author | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
commit | 32150d3ee32f8ac27118af7c792794b538c78a2f (patch) | |
tree | 52dd96f664a6fa51be25b28b6f10adc5f2c9f660 /pki/base/ca | |
parent | f05d58a46795553beb8881039cc922974b40db34 (diff) | |
download | pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.gz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.xz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.zip |
Formatting
Formatted project according to eclipse project settings
Diffstat (limited to 'pki/base/ca')
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CAPolicy.java | 54 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CAService.java | 1245 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java | 416 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 1671 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java | 35 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/CertificateAuthority.java | 949 | ||||
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/SigningUnit.java | 188 |
7 files changed, 2519 insertions, 2039 deletions
diff --git a/pki/base/ca/src/com/netscape/ca/CAPolicy.java b/pki/base/ca/src/com/netscape/ca/CAPolicy.java
index 80c801a42..6326cf8c8 100644
--- a/pki/base/ca/src/com/netscape/ca/CAPolicy.java
+++ b/pki/base/ca/src/com/netscape/ca/CAPolicy.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.ca;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -32,14 +31,11 @@ import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cmscore.policy.GenericPolicyProcessor;
 import com.netscape.cmscore.util.Debug;
-
 /**
- * XXX Just inherit 'GenericPolicyProcessor' (from RA) for now.
- * This really bad. need to make a special case just for connector.
- * would like a much better way of doing this to handle both EE and
- * connectors.
- * XXX2 moved to just implement IPolicy since GenericPolicyProcessor is
- * unuseable for CA.
+ * XXX Just inherit 'GenericPolicyProcessor' (from RA) for now. This really bad.
+ * need to make a special case just for connector. would like a much better way
+ * of doing this to handle both EE and connectors. XXX2 moved to just implement
+ * IPolicy since GenericPolicyProcessor is unuseable for CA.
  *
  * @version $Revision$, $Date$
  */
@@ -47,8 +43,7 @@ public class CAPolicy implements IPolicy {
     IConfigStore mConfig = null;
     ICertificateAuthority mCA = null;
-    public static String PROP_PROCESSOR =
-            "processor";
+    public static String PROP_PROCESSOR = "processor";
     // These are the different types of policy that are
     // allowed for the "processor" property
     public static String PR_TYPE_CLASSIC = "classic";
@@ -64,19 +59,19 @@ public class CAPolicy implements IPolicy {
     }
 
     public void init(ISubsystem owner, IConfigStore config)
-        throws EBaseException {
+            throws EBaseException {
         mCA = (ICertificateAuthority) owner;
         mConfig = config;
 
-        String processorType = // XXX - need to upgrade 4.2
-            config.getString(PROP_PROCESSOR, PR_TYPE_CLASSIC);
+        String processorType = // XXX - need to upgrade 4.2
+        config.getString(PROP_PROCESSOR, PR_TYPE_CLASSIC);
 
         Debug.trace("selected policy processor = " + processorType);
 
         if (processorType.equals(PR_TYPE_CLASSIC)) {
             mPolicies = new GenericPolicyProcessor();
         } else {
-            throw new EBaseException("Unknown policy processor type (" +
-                    processorType + ")");
+            throw new EBaseException("Unknown policy processor type ("
+                    + processorType + ")");
         }
 
         mPolicies.init(mCA, mConfig);
@@ -99,33 +94,31 @@ public class CAPolicy implements IPolicy {
             return PolicyResult.REJECTED;
         }
 
-        Debug.trace("in CAPolicy.apply(requestType=" +
-                r.getRequestType() + ",requestId=" +
-                r.getRequestId().toString() + ",requestStatus=" +
-                r.getRequestStatus().toString() + ")");
+        Debug.trace("in CAPolicy.apply(requestType=" + r.getRequestType()
+                + ",requestId=" + r.getRequestId().toString()
+                + ",requestStatus=" + r.getRequestStatus().toString() + ")");
 
-        if (isProfileRequest(r)) {
-            Debug.trace("CAPolicy: Profile-base Request " +
-                    r.getRequestId().toString());
+        if (isProfileRequest(r)) {
+            Debug.trace("CAPolicy: Profile-base Request "
+                    + r.getRequestId().toString());
 
-            CMS.debug("CAPolicy: requestId=" +
-                    r.getRequestId().toString());
+            CMS.debug("CAPolicy: requestId=" + r.getRequestId().toString());
 
             String profileId = r.getExtDataInString("profileId");
 
-            if (profileId == null || profileId.equals("")) {
+            if (profileId == null || profileId.equals("")) {
                 return PolicyResult.REJECTED;
             }
 
-            IProfileSubsystem ps = (IProfileSubsystem)
-                    CMS.getSubsystem("profile");
+            IProfileSubsystem ps = (IProfileSubsystem) CMS
+                    .getSubsystem("profile");
 
             try {
-                IProfile profile = ps.getProfile(profileId);
+                IProfile profile = ps.getProfile(profileId);
 
                 r.setExtData("dbStatus", "NOT_UPDATED");
-                profile.populate(r);
-                profile.validate(r);
+                profile.populate(r);
+                profile.validate(r);
                 return PolicyResult.ACCEPTED;
             } catch (EBaseException e) {
                 CMS.debug("CAPolicy: " + e.toString());
@@ -137,4 +130,3 @@ public class CAPolicy implements IPolicy {
         }
     }
 }
-
diff --git a/pki/base/ca/src/com/netscape/ca/CAService.java b/pki/base/ca/src/com/netscape/ca/CAService.java
index 159539d45..44ab65bcf 100644
--- a/pki/base/ca/src/com/netscape/ca/CAService.java
+++ b/pki/base/ca/src/com/netscape/ca/CAService.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.ca;
-
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
@@ -92,7 +91,6 @@ import com.netscape.cmscore.dbs.CertificateRepository;
 import com.netscape.cmscore.dbs.RevocationInfo;
 import com.netscape.cmscore.util.Debug;
-
 /**
  * Request Service for CertificateAuthority.
  */
@@ -113,56 +111,31 @@ public class CAService implements ICAService, IService {
     private Hashtable mCRLIssuingPoints = new Hashtable();
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String
-            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
 
     public CAService(ICertificateAuthority ca) {
         mCA = ca;
 
-        // init services.
-        mServants.put(
-                IRequest.ENROLLMENT_REQUEST,
-                new serviceIssue(this));
-        mServants.put(
-                IRequest.RENEWAL_REQUEST,
-                new serviceRenewal(this));
-        mServants.put(
-                IRequest.REVOCATION_REQUEST,
-                new serviceRevoke(this));
-        mServants.put(
-                IRequest.CMCREVOKE_REQUEST,
-                new serviceRevoke(this));
-        mServants.put(
-                IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST,
-                new serviceCheckChallenge(this));
-        mServants.put(
-                IRequest.GETCERTS_FOR_CHALLENGE_REQUEST,
-                new getCertsForChallenge(this));
-        mServants.put(
-                IRequest.UNREVOCATION_REQUEST,
-                new serviceUnrevoke(this));
-        mServants.put(
-                IRequest.GETCACHAIN_REQUEST,
-                new serviceGetCAChain(this));
-        mServants.put(
-                IRequest.GETCRL_REQUEST,
-                new serviceGetCRL(this));
-        mServants.put(
-                IRequest.GETREVOCATIONINFO_REQUEST,
-                new serviceGetRevocationInfo(this));
-        mServants.put(
-                IRequest.GETCERTS_REQUEST,
-                new serviceGetCertificates(this));
-        mServants.put(
-                IRequest.CLA_CERT4CRL_REQUEST,
-                new serviceCert4Crl(this));
-        mServants.put(
-                IRequest.CLA_UNCERT4CRL_REQUEST,
-                new serviceUnCert4Crl(this));
-        mServants.put(
-                IRequest.GETCERT_STATUS_REQUEST,
-                new getCertStatus(this));
+        // init services.
+        mServants.put(IRequest.ENROLLMENT_REQUEST, new serviceIssue(this));
+        mServants.put(IRequest.RENEWAL_REQUEST, new serviceRenewal(this));
+        mServants.put(IRequest.REVOCATION_REQUEST, new serviceRevoke(this));
+        mServants.put(IRequest.CMCREVOKE_REQUEST, new serviceRevoke(this));
+        mServants.put(IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST,
+                new serviceCheckChallenge(this));
+        mServants.put(IRequest.GETCERTS_FOR_CHALLENGE_REQUEST,
+                new getCertsForChallenge(this));
+        mServants.put(IRequest.UNREVOCATION_REQUEST, new serviceUnrevoke(this));
+        mServants.put(IRequest.GETCACHAIN_REQUEST, new serviceGetCAChain(this));
+        mServants.put(IRequest.GETCRL_REQUEST, new serviceGetCRL(this));
+        mServants.put(IRequest.GETREVOCATIONINFO_REQUEST,
+                new serviceGetRevocationInfo(this));
+        mServants.put(IRequest.GETCERTS_REQUEST, new serviceGetCertificates(
+                this));
+        mServants.put(IRequest.CLA_CERT4CRL_REQUEST, new serviceCert4Crl(this));
+        mServants.put(IRequest.CLA_UNCERT4CRL_REQUEST, new serviceUnCert4Crl(
+                this));
+        mServants.put(IRequest.GETCERT_STATUS_REQUEST, new getCertStatus(this));
     }
 
     public void init(IConfigStore config) throws EBaseException {
@@ -170,28 +143,32 @@ public class CAService implements ICAService, IService {
 
         try {
             // MOVED TO com.netscape.certsrv.apps.CMS
-            // java.security.Security.addProvider(new netscape.security.provider.CMS());
-            // java.security.Provider pr = java.security.Security.getProvider("CMS");
-            // if (pr != null) {
-            // ;
-            // }
-            // else
-            // Debug.trace("Something is wrong in CMS install !");
-            java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
+            // java.security.Security.addProvider(new
+            // netscape.security.provider.CMS());
+            // java.security.Provider pr =
+            // java.security.Security.getProvider("CMS");
+            // if (pr != null) {
+            // ;
+            // }
+            // else
+            // Debug.trace("Something is wrong in CMS install !");
+            java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory
+                    .getInstance("X.509");
 
             Debug.trace("CertificateFactory Type : " + cf.getType());
-            Debug.trace("CertificateFactory Provider : " + cf.getProvider().getInfo());
+            Debug.trace("CertificateFactory Provider : "
+                    + cf.getProvider().getInfo());
         } catch (java.security.cert.CertificateException e) {
-            Debug.trace("Something is happen in install CMS provider !" + e.toString());
-        }
+            Debug.trace("Something is happen in install CMS provider !"
+                    + e.toString());
+        }
     }
 
     public void startup() throws EBaseException {
         IConfigStore kraConfig = mConfig.getSubStore("KRA");
 
         if (kraConfig != null) {
-            mArchivalRequired = kraConfig.getBoolean(
-                    "archivalRequired", true);
+            mArchivalRequired = kraConfig.getBoolean("archivalRequired", true);
             mKRAConnector = getConnector(kraConfig);
             if (mKRAConnector != null) {
                 if (Debug.ON) {
@@ -228,8 +205,7 @@ public class CAService implements ICAService, IService {
         mKRAConnector = c;
     }
 
-    public IConnector getConnector(IConfigStore config)
-            throws EBaseException {
+    public IConnector getConnector(IConfigStore config) throws EBaseException {
         IConnector connector = null;
 
         if (config == null || config.size() <= 0) {
@@ -241,13 +217,15 @@ public class CAService implements ICAService, IService {
 
         if (extConnector != null) {
             try {
-                connector = (IConnector)
-                        Class.forName(extConnector).newInstance();
+                connector = (IConnector) Class.forName(extConnector)
+                        .newInstance();
                 // connector.start() will be called later on
                 return connector;
             } catch (Exception e) {
                 // ignore external class if error
-                mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_LOAD_CONNECTOR", extConnector, e.toString()));
+                mCA.log(ILogger.LL_FAILURE,
+                        CMS.getLogMessage("CMSCORE_CA_LOAD_CONNECTOR",
+                                extConnector, e.toString()));
             }
         }
 
@@ -263,7 +241,8 @@ public class CAService implements ICAService, IService {
         if (authority == null) {
             String msg = "local authority " + id + " not found.";
 
-            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_AUTHORITY_NOT_FOUND", id));
+            mCA.log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CMSCORE_CA_AUTHORITY_NOT_FOUND", id));
             throw new EBaseException(msg);
         }
         connector = new LocalConnector((ICertAuthority) mCA, authority);
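Review bot: The `catch (Exception e)` under `// ignore external class if error` in the first hunk does not do what the comment says: `Class.forName(extConnector)` can also fail with a `LinkageError` such as `NoClassDefFoundError` or `ExceptionInInitializerError`, and those are not `Exception`s, so a broken externally configured connector class still aborts `getConnector` instead of being logged and skipped. Since `extConnector` comes from configuration, the behaviour on a bad class name versus a bad class body should at least be stated; I would change the comment to `// ignore external class on Exception; LinkageErrors from Class.forName still propagate`. Narrowing to the reflective exceptions and letting the rest propagate would also be cleaner than catching `Exception`, but that is a behaviour change outside this formatting commit. The enclosing method starts before this hunk and continues past it.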
@@ -278,25 +257,27 @@ public class CAService implements ICAService, IService {
             int timeout = config.getInteger("timeout", 0);
             // Insert end
             // Changed by beomsuk
-            //RemoteAuthority remauthority =
-            //    new RemoteAuthority(host, port, uri);
-            RemoteAuthority remauthority =
-                new RemoteAuthority(host, port, uri, timeout);
+            // RemoteAuthority remauthority =
+            // new RemoteAuthority(host, port, uri);
+            RemoteAuthority remauthority = new RemoteAuthority(host, port, uri,
+                    timeout);
 
-            // Change end
-            if (nickname == null)
+            // Change end
+            if (nickname == null)
                 nickname = mCA.getNickname();
-            // Changed by beomsuk
-            //connector =
-            //    new HttpConnector(mCA, nickname, remauthority, resendInterval);
+            // Changed by beomsuk
+            // connector =
+            // new HttpConnector(mCA, nickname, remauthority, resendInterval);
             if (timeout == 0)
-                connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config);
+                connector = new HttpConnector((IAuthority) mCA, nickname,
+                        remauthority, resendInterval, config);
             else
-                connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config, timeout);
-            // Change end
+                connector = new HttpConnector((IAuthority) mCA, nickname,
+                        remauthority, resendInterval, config, timeout);
+            // Change end
 
-            // log(ILogger.LL_INFO, "remote authority "+
-            //    host+":"+port+" "+uri+" inited");
+            // log(ILogger.LL_INFO, "remote authority "+
+            // host+":"+port+" "+uri+" inited");
         }
         return connector;
     }
@@ -311,13 +292,12 @@ public class CAService implements ICAService, IService {
     }
 
     /**
-     * After population of defaults, and constraint validation,
-     * the profile request is processed here.
+     * After population of defaults, and constraint validation, the profile
+     * request is processed here.
      */
-    public void serviceProfileRequest(IRequest request)
-            throws EBaseException {
-        CMS.debug("CAService: serviceProfileRequest requestId=" +
-                request.getRequestId().toString());
+    public void serviceProfileRequest(IRequest request) throws EBaseException {
+        CMS.debug("CAService: serviceProfileRequest requestId="
+                + request.getRequestId().toString());
 
         String profileId = request.getExtDataInString("profileId");
 
@@ -325,8 +305,7 @@ public class CAService implements ICAService, IService {
             throw new EBaseException("profileId not found");
         }
 
-        IProfileSubsystem ps = (IProfileSubsystem)
-                CMS.getSubsystem("profile");
+        IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem("profile");
         IProfile profile = null;
 
         try {
@@ -340,25 +319,26 @@ public class CAService implements ICAService, IService {
         // assumed rejected
         request.setExtData("dbStatus", "NOT_UPDATED");
 
-        // profile.populate(request);
+        // profile.populate(request);
         profile.validate(request);
         profile.execute(request);
 
         // This function is called only from ConnectorServlet
-        // serialize to request queue
+        // serialize to request queue
     }
 
     /**
-     * method interface for IService
+     * method interface for IService
      * <P>
-     *
+     * 
      * <ul>
      * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used
-     whenever a user private key archive request is made. This is an option
-     in a cert enrollment request detected by an RA or a CA, so, if selected,
-     it should be logged immediately following the certificate request.
+     whenever a user private key archive request is made. This is an option in
+     a cert enrollment request detected by an RA or a CA, so, if selected, it
+     should be logged immediately following the certificate request.
      * </ul>
+     * 
      * @param request a certificate enrollment request from an RA or CA
      * @return true or false
      */
@@ -373,23 +353,25 @@ public class CAService implements ICAService, IService {
         // short cut profile-based request
         if (isProfileRequest(request)) {
             try {
-                CMS.debug("CAServic: x0 requestStatus=" + request.getRequestStatus().toString() + " instance=" + request);
+                CMS.debug("CAServic: x0 requestStatus="
+                        + request.getRequestStatus().toString() + " instance="
+                        + request);
                 serviceProfileRequest(request);
                 request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
-                CMS.debug("CAServic: x1 requestStatus=" + request.getRequestStatus().toString());
+                CMS.debug("CAServic: x1 requestStatus="
+                        + request.getRequestStatus().toString());
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                        auditSubjectID,
-                        ILogger.SUCCESS,
-                        auditRequesterID,
-                        auditArchiveID);
+                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        auditSubjectID, ILogger.SUCCESS, auditRequesterID,
+                        auditArchiveID);
 
                 audit(auditMessage);
 
                 return true;
             } catch (EBaseException e) {
-                CMS.debug("CAServic: x2 requestStatus=" + request.getRequestStatus().toString());
+                CMS.debug("CAServic: x2 requestStatus="
+                        + request.getRequestStatus().toString());
                 // need to put error into the request
                 CMS.debug("CAService: serviceRequest " + e.toString());
                 request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
@@ -397,11 +379,9 @@ public class CAService implements ICAService, IService {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                        auditSubjectID,
-                        ILogger.FAILURE,
-                        auditRequesterID,
-                        auditArchiveID);
+                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        auditSubjectID, ILogger.FAILURE, auditRequesterID,
+                        auditArchiveID);
 
                 audit(auditMessage);
 
@@ -413,17 +393,18 @@ public class CAService implements ICAService, IService {
         IServant servant = (IServant) mServants.get(type);
 
         if (servant == null) {
-            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_REQUEST_TYPE", type));
+            mCA.log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CMSCORE_CA_INVALID_REQUEST_TYPE", type));
             request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
-            request.setExtData(IRequest.ERROR,
-                    new ECAException(CMS.getUserMessage("CMS_CA_UNRECOGNIZED_REQUEST_TYPE", type)));
+            request.setExtData(
+                    IRequest.ERROR,
+                    new ECAException(CMS.getUserMessage(
+                            "CMS_CA_UNRECOGNIZED_REQUEST_TYPE", type)));
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                    auditSubjectID,
-                    ILogger.FAILURE,
-                    auditRequesterID,
-                    auditArchiveID);
+                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                    auditSubjectID, ILogger.FAILURE, auditRequesterID,
+                    auditArchiveID);
 
             audit(auditMessage);
 
@@ -432,8 +413,9 @@ public class CAService implements ICAService, IService {
 
         try {
             // send request to KRA first
-            if (type.equals(IRequest.ENROLLMENT_REQUEST) &&
-                    isPKIArchiveOptionPresent(request) && mKRAConnector != null) {
+            if (type.equals(IRequest.ENROLLMENT_REQUEST)
+                    && isPKIArchiveOptionPresent(request)
+                    && mKRAConnector != null) {
                 if (Debug.ON) {
                     Debug.trace("*** Sending enrollment request to KRA");
                 }
@@ -441,36 +423,36 @@ public class CAService implements ICAService, IService {
 
                 if (mArchivalRequired == true) {
                     if (sendStatus == false) {
-                        request.setExtData(IRequest.RESULT,
-                                IRequest.RES_ERROR);
-                        request.setExtData(IRequest.ERROR,
-                                new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST")));
+                        request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+                        request.setExtData(
+                                IRequest.ERROR,
+                                new ECAException(
+                                        CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST")));
 
                         // store a message in the signed audit log file
-                        auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                                auditSubjectID,
-                                ILogger.FAILURE,
-                                auditRequesterID,
-                                auditArchiveID);
+                        auditMessage = CMS
+                                .getLogMessage(
+                                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                        auditSubjectID, ILogger.FAILURE,
+                                        auditRequesterID, auditArchiveID);
 
                         audit(auditMessage);
 
                         return true;
                     } else {
                         if (request.getExtDataInString(IRequest.ERROR) != null) {
-                            request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+                            request.setExtData(IRequest.RESULT,
+                                    IRequest.RES_SUCCESS);
                             request.deleteExtData(IRequest.ERROR);
                         }
                     }
 
                     if (request.getExtDataInString(IRequest.ERROR) != null) {
                         // store a message in the signed audit log file
-                        auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                                auditSubjectID,
-                                ILogger.FAILURE,
-                                auditRequesterID,
-                                auditArchiveID);
+                        auditMessage = CMS
+                                .getLogMessage(
+                                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                        auditSubjectID, ILogger.FAILURE,
+                                        auditRequesterID, auditArchiveID);
 
                         audit(auditMessage);
 
@@ -479,7 +461,8 @@ public class CAService implements ICAService, IService {
                     }
                 } else {
                     if (Debug.ON) {
-                        Debug.trace("*** NOT Send to KRA type=" + type + " ENROLLMENT=" + IRequest.ENROLLMENT_REQUEST);
+                        Debug.trace("*** NOT Send to KRA type=" + type
+                                + " ENROLLMENT=" + IRequest.ENROLLMENT_REQUEST);
                     }
                 }
 
@@ -491,11 +474,9 @@ public class CAService implements ICAService, IService {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                    auditSubjectID,
-                    ILogger.FAILURE,
-                    auditRequesterID,
-                    auditArchiveID);
+                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                    auditSubjectID, ILogger.FAILURE, auditRequesterID,
+                    auditArchiveID);
 
             audit(auditMessage);
 
@@ -506,16 +487,14 @@ public class CAService implements ICAService, IService {
         if (Debug.ON)
             Debug.trace("serviceRequest completed = " + completed);
 
-        if (!(type.equals(IRequest.REVOCATION_REQUEST) ||
-                type.equals(IRequest.UNREVOCATION_REQUEST) ||
-                type.equals(IRequest.CMCREVOKE_REQUEST))) {
+        if (!(type.equals(IRequest.REVOCATION_REQUEST)
+                || type.equals(IRequest.UNREVOCATION_REQUEST) || type
+                .equals(IRequest.CMCREVOKE_REQUEST))) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
-                    auditSubjectID,
-                    ILogger.SUCCESS,
-                    auditRequesterID,
-                    auditArchiveID);
+                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                    auditSubjectID, ILogger.SUCCESS, auditRequesterID,
+                    auditArchiveID);
 
             audit(auditMessage);
         }
@@ -524,7 +503,7 @@ public class CAService implements ICAService, IService {
     }
 
     /**
-     * register CRL Issuing Point
+     * register CRL Issuing Point
      */
     public void addCRLIssuingPoint(String id, ICRLIssuingPoint crlIssuingPoint) {
         mCRLIssuingPoints.put(id, crlIssuingPoint);
@@ -541,8 +520,8 @@ public class CAService implements ICAService, IService {
      * Checks if PKIArchiveOption present in the request.
      */
     private boolean isPKIArchiveOptionPresent(IRequest request) {
-        String crmfBlob = request.getExtDataInString(
-                IRequest.HTTP_PARAMS, CRMF_REQUEST);
+        String crmfBlob = request.getExtDataInString(IRequest.HTTP_PARAMS,
+                CRMF_REQUEST);
 
         if (crmfBlob == null) {
             if (Debug.ON) {
@@ -550,7 +529,8 @@ public class CAService implements ICAService, IService {
             }
         } else {
             try {
-                PKIArchiveOptionsContainer opts[] = CRMFParser.getPKIArchiveOptions(crmfBlob);
+                PKIArchiveOptionsContainer opts[] = CRMFParser
+                        .getPKIArchiveOptions(crmfBlob);
 
                 if (opts != null) {
                     return true;
@@ -562,20 +542,19 @@ public class CAService implements ICAService, IService {
         return false;
     }
 
-    ///
-    /// CA related routines.
-    ///
+    // /
+    // / CA related routines.
+    // /
 
-    public X509CertImpl issueX509Cert(X509CertInfo certi)
-            throws EBaseException {
+    public X509CertImpl issueX509Cert(X509CertInfo certi) throws EBaseException {
         return issueX509Cert(certi, null, null);
     }
 
     /**
      * issue cert for enrollment.
      */
-    public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId, String rid)
-            throws EBaseException {
+    public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId,
+            String rid) throws EBaseException {
         CMS.debug("issueX509Cert");
 
         X509CertImpl certImpl = issueX509Cert("", certi, false, null);
@@ -586,7 +565,7 @@ public class CAService implements ICAService, IService {
     }
 
     X509CertImpl issueX509Cert(String rid, X509CertInfo certi)
-            throws EBaseException {
+            throws EBaseException {
         return issueX509Cert(rid, certi, false, null);
     }
 
@@ -594,7 +573,7 @@ public class CAService implements ICAService, IService {
      * issue cert for enrollment.
      */
     void storeX509Cert(String profileId, String rid, X509CertImpl cert)
-            throws EBaseException {
+            throws EBaseException {
         storeX509Cert(rid, cert, false, null, null, null, profileId);
     }
 
@@ -602,28 +581,27 @@ public class CAService implements ICAService, IService {
      * issue cert for enrollment.
      */
     void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId)
-            throws EBaseException {
+            throws EBaseException {
         storeX509Cert(rid, cert, false, null, crmfReqId, null, null);
     }
 
-    void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId,
-            String challengePassword) throws EBaseException {
-        storeX509Cert(rid, cert, false, null, crmfReqId, challengePassword, null);
+    void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId,
+            String challengePassword) throws EBaseException {
+        storeX509Cert(rid, cert, false, null, crmfReqId, challengePassword,
+                null);
     }
 
     /**
-     * issue cert for enrollment and renewal.
-     * renewal is expected to have original cert serial no. in cert info
-     * field.
+     * issue cert for enrollment and renewal. renewal is expected to have
+     * original cert serial no. in cert info field.
      */
-    X509CertImpl issueX509Cert(String rid, X509CertInfo certi,
-            boolean renewal, BigInteger oldSerialNo)
-            throws EBaseException {
+    X509CertImpl issueX509Cert(String rid, X509CertInfo certi, boolean renewal,
+            BigInteger oldSerialNo) throws EBaseException {
         String algname = null;
         X509CertImpl cert = null;
 
-        // NOTE: In this implementation, the "oldSerialNo"
-        // parameter is NOT used!
+        // NOTE: In this implementation, the "oldSerialNo"
+        // parameter is NOT used!
 
         boolean doUTF8 = mConfig.getBoolean("dnUTF8Encoding", false);
 
@@ -631,11 +609,12 @@ public class CAService implements ICAService, IService {
 
         try {
             // check required fields in certinfo.
-            if (certi.get(X509CertInfo.SUBJECT) == null ||
-                    certi.get(X509CertInfo.KEY) == null) {
+            if (certi.get(X509CertInfo.SUBJECT) == null
+                    || certi.get(X509CertInfo.KEY) == null) {
 
-                mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_ATTR"));
-                // XXX how do you reject a request in the service object ?
+                mCA.log(ILogger.LL_FAILURE,
+                        CMS.getLogMessage("CMSCORE_CA_MISSING_ATTR"));
+                // XXX how do you reject a request in the service object ?
                 throw new ECAException(
                         CMS.getUserMessage("CMS_CA_MISSING_REQD_FIELDS_IN_CERTISSUE"));
             }
@@ -647,34 +626,31 @@ public class CAService implements ICAService, IService {
             }
 
             // set default validity if not set.
-            // validity would normally be set by policies or by
-            // agent or by authentication module.
-            CertificateValidity validity = (CertificateValidity)
-                    certi.get(X509CertInfo.VALIDITY);
+            // validity would normally be set by policies or by
+            // agent or by authentication module.
+            CertificateValidity validity = (CertificateValidity) certi
+                    .get(X509CertInfo.VALIDITY);
             Date begin = null, end = null;
 
             if (validity != null) {
-                begin = (Date)
-                        validity.get(CertificateValidity.NOT_BEFORE);
-                end = (Date)
-                        validity.get(CertificateValidity.NOT_AFTER);
+                begin = (Date) validity.get(CertificateValidity.NOT_BEFORE);
+                end = (Date) validity.get(CertificateValidity.NOT_AFTER);
             }
 
-            if (validity == null ||
-                    (begin.getTime() == 0 && end.getTime() == 0)) {
+            if (validity == null
+                    || (begin.getTime() == 0 && end.getTime() == 0)) {
                 if (Debug.ON) {
                     Debug.trace("setting default validity");
                 }
-
+
                 begin = CMS.getCurrentDate();
                 end = new Date(begin.getTime() + mCA.getDefaultValidity());
-                certi.set(CertificateValidity.NAME,
-                        new CertificateValidity(begin, end));
+                certi.set(CertificateValidity.NAME, new CertificateValidity(
+                        begin, end));
             }
 
             /*
-             * For non-CA certs, check if validity exceeds CA time.
-             * If so, set to CA's not after if default validity
-             * exceeds ca's not after.
+             * For non-CA certs, check if validity exceeds CA time. If so, set
+             * to CA's not after if default validity exceeds ca's not after.
              */
 
             // First find out if it is a CA cert
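Review bot: The default-validity guard `if (validity == null || (begin.getTime() == 0 && end.getTime() == 0))` only fires when both dates are unset, so a `CertificateValidity` carrying one epoch-zero date and one real date skips the default and the epoch-zero date is left in `certi` as-is; the later `begin.after(caNotAfter)` check on this page would not reject a 1970 notBefore. Whether a partially set validity can actually reach this point depends on the policies and profiles that populate it, which are not visible here, so at minimum I would document the intent above the guard: `// only a fully unset validity (both dates 0) is replaced by the default; a partially set one is passed through unchanged`. The code also assumes the NOT_BEFORE/NOT_AFTER lookups never return null once `validity` is non-null; if they can, `begin.getTime()` throws. issueX509Cert's body starts before this hunk and continues past it.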
@@ -683,21 +659,26 @@ public class CAService implements ICAService, IService {
             BasicConstraintsExtension bc_ext = null;
 
             try {
-                exts = (CertificateExtensions)
-                        certi.get(X509CertInfo.EXTENSIONS);
+                exts = (CertificateExtensions) certi
+                        .get(X509CertInfo.EXTENSIONS);
                 if (exts != null) {
                     Enumeration e = exts.getElements();
 
                     while (e.hasMoreElements()) {
-                        netscape.security.x509.Extension ext = (netscape.security.x509.Extension) e.nextElement();
+                        netscape.security.x509.Extension ext = (netscape.security.x509.Extension) e
+                                .nextElement();
 
-                        if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) {
+                        if (ext.getExtensionId()
+                                .toString()
+                                .equals(PKIXExtensions.BasicConstraints_Id
+                                        .toString())) {
                             bc_ext = (BasicConstraintsExtension) ext;
                         }
                     }
 
-                    if(bc_ext != null) {
-                        Boolean isCA = (Boolean) bc_ext.get(BasicConstraintsExtension.IS_CA);
+                    if (bc_ext != null) {
+                        Boolean isCA = (Boolean) bc_ext
+                                .get(BasicConstraintsExtension.IS_CA);
                         is_ca = isCA.booleanValue();
                     }
                 } // exts != null
@@ -705,95 +686,108 @@ public class CAService implements ICAService, IService {
                 CMS.debug("EnrollDefault: getExtension " + e.toString());
             }
 
-            Date caNotAfter =
-                    mCA.getSigningUnit().getCertImpl().getNotAfter();
+            Date caNotAfter = mCA.getSigningUnit().getCertImpl().getNotAfter();
 
             if (begin.after(caNotAfter)) {
-                mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY"));
-                throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY"));
+                mCA.log(ILogger.LL_FAILURE,
+                        CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY"));
+                throw new ECAException(
+                        CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY"));
             }
 
             if (end.after(caNotAfter)) {
-                if(!is_ca) {
+                if (!is_ca) {
                     if (!mCA.isEnablePastCATime()) {
                         end = caNotAfter;
-                        certi.set(CertificateValidity.NAME,
-                                new CertificateValidity(begin, caNotAfter));
+                        certi.set(CertificateValidity.NAME,
+                                new CertificateValidity(begin, caNotAfter));
                         CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting");
                     } else {
                         CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting");
                     }
                 } else {
                     CMS.debug("CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.");
-                } //!is_ca
-                mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER"));
+                } // !is_ca
+                mCA.log(ILogger.LL_INFO,
+                        CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER"));
             }
 
             // check algorithm in certinfo.
             AlgorithmId algid = null;
-            CertificateAlgorithmId algor = (CertificateAlgorithmId)
-                    certi.get(X509CertInfo.ALGORITHM_ID);
+            CertificateAlgorithmId algor = (CertificateAlgorithmId) certi
+                    .get(X509CertInfo.ALGORITHM_ID);
 
-            if (algor == null || algor.toString().equals(CertInfo.SERIALIZE_ALGOR.toString())) {
+            if (algor == null
+                    || algor.toString().equals(
+                            CertInfo.SERIALIZE_ALGOR.toString())) {
                 algname = mCA.getSigningUnit().getDefaultAlgorithm();
                 algid = AlgorithmId.get(algname);
-                certi.set(X509CertInfo.ALGORITHM_ID,
-                        new CertificateAlgorithmId(algid));
+                certi.set(X509CertInfo.ALGORITHM_ID,
+                        new CertificateAlgorithmId(algid));
             } else {
-                algid = (AlgorithmId)
-                        algor.get(CertificateAlgorithmId.ALGORITHM);
+                algid = (AlgorithmId) algor
+                        .get(CertificateAlgorithmId.ALGORITHM);
                 algname = algid.getName();
             }
         } catch (CertificateException e) {
-            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString()));
+            mCA.log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString()));
             if (Debug.ON) {
                 e.printStackTrace();
             }
             throw new ECAException(
                     CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE"));
         } catch (IOException e) {
-            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString()));
+            mCA.log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString()));
             if (Debug.ON) {
                 e.printStackTrace();
             }
             throw new ECAException(
                     CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE"));
         } catch (NoSuchAlgorithmException e) {
-            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname));
+            mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage(
+                    "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname));
             if (Debug.ON) {
                 e.printStackTrace();
             }
-            throw new ECAException(
-                    CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+            throw new ECAException(CMS.getUserMessage(
+                    "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
         }
 
         // get old cert serial number if renewal
         if (renewal) {
             try {
-                CertificateSerialNumber serialno = (CertificateSerialNumber)
-                        certi.get(X509CertInfo.SERIAL_NUMBER);
+                CertificateSerialNumber serialno = (CertificateSerialNumber) certi
+                        .get(X509CertInfo.SERIAL_NUMBER);
 
                 if (serialno == null) {
-                    mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER"));
+                    mCA.log(ILogger.LL_FAILURE,
+                            CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER"));
                     throw new ECAException(
                             CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ"));
                 }
-                SerialNumber serialnum = (SerialNumber)
-                        serialno.get(CertificateSerialNumber.NUMBER);
+                SerialNumber serialnum = (SerialNumber) serialno
+                        .get(CertificateSerialNumber.NUMBER);
 
                 if (serialnum == null) {
-                    mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER"));
+                    mCA.log(ILogger.LL_FAILURE,
+                            CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER"));
                     throw new ECAException(
                             CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ"));
                 }
             } catch (CertificateException e) {
-                // not possible
-                mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage()));
+                // not possible
+                mCA.log(ILogger.LL_FAILURE,
+                        CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL",
+                                e.getMessage()));
                 throw new ECAException(
                         CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ"));
             } catch (IOException e) {
-                // not possible.
-                mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage()));
+                // not possible.
+                mCA.log(ILogger.LL_FAILURE,
+                        CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL",
+                                e.getMessage()));
                 throw new ECAException(
                         CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ"));
             }
@@ -801,34 +795,43 @@ public class CAService implements ICAService, IService { // set issuer, serial number try { - BigInteger serialNo = - mCA.getCertificateRepository().getNextSerialNumber(); - - certi.set(X509CertInfo.SERIAL_NUMBER, - new CertificateSerialNumber(serialNo)); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_SIGN_SERIAL", serialNo.toString(16))); + BigInteger serialNo = mCA.getCertificateRepository() + .getNextSerialNumber(); + + certi.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( + serialNo)); + mCA.log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_SIGN_SERIAL", + serialNo.toString(16))); } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_NEXT_SERIAL", e.toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_NO_NEXT_SERIAL", e.toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_NOSERIALNO", rid)); } catch (CertificateException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_SERIALNO_FAILED", rid)); } catch (IOException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_SERIALNO_FAILED", rid)); } try { - certi.set(X509CertInfo.ISSUER, - new CertificateIssuerName(mCA.getX500Name())); + certi.set(X509CertInfo.ISSUER, + new CertificateIssuerName(mCA.getX500Name())); } catch (CertificateException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); - throw new 
ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_ISSUER_FAILED", rid)); } catch (IOException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_ISSUER_FAILED", rid)); } byte[] utf8_encodingOrder = { DerValue.tag_UTF8String }; 
@@ -837,20 +840,28 @@ public class CAService implements ICAService, IService { try { CMS.debug("doUTF8 true, updating subject."); - CertificateSubjectName sName = (CertificateSubjectName) certi.get(X509CertInfo.SUBJECT); + CertificateSubjectName sName = (CertificateSubjectName) certi + .get(X509CertInfo.SUBJECT); String subject = certi.get(X509CertInfo.SUBJECT).toString(); certi.set(X509CertInfo.SUBJECT, new CertificateSubjectName( - new X500Name(subject, - new LdapV3DNStrConverter(X500NameAttrMap.getDirDefault(), true), utf8_encodingOrder))); + new X500Name(subject, new LdapV3DNStrConverter( + X500NameAttrMap.getDirDefault(), true), + utf8_encodingOrder))); } catch (CertificateException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_ISSUER_FAILED", rid)); } catch (IOException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SET_ISSUER_FAILED", rid)); } } 
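Review bot: Both catch blocks of the doUTF8 subject rewrite hand the user `CMS_CA_SET_ISSUER_FAILED` although the accompanying log line correctly says `CMSCORE_CA_SET_SUBJECT`; it is the subject, not the issuer, that failed to be set, so the user-facing message should use a key that names the subject (the message bundle is not visible here, so confirm which key exists). `sName` is assigned from `certi.get(X509CertInfo.SUBJECT)` and never used, and the next line fetches the same field again via `toString()`; either drop `sName` or write `String subject = sName.toString();`. The enclosing method starts before this hunk.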
@@ -859,22 +870,21 @@ public class CAService implements ICAService, IService { return cert; } - void storeX509Cert(String rid, X509CertImpl cert, - boolean renewal, BigInteger oldSerialNo) - throws EBaseException { + void storeX509Cert(String rid, X509CertImpl cert, boolean renewal, + BigInteger oldSerialNo) throws EBaseException { storeX509Cert(rid, cert, renewal, oldSerialNo, null, null, null); } - void storeX509Cert(String rid, X509CertImpl cert, - boolean renewal, BigInteger oldSerialNo, String crmfReqId, - String challengePassword, String profileId) throws EBaseException { + void storeX509Cert(String rid, X509CertImpl cert, boolean renewal, + BigInteger oldSerialNo, String crmfReqId, String challengePassword, + String profileId) throws EBaseException { // now store in repository. - // if renewal, set the old serial number in the new cert, - // set the new serial number in the old cert. + // if renewal, set the old serial number in the new cert, + // set the new serial number in the old cert. CMS.debug("In storeX509Cert"); try { - BigInteger newSerialNo = cert.getSerialNumber(); + BigInteger newSerialNo = cert.getSerialNumber(); MetaInfo metaInfo = new MetaInfo(); if (profileId != null) 
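Review bot: Neither `storeX509Cert` overload carries Javadoc, and the seven-parameter one takes `crmfReqId`, `challengePassword` and `profileId` whose fate (they are copied into the record's MetaInfo in the next hunk) is not stated at the signature. Suggest a Javadoc on the long overload describing that it writes the certificate and its MetaInfo to the repository, that `oldSerialNo` is only consulted when `renewal` is true, that the three trailing String parameters may be null and are otherwise stored as record metadata, and `@throws EBaseException if the repository write fails`; the four-parameter overload can then say it delegates with null metadata. The method body continues into the next hunk.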
@@ -884,34 +894,37 @@ public class CAService implements ICAService, IService { if (challengePassword != null && !challengePassword.equals("")) metaInfo.set("challengePhrase", challengePassword); if (crmfReqId != null) { - //System.out.println("Adding crmf reqid "+crmfReqId); + // System.out.println("Adding crmf reqid "+crmfReqId); metaInfo.set(CertRecord.META_CRMF_REQID, crmfReqId); } if (renewal) metaInfo.set(CertRecord.META_OLD_CERT, oldSerialNo.toString()); mCA.getCertificateRepository().addCertificateRecord( - new CertRecord(newSerialNo, cert, metaInfo)); + new CertRecord(newSerialNo, cert, metaInfo)); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_STORE_SERIAL", cert.getSerialNumber().toString(16))); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage( + "CMSCORE_CA_STORE_SERIAL", + cert.getSerialNumber().toString(16))); if (renewal) { /* - mCA.getCertificateRepository().markCertificateAsRenewed( - BigIntegerMapper.BigIntegerToDB(oldSerialNo)); - mCA.mCertRepot.markCertificateAsRenewed(oldSerialNo); + * mCA.getCertificateRepository().markCertificateAsRenewed( + * BigIntegerMapper.BigIntegerToDB(oldSerialNo)); + * mCA.mCertRepot.markCertificateAsRenewed(oldSerialNo); */ MetaInfo oldMeta = null; - CertRecord oldCertRec = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + CertRecord oldCertRec = (CertRecord) mCA + .getCertificateRepository().readCertificateRecord( + oldSerialNo); if (oldCertRec == null) { - Exception e = - new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot read cert record for " + oldSerialNo)); + Exception e = new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + "Cannot read cert record for " + oldSerialNo)); e.printStackTrace(); } - if (oldCertRec != null) + if (oldCertRec != null) oldMeta = oldCertRec.getMetaInfo(); if (oldMeta == null) { if (Debug.ON) { 
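Review bot: When the old certificate record cannot be read (`oldCertRec == null`), the code builds an `EBaseException` only to call `printStackTrace()` on it and then carries on with the renewal bookkeeping against a record it could not load; the exception is never thrown and nothing reaches `mCA.log`. Either throw it (`throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot read cert record for " + oldSerialNo));`) or log it through `mCA.log(ILogger.LL_FAILURE, ...)` and leave the renewal branch before `oldMeta` is touched. Note also that `metaInfo.set("challengePhrase", challengePassword)` stores the challengePassword string exactly as received into the certificate record; whether a digest or the raw phrase is expected at this point is not visible here and is worth stating in the method's documentation. storeX509Cert starts in the previous hunk and ends after this one.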
@@ -926,25 +939,29 @@ public class CAService implements ICAService, IService { while (n.hasMoreElements()) { String name = (String) n.nextElement(); - System.out.println("name " + name + " value " + - oldMeta.get(name)); + System.out.println("name " + name + " value " + + oldMeta.get(name)); } } } - oldMeta.set(CertRecord.META_RENEWED_CERT, - newSerialNo.toString()); + oldMeta.set(CertRecord.META_RENEWED_CERT, + newSerialNo.toString()); ModificationSet modSet = new ModificationSet(); - modSet.add(CertRecord.ATTR_AUTO_RENEW, - Modification.MOD_REPLACE, - CertRecord.AUTO_RENEWAL_DONE); - modSet.add(ICertRecord.ATTR_META_INFO, - Modification.MOD_REPLACE, oldMeta); - mCA.getCertificateRepository().modifyCertificateRecord(oldSerialNo, modSet); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_MARK_SERIAL", oldSerialNo.toString(16), newSerialNo.toString(16))); + modSet.add(CertRecord.ATTR_AUTO_RENEW, + Modification.MOD_REPLACE, CertRecord.AUTO_RENEWAL_DONE); + modSet.add(ICertRecord.ATTR_META_INFO, + Modification.MOD_REPLACE, oldMeta); + mCA.getCertificateRepository().modifyCertificateRecord( + oldSerialNo, modSet); + mCA.log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_MARK_SERIAL", + oldSerialNo.toString(16), + newSerialNo.toString(16))); if (Debug.ON) { - CertRecord check = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + CertRecord check = (CertRecord) mCA + .getCertificateRepository().readCertificateRecord( + oldSerialNo); MetaInfo meta = check.getMetaInfo(); Enumeration n = oldMeta.getElements(); @@ -956,7 +973,9 @@ public class CAService implements ICAService, IService { } } } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_STORE_SERIAL", cert.getSerialNumber().toString(16))); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_NO_STORE_SERIAL", cert.getSerialNumber() + .toString(16))); if (Debug.ON) e.printStackTrace(); throw e; 
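Review bot: The debug loop `System.out.println("name " + name + " value " + oldMeta.get(name))` dumps every MetaInfo entry of the old certificate record to stdout, and that record can carry the `challengePhrase` value that storeX509Cert writes into MetaInfo in the previous hunk, so a `Debug.ON` build echoes a credential-like value to the console. Route the output through `CMS.debug(...)` like the rest of the file and skip or mask the `challengePhrase` key, or drop the dump altogether. The same consideration applies to the second `Debug.ON` block in this hunk, which reads `check.getMetaInfo()` without testing `check` for null even though `readCertificateRecord` is shown returning null earlier in this method. Applies to the first hunk on this line; the enclosing method continues outside it.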
@@ -966,23 +985,25 @@ public class CAService implements ICAService, IService { /** * revoke cert, check fields in crlentry, etc. */ - public void revokeCert(RevokedCertImpl crlentry) - throws EBaseException { + public void revokeCert(RevokedCertImpl crlentry) throws EBaseException { revokeCert(crlentry, null); } public void revokeCert(RevokedCertImpl crlentry, String requestId) - throws EBaseException { + throws EBaseException { BigInteger serialno = crlentry.getSerialNumber(); Date revdate = crlentry.getRevocationDate(); CRLExtensions crlentryexts = crlentry.getExtensions(); - CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno); + CertRecord certRec = (CertRecord) mCA.getCertificateRepository() + .readCertificateRecord(serialno); if (certRec == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialno.toString(16))); - throw new ECAException( - CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", + serialno.toString(16))); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CANT_FIND_CERT_SERIAL", "0x" + serialno.toString(16))); } RevocationInfo revInfo = (RevocationInfo) certRec.getRevocationInfo(); @@ -993,8 +1014,8 @@ public class CAService implements ICAService, IService { exts = revInfo.getCRLEntryExtensions(); if (exts != null) { try { - reasonext = (CRLReasonExtension) - exts.get(CRLReasonExtension.NAME); + reasonext = (CRLReasonExtension) exts + .get(CRLReasonExtension.NAME); } catch (X509ExtensionException e) { // this means no crl reason extension set. } 
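Review bot: The Javadoc on `revokeCert` ("revoke cert, check fields in crlentry, etc.") does not cover the two-argument overload, in particular that `requestId` may be null (the one-argument form passes `null` explicitly) or that an `ECAException` is thrown when the serial number is unknown to the repository or, in the next hunk, when the certificate is already revoked. Suggest a Javadoc with `@param crlentry the revoked-certificate entry whose serial number, revocation date and CRL entry extensions are recorded`, `@param requestId the originating request id, or null`, and `@throws EBaseException if the certificate is not found or is already revoked`. The same gap applies to `unrevokeCert` in the hunk at -1049. Applies to the first hunk on this line.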
@@ -1002,16 +1023,18 @@ public class CAService implements ICAService, IService { // allow revoking certs that are on hold. String certStatus = certRec.getStatus(); - if (certStatus.equals(ICertRecord.STATUS_REVOKED) || - certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { - throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", + if (certStatus.equals(ICertRecord.STATUS_REVOKED) + || certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CERT_ALREADY_REVOKED", "0x" + Long.toHexString(serialno.longValue()))); } try { - mCA.getCertificateRepository().markAsRevoked(serialno, - new RevocationInfo(revdate, crlentryexts)); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", - serialno.toString(16))); + mCA.getCertificateRepository().markAsRevoked(serialno, + new RevocationInfo(revdate, crlentryexts)); + mCA.log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", + serialno.toString(16))); // inform all CRLIssuingPoints about revoked certificate Enumeration eIPs = mCRLIssuingPoints.elements(); 
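Review bot: The "already revoked" error renders the serial as `"0x" + Long.toHexString(serialno.longValue())`, which silently truncates any serial number wider than 64 bits, while every other message in this method uses `serialno.toString(16)`; use `"0x" + serialno.toString(16)` here as well. `certStatus.equals(...)` also throws NullPointerException if `certRec.getStatus()` returns null; whether the repository guarantees a non-null status is not visible here, and if it does not, `ICertRecord.STATUS_REVOKED.equals(certStatus)` is the safe spelling. revokeCert continues outside this hunk.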
@@ -1024,23 +1047,28 @@ public class CAService implements ICAService, IService { if (ip.isCACertsOnly()) { X509CertImpl cert = certRec.getCertificate(); - if (cert != null) b = cert.getBasicConstraintsIsCA(); + if (cert != null) + b = cert.getBasicConstraintsIsCA(); } if (ip.isProfileCertsOnly()) { MetaInfo metaInfo = certRec.getMetaInfo(); if (metaInfo != null) { - String profileId = (String)metaInfo.get("profileId"); + String profileId = (String) metaInfo + .get("profileId"); if (profileId != null) { b = ip.checkCurrentProfile(profileId); } } } - if (b) ip.addRevokedCert(serialno, crlentry, requestId); + if (b) + ip.addRevokedCert(serialno, crlentry, requestId); } } } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_REVOCATION", serialno.toString(), e.toString())); - //e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ERROR_REVOCATION", + serialno.toString(), e.toString())); + // e.printStackTrace(); throw e; } return; 
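Review bot: The per-issuing-point filter (`ip.isCACertsOnly()` leading to `cert.getBasicConstraintsIsCA()`, then `ip.isProfileCertsOnly()` leading to `metaInfo.get("profileId")` and `ip.checkCurrentProfile(profileId)`) is duplicated line for line in unrevokeCert (hunk at -1109); extracting it into a private boolean helper that takes the issuing point and the `CertRecord` would keep the two paths from drifting. The commented-out `// e.printStackTrace();` in the catch block is dead code and should go. The declaration of `ip` and the enclosing method start before this hunk.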
@@ -1049,19 +1077,21 @@ public class CAService implements ICAService, IService { /** * unrevoke cert, check serial number, etc. */ - void unrevokeCert(BigInteger serialNo) - throws EBaseException { + void unrevokeCert(BigInteger serialNo) throws EBaseException { unrevokeCert(serialNo, null); } void unrevokeCert(BigInteger serialNo, String requestId) - throws EBaseException { - CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialNo); + throws EBaseException { + CertRecord certRec = (CertRecord) mCA.getCertificateRepository() + .readCertificateRecord(serialNo); if (certRec == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialNo.toString(16))); - throw new ECAException( - CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", + serialNo.toString(16))); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CANT_FIND_CERT_SERIAL", "0x" + serialNo.toString(16))); } RevocationInfo revInfo = (RevocationInfo) certRec.getRevocationInfo(); 
@@ -1069,34 +1099,42 @@ public class CAService implements ICAService, IService { CRLReasonExtension reasonext = null; if (revInfo == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", + serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", serialNo.toString())); } exts = revInfo.getCRLEntryExtensions(); if (exts != null) { try { - reasonext = (CRLReasonExtension) - exts.get(CRLReasonExtension.NAME); + reasonext = (CRLReasonExtension) exts + .get(CRLReasonExtension.NAME); } catch (X509ExtensionException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", - serialNo.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", + serialNo.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_IS_NOT_ON_HOLD", serialNo.toString())); } } else { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", + serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", serialNo.toString())); } // allow unrevoking certs that are on hold. 
- if ((certRec.getStatus().equals(ICertRecord.STATUS_REVOKED) || - certRec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) && - reasonext != null && - reasonext.getReason() == RevocationReason.CERTIFICATE_HOLD) { + if ((certRec.getStatus().equals(ICertRecord.STATUS_REVOKED) || certRec + .getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) + && reasonext != null + && reasonext.getReason() == RevocationReason.CERTIFICATE_HOLD) { try { mCA.getCertificateRepository().unmarkRevoked(serialNo, revInfo, - certRec.getRevokedOn(), certRec.getRevokedBy()); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_UNREVOKED", serialNo.toString(16))); + certRec.getRevokedOn(), certRec.getRevokedBy()); + mCA.log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_CERT_UNREVOKED", + serialNo.toString(16))); // inform all CRLIssuingPoints about unrevoked certificate Enumeration eIPs = mCRLIssuingPoints.elements(); 
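Review bot: The "not on hold" rejection — `mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", ...))` followed by `throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", ...))` — appears three times in this hunk (revInfo null, X509ExtensionException, exts null) and a fourth time in the else branch of the next hunk, and the copies format the serial differently (`serialNo.toString()` in the first three, `"0x" + serialNo.toString(16)` in the fourth). Fold the first three into one guard, for example a small private method that resolves `reasonext` and returns null under any of those conditions, and emit the log/throw pair once with a single serial format. The log key `CMSCORE_CA_CERT_ON_HOLD` for a condition meaning "not on hold" also reads inverted; worth confirming the message text in the bundle. unrevokeCert starts in the previous hunk and ends after the next one.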
@@ -1109,27 +1147,34 @@ public class CAService implements ICAService, IService { if (ip.isCACertsOnly()) { X509CertImpl cert = certRec.getCertificate(); - if (cert != null) b = cert.getBasicConstraintsIsCA(); + if (cert != null) + b = cert.getBasicConstraintsIsCA(); } if (ip.isProfileCertsOnly()) { MetaInfo metaInfo = certRec.getMetaInfo(); if (metaInfo != null) { - String profileId = (String)metaInfo.get("profileId"); + String profileId = (String) metaInfo + .get("profileId"); if (profileId != null) { b = ip.checkCurrentProfile(profileId); } } } - if (b) ip.addUnrevokedCert(serialNo, requestId); + if (b) + ip.addUnrevokedCert(serialNo, requestId); } } } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ERROR_UNREVOKE", serialNo.toString(16))); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_ERROR_UNREVOKE", + serialNo.toString(16))); throw e; } } else { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", + serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", "0x" + serialNo.toString(16))); } @@ -1138,10 +1183,10 @@ public class CAService implements ICAService, IService { /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { 
@@ -1152,20 +1197,17 @@ public class CAService implements ICAService, IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } /** * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. + * + * This method is called to obtain the "SubjectID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ private String auditSubjectID() { @@ -1180,8 +1222,7 @@ public class CAService implements ICAService, IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); + subjectID = (String) auditContext.get(SessionContext.USER_ID); if (subjectID != null) { subjectID = subjectID.trim(); @@ -1197,11 +1238,11 @@ public class CAService implements ICAService, IService { /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for - * a signed audit log message. + * + * This method is called to obtain the "RequesterID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RequesterID */ private String auditRequesterID() { @@ -1216,8 +1257,8 @@ public class CAService implements ICAService, IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - requesterID = (String) - auditContext.get(SessionContext.REQUESTER_ID); + requesterID = (String) auditContext + .get(SessionContext.REQUESTER_ID); if (requesterID != null) { requesterID = requesterID.trim(); 
@@ -1232,16 +1273,14 @@ public class CAService implements ICAService, IService { } } - -/// -/// servant classes -/// +// / +// / servant classes +// / interface IServant { public boolean service(IRequest request) throws EBaseException; } - class serviceIssue implements IServant { private ICertificateAuthority mCA; private CAService mService; @@ -1251,9 +1290,8 @@ class serviceIssue implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { - // XXX This is ugly. should associate attributes with + public boolean service(IRequest request) throws EBaseException { + // XXX This is ugly. should associate attributes with // request types, not policy. // XXX how do we know what to look for in request ? 
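Review bot: The formatter rewrote the `///` separator comments as `// /`, which now reads as a stray slash inside a line comment; restore them as `///` or collapse the three lines into a single `// servant classes` comment. The `IServant` interface also lacks Javadoc on its only method; a `/** Services the given request; implementations return false when the request type is not recognised. */` would match the `return false; // Don't know what it is` path in serviceIssue.service in the next hunk. Applies to the first hunk on this line.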
@@ -1262,21 +1300,23 @@ class serviceIssue implements IServant { else return false; // Don't know what it is ????? } - - public boolean serviceX509(IRequest request) - throws EBaseException { - // XXX This is ugly. should associate attributes with + + public boolean serviceX509(IRequest request) throws EBaseException { + // XXX This is ugly. should associate attributes with // request types, not policy. // XXX how do we know what to look for in request ? - X509CertInfo certinfos[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certinfos[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); if (certinfos == null || certinfos[0] == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_ISSUEREQ")); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId() + .toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_ISSUEREQ")); } - String challengePassword = - request.getExtDataInString(CAService.CHALLENGE_PHRASE); + String challengePassword = request + .getExtDataInString(CAService.CHALLENGE_PHRASE); X509CertImpl[] certs = new X509CertImpl[certinfos.length]; String rid = request.getRequestId().toString(); @@ -1286,7 +1326,9 @@ class serviceIssue implements IServant { try { certs[i] = mService.issueX509Cert(rid, certinfos[i]); } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUE_ERROR", Integer.toString(i), rid, e.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUE_ERROR", + Integer.toString(i), rid, e.toString())); throw e; } } 
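Review bot: `if (certinfos == null || certinfos[0] == null)` guards null but not an empty array: a request whose CERT_INFO array has length zero throws ArrayIndexOutOfBoundsException before the intended ECAException is reached. Add the length test, `if (certinfos == null || certinfos.length == 0 || certinfos[0] == null) {`, and note that the check still inspects only element 0 while the loop below passes every `certinfos[i]` to issueX509Cert. The same pattern is in serviceRenewal.service (hunk at -1335). serviceX509 continues into the following hunks; applies to the first hunk on this line.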
@@ -1295,25 +1337,31 @@ class serviceIssue implements IServant { for (i = 0; i < certs.length; i++) { try { - mService.storeX509Cert(rid, certs[i], crmfReqId, challengePassword); + mService.storeX509Cert(rid, certs[i], crmfReqId, + challengePassword); } catch (EBaseException e) { e.printStackTrace(); - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_STORE_ERROR", Integer.toString(i), rid, e.toString())); - ex = e; // save to throw later. + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_STORE_ERROR", + Integer.toString(i), rid, e.toString())); + ex = e; // save to throw later. break; } } if (ex != null) { for (int j = 0; j < i; j++) { - // delete the stored cert records from the database. - // we issue all or nothing. - BigInteger serialNo = - ((X509Certificate) certs[i]).getSerialNumber(); + // delete the stored cert records from the database. + // we issue all or nothing. + BigInteger serialNo = ((X509Certificate) certs[i]) + .getSerialNumber(); try { - mCA.getCertificateRepository().deleteCertificateRecord(serialNo); + mCA.getCertificateRepository().deleteCertificateRecord( + serialNo); } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", serialNo.toString(), e.toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_DELETE_CERT_ERROR", + serialNo.toString(), e.toString())); } } throw ex; @@ -1325,7 +1373,6 @@ class serviceIssue implements IServant { } } - class serviceRenewal implements IServant { private ICertificateAuthority mCA; private CAService mService; 
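Review bot: The rollback loop reads `certs[i]` inside `for (int j = 0; j < i; j++)`, so on a store failure it deletes the record of the certificate that failed (index i) i times instead of the i records that were stored successfully — the "we issue all or nothing" guarantee in the comment does not hold. Change the two lines to `BigInteger serialNo = ((X509Certificate) certs[j])` / `.getSerialNumber();`. The `e.printStackTrace()` in the catch above bypasses the CA log; the `mCA.log(ILogger.LL_FAILURE, ...)` call that follows already records the failure, so the print can go or be gated on `Debug.ON` as elsewhere in the file. Applies to the first hunk on this line; serviceX509 starts in the previous hunk.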
@@ -1335,14 +1382,15 @@ class serviceRenewal implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { // XXX if one fails should all fail ? - can't backtrack. - X509CertInfo certinfos[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certinfos[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); if (certinfos == null || certinfos[0] == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId() + .toString())); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); } 
@@ -1362,31 +1410,37 @@ class serviceRenewal implements IServant { SerialNumber serialnum = null; try { - CertificateSerialNumber serialno = (CertificateSerialNumber) - certinfos[i].get(X509CertInfo.SERIAL_NUMBER); + CertificateSerialNumber serialno = (CertificateSerialNumber) certinfos[i] + .get(X509CertInfo.SERIAL_NUMBER); if (serialno == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + mCA.log(ILogger.LL_FAILURE, CMS + .getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); } - serialnum = (SerialNumber) - serialno.get(CertificateSerialNumber.NUMBER); + serialnum = (SerialNumber) serialno + .get(CertificateSerialNumber.NUMBER); } catch (IOException e) { if (Debug.ON) e.printStackTrace(); - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", + e.toString())); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); } catch (CertificateException e) { if (Debug.ON) e.printStackTrace(); - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", + e.toString())); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); } if (serialnum == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", "")); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", "")); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); } 
@@ -1394,26 +1448,30 @@ class serviceRenewal implements IServant { BigInteger oldSerialNo = serialnumBigInt.toBigInteger(); // get cert record - CertRecord certRecord = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + CertRecord certRecord = (CertRecord) mCA + .getCertificateRepository().readCertificateRecord( + oldSerialNo); if (certRecord == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", oldSerialNo.toString())); - svcerrors[i] = new ECAException( - CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", - oldSerialNo.toString())).toString(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_NOT_FROM_CA", oldSerialNo.toString())); + svcerrors[i] = new ECAException(CMS.getUserMessage( + "CMS_CA_CANT_FIND_CERT_SERIAL", + oldSerialNo.toString())).toString(); continue; } - // check if cert has been revoked. + // check if cert has been revoked. String certStatus = certRecord.getStatus(); - if (certStatus.equals(ICertRecord.STATUS_REVOKED) || - certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_RENEW_REVOKED", oldSerialNo.toString())); - svcerrors[i] = new ECAException( - CMS.getUserMessage("CMS_CA_CANNOT_RENEW_REVOKED_CERT", - "0x" + oldSerialNo.toString(16))).toString(); + if (certStatus.equals(ICertRecord.STATUS_REVOKED) + || certStatus + .equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_RENEW_REVOKED", oldSerialNo.toString())); + svcerrors[i] = new ECAException(CMS.getUserMessage( + "CMS_CA_CANNOT_RENEW_REVOKED_CERT", "0x" + + oldSerialNo.toString(16))).toString(); continue; } 
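Review bot: `svcerrors[i] = new ECAException(CMS.getUserMessage(...)).toString()` constructs an exception purely to obtain a string, twice in this hunk and again in the next; if `ECAException.toString()` is just the message, `svcerrors[i] = CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", oldSerialNo.toString());` says the same without the allocation, and if it prefixes the class name a small private `svcError(String msg)` helper makes that intent explicit. The first of these uses `oldSerialNo.toString()` where the second uses `"0x" + oldSerialNo.toString(16)`; pick one serial format for user messages. The enclosing loop body of serviceRenewal.service starts before this hunk.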
@@ -1421,75 +1479,87 @@ class serviceRenewal implements IServant { MetaInfo metaInfo = certRecord.getMetaInfo(); if (metaInfo != null) { - String renewed = (String) - metaInfo.get(ICertRecord.META_RENEWED_CERT); + String renewed = (String) metaInfo + .get(ICertRecord.META_RENEWED_CERT); if (renewed != null) { BigInteger serial = new BigInteger(renewed); - X509CertImpl cert = (X509CertImpl) - mCA.getCertificateRepository().getX509Certificate(serial); + X509CertImpl cert = (X509CertImpl) mCA + .getCertificateRepository().getX509Certificate( + serial); if (cert == null) { - // something wrong - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_RENEWED", serial.toString())); - svcerrors[i] = new ECAException( - CMS.getUserMessage("CMS_CA_ERROR_GETTING_RENEWED_CERT", - oldSerialNo.toString(), serial.toString())).toString(); + // something wrong + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_MISSING_RENEWED", + serial.toString())); + svcerrors[i] = new ECAException(CMS.getUserMessage( + "CMS_CA_ERROR_GETTING_RENEWED_CERT", + oldSerialNo.toString(), serial.toString())) + .toString(); continue; } // get cert record - CertRecord cRecord = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord(serial); + CertRecord cRecord = (CertRecord) mCA + .getCertificateRepository() + .readCertificateRecord(serial); if (cRecord == null) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", serial.toString())); - svcerrors[i] = new ECAException( - CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", - serial.toString())).toString(); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", + serial.toString())); + svcerrors[i] = new ECAException(CMS.getUserMessage( + "CMS_CA_CANT_FIND_CERT_SERIAL", + serial.toString())).toString(); continue; } // Check renewed certificate already REVOKED or EXPIRED String status = cRecord.getStatus(); - if (status.equals(ICertRecord.STATUS_REVOKED) || - 
status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + if (status.equals(ICertRecord.STATUS_REVOKED) + || status + .equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { Debug.trace("It is already revoked or Expired !!!"); - } // it is still new ... So just return this certificate to user - else { + } // it is still new ... So just return this certificate + // to user + else { Debug.trace("It is still new !!!"); issuedCerts[i] = cert; continue; - } + } } } // issue the cert. - issuedCerts[i] = - mService.issueX509Cert(rid, certinfos[i], true, oldSerialNo); + issuedCerts[i] = mService.issueX509Cert(rid, certinfos[i], + true, oldSerialNo); mService.storeX509Cert(rid, issuedCerts[i], true, oldSerialNo); } catch (ECAException e) { svcerrors[i] = e.toString(); - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_RENEW", Integer.toString(i), request.getRequestId().toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CANNOT_RENEW", Integer.toString(i), request + .getRequestId().toString())); } } - + // always set issued certs regardless of error. request.setExtData(IRequest.ISSUED_CERTS, issuedCerts); // set and throw error if any. int l; - for (l = svcerrors.length - 1; l >= 0 && svcerrors[l] == null; l--); + for (l = svcerrors.length - 1; l >= 0 && svcerrors[l] == null; l--) + ; if (l >= 0) { request.setExtData(IRequest.SVCERRORS, svcerrors); - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_RENEW", request.getRequestId().toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_NO_RENEW", request.getRequestId().toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_RENEW_FAILED")); } return true; } } - class getCertsForChallenge implements IServant { private ICertificateAuthority mCA; private CAService mService; 
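Review bot: `new BigInteger(renewed)` parses the META_RENEWED_CERT value read back from the repository, and a malformed value raises NumberFormatException, which is not an ECAException and therefore escapes the `catch (ECAException e)` at the bottom of the loop, aborting the whole multi-certificate request instead of recording a per-entry `svcerrors[i]`. Either catch NumberFormatException alongside the existing catch and record it in `svcerrors[i]`, or validate `renewed` before parsing. The empty-bodied search `for (l = svcerrors.length - 1; l >= 0 && svcerrors[l] == null; l--) ;`, which the formatter now prints with a lone `;` line, deserves a comment such as `// find the last non-null service error; l < 0 means none` or a rewrite as a plain loop with a break. The enclosing method starts in earlier hunks.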
@@ -1499,21 +1569,20 @@ class getCertsForChallenge implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { - BigInteger[] serialNoArray = - request.getExtDataInBigIntegerArray(CAService.SERIALNO_ARRAY); - X509CertImpl[] certs = new X509CertImpl[serialNoArray.length]; + public boolean service(IRequest request) throws EBaseException { + BigInteger[] serialNoArray = request + .getExtDataInBigIntegerArray(CAService.SERIALNO_ARRAY); + X509CertImpl[] certs = new X509CertImpl[serialNoArray.length]; for (int i = 0; i < serialNoArray.length; i++) { - certs[i] = mCA.getCertificateRepository().getX509Certificate(serialNoArray[i]); + certs[i] = mCA.getCertificateRepository().getX509Certificate( + serialNoArray[i]); } request.setExtData(IRequest.OLD_CERTS, certs); return true; } } - class getCertStatus implements IServant { private ICertificateAuthority mCA; private CAService mService; @@ -1526,8 +1595,8 @@ class getCertStatus implements IServant { public boolean service(IRequest request) throws EBaseException { BigInteger serialno = request.getExtDataInBigInteger("serialNumber"); String issuerDN = request.getExtDataInString("issuerDN"); - CertificateRepository certDB = (CertificateRepository) - mCA.getCertificateRepository(); + CertificateRepository certDB = (CertificateRepository) mCA + .getCertificateRepository(); String status = null; @@ -1552,13 +1621,12 @@ class getCertStatus implements IServant { } } } - + request.setExtData(IRequest.CERT_STATUS, status); return true; } } - class serviceCheckChallenge implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1570,18 +1638,18 @@ class serviceCheckChallenge implements IServant { try { mSHADigest = MessageDigest.getInstance("SHA1"); } catch (NoSuchAlgorithmException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); } } - public boolean service(IRequest request) - throws EBaseException { - // note: some request attributes used below are set in - // authentication/ChallengePhraseAuthentication.java :( + public boolean service(IRequest request) throws EBaseException { + // note: some request attributes used below are set in + // authentication/ChallengePhraseAuthentication.java :( BigInteger serialno = request.getExtDataInBigInteger("serialNumber"); - String pwd = request.getExtDataInString( - CAService.CHALLENGE_PHRASE); - CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); + String pwd = request.getExtDataInString(CAService.CHALLENGE_PHRASE); + CertificateRepository certDB = (CertificateRepository) mCA + .getCertificateRepository(); BigInteger[] bigIntArray = null; if (serialno != null) { @@ -1605,14 +1673,16 @@ class serviceCheckChallenge implements IServant { } else { bigIntArray = new BigInteger[0]; } - } else + } else bigIntArray = new BigInteger[0]; } else { String subjectName = request.getExtDataInString("subjectName"); if (subjectName != null) { - String filter = "(&(x509cert.subject=" + subjectName + ")(certStatus=VALID))"; - ICertRecordList list = certDB.findCertRecordsInList(filter, null, 10); + String filter = "(&(x509cert.subject=" + subjectName + + ")(certStatus=VALID))"; + ICertRecordList list = certDB.findCertRecordsInList(filter, + null, 10); int size = list.getSize(); Enumeration en = list.getCertRecords(0, size - 1); 
@@ -1637,7 +1707,7 @@ class serviceCheckChallenge implements IServant { } } - if (bigIntArray == null) + if (bigIntArray == null) bigIntArray = new BigInteger[0]; request.setExtData(CAService.SERIALNO_ARRAY, bigIntArray); @@ -1645,18 +1715,19 @@ class serviceCheckChallenge implements IServant { } private boolean compareChallengePassword(CertRecord record, String pwd) - throws EBaseException { + throws EBaseException { MetaInfo metaInfo = (MetaInfo) record.get(CertRecord.ATTR_META_INFO); if (metaInfo == null) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "metaInfo")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "metaInfo")); } String hashpwd = hashPassword(pwd); // got metaInfo - String challengeString = - (String) metaInfo.get(CertRecord.META_CHALLENGE_PHRASE); + String challengeString = (String) metaInfo + .get(CertRecord.META_CHALLENGE_PHRASE); if (!challengeString.equals(hashpwd)) { return false; @@ -1673,7 +1744,6 @@ class serviceCheckChallenge implements IServant { } } - class serviceRevoke implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1683,32 +1753,35 @@ class serviceRevoke implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { boolean sendStatus = true; // XXX Need to think passing as array. - // XXX every implemented according to servlet. - RevokedCertImpl crlentries[] = - request.getExtDataInRevokedCertArray(IRequest.CERT_INFO); - - if (crlentries == null || - crlentries.length == 0 || - crlentries[0] == null) { - // XXX should this be an error ? - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRL_NOT_FOUND", request.getRequestId().toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_REVREQ")); + // XXX every implemented according to servlet. + RevokedCertImpl crlentries[] = request + .getExtDataInRevokedCertArray(IRequest.CERT_INFO); + + if (crlentries == null || crlentries.length == 0 + || crlentries[0] == null) { + // XXX should this be an error ? 
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRL_NOT_FOUND", request.getRequestId() + .toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_REVREQ")); } - RevokedCertImpl revokedCerts[] = - new RevokedCertImpl[crlentries.length]; + RevokedCertImpl revokedCerts[] = new RevokedCertImpl[crlentries.length]; String svcerrors[] = null; for (int i = 0; i < crlentries.length; i++) { try { - mService.revokeCert(crlentries[i], request.getRequestId().toString()); + mService.revokeCert(crlentries[i], request.getRequestId() + .toString()); revokedCerts[i] = crlentries[i]; } catch (ECAException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_REVOKE", Integer.toString(i), request.getRequestId().toString(), e.toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CANNOT_REVOKE", Integer.toString(i), + request.getRequestId().toString(), e.toString())); revokedCerts[i] = null; if (svcerrors == null) { svcerrors = new String[revokedCerts.length]; @@ -1723,8 +1796,7 @@ class serviceRevoke implements IServant { // if clone ca, send revoked cert records to CLA if (CAService.mCLAConnector != null) { CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED")); - BigInteger revokedCertIds[] = - new BigInteger[revokedCerts.length]; + BigInteger revokedCertIds[] = new BigInteger[revokedCerts.length]; for (int i = 0; i < revokedCerts.length; i++) { revokedCertIds[i] = revokedCerts[i].getSerialNumber(); 
@@ -1732,16 +1804,18 @@ class serviceRevoke implements IServant { request.deleteExtData(IRequest.CERT_INFO); request.deleteExtData(IRequest.OLD_CERTS); request.setExtData(IRequest.REVOKED_CERT_RECORDS, revokedCertIds); - - CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED_CONNECTOR")); + + CMS.debug(CMS + .getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED_CONNECTOR")); request.setRequestType(IRequest.CLA_CERT4CRL_REQUEST); sendStatus = CAService.mCLAConnector.send(request); if (sendStatus == false) { - request.setExtData(IRequest.RESULT, - IRequest.RES_ERROR); - request.setExtData(IRequest.ERROR, - new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData( + IRequest.ERROR, + new ECAException(CMS + .getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); return sendStatus; } else { if (request.getExtDataInString(IRequest.ERROR) != null) { @@ -1767,7 +1841,6 @@ class serviceRevoke implements IServant { } } - class serviceUnrevoke implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1777,21 +1850,22 @@ class serviceUnrevoke implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { boolean sendStatus = true; - BigInteger oldSerialNo[] = - request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + BigInteger oldSerialNo[] = request + .getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); if (oldSerialNo == null || oldSerialNo.length < 1) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); } String svcerrors[] = null; boolean needOldCerts = false; - X509CertImpl oldCerts[] = request.getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl oldCerts[] = request + .getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null || oldCerts.length < 1) { needOldCerts = true; 
@@ -1801,19 +1875,25 @@ class serviceUnrevoke implements IServant { for (int i = 0; i < oldSerialNo.length; i++) { try { if (oldSerialNo[i].compareTo(new BigInteger("0")) < 0) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); } if (needOldCerts) { - CertRecord certRec = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord(oldSerialNo[i]); + CertRecord certRec = (CertRecord) mCA + .getCertificateRepository().readCertificateRecord( + oldSerialNo[i]); oldCerts[i] = certRec.getCertificate(); } - mService.unrevokeCert(oldSerialNo[i], request.getRequestId().toString()); + mService.unrevokeCert(oldSerialNo[i], request.getRequestId() + .toString()); } catch (ECAException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_FAILED", oldSerialNo[i].toString(), request.getRequestId().toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_UNREVOKE_FAILED", + oldSerialNo[i].toString(), request.getRequestId() + .toString())); if (svcerrors == null) { svcerrors = new String[oldSerialNo.length]; } @@ -1826,10 +1906,11 @@ class serviceUnrevoke implements IServant { request.setRequestType(IRequest.CLA_UNCERT4CRL_REQUEST); sendStatus = CAService.mCLAConnector.send(request); if (sendStatus == false) { - request.setExtData(IRequest.RESULT, - IRequest.RES_ERROR); - request.setExtData(IRequest.ERROR, - new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData( + IRequest.ERROR, + new ECAException(CMS + .getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); return sendStatus; } else { if (request.getExtDataInString(IRequest.ERROR) != null) { 
@@ -1853,7 +1934,6 @@ class serviceUnrevoke implements IServant { } } - class serviceGetCAChain implements IServant { private ICertificateAuthority mCA; private CAService mService; @@ -1877,7 +1957,6 @@ class serviceGetCAChain implements IServant { } } - class serviceGetCRL implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1887,33 +1966,37 @@ class serviceGetCRL implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { try { - ICRLIssuingPointRecord crlRec = - (ICRLIssuingPointRecord) mCA.getCRLRepository().readCRLIssuingPointRecord(ICertificateAuthority.PROP_MASTER_CRL); + ICRLIssuingPointRecord crlRec = (ICRLIssuingPointRecord) mCA + .getCRLRepository().readCRLIssuingPointRecord( + ICertificateAuthority.PROP_MASTER_CRL); X509CRLImpl crl = new X509CRLImpl(crlRec.getCRL()); request.setExtData(IRequest.CRL, crl.getEncoded()); } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_FIND_CRL")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOT_FOUND", e.toString())); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_GETCRL_FIND_CRL")); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CRL_ISSUEPT_NOT_FOUND", e.toString())); } catch (CRLException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_INST_CRL", ICertificateAuthority.PROP_MASTER_CRL)); - throw new ECAException( - CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOGOOD", ICertificateAuthority.PROP_MASTER_CRL)); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_GETCRL_INST_CRL", + ICertificateAuthority.PROP_MASTER_CRL)); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CRL_ISSUEPT_NOGOOD", + ICertificateAuthority.PROP_MASTER_CRL)); } catch (X509ExtensionException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_NO_ISSUING_REC")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_EXT_NOGOOD", + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_GETCRL_NO_ISSUING_REC")); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_CRL_ISSUEPT_EXT_NOGOOD", ICertificateAuthority.PROP_MASTER_CRL)); } return true; } } - class serviceGetRevocationInfo 
implements IServant { private ICertificateAuthority mCA; private CAService mService; @@ -1923,20 +2006,20 @@ class serviceGetRevocationInfo implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { Enumeration enum1 = request.getExtDataKeys(); while (enum1.hasMoreElements()) { String name = (String) enum1.nextElement(); if (name.equals(IRequest.ISSUED_CERTS)) { - X509CertImpl certsToCheck[] = - request.getExtDataInCertArray(IRequest.ISSUED_CERTS); + X509CertImpl certsToCheck[] = request + .getExtDataInCertArray(IRequest.ISSUED_CERTS); - CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); - RevocationInfo info = - certDB.isCertificateRevoked(certsToCheck[0]); + CertificateRepository certDB = (CertificateRepository) mCA + .getCertificateRepository(); + RevocationInfo info = certDB + .isCertificateRevoked(certsToCheck[0]); if (info != null) { RevokedCertImpl revokedCerts[] = new RevokedCertImpl[1]; @@ -1954,7 +2037,6 @@ class serviceGetRevocationInfo implements IServant { } } - class serviceGetCertificates implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1964,17 +2046,18 @@ class serviceGetCertificates implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { Enumeration enum1 = request.getExtDataKeys(); while (enum1.hasMoreElements()) { String name = (String) enum1.nextElement(); if (name.equals(IRequest.CERT_FILTER)) { - String filter = request.getExtDataInString(IRequest.CERT_FILTER); + String filter = request + .getExtDataInString(IRequest.CERT_FILTER); - CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); + CertificateRepository certDB = (CertificateRepository) mCA + .getCertificateRepository(); X509CertImpl[] certs = certDB.getX509Certificates(filter); if (certs != null) { @@ -1986,7 +2069,6 @@ class serviceGetCertificates implements IServant { } } - class serviceCert4Crl implements IServant { private ICertificateAuthority mCA; private CAService mService; 
@@ -1996,42 +2078,44 @@ class serviceCert4Crl implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { + public boolean service(IRequest request) throws EBaseException { // XXX Need to think passing as array. - // XXX every implemented according to servlet. - BigInteger revokedCertIds[] = request.getExtDataInBigIntegerArray( - IRequest.REVOKED_CERT_RECORDS); - if (revokedCertIds == null || - revokedCertIds.length == 0) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); + // XXX every implemented according to servlet. + BigInteger revokedCertIds[] = request + .getExtDataInBigIntegerArray(IRequest.REVOKED_CERT_RECORDS); + if (revokedCertIds == null || revokedCertIds.length == 0) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId() + .toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); } CertRecord revokedCertRecs[] = new CertRecord[revokedCertIds.length]; for (int i = 0; i < revokedCertIds.length; i++) { - revokedCertRecs[i] = (CertRecord) - mCA.getCertificateRepository().readCertificateRecord( - revokedCertIds[i]); + revokedCertRecs[i] = (CertRecord) mCA.getCertificateRepository() + .readCertificateRecord(revokedCertIds[i]); } - if (revokedCertRecs == null || - revokedCertRecs.length == 0 || - revokedCertRecs[0] == null) { - // XXX should this be an error ? - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); + if (revokedCertRecs == null || revokedCertRecs.length == 0 + || revokedCertRecs[0] == null) { + // XXX should this be an error ? 
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId() + .toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); } - CertRecord recordedCerts[] = - new CertRecord[revokedCertRecs.length]; + CertRecord recordedCerts[] = new CertRecord[revokedCertRecs.length]; String svcerrors[] = null; for (int i = 0; i < revokedCertRecs.length; i++) { try { // for CLA, record it into cert repost - ((CertificateRepository) mCA.getCertificateRepository()).addRevokedCertRecord(revokedCertRecs[i]); - // mService.revokeCert(crlentries[i]); + ((CertificateRepository) mCA.getCertificateRepository()) + .addRevokedCertRecord(revokedCertRecs[i]); + // mService.revokeCert(crlentries[i]); recordedCerts[i] = revokedCertRecs[i]; // inform all CRLIssuingPoints about revoked certificate Hashtable hips = mService.getCRLIssuingPoints(); @@ -2040,17 +2124,20 @@ class serviceCert4Crl implements IServant { while (eIPs.hasMoreElements()) { ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); // form RevokedCertImpl - RevokedCertImpl rci = - new RevokedCertImpl(revokedCertRecs[i].getSerialNumber(), + RevokedCertImpl rci = new RevokedCertImpl( + revokedCertRecs[i].getSerialNumber(), revokedCertRecs[i].getRevokedOn()); if (ip != null) { - ip.addRevokedCert(revokedCertRecs[i].getSerialNumber(), rci); + ip.addRevokedCert(revokedCertRecs[i].getSerialNumber(), + rci); } } } catch (ECAException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_REC", Integer.toString(i), request.getRequestId().toString(), e.toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CERT4CRL_NO_REC", Integer.toString(i), + request.getRequestId().toString(), e.toString())); recordedCerts[i] = null; if (svcerrors == null) { svcerrors = new String[recordedCerts.length]; 
@@ -2058,8 +2145,8 @@ class serviceCert4Crl implements IServant { svcerrors[i] = e.toString(); } } - //need to record which gets recorded and which failed...cfu - // request.set(IRequest.REVOKED_CERTS, revokedCerts); + // need to record which gets recorded and which failed...cfu + // request.set(IRequest.REVOKED_CERTS, revokedCerts); if (svcerrors != null) { request.setExtData(IRequest.SVCERRORS, svcerrors); throw new ECAException(CMS.getUserMessage("CMS_CA_CERT4CRL_FAILED")); @@ -2069,7 +2156,6 @@ class serviceCert4Crl implements IServant { } } - class serviceUnCert4Crl implements IServant { private ICertificateAuthority mCA; private CAService mService; @@ -2079,13 +2165,13 @@ class serviceUnCert4Crl implements IServant { mCA = mService.getCA(); } - public boolean service(IRequest request) - throws EBaseException { - BigInteger oldSerialNo[] = - request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + public boolean service(IRequest request) throws EBaseException { + BigInteger oldSerialNo[] = request + .getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); if (oldSerialNo == null || oldSerialNo.length < 1) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + mCA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); throw new ECAException( CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); } @@ -2094,7 +2180,8 @@ class serviceUnCert4Crl implements IServant { for (int i = 0; i < oldSerialNo.length; i++) { try { - mCA.getCertificateRepository().deleteCertificateRecord(oldSerialNo[i]); + mCA.getCertificateRepository().deleteCertificateRecord( + oldSerialNo[i]); // inform all CRLIssuingPoints about unrevoked certificate Hashtable hips = mService.getCRLIssuingPoints(); Enumeration eIPs = hips.elements(); 
@@ -2107,7 +2194,9 @@ class serviceUnCert4Crl implements IServant { } } } catch (EBaseException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", oldSerialNo[i].toString(), e.toString())); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_DELETE_CERT_ERROR", + oldSerialNo[i].toString(), e.toString())); if (svcerrors == null) { svcerrors = new String[oldSerialNo.length]; } @@ -2118,10 +2207,10 @@ class serviceUnCert4Crl implements IServant { if (svcerrors != null) { request.setExtData(IRequest.SVCERRORS, svcerrors); - throw new ECAException(CMS.getUserMessage("CMS_CA_UNCERT4CRL_FAILED")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_UNCERT4CRL_FAILED")); } return true; } } - diff --git a/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java b/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java index 51d034179..8b06486ff 100644 --- a/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java +++ b/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ca; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -56,7 +55,6 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.cms.crl.CMSIssuingDistributionPointExtension; import com.netscape.cmscore.base.SubsystemRegistry; - public class CMSCRLExtensions implements ICMSCRLExtensions { public static final String PROP_ENABLE = "enable"; public static final String PROP_EXTENSION = "extension"; @@ -65,7 +63,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { public static final String PROP_CRITICAL = "critical"; public static final String PROP_CRL_EXT = "CRLExtension"; public static final String PROP_CRL_ENTRY_EXT = "CRLEntryExtension"; - + private ICRLIssuingPoint mCRLIssuingPoint = null; private IConfigStore mConfig = null; 
@@ -90,101 +88,110 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { static { /* Default CRL Extensions */ - mDefaultCRLExtensionNames.addElement(AuthorityKeyIdentifierExtension.NAME); - mDefaultCRLExtensionNames.addElement(IssuerAlternativeNameExtension.NAME); + mDefaultCRLExtensionNames + .addElement(AuthorityKeyIdentifierExtension.NAME); + mDefaultCRLExtensionNames + .addElement(IssuerAlternativeNameExtension.NAME); mDefaultCRLExtensionNames.addElement(CRLNumberExtension.NAME); mDefaultCRLExtensionNames.addElement(DeltaCRLIndicatorExtension.NAME); - mDefaultCRLExtensionNames.addElement(IssuingDistributionPointExtension.NAME); + mDefaultCRLExtensionNames + .addElement(IssuingDistributionPointExtension.NAME); mDefaultCRLExtensionNames.addElement(FreshestCRLExtension.NAME); mDefaultCRLExtensionNames.addElement(AuthInfoAccessExtension.NAME2); /* Default CRL Entry Extensions */ mDefaultCRLEntryExtensionNames.addElement(CRLReasonExtension.NAME); - //mDefaultCRLEntryExtensionNames.addElement(HoldInstructionExtension.NAME); + // mDefaultCRLEntryExtensionNames.addElement(HoldInstructionExtension.NAME); mDefaultCRLEntryExtensionNames.addElement(InvalidityDateExtension.NAME); - //mDefaultCRLEntryExtensionNames.addElement(CertificateIssuerExtension.NAME); + // mDefaultCRLEntryExtensionNames.addElement(CertificateIssuerExtension.NAME); /* Default Enabled CRL Extensions */ mDefaultEnabledCRLExtensions.addElement(CRLNumberExtension.NAME); - //mDefaultEnabledCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME); + // mDefaultEnabledCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME); mDefaultEnabledCRLExtensions.addElement(CRLReasonExtension.NAME); mDefaultEnabledCRLExtensions.addElement(InvalidityDateExtension.NAME); /* Default Critical CRL Extensions */ - mDefaultCriticalCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME); - mDefaultCriticalCRLExtensions.addElement(IssuingDistributionPointExtension.NAME); - 
//mDefaultCriticalCRLExtensions.addElement(CertificateIssuerExtension.NAME); + mDefaultCriticalCRLExtensions + .addElement(DeltaCRLIndicatorExtension.NAME); + mDefaultCriticalCRLExtensions + .addElement(IssuingDistributionPointExtension.NAME); + // mDefaultCriticalCRLExtensions.addElement(CertificateIssuerExtension.NAME); /* CRL extension IDs */ mDefaultCRLExtensionIDs.put(PKIXExtensions.AuthorityKey_Id.toString(), - AuthorityKeyIdentifierExtension.NAME); - mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuerAlternativeName_Id.toString(), - IssuerAlternativeNameExtension.NAME); + AuthorityKeyIdentifierExtension.NAME); + mDefaultCRLExtensionIDs.put( + PKIXExtensions.IssuerAlternativeName_Id.toString(), + IssuerAlternativeNameExtension.NAME); mDefaultCRLExtensionIDs.put(PKIXExtensions.CRLNumber_Id.toString(), - CRLNumberExtension.NAME); - mDefaultCRLExtensionIDs.put(PKIXExtensions.DeltaCRLIndicator_Id.toString(), - DeltaCRLIndicatorExtension.NAME); - mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuingDistributionPoint_Id.toString(), - IssuingDistributionPointExtension.NAME); + CRLNumberExtension.NAME); + mDefaultCRLExtensionIDs.put( + PKIXExtensions.DeltaCRLIndicator_Id.toString(), + DeltaCRLIndicatorExtension.NAME); + mDefaultCRLExtensionIDs.put( + PKIXExtensions.IssuingDistributionPoint_Id.toString(), + IssuingDistributionPointExtension.NAME); mDefaultCRLExtensionIDs.put(PKIXExtensions.ReasonCode_Id.toString(), - CRLReasonExtension.NAME); - mDefaultCRLExtensionIDs.put(PKIXExtensions.HoldInstructionCode_Id.toString(), - HoldInstructionExtension.NAME); - mDefaultCRLExtensionIDs.put(PKIXExtensions.InvalidityDate_Id.toString(), - InvalidityDateExtension.NAME); - //mDefaultCRLExtensionIDs.put(PKIXExtensions.CertificateIssuer_Id.toString(), - // CertificateIssuerExtension.NAME); + CRLReasonExtension.NAME); + mDefaultCRLExtensionIDs.put( + PKIXExtensions.HoldInstructionCode_Id.toString(), + HoldInstructionExtension.NAME); + mDefaultCRLExtensionIDs.put( + 
PKIXExtensions.InvalidityDate_Id.toString(), + InvalidityDateExtension.NAME); + // mDefaultCRLExtensionIDs.put(PKIXExtensions.CertificateIssuer_Id.toString(), + // CertificateIssuerExtension.NAME); mDefaultCRLExtensionIDs.put(PKIXExtensions.FreshestCRL_Id.toString(), - FreshestCRLExtension.NAME); + FreshestCRLExtension.NAME); mDefaultCRLExtensionIDs.put(AuthInfoAccessExtension.ID.toString(), - AuthInfoAccessExtension.NAME2); + AuthInfoAccessExtension.NAME2); /* Class names */ - mDefaultCRLExtensionClassNames.put(AuthorityKeyIdentifierExtension.NAME, - "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + mDefaultCRLExtensionClassNames.put( + AuthorityKeyIdentifierExtension.NAME, + "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); mDefaultCRLExtensionClassNames.put(IssuerAlternativeNameExtension.NAME, - "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); mDefaultCRLExtensionClassNames.put(CRLNumberExtension.NAME, - "com.netscape.cms.crl.CMSCRLNumberExtension"); + "com.netscape.cms.crl.CMSCRLNumberExtension"); mDefaultCRLExtensionClassNames.put(DeltaCRLIndicatorExtension.NAME, - "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); - mDefaultCRLExtensionClassNames.put(IssuingDistributionPointExtension.NAME, - "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + mDefaultCRLExtensionClassNames.put( + IssuingDistributionPointExtension.NAME, + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); mDefaultCRLExtensionClassNames.put(CRLReasonExtension.NAME, - "com.netscape.cms.crl.CMSCRLReasonExtension"); + "com.netscape.cms.crl.CMSCRLReasonExtension"); mDefaultCRLExtensionClassNames.put(HoldInstructionExtension.NAME, - "com.netscape.cms.crl.CMSHoldInstructionExtension"); + "com.netscape.cms.crl.CMSHoldInstructionExtension"); mDefaultCRLExtensionClassNames.put(InvalidityDateExtension.NAME, - 
"com.netscape.cms.crl.CMSInvalidityDateExtension"); - //mDefaultCRLExtensionClassNames.put(CertificateIssuerExtension.NAME, - // "com.netscape.cms.crl.CMSCertificateIssuerExtension"); + "com.netscape.cms.crl.CMSInvalidityDateExtension"); + // mDefaultCRLExtensionClassNames.put(CertificateIssuerExtension.NAME, + // "com.netscape.cms.crl.CMSCertificateIssuerExtension"); mDefaultCRLExtensionClassNames.put(FreshestCRLExtension.NAME, - "com.netscape.cms.crl.CMSFreshestCRLExtension"); + "com.netscape.cms.crl.CMSFreshestCRLExtension"); mDefaultCRLExtensionClassNames.put(AuthInfoAccessExtension.NAME2, - "com.netscape.cms.crl.CMSAuthInfoAccessExtension"); + "com.netscape.cms.crl.CMSAuthInfoAccessExtension"); try { OIDMap.addAttribute(DeltaCRLIndicatorExtension.class.getName(), - DeltaCRLIndicatorExtension.OID, - DeltaCRLIndicatorExtension.NAME); + DeltaCRLIndicatorExtension.OID, + DeltaCRLIndicatorExtension.NAME); } catch (CertificateException e) { } try { OIDMap.addAttribute(HoldInstructionExtension.class.getName(), - HoldInstructionExtension.OID, - HoldInstructionExtension.NAME); + HoldInstructionExtension.OID, HoldInstructionExtension.NAME); } catch (CertificateException e) { } try { OIDMap.addAttribute(InvalidityDateExtension.class.getName(), - InvalidityDateExtension.OID, - InvalidityDateExtension.NAME); + InvalidityDateExtension.OID, InvalidityDateExtension.NAME); } catch (CertificateException e) { } try { OIDMap.addAttribute(FreshestCRLExtension.class.getName(), - FreshestCRLExtension.OID, - FreshestCRLExtension.NAME); + FreshestCRLExtension.OID, FreshestCRLExtension.NAME); } catch (CertificateException e) { } } 
@@ -192,15 +199,16 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { /** * Constructs a CRL extensions for CRL issuing point. */ - public CMSCRLExtensions(ICRLIssuingPoint crlIssuingPoint, IConfigStore config) { + public CMSCRLExtensions(ICRLIssuingPoint crlIssuingPoint, + IConfigStore config) { boolean modifiedConfig = false; - mConfig = config; + mConfig = config; mCRLExtConfig = config.getSubStore(PROP_EXTENSION); mCRLIssuingPoint = crlIssuingPoint; - IConfigStore mFileConfig = - SubsystemRegistry.getInstance().get("MAIN").getConfigStore(); + IConfigStore mFileConfig = SubsystemRegistry.getInstance().get("MAIN") + .getConfigStore(); IConfigStore crlExtConfig = (IConfigStore) mFileConfig; StringTokenizer st = new StringTokenizer(mCRLExtConfig.getName(), "."); @@ -212,13 +220,13 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { if (newConfig != null) { crlExtConfig = newConfig; } - } + } if (crlExtConfig != null) { Enumeration<String> enumExts = crlExtConfig.getSubStoreNames(); while (enumExts.hasMoreElements()) { - String extName = enumExts.nextElement(); + String extName = enumExts.nextElement(); IConfigStore extConfig = crlExtConfig.getSubStore(extName); if (extConfig != null) { @@ -233,7 +241,9 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { try { mFileConfig.commit(true); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", + e.toString())); } } } 
@@ -247,26 +257,38 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { mEnabledCRLExtensions.addElement(extName); } } catch (EPropertyNotFound e) { - extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_ENABLE, + mDefaultEnabledCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultEnabledCRLExtensions.contains(extName)) { mEnabledCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_NO_ENABLE", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } catch (EPropertyNotDefined e) { - extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_ENABLE, + mDefaultEnabledCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultEnabledCRLExtensions.contains(extName)) { mEnabledCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_UNDEFINE_ENABLE", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } catch (EBaseException e) { - extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_ENABLE, + mDefaultEnabledCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultEnabledCRLExtensions.contains(extName)) { mEnabledCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? 
"true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_ENABLE", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } return modifiedConfig; } 
@@ -279,26 +301,38 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { mCriticalCRLExtensions.addElement(extName); } } catch (EPropertyNotFound e) { - extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_CRITICAL, + mDefaultCriticalCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultCriticalCRLExtensions.contains(extName)) { mCriticalCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_NO_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } catch (EPropertyNotDefined e) { - extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_CRITICAL, + mDefaultCriticalCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultCriticalCRLExtensions.contains(extName)) { mCriticalCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_UNDEFINE_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } catch (EBaseException e) { - extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + extConfig.putBoolean(PROP_CRITICAL, + mDefaultCriticalCRLExtensions.contains(extName)); modifiedConfig = true; if (mDefaultCriticalCRLExtensions.contains(extName)) { mCriticalCRLExtensions.addElement(extName); } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? 
"true" : "false")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_CRITICAL", extName, + mDefaultEnabledCRLExtensions.contains(extName) ? "true" + : "false")); } return modifiedConfig; } @@ -319,18 +353,24 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { extConfig.putString(PROP_TYPE, PROP_CRL_ENTRY_EXT); modifiedConfig = true; mCRLEntryExtensionNames.addElement(extName); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_ENTRY_EXT)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, + PROP_CRL_ENTRY_EXT)); } else if (mDefaultCRLExtensionNames.contains(extName)) { extConfig.putString(PROP_TYPE, PROP_CRL_EXT); modifiedConfig = true; mCRLExtensionNames.addElement(extName); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_EXT)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, + PROP_CRL_EXT)); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); } } } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_EXT", extName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_UNDEFINE_EXT", extName)); } } catch (EPropertyNotFound e) { if (mDefaultCRLEntryExtensionNames.contains(extName)) { 
@@ -340,9 +380,11 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { extConfig.putString(PROP_TYPE, PROP_CRL_EXT); modifiedConfig = true; } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_MISSING_EXT", extName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_MISSING_EXT", extName)); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); } return modifiedConfig; } @@ -357,13 +399,14 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { mCRLExtensionClassNames.put(extName, extClass); try { - Class<ICMSCRLExtension> crlExtClass = (Class<ICMSCRLExtension>) Class.forName(extClass); + Class<ICMSCRLExtension> crlExtClass = (Class<ICMSCRLExtension>) Class + .forName(extClass); if (crlExtClass != null) { - ICMSCRLExtension cmsCRLExt = crlExtClass.newInstance(); + ICMSCRLExtension cmsCRLExt = crlExtClass.newInstance(); if (cmsCRLExt != null) { - String id = cmsCRLExt.getCRLExtOID(); + String id = cmsCRLExt.getCRLExtOID(); if (id != null) { mCRLExtensionIDs.put(id, extName); 
@@ -371,37 +414,48 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } } } catch (ClassCastException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", extClass, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", extClass, + e.toString())); } catch (ClassNotFoundException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", extClass, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", extClass, + e.toString())); } catch (InstantiationException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", extClass, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", extClass, + e.toString())); } catch (IllegalAccessException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", extClass, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", extClass, + e.toString())); } } else { if (mDefaultCRLExtensionClassNames.containsKey(extName)) { - extClass = mCRLExtensionClassNames.get(extName); + extClass = mCRLExtensionClassNames.get(extName); extConfig.putString(PROP_CLASS, extClass); modifiedConfig = true; } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_DEFINED", extName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_DEFINED", extName)); } } catch (EPropertyNotFound e) { if (mDefaultCRLExtensionClassNames.containsKey(extName)) { - extClass = mDefaultCRLExtensionClassNames.get(extName); + extClass = mDefaultCRLExtensionClassNames.get(extName); extConfig.putString(PROP_CLASS, extClass); modifiedConfig = true; } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_MISSING", extName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_MISSING", 
extName)); } catch (EBaseException e) { if (mDefaultCRLExtensionClassNames.containsKey(extName)) { - extClass = mDefaultCRLExtensionClassNames.get(extName); + extClass = mDefaultCRLExtensionClassNames.get(extName); extConfig.putString(PROP_CLASS, extClass); modifiedConfig = true; } - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_INVALID", extName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_INVALID", extName)); } return modifiedConfig; } @@ -415,9 +469,8 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } public boolean isCRLExtensionEnabled(String extName) { - return ((mCRLExtensionNames.contains(extName) || - mCRLEntryExtensionNames.contains(extName)) && - mEnabledCRLExtensions.contains(extName)); + return ((mCRLExtensionNames.contains(extName) || mCRLEntryExtensionNames + .contains(extName)) && mEnabledCRLExtensions.contains(extName)); } public boolean isCRLExtensionCritical(String extName) { @@ -428,7 +481,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { String name = null; if (mCRLExtensionIDs.containsKey(id)) { - name = mCRLExtensionIDs.get(id); + name = mCRLExtensionIDs.get(id); } return name; } 
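Review bot: In the `else` branch near the end of this hunk the lookup does not match its guard: `if (mDefaultCRLExtensionClassNames.containsKey(extName))` is followed by `extClass = mCRLExtensionClassNames.get(extName);`, which reads the configured-class map rather than the defaults map the condition just checked, so when the configured map has no entry the code passes a null class name to `extConfig.putString(PROP_CLASS, extClass)` and marks the config modified. The two catch handlers that follow use `mDefaultCRLExtensionClassNames.get(extName)`, and this line should do the same: `extClass = mDefaultCRLExtensionClassNames.get(extName);`. Separately, the class name taken from config is loaded with `Class.forName(extClass)` and instantiated with `newInstance()` earlier in the hunk, so write access to the CRL extension config is equivalent to code execution inside the CA; a comment at that call saying the value is trusted administrator configuration, not user input, would make that boundary explicit. The enclosing method begins before this hunk.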
@@ -438,29 +491,34 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } public Vector<String> getCRLEntryExtensionNames() { - return new Vector<String>( mCRLEntryExtensionNames); + return new Vector<String>(mCRLEntryExtensionNames); } - public void addToCRLExtensions(CRLExtensions crlExts, String extName, Extension ext) { + public void addToCRLExtensions(CRLExtensions crlExts, String extName, + Extension ext) { if (mCRLExtensionClassNames.containsKey(extName)) { - String name = mCRLExtensionClassNames.get(extName); + String name = mCRLExtensionClassNames.get(extName); try { - Class<ICMSCRLExtension > extClass = (Class<ICMSCRLExtension>) Class.forName(name); + Class<ICMSCRLExtension> extClass = (Class<ICMSCRLExtension>) Class + .forName(name); if (extClass != null) { ICMSCRLExtension cmsCRLExt = extClass.newInstance(); if (cmsCRLExt != null) { if (ext != null) { - if (isCRLExtensionCritical(extName) ^ ext.isCritical()) { - ext = (Extension) cmsCRLExt.setCRLExtensionCriticality( - ext, isCRLExtensionCritical(extName)); + if (isCRLExtensionCritical(extName) + ^ ext.isCritical()) { + ext = (Extension) cmsCRLExt + .setCRLExtensionCriticality(ext, + isCRLExtensionCritical(extName)); } } else { - ext = (Extension) cmsCRLExt.getCRLExtension(mCRLExtConfig.getSubStore(extName), - mCRLIssuingPoint, - isCRLExtensionCritical(extName)); + ext = (Extension) cmsCRLExt.getCRLExtension( + mCRLExtConfig.getSubStore(extName), + mCRLIssuingPoint, + isCRLExtensionCritical(extName)); } if (crlExts != null && ext != null) { 
@@ -469,15 +527,24 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } } } catch (ClassCastException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_INCORRECT_CLASS", name, + e.toString())); } catch (ClassNotFoundException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, + e.toString())); } catch (InstantiationException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", + name, e.toString())); } catch (IllegalAccessException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, + e.toString())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_ADD", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_ADD", name, e.toString())); } } } 
@@ -485,22 +552,18 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { public NameValuePairs getConfigParams(String id) { NameValuePairs nvp = null; - if (mCRLEntryExtensionNames.contains(id) || - mCRLExtensionNames.contains(id)) { + if (mCRLEntryExtensionNames.contains(id) + || mCRLExtensionNames.contains(id)) { nvp = new NameValuePairs(); /* - if (mCRLEntryExtensionNames.contains(id)) { - nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLEntryExtension"); - } else { - nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLExtension"); - } - - if (mCRLEntryExtensionNames.contains(id)) { - nvp.add(PROP_TYPE, "CRLEntryExtension"); - } else { - nvp.add(PROP_TYPE, "CRLExtension"); - } + * if (mCRLEntryExtensionNames.contains(id)) { + * nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLEntryExtension"); } + * else { nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLExtension"); } + * + * if (mCRLEntryExtensionNames.contains(id)) { nvp.add(PROP_TYPE, + * "CRLEntryExtension"); } else { nvp.add(PROP_TYPE, + * "CRLExtension"); } */ if (mEnabledCRLExtensions.contains(id)) { @@ -515,7 +578,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } if (mCRLExtensionClassNames.containsKey(id)) { - String name = mCRLExtensionClassNames.get(id); + String name = mCRLExtensionClassNames.get(id); if (name != null) { 
@@ -523,18 +586,26 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { Class<?> extClass = Class.forName(name); if (extClass != null) { - ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) extClass.newInstance(); + ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) extClass + .newInstance(); if (cmsCRLExt != null) { - cmsCRLExt.getConfigParams(mCRLExtConfig.getSubStore(id), nvp); + cmsCRLExt.getConfigParams( + mCRLExtConfig.getSubStore(id), nvp); } } } catch (ClassNotFoundException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, + e.toString())); } catch (InstantiationException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, + e.toString())); } catch (IllegalAccessException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, + e.toString())); } int i = name.lastIndexOf('.'); @@ -552,13 +623,15 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { return nvp; } - public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config) { - ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + public void setConfigParams(String id, NameValuePairs nvp, + IConfigStore config) { + ICertificateAuthority ca = (ICertificateAuthority) CMS + .getSubsystem(CMS.SUBSYSTEM_CA); String ipId = nvp.getValue("id"); - ICRLIssuingPoint ip = null; - if(ipId != null && ca != null) { - ip = ca.getCRLIssuingPoint(ipId); + ICRLIssuingPoint ip = null; + if (ipId != null && ca != null) { + ip = ca.getCRLIssuingPoint(ipId); } for (int i = 0; i < nvp.size(); i++) { 
@@ -567,8 +640,8 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { String value = p.getValue(); if (name.equals(PROP_ENABLE)) { - if (!(value.equals(Constants.TRUE) || - value.equals(Constants.FALSE))) { + if (!(value.equals(Constants.TRUE) || value + .equals(Constants.FALSE))) { continue; } if (value.equals(Constants.TRUE)) { @@ -582,8 +655,8 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { } if (name.equals(PROP_CRITICAL)) { - if (!(value.equals(Constants.TRUE) || - value.equals(Constants.FALSE))) { + if (!(value.equals(Constants.TRUE) || value + .equals(Constants.FALSE))) { continue; } if (value.equals(Constants.TRUE)) { 
@@ -595,68 +668,82 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { mCriticalCRLExtensions.remove(id); } } - //Sync the onlyContainsCACerts with similar property in CRLIssuingPoint - //called caCertsOnly. - if(name.equals(CMSIssuingDistributionPointExtension.PROP_CACERTS)) { + // Sync the onlyContainsCACerts with similar property in + // CRLIssuingPoint + // called caCertsOnly. + if (name.equals(CMSIssuingDistributionPointExtension.PROP_CACERTS)) { NameValuePairs crlIssuingPointPairs = null; boolean crlCACertsOnly = false; boolean issuingDistPointExtEnabled = false; - CMSCRLExtensions cmsCRLExtensions = (CMSCRLExtensions) ip.getCRLExtensions(); - if(cmsCRLExtensions != null) { - issuingDistPointExtEnabled = cmsCRLExtensions.isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); + CMSCRLExtensions cmsCRLExtensions = (CMSCRLExtensions) ip + .getCRLExtensions(); + if (cmsCRLExtensions != null) { + issuingDistPointExtEnabled = cmsCRLExtensions + .isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); } - CMS.debug("issuingDistPointExtEnabled = " + issuingDistPointExtEnabled); + CMS.debug("issuingDistPointExtEnabled = " + + issuingDistPointExtEnabled); - if (!(value.equals(Constants.TRUE) || - value.equals(Constants.FALSE))) { + if (!(value.equals(Constants.TRUE) || value + .equals(Constants.FALSE))) { continue; } - //Get value of caCertsOnly from CRLIssuingPoint - if((ip != null) && (issuingDistPointExtEnabled == true)) { + // Get value of caCertsOnly from CRLIssuingPoint + if ((ip != null) && (issuingDistPointExtEnabled == true)) { crlCACertsOnly = ip.isCACertsOnly(); CMS.debug("CRLCACertsOnly is: " + crlCACertsOnly); crlIssuingPointPairs = new NameValuePairs(); - + } String newValue = ""; boolean modifiedCRLConfig = false; - //If the CRLCACertsOnly prop is false change it to true to sync. 
- if(value.equals(Constants.TRUE) && (issuingDistPointExtEnabled == true)) { - if(crlCACertsOnly == false) { + // If the CRLCACertsOnly prop is false change it to true to + // sync. + if (value.equals(Constants.TRUE) + && (issuingDistPointExtEnabled == true)) { + if (crlCACertsOnly == false) { CMS.debug(" value = true and CRLCACertsOnly is already false."); - crlIssuingPointPairs.add(Constants.PR_CA_CERTS_ONLY, Constants.TRUE); + crlIssuingPointPairs.add(Constants.PR_CA_CERTS_ONLY, + Constants.TRUE); newValue = Constants.TRUE; ip.updateConfig(crlIssuingPointPairs); modifiedCRLConfig = true; } } - //If the CRLCACertsOnly prop is true change it to false to sync. - if(value.equals(Constants.FALSE) && (issuingDistPointExtEnabled == true)) { - crlIssuingPointPairs.add(Constants.PR_CA_CERTS_ONLY, Constants.FALSE); - if(ip != null) { + // If the CRLCACertsOnly prop is true change it to false to + // sync. + if (value.equals(Constants.FALSE) + && (issuingDistPointExtEnabled == true)) { + crlIssuingPointPairs.add(Constants.PR_CA_CERTS_ONLY, + Constants.FALSE); + if (ip != null) { ip.updateConfig(crlIssuingPointPairs); newValue = Constants.FALSE; modifiedCRLConfig = true; } } - - if(modifiedCRLConfig == true) { - //Commit to this CRL IssuingPoint's config store - ICertificateAuthority CA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + + if (modifiedCRLConfig == true) { + // Commit to this CRL IssuingPoint's config store + ICertificateAuthority CA = (ICertificateAuthority) CMS + .getSubsystem(CMS.SUBSYSTEM_CA); IConfigStore crlsSubStore = CA.getConfigStore(); - crlsSubStore = crlsSubStore.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + crlsSubStore = crlsSubStore + .getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); crlsSubStore = crlsSubStore.getSubStore(ipId); try { - crlsSubStore.putString(Constants.PR_CA_CERTS_ONLY,newValue); + crlsSubStore.putString(Constants.PR_CA_CERTS_ONLY, + newValue); crlsSubStore.commit(true); } catch (EBaseException e) { 
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString())); } } } @@ -691,7 +778,6 @@ public class CMSCRLExtensions implements ICMSCRLExtensions { private void log(int level, String msg) { mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, - "CMSCRLExtension - " + msg); + "CMSCRLExtension - " + msg); } } - diff --git a/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index bc859910b..064832fe4 100644 --- a/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ca; - import java.io.IOException; import java.math.BigInteger; import java.security.NoSuchAlgorithmException; 
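Review bot: `ip` is dereferenced before it is checked: `CMSCRLExtensions cmsCRLExtensions = (CMSCRLExtensions) ip.getCRLExtensions();` runs unconditionally at the top of the PROP_CACERTS block, while the later `if ((ip != null) && ...)` and `if (ip != null)` guards show the author expected `ca.getCRLIssuingPoint(ipId)` to return null for an unknown id (ipId comes from the caller-supplied `nvp` in the previous hunk). An unknown or missing `id` therefore ends in a NullPointerException rather than a logged rejection, and `crlIssuingPointPairs` is likewise allocated only inside the `ip != null` branch yet is used at `crlIssuingPointPairs.add(Constants.PR_CA_CERTS_ONLY, Constants.FALSE)` before the null check in the FALSE branch. Guard once at the top of the block, e.g. `if (ip == null) { log(ILogger.LL_FAILURE, "no CRL issuing point for id " + ipId); continue; }`, after which the later null checks are redundant and the `ipId`-derived `crlsSubStore.getSubStore(ipId)` below is only reached for a real issuing point. The enclosing setConfigParams method starts in the previous hunk and its loop continues past the end of this one.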
@@ -86,18 +85,17 @@ import com.netscape.cmscore.dbs.CertificateRepository; import com.netscape.cmscore.util.Debug; /** - * This class encapsulates CRL issuing mechanism. CertificateAuthority - * contains a map of CRLIssuingPoint indexed by string ids. Each issuing - * point contains information about CRL issuing and publishing parameters - * as well as state information which includes last issued CRL, next CRL - * serial number, time of the next update etc. - * If autoUpdateInterval is set to non-zero value then worker thread - * is created that will perform CRL update at scheduled intervals. Update - * can also be triggered by invoking updateCRL method directly. Another - * parameter minUpdateInterval can be used to prevent CRL - * from being updated too often + * This class encapsulates CRL issuing mechanism. CertificateAuthority contains + * a map of CRLIssuingPoint indexed by string ids. Each issuing point contains + * information about CRL issuing and publishing parameters as well as state + * information which includes last issued CRL, next CRL serial number, time of + * the next update etc. If autoUpdateInterval is set to non-zero value then + * worker thread is created that will perform CRL update at scheduled intervals. + * Update can also be triggered by invoking updateCRL method directly. Another + * parameter minUpdateInterval can be used to prevent CRL from being updated too + * often * <P> - * + * * @author awnuk * @author lhsiao * @author galperin @@ -134,8 +132,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { protected String mId = null; /** - * Reference to the CertificateAuthority instance which owns this - * issuing point. + * Reference to the CertificateAuthority instance which owns this issuing + * point. */ protected ICertificateAuthority mCA = null; 
@@ -162,16 +160,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * CRL cache */ - private Hashtable<BigInteger,RevokedCertificate> mCRLCerts = new Hashtable<BigInteger, RevokedCertificate>(); - private Hashtable<BigInteger,RevokedCertificate> mRevokedCerts = new Hashtable<BigInteger, RevokedCertificate>(); - private Hashtable<BigInteger,RevokedCertificate> mUnrevokedCerts = new Hashtable<BigInteger, RevokedCertificate>(); - private Hashtable<BigInteger,RevokedCertificate> mExpiredCerts = new Hashtable<BigInteger, RevokedCertificate>(); + private Hashtable<BigInteger, RevokedCertificate> mCRLCerts = new Hashtable<BigInteger, RevokedCertificate>(); + private Hashtable<BigInteger, RevokedCertificate> mRevokedCerts = new Hashtable<BigInteger, RevokedCertificate>(); + private Hashtable<BigInteger, RevokedCertificate> mUnrevokedCerts = new Hashtable<BigInteger, RevokedCertificate>(); + private Hashtable<BigInteger, RevokedCertificate> mExpiredCerts = new Hashtable<BigInteger, RevokedCertificate>(); private boolean mIncludeExpiredCerts = false; private boolean mIncludeExpiredCertsOneExtraTime = false; private boolean mCACertsOnly = false; private boolean mProfileCertsOnly = false; - private Vector<String> mProfileList = null; + private Vector<String> mProfileList = null; /** * Enable CRL cache. @@ -179,7 +177,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private boolean mEnableCRLCache = true; private boolean mCRLCacheIsCleared = true; private boolean mEnableCacheRecovery = false; - private String mFirstUnsaved = null; + private String mFirstUnsaved = null; private boolean mEnableCacheTesting = false; /** 
@@ -188,8 +186,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private long mLastCacheUpdate = 0; /** - * Time interval in milliseconds between consequential CRL cache - * updates performed automatically. + * Time interval in milliseconds between consequential CRL cache updates + * performed automatically. */ private long mCacheUpdateInterval; @@ -208,7 +206,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { * Enable CRL daily updates at listed times. */ private boolean mEnableDailyUpdates = false; - private Vector<Vector<Integer>> mDailyUpdates = null; + private Vector<Vector<Integer>> mDailyUpdates = null; private int mCurrentDay = 0; private int mLastDay = 0; private int mTimeListSize = 0; @@ -220,14 +218,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private boolean mEnableUpdateFreq = false; /** - * Time interval in milliseconds between consequential CRL Enable CRL daily update at updates - * performed automatically. + * Time interval in milliseconds between consequential CRL Enable CRL daily + * update at updates performed automatically. */ private long mAutoUpdateInterval; /** - * Minimum time interval in milliseconds between consequential - * CRL updates (manual or automatic). + * Minimum time interval in milliseconds between consequential CRL updates + * (manual or automatic). */ private long mMinUpdateInterval; 
@@ -239,17 +237,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * next update grace period */ - private long mNextUpdateGracePeriod; + private long mNextUpdateGracePeriod; /** - * Boolean flag controlling whether CRLv2 extensions are to be - * used in CRL. + * Boolean flag controlling whether CRLv2 extensions are to be used in CRL. */ private boolean mAllowExtensions = false; /** - * DN of the directory entry where CRLs from this issuing point - * are published. + * DN of the directory entry where CRLs from this issuing point are + * published. */ private String mPublishDN = null; @@ -262,7 +259,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Cached value of the CRL extensions to be placed in CRL */ - //protected CRLExtensions mCrlExtensions; + // protected CRLExtensions mCrlExtensions; /** * CRL number @@ -297,7 +294,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private Thread mUpdateThread = null; /** - * for going one more round when auto-interval is set to 0 (turned off) + * for going one more round when auto-interval is set to 0 (turned off) */ private boolean mDoLastAutoUpdate = false; @@ -313,15 +310,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private long mDeltaCRLSize = -1; /** - * update status, publishing status Strings to store in requests to - * display result. + * update status, publishing status Strings to store in requests to display + * result. */ private String mCrlUpdateStatus; private String mCrlUpdateError; private String mCrlPublishStatus; private String mCrlPublishError; - /** + /** * begin, end serial number range of revoked certs if any. */ protected BigInteger mBeginSerial = null; 
@@ -330,7 +327,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private int mUpdatingCRL = CRL_UPDATE_DONE; private boolean mDoManualUpdate = false; - private String mSignatureAlgorithmForManualUpdate = null; + private String mSignatureAlgorithmForManualUpdate = null; private boolean mPublishOnStart = false; private long[] mSplits = new long[10]; @@ -338,8 +335,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private boolean mSaveMemory = false; /** - * Constructs a CRL issuing point from instantiating from class name. - * CRL Issuing point must be followed by method call init(CA, id, config); + * Constructs a CRL issuing point from instantiating from class name. CRL + * Issuing point must be followed by method call init(CA, id, config); */ public CRLIssuingPoint() { } 
@@ -398,39 +395,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } public boolean isProfileCertsOnly() { - return (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0); + return (mProfileCertsOnly && mProfileList != null && mProfileList + .size() > 0); } public boolean checkCurrentProfile(String id) { boolean b = false; - if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) { + if (mProfileCertsOnly && mProfileList != null + && mProfileList.size() > 0) { for (int k = 0; k < mProfileList.size(); k++) { String profileId = mProfileList.elementAt(k); - if (id != null && profileId != null && profileId.equalsIgnoreCase(id)) { + if (id != null && profileId != null + && profileId.equalsIgnoreCase(id)) { b = true; break; } } } - + return b; } - /** * Initializes a CRL issuing point config. * <P> - * - * @param ca reference to CertificateAuthority instance which - * owns this issuing point. + * + * @param ca reference to CertificateAuthority instance which owns this + * issuing point. * @param id string id of this CRL issuing point. * @param config configuration of this CRL issuing point. * @exception EBaseException if initialization failed * @exception IOException */ - public void init(ISubsystem ca, String id, IConfigStore config) - throws EBaseException { + public void init(ISubsystem ca, String id, IConfigStore config) + throws EBaseException { mCA = (ICertificateAuthority) ca; mId = id; 
@@ -448,17 +447,19 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mConfigStore = config; - IConfigStore crlSubStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); - mPageSize = crlSubStore.getInteger(ICertificateAuthority.PROP_CRL_PAGE_SIZE, CRL_PAGE_SIZE); - CMS.debug("CRL Page Size: "+ mPageSize); + IConfigStore crlSubStore = mCA.getConfigStore().getSubStore( + ICertificateAuthority.PROP_CRL_SUBSTORE); + mPageSize = crlSubStore.getInteger( + ICertificateAuthority.PROP_CRL_PAGE_SIZE, CRL_PAGE_SIZE); + CMS.debug("CRL Page Size: " + mPageSize); - mCountMod = config.getInteger("countMod",0); + mCountMod = config.getInteger("countMod", 0); mCRLRepository = mCA.getCRLRepository(); mCertRepository = mCA.getCertificateRepository(); ((CertificateRepository) mCertRepository).addCRLIssuingPoint(mId, this); mPublisherProcessor = mCA.getPublisherProcessor(); - //mCRLPublisher = mCA.getCRLPublisher(); + // mCRLPublisher = mCA.getCRLPublisher(); ((CAService) mCA.getCAService()).addCRLIssuingPoint(mId, this); // read in config parameters. @@ -469,8 +470,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { String crlListName = lname + "_" + mId; if (mCA.getRequestListener(crlListName) == null) { - mCA.registerRequestListener( - crlListName, new RevocationRequestListener()); + mCA.registerRequestListener(crlListName, + new RevocationRequestListener()); } for (int i = 0; i < mSplits.length; i++) { 
@@ -481,52 +482,62 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { setAutoUpdates(); } - private int checkTime(String time) { String digits = "0123456789"; int len = time.length(); - if (len < 3 || len > 5) return -1; + if (len < 3 || len > 5) + return -1; int s = time.indexOf(':'); - if (s < 0 || s > 2 || (len - s) != 3) return -1; + if (s < 0 || s > 2 || (len - s) != 3) + return -1; int h = 0; for (int i = 0; i < s; i++) { h *= 10; int k = digits.indexOf(time.charAt(i)); - if (k < 0) return -1; + if (k < 0) + return -1; h += k; } - if (h > 23) return -1; + if (h > 23) + return -1; int m = 0; - for (int i = s+1; i < len; i++) { + for (int i = s + 1; i < len; i++) { m *= 10; int k = digits.indexOf(time.charAt(i)); - if (k < 0) return -1; + if (k < 0) + return -1; m += k; } - if (m > 59) return -1; + if (m > 59) + return -1; return ((h * 60) + m); } - private boolean areTimeListsIdentical(Vector<Vector<Integer>> list1, Vector<Vector<Integer>> list2) { + private boolean areTimeListsIdentical(Vector<Vector<Integer>> list1, + Vector<Vector<Integer>> list2) { boolean identical = true; - if (list1 == null || list2 == null) identical = false; - if (identical && list1.size() != list2.size()) identical = false; + if (list1 == null || list2 == null) + identical = false; + if (identical && list1.size() != list2.size()) + identical = false; for (int i = 0; identical && i < list1.size(); i++) { Vector<Integer> times1 = list1.elementAt(i); Vector<Integer> times2 = list2.elementAt(i); - if (times1.size() != times2.size()) identical = false; + if (times1.size() != times2.size()) + identical = false; for (int j = 0; identical && j < times1.size(); j++) { - if ((((times1.elementAt(j))).intValue()) != (((times2.elementAt(j))).intValue())) { + if ((((times1.elementAt(j))).intValue()) != (((times2 + .elementAt(j))).intValue())) { identical = false; } } } - CMS.debug("areTimeListsIdentical: identical: "+identical); + CMS.debug("areTimeListsIdentical: identical: " 
+ identical); return identical; } @@ -535,23 +546,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { int listSize = 0; for (int i = 0; listedDays != null && i < listedDays.size(); i++) { Vector<Integer> listedTimes = listedDays.elementAt(i); - listSize += ((listedTimes != null)? listedTimes.size(): 0); + listSize += ((listedTimes != null) ? listedTimes.size() : 0); } - CMS.debug("getTimeListSize: ListSize="+listSize); + CMS.debug("getTimeListSize: ListSize=" + listSize); return listSize; } private boolean isTimeListExtended(String list) { - boolean extendedTimeList = true; - if (list == null || list.indexOf('*') == -1) - extendedTimeList = false; - return extendedTimeList; + boolean extendedTimeList = true; + if (list == null || list.indexOf('*') == -1) + extendedTimeList = false; + return extendedTimeList; } private Vector<Vector<Integer>> getTimeList(String list) { boolean timeListPresent = false; - if (list == null || list.length() == 0) return null; - if (list.charAt(0) == ',' || list.charAt(list.length()-1) == ',') return null; + if (list == null || list.length() == 0) + return null; + if (list.charAt(0) == ',' || list.charAt(list.length() - 1) == ',') + return null; Vector<Vector<Integer>> listedDays = new Vector<Vector<Integer>>(); @@ -559,7 +572,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { Vector<Integer> listedTimes = null; while (days.hasMoreTokens()) { String dayList = days.nextToken().trim(); - if (dayList == null) continue; + if (dayList == null) + continue; if (dayList.equals(";")) { if (timeListPresent) { @@ -588,7 +602,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { return null; } else { if (t > t0) { - listedTimes.addElement(new Integer(k*t)); + listedTimes.addElement(new Integer(k * t)); t0 = t; } else { return null; 
@@ -598,7 +612,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (!timeListPresent) { listedTimes = new Vector<Integer>(); - listedDays.addElement(listedTimes); + listedDays.addElement(listedTimes); } return listedDays; @@ -607,7 +621,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private String checkProfile(String id, Enumeration<String> e) { if (e != null) { while (e.hasMoreElements()) { - String profileId = e.nextElement(); + String profileId = e.nextElement(); if (profileId != null && profileId.equalsIgnoreCase(id)) return id; } @@ -618,9 +632,12 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private Vector<String> getProfileList(String list) { Enumeration<String> e = null; IConfigStore pc = CMS.getConfigStore().getSubStore("profile"); - if (pc != null) e = pc.getSubStoreNames(); - if (list == null) return null; - if (list.length() > 0 && list.charAt(list.length()-1) == ',') return null; + if (pc != null) + e = pc.getSubStoreNames(); + if (list == null) + return null; + if (list.length() > 0 && list.charAt(list.length() - 1) == ',') + return null; Vector<String> listedProfiles = new Vector<String>(); @@ -629,8 +646,10 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { int n = 0; while (elements.hasMoreTokens()) { String element = elements.nextToken().trim(); - if (element == null || element.length() == 0) return null; - if (element.equals(",") && n % 2 == 0) return null; + if (element == null || element.length() == 0) + return null; + if (element.equals(",") && n % 2 == 0) + return null; if (n % 2 == 0) { String id = checkProfile(element, e); if (id != null) { 
@@ -639,26 +658,28 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } n++; } - if (n % 2 == 0) return null; + if (n % 2 == 0) + return null; return listedProfiles; } - /** * get CRL config store info */ - protected void initConfig(IConfigStore config) - throws EBaseException { + protected void initConfig(IConfigStore config) throws EBaseException { mEnable = config.getBoolean(Constants.PR_ENABLE, true); mDescription = config.getString(Constants.PR_DESCRIPTION); // Get CRL cache config. mEnableCRLCache = config.getBoolean(Constants.PR_ENABLE_CACHE, true); - mCacheUpdateInterval = MINUTE * config.getInteger(Constants.PR_CACHE_FREQ, 0); - mEnableCacheRecovery = config.getBoolean(Constants.PR_CACHE_RECOVERY, false); - mEnableCacheTesting = config.getBoolean(Constants.PR_CACHE_TESTING, false); + mCacheUpdateInterval = MINUTE + * config.getInteger(Constants.PR_CACHE_FREQ, 0); + mEnableCacheRecovery = config.getBoolean(Constants.PR_CACHE_RECOVERY, + false); + mEnableCacheTesting = config.getBoolean(Constants.PR_CACHE_TESTING, + false); // check if CRL generation is enabled mEnableCRLUpdates = config.getBoolean(Constants.PR_ENABLE_CRL, true); 
@@ -671,34 +692,43 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mAlwaysUpdate = config.getBoolean(Constants.PR_UPDATE_ALWAYS, false); // Get list of daily updates. - mEnableDailyUpdates = config.getBoolean(Constants.PR_ENABLE_DAILY, false); + mEnableDailyUpdates = config.getBoolean(Constants.PR_ENABLE_DAILY, + false); String daily = config.getString(Constants.PR_DAILY_UPDATES, null); mDailyUpdates = getTimeList(daily); mExtendedTimeList = isTimeListExtended(daily); mTimeListSize = getTimeListSize(mDailyUpdates); - if (mDailyUpdates == null || mDailyUpdates.isEmpty() || mTimeListSize == 0) { + if (mDailyUpdates == null || mDailyUpdates.isEmpty() + || mTimeListSize == 0) { mEnableDailyUpdates = false; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); } // Get auto update interval in minutes. mEnableUpdateFreq = config.getBoolean(Constants.PR_ENABLE_FREQ, true); - mAutoUpdateInterval = MINUTE * config.getInteger(Constants.PR_UPDATE_FREQ, 0); - mMinUpdateInterval = MINUTE * config.getInteger(PROP_MIN_UPDATE_INTERVAL, 0); - if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && - mAutoUpdateInterval < mMinUpdateInterval) + mAutoUpdateInterval = MINUTE + * config.getInteger(Constants.PR_UPDATE_FREQ, 0); + mMinUpdateInterval = MINUTE + * config.getInteger(PROP_MIN_UPDATE_INTERVAL, 0); + if (mEnableUpdateFreq && mAutoUpdateInterval > 0 + && mAutoUpdateInterval < mMinUpdateInterval) mAutoUpdateInterval = mMinUpdateInterval; - // get next update grace period - mNextUpdateGracePeriod = MINUTE * config.getInteger(Constants.PR_GRACE_PERIOD, 0); + // get next update grace period + mNextUpdateGracePeriod = MINUTE + * config.getInteger(Constants.PR_GRACE_PERIOD, 0); - // Get V2 or V1 CRL + // Get V2 or V1 CRL mAllowExtensions = config.getBoolean(Constants.PR_EXTENSIONS, false); - mIncludeExpiredCerts = 
config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS, false); - mIncludeExpiredCertsOneExtraTime = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME, false); + mIncludeExpiredCerts = config.getBoolean( + Constants.PR_INCLUDE_EXPIREDCERTS, false); + mIncludeExpiredCertsOneExtraTime = config.getBoolean( + Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME, false); mCACertsOnly = config.getBoolean(Constants.PR_CA_CERTS_ONLY, false); - mProfileCertsOnly = config.getBoolean(Constants.PR_PROFILE_CERTS_ONLY, false); + mProfileCertsOnly = config.getBoolean(Constants.PR_PROFILE_CERTS_ONLY, + false); if (mProfileCertsOnly) { String profiles = config.getString(Constants.PR_PROFILE_LIST, null); mProfileList = getProfileList(profiles); @@ -707,16 +737,17 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { // Get default signing algorithm. // check if algorithm is supported. mSigningAlgorithm = mCA.getCRLSigningUnit().getDefaultAlgorithm(); - String algorithm = config.getString(Constants.PR_SIGNING_ALGORITHM, null); + String algorithm = config.getString(Constants.PR_SIGNING_ALGORITHM, + null); if (algorithm != null) { - // make sure this algorithm is acceptable to CA. + // make sure this algorithm is acceptable to CA. mCA.getCRLSigningUnit().checkSigningAlgorithmFromName(algorithm); mSigningAlgorithm = algorithm; } mPublishOnStart = config.getBoolean(PROP_PUBLISH_ON_START, false); - // if publish dn is null then certificate will be published to + // if publish dn is null then certificate will be published to // CA's entry in the directory. mPublishDN = config.getString(PROP_PUBLISH_DN, null); 
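Review bot: When `getTimeList(daily)` rejects the configured list, initConfig only clears `mEnableDailyUpdates` and leaves `mDailyUpdates` null, yet `findNextUpdate` later in this file reads `mDailyUpdates.size()` with no null check, so an invalid `dailyUpdates` value looks like it can become a NullPointerException on the update thread instead of the logged fallback. Whether that path is reachable with daily updates disabled depends on findNextUpdate's caller, which is outside this view. The cheapest fix keeps the field non-null: in the failure branch add `mDailyUpdates = new Vector<Vector<Integer>>();` after the log call, and do the same in the matching branch of updateConfig. Note also that a bad list fails open to "no scheduled refresh" with only an LL_FAILURE line, so a CRL that quietly stops being regenerated is the failure mode here; a comment stating that intent would help the next reader.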
@@ -724,30 +755,28 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mCMSCRLExtensions = new CMSCRLExtensions(this, config); - mExtendedNextUpdate = ((mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) && isDeltaCRLEnabled())? - config.getBoolean(Constants.PR_EXTENDED_NEXT_UPDATE, true): - false; + mExtendedNextUpdate = ((mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) && isDeltaCRLEnabled()) ? config + .getBoolean(Constants.PR_EXTENDED_NEXT_UPDATE, true) : false; // Get serial number ranges if any. mBeginSerial = config.getBigInteger(PROP_BEGIN_SERIAL, null); if (mBeginSerial != null && mBeginSerial.compareTo(BigInteger.ZERO) < 0) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", - PROP_BEGIN_SERIAL, "BigInteger", "positive number")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_PROPERTY_1", PROP_BEGIN_SERIAL, + "BigInteger", "positive number")); } mEndSerial = config.getBigInteger(PROP_END_SERIAL, null); if (mEndSerial != null && mEndSerial.compareTo(BigInteger.ZERO) < 0) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", - PROP_END_SERIAL, "BigInteger", "positive number")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_PROPERTY_1", PROP_END_SERIAL, + "BigInteger", "positive number")); } } /** - * Reads CRL issuing point, if missing, it creates one. - * Initializes CRL cache and republishes CRL if requested - * Called from auto update thread (run()). - * Do not call it from init(), because it will block CMS on start. + * Reads CRL issuing point, if missing, it creates one. Initializes CRL + * cache and republishes CRL if requested Called from auto update thread + * (run()). Do not call it from init(), because it will block CMS on start. */ private void initCRL() { ICRLIssuingPointRecord crlRecord = null; 
@@ -757,12 +786,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { try { crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); } catch (EDBNotAvailException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_INST_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_INST_CRL", + e.toString())); mInitialized = CRL_IP_INITIALIZATION_FAILED; return; } catch (EBaseException e) { // CRL was never set. - // fall to the following.. + // fall to the following.. } if (crlRecord != null) { @@ -802,16 +833,19 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mNextUpdate = crlRecord.getNextUpdate(); if (isDeltaCRLEnabled()) { - mNextDeltaUpdate = (mNextUpdate != null)? new Date(mNextUpdate.getTime()): null; + mNextDeltaUpdate = (mNextUpdate != null) ? new Date( + mNextUpdate.getTime()) : null; } mFirstUnsaved = crlRecord.getFirstUnsaved(); if (Debug.on()) { - Debug.trace("initCRL CRLNumber="+mCRLNumber.toString()+" CRLSize="+mCRLSize+ - " FirstUnsaved="+mFirstUnsaved); + Debug.trace("initCRL CRLNumber=" + mCRLNumber.toString() + + " CRLSize=" + mCRLSize + " FirstUnsaved=" + + mFirstUnsaved); } - if (mFirstUnsaved == null || - (mFirstUnsaved != null && mFirstUnsaved.equals(ICRLIssuingPointRecord.NEW_CACHE))) { + if (mFirstUnsaved == null + || (mFirstUnsaved != null && mFirstUnsaved + .equals(ICRLIssuingPointRecord.NEW_CACHE))) { clearCRLCache(); updateCRLCacheRepository(); } else { 
@@ -825,10 +859,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { x509crl = new X509CRLImpl(crl); } catch (Exception e) { clearCRLCache(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_DECODE_CRL", + e.toString())); } catch (OutOfMemoryError e) { clearCRLCache(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_DECODE_CRL", + e.toString())); mInitialized = CRL_IP_INITIALIZATION_FAILED; return; } @@ -836,7 +874,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (x509crl != null) { mLastFullUpdate = x509crl.getThisUpdate(); if (mEnableCRLCache) { - if (mCRLCacheIsCleared && mUpdatingCRL == CRL_UPDATE_DONE) { + if (mCRLCacheIsCleared + && mUpdatingCRL == CRL_UPDATE_DONE) { mRevokedCerts = crlRecord.getRevokedCerts(); if (mRevokedCerts == null) { mRevokedCerts = new Hashtable<BigInteger, RevokedCertificate>(); @@ -852,9 +891,12 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (isDeltaCRLEnabled()) { mNextUpdate = x509crl.getNextUpdate(); } - mCRLCerts = x509crl.getListOfRevokedCertificates(); + mCRLCerts = x509crl + .getListOfRevokedCertificates(); } - if (mFirstUnsaved != null && !mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { + if (mFirstUnsaved != null + && !mFirstUnsaved + .equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { recoverCRLCache(); } else { mCRLCacheIsCleared = false; 
@@ -867,10 +909,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { x509crl = null; } catch (EBaseException e) { x509crl = null; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_CRL", + mCRLNumber.toString(), e.toString())); } catch (OutOfMemoryError e) { x509crl = null; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_CRL", + mCRLNumber.toString(), e.toString())); } } } 
@@ -879,30 +925,33 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (crlRecord == null) { - // no crl was ever created, or crl in db is corrupted. + // no crl was ever created, or crl in db is corrupted. // create new one. try { - crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1), - null, null, BigInteger.ZERO, Long.valueOf(-1), - mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, + Long.valueOf(-1), null, null, BigInteger.ZERO, + Long.valueOf(-1), mRevokedCerts, mUnrevokedCerts, + mExpiredCerts); mCRLRepository.addCRLIssuingPointRecord(crlRecord); - mCRLNumber = BigInteger.ZERO; //BIG_ZERO; - mNextCRLNumber = BigInteger.ONE; //BIG_ONE; + mCRLNumber = BigInteger.ZERO; // BIG_ZERO; + mNextCRLNumber = BigInteger.ONE; // BIG_ONE; mLastCRLNumber = mCRLNumber; mDeltaCRLNumber = mCRLNumber; mNextDeltaCRLNumber = mNextCRLNumber; mLastUpdate = new Date(0L); if (crlRecord != null) { - // This will trigger updateCRLNow, which will also publish CRL. - if ((mDoManualUpdate == false) && - (mEnableCRLCache || mAlwaysUpdate || - (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { + // This will trigger updateCRLNow, which will also publish + // CRL. + if ((mDoManualUpdate == false) + && (mEnableCRLCache || mAlwaysUpdate || (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { mInitialized = CRL_IP_INITIALIZED; setManualUpdate(null); } } } catch (EBaseException ex) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CREATE_CRL", ex.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_CREATE_CRL", + ex.toString())); mInitialized = CRL_IP_INITIALIZATION_FAILED; return; } 
@@ -921,13 +970,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { NameValuePair p = params.elementAt(i); String name = p.getName(); String value = p.getValue(); - + // -- Update Schema -- if (name.equals(Constants.PR_ENABLE_CRL)) { if (value.equals(Constants.FALSE) && mEnableCRLUpdates) { mEnableCRLUpdates = false; modifiedSchedule = true; - } else if (value.equals(Constants.TRUE) && (!mEnableCRLUpdates)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableCRLUpdates)) { mEnableCRLUpdates = true; modifiedSchedule = true; } @@ -951,7 +1001,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (name.equals(Constants.PR_EXTENDED_NEXT_UPDATE)) { if (value.equals(Constants.FALSE) && mExtendedNextUpdate) { mExtendedNextUpdate = false; - } else if (value.equals(Constants.TRUE) && (!mExtendedNextUpdate)) { + } else if (value.equals(Constants.TRUE) + && (!mExtendedNextUpdate)) { mExtendedNextUpdate = true; } } @@ -969,7 +1020,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (value.equals(Constants.FALSE) && mEnableDailyUpdates) { mEnableDailyUpdates = false; modifiedSchedule = true; - } else if (value.equals(Constants.TRUE) && (!mEnableDailyUpdates)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableDailyUpdates)) { mEnableDailyUpdates = true; modifiedSchedule = true; } @@ -989,9 +1041,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mTimeListSize = getTimeListSize(mDailyUpdates); modifiedSchedule = true; } - if (mDailyUpdates == null || mDailyUpdates.isEmpty() || mTimeListSize == 0) { + if (mDailyUpdates == null || mDailyUpdates.isEmpty() + || mTimeListSize == 0) { mEnableDailyUpdates = false; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); } } 
@@ -999,7 +1053,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (value.equals(Constants.FALSE) && mEnableUpdateFreq) { mEnableUpdateFreq = false; modifiedSchedule = true; - } else if (value.equals(Constants.TRUE) && (!mEnableUpdateFreq)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableUpdateFreq)) { mEnableUpdateFreq = true; modifiedSchedule = true; } @@ -1027,7 +1082,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (name.equals(Constants.PR_GRACE_PERIOD)) { try { if (value != null && value.length() > 0) { - mNextUpdateGracePeriod = MINUTE * Long.parseLong(value.trim()); + mNextUpdateGracePeriod = MINUTE + * Long.parseLong(value.trim()); } } catch (NumberFormatException e) { noRestart = false; @@ -1041,7 +1097,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { updateCRLCacheRepository(); mEnableCRLCache = false; modifiedSchedule = true; - } else if (value.equals(Constants.TRUE) && (!mEnableCRLCache)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableCRLCache)) { clearCRLCache(); updateCRLCacheRepository(); mEnableCRLCache = true; @@ -1066,7 +1123,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (name.equals(Constants.PR_CACHE_RECOVERY)) { if (value.equals(Constants.FALSE) && mEnableCacheRecovery) { mEnableCacheRecovery = false; - } else if (value.equals(Constants.TRUE) && (!mEnableCacheRecovery)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableCacheRecovery)) { mEnableCacheRecovery = true; } } 
@@ -1077,14 +1135,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { updateCRLCacheRepository(); mEnableCacheTesting = false; setManualUpdate(null); - } else if (value.equals(Constants.TRUE) && (!mEnableCacheTesting)) { + } else if (value.equals(Constants.TRUE) + && (!mEnableCacheTesting)) { mEnableCacheTesting = true; } } // -- CRL Format -- if (name.equals(Constants.PR_SIGNING_ALGORITHM)) { - if (value != null) value = value.trim(); + if (value != null) + value = value.trim(); if (!mSigningAlgorithm.equals(value)) { mSigningAlgorithm = value; } @@ -1095,7 +1155,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { clearCRLCache(); updateCRLCacheRepository(); mAllowExtensions = false; - } else if (value.equals(Constants.TRUE) && (!mAllowExtensions)) { + } else if (value.equals(Constants.TRUE) + && (!mAllowExtensions)) { clearCRLCache(); updateCRLCacheRepository(); mAllowExtensions = true; @@ -1107,7 +1168,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { clearCRLCache(); updateCRLCacheRepository(); mIncludeExpiredCerts = false; - } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCerts)) { + } else if (value.equals(Constants.TRUE) + && (!mIncludeExpiredCerts)) { clearCRLCache(); updateCRLCacheRepository(); mIncludeExpiredCerts = true; @@ -1115,9 +1177,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (name.equals(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME)) { - if (value.equals(Constants.FALSE) && mIncludeExpiredCertsOneExtraTime) { + if (value.equals(Constants.FALSE) + && mIncludeExpiredCertsOneExtraTime) { mIncludeExpiredCertsOneExtraTime = false; - } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCertsOneExtraTime)) { + } else if (value.equals(Constants.TRUE) + && (!mIncludeExpiredCertsOneExtraTime)) { mIncludeExpiredCertsOneExtraTime = true; } } 
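Review bot: The `PR_SIGNING_ALGORITHM` branch assigns `mSigningAlgorithm = value` without the `checkSigningAlgorithmFromName` validation that initConfig performs for the same property, so a live config update can install an unsupported algorithm name for CRL signing and the failure only surfaces at the next signing attempt. A null `value` also passes the `!mSigningAlgorithm.equals(value)` test and nulls the field, which the preceding `if (value != null)` guard suggests is a case the authors expect. I would make the branch `if (value != null && !mSigningAlgorithm.equals(value)) { mCA.getCRLSigningUnit().checkSigningAlgorithmFromName(value); mSigningAlgorithm = value; }`. If updateConfig cannot propagate EBaseException (its signature is outside this hunk), catch it, log it, and set `noRestart = false` as the grace-period handler does for a malformed number.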
@@ -1125,9 +1189,10 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (name.equals(Constants.PR_CA_CERTS_ONLY)) { Extension distExt = getCRLExtension(IssuingDistributionPointExtension.NAME); IssuingDistributionPointExtension iExt = (IssuingDistributionPointExtension) distExt; - IssuingDistributionPoint issuingDistributionPoint = null; - if(iExt != null) - issuingDistributionPoint = iExt.getIssuingDistributionPoint(); + IssuingDistributionPoint issuingDistributionPoint = null; + if (iExt != null) + issuingDistributionPoint = iExt + .getIssuingDistributionPoint(); if (value.equals(Constants.FALSE) && mCACertsOnly) { clearCRLCache(); updateCRLCacheRepository(); 
@@ -1137,27 +1202,31 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { updateCRLCacheRepository(); mCACertsOnly = true; } - //attempt to sync the IssuingDistributionPoint Extension value of - //onlyContainsCACerts - if(issuingDistributionPoint != null && params.size() > 1) { - boolean onlyContainsCACerts = issuingDistributionPoint.getOnlyContainsCACerts(); - if(onlyContainsCACerts != mCACertsOnly) { + // attempt to sync the IssuingDistributionPoint Extension + // value of + // onlyContainsCACerts + if (issuingDistributionPoint != null && params.size() > 1) { + boolean onlyContainsCACerts = issuingDistributionPoint + .getOnlyContainsCACerts(); + if (onlyContainsCACerts != mCACertsOnly) { IConfigStore config = mCA.getConfigStore(); - IConfigStore crlsSubStore = - config.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); - IConfigStore crlSubStore = crlsSubStore.getSubStore(mId); - IConfigStore crlExtsSubStore = - crlSubStore.getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE); - crlExtsSubStore = crlExtsSubStore.getSubStore(IssuingDistributionPointExtension.NAME); - - if(crlExtsSubStore != null) { + IConfigStore crlsSubStore = config + .getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore + .getSubStore(mId); + IConfigStore crlExtsSubStore = crlSubStore + .getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE); + crlExtsSubStore = crlExtsSubStore + .getSubStore(IssuingDistributionPointExtension.NAME); + + if (crlExtsSubStore != null) { String val = ""; - if(mCACertsOnly == true) { + if (mCACertsOnly == true) { val = Constants.TRUE; } else { val = Constants.FALSE; } - crlExtsSubStore.putString(PROP_CACERTS,val); + crlExtsSubStore.putString(PROP_CACERTS, val); try { crlExtsSubStore.commit(true); } catch (Exception e) { 
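Review bot: In the IssuingDistributionPoint sync block, `crlExtsSubStore.getSubStore(IssuingDistributionPointExtension.NAME)` runs before the `if (crlExtsSubStore != null)` test, so the null check only covers the last lookup; if `getSubStore` can return null for a missing sub-store (the code itself treats a null result as possible), the call on the intermediate `crlExt` store throws before the check is reached, and the same applies to the `getSubStore(mId)` step. Guard each lookup, e.g. `IConfigStore crlExtsSubStore = crlSubStore.getSubStore(ICertificateAuthority.PROP_CRLEXT_SUBSTORE); if (crlExtsSubStore != null) crlExtsSubStore = crlExtsSubStore.getSubStore(IssuingDistributionPointExtension.NAME);`. The `catch (Exception e)` around `commit(true)` at the end of the hunk continues outside it, so I cannot tell whether a failed commit is logged; a silently lost `onlyContainsCACerts` write would leave the persisted extension disagreeing with `mCACertsOnly`, which deserves an explicit LL_FAILURE log entry.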
@@ -1172,7 +1241,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { clearCRLCache(); updateCRLCacheRepository(); mProfileCertsOnly = false; - } else if (value.equals(Constants.TRUE) && (!mProfileCertsOnly)) { + } else if (value.equals(Constants.TRUE) + && (!mProfileCertsOnly)) { clearCRLCache(); updateCRLCacheRepository(); mProfileCertsOnly = true; @@ -1181,12 +1251,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (name.equals(Constants.PR_PROFILE_LIST)) { Vector<String> profileList = getProfileList(value); - if (((profileList != null) ^ (mProfileList != null)) || - (profileList != null && mProfileList != null && - (!mProfileList.equals(profileList)))) { + if (((profileList != null) ^ (mProfileList != null)) + || (profileList != null && mProfileList != null && (!mProfileList + .equals(profileList)))) { if (profileList != null) { @SuppressWarnings("unchecked") - Vector<String> newProfileList = (Vector<String>) profileList.clone(); + Vector<String> newProfileList = (Vector<String>) profileList + .clone(); mProfileList = newProfileList; } else { mProfileList = null; @@ -1196,12 +1267,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (mProfileList == null || mProfileList.isEmpty()) { mProfileCertsOnly = false; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_PROFILE_LIST")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_INVALID_PROFILE_LIST")); } } } - if (modifiedSchedule) setAutoUpdates(); + if (modifiedSchedule) + setAutoUpdates(); return noRestart; } 
@@ -1220,20 +1293,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { setAutoUpdates(); /* - if (mUpdateThread != null) { - try { - mUpdateThread.interrupt(); - } - catch (Exception e) { - } - } - */ + * if (mUpdateThread != null) { try { mUpdateThread.interrupt(); } catch + * (Exception e) { } } + */ } /** * Returns internal id of this CRL issuing point. * <P> - * + * * @return internal id of this CRL issuing point */ public String getId() { @@ -1243,7 +1311,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns internal description of this CRL issuing point. * <P> - * + * * @return internal description of this CRL issuing point */ public String getDescription() { @@ -1252,7 +1320,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Sets internal description of this CRL issuing point. - * + * * @param description description for this CRL issuing point. */ public void setDescription(String description) { @@ -1260,10 +1328,10 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } /** - * Returns DN of the directory entry where CRLs.from this issuing point - * are published. + * Returns DN of the directory entry where CRLs.from this issuing point are + * published. * <P> - * + * * @return DN of the directory entry where CRLs are published. */ public String getPublishDN() { @@ -1273,7 +1341,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns signing algorithm. * <P> - * + * * @return SigningAlgorithm. */ public String getSigningAlgorithm() { @@ -1287,7 +1355,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns current CRL generation schema for this CRL issuing point. * <P> - * + * * @return current CRL generation schema for this CRL issuing point */ public int getCRLSchema() { 
@@ -1297,7 +1365,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns current CRL number of this CRL issuing point. * <P> - * + * * @return current CRL number of this CRL issuing point */ public BigInteger getCRLNumber() { @@ -1307,17 +1375,18 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns current delta CRL number of this CRL issuing point. * <P> - * + * * @return current delta CRL number of this CRL issuing point */ public BigInteger getDeltaCRLNumber() { - return (isDeltaCRLEnabled() && mDeltaCRLSize > -1)? mDeltaCRLNumber: BigInteger.ZERO; + return (isDeltaCRLEnabled() && mDeltaCRLSize > -1) ? mDeltaCRLNumber + : BigInteger.ZERO; } /** * Returns next CRL number of this CRL issuing point. * <P> - * + * * @return next CRL number of this CRL issuing point */ public BigInteger getNextCRLNumber() { @@ -1327,17 +1396,18 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns number of entries in the CRL * <P> - * + * * @return number of entries in the CRL */ public long getCRLSize() { - return (mCRLCerts.size() > 0 && mCRLSize == 0)? mCRLCerts.size(): mCRLSize; + return (mCRLCerts.size() > 0 && mCRLSize == 0) ? mCRLCerts.size() + : mCRLSize; } /** * Returns number of entries in delta CRL * <P> - * + * * @return number of entries in delta CRL */ public long getDeltaCRLSize() { @@ -1347,7 +1417,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns last update time * <P> - * + * * @return last CRL update time */ public Date getLastUpdate() { @@ -1357,7 +1427,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns next update time * <P> - * + * * @return next CRL update time */ public Date getNextUpdate() { 
@@ -1367,7 +1437,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns next update time * <P> - * + * * @return next CRL update time */ public Date getNextDeltaUpdate() { @@ -1377,14 +1447,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns all the revoked certificates from the CRL cache. * <P> - * + * * @return set of all the revoked certificates or null if there are none. */ public Set<RevokedCertificate> getRevokedCertificates(int start, int end) { if (mCRLCacheIsCleared || mCRLCerts == null || mCRLCerts.isEmpty()) { return null; } else { - Set<RevokedCertificate> certSet = new TreeSet<RevokedCertificate>(mCRLCerts.values()); + Set<RevokedCertificate> certSet = new TreeSet<RevokedCertificate>( + mCRLCerts.values()); return certSet; } } @@ -1392,7 +1463,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Returns certificate authority. * <P> - * + * * @return certificate authority */ public ISubsystem getCertificateAuthority() { 
@@ -1404,29 +1475,27 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { */ private synchronized void setAutoUpdates() { - if ((mEnable && mUpdateThread == null) && - ((mEnableCRLCache && mCacheUpdateInterval > 0) || - (mEnableCRLUpdates && - ((mEnableDailyUpdates && mDailyUpdates != null && - mTimeListSize > 0) || - (mEnableUpdateFreq && mAutoUpdateInterval > 0) || - (mInitialized == CRL_IP_NOT_INITIALIZED) || - mDoLastAutoUpdate || mDoManualUpdate)))) { + if ((mEnable && mUpdateThread == null) + && ((mEnableCRLCache && mCacheUpdateInterval > 0) || (mEnableCRLUpdates && ((mEnableDailyUpdates + && mDailyUpdates != null && mTimeListSize > 0) + || (mEnableUpdateFreq && mAutoUpdateInterval > 0) + || (mInitialized == CRL_IP_NOT_INITIALIZED) + || mDoLastAutoUpdate || mDoManualUpdate)))) { mUpdateThread = new Thread(this, "CRLIssuingPoint-" + mId); - log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_ISSUING_START_CRL", mId)); + log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_ISSUING_START_CRL", mId)); mUpdateThread.setDaemon(true); mUpdateThread.start(); } - if ((mInitialized == CRL_IP_INITIALIZED) && (((mNextUpdate != null) ^ - ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) || - (mEnableUpdateFreq && mAutoUpdateInterval > 0))) || - (!mEnableCRLUpdates && mNextUpdate != null))) { - mDoLastAutoUpdate = true; + if ((mInitialized == CRL_IP_INITIALIZED) + && (((mNextUpdate != null) ^ ((mEnableDailyUpdates + && mDailyUpdates != null && mTimeListSize > 0) || (mEnableUpdateFreq && mAutoUpdateInterval > 0))) || (!mEnableCRLUpdates && mNextUpdate != null))) { + mDoLastAutoUpdate = true; } - if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && - mAutoUpdateInterval < mMinUpdateInterval) { + if (mEnableUpdateFreq && mAutoUpdateInterval > 0 + && mAutoUpdateInterval < mMinUpdateInterval) { mAutoUpdateInterval = mMinUpdateInterval; } 
@@ -1434,14 +1503,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } /** - * Sets CRL manual-update - * Starts or stops worker thread as necessary. + * Sets CRL manual-update Starts or stops worker thread as necessary. */ public synchronized void setManualUpdate(String signatureAlgorithm) { if (!mDoManualUpdate) { mDoManualUpdate = true; mSignatureAlgorithmForManualUpdate = signatureAlgorithm; - if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && mUpdateThread != null) { + if (mEnableUpdateFreq && mAutoUpdateInterval > 0 + && mUpdateThread != null) { notifyAll(); } else { setAutoUpdates(); @@ -1453,13 +1522,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { * @return auto update interval in milliseconds. */ public long getAutoUpdateInterval() { - return (mEnableUpdateFreq)? mAutoUpdateInterval: 0; + return (mEnableUpdateFreq) ? mAutoUpdateInterval : 0; } /** - * @return always update the CRL + * @return always update the CRL */ - public boolean getAlwaysUpdate() { + public boolean getAlwaysUpdate() { return mAlwaysUpdate; } @@ -1473,11 +1542,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * Finds next update time expressed as delay or time of the next update. - * - * @param fromLastUpdate if true, function returns delay to the next update time - * otherwise returns the next update time. - * @param delta if true, function returns the next update time for delta CRL, - * otherwise returns the next update time for CRL. + * + * @param fromLastUpdate if true, function returns delay to the next update + * time otherwise returns the next update time. + * @param delta if true, function returns the next update time for delta + * CRL, otherwise returns the next update time for CRL. * @return delay to the next update time or the next update time itself */ private long findNextUpdate(boolean fromLastUpdate, boolean delta) { 
@@ -1485,52 +1554,61 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { TimeZone tz = TimeZone.getDefault(); int offset = tz.getOffset(now); long oneDay = 1440L * MINUTE; - long nowToday = (now + (long)offset) % oneDay; + long nowToday = (now + (long) offset) % oneDay; long startOfToday = now - nowToday; - long lastUpdated = (mLastUpdate != null)? mLastUpdate.getTime(): now; - long lastUpdateDay = lastUpdated - ((lastUpdated + (long)offset) % oneDay); + long lastUpdated = (mLastUpdate != null) ? mLastUpdate.getTime() : now; + long lastUpdateDay = lastUpdated + - ((lastUpdated + (long) offset) % oneDay); - long lastUpdate = (mLastUpdate != null && fromLastUpdate)? mLastUpdate.getTime(): now; - long last = (lastUpdate + (long)offset) % oneDay; + long lastUpdate = (mLastUpdate != null && fromLastUpdate) ? mLastUpdate + .getTime() : now; + long last = (lastUpdate + (long) offset) % oneDay; long lastDay = lastUpdate - last; boolean isDeltaEnabled = isDeltaCRLEnabled(); long next = 0L; long nextUpdate = 0L; - CMS.debug("findNextUpdate: fromLastUpdate: "+fromLastUpdate+" delta: "+delta); + CMS.debug("findNextUpdate: fromLastUpdate: " + fromLastUpdate + + " delta: " + delta); - int numberOfDays = (int)((startOfToday - lastUpdateDay) / oneDay); - if (numberOfDays > 0 && mDailyUpdates.size() > 1 && - ((mCurrentDay == mLastDay) || - (mCurrentDay != ((mLastDay + numberOfDays) % mDailyUpdates.size())))) { + int numberOfDays = (int) ((startOfToday - lastUpdateDay) / oneDay); + if (numberOfDays > 0 + && mDailyUpdates.size() > 1 + && ((mCurrentDay == mLastDay) || (mCurrentDay != ((mLastDay + numberOfDays) % mDailyUpdates + .size())))) { mCurrentDay = (mLastDay + numberOfDays) % mDailyUpdates.size(); } - if ((delta || fromLastUpdate) && isDeltaEnabled && - (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) && - mNextDeltaUpdate != null) { + if ((delta || fromLastUpdate) + && isDeltaEnabled + && (mUpdateSchema > 1 || (mEnableDailyUpdates && 
mExtendedTimeList)) + && mNextDeltaUpdate != null) { nextUpdate = mNextDeltaUpdate.getTime(); } else if (mNextUpdate != null) { nextUpdate = mNextUpdate.getTime(); } - if (mEnableDailyUpdates && - mDailyUpdates != null && mDailyUpdates.size() > 0) { + if (mEnableDailyUpdates && mDailyUpdates != null + && mDailyUpdates.size() > 0) { int n = 0; - if (mDailyUpdates.size() == 1 && mDailyUpdates.elementAt(0).size() == 1 && - mEnableUpdateFreq && mAutoUpdateInterval > 0) { + if (mDailyUpdates.size() == 1 + && mDailyUpdates.elementAt(0).size() == 1 + && mEnableUpdateFreq && mAutoUpdateInterval > 0) { // Interval updates with starting time - long firstTime = MINUTE * ((Integer)mDailyUpdates.elementAt(0).elementAt(0)).longValue(); + long firstTime = MINUTE + * ((Integer) mDailyUpdates.elementAt(0).elementAt(0)) + .longValue(); long t = firstTime; long interval = mAutoUpdateInterval; - if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && - isDeltaEnabled && mUpdateSchema > 1) { + if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) + && isDeltaEnabled && mUpdateSchema > 1) { interval *= mUpdateSchema; } - while (t < oneDay) { - if (t - mMinUpdateInterval > last) break; + while (t < oneDay) { + if (t - mMinUpdateInterval > last) + break; t += interval; n++; } @@ -1542,7 +1620,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (t == firstTime) { mSchemaCounter = 0; } else if (n != mSchemaCounter) { - if (mSchemaCounter != 0 && (mSchemaCounter < n || n == 0)) { + if (mSchemaCounter != 0 + && (mSchemaCounter < n || n == 0)) { mSchemaCounter = n; } } 
@@ -1564,9 +1643,12 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } // search the current day for (i = 0; i < mDailyUpdates.elementAt(mCurrentDay).size(); i++) { - long t = MINUTE * ((Integer)mDailyUpdates.elementAt(mCurrentDay).elementAt(i)).longValue(); + long t = MINUTE + * ((Integer) mDailyUpdates.elementAt(mCurrentDay) + .elementAt(i)).longValue(); if (mEnableDailyUpdates && mExtendedTimeList) { - if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled) { + if (mExtendedNextUpdate && (!fromLastUpdate) + && (!delta) && isDeltaEnabled) { if (t < 0) { t *= -1; } else { @@ -1579,8 +1661,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } } if (t - mMinUpdateInterval > last) { - if (mExtendedNextUpdate && (!fromLastUpdate) && (!(mEnableDailyUpdates && mExtendedTimeList)) && (!delta) && - isDeltaEnabled && mUpdateSchema > 1) { + if (mExtendedNextUpdate + && (!fromLastUpdate) + && (!(mEnableDailyUpdates && mExtendedTimeList)) + && (!delta) && isDeltaEnabled + && mUpdateSchema > 1) { i += mUpdateSchema - ((i + m) % mUpdateSchema); } break; 
@@ -1590,21 +1675,26 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (i < mDailyUpdates.elementAt(mCurrentDay).size()) { // found inside the current day - next = (MINUTE * ((Integer)mDailyUpdates.elementAt(mCurrentDay).elementAt(i)).longValue()); + next = (MINUTE * ((Integer) mDailyUpdates.elementAt( + mCurrentDay).elementAt(i)).longValue()); if (mEnableDailyUpdates && mExtendedTimeList && next < 0) { next *= -1; if (fromLastUpdate) { mSchemaCounter = 0; } } - next += ((lastDay < lastUpdateDay)? lastDay: lastUpdateDay) + (oneDay * (mCurrentDay - mLastDay)); + next += ((lastDay < lastUpdateDay) ? lastDay + : lastUpdateDay) + + (oneDay * (mCurrentDay - mLastDay)); - if (fromLastUpdate && (!(mEnableDailyUpdates && mExtendedTimeList))) { + if (fromLastUpdate + && (!(mEnableDailyUpdates && mExtendedTimeList))) { n = n % mUpdateSchema; if (i == 0 && mCurrentDay == 0) { mSchemaCounter = 0; } else if (n != mSchemaCounter) { - if (mSchemaCounter != 0 && ((n == 0 && mCurrentDay == 0) || mSchemaCounter < n)) { + if (mSchemaCounter != 0 + && ((n == 0 && mCurrentDay == 0) || mSchemaCounter < n)) { mSchemaCounter = n; } } 
@@ -1616,12 +1706,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { long t = 0; if (mDailyUpdates.size() > 1) { while (nDays <= mDailyUpdates.size()) { - int nextDay = (mCurrentDay + nDays) % mDailyUpdates.size(); + int nextDay = (mCurrentDay + nDays) + % mDailyUpdates.size(); if (j < mDailyUpdates.elementAt(nextDay).size()) { - if (nextDay == 0 && (!(mEnableDailyUpdates && mExtendedTimeList))) j = 0; - t = MINUTE * ((Integer)mDailyUpdates.elementAt(nextDay).elementAt(j)).longValue(); + if (nextDay == 0 + && (!(mEnableDailyUpdates && mExtendedTimeList))) + j = 0; + t = MINUTE + * ((Integer) mDailyUpdates.elementAt( + nextDay).elementAt(j)) + .longValue(); if (mEnableDailyUpdates && mExtendedTimeList) { - if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled) { + if (mExtendedNextUpdate + && (!fromLastUpdate) && (!delta) + && isDeltaEnabled) { if (t < 0) { t *= -1; } else { @@ -1644,7 +1742,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { nDays++; } } - next = ((lastDay < lastUpdateDay)? lastDay: lastUpdateDay) + (oneDay * nDays) + t; + next = ((lastDay < lastUpdateDay) ? lastDay : lastUpdateDay) + + (oneDay * nDays) + t; if (fromLastUpdate && mDailyUpdates.size() < 2) { mSchemaCounter = 0; 
@@ -1653,49 +1752,49 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } } else if (mEnableUpdateFreq && mAutoUpdateInterval > 0) { // Interval updates without starting time - if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) && isDeltaEnabled && mUpdateSchema > 1) { + if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) + && isDeltaEnabled && mUpdateSchema > 1) { next = lastUpdate + (mUpdateSchema * mAutoUpdateInterval); } else { next = lastUpdate + mAutoUpdateInterval; } } - if (fromLastUpdate && nextUpdate > 0 && (nextUpdate < next || nextUpdate >= now)) { + if (fromLastUpdate && nextUpdate > 0 + && (nextUpdate < next || nextUpdate >= now)) { next = nextUpdate; } - CMS.debug("findNextUpdate: "+((new Date(next)).toString())+((fromLastUpdate)? " delay: "+(next-now): "")); + CMS.debug("findNextUpdate: " + ((new Date(next)).toString()) + + ((fromLastUpdate) ? " delay: " + (next - now) : "")); - return (fromLastUpdate)? next-now: next; + return (fromLastUpdate) ? next - now : next; } - /** - * Implements Runnable interface. Defines auto-update - * logic used by worker thread. + * Implements Runnable interface. Defines auto-update logic used by worker + * thread. 
* <P> */ public void run() { - while (mEnable && ((mEnableCRLCache && mCacheUpdateInterval > 0) || - (mInitialized == CRL_IP_NOT_INITIALIZED) || - mDoLastAutoUpdate || (mEnableCRLUpdates && - ((mEnableDailyUpdates && mDailyUpdates != null && - mTimeListSize > 0) || - (mEnableUpdateFreq && mAutoUpdateInterval > 0) || - mDoManualUpdate)))) { + while (mEnable + && ((mEnableCRLCache && mCacheUpdateInterval > 0) + || (mInitialized == CRL_IP_NOT_INITIALIZED) + || mDoLastAutoUpdate || (mEnableCRLUpdates && ((mEnableDailyUpdates + && mDailyUpdates != null && mTimeListSize > 0) + || (mEnableUpdateFreq && mAutoUpdateInterval > 0) || mDoManualUpdate)))) { synchronized (this) { long delay = 0; long delay2 = 0; boolean doCacheUpdate = false; - boolean scheduledUpdates = mEnableCRLUpdates && - ((mEnableDailyUpdates && mDailyUpdates != null && - mTimeListSize > 0) || - (mEnableUpdateFreq && mAutoUpdateInterval > 0)); + boolean scheduledUpdates = mEnableCRLUpdates + && ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) || (mEnableUpdateFreq && mAutoUpdateInterval > 0)); if (mInitialized == CRL_IP_NOT_INITIALIZED) initCRL(); - if (mInitialized == CRL_IP_INITIALIZED && (!mEnable)) break; + if (mInitialized == CRL_IP_INITIALIZED && (!mEnable)) + break; if ((mEnableCRLUpdates && mDoManualUpdate) || mDoLastAutoUpdate) { delay = 0; @@ -1704,11 +1803,10 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (mEnableCRLCache && mCacheUpdateInterval > 0) { - delay2 = mLastCacheUpdate + mCacheUpdateInterval - - System.currentTimeMillis(); - if (delay2 < delay || - (!(scheduledUpdates || mDoLastAutoUpdate || - (mEnableCRLUpdates && mDoManualUpdate)))) { + delay2 = mLastCacheUpdate + mCacheUpdateInterval + - System.currentTimeMillis(); + if (delay2 < delay + || (!(scheduledUpdates || mDoLastAutoUpdate || (mEnableCRLUpdates && mDoManualUpdate)))) { delay = delay2; if (delay <= 0) { doCacheUpdate = true; 
@@ -1718,7 +1816,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (delay > 0) { - try { + try { wait(delay); } catch (InterruptedException e) { } @@ -1726,18 +1824,22 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { try { if (doCacheUpdate) { updateCRLCacheRepository(); - } else if (mAutoUpdateInterval > 0 || mDoLastAutoUpdate || mDoManualUpdate) { + } else if (mAutoUpdateInterval > 0 || mDoLastAutoUpdate + || mDoManualUpdate) { updateCRL(); } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CRL", - (doCacheUpdate)?"update CRL cache":"update CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_CRL", + (doCacheUpdate) ? "update CRL cache" + : "update CRL", e.toString())); if (Debug.on()) { - Debug.trace((doCacheUpdate)?"update CRL cache":"update CRL" + " error " + e); + Debug.trace((doCacheUpdate) ? "update CRL cache" + : "update CRL" + " error " + e); Debug.printStackTrace(e); } } - // put this here to prevent continuous loop if internal + // put this here to prevent continuous loop if internal // db is down. if (mDoLastAutoUpdate) mDoLastAutoUpdate = false; 
@@ -1751,28 +1853,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mUpdateThread = null; } - /** - * Updates CRL and publishes it. - * If time elapsed since last CRL update is less than - * minUpdateInterval silently returns. - * Otherwise determines nextUpdate by adding autoUpdateInterval or - * minUpdateInterval to the current time. If neither of the - * intervals are defined nextUpdate will be null. - * Then using specified configuration parameters it formulates new - * CRL, signs it, updates CRLIssuingPointRecord in the database - * and publishes CRL in the directory. + * Updates CRL and publishes it. If time elapsed since last CRL update is + * less than minUpdateInterval silently returns. Otherwise determines + * nextUpdate by adding autoUpdateInterval or minUpdateInterval to the + * current time. If neither of the intervals are defined nextUpdate will be + * null. Then using specified configuration parameters it formulates new + * CRL, signs it, updates CRLIssuingPointRecord in the database and + * publishes CRL in the directory. * <P> */ private void updateCRL() throws EBaseException { /* - if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && - (System.currentTimeMillis() - mLastUpdate.getTime() < - mMinUpdateInterval)) { - // log or alternatively throw an Exception - return; - } - */ + * if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && + * (System.currentTimeMillis() - mLastUpdate.getTime() < + * mMinUpdateInterval)) { // log or alternatively throw an Exception + * return; } + */ if (mDoManualUpdate && mSignatureAlgorithmForManualUpdate != null) { updateCRLNow(mSignatureAlgorithmForManualUpdate); } else { 
@@ -1791,21 +1888,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mIncludeExpiredCerts) filter += "(|"; - filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED + ")"; + filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + + CertRecord.STATUS_REVOKED + ")"; if (mIncludeExpiredCerts) - filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED_EXPIRED + "))"; + filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + + CertRecord.STATUS_REVOKED_EXPIRED + "))"; if (mCACertsOnly) { filter += "(x509cert.BasicConstraints.isCA=on)"; } - if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) { + if (mProfileCertsOnly && mProfileList != null + && mProfileList.size() > 0) { if (mProfileList.size() > 1) { filter += "(|"; } for (int k = 0; k < mProfileList.size(); k++) { String id = mProfileList.elementAt(k); - filter += "(" + CertRecord.ATTR_META_INFO + "=profileId:" + id + ")"; + filter += "(" + CertRecord.ATTR_META_INFO + "=profileId:" + id + + ")"; } if (mProfileList.size() > 1) { filter += ")"; @@ -1814,15 +1915,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { // check if any ranges specified. if (mBeginSerial != null) { - filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")"; + filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + + ")"; } if (mEndSerial != null) { - filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")"; + filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + + ")"; } // get all revoked non-expired certs. - if (mEndSerial != null || mBeginSerial != null || mCACertsOnly || - (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) { + if (mEndSerial != null + || mBeginSerial != null + || mCACertsOnly + || (mProfileCertsOnly && mProfileList != null && mProfileList + .size() > 0)) { filter = "(&" + filter + ")"; } 
@@ -1830,29 +1936,28 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } /** - * Gets a enumeration of revoked certs to put into CRL. - * This does not include expired certs. - * <i>Override this method to make a CRL other than the - * full/complete CRL.</i> - * @return Enumeration of CertRecords to put into CRL. + * Gets a enumeration of revoked certs to put into CRL. This does not + * include expired certs. <i>Override this method to make a CRL other than + * the full/complete CRL.</i> + * + * @return Enumeration of CertRecords to put into CRL. * @exception EBaseException if an error occured in the database. */ - public void processRevokedCerts(IElementProcessor p) - throws EBaseException { + public void processRevokedCerts(IElementProcessor p) throws EBaseException { CertRecProcessor cp = (CertRecProcessor) p; String filter = getFilter(); - // NOTE: dangerous cast. + // NOTE: dangerous cast. // correct way would be to modify interface and add // accessor but we don't want to touch the interface - CertificateRepository cr = (CertificateRepository)mCertRepository; + CertificateRepository cr = (CertificateRepository) mCertRepository; synchronized (cr.mCertStatusUpdateThread) { CMS.debug("Starting processRevokedCerts (entered lock)"); - ICertRecordList list = mCertRepository.findCertRecordsInList(filter, - new String[] {ICertRecord.ATTR_ID, ICertRecord.ATTR_REVO_INFO, "objectclass" }, - "serialno", - mPageSize); + ICertRecordList list = mCertRepository.findCertRecordsInList( + filter, new String[] { ICertRecord.ATTR_ID, + ICertRecord.ATTR_REVO_INFO, "objectclass" }, + "serialno", mPageSize); int totalSize = list.getSize(); 
@@ -1890,21 +1995,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mEnableCacheRecovery) { // 553815 - original filter was not aligned with any VLV index // String filter = "(&(requeststate=complete)"+ - // "(|(requestType=" + IRequest.REVOCATION_REQUEST + ")"+ - // "(requestType=" + IRequest.UNREVOCATION_REQUEST + ")))"; + // "(|(requestType=" + IRequest.REVOCATION_REQUEST + ")"+ + // "(requestType=" + IRequest.UNREVOCATION_REQUEST + ")))"; String filter = "(requeststate=complete)"; if (Debug.on()) { - Debug.trace("recoverCRLCache mFirstUnsaved="+mFirstUnsaved+" filter="+filter); + Debug.trace("recoverCRLCache mFirstUnsaved=" + mFirstUnsaved + + " filter=" + filter); } IRequestQueue mQueue = mCA.getRequestQueue(); IRequestVirtualList list = mQueue.getPagedRequestsByFilter( - new RequestId(mFirstUnsaved), filter, 500, "requestId"); + new RequestId(mFirstUnsaved), filter, 500, "requestId"); if (Debug.on()) { - Debug.trace("recoverCRLCache size="+list.getSize()+" index="+list.getCurrentIndex()); + Debug.trace("recoverCRLCache size=" + list.getSize() + + " index=" + list.getCurrentIndex()); } - CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions); + CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, + mLogger, mAllowExtensions); boolean includeCert = true; int s = list.getSize() - list.getCurrentIndex(); 
@@ -1919,29 +2027,44 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { continue; } if (Debug.on()) { - Debug.trace("recoverCRLCache request="+request.getRequestId().toString()+ - " type="+request.getRequestType()); - } - if (IRequest.REVOCATION_REQUEST.equals(request.getRequestType())) { - RevokedCertImpl revokedCert[] = - request.getExtDataInRevokedCertArray(IRequest.CERT_INFO); + Debug.trace("recoverCRLCache request=" + + request.getRequestId().toString() + " type=" + + request.getRequestType()); + } + if (IRequest.REVOCATION_REQUEST + .equals(request.getRequestType())) { + RevokedCertImpl revokedCert[] = request + .getExtDataInRevokedCertArray(IRequest.CERT_INFO); for (int j = 0; j < revokedCert.length; j++) { if (Debug.on()) { - Debug.trace("recoverCRLCache R j="+j+" length="+revokedCert.length+ - " SerialNumber=0x"+revokedCert[j].getSerialNumber().toString(16)); + Debug.trace("recoverCRLCache R j=" + + j + + " length=" + + revokedCert.length + + " SerialNumber=0x" + + revokedCert[j].getSerialNumber() + .toString(16)); } - if(cp != null) - includeCert = cp.checkRevokedCertExtensions(revokedCert[j].getExtensions()); - if(includeCert) { - updateRevokedCert(REVOKED_CERT, revokedCert[j].getSerialNumber(), revokedCert[j]); + if (cp != null) + includeCert = cp + .checkRevokedCertExtensions(revokedCert[j] + .getExtensions()); + if (includeCert) { + updateRevokedCert(REVOKED_CERT, + revokedCert[j].getSerialNumber(), + revokedCert[j]); } } - } else if (IRequest.UNREVOCATION_REQUEST.equals(request.getRequestType())) { - BigInteger serialNo[] = request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + } else if (IRequest.UNREVOCATION_REQUEST.equals(request + .getRequestType())) { + BigInteger serialNo[] = request + .getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); for (int j = 0; j < serialNo.length; j++) { if (Debug.on()) { - Debug.trace("recoverCRLCache U j="+j+" length="+serialNo.length+ - " SerialNumber=0x"+serialNo[j].toString(16)); + 
Debug.trace("recoverCRLCache U j=" + j + + " length=" + serialNo.length + + " SerialNumber=0x" + + serialNo[j].toString(16)); } updateRevokedCert(UNREVOKED_CERT, serialNo[j], null); } @@ -1949,11 +2072,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } try { - mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, + mUnrevokedCerts); mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; mCRLCacheIsCleared = false; } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); } } else { clearCRLCache(); 
@@ -1974,32 +2099,33 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } private Extension getCRLExtension(String extName) { - if(mAllowExtensions == false) { + if (mAllowExtensions == false) { return null; } - if(mCMSCRLExtensions.isCRLExtensionEnabled(extName) == false) { + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) == false) { return null; } CMSCRLExtensions exts = (CMSCRLExtensions) this.getCRLExtensions(); CRLExtensions ext = new CRLExtensions(); - + Vector<String> extNames = exts.getCRLExtensionNames(); - for (int i = 0; i < extNames.size(); i++) { - String curName = extNames.elementAt(i); - if (curName.equals(extName)) { - exts.addToCRLExtensions(ext, extName, null); - } - } - Extension theExt = null; - try { - theExt = ext.get(extName); - } catch (Exception e) { + for (int i = 0; i < extNames.size(); i++) { + String curName = extNames.elementAt(i); + if (curName.equals(extName)) { + exts.addToCRLExtensions(ext, extName, null); } + } + Extension theExt = null; + try { + theExt = ext.get(extName); + } catch (Exception e) { + } - CMS.debug("CRLIssuingPoint.getCRLExtension extension: " + theExt); - return theExt; + CMS.debug("CRLIssuingPoint.getCRLExtension extension: " + theExt); + return theExt; } + /** * get required crl entry extensions */ @@ -2008,7 +2134,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mAllowExtensions && exts != null && exts.size() > 0) { entryExt = new CRLExtensions(); - Vector<String> extNames = mCMSCRLExtensions.getCRLEntryExtensionNames(); + Vector<String> extNames = mCMSCRLExtensions + .getCRLEntryExtensionNames(); for (int i = 0; i < extNames.size(); i++) { String extName = extNames.elementAt(i); 
@@ -2018,20 +2145,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { for (k = 0; k < exts.size(); k++) { Extension ext = (Extension) exts.elementAt(k); - String name = mCMSCRLExtensions.getCRLExtensionName( - ext.getExtensionId().toString()); + String name = mCMSCRLExtensions.getCRLExtensionName(ext + .getExtensionId().toString()); if (extName.equals(name)) { - if (!(ext instanceof CRLReasonExtension) || - (((CRLReasonExtension) ext).getReason().toInt() > - RevocationReason.UNSPECIFIED.toInt())) { - mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, ext); + if (!(ext instanceof CRLReasonExtension) + || (((CRLReasonExtension) ext).getReason() + .toInt() > RevocationReason.UNSPECIFIED + .toInt())) { + mCMSCRLExtensions.addToCRLExtensions(entryExt, + extName, ext); } break; } } if (k == exts.size()) { - mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, null); + mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, + null); } } } 
@@ -2047,24 +2177,22 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * update CRL cache with new revoked-unrevoked certificate info */ - private void updateRevokedCert(int certType, - BigInteger serialNumber, - RevokedCertImpl revokedCert) { + private void updateRevokedCert(int certType, BigInteger serialNumber, + RevokedCertImpl revokedCert) { updateRevokedCert(certType, serialNumber, revokedCert, null); } - private void updateRevokedCert(int certType, - BigInteger serialNumber, - RevokedCertImpl revokedCert, - String requestId) { + private void updateRevokedCert(int certType, BigInteger serialNumber, + RevokedCertImpl revokedCert, String requestId) { synchronized (cacheMonitor) { - if (requestId != null && mFirstUnsaved != null && - mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { + if (requestId != null && mFirstUnsaved != null + && mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { mFirstUnsaved = requestId; try { mCRLRepository.updateFirstUnsaved(mId, mFirstUnsaved); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); } } if (certType == REVOKED_CERT) { 
@@ -2072,19 +2200,22 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mUnrevokedCerts.remove(serialNumber); if (mCRLCerts.containsKey(serialNumber)) { Date revocationDate = revokedCert.getRevocationDate(); - CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert.getExtensions()); - RevokedCertImpl newRevokedCert = - new RevokedCertImpl(serialNumber, revocationDate, entryExt); + CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert + .getExtensions()); + RevokedCertImpl newRevokedCert = new RevokedCertImpl( + serialNumber, revocationDate, entryExt); mCRLCerts.put(serialNumber, newRevokedCert); } } else { Date revocationDate = revokedCert.getRevocationDate(); - CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert.getExtensions()); - RevokedCertImpl newRevokedCert = - new RevokedCertImpl(serialNumber, revocationDate, entryExt); + CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert + .getExtensions()); + RevokedCertImpl newRevokedCert = new RevokedCertImpl( + serialNumber, revocationDate, entryExt); - mRevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + mRevokedCerts.put(serialNumber, + (RevokedCertificate) newRevokedCert); } } else if (certType == UNREVOKED_CERT) { if (mRevokedCerts.containsKey(serialNumber)) { 
@@ -2093,14 +2224,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { CRLExtensions entryExt = new CRLExtensions(); try { - entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(), - CRLReasonExtension.REMOVE_FROM_CRL); + entryExt.set( + CRLReasonExtension.REMOVE_FROM_CRL.getName(), + CRLReasonExtension.REMOVE_FROM_CRL); } catch (IOException e) { } - RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber, - CMS.getCurrentDate(), entryExt); + RevokedCertImpl newRevokedCert = new RevokedCertImpl( + serialNumber, CMS.getCurrentDate(), entryExt); - mUnrevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + mUnrevokedCerts.put(serialNumber, + (RevokedCertificate) newRevokedCert); } } } 
@@ -2109,27 +2242,34 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * registers revoked certificates */ - public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert) { + public void addRevokedCert(BigInteger serialNumber, + RevokedCertImpl revokedCert) { addRevokedCert(serialNumber, revokedCert, null); } - public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert, - String requestId) { + public void addRevokedCert(BigInteger serialNumber, + RevokedCertImpl revokedCert, String requestId) { - CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions); + CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, + mAllowExtensions); boolean includeCert = true; - if(cp != null) - includeCert = cp.checkRevokedCertExtensions(revokedCert.getExtensions()); + if (cp != null) + includeCert = cp.checkRevokedCertExtensions(revokedCert + .getExtensions()); if (mEnable && mEnableCRLCache && includeCert == true) { - updateRevokedCert(REVOKED_CERT, serialNumber, revokedCert, requestId); + updateRevokedCert(REVOKED_CERT, serialNumber, revokedCert, + requestId); if (mCacheUpdateInterval == 0) { try { - mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, + mUnrevokedCerts); mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_REVOKED_CERT", mId, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_REVOKED_CERT", mId, + e.toString())); } } } 
@@ -2148,10 +2288,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mCacheUpdateInterval == 0) { try { - mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts); + mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, + mUnrevokedCerts); mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_UNREVOKED_CERT", mId, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_UNREVOKED_CERT", mId, + e.toString())); } } } @@ -2168,20 +2311,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { try { entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(), - CRLReasonExtension.REMOVE_FROM_CRL); + CRLReasonExtension.REMOVE_FROM_CRL); } catch (IOException e) { } - RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber, - CMS.getCurrentDate(), entryExt); + RevokedCertImpl newRevokedCert = new RevokedCertImpl( + serialNumber, CMS.getCurrentDate(), entryExt); - mExpiredCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + mExpiredCerts.put(serialNumber, + (RevokedCertificate) newRevokedCert); } if (mCacheUpdateInterval == 0) { try { mCRLRepository.updateExpiredCerts(mId, mExpiredCerts); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_EXPIRED_CERT", mId, e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_EXPIRED_CERT", mId, + e.toString())); } } } 
@@ -2193,19 +2339,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { synchronized (repositoryMonitor) { try { mCRLRepository.updateCRLCache(mId, Long.valueOf(mCRLSize), - mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mRevokedCerts, mUnrevokedCerts, mExpiredCerts); mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString())); } } } public boolean isDeltaCRLEnabled() { - return (mAllowExtensions && mEnableCRLCache && - mCMSCRLExtensions.isCRLExtensionEnabled(DeltaCRLIndicatorExtension.NAME) && - mCMSCRLExtensions.isCRLExtensionEnabled(CRLNumberExtension.NAME) && - mCMSCRLExtensions.isCRLExtensionEnabled(CRLReasonExtension.NAME)); + return (mAllowExtensions + && mEnableCRLCache + && mCMSCRLExtensions + .isCRLExtensionEnabled(DeltaCRLIndicatorExtension.NAME) + && mCMSCRLExtensions + .isCRLExtensionEnabled(CRLNumberExtension.NAME) && mCMSCRLExtensions + .isCRLExtensionEnabled(CRLReasonExtension.NAME)); } public boolean isThisCurrentDeltaCRL(X509CRLImpl deltaCRL) { 
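Review bot: The reflow of isDeltaCRLEnabled breaks the return expression in the middle of method calls (`mCMSCRLExtensions\n.isCRLExtensionEnabled(...)`) and leaves one `&&` dangling at the end of a line, which makes the five-clause condition harder to read than the old layout. Breaking at clause boundaries keeps the short-circuit order and makes each requirement visible on its own line.
```java
public boolean isDeltaCRLEnabled() {
    return mAllowExtensions && mEnableCRLCache
            && mCMSCRLExtensions.isCRLExtensionEnabled(DeltaCRLIndicatorExtension.NAME)
            && mCMSCRLExtensions.isCRLExtensionEnabled(CRLNumberExtension.NAME)
            && mCMSCRLExtensions.isCRLExtensionEnabled(CRLReasonExtension.NAME);
}
```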
@@ -2219,16 +2369,19 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { for (int k = 0; k < crlExtensions.size(); k++) { Extension ext = (Extension) crlExtensions.elementAt(k); - if (DeltaCRLIndicatorExtension.OID.equals(ext.getExtensionId().toString())) { + if (DeltaCRLIndicatorExtension.OID.equals(ext + .getExtensionId().toString())) { DeltaCRLIndicatorExtension dExt = (DeltaCRLIndicatorExtension) ext; BigInteger crlNumber = null; try { - crlNumber = (BigInteger) dExt.get(DeltaCRLIndicatorExtension.NUMBER); + crlNumber = (BigInteger) dExt + .get(DeltaCRLIndicatorExtension.NUMBER); } catch (IOException e) { } - if (crlNumber != null && (crlNumber.equals(mLastCRLNumber) || - mLastCRLNumber.equals(BigInteger.ZERO))) { + if (crlNumber != null + && (crlNumber.equals(mLastCRLNumber) || mLastCRLNumber + .equals(BigInteger.ZERO))) { result = true; } } @@ -2244,7 +2397,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } public boolean isCRLCacheEmpty() { - return ((mCRLCerts != null)? mCRLCerts.isEmpty(): true); + return ((mCRLCerts != null) ? mCRLCerts.isEmpty() : true); } public boolean isCRLCacheTestingEnabled() { @@ -2252,8 +2405,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } public Date getRevocationDateFromCache(BigInteger serialNumber, - boolean checkDeltaCache, - boolean includeExpiredCerts) { + boolean checkDeltaCache, boolean includeExpiredCerts) { Date revocationDate = null; if (mCRLCerts.containsKey(serialNumber)) { @@ -2265,7 +2417,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { revocationDate = null; } if (mRevokedCerts.containsKey(serialNumber)) { - revocationDate = mRevokedCerts.get(serialNumber).getRevocationDate(); + revocationDate = mRevokedCerts.get(serialNumber) + .getRevocationDate(); } if (!includeExpiredCerts && mExpiredCerts.containsKey(serialNumber)) { revocationDate = null; 
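Review bot: In isThisCurrentDeltaCRL the `catch (IOException e) { }` after `dExt.get(DeltaCRLIndicatorExtension.NUMBER)` leaves crlNumber null and the method quietly answers false, so a delta CRL whose indicator cannot be decoded is indistinguishable from one that is simply not current. Add `CMS.debug("CRLIssuingPoint: cannot read DeltaCRLIndicator number: " + e);` in that catch. The following test also evaluates `mLastCRLNumber.equals(BigInteger.ZERO)` only after `crlNumber.equals(mLastCRLNumber)` returned false, so if mLastCRLNumber can be null before the first update this throws; `BigInteger.ZERO.equals(mLastCRLNumber)` is null-safe. The method starts and ends outside the hunk.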
@@ -2291,29 +2444,32 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { /** * updates CRL and publishes it now */ - public void updateCRLNow() - throws EBaseException { + public void updateCRLNow() throws EBaseException { updateCRLNow(null); } public synchronized void updateCRLNow(String signingAlgorithm) - throws EBaseException { + throws EBaseException { - if ((!mEnable) || (!mEnableCRLUpdates && !mDoLastAutoUpdate)) return; + if ((!mEnable) || (!mEnableCRLUpdates && !mDoLastAutoUpdate)) + return; CMS.debug("Updating CRL"); - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, AuditFormat.LEVEL, - CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATE_STARTED"), - new Object[] { + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATE_STARTED"), + new Object[] { getId(), getNextCRLNumber(), Boolean.toString(isDeltaCRLEnabled()), Boolean.toString(isCRLCacheEnabled()), Boolean.toString(mEnableCacheRecovery), Boolean.toString(mCRLCacheIsCleared), - ""+mCRLCerts.size()+","+mRevokedCerts.size()+","+mUnrevokedCerts.size()+","+mExpiredCerts.size()+"" - } - ); + "" + mCRLCerts.size() + "," + mRevokedCerts.size() + + "," + mUnrevokedCerts.size() + "," + + mExpiredCerts.size() + "" }); mUpdatingCRL = CRL_UPDATE_STARTED; if (signingAlgorithm == null || signingAlgorithm.length() == 0) signingAlgorithm = mSigningAlgorithm; 
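Review bot: The last audit-log argument in updateCRLNow(String) is built as `"" + mCRLCerts.size() + "," + ... + mExpiredCerts.size() + ""`; the leading and trailing `""` were never needed and now that the formatter has spread the expression over three lines they only add noise. `mCRLCerts.size() + "," + mRevokedCerts.size() + "," + mUnrevokedCerts.size() + "," + mExpiredCerts.size()` produces the same string. Reassigning the parameter in `signingAlgorithm = mSigningAlgorithm;` is also worth replacing with a local so that the caller's argument and the effective algorithm stay distinguishable for the rest of the method, which continues outside the hunk.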
@@ -2322,20 +2478,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { Date nextUpdate = null; Date nextDeltaUpdate = null; - if (mEnableCRLUpdates && ((mEnableDailyUpdates && - mDailyUpdates != null && mTimeListSize > 0) || - (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { + if (mEnableCRLUpdates + && ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) || (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { - if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0 || mUpdateSchema == 1) { + if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0 + || mUpdateSchema == 1) { nextUpdate = new Date(findNextUpdate(false, false)); mNextUpdate = new Date(nextUpdate.getTime()); } if (isDeltaCRLEnabled()) { - if (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList && mTimeListSize > 1)) { + if (mUpdateSchema > 1 + || (mEnableDailyUpdates && mExtendedTimeList && mTimeListSize > 1)) { nextDeltaUpdate = new Date(findNextUpdate(false, true)); - if (mExtendedNextUpdate && mSchemaCounter > 0 && - mNextUpdate != null && mNextUpdate.equals(nextDeltaUpdate)) { - if (mEnableDailyUpdates && mExtendedTimeList && mTimeListSize > 1) { + if (mExtendedNextUpdate && mSchemaCounter > 0 + && mNextUpdate != null + && mNextUpdate.equals(nextDeltaUpdate)) { + if (mEnableDailyUpdates && mExtendedTimeList + && mTimeListSize > 1) { mSchemaCounter = mTimeListSize - 1; } else { mSchemaCounter = mUpdateSchema - 1; 
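Review bot: The formatter left the scheduling condition in updateCRLNow as a single 130-column line (`&& ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) || (mEnableUpdateFreq && mAutoUpdateInterval > 0))) {`), which hides the two alternatives it encodes. Name them first: `boolean dailySchedule = mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0;` and `boolean intervalSchedule = mEnableUpdateFreq && mAutoUpdateInterval > 0;`, then `if (mEnableCRLUpdates && (dailySchedule || intervalSchedule)) {`. `isDeltaCRLEnabled()` is also evaluated twice in this block; one local would avoid repeating the three extension lookups. The method starts and ends outside the hunk.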
@@ -2356,33 +2515,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mLastUpdate = thisUpdate; // mNextUpdate = nextUpdate; - mNextDeltaUpdate = (nextDeltaUpdate != null)? new Date(nextDeltaUpdate.getTime()): null; + mNextDeltaUpdate = (nextDeltaUpdate != null) ? new Date( + nextDeltaUpdate.getTime()) : null; if (nextUpdate != null) { - nextUpdate.setTime((nextUpdate.getTime())+mNextUpdateGracePeriod); + nextUpdate.setTime((nextUpdate.getTime()) + mNextUpdateGracePeriod); } if (nextDeltaUpdate != null) { - nextDeltaUpdate.setTime((nextDeltaUpdate.getTime())+mNextUpdateGracePeriod); + nextDeltaUpdate.setTime((nextDeltaUpdate.getTime()) + + mNextUpdateGracePeriod); } mSplits[0] -= System.currentTimeMillis(); @SuppressWarnings("unchecked") - Hashtable<BigInteger, RevokedCertificate> clonedRevokedCerts = (Hashtable<BigInteger, RevokedCertificate>)mRevokedCerts.clone(); + Hashtable<BigInteger, RevokedCertificate> clonedRevokedCerts = (Hashtable<BigInteger, RevokedCertificate>) mRevokedCerts + .clone(); @SuppressWarnings("unchecked") - Hashtable<BigInteger, RevokedCertificate> clonedUnrevokedCerts = (Hashtable<BigInteger, RevokedCertificate>)mUnrevokedCerts.clone(); + Hashtable<BigInteger, RevokedCertificate> clonedUnrevokedCerts = (Hashtable<BigInteger, RevokedCertificate>) mUnrevokedCerts + .clone(); @SuppressWarnings("unchecked") - Hashtable<BigInteger, RevokedCertificate> clonedExpiredCerts = (Hashtable<BigInteger, RevokedCertificate> )mExpiredCerts.clone(); + Hashtable<BigInteger, RevokedCertificate> clonedExpiredCerts = (Hashtable<BigInteger, RevokedCertificate>) mExpiredCerts + .clone(); mSplits[0] += System.currentTimeMillis(); // starting from the beginning - if ((!mEnableCRLCache) || - ((mCRLCacheIsCleared && mCRLCerts.isEmpty() && clonedRevokedCerts.isEmpty() && - clonedUnrevokedCerts.isEmpty() && clonedExpiredCerts.isEmpty()) || - (mCRLCerts.isEmpty() && (!clonedUnrevokedCerts.isEmpty())) || - (mCRLCerts.size() < 
clonedUnrevokedCerts.size()) || - (mCRLCerts.isEmpty() && (mCRLSize > 0)) || - (mCRLCerts.size() > 0 && mCRLSize == 0))) { + if ((!mEnableCRLCache) + || ((mCRLCacheIsCleared && mCRLCerts.isEmpty() + && clonedRevokedCerts.isEmpty() + && clonedUnrevokedCerts.isEmpty() && clonedExpiredCerts + .isEmpty()) + || (mCRLCerts.isEmpty() && (!clonedUnrevokedCerts + .isEmpty())) + || (mCRLCerts.size() < clonedUnrevokedCerts.size()) + || (mCRLCerts.isEmpty() && (mCRLSize > 0)) || (mCRLCerts + .size() > 0 && mCRLSize == 0))) { mSplits[5] -= System.currentTimeMillis(); mDeltaCRLSize = -1; @@ -2392,15 +2559,17 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { clonedExpiredCerts.clear(); mSchemaCounter = 0; - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS + .getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("generation"); + statsSub.startTiming("generation"); } - CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions); + CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, + mLogger, mAllowExtensions); processRevokedCerts(cp); if (statsSub != null) { - statsSub.endTiming("generation"); + statsSub.endTiming("generation"); } mCRLCacheIsCleared = false; 
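Review bot: The cache-consistency test that opens the rebuild branch of updateCRLNow (`if ((!mEnableCRLCache) || ((mCRLCacheIsCleared && ...`) is now broken mid-call (`clonedExpiredCerts\n.isEmpty()`, `mCRLCerts\n.size()`), so the five situations that force a full regeneration are harder to tell apart than in the old layout. Give them names before the `if`: `boolean cacheCleared = mCRLCacheIsCleared && mCRLCerts.isEmpty() && clonedRevokedCerts.isEmpty() && clonedUnrevokedCerts.isEmpty() && clonedExpiredCerts.isEmpty();` and `boolean cacheOutOfSync = mCRLCerts.size() < clonedUnrevokedCerts.size() || (mCRLCerts.isEmpty() && (mCRLSize > 0 || !clonedUnrevokedCerts.isEmpty())) || (mCRLCerts.size() > 0 && mCRLSize == 0);`, then test `if (!mEnableCRLCache || cacheCleared || cacheOutOfSync)`. The method starts and ends outside the hunk.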
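Review bot: In the same rebuild branch `statsSub.startTiming("generation")` has no matching `endTiming` in a finally, so if processRevokedCerts(cp) throws the "generation" timer is left open; publishCRL further down in this file closes its "crl_publishing" timer in a finally, which is the pattern to follow here. Wrapping the one call costs a few lines and keeps the stats subsystem consistent on the failure path.
```java
// … unchanged: cache reset, mSchemaCounter = 0, statsSub lookup and startTiming …
CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger, mAllowExtensions);
try {
    processRevokedCerts(cp);
} finally {
    if (statsSub != null) {
        statsSub.endTiming("generation");
    }
}
// … unchanged: mCRLCacheIsCleared = false …
```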
@@ -2409,17 +2578,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (isDeltaCRLEnabled()) { mSplits[1] -= System.currentTimeMillis(); @SuppressWarnings("unchecked") - Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts = (Hashtable<BigInteger, RevokedCertificate> )clonedRevokedCerts.clone(); + Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts = (Hashtable<BigInteger, RevokedCertificate>) clonedRevokedCerts + .clone(); deltaCRLCerts.putAll(clonedUnrevokedCerts); if (mIncludeExpiredCertsOneExtraTime) { if (!clonedExpiredCerts.isEmpty()) { - for (Enumeration<BigInteger> e = clonedExpiredCerts.keys(); e.hasMoreElements();) { + for (Enumeration<BigInteger> e = clonedExpiredCerts + .keys(); e.hasMoreElements();) { BigInteger serialNumber = e.nextElement(); - if ((mLastFullUpdate != null && - mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || - mLastFullUpdate == null) { - deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); + if ((mLastFullUpdate != null && mLastFullUpdate + .after((mExpiredCerts.get(serialNumber)) + .getRevocationDate())) + || mLastFullUpdate == null) { + deltaCRLCerts.put(serialNumber, + clonedExpiredCerts.get(serialNumber)); } } } 
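Review bot: Inside the `clonedExpiredCerts.keys()` loop the revocation date is read from the live table, `mExpiredCerts.get(serialNumber)`, although the clone was taken a few lines earlier precisely to work from a stable snapshot; if an entry is removed from mExpiredCerts between the clone and this loop the `get` returns null and `.getRevocationDate()` throws in the middle of delta-CRL generation. Read from the snapshot being iterated: `mLastFullUpdate.after(clonedExpiredCerts.get(serialNumber).getRevocationDate())`. The same live read appears in the hunk at -2545 (the `mSchemaCounter == 0` merge loop) and should be changed together with this one. The method starts and ends outside the hunk.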
@@ -2430,14 +2603,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mLastCRLNumber = mCRLNumber; CRLExtensions ext = new CRLExtensions(); - Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames(); + Vector<String> extNames = mCMSCRLExtensions + .getCRLExtensionNames(); for (int i = 0; i < extNames.size(); i++) { String extName = extNames.elementAt(i); - if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && - (!extName.equals(FreshestCRLExtension.NAME))) { - mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) + && (!extName.equals(FreshestCRLExtension.NAME))) { + mCMSCRLExtensions + .addToCRLExtensions(ext, extName, null); } } mSplits[1] += System.currentTimeMillis(); @@ -2449,15 +2624,17 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { byte[] newDeltaCRL; // #56123 - dont generate CRL if no revoked certificates - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { if (deltaCRLCerts.size() == 0) { CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "No Revoked Certificates")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); } } X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), - AlgorithmId.get(signingAlgorithm), - thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); + AlgorithmId.get(signingAlgorithm), thisUpdate, + nextDeltaUpdate, deltaCRLCerts, ext); newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); newDeltaCRL = newX509DeltaCRL.getEncoded(); 
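Review bot: When `noCRLIfNoRevokedCert` is set and deltaCRLCerts is empty, the code throws an EBaseException carrying the "CMS_BASE_INTERNAL_ERROR" message, which the `catch (EBaseException e)` in the next hunk records as an LL_FAILURE "CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA" event; a configured, expected no-op is thereby logged as a signing/store failure and becomes noise for anyone monitoring CRL generation. If that failure-level entry is not intended, test the condition before entering the signing try block and skip delta generation with `mDeltaCRLSize = -1;` plus the existing debug message instead of throwing. The full-CRL variant in the hunk at -2610 has the same shape, though there the exception surfaces to callers as an ECAException, so changing it needs a look at what they expect. The method starts and ends outside the hunk.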
@@ -2465,47 +2642,51 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[3] -= System.currentTimeMillis(); mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, - Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); + Long.valueOf(deltaCRLCerts.size()), + mNextDeltaUpdate, newDeltaCRL); mSplits[3] += System.currentTimeMillis(); mDeltaCRLSize = deltaCRLCerts.size(); - long totalTime = 0; String splitTimes = " ("; for (int i = 1; i < mSplits.length && i < 5; i++) { totalTime += mSplits[i]; - if (i > 1) splitTimes += ","; + if (i > 1) + splitTimes += ","; splitTimes += Long.toString(mSplits[i]); } splitTimes += ")"; - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), - new Object[] { - getId(), - getNextCRLNumber(), - getCRLNumber(), - getLastUpdate(), + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), + new Object[] { getId(), getNextCRLNumber(), + getCRLNumber(), getLastUpdate(), getNextDeltaUpdate(), - Long.toString(mDeltaCRLSize), - Long.toString(totalTime)+splitTimes - } - ); + Long.toString(mDeltaCRLSize), + Long.toString(totalTime) + splitTimes }); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", + e.toString())); mDeltaCRLSize = -1; } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); mDeltaCRLSize = -1; } catch (CRLException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); 
mDeltaCRLSize = -1; } catch (X509ExtensionException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); mDeltaCRLSize = -1; } catch (OutOfMemoryError e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); mDeltaCRLSize = -1; } @@ -2515,12 +2696,16 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[4] += System.currentTimeMillis(); } catch (EBaseException e) { newX509DeltaCRL = null; - if (Debug.on()) + if (Debug.on()) Debug.printStackTrace(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_DELTA", + mCRLNumber.toString(), e.toString())); } catch (OutOfMemoryError e) { newX509DeltaCRL = null; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_DELTA", + mCRLNumber.toString(), e.toString())); } } else { mDeltaCRLSize = -1; 
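Review bot: The delta-CRL handlers for NoSuchAlgorithmException, CRLException and X509ExtensionException are three identical blocks (log "CMSCORE_CA_ISSUING_SIGN_DELTA", set `mDeltaCRLSize = -1`), and each records only `e.toString()`, so the stack trace of a failed delta signing is never captured. If the build targets Java 7 or later, collapse them with `catch (NoSuchAlgorithmException | CRLException | X509ExtensionException e)`; in any case add `if (Debug.on()) Debug.printStackTrace(e);` as the EBaseException branch of the publish step in the next hunk already does. Catching `OutOfMemoryError` and continuing is presumably deliberate (an oversized CRL), but a one-line comment saying so would help, since the issuing point keeps running with unknown state afterwards. The method starts and ends outside the hunk.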
@@ -2529,12 +2714,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[5] -= System.currentTimeMillis(); if (mSchemaCounter == 0) { - if (((!mCRLCerts.isEmpty()) && ((!clonedRevokedCerts.isEmpty()) || - (!clonedUnrevokedCerts.isEmpty()) || (!clonedExpiredCerts.isEmpty()))) || - (mCRLCerts.isEmpty() && (mCRLSize == 0) && (!clonedRevokedCerts.isEmpty()))) { + if (((!mCRLCerts.isEmpty()) && ((!clonedRevokedCerts.isEmpty()) + || (!clonedUnrevokedCerts.isEmpty()) || (!clonedExpiredCerts + .isEmpty()))) + || (mCRLCerts.isEmpty() && (mCRLSize == 0) && (!clonedRevokedCerts + .isEmpty()))) { if (!clonedUnrevokedCerts.isEmpty()) { - for (Enumeration<BigInteger> e = clonedUnrevokedCerts.keys(); e.hasMoreElements();) { + for (Enumeration<BigInteger> e = clonedUnrevokedCerts + .keys(); e.hasMoreElements();) { BigInteger serialNumber = e.nextElement(); if (mCRLCerts.containsKey(serialNumber)) { 
@@ -2545,22 +2733,27 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } if (!clonedRevokedCerts.isEmpty()) { - for (Enumeration<BigInteger> e = clonedRevokedCerts.keys(); e.hasMoreElements();) { + for (Enumeration<BigInteger> e = clonedRevokedCerts + .keys(); e.hasMoreElements();) { BigInteger serialNumber = e.nextElement(); - mCRLCerts.put(serialNumber, mRevokedCerts.get(serialNumber)); + mCRLCerts.put(serialNumber, + mRevokedCerts.get(serialNumber)); mRevokedCerts.remove(serialNumber); } } if (!clonedExpiredCerts.isEmpty()) { - for (Enumeration<BigInteger> e = clonedExpiredCerts.keys(); e.hasMoreElements();) { + for (Enumeration<BigInteger> e = clonedExpiredCerts + .keys(); e.hasMoreElements();) { BigInteger serialNumber = e.nextElement(); - if ((!mIncludeExpiredCertsOneExtraTime) || - (mLastFullUpdate != null && - mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || - mLastFullUpdate == null) { + if ((!mIncludeExpiredCertsOneExtraTime) + || (mLastFullUpdate != null && mLastFullUpdate + .after((mExpiredCerts + .get(serialNumber)) + .getRevocationDate())) + || mLastFullUpdate == null) { if (mCRLCerts.containsKey(serialNumber)) { mCRLCerts.remove(serialNumber); } @@ -2591,14 +2784,17 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mAllowExtensions) { ext = new CRLExtensions(); - Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames(); + Vector<String> extNames = mCMSCRLExtensions + .getCRLExtensionNames(); for (int i = 0; i < extNames.size(); i++) { String extName = extNames.elementAt(i); - if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && - (!extName.equals(DeltaCRLIndicatorExtension.NAME))) { - mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); + if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) + && (!extName + .equals(DeltaCRLIndicatorExtension.NAME))) { + mCMSCRLExtensions + .addToCRLExtensions(ext, extName, null); } } } 
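Review bot: The extension-building loop in the -2591 hunk (iterate `mCMSCRLExtensions.getCRLExtensionNames()`, skip DeltaCRLIndicatorExtension.NAME, call addToCRLExtensions) duplicates the one in the hunk at -2430, which differs only in excluding FreshestCRLExtension.NAME, and the reflow (`mCMSCRLExtensions\n.addToCRLExtensions(...)`) makes the two copies harder to compare. A private helper taking the excluded name leaves one place to maintain; the call sites become `ext = buildCRLExtensions(DeltaCRLIndicatorExtension.NAME);` and `CRLExtensions ext = buildCRLExtensions(FreshestCRLExtension.NAME);`.
```java
/** Builds the enabled CRL extensions, omitting the one named excludedName. */
private CRLExtensions buildCRLExtensions(String excludedName) {
    CRLExtensions ext = new CRLExtensions();
    Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames();
    for (int i = 0; i < extNames.size(); i++) {
        String extName = extNames.elementAt(i);
        if (mCMSCRLExtensions.isCRLExtensionEnabled(extName)
                && !extName.equals(excludedName)) {
            mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
        }
    }
    return ext;
}
```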
@@ -2610,22 +2806,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { try { byte[] newCRL; - CMS.debug("Making CRL with algorithm " + - signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); + CMS.debug("Making CRL with algorithm " + signingAlgorithm + " " + + AlgorithmId.get(signingAlgorithm)); mSplits[7] -= System.currentTimeMillis(); // #56123 - dont generate CRL if no revoked certificates - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { - if (mCRLCerts.size() == 0) { - CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "No Revoked Certificates")); - } + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (mCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); + } } CMS.debug("before new X509CRLImpl"); X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), - AlgorithmId.get(signingAlgorithm), - thisUpdate, nextUpdate, mCRLCerts, ext); + AlgorithmId.get(signingAlgorithm), thisUpdate, + nextUpdate, mCRLCerts, ext); CMS.debug("before sign"); newX509CRL = mCA.sign(crl, signingAlgorithm); 
@@ -2638,20 +2836,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[8] -= System.currentTimeMillis(); Date nextUpdateDate = mNextUpdate; - if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || - (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { + if (isDeltaCRLEnabled() + && (mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList)) + && mNextDeltaUpdate != null) { nextUpdateDate = mNextDeltaUpdate; } if (mSaveMemory) { - mCRLRepository.updateCRLIssuingPointRecord( - mId, newCRL, thisUpdate, nextUpdateDate, - mNextCRLNumber, Long.valueOf(mCRLCerts.size())); + mCRLRepository.updateCRLIssuingPointRecord(mId, newCRL, + thisUpdate, nextUpdateDate, mNextCRLNumber, + Long.valueOf(mCRLCerts.size())); updateCRLCacheRepository(); } else { - mCRLRepository.updateCRLIssuingPointRecord( - mId, newCRL, thisUpdate, nextUpdateDate, - mNextCRLNumber, Long.valueOf(mCRLCerts.size()), - mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mCRLRepository.updateCRLIssuingPointRecord(mId, newCRL, + thisUpdate, nextUpdateDate, mNextCRLNumber, + Long.valueOf(mCRLCerts.size()), mRevokedCerts, + mUnrevokedCerts, mExpiredCerts); mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; } @@ -2663,11 +2862,10 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); mNextDeltaCRLNumber = mNextCRLNumber; - CMS.debug("Logging CRL Update to transaction log"); - long totalTime = 0; - long crlTime = 0; - long deltaTime = 0; + long totalTime = 0; + long crlTime = 0; + long deltaTime = 0; String splitTimes = " ("; for (int i = 0; i < mSplits.length; i++) { totalTime += mSplits[i]; 
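Review bot: The hunk at -2663 deletes the line `CMS.debug("Logging CRL Update to transaction log");` while otherwise only re-indenting the three `long` declarations around it, which is a behaviour change in a commit described as formatting. The matching `CMS.debug("Finished Logging CRL Update to transaction log");` in the next hunk is kept, so the debug trace now shows an end marker with no start. Either restore the line here or remove both markers in a separate, described change.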
@@ -2676,53 +2874,67 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } else { crlTime += mSplits[i]; } - if (i > 0) splitTimes += ","; + if (i > 0) + splitTimes += ","; splitTimes += Long.toString(mSplits[i]); } - splitTimes += "," + Long.toString(deltaTime) + "," + Long.toString(crlTime) + "," + Long.toString(totalTime) + ")"; - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), - new Object[] { - getId(), - getCRLNumber(), - getLastUpdate(), - getNextUpdate(), + splitTimes += "," + Long.toString(deltaTime) + "," + + Long.toString(crlTime) + "," + + Long.toString(totalTime) + ")"; + mLogger.log( + ILogger.EV_AUDIT, + ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), + new Object[] { getId(), getCRLNumber(), + getLastUpdate(), getNextUpdate(), Long.toString(mCRLSize), Long.toString(totalTime), Long.toString(crlTime), - Long.toString(deltaTime)+splitTimes - } - ); + Long.toString(deltaTime) + splitTimes }); CMS.debug("Finished Logging CRL Update to transaction log"); } catch (EBaseException e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - if (Debug.on()) + if (Debug.on()) Debug.printStackTrace(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } catch (NoSuchAlgorithmException e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", + 
e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } catch (CRLException e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } catch (X509ExtensionException e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } catch (OutOfMemoryError e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } try { 
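Review bot: The five catch blocks that close the CRL-signing try (EBaseException, NoSuchAlgorithmException, CRLException, X509ExtensionException, OutOfMemoryError) each repeat `newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; log(...); throw new ECAException(...)`, so a fix to one handler is easy to miss in the others, and only the EBaseException branch prints the stack trace. A small helper that logs and builds the ECAException reduces each handler to the two state resets plus one `throw`; the wrapped failure is currently passed on only as `e.toString()`, so if ECAException has a cause-taking constructor the helper is also the place to use it. The method starts and ends outside the hunk.
```java
} catch (NoSuchAlgorithmException e) {
    newX509CRL = null;
    mUpdatingCRL = CRL_UPDATE_DONE;
    throw crlConstructionFailed("CMSCORE_CA_ISSUING_SIGN_CRL", e);
// … same three lines in the CRLException, X509ExtensionException and OutOfMemoryError handlers …

/** Logs a failed CRL construction under logKey and builds the exception to throw. */
private ECAException crlConstructionFailed(String logKey, Throwable e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
    return new ECAException(CMS.getUserMessage(
            "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
}
```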
@@ -2734,11 +2946,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } catch (EBaseException e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_CRL", + mCRLNumber.toString(), e.toString())); } catch (OutOfMemoryError e) { newX509CRL = null; mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_PUBLISH_CRL", + mCRLNumber.toString(), e.toString())); } } @@ -2746,10 +2962,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mDeltaCRLNumber = mNextDeltaCRLNumber; mNextDeltaCRLNumber = mDeltaCRLNumber.add(BigInteger.ONE); } - - if ((!(mEnableDailyUpdates && mExtendedTimeList)) || mSchemaCounter == 0) mSchemaCounter++; - if ((mEnableDailyUpdates && mExtendedTimeList && mSchemaCounter >= mTimeListSize) || - (mUpdateSchema > 1 && mSchemaCounter >= mUpdateSchema)) mSchemaCounter = 0; + + if ((!(mEnableDailyUpdates && mExtendedTimeList)) + || mSchemaCounter == 0) + mSchemaCounter++; + if ((mEnableDailyUpdates && mExtendedTimeList && mSchemaCounter >= mTimeListSize) + || (mUpdateSchema > 1 && mSchemaCounter >= mUpdateSchema)) + mSchemaCounter = 0; mLastDay = mCurrentDay; mUpdatingCRL = CRL_UPDATE_DONE; 
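Review bot: The schema-counter update in the -2746 hunk is two brace-less `if`s whose bodies the formatter has moved onto their own lines (`|| mSchemaCounter == 0)` / `mSchemaCounter++;`), exactly the layout that invites a later statement to be appended outside the condition. Brace both: `if (...) { mSchemaCounter++; }` and `if (...) { mSchemaCounter = 0; }`. The second condition is still a 100-plus-column line; with `boolean extendedList = mEnableDailyUpdates && mExtendedTimeList;` it reads `if ((extendedList && mSchemaCounter >= mTimeListSize) || (mUpdateSchema > 1 && mSchemaCounter >= mUpdateSchema))`. The method starts and ends outside the hunk.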
@@ -2760,35 +2979,32 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { * publish CRL. called from updateCRLNow() and init(). */ - public void publishCRL() - throws EBaseException { + public void publishCRL() throws EBaseException { publishCRL(null); } - protected void publishCRL(X509CRLImpl x509crl) - throws EBaseException { + protected void publishCRL(X509CRLImpl x509crl) throws EBaseException { publishCRL(x509crl, false); } - + /* - * The Session Context is a Hashtable, but without type information. - * Suppress the warnings generated by adding to the session context - * + * The Session Context is a Hashtable, but without type information. + * Suppress the warnings generated by adding to the session context */ @SuppressWarnings("unchecked") - protected void publishCRL(X509CRLImpl x509crl, boolean isDeltaCRL) - throws EBaseException { + protected void publishCRL(X509CRLImpl x509crl, boolean isDeltaCRL) + throws EBaseException { SessionContext sc = SessionContext.getContext(); - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("crl_publishing"); + statsSub.startTiming("crl_publishing"); } if (mCountMod == 0) { - sc.put(SC_CRL_COUNT, Integer.toString(mCount)); + sc.put(SC_CRL_COUNT, Integer.toString(mCount)); } else { - sc.put(SC_CRL_COUNT, Integer.toString(mCount%mCountMod)); + sc.put(SC_CRL_COUNT, Integer.toString(mCount % mCountMod)); } mCount++; sc.put(SC_ISSUING_POINT_ID, mId); 
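Review bot: `mCount++` and the `sc.put(SC_CRL_COUNT, ...)` before it run in publishCRL(X509CRLImpl, boolean), which is not synchronized, while the comment above says the method is reached from both updateCRLNow() (synchronized) and init(); if those two can overlap, the increment can be lost or two CRLs published under the same count. If that overlap is possible, take the same lock updateCRLNow uses around the count and the put, or make mCount an `AtomicInteger` and use `getAndIncrement()`. The method-wide `@SuppressWarnings("unchecked")` is explained by the comment, but moving the two `sc.put` calls into a tiny annotated helper would narrow it and keep any future unchecked warnings in the rest of the method visible. The method continues outside the hunk.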
@@ -2805,16 +3021,18 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (x509crl == null) { crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); if (crlRecord != null) { - byte[] crl = (isDeltaCRL) ? crlRecord.getDeltaCRL() : crlRecord.getCRL(); + byte[] crl = (isDeltaCRL) ? crlRecord.getDeltaCRL() + : crlRecord.getCRL(); if (crl != null) { x509crl = new X509CRLImpl(crl); } } } - if (x509crl != null && - mPublisherProcessor != null && mPublisherProcessor.enabled()) { - Enumeration<ILdapRule> rules = mPublisherProcessor.getRules(IPublisherProcessor.PROP_LOCAL_CRL); + if (x509crl != null && mPublisherProcessor != null + && mPublisherProcessor.enabled()) { + Enumeration<ILdapRule> rules = mPublisherProcessor + .getRules(IPublisherProcessor.PROP_LOCAL_CRL); if (rules == null || !rules.hasMoreElements()) { CMS.debug("CRL publishing is not enabled."); } else { @@ -2822,7 +3040,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mPublisherProcessor.publishCRL(mPublishDN, x509crl); CMS.debug("CRL published to " + mPublishDN); } else { - mPublisherProcessor.publishCRL(x509crl,getId()); + mPublisherProcessor.publishCRL(x509crl, getId()); CMS.debug("CRL published."); } } 
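Review bot: When no CRL can be loaded — `crlRecord` is null, or both `getDeltaCRL()` and `getCRL()` return null — `x509crl` stays null and the `if (x509crl != null && ...)` block is skipped without a trace, whereas the disabled-publishing case does log "CRL publishing is not enabled."; an operator expecting a publish gets nothing to look at. Add an `else` branch keyed on `x509crl == null`, e.g. `CMS.debug("CRL publishing skipped: no CRL loaded for " + mId + " (isDeltaCRL=" + isDeltaCRL + ")");`. The method starts and ends outside the hunk.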
@@ -2830,18 +3048,18 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } catch (Exception e) { CMS.debug("Could not publish CRL. Error " + e); CMS.debug("Could not publish CRL. ID " + mId); - throw new EErrorPublishCRL( - CMS.getUserMessage("CMS_CA_ERROR_PUBLISH_CRL", mId, e.toString())); + throw new EErrorPublishCRL(CMS.getUserMessage( + "CMS_CA_ERROR_PUBLISH_CRL", mId, e.toString())); } finally { - if (statsSub != null) { - statsSub.endTiming("crl_publishing"); - } + if (statsSub != null) { + statsSub.endTiming("crl_publishing"); + } } } protected void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, - "CRLIssuingPoint " + mId + " - " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CRLIssuingPoint " + mId + " - " + msg); } void setConfigParam(String name, String value) { @@ -2851,7 +3069,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { class RevocationRequestListener implements IRequestListener { public void init(ISubsystem sys, IConfigStore config) - throws EBaseException { + throws EBaseException { } public void set(String name, String val) { 
@@ -2860,38 +3078,37 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { public void accept(IRequest r) { String requestType = r.getRequestType(); - if (requestType.equals(IRequest.REVOCATION_REQUEST) || - requestType.equals(IRequest.UNREVOCATION_REQUEST) || - requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) || - requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) { + if (requestType.equals(IRequest.REVOCATION_REQUEST) + || requestType.equals(IRequest.UNREVOCATION_REQUEST) + || requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) + || requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) { CMS.debug("Revocation listener called."); // check if serial number is in begin/end range if set. if (mBeginSerial != null || mEndSerial != null) { - CMS.debug( - "Checking if serial number is between " + - mBeginSerial + " and " + mEndSerial); - BigInteger[] serialNos = - r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + CMS.debug("Checking if serial number is between " + + mBeginSerial + " and " + mEndSerial); + BigInteger[] serialNos = r + .getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); if (serialNos == null || serialNos.length == 0) { - X509CertImpl oldCerts[] = - r.getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl oldCerts[] = r + .getExtDataInCertArray(IRequest.OLD_CERTS); - if (oldCerts == null || oldCerts.length == 0) + if (oldCerts == null || oldCerts.length == 0) return; serialNos = new BigInteger[oldCerts.length]; for (int i = 0; i < oldCerts.length; i++) { serialNos[i] = oldCerts[i].getSerialNumber(); } } - + boolean inRange = false; for (int i = 0; i < serialNos.length; i++) { - if ((mBeginSerial == null || - serialNos[i].compareTo(mBeginSerial) >= 0) && - (mEndSerial == null || - serialNos[i].compareTo(mEndSerial) <= 0)) { + if ((mBeginSerial == null || serialNos[i] + .compareTo(mBeginSerial) >= 0) + && (mEndSerial == null || serialNos[i] + .compareTo(mEndSerial) <= 0)) { inRange = true; } } 
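Review bot: In RevocationRequestListener.accept the `if (oldCerts == null || oldCerts.length == 0) return;` inside the serial-range check drops the request silently: there is no debug line and, unlike the error paths later in this method, no `mCrlUpdateStatus` is set on `r`, so a revocation request carrying neither OLD_SERIALS nor OLD_CERTS leaves no record of why the CRL was not updated. At minimum log before returning, `CMS.debug("Revocation listener: request has no OLD_SERIALS or OLD_CERTS, skipping CRL update");`, and consider whether callers that read the update status need an explicit RES_ERROR here. The method continues outside the hunk.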
@@ -2905,7 +3122,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { updateCRLNow(); r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); if (mPublisherProcessor != null) { - r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); + r.setExtData(mCrlPublishStatus, + IRequest.RES_SUCCESS); } } catch (EErrorPublishCRL e) { // error already logged in updateCRLNow(); @@ -2915,17 +3133,22 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { r.setExtData(mCrlPublishError, e); } } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); r.setExtData(mCrlUpdateError, e); } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); if (Debug.on()) Debug.printStackTrace(e); r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); - r.setExtData(mCrlUpdateError, - new EBaseException( - CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); + r.setExtData( + mCrlUpdateError, + new EBaseException( + CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + e.toString()))); } } } @@ -2933,7 +3156,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } } - class CertRecProcessor implements IElementProcessor { private Hashtable<BigInteger, RevokedCertificate> mCRLCerts = null; private boolean mAllowExtensions = false; 
@@ -2944,107 +3166,109 @@ class CertRecProcessor implements IElementProcessor { private boolean mIssuingDistPointEnabled = false; private BitArray mOnlySomeReasons = null; - public CertRecProcessor(Hashtable<BigInteger, RevokedCertificate> crlCerts, CRLIssuingPoint ip, ILogger logger, boolean allowExtensions) { + public CertRecProcessor(Hashtable<BigInteger, RevokedCertificate> crlCerts, + CRLIssuingPoint ip, ILogger logger, boolean allowExtensions) { mCRLCerts = crlCerts; mLogger = logger; mIP = ip; mAllowExtensions = allowExtensions; mIssuingDistPointAttempted = false; - mIssuingDistPointEnabled = false; + mIssuingDistPointEnabled = false; mOnlySomeReasons = null; } private boolean initCRLIssuingDistPointExtension() { - boolean result = false; - CMSCRLExtensions exts = null; - - if(mIssuingDistPointAttempted == true) { - if((mIssuingDistPointEnabled == true) && (mOnlySomeReasons != null )) { - return true; - } else { - return false; - } - } - - mIssuingDistPointAttempted = true; - exts = (CMSCRLExtensions) mIP.getCRLExtensions(); - if(exts == null) { - return result; - } - boolean isIssuingDistPointExtEnabled = false; - isIssuingDistPointExtEnabled = exts.isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); - if(isIssuingDistPointExtEnabled == false) { + boolean result = false; + CMSCRLExtensions exts = null; + + if (mIssuingDistPointAttempted == true) { + if ((mIssuingDistPointEnabled == true) + && (mOnlySomeReasons != null)) { + return true; + } else { + return false; + } + } + + mIssuingDistPointAttempted = true; + exts = (CMSCRLExtensions) mIP.getCRLExtensions(); + if (exts == null) { + return result; + } + boolean isIssuingDistPointExtEnabled = false; + isIssuingDistPointExtEnabled = exts + .isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME); + if (isIssuingDistPointExtEnabled == false) { mIssuingDistPointEnabled = false; return false; } mIssuingDistPointEnabled = true; - //Get info out of the IssuingDistPointExtension + // Get info out 
of the IssuingDistPointExtension CRLExtensions ext = new CRLExtensions(); Vector<String> extNames = exts.getCRLExtensionNames(); - for (int i = 0; i < extNames.size(); i++) { - String extName = extNames.elementAt(i); - if (extName.equals(IssuingDistributionPointExtension.NAME)) { - exts.addToCRLExtensions(ext, extName, null); - } - } - Extension issuingDistExt = null; - try { - issuingDistExt = ext.get(IssuingDistributionPointExtension.NAME); - } catch (Exception e) { + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + if (extName.equals(IssuingDistributionPointExtension.NAME)) { + exts.addToCRLExtensions(ext, extName, null); } + } + Extension issuingDistExt = null; + try { + issuingDistExt = ext.get(IssuingDistributionPointExtension.NAME); + } catch (Exception e) { + } - IssuingDistributionPointExtension iExt = null; - if(issuingDistExt != null) - iExt = (IssuingDistributionPointExtension) issuingDistExt; - IssuingDistributionPoint issuingDistributionPoint = null; - if(iExt != null) - issuingDistributionPoint = iExt.getIssuingDistributionPoint(); + IssuingDistributionPointExtension iExt = null; + if (issuingDistExt != null) + iExt = (IssuingDistributionPointExtension) issuingDistExt; + IssuingDistributionPoint issuingDistributionPoint = null; + if (iExt != null) + issuingDistributionPoint = iExt.getIssuingDistributionPoint(); - BitArray onlySomeReasons = null; + BitArray onlySomeReasons = null; - if(issuingDistributionPoint != null) - onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); + if (issuingDistributionPoint != null) + onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); - boolean applyReasonMatch = false; - boolean reasonMatch = true; + boolean applyReasonMatch = false; + boolean reasonMatch = true; - if(onlySomeReasons != null) { - applyReasonMatch = !onlySomeReasons.toString().equals("0000000"); - CMS.debug("applyReasonMatch " + applyReasonMatch); - if(applyReasonMatch == true) { - 
mOnlySomeReasons = onlySomeReasons; - result = true; - } + if (onlySomeReasons != null) { + applyReasonMatch = !onlySomeReasons.toString().equals("0000000"); + CMS.debug("applyReasonMatch " + applyReasonMatch); + if (applyReasonMatch == true) { + mOnlySomeReasons = onlySomeReasons; + result = true; } - return result; + } + return result; } - private boolean checkOnlySomeReasonsExtension(CRLExtensions entryExts) - { + private boolean checkOnlySomeReasonsExtension(CRLExtensions entryExts) { boolean includeCert = true; - //This is exactly how the Pretty Print code obtains the reason code - //through the extensions - if(entryExts == null) { + // This is exactly how the Pretty Print code obtains the reason code + // through the extensions + if (entryExts == null) { return includeCert; } Extension crlReasonExt = null; try { - crlReasonExt = entryExts.get(CRLReasonExtension.NAME); + crlReasonExt = entryExts.get(CRLReasonExtension.NAME); } catch (Exception e) { return includeCert; } RevocationReason reason = null; int reasonIndex = 0; - if(crlReasonExt != null) { + if (crlReasonExt != null) { try { - CRLReasonExtension theReason = (CRLReasonExtension) crlReasonExt; - reason = (RevocationReason) theReason.get("value"); - reasonIndex = reason.toInt(); - CMS.debug("revoked reason " + reason); + CRLReasonExtension theReason = (CRLReasonExtension) crlReasonExt; + reason = (RevocationReason) theReason.get("value"); + reasonIndex = reason.toInt(); + CMS.debug("revoked reason " + reason); } catch (Exception e) { return includeCert; } 
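Review bot: The `catch (Exception e) { }` around `ext.get(IssuingDistributionPointExtension.NAME)` in initCRLIssuingDistPointExtension() discards the error entirely, and because `mIssuingDistPointAttempted` is already true at that point the processor will report "no onlySomeReasons" for its whole lifetime with no trace of why. The fallback direction is the safe one (every revoked cert stays in the CRL), but a misconfigured IssuingDistributionPoint becomes invisible; log it: `} catch (Exception e) { CMS.debug("CertRecProcessor: cannot read IssuingDistributionPoint extension: " + e); }`. The `onlySomeReasons.toString().equals("0000000")` test compares a BitArray through its string rendering, which silently ties the "no reasons set" check to a 7-bit width; a comment stating that assumption, or a loop over the bits, would make the intent explicit. checkOnlySomeReasonsExtension(), which begins at the end of this hunk, continues past it.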
@@ -3052,37 +3276,37 @@ class CertRecProcessor implements IElementProcessor { return includeCert; } boolean reasonMatch = false; - if(reason != null) { - if(mOnlySomeReasons != null) { + if (reason != null) { + if (mOnlySomeReasons != null) { reasonMatch = mOnlySomeReasons.get(reasonIndex); - if(reasonMatch != true) { + if (reasonMatch != true) { includeCert = false; } else { CMS.debug("onlySomeReasons match! reason: " + reason); } } } - + return includeCert; } - public boolean checkRevokedCertExtensions(CRLExtensions crlExtensions) - { - //For now just check the onlySomeReason CRL IssuingDistributionPoint extension + public boolean checkRevokedCertExtensions(CRLExtensions crlExtensions) { + // For now just check the onlySomeReason CRL IssuingDistributionPoint + // extension - boolean includeCert = true; - if((crlExtensions == null) || (mAllowExtensions == false)) { + boolean includeCert = true; + if ((crlExtensions == null) || (mAllowExtensions == false)) { return includeCert; } boolean inited = initCRLIssuingDistPointExtension(); - //If the CRLIssuingDistPointExtension is not available or + // If the CRLIssuingDistPointExtension is not available or // if onlySomeReasons does not apply, bail. - if(inited == false) { + if (inited == false) { return includeCert; - } + } - //Check the onlySomeReasonsExtension + // Check the onlySomeReasonsExtension includeCert = checkOnlySomeReasonsExtension(crlExtensions); return includeCert; 
@@ -3101,23 +3325,24 @@ class CertRecProcessor implements IElementProcessor { crlExts = revInfo.getCRLEntryExtensions(); entryExt = mIP.getRequiredEntryExtensions(crlExts); } - RevokedCertificate newRevokedCert = - new RevokedCertImpl(serialNumber, revocationDate, entryExt); + RevokedCertificate newRevokedCert = new RevokedCertImpl( + serialNumber, revocationDate, entryExt); boolean includeCert = checkRevokedCertExtensions(crlExts); if (includeCert == true) { - mCRLCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + mCRLCerts + .put(serialNumber, (RevokedCertificate) newRevokedCert); if (serialNumber != null) { - CMS.debug("Putting certificate serial: 0x"+serialNumber.toString(16)+" into CRL hashtable"); + CMS.debug("Putting certificate serial: 0x" + + serialNumber.toString(16) + " into CRL hashtable"); } } } catch (EBaseException e) { - CMS.debug( - "CA failed constructing CRL entry: " + - (mCRLCerts.size() + 1) + " " + e); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + CMS.debug("CA failed constructing CRL entry: " + + (mCRLCerts.size() + 1) + " " + e); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } } } - diff --git a/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java b/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java index bb2043860..f4e3a80ba 100644 --- a/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java +++ b/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java 
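Review bot: In process(), `mCRLCerts.put(serialNumber, (RevokedCertificate) newRevokedCert)` runs before the `if (serialNumber != null)` guard; `Hashtable.put` throws NullPointerException on a null key, so the guard can never observe a null and the NPE would escape the `catch (EBaseException e)` below rather than being reported as a CRL construction failure. Either hoist the check ahead of the put, e.g. `if (serialNumber == null) throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", "null serial number"));`, or drop the guard if the record layer guarantees a serial. process() starts outside the hunk.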
@@ -17,44 +17,43 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ca; - import java.math.BigInteger; import com.netscape.certsrv.base.EBaseException; import com.netscape.cmscore.dbs.CertRecord; - /** - * A CRL Issuing point that contains revoked certs, include onces that - * have expired. + * A CRL Issuing point that contains revoked certs, include onces that have + * expired. */ public class CRLWithExpiredCerts extends CRLIssuingPoint { /** - * overrides getRevokedCerts in CRLIssuingPoint to include - * all revoked certs, including once that have expired. - * + * overrides getRevokedCerts in CRLIssuingPoint to include all revoked + * certs, including once that have expired. + * * @param thisUpdate parameter is ignored. - * + * * @exception EBaseException if an exception occured getting revoked - * certificates from the database. + * certificates from the database. */ public String getFilter() { // PLEASE DONT CHANGE THE FILTER. It is indexed. // Changing it will degrade performance. See // also com.netscape.certsetup.LDAPUtil.java - String filter = - "(|(" + CertRecord.ATTR_CERT_STATUS + "=" + - CertRecord.STATUS_REVOKED + ")" + - "(" + CertRecord.ATTR_CERT_STATUS + "=" + - CertRecord.STATUS_REVOKED_EXPIRED + "))"; + String filter = "(|(" + CertRecord.ATTR_CERT_STATUS + "=" + + CertRecord.STATUS_REVOKED + ")" + "(" + + CertRecord.ATTR_CERT_STATUS + "=" + + CertRecord.STATUS_REVOKED_EXPIRED + "))"; // check if any ranges specified. - if (mBeginSerial != null) - filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")"; + if (mBeginSerial != null) + filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + + ")"; if (mEndSerial != null) - filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")"; - // get all revoked non-expired certs. + filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + + ")"; + // get all revoked non-expired certs. 
if (mEndSerial != null || mBeginSerial != null) { filter = "(&" + filter + ")"; } diff --git a/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java b/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java index a81ae362a..cec5b2f2a 100644 --- a/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ca; - import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; 
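Review bot: The Javadoc on `getFilter()` is stale: it says the method overrides getRevokedCerts, documents a `thisUpdate` parameter and an `EBaseException`, none of which apply to a no-argument `String getFilter()` that declares no checked exception. The `// get all revoked non-expired certs.` comment just before the range wrap also contradicts the filter built above it, which deliberately matches STATUS_REVOKED_EXPIRED as well. Suggest replacing the Javadoc with `/** Overrides CRLIssuingPoint.getFilter() so the CRL query matches both STATUS_REVOKED and STATUS_REVOKED_EXPIRED records, bounded by mBeginSerial/mEndSerial when set. */` and the inline comment with `// wrap the status and serial-range clauses in a conjunction`. The rest of getFilter() lies outside the hunk.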
@@ -117,25 +116,26 @@ import com.netscape.cmsutil.ocsp.SingleResponse; import com.netscape.cmsutil.ocsp.TBSRequest; import com.netscape.cmsutil.ocsp.UnknownInfo; - /** - * A class represents a Certificate Authority that is - * responsible for certificate specific operations. + * A class represents a Certificate Authority that is responsible for + * certificate specific operations. * <P> - * + * * @author lhsiao * @version $Revision$, $Date$ */ -public class CertificateAuthority implements ICertificateAuthority, ICertAuthority, IOCSPService { +public class CertificateAuthority implements ICertificateAuthority, + ICertAuthority, IOCSPService { public static final String OFFICIAL_NAME = "Certificate Manager"; - public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER( + "1.3.6.1.5.5.7.48.1.2"); protected ISubsystem mOwner = null; protected IConfigStore mConfig = null; protected ILogger mLogger = CMS.getLogger(); - protected Hashtable<String, CRLIssuingPoint> mCRLIssuePoints = new Hashtable<String, CRLIssuingPoint>(); - protected CRLIssuingPoint mMasterCRLIssuePoint = null; // the complete crl. + protected Hashtable<String, CRLIssuingPoint> mCRLIssuePoints = new Hashtable<String, CRLIssuingPoint>(); + protected CRLIssuingPoint mMasterCRLIssuePoint = null; // the complete crl. protected SigningUnit mSigningUnit; protected SigningUnit mOCSPSigningUnit; protected SigningUnit mCRLSigningUnit; 
@@ -143,8 +143,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori protected X500Name mName = null; protected X500Name mCRLName = null; protected X500Name mOCSPName = null; - protected String mNickname = null; // nickname of CA signing cert. - protected String mOCSPNickname = null; // nickname of OCSP signing cert. + protected String mNickname = null; // nickname of CA signing cert. + protected String mOCSPNickname = null; // nickname of OCSP signing cert. protected long mCertSerialNumberCounter = System.currentTimeMillis(); protected long mRequestID = System.currentTimeMillis(); @@ -185,7 +185,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori protected boolean mEnableOCSP; protected int mFastSigning = FASTSIGNING_DISABLED; - protected static final long SECOND = 1000; // 1000 milliseconds + protected static final long SECOND = 1000; // 1000 milliseconds protected static final long MINUTE = 60 * SECOND; protected static final long HOUR = 60 * MINUTE; protected static final long DAY = 24 * HOUR; @@ -197,7 +197,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori // for the notification listeners - /** + /** * Package constants */ @@ -261,12 +261,12 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } } - public void publishCRLNow() throws EBaseException { if (mMasterCRLIssuePoint != null) { mMasterCRLIssuePoint.publishCRL(); } } + public ICRLPublisher getCRLPublisher() { return mCRLPublisher; } 
@@ -286,105 +286,108 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Initializes this CA subsystem. * <P> - * + * * @param owner owner of this subsystem * @param config configuration of this subsystem * @exception EBaseException failed to initialize this CA */ - public void init(ISubsystem owner, IConfigStore config) throws - EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { - try { - CMS.debug("CertificateAuthority init "); - mOwner = owner; - mConfig = config; + try { + CMS.debug("CertificateAuthority init "); + mOwner = owner; + mConfig = config; - // init cert & crl database. - initCaDatabases(); + // init cert & crl database. + initCaDatabases(); - // init signing unit & CA cert. - try { - initSigUnit(); - // init default CA attributes like cert version, validity. - initDefCaAttrs(); - } catch (EBaseException e) { - if (CMS.isPreOpMode()) - ; - else - throw e; - } + // init signing unit & CA cert. + try { + initSigUnit(); + // init default CA attributes like cert version, validity. + initDefCaAttrs(); + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + ; + else + throw e; + } - // init web gateway. - initWebGateway(); + // init web gateway. + initWebGateway(); - mUseNonces = mConfig.getBoolean("enableNonces", true); - mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100); - if (mUseNonces) { - mNonces = new Nonces(mMaxNonces); - CMS.debug("CertificateAuthority init: Nonces enabled. ("+mNonces.size()+")"); - } + mUseNonces = mConfig.getBoolean("enableNonces", true); + mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100); + if (mUseNonces) { + mNonces = new Nonces(mMaxNonces); + CMS.debug("CertificateAuthority init: Nonces enabled. (" + + mNonces.size() + ")"); + } - // init request queue and related modules. 
- CMS.debug("CertificateAuthority init: initRequestQueue"); - initRequestQueue(); - if (CMS.isPreOpMode()) - return; + // init request queue and related modules. + CMS.debug("CertificateAuthority init: initRequestQueue"); + initRequestQueue(); + if (CMS.isPreOpMode()) + return; - // set certificate status to 10 minutes - mCertRepot.setCertStatusUpdateInterval( - mRequestQueue.getRequestRepository(), - mConfig.getInteger("certStatusUpdateInterval", 10 * 60), - mConfig.getBoolean("listenToCloneModifications", false)); - mCertRepot.setConsistencyCheck( - mConfig.getBoolean("ConsistencyCheck", false)); - mCertRepot.setSkipIfInConsistent( - mConfig.getBoolean("SkipIfInConsistent", false)); - - mService.init(config.getSubStore("connector")); + // set certificate status to 10 minutes + mCertRepot.setCertStatusUpdateInterval( + mRequestQueue.getRequestRepository(), + mConfig.getInteger("certStatusUpdateInterval", 10 * 60), + mConfig.getBoolean("listenToCloneModifications", false)); + mCertRepot.setConsistencyCheck(mConfig.getBoolean( + "ConsistencyCheck", false)); + mCertRepot.setSkipIfInConsistent(mConfig.getBoolean( + "SkipIfInConsistent", false)); - initMiscellaneousListeners(); + mService.init(config.getSubStore("connector")); - // instantiate CRL publisher - IConfigStore cpStore = null; + initMiscellaneousListeners(); - mByName = config.getBoolean("byName", true); + // instantiate CRL publisher + IConfigStore cpStore = null; - cpStore = config.getSubStore("crlPublisher"); - if (cpStore != null && cpStore.size() > 0) { - String publisherClass = cpStore.getString("class"); + mByName = config.getBoolean("byName", true); - if (publisherClass != null) { - try { - Class pc = Class.forName(publisherClass); - - mCRLPublisher = (ICRLPublisher) - pc.newInstance(); - mCRLPublisher.init(this, cpStore); - } catch (ClassNotFoundException ee) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); - } catch (IllegalAccessException ee) { - 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); - } catch (InstantiationException ee) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + cpStore = config.getSubStore("crlPublisher"); + if (cpStore != null && cpStore.size() > 0) { + String publisherClass = cpStore.getString("class"); + + if (publisherClass != null) { + try { + Class pc = Class.forName(publisherClass); + + mCRLPublisher = (ICRLPublisher) pc.newInstance(); + mCRLPublisher.init(this, cpStore); + } catch (ClassNotFoundException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (IllegalAccessException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (InstantiationException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } } } - } - // initialize publisher processor (publish remote admin - // rely on this subsystem, so it has to be initialized) - initPublish(); + // initialize publisher processor (publish remote admin + // rely on this subsystem, so it has to be initialized) + initPublish(); - // Initialize CRL issuing points. - // note CRL framework depends on DBS, CRYPTO and PUBLISHING - // being functional. - initCRL(); + // Initialize CRL issuing points. + // note CRL framework depends on DBS, CRYPTO and PUBLISHING + // being functional. + initCRL(); - } catch (EBaseException e) { - if (CMS.isPreOpMode()) - return; - else - throw e; - } + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + return; + else + throw e; + } } /** @@ -393,7 +396,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori public IRequestQueue getRequestQueue() { return mRequestQueue; } - + /** * registers listener */ 
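Review bot: In init(), the reflective load of the configured crlPublisher `class` value catches ClassNotFound, IllegalAccess and Instantiation but not `ClassCastException`, so a class that loads but does not implement ICRLPublisher propagates as an unchecked exception out of `init()` (the outer `catch (EBaseException e)` does not see it) instead of being logged like the other load failures. Narrow the type at load time and catch the cast: `Class<?> pc = Class.forName(publisherClass);` / `mCRLPublisher = pc.asSubclass(ICRLPublisher.class).newInstance();` with `ClassCastException` added to the caught set. The raw `Class pc` also trips the unchecked-type warning the project otherwise avoids. addCRLIssuingPoint() later in this file does the same `Class.forName(...).newInstance()` cast to CRLIssuingPoint and deserves the same treatment.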
@@ -506,7 +509,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } mService.startup(); mRequestQueue.recover(); - + // Note that this could be null. // setup Admin operations @@ -514,7 +517,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori initNotificationListeners(); startPublish(); - // startCRL(); + // startCRL(); } /** @@ -524,7 +527,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori public void shutdown() { Enumeration enums = mCRLIssuePoints.elements(); while (enums.hasMoreElements()) { - CRLIssuingPoint point = (CRLIssuingPoint)enums.nextElement(); + CRLIssuingPoint point = (CRLIssuingPoint) enums.nextElement(); point.shutdown(); } @@ -577,7 +580,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori return mDefaultValidity; } - public SignatureAlgorithm getDefaultSignatureAlgorithm() { + public SignatureAlgorithm getDefaultSignatureAlgorithm() { return mSigningUnit.getDefaultSignatureAlgorithm(); } @@ -591,8 +594,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori public String getStartSerial() { try { - BigInteger serial = - ((Repository) mCertRepot).getTheSerialNumber(); + BigInteger serial = ((Repository) mCertRepot).getTheSerialNumber(); if (serial == null) return ""; @@ -600,7 +602,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori return serial.toString(16); } catch (EBaseException e) { // shouldn't get here. - return ""; + return ""; } } 
@@ -624,24 +626,23 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Retrieves certificate repository. * <P> - * + * * @return certificate repository */ public ICertificateRepository getCertificateRepository() { return mCertRepot; } - + /** * Retrieves replica repository. * <P> - * + * * @return replica repository */ public IReplicaIDRepository getReplicaRepository() { return mReplicaRepot; } - /** * Retrieves CRL repository. */ @@ -656,6 +657,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Retrieves the CRL issuing point by id. * <P> + * * @param id string id of the CRL issuing point * @return CRL issuing point */ @@ -666,6 +668,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Enumerates CRL issuing points * <P> + * * @return security service */ public Enumeration getCRLIssuingPoints() { @@ -680,7 +683,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori * Adds CRL issuing point with the given identifier and description. */ public boolean addCRLIssuingPoint(IConfigStore crlSubStore, String id, - boolean enable, String description) { + boolean enable, String description) { crlSubStore.makeSubStore(id); IConfigStore c = crlSubStore.getSubStore(id); 
@@ -712,26 +715,34 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori // crl extensions // AuthorityInformationAccess c.putString("extension.AuthorityInformationAccess.enable", "false"); - c.putString("extension.AuthorityInformationAccess.critical", "false"); - c.putString("extension.AuthorityInformationAccess.type", "CRLExtension"); + c.putString("extension.AuthorityInformationAccess.critical", + "false"); + c.putString("extension.AuthorityInformationAccess.type", + "CRLExtension"); c.putString("extension.AuthorityInformationAccess.class", - "com.netscape.cms.crl.CMSAuthInfoAccessExtension"); - c.putString("extension.AuthorityInformationAccess.numberOfAccessDescriptions", "1"); - c.putString("extension.AuthorityInformationAccess.accessMethod0", "caIssuers"); - c.putString("extension.AuthorityInformationAccess.accessLocationType0", "URI"); - c.putString("extension.AuthorityInformationAccess.accessLocation0", ""); + "com.netscape.cms.crl.CMSAuthInfoAccessExtension"); + c.putString( + "extension.AuthorityInformationAccess.numberOfAccessDescriptions", + "1"); + c.putString("extension.AuthorityInformationAccess.accessMethod0", + "caIssuers"); + c.putString( + "extension.AuthorityInformationAccess.accessLocationType0", + "URI"); + c.putString("extension.AuthorityInformationAccess.accessLocation0", + ""); // AuthorityKeyIdentifier c.putString("extension.AuthorityKeyIdentifier.enable", "false"); c.putString("extension.AuthorityKeyIdentifier.critical", "false"); c.putString("extension.AuthorityKeyIdentifier.type", "CRLExtension"); c.putString("extension.AuthorityKeyIdentifier.class", - "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); // IssuerAlternativeName c.putString("extension.IssuerAlternativeName.enable", "false"); c.putString("extension.IssuerAlternativeName.critical", "false"); c.putString("extension.IssuerAlternativeName.type", "CRLExtension"); 
c.putString("extension.IssuerAlternativeName.class", - "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); c.putString("extension.IssuerAlternativeName.numNames", "0"); c.putString("extension.IssuerAlternativeName.nameType0", ""); c.putString("extension.IssuerAlternativeName.name0", ""); 
@@ -740,62 +751,71 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori c.putString("extension.CRLNumber.critical", "false"); c.putString("extension.CRLNumber.type", "CRLExtension"); c.putString("extension.CRLNumber.class", - "com.netscape.cms.crl.CMSCRLNumberExtension"); + "com.netscape.cms.crl.CMSCRLNumberExtension"); // DeltaCRLIndicator c.putString("extension.DeltaCRLIndicator.enable", "false"); c.putString("extension.DeltaCRLIndicator.critical", "true"); c.putString("extension.DeltaCRLIndicator.type", "CRLExtension"); c.putString("extension.DeltaCRLIndicator.class", - "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); // IssuingDistributionPoint c.putString("extension.IssuingDistributionPoint.enable", "false"); c.putString("extension.IssuingDistributionPoint.critical", "true"); - c.putString("extension.IssuingDistributionPoint.type", "CRLExtension"); + c.putString("extension.IssuingDistributionPoint.type", + "CRLExtension"); c.putString("extension.IssuingDistributionPoint.class", - "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); c.putString("extension.IssuingDistributionPoint.pointType", ""); c.putString("extension.IssuingDistributionPoint.pointName", ""); - c.putString("extension.IssuingDistributionPoint.onlyContainsUserCerts", "false"); - c.putString("extension.IssuingDistributionPoint.onlyContainsCACerts", "false"); - c.putString("extension.IssuingDistributionPoint.onlySomeReasons", ""); - //"keyCompromise,cACompromise,affiliationChanged,superseded,cessationOfOperation,certificateHold"); - c.putString("extension.IssuingDistributionPoint.indirectCRL", "false"); + c.putString( + "extension.IssuingDistributionPoint.onlyContainsUserCerts", + "false"); + c.putString( + "extension.IssuingDistributionPoint.onlyContainsCACerts", + "false"); + 
c.putString("extension.IssuingDistributionPoint.onlySomeReasons", + ""); + // "keyCompromise,cACompromise,affiliationChanged,superseded,cessationOfOperation,certificateHold"); + c.putString("extension.IssuingDistributionPoint.indirectCRL", + "false"); // CRLReason c.putString("extension.CRLReason.enable", "true"); c.putString("extension.CRLReason.critical", "false"); c.putString("extension.CRLReason.type", "CRLEntryExtension"); c.putString("extension.CRLReason.class", - "com.netscape.cms.crl.CMSCRLReasonExtension"); + "com.netscape.cms.crl.CMSCRLReasonExtension"); // HoldInstruction - removed by RFC 5280 // c.putString("extension.HoldInstruction.enable", "false"); // c.putString("extension.HoldInstruction.critical", "false"); - // c.putString("extension.HoldInstruction.type", "CRLEntryExtension"); + // c.putString("extension.HoldInstruction.type", + // "CRLEntryExtension"); // c.putString("extension.HoldInstruction.class", - // "com.netscape.cms.crl.CMSHoldInstructionExtension"); + // "com.netscape.cms.crl.CMSHoldInstructionExtension"); // c.putString("extension.HoldInstruction.instruction", "none"); // InvalidityDate c.putString("extension.InvalidityDate.enable", "true"); c.putString("extension.InvalidityDate.critical", "false"); c.putString("extension.InvalidityDate.type", "CRLEntryExtension"); c.putString("extension.InvalidityDate.class", - "com.netscape.cms.crl.CMSInvalidityDateExtension"); + "com.netscape.cms.crl.CMSInvalidityDateExtension"); // CertificateIssuer /* - c.putString("extension.CertificateIssuer.enable", "false"); - c.putString("extension.CertificateIssuer.critical", "true"); - c.putString("extension.CertificateIssuer.type", "CRLEntryExtension"); - c.putString("extension.CertificateIssuer.class", - "com.netscape.cms.crl.CMSCertificateIssuerExtension"); - c.putString("extension.CertificateIssuer.numNames", "0"); - c.putString("extension.CertificateIssuer.nameType0", ""); - c.putString("extension.CertificateIssuer.name0", ""); + * 
c.putString("extension.CertificateIssuer.enable", "false"); + * c.putString("extension.CertificateIssuer.critical", "true"); + * c.putString("extension.CertificateIssuer.type", + * "CRLEntryExtension"); + * c.putString("extension.CertificateIssuer.class", + * "com.netscape.cms.crl.CMSCertificateIssuerExtension"); + * c.putString("extension.CertificateIssuer.numNames", "0"); + * c.putString("extension.CertificateIssuer.nameType0", ""); + * c.putString("extension.CertificateIssuer.name0", ""); */ // FreshestCRL c.putString("extension.FreshestCRL.enable", "false"); c.putString("extension.FreshestCRL.critical", "false"); c.putString("extension.FreshestCRL.type", "CRLExtension"); c.putString("extension.FreshestCRL.class", - "com.netscape.cms.crl.CMSFreshestCRLExtension"); + "com.netscape.cms.crl.CMSFreshestCRLExtension"); c.putString("extension.FreshestCRL.numPoints", "0"); c.putString("extension.FreshestCRL.pointType0", ""); c.putString("extension.FreshestCRL.pointName0", ""); @@ -807,7 +827,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori try { issuingPointClassName = c.getString(PROP_CLASS); issuingPointClass = Class.forName(issuingPointClassName); - issuingPoint = (CRLIssuingPoint) issuingPointClass.newInstance(); + issuingPoint = (CRLIssuingPoint) issuingPointClass + .newInstance(); issuingPoint.init(this, id, c); mCRLIssuePoints.put(id, issuingPoint); } catch (EPropertyNotFound e) { @@ -845,7 +866,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori mCRLRepot.deleteCRLIssuingPointRecord(id); } catch (EBaseException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("FAILED_REMOVING_CRL_IP_2", id, e.toString())); + CMS.getLogMessage("FAILED_REMOVING_CRL_IP_2", id, + e.toString())); } } } 
@@ -853,7 +875,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Returns X500 name of the Certificate Authority * <P> - * + * * @return CA name */ public X500Name getX500Name() { @@ -871,6 +893,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Returns nickname of CA's signing cert. * <p> + * * @return CA signing cert nickname. */ public String getNickname() { @@ -880,6 +903,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Returns nickname of OCSP's signing cert. * <p> + * * @return OCSP signing cert nickname. */ public String getOCSPNickname() { @@ -889,7 +913,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * Returns default signing unit used by this CA * <P> - * + * * @return request identifier */ public ISigningUnit getSigningUnit() { 
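Review bot: The Javadoc on getSigningUnit() still reads `@return request identifier`, which is wrong for a method that returns an ISigningUnit and misleads anyone auditing which key material this accessor exposes. Suggest `@return the CA's default signing unit (the unit holding the CA signing key)`; the other accessors in this run of hunks (getNickname, getOCSPNickname) show the intended style. The method body continues outside the hunk.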
@@ -905,28 +929,29 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } public void setBasicConstraintMaxLen(int num) { - mConfig.putString("Policy.rule.BasicConstraintsExt.maxPathLen", "" + num); + mConfig.putString("Policy.rule.BasicConstraintsExt.maxPathLen", "" + + num); } /** - * Signs CRL using the specified signature algorithm. - * If no algorithm is specified the CA's default signing algorithm - * is used. + * Signs CRL using the specified signature algorithm. If no algorithm is + * specified the CA's default signing algorithm is used. * <P> + * * @param crl the CRL to be signed. - * @param algname the algorithm name to use. This is a JCA name such - * as MD5withRSA, etc. If set to null the default signing algorithm - * is used. - * + * @param algname the algorithm name to use. This is a JCA name such as + * MD5withRSA, etc. If set to null the default signing algorithm + * is used. + * * @return the signed CRL */ public X509CRLImpl sign(X509CRLImpl crl, String algname) - throws EBaseException { + throws EBaseException { X509CRLImpl signedcrl = null; - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("signing"); + statsSub.startTiming("signing"); } long startTime = CMS.getCurrentDate().getTime(); 
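Review bot: The reflowed Javadoc for sign(X509CRLImpl, String) still offers `MD5withRSA` as the example algorithm name; MD5 signatures have been collision-broken for years, and a CA's own API documentation should not steer callers toward it. Suggest `@param algname the algorithm name to use. This is a JCA name such as SHA256withRSA. If null the CA's default signing algorithm is used.` Whether mSigningUnit.sign() rejects weak or disallowed algorithm names is not visible in this hunk, so the documentation change is the minimum; the same MD5withRSA example appears in the certificate sign() Javadoc further down. The method body continues past the end of the hunk.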
@@ -959,48 +984,57 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori CMS.debug("Failed to add signature to CRL object."); } } catch (CRLException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), + e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); } catch (X509ExtensionException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), + e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), + e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), + e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CRL_FAILED", e.getMessage())); } finally { - if (statsSub != null) { - statsSub.endTiming("signing"); - } + if (statsSub != null) { + 
statsSub.endTiming("signing"); + } } return signedcrl; } /** - * Signs the given certificate info using specified signing algorithm - * If no algorithm is specified the CA's default algorithm is used. + * Signs the given certificate info using specified signing algorithm If no + * algorithm is specified the CA's default algorithm is used. * <P> + * * @param certInfo the certificate info to be signed. - * @param algname the signing algorithm to use. These are names defined - * in JCA, such as MD5withRSA, etc. If null the CA's default - * signing algorithm will be used. + * @param algname the signing algorithm to use. These are names defined in + * JCA, such as MD5withRSA, etc. If null the CA's default signing + * algorithm will be used. * @return signed certificate */ - public X509CertImpl sign(X509CertInfo certInfo, String algname) - throws EBaseException { + public X509CertImpl sign(X509CertInfo certInfo, String algname) + throws EBaseException { X509CertImpl signedcert = null; - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("signing"); + statsSub.startTiming("signing"); } long startTime = CMS.getCurrentDate().getTime(); @@ -1009,7 +1043,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori DerOutputStream tmp = new DerOutputStream(); if (certInfo == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_CERTINFO")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_NO_CERTINFO")); return null; } 
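Review bot: Each catch in the CRL signing path rethrows `new ECAException(CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()))`, keeping only the message text and discarding the original CRLException, X509ExtensionException, NoSuchAlgorithmException or IOException, so a CRL signing failure on a production CA cannot be traced to its root cause from the exception alone. If ECAException has a cause-taking constructor, pass `e` as well; otherwise at least add `CMS.debug(e);` next to the existing LL_FAILURE log so the stack trace is preserved. The four catch bodies are identical, which suggests extracting one private helper so the fix lands in a single place. The try block these catches belong to starts above the hunk.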
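Review bot: sign(X509CertInfo, String) logs CMSCORE_CA_CA_NO_CERTINFO and then does `return null;` for a null certInfo, so callers receive null from a method whose Javadoc (`@return signed certificate`) never mentions it and fail later with an NPE far from the real cause. Since the method already declares `throws EBaseException`, throwing at the point of misuse, e.g. `throw new ECAException(CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", "certInfo is null"));`, keeps the failure visible; if existing callers depend on the null return, at least change the Javadoc to `@return signed certificate, or null if certInfo is null`. The rest of the method body is outside this hunk.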
@@ -1024,20 +1059,20 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori CMS.debug("sign cert encoding cert"); certInfo.encode(tmp); byte[] rawCert = tmp.toByteArray(); - + // encode algorithm identifier CMS.debug("sign cert encoding algorithm"); alg.encode(tmp); - + CMS.debug("CA cert signing: signing cert"); byte[] signature = mSigningUnit.sign(rawCert, algname); - + tmp.putBitString(signature); - + // Wrap the signed data in a SEQUENCE { data, algorithm, sig } out.write(DerValue.tag_Sequence, tmp); - //log(ILogger.LL_INFO, "CertificateAuthority: done signing"); - + // log(ILogger.LL_INFO, "CertificateAuthority: done signing"); + switch (mFastSigning) { case FASTSIGNING_DISABLED: signedcert = new X509CertImpl(out.toByteArray()); 
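Review bot: The outer certificate SEQUENCE is assembled from `certInfo.encode(tmp)`, `alg.encode(tmp)` and the signature, so `alg` must be the same AlgorithmId that was placed in certInfo's signature field: RFC 5280 section 4.1.1.2 requires the two to match, and a mismatch yields certificates that strict validators reject. Where `alg` is derived, and whether certInfo's SIGNATURE attribute is set from it when algname is null, is above the hunk, so please confirm; a comment at `alg.encode(tmp)` such as `// must equal the signatureAlgorithm already set in certInfo (RFC 5280 4.1.1.2)` would make the invariant explicit. Note also that `mSigningUnit.sign(rawCert, algname)` receives algname rather than alg, so the two derivations must not be allowed to diverge. The enclosing try block begins and ends outside the hunk.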
@@ -1050,52 +1085,55 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori default: break; } - } - catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_CERT_FAILED", e.getMessage())); } finally { - if (statsSub != null) { - statsSub.endTiming("signing"); - } + if (statsSub != null) { + statsSub.endTiming("signing"); + } } return signedcert; } /** - * Sign a byte array using the specified algorithm. - * If algorithm is null the CA's default algorithm is used. + * Sign a byte array using the specified algorithm. If algorithm is null the + * CA's default algorithm is used. * <p> - * @param data the data to be signed in a byte array. + * + * @param data the data to be signed in a byte array. 
* @param algname the algorithm to use. * @return the signature in a byte array. - */ - public byte[] sign(byte[] data, String algname) - throws EBaseException { + */ + public byte[] sign(byte[] data, String algname) throws EBaseException { return mSigningUnit.sign(data, algname); } /** * logs a message in the CA area. + * * @param level the debug level. * @param msg the message to debug. */ public void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_CA, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_CA, level, msg); } /** * Retrieves certificate chains of this CA. + * * @return this CA's cert chain. */ public CertificateChain getCACertChain() { @@ -1104,18 +1142,18 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori public X509CertImpl getCACert() { if (mCaCert != null) { - return mCaCert; + return mCaCert; } // during configuration try { - String cert = mConfig.getString("signing.cert", null); - if (cert != null) { - return new X509CertImpl(CMS.AtoB(cert)); - } + String cert = mConfig.getString("signing.cert", null); + if (cert != null) { + return new X509CertImpl(CMS.AtoB(cert)); + } } catch (EBaseException e) { - CMS.debug(e); + CMS.debug(e); } catch (CertificateException e) { - CMS.debug(e); + CMS.debug(e); } return null; } @@ -1125,10 +1163,10 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } public String[] getCASigningAlgorithms() { - if (mCASigningAlgorithms != null) + if (mCASigningAlgorithms != null) return mCASigningAlgorithms; - if (mCaCert == null) + if (mCaCert == null) return null; // CA not inited yet. X509Key caPubKey = null; 
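Review bot: `sign(byte[] data, String algname)` signs arbitrary caller-supplied bytes with the CA signing key and its Javadoc does not say so, which is exactly what an auditor needs flagged: any path that reaches it with attacker-influenced data is a signing oracle for the CA key. Suggest adding to the Javadoc `Signs raw, caller-supplied bytes with the CA signing key; the data is not parsed or validated here, so callers must ensure it is a well-formed structure this CA intends to sign.` Whether access to this method is confined to internal subsystems cannot be determined from the hunk. The certificate-signing catch blocks earlier in the same hunk also construct ECAException from `e.getMessage()` alone and drop the cause.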
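Review bot: In getCACert() the configuration-time fallback catches EBaseException and CertificateException with only `CMS.debug(e);` and then returns null, so a corrupt or undecodable `signing.cert` value is indistinguishable to callers from "not yet configured". Logging through the class's own `log(ILogger.LL_FAILURE, ...)` in those two catches (keeping `CMS.debug(e)` for the trace) would put the failure in the CA's system log where operators look. The method's Javadoc is outside the hunk; it should state the null contract, e.g. `@return the CA signing certificate, or null if none is cached and none can be decoded from the signing.cert config value`.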
@@ -1136,49 +1174,48 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori caPubKey = (X509Key) mCaCert.get(X509CertImpl.PUBLIC_KEY); } catch (CertificateParsingException e) { } - if (caPubKey == null) - return null; // something seriously wrong. + if (caPubKey == null) + return null; // something seriously wrong. AlgorithmId alg = caPubKey.getAlgorithmId(); - if (alg == null) - return null; // something seriously wrong. + if (alg == null) + return null; // something seriously wrong. mCASigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg); if (mCASigningAlgorithms == null) { - CMS.debug( - "CA - no signing algorithms for " + alg.getName()); + CMS.debug("CA - no signing algorithms for " + alg.getName()); } else { - CMS.debug( - "CA First signing algorithm is " + mCASigningAlgorithms[0]); + CMS.debug("CA First signing algorithm is " + + mCASigningAlgorithms[0]); } return mCASigningAlgorithms; } - ////////// - // Initialization routines. + // //////// + // Initialization routines. // - /** * init CA signing unit & cert chain. */ - private void initSigUnit() - throws EBaseException { + private void initSigUnit() throws EBaseException { try { // init signing unit mSigningUnit = new SigningUnit(); - IConfigStore caSigningCfg = - mConfig.getSubStore(PROP_SIGNING_SUBSTORE); + IConfigStore caSigningCfg = mConfig + .getSubStore(PROP_SIGNING_SUBSTORE); mSigningUnit.init(this, caSigningCfg); CMS.debug("CA signing unit inited"); // for identrus - IConfigStore CrlStore = mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE); + IConfigStore CrlStore = mConfig + .getSubStore(PROP_CRL_SIGNING_SUBSTORE); if (CrlStore != null && CrlStore.size() > 0) { mCRLSigningUnit = new SigningUnit(); - mCRLSigningUnit.init(this, mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE)); + mCRLSigningUnit.init(this, + mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE)); } else { mCRLSigningUnit = mSigningUnit; } 
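Review bot: `catch (CertificateParsingException e) { }` in getCASigningAlgorithms() is an empty catch, and the next line handles the consequence with `return null; // something seriously wrong.`, so a CA whose own certificate's public key cannot be parsed is reported to nobody. Replace the empty body with at least `CMS.debug(e);` plus an LL_FAILURE log so the condition is recorded where it actually occurs, not as an unexplained null downstream. Separately, initSigUnit() in the same hunk calls `mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE)` twice; `mCRLSigningUnit.init(this, CrlStore);` reuses the local already fetched. The start of getCASigningAlgorithms() is above the hunk.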
@@ -1186,43 +1223,44 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori // init cert chain CryptoManager manager = CryptoManager.getInstance(); - int caChainNum = - caSigningCfg.getInteger(PROP_CA_CHAIN_NUM, 0); + int caChainNum = caSigningCfg.getInteger(PROP_CA_CHAIN_NUM, 0); CMS.debug("cachainNum= " + caChainNum); if (caChainNum > 0) { // custom build chain (for cross cert chain) // audit here *** - IConfigStore chainStore = - caSigningCfg.getSubStore(PROP_CA_CHAIN); + IConfigStore chainStore = caSigningCfg + .getSubStore(PROP_CA_CHAIN); if (chainStore == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_OCSP_CHAIN", "ca cert chain config error")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", "ca cert chain config error")); } - java.security.cert.X509Certificate[] implchain = - new java.security.cert.X509Certificate[caChainNum]; + java.security.cert.X509Certificate[] implchain = new java.security.cert.X509Certificate[caChainNum]; for (int i = 0; i < caChainNum; i++) { String subtreeName = PROP_CA_CERT + i; // cert file name must be full path - String certFileName = - chainStore.getString(subtreeName, null); + String certFileName = chainStore.getString(subtreeName, + null); if ((certFileName == null) || certFileName.equals("")) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", "cert file config error")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_OCSP_CHAIN", + "cert file config error")); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", "cert file config error")); } byte[] b64Bytes = getCertFromFile(certFileName); String b64String = new String(b64Bytes); - byte[] certBytes = 
KeyCertUtil.convertB64EToByteArray(b64String); + byte[] certBytes = KeyCertUtil + .convertB64EToByteArray(b64String); implchain[i] = new X509CertImpl(certBytes); } // for @@ -1231,11 +1269,10 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori CMS.debug("in init - custom built CA cert chain."); } else { // build ca chain the traditional way - org.mozilla.jss.crypto.X509Certificate[] chain = - manager.buildCertificateChain(mSigningUnit.getCert()); + org.mozilla.jss.crypto.X509Certificate[] chain = manager + .buildCertificateChain(mSigningUnit.getCert()); // do this in case other subsyss expect a X509CertImpl - java.security.cert.X509Certificate[] implchain = - new java.security.cert.X509Certificate[chain.length]; + java.security.cert.X509Certificate[] implchain = new java.security.cert.X509Certificate[chain.length]; for (int i = 0; i < chain.length; i++) { implchain[i] = new X509CertImpl(chain[i].getEncoded()); 
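Review bot: The custom chain branch trusts whatever is at each `PROP_CA_CERT + i` path: the file is read, Base64-decoded and wrapped in an X509CertImpl, and nothing in the hunk checks that implchain[i] chains to the signing certificate or to implchain[i-1], which the surviving `// audit here ***` marker already hints at. If the CertificateChain built below the hunk does not verify the links, a wrong or stale file silently makes the CA present an incorrect chain, so either verify each link's signature here or document that the operator-supplied files are trusted unverified. Also, `new String(b64Bytes)` decodes with the platform default charset; Base64 text is ASCII, so `new String(b64Bytes, "US-ASCII")` pins the decode independently of JVM locale (the UnsupportedEncodingException it declares is an IOException, which the enclosing try already catches). The enclosing try block and the chain construction are outside the hunk.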
@@ -1244,22 +1281,23 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori CMS.debug("in init - got CA chain from JSS."); } - IConfigStore OCSPStore = mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE); + IConfigStore OCSPStore = mConfig + .getSubStore(PROP_OCSP_SIGNING_SUBSTORE); if (OCSPStore != null && OCSPStore.size() > 0) { mOCSPSigningUnit = new SigningUnit(); - mOCSPSigningUnit.init(this, mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE)); + mOCSPSigningUnit.init(this, + mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE)); CMS.debug("Separate OCSP signing unit inited"); } else { mOCSPSigningUnit = mSigningUnit; CMS.debug("Shared OCSP signing unit inited"); } - org.mozilla.jss.crypto.X509Certificate[] ocspChain = - manager.buildCertificateChain(mOCSPSigningUnit.getCert()); + org.mozilla.jss.crypto.X509Certificate[] ocspChain = manager + .buildCertificateChain(mOCSPSigningUnit.getCert()); // do this in case other subsyss expect a X509CertImpl - java.security.cert.X509Certificate[] ocspImplchain = - new java.security.cert.X509Certificate[ocspChain.length]; + java.security.cert.X509Certificate[] ocspImplchain = new java.security.cert.X509Certificate[ocspChain.length]; for (int i = 0; i < ocspChain.length; i++) { ocspImplchain[i] = new X509CertImpl(ocspChain[i].getEncoded()); 
@@ -1285,40 +1323,47 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori CMS.debug("in init - got CA name " + mName); } catch (CryptoManager.NotInitializedException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGNING", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGNING", + e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); } catch (CertificateException e) { if (Debug.ON) e.printStackTrace(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); } catch (FileNotFoundException e) { if (Debug.ON) e.printStackTrace(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); } catch (IOException e) { if (Debug.ON) e.printStackTrace(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); } catch (TokenException e) { if (Debug.ON) e.printStackTrace(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", 
e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); } } /** * read ca cert from path, converts and bytes */ - byte[] getCertFromFile(String path) - throws FileNotFoundException, IOException { + byte[] getCertFromFile(String path) throws FileNotFoundException, + IOException { File file = new File(path); Long l = Long.valueOf(file.length()); @@ -1330,33 +1375,30 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori return b; } - /** + /** * init default cert attributes. */ - private void initDefCaAttrs() - throws EBaseException { - int version = mConfig.getInteger(PROP_X509CERT_VERSION, + private void initDefCaAttrs() throws EBaseException { + int version = mConfig.getInteger(PROP_X509CERT_VERSION, CertificateVersion.V3); - if (version != CertificateVersion.V1 && - version != CertificateVersion.V3) { + if (version != CertificateVersion.V1 + && version != CertificateVersion.V3) { throw new ECAException( CMS.getUserMessage("CMS_CA_X509CERT_VERSION_NOT_SUPPORTED")); } try { mDefaultCertVersion = new CertificateVersion(version - 1); } catch (IOException e) { - // should never occur. + // should never occur. } int validity_in_days = mConfig.getInteger(PROP_DEF_VALIDITY, 2 * 365); mDefaultValidity = validity_in_days * DAY; // days in config file. - mEnablePastCATime = - mConfig.getBoolean(PROP_ENABLE_PAST_CATIME, false); - mEnableOCSP = - mConfig.getBoolean(PROP_ENABLE_OCSP, true); + mEnablePastCATime = mConfig.getBoolean(PROP_ENABLE_PAST_CATIME, false); + mEnableOCSP = mConfig.getBoolean(PROP_ENABLE_OCSP, true); String fs = mConfig.getString(PROP_FAST_SIGNING, ""); 
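Review bot: Every catch in initSigUnit() reports through CMSCORE_CA_CA_OCSP_CHAIN or CMSCORE_CA_CA_OCSP_SIGNING, yet the try block also covers the CA signing unit, the custom CA chain and the CRL signing unit, so a failure to load the CA's own chain is logged as an OCSP problem and the cause is reduced to `e.toString()` in both the log and the rethrown ECAException. Pass `e` as the cause where ECAException permits it, use message keys that name the component that failed, and prefer `CMS.debug(e);` over `if (Debug.ON) e.printStackTrace();` so the trace lands in the product debug log rather than stderr. getCertFromFile(), which begins at the end of this hunk, takes `file.length()` of an operator-configured path; its body continues outside the hunk, so confirm the long-to-buffer-size conversion is bounded.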
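Review bot: initDefCaAttrs() swallows the IOException from `new CertificateVersion(version - 1)` with only `// should never occur.`, so if it ever does occur mDefaultCertVersion stays null and the failure surfaces later as an NPE during issuance instead of a clear startup error. Since the method already declares `throws EBaseException`, rethrow instead: `throw new ECAException(CMS.getUserMessage("CMS_CA_X509CERT_VERSION_NOT_SUPPORTED"));`, ideally with `e.toString()` in the message. The `version - 1` conversion presumably maps the config's 1/3 onto CertificateVersion's zero-based constants; a comment such as `// config uses X.509 version numbers (1 or 3); CertificateVersion is zero-based -- confirm` would stop the next reader from treating it as an off-by-one. The method ends past the hunk.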
@@ -1371,29 +1413,29 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * init cert & crl database */ - private void initCaDatabases() - throws EBaseException { + private void initCaDatabases() throws EBaseException { int certdb_inc = mConfig.getInteger(PROP_CERTDB_INC, 5); String certReposDN = mConfig.getString(PROP_CERT_REPOS_DN, null); - if (certReposDN == null) { - certReposDN = "ou=certificateRepository, ou=" + getId() + - ", " + getDBSubsystem().getBaseDN(); + if (certReposDN == null) { + certReposDN = "ou=certificateRepository, ou=" + getId() + ", " + + getDBSubsystem().getBaseDN(); } String reposDN = mConfig.getString(PROP_REPOS_DN, null); - if (reposDN == null) { - reposDN = "ou=certificateRepository, ou=" + getId() + - ", " + getDBSubsystem().getBaseDN(); + if (reposDN == null) { + reposDN = "ou=certificateRepository, ou=" + getId() + ", " + + getDBSubsystem().getBaseDN(); } - int transitMaxRecords = mConfig.getInteger(PROP_CERTDB_TRANS_MAXRECORDS, 1000000); - int transitRecordPageSize = mConfig.getInteger(PROP_CERTDB_TRANS_PAGESIZE, 200); + int transitMaxRecords = mConfig.getInteger( + PROP_CERTDB_TRANS_MAXRECORDS, 1000000); + int transitRecordPageSize = mConfig.getInteger( + PROP_CERTDB_TRANS_PAGESIZE, 200); - mCertRepot = new CertificateRepository( - DBSubsystem.getInstance(), - certReposDN, certdb_inc, reposDN); + mCertRepot = new CertificateRepository(DBSubsystem.getInstance(), + certReposDN, certdb_inc, reposDN); mCertRepot.setTransitMaxRecords(transitMaxRecords); mCertRepot.setTransitRecordPageSize(transitRecordPageSize); 
@@ -1404,19 +1446,17 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori int crldb_inc = mConfig.getInteger(PROP_CRLDB_INC, 5); - mCRLRepot = new CRLRepository( - DBSubsystem.getInstance(), - crldb_inc, - "ou=crlIssuingPoints, ou=" + getId() + ", " + - getDBSubsystem().getBaseDN()); + mCRLRepot = new CRLRepository(DBSubsystem.getInstance(), crldb_inc, + "ou=crlIssuingPoints, ou=" + getId() + ", " + + getDBSubsystem().getBaseDN()); CMS.debug("CRL Repot inited"); String replicaReposDN = mConfig.getString(PROP_REPLICAID_DN, null); if (replicaReposDN == null) { - replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN(); + replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN(); } - mReplicaRepot = new ReplicaIDRepository( - DBSubsystem.getInstance(), 1, replicaReposDN); + mReplicaRepot = new ReplicaIDRepository(DBSubsystem.getInstance(), 1, + replicaReposDN); CMS.debug("Replica Repot inited"); } @@ -1424,13 +1464,11 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori /** * init web gateway - just gets the ee gateway for this CA. */ - private void initWebGateway() - throws EBaseException { + private void initWebGateway() throws EBaseException { } - private void startPublish() - throws EBaseException { - //xxx Note that CMS411 only support ca cert publishing to ldap + private void startPublish() throws EBaseException { + // xxx Note that CMS411 only support ca cert publishing to ldap // if ldap publishing is not enabled while publishing isenabled // there will be a lot of problem. try { 
@@ -1440,34 +1478,36 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori } } catch (ELdapException e) { // exception not thrown - not seen as a fatal error. - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_PUBLISH", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_PUBLISH", e.toString())); } } /** * init publishing */ - private void initPublish() - throws EBaseException { + private void initPublish() throws EBaseException { IConfigStore c = null; try { c = mConfig.getSubStore(PROP_PUBLISH_SUBSTORE); if (c != null && c.size() > 0) { - mPublisherProcessor = new PublisherProcessor( - getId() + "pp"); + mPublisherProcessor = new PublisherProcessor(getId() + "pp"); mPublisherProcessor.init(this, c); CMS.debug("Publishing inited"); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISH")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISH")); throw new ECAException( CMS.getUserMessage("CMS_CA_INIT_PUBLISH_MODULE_FAILED")); } } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_PUBLISH_MODULE", e.toString())); - //throw new ECAException( - // CAResources.INIT_PUBLISH_MODULE_FAILED, e); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_ERROR_PUBLISH_MODULE", + e.toString())); + // throw new ECAException( + // CAResources.INIT_PUBLISH_MODULE_FAILED, e); } } @@ -1488,7 +1528,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori while (names.hasMoreElements()) { String id = (String) names.nextElement(); - if (Debug.ON) + if (Debug.ON) Debug.trace("registering listener impl: " + id); String cl = implc.getString(id + "." + PROP_CLASS); 
@@ -1507,42 +1547,50 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori Debug.trace("registering listener instance: " + id); IConfigStore iConfig = instc.getSubStore(id); String implName = instc.getString(id + "." + PROP_PLUGIN); - ListenerPlugin plugin = (ListenerPlugin) mListenerPlugins.get(implName); + ListenerPlugin plugin = (ListenerPlugin) mListenerPlugins + .get(implName); if (plugin == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_LISTENER", implName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_ERROR_LISTENER", implName)); throw new Exception("Cannot initialize"); } String className = plugin.getClassPath(); - + try { IRequestListener listener = null; - listener = (IRequestListener) - Class.forName(className).newInstance(); + listener = (IRequestListener) Class.forName(className) + .newInstance(); - //listener.init(id, implName, iConfig); + // listener.init(id, implName, iConfig); listener.init(this, iConfig); - // registerRequestListener(id, (IRequestListener) listener); - //log(ILogger.LL_INFO, - // "Listener instance " + id + " added"); + // registerRequestListener(id, (IRequestListener) + // listener); + // log(ILogger.LL_INFO, + // "Listener instance " + id + " added"); } catch (Exception e) { if (Debug.ON) { e.printStackTrace(); } Debug.trace("failed to add listener instance"); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_INIT_LISTENER", id, e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage( + "CMSCORE_CA_CA_INIT_LISTENER", id, + e.toString())); throw e; } } - + } - + } catch (Exception e) { - log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CA_FAILED_LISTENER", e.toString())); + log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_CA_CA_FAILED_LISTENER", + e.toString())); } - + } /** 
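Review bot: A request listener that fails to load is effectively ignored: the inner catch rethrows, but the outer `catch (Exception e)` logs CMSCORE_CA_CA_FAILED_LISTENER at `ILogger.LL_INFO` and returns, so a missing or misconfigured listener (a notification or audit hook, depending on the plugin) vanishes behind an informational log line. Raise it to `log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_FAILED_LISTENER", e.toString()));` at minimum and decide whether startup should fail. `throw new Exception("Cannot initialize");` for an unknown plugin name is also a raw Exception where an EBaseException carrying implName would be far more useful to whoever reads the log. The method begins above the hunk.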
@@ -1556,63 +1604,79 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori if (nc != null && nc.size() > 0) { // Initialize Certificate Issued notification listener - String certificateIssuedListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.CertificateIssuedListener"); + String certificateIssuedListenerClassName = nc.getString( + "certificateIssuedListenerClassName", + "com.netscape.cms.listeners.CertificateIssuedListener"); try { - mCertIssuedListener = (IRequestListener) Class.forName(certificateIssuedListenerClassName).newInstance(); + mCertIssuedListener = (IRequestListener) Class.forName( + certificateIssuedListenerClassName).newInstance(); mCertIssuedListener.init(this, nc); } catch (Exception e1) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateIssuedListenerClassName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_REGISTER_LISTENER", + certificateIssuedListenerClassName)); } // Initialize Revoke Request notification listener - - String certificateRevokedListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.CertificateRevokedListener"); + + String certificateRevokedListenerClassName = nc + .getString("certificateIssuedListenerClassName", + "com.netscape.cms.listeners.CertificateRevokedListener"); try { - mCertRevokedListener = (IRequestListener) Class.forName(certificateRevokedListenerClassName).newInstance(); + mCertRevokedListener = (IRequestListener) Class.forName( + certificateRevokedListenerClassName).newInstance(); mCertRevokedListener.init(this, nc); } catch (Exception e1) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateRevokedListenerClassName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_REGISTER_LISTENER", + certificateRevokedListenerClassName)); } // Initialize Request In Queue notification listener 
IConfigStore rq = nc.getSubStore(PROP_REQ_IN_Q_SUBSTORE); - - String requestInQListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.RequestInQListener"); + + String requestInQListenerClassName = nc.getString( + "certificateIssuedListenerClassName", + "com.netscape.cms.listeners.RequestInQListener"); try { - mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance(); + mReqInQListener = (IRequestListener) Class.forName( + requestInQListenerClassName).newInstance(); mReqInQListener.init(this, nc); } catch (Exception e1) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_REQ_LISTENER", requestInQListenerClassName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_CA_REGISTER_REQ_LISTENER", + requestInQListenerClassName)); } // Initialize extra listeners IConfigStore mListenerConfig = null; } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_NONE")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_NONE")); } } catch (Exception e) { e.printStackTrace(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_FAILED")); - // throw e; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_FAILED")); + // throw e; } } /** * initialize request queue components */ - private void initRequestQueue() - throws EBaseException { + private void initRequestQueue() throws EBaseException { mPolicy = new CAPolicy(); ((CAPolicy) mPolicy).init(this, mConfig.getSubStore(PROP_POLICY)); CMS.debug("CA policy inited"); mService = new CAService(this); CMS.debug("CA service inited"); - mNotify = new ARequestNotifier (this); + mNotify = new ARequestNotifier(this); CMS.debug("CA notifier inited"); mPNotify = new ARequestNotifier(); CMS.debug("CA pending notifier inited"); 
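Review bot: All three notification listeners are read from the same configuration key: both certificateRevokedListenerClassName and requestInQListenerClassName call `nc.getString("certificateIssuedListenerClassName", ...)`, so the moment an administrator overrides certificateIssuedListenerClassName, the revoked-certificate and request-in-queue listeners are instantiated from that same class and their own defaults can never take effect. Unless the shared key is intentional (the three distinct default classes suggest it is not), change the two lookups to `nc.getString("certificateRevokedListenerClassName", "com.netscape.cms.listeners.CertificateRevokedListener")` and `nc.getString("requestInQListenerClassName", "com.netscape.cms.listeners.RequestInQListener")`; if deployments may already rely on the current behaviour, document the real key in the configuration reference instead. The hunk also leaves `IConfigStore rq` and `IConfigStore mListenerConfig` assigned but unused. The try block enclosing this code starts above the hunk.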
@@ -1621,22 +1685,23 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori try { int reqdb_inc = mConfig.getInteger("reqdbInc", 5); - mRequestQueue = - RequestSubsystem.getInstance().getRequestQueue( - getId(), reqdb_inc, mPolicy, mService, mNotify, mPNotify); + mRequestQueue = RequestSubsystem.getInstance().getRequestQueue( + getId(), reqdb_inc, mPolicy, mService, mNotify, mPNotify); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_QUEUE_FAILED", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_CA_QUEUE_FAILED", + e.toString())); throw e; } // init request scheduler if configured - String schedulerClass = - mConfig.getString("requestSchedulerClass", null); + String schedulerClass = mConfig + .getString("requestSchedulerClass", null); if (schedulerClass != null) { - try { - IRequestScheduler scheduler = (IRequestScheduler) - Class.forName(schedulerClass).newInstance(); + try { + IRequestScheduler scheduler = (IRequestScheduler) Class + .forName(schedulerClass).newInstance(); mRequestQueue.setRequestScheduler(scheduler); } catch (Exception e) { 
@@ -1646,35 +1711,30 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 }
 /*
- private void startCRL()
- throws EBaseException
- {
- Enumeration e = mCRLIssuePoints.keys();
- while (e.hasMoreElements()) {
- CRLIssuingPoint cp = (CRLIssuingPoint)
- mCRLIssuePoints.get(e.nextElement());
- cp.startup();
- }
- }
+ * private void startCRL() throws EBaseException { Enumeration e =
+ * mCRLIssuePoints.keys(); while (e.hasMoreElements()) { CRLIssuingPoint cp
+ * = (CRLIssuingPoint) mCRLIssuePoints.get(e.nextElement()); cp.startup(); }
+ * }
 */
-
+
 /**
- * initialize CRL
+ * initialize CRL
 */
- private void initCRL()
- throws EBaseException {
+ private void initCRL() throws EBaseException {
 IConfigStore crlConfig = mConfig.getSubStore(PROP_CRL_SUBSTORE);
 if ((crlConfig == null) || (crlConfig.size() <= 0)) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL"));
- //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL"));
+ // throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
 return;
 }
 Enumeration<String> issuePointIdEnum = crlConfig.getSubStoreNames();
 if (issuePointIdEnum == null || !issuePointIdEnum.hasMoreElements()) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL_SUBSTORE"));
- //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL_SUBSTORE"));
+ // throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
 return;
 }
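Review bot: The commented-out `startCRL()` between `/*` and `*/` in this hunk has been reflowed by the formatter into `*`-prefixed prose, so the disabled code is no longer readable (`* = (CRLIssuingPoint) mCRLIssuePoints.get(e.nextElement()); cp.startup(); }`); the disabled master-CRL check at the end of `initCRL()` in the hunk at `@@ -1697,29 +1756,28 @@` was mangled the same way. Commented-out code is better deleted outright — it stays recoverable from history — than carried through a reformat that turns it into noise. Where the comment records a decision rather than spare code — the `// throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);` lines kept in this hunk suggest the master-CRL requirement was relaxed on purpose — a single sentence such as `// Starting without a MasterCRL issuing point is tolerated; only logged, not fatal` documents it better than the dead block. `initCRL()` continues past the end of this hunk.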
@@ -1683,8 +1743,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 while (issuePointIdEnum.hasMoreElements()) {
 String issuePointId = (String) issuePointIdEnum.nextElement();
- CMS.debug(
- "initializing crl issue point " + issuePointId);
+ CMS.debug("initializing crl issue point " + issuePointId);
 IConfigStore issuePointConfig = null;
 String issuePointClassName = null;
 Class issuePointClass = null;
@@ -1697,29 +1756,28 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 issuePoint = (CRLIssuingPoint) issuePointClass.newInstance();
 issuePoint.init(this, issuePointId, issuePointConfig);
 mCRLIssuePoints.put(issuePointId, issuePoint);
- if (mMasterCRLIssuePoint == null &&
- issuePointId.equals(PROP_MASTER_CRL))
+ if (mMasterCRLIssuePoint == null
+ && issuePointId.equals(PROP_MASTER_CRL))
 mMasterCRLIssuePoint = issuePoint;
 } catch (ClassNotFoundException e) {
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
- issuePointId, e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", issuePointId,
+ e.toString()));
 } catch (InstantiationException e) {
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
- issuePointId, e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", issuePointId,
+ e.toString()));
 } catch (IllegalAccessException e) {
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
- issuePointId, e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_CRL_ISSUING_POINT_INIT_FAILED", issuePointId,
+ e.toString()));
 }
 }
 /*
- if (mMasterCRLIssuePoint == null) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_FULL_CRL", PROP_MASTER_CRL));
- throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
- }
+ * if (mMasterCRLIssuePoint == null) { log(ILogger.LL_FAILURE,
+ * CMS.getLogMessage("CMSCORE_CA_CA_NO_FULL_CRL", PROP_MASTER_CRL));
+ * throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL); }
 */
 log(ILogger.LL_INFO, "CRL Issuing Points inited");
 }
@@ -1744,9 +1802,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 return mSignTime;
 }
- public long getOCSPTotalLookupTime()
- {
- return mLookupTime;
+ public long getOCSPTotalLookupTime() {
+ return mLookupTime;
 }
 public ResponderID getResponderIDByName() {
@@ -1754,8 +1811,9 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 X500Name name = getOCSPX500Name();
 Name.Template nameTemplate = new Name.Template();
- return new NameID((Name) nameTemplate.decode(
- new ByteArrayInputStream(name.getEncoded())));
+ return new NameID(
+ (Name) nameTemplate.decode(new ByteArrayInputStream(name
+ .getEncoded())));
 } catch (IOException e) {
 return null;
 } catch (InvalidBERException e) {
@@ -1766,8 +1824,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 public ResponderID getResponderIDByHash() {
 /*
- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- --(excluding the tag and length fields)
+ * KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ * --(excluding the tag and length fields)
 */
 PublicKey publicKey = getOCSPSigningUnit().getPublicKey();
 MessageDigest md = null;
@@ -1786,8 +1844,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 /**
 * Process OCSPRequest.
 */
- public OCSPResponse validate(OCSPRequest request)
- throws EBaseException {
+ public OCSPResponse validate(OCSPRequest request) throws EBaseException {
 if (!mEnableOCSP) {
 CMS.debug("Local ocsp service is disable.");
@@ -1795,23 +1852,22 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 }
 mNumOCSPRequest++;
- IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
 long startTime = CMS.getCurrentDate().getTime();
 try {
- //log(ILogger.LL_INFO, "start OCSP request");
+ // log(ILogger.LL_INFO, "start OCSP request");
 TBSRequest tbsReq = request.getTBSRequest();
 // (3) look into database to check the
- // certificate's status
+ // certificate's status
 Vector singleResponses = new Vector();
 if (statsSub != null) {
- statsSub.startTiming("lookup");
+ statsSub.startTiming("lookup");
 }
 long lookupStartTime = CMS.getCurrentDate().getTime();
 for (int i = 0; i < tbsReq.getRequestCount(); i++) {
- com.netscape.cmsutil.ocsp.Request req =
- tbsReq.getRequestAt(i);
+ com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(i);
 CertID cid = req.getCertID();
 SingleResponse sr = processRequest(cid);
@@ -1819,12 +1875,12 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 }
 long lookupEndTime = CMS.getCurrentDate().getTime();
 if (statsSub != null) {
- statsSub.endTiming("lookup");
+ statsSub.endTiming("lookup");
 }
 mLookupTime += lookupEndTime - lookupStartTime;
 if (statsSub != null) {
- statsSub.startTiming("build_response");
+ statsSub.startTiming("build_response");
 }
 SingleResponse res[] = new SingleResponse[singleResponses.size()];
@@ -1833,16 +1889,16 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 ResponderID rid = null;
 if (mByName) {
 if (mResponderIDByName == null) {
- mResponderIDByName = getResponderIDByName();
+ mResponderIDByName = getResponderIDByName();
 }
 rid = mResponderIDByName;
 } else {
 if (mResponderIDByHash == null) {
- mResponderIDByHash = getResponderIDByHash();
+ mResponderIDByHash = getResponderIDByHash();
 }
 rid = mResponderIDByHash;
 }
-
+
 Extension nonce[] = null;
 for (int j = 0; j < tbsReq.getExtensionsCount(); j++) {
@@ -1853,34 +1909,36 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 nonce[0] = thisExt;
 }
 }
- ResponseData rd = new ResponseData(rid,
- new GeneralizedTime(CMS.getCurrentDate()), res, nonce);
+ ResponseData rd = new ResponseData(rid, new GeneralizedTime(
+ CMS.getCurrentDate()), res, nonce);
 if (statsSub != null) {
- statsSub.endTiming("build_response");
+ statsSub.endTiming("build_response");
 }
 if (statsSub != null) {
- statsSub.startTiming("signing");
+ statsSub.startTiming("signing");
 }
 long signStartTime = CMS.getCurrentDate().getTime();
 BasicOCSPResponse basicRes = sign(rd);
 long signEndTime = CMS.getCurrentDate().getTime();
 mSignTime += signEndTime - signStartTime;
 if (statsSub != null) {
- statsSub.endTiming("signing");
+ statsSub.endTiming("signing");
 }
 OCSPResponse response = new OCSPResponse(
- OCSPResponseStatus.SUCCESSFUL,
- new ResponseBytes(ResponseBytes.OCSP_BASIC,
- new OCTET_STRING(ASN1Util.encode(basicRes))));
+ OCSPResponseStatus.SUCCESSFUL, new ResponseBytes(
+ ResponseBytes.OCSP_BASIC, new OCTET_STRING(
+ ASN1Util.encode(basicRes))));
- //log(ILogger.LL_INFO, "done OCSP request");
+ // log(ILogger.LL_INFO, "done OCSP request");
 long endTime = CMS.getCurrentDate().getTime();
 mTotalTime += endTime - startTime;
 return response;
 } catch (Exception e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST",
+ e.toString()));
 return null;
 }
 }
@@ -1890,11 +1948,11 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 DerOutputStream out = new DerOutputStream();
 DerOutputStream tmp = new DerOutputStream();
- String algname = mOCSPSigningUnit.getDefaultAlgorithm();
+ String algname = mOCSPSigningUnit.getDefaultAlgorithm();
 byte rd_data[] = ASN1Util.encode(rd);
 if (rd_data != null) {
- mTotalData += rd_data.length;
+ mTotalData += rd_data.length;
 }
 rd.encode(tmp);
 AlgorithmId.get(algname).encode(tmp);
@@ -1907,25 +1965,27 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 DerOutputStream tmpChain = new DerOutputStream();
 DerOutputStream tmp1 = new DerOutputStream();
 DerOutputStream outChain = new DerOutputStream();
- java.security.cert.X509Certificate chains[] =
- mOCSPCertChain.getChain();
+ java.security.cert.X509Certificate chains[] = mOCSPCertChain
+ .getChain();
 for (int i = 0; i < chains.length; i++) {
 tmpChain.putDerValue(new DerValue(chains[i].getEncoded()));
 }
 tmp1.write(DerValue.tag_Sequence, tmpChain);
 tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0),
- tmp1);
+ tmp1);
 out.write(DerValue.tag_Sequence, tmp);
- BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray());
+ BasicOCSPResponse response = new BasicOCSPResponse(
+ out.toByteArray());
 return response;
 } catch (Exception e) {
 e.printStackTrace(); // error e
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGN", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGN", e.toString()));
 return null;
 }
 }
@@ -1951,12 +2011,11 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 try {
 issuingPointId = mConfig.getString(
- "ocspUseCacheIssuingPointId", PROP_MASTER_CRL);
+ "ocspUseCacheIssuingPointId", PROP_MASTER_CRL);
 } catch (EBaseException e) { }
- CRLIssuingPoint point = (CRLIssuingPoint)
- getCRLIssuingPoint(issuingPointId);
+ CRLIssuingPoint point = (CRLIssuingPoint) getCRLIssuingPoint(issuingPointId);
 if (point.isCRLCacheEnabled()) { // only do this if cache is enabled
@@ -1965,26 +2024,29 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 boolean includeExpiredCerts = false;
 try {
- checkDeltaCache = mConfig.getBoolean("ocspUseCacheCheckDeltaCache", false);
+ checkDeltaCache = mConfig.getBoolean(
+ "ocspUseCacheCheckDeltaCache", false);
 } catch (EBaseException e) { }
 try {
- includeExpiredCerts = mConfig.getBoolean("ocspUseCacheIncludeExpiredCerts", false);
+ includeExpiredCerts = mConfig.getBoolean(
+ "ocspUseCacheIncludeExpiredCerts", false);
 } catch (EBaseException e) { }
- Date revokedOn = point.getRevocationDateFromCache(
- sno, checkDeltaCache, includeExpiredCerts);
+ Date revokedOn = point.getRevocationDateFromCache(sno,
+ checkDeltaCache, includeExpiredCerts);
 if (revokedOn == null) {
 certStatus = new GoodInfo();
 } else {
 certStatus = new RevokedInfo(new GeneralizedTime(revokedOn));
 }
- return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate);
+ return new SingleResponse(cid, certStatus, thisUpdate,
+ nextUpdate);
 }
 }
- try {
+ try {
 ICertRecord rec = mCertRepot.readCertificateRecord(serialNo);
 String status = rec.getStatus();
@@ -1996,11 +2058,13 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 // not yet valid
 certStatus = new UnknownInfo();
 } else if (status.equals(CertRecord.STATUS_REVOKED)) {
- certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn()));
+ certStatus = new RevokedInfo(new GeneralizedTime(
+ rec.getRevokedOn()));
 } else if (status.equals(CertRecord.STATUS_EXPIRED)) {
 certStatus = new UnknownInfo();
 } else if (status.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
- certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn()));
+ certStatus = new RevokedInfo(new GeneralizedTime(
+ rec.getRevokedOn()));
 } else {
 certStatus = new UnknownInfo();
 }
@@ -2012,4 +2076,3 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate);
 }
 }
-
diff --git a/pki/base/ca/src/com/netscape/ca/SigningUnit.java b/pki/base/ca/src/com/netscape/ca/SigningUnit.java
index 6b0dfc649..a0918af8f 100644
--- a/pki/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/pki/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.ca;
-
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -50,10 +49,9 @@ import com.netscape.certsrv.security.ISigningUnit;
 import com.netscape.cmscore.security.JssSubsystem;
 import com.netscape.cmsutil.util.Cert;
-
 /**
 * CA signing unit based on JSS.
- *
+ *
 * $Revision$ $Date$
 */
@@ -81,8 +79,8 @@ public final class SigningUnit implements ISigningUnit {
 private ISubsystem mOwner = null;
- private String mDefSigningAlgname = null;
- private SignatureAlgorithm mDefSigningAlgorithm = null;
+ private String mDefSigningAlgname = null;
+ private SignatureAlgorithm mDefSigningAlgorithm = null;
 public SigningUnit() { }
@@ -114,7 +112,7 @@ public final class SigningUnit implements ISigningUnit {
 public PrivateKey getPrivateKey() {
 return mPrivk;
 }
-
+
 public void updateConfig(String nickname, String tokenname) {
 mConfig.putString(PROP_CERT_NICKNAME, nickname);
 mConfig.putString(PROP_TOKEN_NAME, tokenname);
@@ -133,8 +131,8 @@ public final class SigningUnit implements ISigningUnit {
 }
 public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
- mOwner = owner;
+ throws EBaseException {
+ mOwner = owner;
 mConfig = config;
 String tokenname = null;
@@ -144,24 +142,25 @@ public final class SigningUnit implements ISigningUnit {
 mNickname = getNickName();
 tokenname = config.getString(PROP_TOKEN_NAME);
- if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) ||
- tokenname.equalsIgnoreCase("Internal Key Storage Token")) {
+ if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN)
+ || tokenname.equalsIgnoreCase("Internal Key Storage Token")) {
 mToken = mManager.getInternalKeyStorageToken();
- setNewNickName(mNickname);
+ setNewNickName(mNickname);
 } else {
 mToken = mManager.getTokenByName(tokenname);
- mNickname = tokenname + ":" + mNickname;
- setNewNickName(mNickname);
- }
+ mNickname = tokenname + ":" + mNickname;
+ setNewNickName(mNickname);
+ }
 CMS.debug(config.getName() + " Signing Unit nickname " + mNickname);
 CMS.debug("Got token " + tokenname + " by name");
- PasswordCallback cb = JssSubsystem.getInstance().getPWCB();
+ PasswordCallback cb = JssSubsystem.getInstance().getPWCB();
 mToken.login(cb); // ONE_TIME by default.
 mCert = mManager.findCertByNickname(mNickname);
- CMS.debug("Found cert by nickname: '"+mNickname+"' with serial number: "+mCert.getSerialNumber());
+ CMS.debug("Found cert by nickname: '" + mNickname
+ + "' with serial number: " + mCert.getSerialNumber());
 mCertImpl = new X509CertImpl(mCert.getEncoded());
 CMS.debug("converted to x509CertImpl");
@@ -174,38 +173,52 @@ public final class SigningUnit implements ISigningUnit {
 // get def alg and check if def sign alg is valid for token.
 mDefSigningAlgname = config.getString(PROP_DEFAULT_SIGNALG);
- mDefSigningAlgorithm =
- checkSigningAlgorithmFromName(mDefSigningAlgname);
- CMS.debug(
- "got signing algorithm " + mDefSigningAlgorithm);
+ mDefSigningAlgorithm = checkSigningAlgorithmFromName(mDefSigningAlgname);
+ CMS.debug("got signing algorithm " + mDefSigningAlgorithm);
 mInited = true;
 } catch (java.security.cert.CertificateException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage()));
- throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT",
+ e.getMessage()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_BASE_INTERNAL_ERROR", e.toString()));
 } catch (CryptoManager.NotInitializedException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT",
+ e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
 } catch (IncorrectPasswordException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD",
+ e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"));
 } catch (NoSuchTokenException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname,
+ e.toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND",
+ tokenname));
 } catch (ObjectNotFoundException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND",
+ e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
 } catch (TokenException e) {
- CMS.debug("SigningUnit init: debug "+ e.toString());
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"));
- } catch (Exception e){
- CMS.debug("SigningUnit init: debug "+ e.toString());
- }
+ } catch (Exception e) {
+ CMS.debug("SigningUnit init: debug " + e.toString());
+ }
 }
 /**
@@ -218,41 +231,47 @@ public final class SigningUnit implements ISigningUnit {
 * @exception EBaseException if signing algorithm is not supported.
 */
 public SignatureAlgorithm checkSigningAlgorithmFromName(String algname)
- throws EBaseException {
+ throws EBaseException {
 try {
 SignatureAlgorithm sigalg = null;
 sigalg = mapAlgorithmToJss(algname);
 if (sigalg == null) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, ""));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, ""));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
 }
 Signature signer = mToken.getSignatureContext(sigalg);
 signer.initSign(mPrivk);
 return sigalg;
 } catch (NoSuchAlgorithmException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname,
+ e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
 } catch (TokenException e) {
 // from get signature context or from initSign
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname,
+ e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
 } catch (InvalidKeyException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString()));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname,
+ e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname));
 }
 }
 /**
 * @param algname is expected to be one of JCA's algorithm names.
 */
- public byte[] sign(byte[] data, String algname)
- throws EBaseException {
+ public byte[] sign(byte[] data, String algname) throws EBaseException {
 if (!mInited) {
 throw new EBaseException("CASigningUnit not initialized!");
 }
@@ -264,11 +283,11 @@ public final class SigningUnit implements ISigningUnit {
 if (algname != null) {
 signAlg = checkSigningAlgorithmFromName(algname);
 }
-
- // XXX use a pool of signers based on alg ?
+
+ // XXX use a pool of signers based on alg ?
 // XXX Map algor. name to id. hack: use hardcoded define for now.
- CMS.debug(
- "Getting algorithm context for " + algname + " " + signAlg);
+ CMS.debug("Getting algorithm context for " + algname + " "
+ + signAlg);
 Signature signer = mToken.getSignatureContext(signAlg);
 signer.initSign(mPrivk);
@@ -277,26 +296,29 @@ public final class SigningUnit implements ISigningUnit {
 CMS.debug("Signing Certificate");
 return signer.sign();
 } catch (NoSuchAlgorithmException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
 } catch (TokenException e) {
 // from get signature context or from initSign
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 } catch (InvalidKeyException e) {
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 } catch (SignatureException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 }
 }
-
+
 public boolean verify(byte[] data, byte[] signature, String algname)
- throws EBaseException {
+ throws EBaseException {
 if (!mInited) {
 throw new EBaseException("CASigningUnit not initialized!");
 }
@@ -304,9 +326,10 @@ public final class SigningUnit implements ISigningUnit {
 SignatureAlgorithm signAlg = mapAlgorithmToJss(algname);
 if (signAlg == null) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, ""));
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, ""));
+ throw new ECAException(CMS.getUserMessage(
+ "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname));
 }
 // XXX make this configurable. hack: use hardcoded for now.
 Signature signer = mToken.getSignatureContext(signAlg);
@@ -315,20 +338,24 @@ public final class SigningUnit implements ISigningUnit {
 signer.update(data);
 return signer.verify(signature);
 } catch (NoSuchAlgorithmException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 } catch (TokenException e) {
 // from get signature context or from initSign
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 } catch (InvalidKeyException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 } catch (SignatureException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("OPERATION_ERROR", e.toString()));
 // XXX fix this exception later.
 throw new EBaseException(e.toString());
 }
@@ -337,8 +364,8 @@ public final class SigningUnit implements ISigningUnit {
 private void log(int level, String msg) {
 if (mLogger == null) return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA,
- level, "CASigningUnit: " + msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level,
+ "CASigningUnit: " + msg);
 }
 /**
@@ -356,15 +383,14 @@ public final class SigningUnit implements ISigningUnit {
 }
 public void setDefaultAlgorithm(String algorithm) throws EBaseException {
- mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm);
+ mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm);
 mDefSigningAlgname = algorithm;
- log(ILogger.LL_INFO,
- "Default signing algorithm is set to " + algorithm);
+ log(ILogger.LL_INFO, "Default signing algorithm is set to " + algorithm);
 }
 /**
 * get all possible algorithms for the CA signing key type.
- */
+ */
 public String[] getAllAlgorithms() throws EBaseException {
 byte[] keybytes = mPubk.getEncoded();
 X509Key key = new X509Key();
@@ -375,7 +401,8 @@ public final class SigningUnit implements ISigningUnit {
 String msg = "Invalid encoding in CA signing key.";
 log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", msg));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INTERNAL_ERROR", msg));
 }
 if (key.getAlgorithmId().getOID().equals(AlgorithmId.DSA_oid)) {
@@ -389,4 +416,3 @@ public final class SigningUnit implements ISigningUnit {
 return Cert.mapAlgorithmToJss(algname);
 }
 }
-
|