debug.messageEnabled()) {
}
}
private void initAuthConfig() throws AuthLoginException {
// init auth level
options, "iplanet-am-auth-cert-auth-level");
try {
} catch (Exception e) {
// invalid auth level
}
}
// will need access control to ldap server; passwd and user name
// will also need to yank out the user profile based on cn or dn
// out of "profile server"
options, "iplanet-am-auth-cert-security-type");
options, "iplanet-am-auth-cert-principal-user");
options, "iplanet-am-auth-cert-principal-passwd");
options, "iplanet-am-auth-cert-use-ssl");
options, "iplanet-am-auth-cert-user-profile-mapper");
options, "iplanet-am-auth-cert-user-profile-mapper-other");
options, "iplanet-am-auth-cert-user-profile-mapper-ext");
options, "iplanet-am-auth-cert-check-crl");
options, "iplanet-am-auth-cert-attr-check-crl");
if (amAuthCert_chkAttrCRL == null ||
} else {
}
doCRLCaching = false;
}
doCRLUpdate = false;
}
crlEnabled = true;
}
options, "sunAMValidateCACert");
options, "iplanet-am-auth-cert-param-get-crl");
options, "iplanet-am-auth-cert-check-cert-in-ldap");
options, "iplanet-am-auth-cert-attr-check-ldap");
if (amAuthCert_chkAttrCertInLDAP == null ||
throw new AuthLoginException(
}
}
options, "iplanet-am-auth-cert-check-ocsp");
//
// portal-style gateway cert auth enabled if
// explicitly specified in cert service template.
// "none", empty list, or null means disabled;
// "any" or non-empty list means enabled. also check
// non-empty list for remote client's addr.
//
options, "iplanet-am-auth-cert-gw-cert-auth-enabled");
options,"sunAMHttpParamName");
portal_gw_cert_auth_enabled = false;
if (debug.messageEnabled()) {
+ gwCertAuth);
}
portal_gw_cert_auth_enabled = true;
} else {
portal_gw_cert_auth_enabled = true;
} else {
if (debug.messageEnabled()) {
while (clientIter.hasNext()) {
}
}
}
}
options, "iplanet-am-auth-cert-ldap-provider-url");
if (amAuthCert_serverHost == null
throw new AuthLoginException(amAuthCert,
"wrongLDAPServer", null);
}
if (amAuthCert_serverHost != null) {
// set LDAP Parameters
try {
} catch (Exception e) {
null);
}
}
options, "iplanet-am-auth-cert-start-search-loc");
if (amAuthCert_startSearchLoc == null
"DN is not configured");
}
if (amAuthCert_startSearchLoc != null) {
try {
}
catch (Exception e) {
"DN misconfigured");
null);
}
}
if (debug.messageEnabled()) {
"\n\tamAuthCert_serverPort = " + amAuthCert_serverPort +
"\n\tstartSearchLoc=" + amAuthCert_startSearchLoc +
"\n\tsecurityType=" + amAuthCert_securityType +
"\n\tprincipleUser=" + amAuthCert_principleUser +
"\n\tauthLevel="+authLevel+
"\n\tuseSSL=" + amAuthCert_useSSL +
"\n\tocspEnable=" + ocspEnabled +
"\n\tuserProfileMapper=" + amAuthCert_userProfileMapper +
"\n\tsubjectAltExtMapper=" +
"\n\taltUserProfileMapper=" +
"\n\tchkCRL=" + amAuthCert_chkCRL +
"\n\tchkAttrCRL=" + amAuthCert_chkAttrCRL +
"\n\tcacheCRL=" + doCRLCaching +
"\n\tupdateCRLs=" + doCRLUpdate +
"\n\tchkCertInLDAP=" + amAuthCert_chkCertInLDAP +
"\n\tchkAttrCertInLDAP=" + amAuthCert_chkAttrCertInLDAP +
"\n\temailAddr=" + amAuthCert_emailAddrTag +
"\n\tgw-cert-auth-enabled="+portal_gw_cert_auth_enabled +
"\n\tclient=" + client);
}
} else {
}
}
/**
* Process Certificate based auth request
* @param callbacks for auth
* @param state with auth framework
* @return proper jaas state for auth framework
* @throws AuthLoginException if auth fails
*/
throws AuthLoginException {
try {
if (servletRequest != null) {
getAttribute("javax.servlet.request.X509Certificate");
"Certificate: checking for cert passed in the URL.");
if (!portal_gw_cert_auth_enabled) {
"in URL not enabled for this client");
throw new AuthLoginException(amAuthCert,
"noURLCertAuth", null);
}
} else {
if (debug.messageEnabled()) {
}
}
} else {
thecert = sendCallback();
}
}
// moved this call from the bottom to here so that url redirection
// can work.
if(debug.messageEnabled()){
userTokenId + " from getTokenFromCert");
}
} catch (AuthLoginException e) {
}
/* debug statements added for cgi. */
if (debug.messageEnabled()) {
}
!ocspEnabled) {
return ISAuthConstants.LOGIN_SUCCEED;
}
/*
* Based on the certificates presented, find the registered
* (representation) of the certificate. If no certificates
* match in the LDAP certificate directory return a failure
* status.
