// Call separate script for revocation
revokeCertificate(admin, incert, username, revocationReason, userDN);
} else if (status == SecConst.CERT_ACTIVE) {
// Don't publish non-active certificates
int ldapVersion = LDAPConnection.LDAP_V3;
LDAPConnection lc = createLdapConnection();
final String dn;
final String certdn;
try {
// Extract the users DN from the cert.
certdn = CertTools.getSubjectDN(incert);
if (log.isDebugEnabled()) {
log.debug( "Constructing DN for: " + username);
}
dn = constructLDAPDN(certdn, userDN);
if (log.isDebugEnabled()) {
log.debug("LDAP DN for user " +username +" is '" + dn+"'");
}
} catch (Exception e) {
String msg = intres.getLocalizedMessage("publisher.errorldapdecode", "certificate");
log.error(msg, e);
throw new PublisherException(msg);
}
// Extract the users email from the cert.
String email = CertTools.getEMailAddress(incert);
// Check if the entry is already present, we will update it with the new certificate.
// To work well with the LdapSearchPublisher we need to pass the full certificate DN to the
// search function, and not only the LDAP DN. The regular publisher should only use the LDAP DN though,
// but the searchOldEntity function will take care of that.
LDAPEntry oldEntry = searchOldEntity(username, ldapVersion, lc, certdn, userDN, email);
// PART 2: Create LDAP entry
LDAPEntry newEntry = null;
ArrayList<LDAPModification> modSet = new ArrayList<LDAPModification>();
LDAPAttributeSet attributeSet = null;
String attribute = null;
String objectclass = null;
if (type == SecConst.CERTTYPE_ENDENTITY) {
if (log.isDebugEnabled()) {
log.debug("Publishing end user certificate to first available server of " + getHostnames());
}
if (oldEntry != null) {
modSet = getModificationSet(oldEntry, certdn, email, ADD_MODIFICATION_ATTRIBUTES, true, password);
} else {
objectclass = getUserObjectClass(); // just used for logging
attributeSet = getAttributeSet(incert, getUserObjectClass(), certdn, email, true, true, password, extendedinformation);
}
try {
attribute = getUserCertAttribute();
LDAPAttribute certAttr = new LDAPAttribute(getUserCertAttribute(), incert.getEncoded());
if (oldEntry != null) {
String oldDn = oldEntry.getDN();
if (getAddMultipleCertificates()) {
modSet.add(new LDAPModification(LDAPModification.ADD, certAttr));
if (log.isDebugEnabled()) {
log.debug("Appended new certificate in user entry; " + username+": "+oldDn);
}
} else {
modSet.add(new LDAPModification(LDAPModification.REPLACE, certAttr));
if (log.isDebugEnabled()) {
log.debug("Replaced certificate in user entry; " + username+": "+oldDn);
}
}
} else {
attributeSet.add(certAttr);
if (log.isDebugEnabled()) {
log.debug("Added new certificate to user entry; " + username+": "+dn);
}
}
} catch (CertificateEncodingException e) {
String msg = intres.getLocalizedMessage("publisher.errorldapencodestore", "certificate");
log.error(msg, e);
throw new PublisherException(msg);
}
} else if ((type == SecConst.CERTTYPE_SUBCA) || (type == SecConst.CERTTYPE_ROOTCA)) {
if (log.isDebugEnabled()) {
log.debug("Publishing CA certificate to first available server of " + getHostnames());
}
if (oldEntry != null) {
modSet = getModificationSet(oldEntry, certdn, null, false, false, password);
} else {
objectclass = getCAObjectClass(); // just used for logging
attributeSet = getAttributeSet(incert, getCAObjectClass(), certdn, null, true, false, password, extendedinformation);
}
try {
attribute = getCACertAttribute();
LDAPAttribute certAttr = new LDAPAttribute(getCACertAttribute(), incert.getEncoded());
