@Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { // // If OSS is already initialized, bail out // if (OSS.isInitialized()) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Open Secret Server already initialized."); return; } // // Extract token // String b64token = req.getParameter("token"); // // Decode it from base64 // byte[] token = Base64.decode(b64token); // // Extract wrapped init token and sealed AES key // byte[] wrappedtoken = CryptoHelper.decodeNetworkString(token, 0); byte[] sealedaeskey = CryptoHelper.decodeNetworkString(token, wrappedtoken.length + 4); // // Unseal AES key // byte[] aeskey = CryptoHelper.decryptRSA(OSS.getSessionRSAPrivateKey(), sealedaeskey); // // Unwrap init token // byte[] inittoken = CryptoHelper.unwrapAES(aeskey, wrappedtoken); // // Check OSS Token // OSS.OSSToken osstoken = null; try { osstoken = OSS.checkToken(inittoken); } catch (OSSException osse) { LOGGER.error("doPost", osse); resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage()); return; } // // Check signing key fingerprint // if (!OSS.checkInitSSHKey(osstoken.getKeyblob())) { LOGGER.error( "[" + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob()))) + "] (unauthorized) attempted to initialize Open Secret Server."); resp.sendError( HttpServletResponse.SC_FORBIDDEN, "SSH signing key is not authorized to initialize this Open Secret Server."); return; } // // Add secret to initialization // try { OSS.init(osstoken.getSecret()); } catch (OSSException osse) { LOGGER.error("doPost", osse); resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage()); return; } if (!OSS.isInitialized()) { LOGGER.info( "[" + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob()))) + "] added secret to intialize Open Secret Server."); resp.sendError( HttpServletResponse.SC_ACCEPTED, "Open Secret Server not yet initialized, needs some more secrets."); return; } else { LOGGER.info( "[" + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob()))) + "] completed intialization of Open Secret Server."); } resp.setStatus(HttpServletResponse.SC_OK); }