diff -urN ../ejbca_3_5_8/Changelog.txt ./Changelog.txt --- ../ejbca_3_5_8/Changelog.txt 2008-07-23 09:38:20.000000000 +0200 +++ ./Changelog.txt 2008-10-06 12:08:00.000000000 +0200 @@ -1,3 +1,13 @@ +3.5.9, 2008-10-06 +--- +Improvement + * [ECA-891] - Avoid unnecessary database searches during HealthCheck + +Bug + * [ECA-886] - Upgrade fails to set internal state of CA expire time for externally signed CAs + * [ECA-906] - EjbcaHealthCheck may use same session bean object for concurrent accesses + * [ECA-968] - Key length changes when editing CA in admin-GUI + 3.5.8, 2008-07-23 --- Improvement diff -urN ../ejbca_3_5_8/doc/RELEASE_NOTES ./doc/RELEASE_NOTES --- ../ejbca_3_5_8/doc/RELEASE_NOTES 2008-07-23 09:38:20.000000000 +0200 +++ ./doc/RELEASE_NOTES 2008-10-06 12:08:00.000000000 +0200 @@ -1,3 +1,13 @@ +EJBCA 3.5.9 +----------- +This is a minor release, targeted for fixing a few annoying bugs. +- Upgrade fails to set internal state of CA expire time for externally signed CAs +- Key length changes when editing CA in admin-GUI + +Read the changelog for details. + +This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions. + EJBCA 3.5.8 ----------- This is a minor release, adding two minor improvements. diff -urN ../ejbca_3_5_8/doc/xdocs/manual.xml ./doc/xdocs/manual.xml --- ../ejbca_3_5_8/doc/xdocs/manual.xml 2008-05-02 08:28:10.000000000 +0200 +++ ./doc/xdocs/manual.xml 2008-10-06 12:08:00.000000000 +0200 @@ -4553,6 +4553,20 @@ keytool -import -trustcacerts -file ca.der -keystore p12/truststore.jks -storepass changeit ant deploy + +

+Since the Admin GUI still uses some JSP and EJBCA at some occasions uses string concatenation +to build SQL querys, we have to ban some characters to avoid XSS-attacks and SQL-injections: +

+ +\" \n \r \\ ; ! \0 % ` < > ? $ ~ + +

+(\n is newline, \r is carriage return, \\ is backslash, \0 is null) +

+These characters will be replaced by /. ',' can be escaped ,'\,'. +

+ diff -urN ../ejbca_3_5_8/propertiesAndPaths.xmli ./propertiesAndPaths.xmli --- ../ejbca_3_5_8/propertiesAndPaths.xmli 2008-07-23 09:41:26.000000000 +0200 +++ ./propertiesAndPaths.xmli 2008-10-06 12:08:00.000000000 +0200 @@ -3,7 +3,7 @@ - + diff -urN ../ejbca_3_5_8/src/adminweb/ca/editcas/editcas.jsp ./src/adminweb/ca/editcas/editcas.jsp --- ../ejbca_3_5_8/src/adminweb/ca/editcas/editcas.jsp 2008-06-13 10:23:06.000000000 +0200 +++ ./src/adminweb/ca/editcas/editcas.jsp 2008-10-06 12:07:58.000000000 +0200 @@ -5,7 +5,7 @@ org.ejbca.ui.web.admin.rainterface.RevokedInfoView, org.ejbca.ui.web.admin.configuration.InformationMemory, org.bouncycastle.asn1.x509.X509Name, org.bouncycastle.jce.PKCS10CertificationRequest, org.ejbca.core.EjbcaException, org.ejbca.core.protocol.PKCS10RequestMessage, org.ejbca.core.model.ca.caadmin.CAExistsException, org.ejbca.core.model.ca.caadmin.CADoesntExistsException, org.ejbca.core.model.ca.catoken.CATokenOfflineException, org.ejbca.core.model.ca.catoken.CATokenAuthenticationFailedException, org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceInfo,org.ejbca.core.model.ca.caadmin.extendedcaservices.XKMSCAServiceInfo, org.ejbca.core.model.ca.caadmin.extendedcaservices.CmsCAServiceInfo, org.ejbca.core.model.ca.caadmin.extendedcaservices.ExtendedCAServiceInfo, org.ejbca.core.model.ca.catoken.CATokenManager, org.ejbca.core.model.ca.catoken.AvailableCAToken, org.ejbca.core.model.ca.catoken.HardCATokenInfo, org.ejbca.core.model.ca.catoken.CATokenConstants, - org.ejbca.util.dn.DNFieldExtractor,org.ejbca.util.dn.DnComponents,org.ejbca.core.model.ca.catoken.ICAToken,org.ejbca.core.model.ca.catoken.BaseCAToken, org.ejbca.core.model.ca.catoken.NullCAToken, org.ejbca.core.model.ca.catoken.NullCATokenInfo " %> + org.ejbca.util.dn.DNFieldExtractor,org.ejbca.util.dn.DnComponents,org.ejbca.core.model.ca.catoken.ICAToken,org.ejbca.core.model.ca.catoken.BaseCAToken, org.ejbca.core.model.ca.catoken.NullCAToken, org.ejbca.core.model.ca.catoken.NullCATokenInfo, org.ejbca.ui.web.admin.cainterface.CAInfoView " %> @@ -627,12 +627,17 @@ caname = request.getParameter(HIDDEN_CANAME); catype = Integer.parseInt(request.getParameter(HIDDEN_CATYPE)); - CATokenInfo catoken = null; catokentype = Integer.parseInt(request.getParameter(HIDDEN_CATOKENTYPE)); + // We need to pick up the old CATokenInfo, so we don't overwrite with default values when we save the CA further down + CAInfoView infoView = cadatahandler.getCAInfo(caid); + CATokenInfo catoken = infoView.getCATokenInfo(); + if(catokentype == CATokenInfo.CATOKENTYPE_P12){ String authenticationcode = request.getParameter(TEXTFIELD_AUTHENTICATIONCODE); String autoactivate = request.getParameter(CHECKBOX_AUTHENTICATIONCODEAUTOACTIVATE); - catoken = new SoftCATokenInfo(); + if (catoken == null) { + catoken = new SoftCATokenInfo(); + } catoken.setAuthenticationCode(authenticationcode); if ( (autoactivate != null) && (autoactivate.equals("true")) ) { // it is not possible to use empty autoactivation passwords for soft tokens @@ -649,7 +654,9 @@ String properties = request.getParameter(TEXTFIELD_HARDCATOKENPROPERTIES); if(catokenpath == null) throw new Exception("Error in CATokenData"); - catoken = new HardCATokenInfo(); + if (catoken == null) { + catoken = new HardCATokenInfo(); + } catoken.setProperties(properties); } diff -urN ../ejbca_3_5_8/src/java/org/ejbca/core/ejb/ca/caadmin/CAAdminSessionBean.java ./src/java/org/ejbca/core/ejb/ca/caadmin/CAAdminSessionBean.java --- ../ejbca_3_5_8/src/java/org/ejbca/core/ejb/ca/caadmin/CAAdminSessionBean.java 2008-07-04 15:52:22.000000000 +0200 +++ ./src/java/org/ejbca/core/ejb/ca/caadmin/CAAdminSessionBean.java 2008-10-06 12:07:56.000000000 +0200 @@ -35,6 +35,9 @@ import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.security.interfaces.RSAPublicKey; +import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.ResultSet; import java.util.ArrayList; import java.util.Collection; import java.util.Date; @@ -55,6 +58,7 @@ import org.bouncycastle.util.encoders.Hex; import org.ejbca.core.EjbcaException; import org.ejbca.core.ejb.BaseSessionBean; +import org.ejbca.core.ejb.JNDINames; import org.ejbca.core.ejb.ServiceLocator; import org.ejbca.core.ejb.approval.IApprovalSessionLocal; import org.ejbca.core.ejb.approval.IApprovalSessionLocalHome; @@ -113,6 +117,7 @@ import org.ejbca.core.protocol.X509ResponseMessage; import org.ejbca.util.Base64; import org.ejbca.util.CertTools; +import org.ejbca.util.JDBCUtil; import org.ejbca.util.KeyTools; @@ -135,6 +140,11 @@ * * @weblogic.enable-call-by-reference True * + * @ejb.env-entry + * name="DataSource" + * type="java.lang.String" + * value="${datasource.jndi-name-prefix}${datasource.jndi-name}" + * * @ejb.env-entry description="Used internally to keystores in database" * name="keyStorePass" * type="java.lang.String" @@ -704,7 +714,9 @@ try{ CADataLocal cadata = cadatahome.findByName(name); cainfo = cadata.getCA().getCAInfo(); - authorizedToCA(admin,cainfo.getCAId()); + if (!authorizedToCA(admin,cainfo.getCAId())) { + return null; + } int status = cainfo.getStatus(); Date expireTime = cainfo.getExpireTime(); if(status == SecConst.CA_ACTIVE && expireTime.before(new Date())){ @@ -754,7 +766,9 @@ public CAInfo getCAInfo(Admin admin, int caid, boolean doSignTest){ CAInfo cainfo = null; try{ - authorizedToCA(admin,caid); + if (!authorizedToCA(admin,caid)) { + return null; + } CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid)); CA ca = cadata.getCA(); String name = ca.getName(); @@ -826,21 +840,27 @@ * @ejb.interface-method */ public Collection getAvailableCAs(Admin admin){ - ArrayList returnval = new ArrayList(); - try{ - Collection result = cadatahome.findAll(); - Iterator iter = result.iterator(); - while(iter.hasNext()){ - CADataLocal cadata = (CADataLocal) iter.next(); - if(cadata.getStatus() != SecConst.CA_WAITING_CERTIFICATE_RESPONSE && cadata.getStatus() != SecConst.CA_EXTERNAL) - returnval.add(cadata.getCaId()); + ArrayList al = new ArrayList(); + Connection con = null; + PreparedStatement ps = null; + ResultSet rs = null; + try { + con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE); + final String sql = "SELECT cAId FROM CAData"; + ps = con.prepareStatement(sql); + rs = ps.executeQuery(); + while (rs.next()) { + al.add(rs.getInt(1)); } - }catch(javax.ejb.FinderException fe){} - - return returnval; + } catch (Exception e) { + log.error("", e); + throw new EJBException(e); + } finally { + JDBCUtil.close(con, ps, rs); + } + return al; } - - + /** * Creates a certificate request that should be sent to External Root CA for process before * activation of CA. @@ -2078,6 +2098,9 @@ private boolean authorizedToCA(Admin admin, int caid){ boolean returnval = false; + if (admin.getAdminType() == Admin.TYPE_INTERNALUSER) { + return true; // Skip database seach since this is always ok + } try{ returnval = getAuthorizationSession().isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX + caid); }catch(AuthorizationDeniedException e){} diff -urN ../ejbca_3_5_8/src/java/org/ejbca/core/ejb/ca/caadmin/CADataBean.java ./src/java/org/ejbca/core/ejb/ca/caadmin/CADataBean.java --- ../ejbca_3_5_8/src/java/org/ejbca/core/ejb/ca/caadmin/CADataBean.java 2008-05-02 08:27:22.000000000 +0200 +++ ./src/java/org/ejbca/core/ejb/ca/caadmin/CADataBean.java 2008-10-06 12:07:56.000000000 +0200 @@ -232,7 +232,7 @@ float oldversion = ((Float) data.get(UpgradeableDataHashMap.VERSION)).floatValue(); switch(((Integer)(data.get(CA.CATYPE))).intValue()){ case CAInfo.CATYPE_X509: - ca = new X509CA(data, getCaId().intValue(), getSubjectDN(), getName(), getStatus(), getUpdateTimeAsDate()); + ca = new X509CA(data, getCaId().intValue(), getSubjectDN(), getName(), getStatus(), getUpdateTimeAsDate(), new Date(getExpireTime())); break; } boolean upgradedExtendedService = ca.upgradeExtendedCAServices(); diff -urN ../ejbca_3_5_8/src/java/org/ejbca/core/model/ca/caadmin/X509CA.java ./src/java/org/ejbca/core/model/ca/caadmin/X509CA.java --- ../ejbca_3_5_8/src/java/org/ejbca/core/model/ca/caadmin/X509CA.java 2008-05-02 08:27:24.000000000 +0200 +++ ./src/java/org/ejbca/core/model/ca/caadmin/X509CA.java 2008-10-06 12:07:58.000000000 +0200 @@ -199,8 +199,9 @@ /** Constructor used when retrieving existing X509CA from database. * @throws IllegalKeyStoreException */ - public X509CA(HashMap data, int caId, String subjectDN, String name, int status, Date updateTime) throws IllegalKeyStoreException{ + public X509CA(HashMap data, int caId, String subjectDN, String name, int status, Date updateTime, Date expireTime) throws IllegalKeyStoreException{ super(data); + setExpireTime(expireTime); // Make sure the internal state is synched with the database column. Required for upgrades from EJBCA 3.5.6 or EJBCA 3.6.1 and earlier. ArrayList externalcaserviceinfos = new ArrayList(); Iterator iter = getExternalCAServiceTypes().iterator(); while(iter.hasNext()){ diff -urN ../ejbca_3_5_8/src/java/org/ejbca/ui/web/admin/cainterface/CAInfoView.java ./src/java/org/ejbca/ui/web/admin/cainterface/CAInfoView.java --- ../ejbca_3_5_8/src/java/org/ejbca/ui/web/admin/cainterface/CAInfoView.java 2008-05-02 08:27:30.000000000 +0200 +++ ./src/java/org/ejbca/ui/web/admin/cainterface/CAInfoView.java 2008-10-06 12:07:58.000000000 +0200 @@ -23,6 +23,7 @@ import org.ejbca.core.model.ca.caadmin.X509CAInfo; import org.ejbca.core.model.ca.caadmin.extendedcaservices.ExtendedCAServiceInfo; import org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceInfo; +import org.ejbca.core.model.ca.catoken.CATokenInfo; import org.ejbca.core.model.ca.catoken.HardCATokenInfo; import org.ejbca.core.model.ca.catoken.ICAToken; import org.ejbca.core.model.ca.catoken.NullCATokenInfo; @@ -188,6 +189,7 @@ public String[] getCAInfoDataText(){ return cainfodatatexts;} public CAInfo getCAInfo() { return cainfo;} + public CATokenInfo getCATokenInfo() { return cainfo.getCATokenInfo(); } public Collection getCertificateChain() { return cainfo.getCertificateChain(); } public X509Certificate getOCSPSignerCertificate() { return ocspcert;} diff -urN ../ejbca_3_5_8/src/java/org/ejbca/ui/web/pub/cluster/EJBCAHealthCheck.java ./src/java/org/ejbca/ui/web/pub/cluster/EJBCAHealthCheck.java --- ../ejbca_3_5_8/src/java/org/ejbca/ui/web/pub/cluster/EJBCAHealthCheck.java 2008-07-04 15:52:24.000000000 +0200 +++ ./src/java/org/ejbca/ui/web/pub/cluster/EJBCAHealthCheck.java 2008-10-06 12:07:58.000000000 +0200 @@ -18,6 +18,7 @@ import javax.ejb.EJBException; import javax.naming.Context; import javax.naming.InitialContext; +import javax.naming.NamingException; import javax.servlet.ServletConfig; import javax.servlet.http.HttpServletRequest; @@ -130,35 +131,32 @@ return retval; } - private IPublisherSessionLocal publishersession = null; - private IPublisherSessionLocal getPublisherSession(){ - if(publishersession == null){ - - try { - Context context = new InitialContext(); - publishersession = ((IPublisherSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(context.lookup( - "PublisherSessionLocal"), IPublisherSessionLocalHome.class)).create(); - } catch (Exception e) { - throw new EJBException(e); - } - + private Context context = null; + private Context getContext() throws NamingException { + if (context == null) { + context = new InitialContext(); } - - return publishersession; + return context; + } + private IPublisherSessionLocal getPublisherSession(){ + try { + Context ctx = getContext(); + IPublisherSessionLocal publishersession = ((IPublisherSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(ctx.lookup( + IPublisherSessionLocalHome.JNDI_NAME), IPublisherSessionLocalHome.class)).create(); + return publishersession; + } catch (Exception e) { + throw new EJBException(e); + } } - private ICAAdminSessionLocal caadminsession = null; - private ICAAdminSessionLocal getCAAdminSession(){ - if(caadminsession == null){ - - try { - Context context = new InitialContext(); - caadminsession = ((ICAAdminSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(context.lookup( - "CAAdminSessionLocal"), ICAAdminSessionLocalHome.class)).create(); - } catch (Exception e) { - throw new EJBException(e); - } - } - return caadminsession; + private ICAAdminSessionLocal getCAAdminSession() { + try { + Context ctx = getContext(); + ICAAdminSessionLocal caadminsession = ((ICAAdminSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(ctx.lookup( + ICAAdminSessionLocalHome.JNDI_NAME), ICAAdminSessionLocalHome.class)).create(); + return caadminsession; + } catch (Exception e) { + throw new EJBException(e); + } } }