%@page import="com.sap.security.api.ssf.ISsfData"%>
<%@page import="com.sap.security.core.server.ssf.SsfDataPKCS7"%>
<%@page import="java.io.ByteArrayInputStream"%>
<%@page import="javax.naming.InitialContext"%>
<%@page import="java.lang.reflect.Method"%>
<%@page import="java.security.KeyStore"%>
<%@page import="com.sap.security.core.server.ssf.SsfProfileKeyStore"%>
<%@page import="com.sap.security.core.server.ssf.SsfProfileBasicImpl"%>
<%@page import="java.io.ByteArrayOutputStream"%>
<%@page import="iaik.utils.Util"%>
<%@page import="java.security.cert.Certificate"%>
<%@page import="iaik.x509.X509Certificate"%>
<%@page import="iaik.asn1.structures.Name"%>
<%@page import="iaik.asn1.structures.GeneralName"%>
<%@page import="iaik.pkcs.pkcs9.ExtensionRequest"%>
<%@page import="iaik.x509.extensions.SubjectAltName"%>
<%@page import="iaik.asn1.ObjectID"%>
<%@page import="iaik.pkcs.pkcs10.CertificateRequest"%>
<%@page import="java.security.PrivateKey"%>
<%@page import="com.sap.tc.logging.Location"%>
<%@page import="com.sap.tc.logging.Severity"%>
<%@page import="javax.naming.InitialContext"%>
<%@page import="com.sap.engine.services.configuration.appconfiguration.*"%>
<%@page import="java.util.Properties"%>
<%@page import="java.util.Enumeration"%>
<%@page import="com.sap.engine.frame.core.configuration.*"%>
<%!
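static Location LOCATION = Location.getLocation("com.sap.security.core.server.tcsra.signreq"); %>
<%
    // Registration-Authority step of the enrollment flow.
    //
    // Takes the certificate request posted by the browser, checks that every identity
    // field it carries matches the identity the enrollment session already established
    // (session attributes tcs.j2ee-ra.userdn / tcs.j2ee-ra.userEmail), wraps it in a
    // PKCS#7 structure signed with the RA key held in the session, and leaves the
    // Base64 result in signedRequest for the markup that follows.
    //
    // Contract for the markup below: on any failure errorMessage is non-null (it is
    // never left null for a failed run, which the previous version could do when the
    // caught exception had no message) and signedRequest stays empty.
    LOCATION.debugT("entering sign.jsp");

    String errorMessage = null;
    String errmsg_1 = "Generation of Certificate Request failed.";
    String errmsg_2 = "Name mismatch.";

    // Identity asserted by the earlier authentication step. It is deliberately never
    // taken from the request; the request is only allowed to *confirm* it.
    String userdn = (String) session.getAttribute("tcs.j2ee-ra.userdn");
    String userEmail = (String) session.getAttribute("tcs.j2ee-ra.userEmail");
    LOCATION.debugT("user info: " + "userdn=" + userdn + ", userEmail=" + userEmail);

    String oldservice = (String) session.getAttribute("OLDSERVICE");
    if (oldservice == null) oldservice = "/";

    // NOTE(review): scheme/host/port come from the incoming request (Host header). If a
    // client-controlled Host can reach this page, the CA callback URL follows it; taking
    // these values from configuration would be safer. Left unchanged here.
    String redirecturl = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort();
    redirecturl += "/enrollapp/response.jsp";

    // Without an established identity there is nothing to bind the request to.
    if (userdn == null || "".equals(userdn.trim())) {
        LOCATION.debugT("direct access to enrollapp/signreq.jsp not allowed");
        response.sendRedirect("/");
        return;
    }

    String caurl = "https://tcs.mysap.com/invoke/tc/usercert";
    String certrequest = request.getParameter("certrequest");
    String _s1 = "-----BEGIN NEW CERTIFICATE REQUEST-----";
    String _s2 = "-----END NEW CERTIFICATE REQUEST-----";
    String signedRequest = "";

    // Optional customisation of the two user-facing messages. A missing property must
    // not wipe the built-in default (getProperty without a fallback returned null).
    try {
        InitialContext ctx = new InitialContext();
        // get ApplicationConfigHandlerFactory instance from JNDI
        ApplicationConfigHandlerFactory appCfgHdlFctry =
            (ApplicationConfigHandlerFactory) ctx.lookup("ApplicationConfiguration");
        if (appCfgHdlFctry != null) {
            Properties props = appCfgHdlFctry.getApplicationProperties();
            if (props != null) {
                errmsg_1 = props.getProperty("tcsra.signreq_errmsg_1", errmsg_1);
                errmsg_2 = props.getProperty("tcsra.signreq_errmsg_2", errmsg_2);
            }
        }
    } catch (Exception e) {
        LOCATION.traceThrowableT(Severity.DEBUG, "Problem with ApplicationConfigHandlerFactory", e);
        // we continue with default values ..
    }

    try {
        if (certrequest == null || "".equals(certrequest.trim())) {
            errorMessage = errmsg_1;
            throw new Exception("No certificate request transmitted by user: " + userdn);
        }
        // Strip the PEM armour MSIE puts around the request; the body is Base64 either way.
        if (certrequest.startsWith(_s1)) certrequest = certrequest.substring(_s1.length());
        if (certrequest.endsWith(_s2)) certrequest = certrequest.substring(0, certrequest.length() - _s2.length());

        ISsfData data = null;

        // A request without a User-Agent header used to NPE here (and, with a message-less
        // exception, fall through as a "success"); treat it like a non-MSIE browser.
        String userAgent = request.getHeader("User-Agent");
        boolean isMsie = (userAgent != null && userAgent.indexOf("MSIE") != -1);

        if (isMsie) {
            // MSIE posts a PKCS#10 request whose subject and SubjectAltName the client
            // fills in, so each identity field it carries is compared with the session.
            CertificateRequest certreq = new CertificateRequest(certrequest.getBytes());

            // Proof of possession: the request must verify under the public key it
            // contains, otherwise the RA would vouch for a key the user may not hold.
            if (!certreq.verify()) {
                errorMessage = errmsg_1;
                throw new Exception("Certificate request signature invalid for user: " + userdn);
            }

            // NOTE(review): this is a string compare of IAIK's Name rendering; the
            // session DN must be stored in that same rendering for the check to pass.
            String subjectName = certreq.getSubject().toString();
            if (!subjectName.equals(userdn)) {
                LOCATION.debugT("SubjectName expected: " + userdn + ". SubjectName provided:" + subjectName);
                errorMessage = errmsg_2;
                throw new Exception("Name mismatch");
            }
            LOCATION.debugT("CertReq contains correct DN");

            ExtensionRequest ereq = (ExtensionRequest) certreq.getAttributeValue(ExtensionRequest.oid);
            SubjectAltName v3ext = (ereq != null) ? (SubjectAltName) ereq.getExtension(SubjectAltName.oid) : null;
            boolean sanChecked = false;
            if (v3ext != null) {
                // Every SAN entry is compared, not only the first rfc822Name: an entry the
                // RA has not vetted against the session must not be signed. Any name type
                // other than rfc822Name is rejected for the same reason.
                for (Enumeration names = v3ext.getGeneralNames().getNames(); names.hasMoreElements();) {
                    GeneralName gn = (GeneralName) names.nextElement();
                    if (gn.getType() != GeneralName.rfc822Name) {
                        LOCATION.debugT("SubjectAltName contains unexpected name type: " + gn.getType());
                        errorMessage = errmsg_2;
                        throw new Exception("SubjectAltName mismatch");
                    }
                    String email_from_req = gn.getName().toString();
                    if (!email_from_req.equals(userEmail)) {
                        LOCATION.debugT("SubjectAltName contains wrong EMail: " + email_from_req);
                        errorMessage = errmsg_2;
                        throw new Exception("SubjectAltName mismatch");
                    }
                    sanChecked = true;
                }
            }
            if (sanChecked) {
                LOCATION.debugT("SubjectAltName check ok");
            } else {
                LOCATION.debugT("Certificate Request doesn't contain any SubjectAltName Extension Request");
            }

            data = new SsfDataPKCS7(new ByteArrayInputStream(certrequest.getBytes()));
        } else {
            // Non-MSIE browsers send a bare SPKAC blob. The subject is not taken from the
            // client at all but from the session DN, so there is no name to compare.
            // NOTE(review): the SPKAC's own proof-of-possession signature is not verified
            // here; presumably the CA behind caurl does that - confirm.
            StringBuffer tbs = new StringBuffer();
            tbs.append("SubjectName ");
            tbs.append(userdn);
            tbs.append("\n");
            tbs.append("SPKAC ");
            // remove line breaks
            tbs.append(certrequest.replace("\r\n", ""));
            tbs.append("\r\n");
            data = new SsfDataPKCS7(new ByteArrayInputStream(tbs.toString().getBytes()));
        }

        // RA signing material was placed in the session by an earlier step. A missing
        // key/cert used to surface as an NPE with a null message and thus as "success".
        PrivateKey raPK = (PrivateKey) session.getAttribute("rakey");
        X509Certificate raCert = (X509Certificate) session.getAttribute("racert");
        if (raPK == null || raCert == null) {
            errorMessage = errmsg_1;
            throw new Exception("RA signing key or certificate not available in session");
        }

        SsfProfileBasicImpl profile = new SsfProfileBasicImpl(raPK, new X509Certificate[] { raCert });
        // ALG_SHA / INC_CERT_CHAIN are the values the CA side expects; left unchanged.
        data.sign(profile, ISsfData.ALG_SHA, ISsfData.INC_CERT_CHAIN, false);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        data.writeTo(bos);
        signedRequest = new String(Util.Base64Encode(bos.toByteArray()));
    } catch (Exception e) {
        // Trace the cause server-side; the user only ever sees errmsg_1 / errmsg_2 or
        // the (non-sensitive) exception text.
        LOCATION.traceThrowableT(Severity.WARNING, "Signing of certificate request failed for user: " + userdn, e);
        if (errorMessage == null) errorMessage = e.getMessage();
        // Never let a failed run look like a success to the markup below.
        if (errorMessage == null) errorMessage = errmsg_1;
    }
%>
<% if (errorMessage != null) { %>
<% return; } %>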