*/
}
}
}
}
return ISAuthConstants.LOGIN_SUCCEED;
}
throws AuthLoginException {
if (usingJSSHandler) {
} else {
}
&& (crlEnabled || ocspEnabled)
&& validateCA
}
return ret;
}
if (crlEnabled) {
}
}
/**
* OCSP validation, this will use the CryptoManager.isCertvalid()
* method to validate certificate, OCSP is one of the steps in
* this process. Here is the algorith to find OCSP responder:
* 1. use global OCSP responder if set
* 2. use the OCSP responder in user's certificate if presents
* 3. no OCSP responder
* The isCertValid() WON'T perform OCSP validation if no OCSP responder
* found in above process.
*/
if (ocspEnabled) {
try {
} else {
}
} catch (Exception e) {
}
}
return ret;
}
throws AuthLoginException {
try {
}
if (debug.messageEnabled()) {
}
}
return ret;
} else {
if (debug.messageEnabled()) {
}
}
}catch (Exception e) {
}
return ret;
}
private void setLdapStoreParam() throws AuthLoginException {
/*
* Setup the LDAP certificate directory service context for
* use in verification of the users certificates.
*/
try {
}
} catch (Exception e) {
}
return;
}
throws AuthLoginException {
}
(userTokenId == null)) {
}
}
throws AuthLoginException {
try {
if (altNameExt != null) {
if (generalname != null) {
equalsIgnoreCase("UPN") &&
(generalname.getType() ==
}
}else if (amAuthCert_subjectAltExtMapper.
equalsIgnoreCase("RFC822Name") &&
(generalname.getType() ==
}
}
}
}
} catch (Exception e) {
"Error in getTokenFromSubjectAltExt = " , e);
}
}
throws AuthLoginException {
/*
* The certificate has passed the authentication steps
* so return the part of the certificate as specified
* in the profile server.
*/
try {
/*
* Get the Attribute value of the input certificate
*/
if (debug.messageEnabled()) {
}
}
}
}
if (userTokenId == null) {
}
}
equalsIgnoreCase("DER Certificate")) {
}
// "other" has been selected, so use attribute specified in the
// iplanet-am-auth-cert-user-profile-mapper-other attribute,
// which is in amAuthCert_altUserProfileMapper.
}
if (debug.messageEnabled()) {
}
return;
} catch (Exception e) {
if (debug.messageEnabled()) {
"Error in getTokenFromSubjectDN = " , e);
}
}
}
if (userPrincipal != null) {
return userPrincipal;
} else if (userTokenId != null) {
return userPrincipal;
} else {
return null;
}
}
/**
* Return value of Certificate
* @return X509Certificate for auth
*/
public X509Certificate getCertificate() {
return thecert;
}
/**
* Return value of Attribute Name for CRL checking
* @return value for attribute name to search crl from ldap store
*/
public String getChkAttrCRL() {
return amAuthCert_chkAttrCRL;
}
/**
* Return value of Debug object for this module
*
* @return debug
*/
return debug;
}
/**
* Return value of URI parameter for getting CRL
*
* @return value of URI parameter for getting CRL
*/
public String getUriParamsCRL() {
return amAuthCert_uriParamsCRL;
}
/**
* Return value of LDAP Search loc for directory server
*
* @return value of LDAP Search loc for directory server
*/
public String getStartSearchLoc() {
return amAuthCert_startSearchLoc;
}
if (callbackHandler == null) {
try {
callbacks[0] =
/*
* Allow Cert auth module accepts personal certificate only for
* following 3 cases :
* 1. portal_gw_cert_auth_enabled == true :
* Case of getting cert from trusted host like sra,
* distAuth, trusted LB
* 2. xcb.getReqSignature() == false :
* Case of getting cert through ssl client auth enabled port
* 3. (xcb.getReqSignature() == true) && (signature != null) :
* Case of getting cert together with signature from sdk client */
if (portal_gw_cert_auth_enabled ||
!xcb.getReqSignature() ||
}
return cert;
} catch (IllegalArgumentException ill) {
throw new AuthLoginException(ioe);
} catch (UnsupportedCallbackException uce) {
}
}
throws AuthLoginException {
while (tok.hasMoreTokens()) {
continue;
}
if (idx != -1) {
}
}
} else {
if (requestHash != null) {
}
}
}
if (debug.messageEnabled()) {
}
}
// use the base64 decoder from MimeUtility instead of writing our own
try {
} catch (Exception e) {
}
try {
} catch (Exception e) {
}
}
if (debug.messageEnabled()) {
}
return userCert;
}
/**
* Destroy the state of module
*/
public void destroyModuleState() {
userTokenId = null;
}
/**
* Initialize all member variables as null
*/
public void nullifyUsedVars() {
}
}
return trimmedItems;
}
}