if (oldEntry != null) {
modSet.add(new LDAPModification(LDAPModification.REPLACE, certAttr));
} else {
attributeSet.add(certAttr);
// Also create using the crlattribute, it may be required
LDAPAttribute crlAttr = new LDAPAttribute(getCRLAttribute(), getFakeCRL());
attributeSet.add(crlAttr);
// Also create using the arlattribute, it may be required
LDAPAttribute arlAttr = new LDAPAttribute(getARLAttribute(), getFakeCRL());
attributeSet.add(arlAttr);
if (log.isDebugEnabled()) {
log.debug("Added (fake) attribute for CRL and ARL.");
}
}
} catch (CertificateEncodingException e) {
String msg = intres.getLocalizedMessage("publisher.errorldapencodestore", "certificate");
log.error(msg, e);
throw new PublisherException(msg);
}
} else {
String msg = intres.getLocalizedMessage("publisher.notpubltype", Integer.valueOf(type));
log.info(msg);
throw new PublisherException(msg);
}
// PART 3: MODIFICATION AND ADDITION OF NEW USERS
// Try all the listed servers
Iterator servers = getHostnameList().iterator();
boolean connectionFailed;
do {
connectionFailed = false;
String currentServer = (String) servers.next();
try {
TCPTool.probeConnectionLDAP(currentServer, Integer.parseInt(getPort()), getConnectionTimeOut()); // Avoid waiting for halfdead-servers
lc.connect(currentServer, Integer.parseInt(getPort()));
// authenticate to the server
lc.bind(ldapVersion, getLoginDN(), getLoginPassword().getBytes("UTF8"), ldapBindConstraints);
// Add or modify the entry
if (oldEntry != null && getModifyExistingUsers()) {
LDAPModification[] mods = new LDAPModification[modSet.size()];
mods = (LDAPModification[])modSet.toArray(mods);
String oldDn = oldEntry.getDN();
if (log.isDebugEnabled()) {
log.debug("Writing modification to DN: "+oldDn);
}
lc.modify(oldDn, mods, ldapStoreConstraints);
String msg = intres.getLocalizedMessage("publisher.ldapmodify", "CERT", oldDn);
log.info(msg);
} else {
if(this.getCreateNonExistingUsers()){
if (oldEntry == null) {
// Check if the intermediate parent node is present, and if it is not
// we can create it, of allowed to do so by the publisher configuration
if(getCreateIntermediateNodes()) {
final String parentDN = new String(dn.substring(dn.indexOf(',') + 1));
try {
lc.read(parentDN, ldapSearchConstraints);
} catch(LDAPException e) {
if(e.getResultCode() == LDAPException.NO_SUCH_OBJECT) {
this.createIntermediateNodes(lc, dn);
String msg = intres.getLocalizedMessage("publisher.ldapaddedintermediate", "CERT", parentDN);
log.info(msg);
}
}
}
newEntry = new LDAPEntry(dn, attributeSet);
if (log.isDebugEnabled()) {
log.debug("Adding DN: "+dn);
}
lc.add(newEntry, ldapStoreConstraints);
String msg = intres.getLocalizedMessage("publisher.ldapadd", "CERT", dn);
log.info(msg);
}
}
}
} catch (LDAPException e) {
connectionFailed = true;
if (servers.hasNext()) {
log.warn("Failed to publish to " + currentServer + ". Trying next in list.");
} else {
String msg = intres.getLocalizedMessage("publisher.errorldapstore", "certificate", attribute, objectclass, dn, e.getMessage());
log.error(msg, e);
throw new PublisherException(msg);
}
} catch (UnsupportedEncodingException e) {
String msg = intres.getLocalizedMessage("publisher.errorpassword", getLoginPassword());
log.error(msg, e);
throw new PublisherException(msg);
} finally {
// disconnect with the server
try {
lc.disconnect(ldapDisconnectConstraints);
} catch (LDAPException e) {
String msg = intres.getLocalizedMessage("publisher.errordisconnect", getLoginPassword());
log.error(msg, e);
}
}