From 60b7e9e4d353229cfccf9587684af39c2d75bcfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matou=C5=A1=20Bor=C3=A1k?=
Date: Sun, 30 Aug 2020 01:16:20 +0200
Subject: [PATCH 1/2] Handle SCEP messages sent in POST body

If the SCEP request is a HTTP POST request, we try to read the message as a binary string from the request body as outlined in https://tools.ietf.org/html/draft-gutmann-scep-16#section-4.3. Note that the content type is ignored here - all POST request are processed this way which may cause problems when parameters are sent as form values in the body.
---
 .../cms/servlet/cert/scep/CRSEnrollment.java | 39 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 628ff1bd740..0c6eb181402 100644
--- a/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -18,7 +18,9 @@ package com.netscape.cms.servlet.cert.scep;
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -32,6 +34,7 @@ import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -190,7 +193,7 @@ public class CRSEnrollment extends HttpServlet {
 private static final String PROP_FLATTENDN = "flattenDN";
 private static final String PROP_ENTRYOC = "entryObjectclass";
- // URL parameters
+ // URL parameters (message may be optionally present in body for POST requests)
 private static final String URL_OPERATION = "operation";
 private static final String URL_MESSAGE = "message";
@@ -355,6 +358,11 @@ public void service(HttpServletRequest httpReq,
 String message = null;
 mEncryptionAlgorithm = mConfiguredEncryptionAlgorithm;
+ logger.debug("http method=" + httpReq.getMethod());
+
+ // Try reading binary message in POST body and Base64-encode it
+ message = readMessageFromPostBody(httpReq);
+
 // Parse the URL from the HTTP Request. Split it up into
 // a structure which enables us to read the form elements
 ArgBlock input = new ArgBlock(toHashtable(httpReq));
@@ -363,7 +371,9 @@ public void service(HttpServletRequest httpReq,
 // Read in two form parameters - the router sets these
 operation = (String) input.get(URL_OPERATION);
 logger.debug("operation=" + operation);
- message = (String) input.get(URL_MESSAGE);
+ if (message == null) {
+ message = (String) input.get(URL_MESSAGE);
+ }
 logger.debug("message=" + message);
 if (!mEnabled) {
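Review bot: In the `@@ -355` hunk, `message = readMessageFromPostBody(httpReq);` drains the request body before `new ArgBlock(toHashtable(httpReq))` asks the container for parameters, and for a POST with `application/x-www-form-urlencoded` most servlet containers parse form parameters lazily from that same stream, so `operation` and `message` sent as form fields will most likely come back null and the later `if (message == null)` fallback cannot recover them. The commit message notes that the content type is ignored but the code does not guard on it; a content-type gate keeps existing form-posting clients working while still serving RFC-style binary POST bodies: `String ct = httpReq.getContentType(); if (ct == null || !ct.toLowerCase().startsWith("application/x-www-form-urlencoded")) { message = readMessageFromPostBody(httpReq); }`. Worth noting as well that the pre-existing `logger.debug("message=" + message)` now writes the complete Base64-encoded request body to the log for POST clients, which makes debug logs considerably larger than before. The enclosing service() method starts and ends outside this hunk.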
@@ -404,6 +414,31 @@ public void service(HttpServletRequest httpReq,
 }
+ /*
+ * If this is a POST request, try reading the binary message from the request body.
+ */
+ private String readMessageFromPostBody(HttpServletRequest httpReq) {
+ String message = null;
+
+ try {
+ if (httpReq.getMethod().equalsIgnoreCase("POST")) {
+ ServletInputStream is = httpReq.getInputStream();
+ ByteArrayOutputStream bstream = new ByteArrayOutputStream(10000);
+
+ int r;
+ while ((r = is.read()) > -1) {
+ bstream.write(r);
+ }
+
+ message = Utils.base64encode(bstream.toByteArray(), true);
+ }
+ } catch (IOException e) {
+ logger.warn("CSREnrollment: exception while reading POST body: " + e.getMessage(), e);
+ }
+
+ return message;
+ }
+
 private boolean isAlgorithmAllowed(String[] allowedAlgorithm, String algorithm) {
 boolean allowed = false;

From c7dd461fc35919b95cbedcbff543d9472bc93d7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matou=C5=A1=20Bor=C3=A1k?=
Date: Sun, 30 Aug 2020 02:28:35 +0200
Subject: [PATCH 2/2] Use single-line Base64 encoding

---
 .../src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 0c6eb181402..d9a513ce815 100644
--- a/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/ca/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -430,7 +430,7 @@ private String readMessageFromPostBody(HttpServletRequest httpReq) {
 bstream.write(r);
 }
- message = Utils.base64encode(bstream.toByteArray(), true);
+ message = Utils.base64encode(bstream.toByteArray(), false);
 }
 } catch (IOException e) {
 logger.warn("CSREnrollment: exception while reading POST body: " + e.getMessage(), e);
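Review bot: The `while ((r = is.read()) > -1)` loop in readMessageFromPostBody has no upper bound, so every POST body reaching this endpoint is buffered into memory in full, one byte per call, and then Base64-encoded (about a 4/3 expansion) before any of the message is validated; as far as the hunk shows nothing limits how much heap a single oversized request can claim. A second defect is that an empty POST body yields `Utils.base64encode(new byte[0], ...)`, an empty string rather than null, so the `if (message == null)` fallback in service() never consults the URL `message` parameter for a POST that carries its message in the query string. Capping the read (against Content-Length and against the bytes actually received, since the header can be absent), returning null for an empty body, and reading through a buffer address all three; the warning text also says `CSREnrollment` where the class is CRSEnrollment, and the same text is touched again in the second patch's `@@ -430` hunk. The method is complete within the hunk; the rewrite below uses the second patch's `false` argument and a placeholder name for the size limit, which should become a class constant sized to the largest expected SCEP PKCS#7 message.
```java
private String readMessageFromPostBody(HttpServletRequest httpReq) {
    if (!"POST".equalsIgnoreCase(httpReq.getMethod())) {
        return null;
    }

    // MAX_POST_BODY_BYTES: placeholder name, define as a class constant
    int declared = httpReq.getContentLength();
    if (declared > MAX_POST_BODY_BYTES) {
        logger.warn("CRSEnrollment: POST body of " + declared + " bytes exceeds limit, ignoring");
        return null;
    }

    try {
        ServletInputStream is = httpReq.getInputStream();
        ByteArrayOutputStream bstream = new ByteArrayOutputStream(declared > 0 ? declared : 10000);
        byte[] buf = new byte[4096];
        int n;
        while ((n = is.read(buf)) > -1) {
            // Content-Length may be missing or wrong (chunked transfer), so enforce the cap on received bytes too
            if (bstream.size() + n > MAX_POST_BODY_BYTES) {
                logger.warn("CRSEnrollment: POST body exceeds limit, ignoring");
                return null;
            }
            bstream.write(buf, 0, n);
        }
        if (bstream.size() == 0) {
            return null; // let service() fall back to the URL 'message' parameter
        }
        return Utils.base64encode(bstream.toByteArray(), false);
    } catch (IOException e) {
        logger.warn("CRSEnrollment: exception while reading POST body: " + e.getMessage(), e);
        return null;
    }
}
```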