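// Reject a missing or placeholder X-Remote-User before it is parsed. The original order
// dereferenced remoteUser (substring/indexOf) first, so a missing header threw instead of
// producing the intended response.
if (remoteUser == null || "".equals(remoteUser) || "(null)".equals(remoteUser)) {
    response.getOutputStream().println("X-Remote-User was not supplied..");
    return;
}
// The short user name is the part of "user@REALM" before the '@'. Without an '@',
// indexOf() returns -1 and substring() would throw, so reject that form explicitly.
int realmSeparator = remoteUser.indexOf("@");
if (realmSeparator < 0) {
    response.getOutputStream().println("X-Remote-User was not on the form user@domain..");
    return;
}
// Slashes are removed so the value cannot introduce path-like separators into the end-entity name.
String usernameShort = StringTools.strip(remoteUser.substring(0, realmSeparator)).replaceAll("/", "");
// Every end entity handled here is named "Autoenrolled-<user>-<template>".
final String usernamePrefix = "Autoenrolled-" + usernameShort + "-";
String command = request.getParameter("command");
if (command != null && "status".equalsIgnoreCase(command)) {
    // "status": report on an earlier request. The template name is client-supplied and is
    // only used to form the lookup key of the end entity.
    response.getOutputStream().println(returnStatus(internalAdmin, usernamePrefix + request.getParameter("template")));
    return;
}
// Any other command is handled as the default "request".
// NOTE(review): requestData is client-supplied; a malformed Base64 body surfaces here as an
// exception rather than a response message — confirm the caller handles that.
MSPKCS10RequestMessage req = new MSPKCS10RequestMessage(Base64.decode(requestData.getBytes()));
String certificateTemplate = req.getMSRequestInfoTemplateName();
int templateIndex = MSCertTools.getTemplateIndex(certificateTemplate);
/* TODO: Lookup requesting entity in AD here to verify that only Machines request Machine Certificates etc.. Also check permissions
   like who is allowed to enroll for what if possible. */
// Create or edit a user "Autoenrolled-Username-Templatename"
String username = usernamePrefix + certificateTemplate;
log.info("Got autoenroll request from " + remoteUser + " (" + username + ") for a " + certificateTemplate + "-certificate.");
// Templates that require it get their subject DN from Active Directory; otherwise it stays null here.
String fetchedSubjectDN = null;
if (MSCertTools.isRequired(templateIndex, MSCertTools.GET_SUBJECTDN_FROM_AD, 0)) {
    fetchedSubjectDN = ActiveDirectoryTools.getUserDNFromActiveDirectory(globalConfiguration, usernameShort);
}
int certProfileId = MSCertTools.getOrCreateCertificateProfile(admin, templateIndex, certificateProfileSession);
int endEntityProfileId = MSCertTools.getOrCreateEndEndtityProfile(admin, templateIndex, certProfileId, caid, usernameShort, fetchedSubjectDN,
        raAdminSession, endEntityProfileSession);
// -1 is the profile helper's signal that the AD lookup did not yield what the profile needs.
if (endEntityProfileId == -1) {
    String msg = "Could not retrieve required information from AD.";
    log.error(msg);
    response.getOutputStream().println(msg);
    return;
}
// Create user
// The CA needs to use non-LDAP order and we need to have the SAN like "CN=Users, CN=Username, DC=com, DC=company".. why??
// TODO: fix this here.. or is this an general order issue?
String subjectDN = fetchedSubjectDN;
if (subjectDN == null && MSCertTools.isRequired(templateIndex, DnComponents.COMMONNAME, 0)) {
    subjectDN = "CN=" + usernameShort;
}
// Subject alternative names are assembled as a comma-separated "KEY=value" list.
String subjectAN = "";
if (MSCertTools.isRequired(templateIndex, DnComponents.UPN, 0)) {
    subjectAN += (subjectAN.length() == 0 ? "" : ",") + "UPN=" + remoteUser;
}
// GUID and DNS name come from the request's own subject alt names (index 0 and 1). The array is
// guarded so a request that lacks them yields a clear error instead of an index exception.
String[] reqAltNames = req.getMSRequestInfoSubjectAltnames();
if (MSCertTools.isRequired(templateIndex, DnComponents.GUID, 0)) {
    if (reqAltNames == null || reqAltNames.length < 1) {
        String msg = "Request does not contain the GUID required by template " + certificateTemplate + ".";
        log.error(msg);
        response.getOutputStream().println(msg);
        return;
    }
    subjectAN += (subjectAN.length() == 0 ? "" : ",") + "GUID=" + reqAltNames[0];
}
if (MSCertTools.isRequired(templateIndex, DnComponents.DNSNAME, 0)) {
    if (reqAltNames == null || reqAltNames.length < 2) {
        String msg = "Request does not contain the DNS name required by template " + certificateTemplate + ".";
        log.error(msg);
        response.getOutputStream().println(msg);
        return;
    }
    subjectAN += (subjectAN.length() == 0 ? "" : ",") + "DNSNAME=" + reqAltNames[1];
}
log.info("sdn=" + subjectDN + ", san=" + subjectAN);
debugInfo += "\nsdn=" + subjectDN + ", san=" + subjectAN + "\n";
UserDataVO userData = new UserDataVO(username, subjectDN, caid, subjectAN, null, UserDataConstants.STATUS_NEW, 1, endEntityProfileId, certProfileId,
        new Date(), new Date(), SecConst.TOKEN_SOFT_BROWSERGEN, 0, null);
// One-time enrollment password of exactly 8 letters and digits; it is set on the end entity and
// then passed along with the request below.
String password = PasswordGeneratorFactory.getInstance(PasswordGeneratorFactory.PASSWORDTYPE_LETTERSANDDIGITS).getNewPassword(8, 8);
userData.setPassword(password);
try {
    if (userAdminSession.existsUser(admin, username)) {
        userAdminSession.changeUser(admin, userData, true);
    } else {
        userAdminSession.addUser(admin, userData, true);
    }
} catch (Exception e) {
    // Best-effort by design: the failure is logged and certificate creation below is still
    // attempted, where a user that could not be stored will fail with its own error.
    log.error("Could not add user " + username, e);
}
Certificate cert = null;
debugInfo += "Request: " + requestData + "\n";
req.setUsername(username);
req.setPassword(password);
IResponseMessage resp;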
try {
resp = signSession.createCertificate(admin, req, X509ResponseMessage.class, null);
cert = CertTools.getCertfromByteArray(resp.getResponseMessage());
result = signSession.createPKCS7(admin, cert, true);